Lockheed Martin Cyber Weekly


    Securing the Air: An Approach to Hybrid Cloud Security

    September 24, 2014 11:34 AM by Chandra McMahon

    A hybrid cloud is a consolidation of a private cloud and a public cloud. The reason for their growing popularity stems from their ability to offer multiple deployment models at once.

    Gartner predicts that globally, almost half of all large enterprises will have deployed hybrid clouds by the end of 2017.  That means we are in a defining moment wherein companies will begin planning to move away from private into hybrid clouds.

    The challenge, though, is how to interconnect multiple clouds to work as a seamless whole. You don’t want a cloud for e-mail, another one for content management and development, and yet another for collaboration; especially if the clouds lack the capability to interact with one another. More importantly, the complexity between hybrid clouds introduces a new paradigm of cybersecurity vulnerabilities. But with a careful implementation of standards concerning how to perform governance and implement IT systems to protect data, securing the hybrid cloud becomes possible.

    Establish industry-specific and federal security controls

    The energy and utilities industry have The North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) controls, the financial sector has the Payment Card Industry (PCI) standards and the healthcare industry has to comply with security guidelines laid out in the Health Insurance Portability and Accountability Act (HIPAA).

    We provide a set of cloud-specific controls and baseline security measures from the Federal Risk and Authorization Management Program, the federal government’s security accreditation program for cloud services and providers. FedRAMP standardizes the approach to security assessment, authorization and continuous monitoring for cloud products and services with a “do once, use many times” framework that is expected to reduce the cost, time and staff required to conduct agency security assessments of cloud solutions.

    Our Solutions as a Service Secure Community Cloud or SolaS -- which consists of a community, private and hybrid cloud -- is built to meet the government’s Federal Information System Management Act (FISMA) security guidelines at the Moderate Security Level and FedRAMP certification. SolaS received the FedRAMP Joint Authorization Board’s provisional authorization to operate, which is the most rigorous approval, and involves a thorough review by chief information officers of the General Services Administration, and Homeland Security and Defense departments.

    As a cybersecurity company, Lockheed Martin not only meets the FedRAMP requirements but has also layered in specific security controls developed by the company.

    We are working with companies in the energy, finance, healthcare and education sectors to identify similar baselines they can use to deploy trusted cloud services within their domain space.

    I believe we will start to see a more significant adoption of the hybrid cloud as the industry-specific controls and the government-specific controls are extended to the cloud. At this point, commercial entities can start to consume each other’s cloud services in a more trusting environment, and in a manner similar to the way agencies share data with FedRAMP.

    At Lockheed Martin our approach towards the hybrid cloud and security is in lock-step with the bottom line in the commercial space- to understand how to use, secure and bundle services across multiple environments and make it seamless to their customers

    Join the Conversation!

    Crystal Ball: The Virtues of Outcome-Based Cyber Security

    September 18, 2014 2:02 PM by Chandra McMahon

    Recently, Hold Security, a firm in Milwaukee, announced that a Russian crime ring had stolen 1.2 billion user credentials and 500 million e-mail addresses from 420,000 websites.  According to an article by the New York Times, if true, the cyber-heist would be the largest in history.

    Hold Security did not name the victims of the attack, citing nondisclosure agreements with victim companies.

    In the face of attacks like this, it would be nice if Chief Information Security Officers (CISOs) had a crystal ball to keep their networks safe. But that's not really necessary. Attacks like this are as defendable as they are inevitable with the use of emerging tools including threat intelligence and outcome-based cybersecurity.

    Read More »

    The Growing Minority: Women in IT & Cyberspace (Part II)

    September 10, 2014 3:02 PM by Chandra McMahon

    Last week, we took a look at the current landscape of minorities in cybersecurity and IT with a particular emphasis on women in those fields. Both personally and professionally, I feel that diversity is an important aspect of an effective cybersecurity approach, and can help fill the gap managers have to meet the demands for more talented cyber-professionals in today’s IT environment.

    A couple of years ago, Frost and Sullivan released a study that shows that information security discipline is not evolving fast enough:

    “…women represent just 11% of this profession [IT Security]. Placed in the context of women in the general workforce and women in professional and managerial roles—where women are at near parity with men in both of these measurements in developed countries—this 11% is alarming.

    Furthermore, this low percent of women in the information security profession has been stagnant despite double-digit annual increases in this profession. In 2012 alone, the global information security workforce grew by 306,000 and is on pace to increase by another 332,000 in 2013.”

    Read More »

    The Growing Minority: Women in IT & Cyberspace

    August 27, 2014 1:54 PM by Chandra McMahon

    One emotion few of my peers experience is the feeling of walking into a room and being the only woman - and it didn't matter whether I was visiting a Security Operations Center (SOC), attending a Chief Information Security Forum or meeting with Information Security leaders in various industries.  Meeting after meeting and at all levels, I have concluded that the low numbers of women and minorities working within cybersecurity and across the IT discipline is a concern from a personal standpoint and a business risk that I feel few recognize.

    The cybersecurity industry continues to grow at an incredible rate. A recent study by the organization Women in Cybersecurity found that security professionals worldwide are expected to increase to nearly 4.2 million by 2015. Although women hold 56 percent of all professional jobs in the U.S. workforce, only 25% of all IT jobs are held by women.

    Read More »

    Checkmate: Planning for the Future of Cyber Security (Part II)

    August 13, 2014 11:25 AM by Chandra McMahon

    Last week, we talked about how cyber security is like Chess. In order to be effective, you have to prepare and anticipate your opponent’s moves and styles of attack before they happen. Today we will look at the other side of the cyber coin: attackers. What future capabilities do we think they will have, and what can we do to start preparing for them?

    There are about three major capabilities that future Advanced Persistent Threats (APT) and attackers will have:

    Read More »

    Checkmate: Planning for the Future of Cyber Security

    August 6, 2014 1:34 PM by Chandra McMahon

    Cyber security is like Chess. You have to prepare and anticipate your opponent’s moves and styles of attack before they happen. The more moves and scenarios you can plan for in the future, the stronger your security will be, and the greater your chance of success.

    Like Chess, effective cyber security is also about making assumptions on present trends and looking back at the past to anticipate the future. But unlike Chess, your tools and technologies constantly evolve for you and those seeking to harm your networks. In 20 years, a pawn will still be a pawn, but continuous monitoring or incident response will look and feel completely different. In some possible scenarios, they may not even exist anymore.

    Read More »

    Neighborhood Watch: Protecting Your IP with the Cyber Ecosystem

    July 16, 2014 4:36 PM by Chandra McMahon

    Whenever your kids go outside to play, it’s a great feeling to know that they are safe. Here at Lockheed Martin, we feel the same about your intellectual property (IP). Most enterprises work very hard to maintain the safety and integrity of their intellectual property. IP is the heart of every company. IP is the very data that makes each one of our organizations unique and valuable entities.

    Even though most enterprises work hard to make sure their IP is protected, without careful consideration of the cyber ecosystem, this protection might only be halfway effective. Identifying threats is hard enough within the cyber walls of your corporate enterprise, but as you well know, your IP and your company’s data moves outside those walls all the time. Where it goes, who it interfaces with and what it interfaces with – that is what we mean by the cyber ecosystem.

    Read More »

    Risky Business: The role of Risk Management in Cyber Security

    July 10, 2014 12:06 PM by Chandra McMahon

    One of the most common terms in any large organization is Risk Management. Risk Management has grown from a vertical role shared by multiple organizational executives into a separate horizontal practice in which a series of professionals can often dedicate entire careers. But what exactly is Risk Management? What is IT Risk Management? What is a Risk Management Framework? And why is it a vital component of an effective cyber security platform? For me, Risk Management is a rigorous business discipline that if applied and communicated correctly can ensure a business continues to achieve a strategy for profitable growth. It’s also the language of executives and one that cyber security executives should be extremely well versed in.

    Originating as a business discipline, Risk Management is the process of understanding what could possibly impact your company in a negative way, and having an action plan for each possible threat. Risk Management is about mapping and understanding the likelihood of these financial threats to your organization in a manner that looks at probability and severity.

    Read More »

    Responding to Incident Response: What is it and why do so many organizations have it?

    June 25, 2014 2:41 PM by Chandra McMahon

    Imagine this scenario. You’re awoken late at night by phone call. You answer, but before you can say “hello” you hear a familiar voice, “We’re so sorry to call you this late but...we’ve detected a system-wide breach in our network.” I’m willing to bet most CISOs (Chief Information Security Officers) think about that happening in some way, shape, or form before going to bed at night. I know I have. And can you blame us? Just a couple of months ago a report from the Government Accountability Office on Information Security showed that the number of cyber incidents reported by all Federal Agencies rose this past year by over 10,000 incidents. That’s about a 35 percent increase in one year!

    A system-wide breach can cost an organization millions of dollars in reparations and infrastructure-loss. Just as critical, a large breach can cost an organization even more in reputation. All too common, however, managers feel that simply having incident response (IR) services are enough to keep their organization from suffering a major attack.

    Read More »

    Proactive Protection: Lockheed Martin’s Blog Dedicated to Cyber Security

    June 13, 2014 9:04 AM by Chandra McMahon

    Welcome to the new cyber blog!  Every Monday, you can rely on this blog to give you detailed analysis and reporting about cyber security programs at Lockheed Martin. More than just news and more than just opinion, the blog is a thought-provoking examination of multiple levels of cyber security. And we'd welcome your feedback and suggestions as we forge ahead with this new endeavor.

    For a little information about your host, for more than 25 years, I've been at the forefront of the information technology industry. Recently, as Lockheed Martin’s Chief Information Security Officer, I was responsible for information security strategy, policy, security engineering, operations and cyber threat detection and response. Currently, I lead Lockheed Martin's unique cyber security capabilities and associated portfolio of information technology solutions including Cloud, Big Data and Mobility for our commercial clients.

    Few areas of technology change as aggressively or have as much impact as cyber security. Managing the risk of IT within an organization, therefore, often relies on a solid understanding of what cyber security is in the first place. How has it changed? And more importantly, where is it headed?

    Read More »

Chandra McMahon, Vice President, Commercial Markets

As Lockheed Martin's former Chief Information Security Officer, I now lead our team in delivering a portfolio of cybersecurity and information technology solutions and services for financial, utility, oil and gas, health and life sciences, telecommunications and high-technology customers.