Archive for May, 2007...
Filed under Security, Sheesh
I was driving the ol’ trusty minivan yesterday with the family. We were in the middle of a 7 hour drive, coming back from seeing my parents over Memorial Day, and the kids were watching a DVD of the new Teenage Mutant Ninja Turtles Fast Forward series. One particular episode starred a character that was some kind of digital entity that acted like a virus and was trying to get to a main frame computer.
The Cody character (great-grandson of the old Casey Jones character - for you old TMNT fans) was telling the entity that the main frame was protected by “a gazillion firewalls”, so there was basically no way she could break in. She then said that she wouldn’t have to break in if Cody would just give her the password.
OK, I know this is a kid’s show, but come on! A gazillion firewalls (whatever that means) can be bypassed by a single password? This should be rated TV-M for graphically stupid security. I know I will teach my kids differently as they get older, but I am going to have to fight through all this mush inserted by shows like this.
Of course, the violence and “almost-cursing” (the Turtles regularly say “OH SHELL!!” and “WHAT THE SHELL!!”) are totally fine.
Vet
Posted by Michael Farnum on Wednesday, May 30th, 2007
Filed under Security
And remember what it is really about…

Vet
Posted by Michael Farnum on Friday, May 25th, 2007
Filed under Security
Here’s my response to LV’s data in use post that has garnered some attention:
One thing my instructor in Taekwondo has taught me is that when sparring in competition, your opponent is at his most vulnerable when attacking. Basically, you wait for his move, then you use it against him. I liken data in use to an attack in Taekwondo. Data in use is when the data is most vulnerable. The opponent has to attack at some point if he is going to win the fight. Just the same, we have to allow the data to be used or it is useless.
Yes, I think it is a concern. But like you said, there is really no way to fully stop that data from being pilfered if the person who has access to it decides to use less technical means of theft. Technology can only carry us so far. Policies have to be the means by which we can prosecute a less-than-ethical exec or other user. They don’t stop it from happening, and it can cripple the company if it is very valuable data, but hopefully the company has good procedures for weeding out bad potential employees.
Vet
Posted by Michael Farnum on Friday, May 25th, 2007
Filed under Security
The Mayan Calendar ends on December 21st, 2012 A.D. Some say that day will be the end of the world. I have heard of this before, but for some reason it was number 91 on Google Trends for May 21, 2007, and I thought it was interesting that it was there.
Looks like I better start living my life instead of trying to save for retirement and the kids’ college fund!
Vet
Posted by Michael Farnum on Tuesday, May 22nd, 2007
Filed under Security

This picture is from my recent family trip to Seaworld. But the reason it is security related is because I am wearing my ISSA hat. Man, what a geek!
Vet
Posted by Michael Farnum on Sunday, May 20th, 2007
Filed under Security
Speaking of my blogging talk at TRISC, here is a link to it. Keep in mind that any slides I create are usually just a shell for my talk, and my talk more often than not bursts out of that shell. I use slides more as a pointer for something to talk about (just like a lot of people). We discussed quite a bit more than what is in the slides you will see.
BTW, though I plan on writing more about my talk, I wanted to thank Martin and Cutaway for being props in my talk. They both gave the talk some additional credibility. They gave some great insights that really kept the discussion going. Thanks guys!
Vet
Posted by Michael Farnum on Thursday, May 17th, 2007
Filed under Security
I had a good time at TRISC yesterday. It was cool to meet up with Martin and Cutaway again. We had a good time in just the short time we got to hang out, and we even managed to record a couple of videos for Podtech.
There were some interesting talks yesterday. One highlight of the day was meeting Mark Loveless, a.k.a. Simple Nomad. Martin has met him and interviewed him before, so he introduced me. He had an interesting talk and quick demo on techniques for evading IDS / IPS systems. It was really cool hearing about his attempts at fingerprinting IDS / IPS systems.
There was also a pretty cool talk about translating vulnerability assessments by Doug Landoll. The questions during and after his talk really highlighted how people still don’t know the difference between a vulnerability assessment, a risk assessment and a gap analysis. That still amazes me.
After Doug’s talk, he stopped me in the hall to ask me what I thought about the Certified Ethical Hacker certification. I expressed some disdain for the cert with a sour look on my face, and he quickly agreed with my opinion. But it turns out that our dislike for the cert was coming from different angles. I don’t like it because I don’t like the furthering of the negative definition of the term “hacker”. He doesn’t like it because he doesn’t want to introduce anyone to a client who has the term “hacker” associated with them. He realized that the term had been hijacked, but he was looking at it from the aspect of the CEO / CFO who didn’t know any better. I can see where he is coming from because that term can negatively affect business. But I also think it is incumbent upon those of us who really know what a hacker is supposed to be to help make the term a positive one again. Doug and I also had some disagreement about whether or not companies should hire less-than-completely-reputable hackers because of their skills. He made good points (like letting ex-child molesters watch your kids - good one Doug), but I still think that much talent is bad to waste. And child molesters are sick, twisted people. Black and gray hats aren’t mentally ill by definition.
About my talk, I think it went really well. It furthered my suspicions that a lot of people have no idea what blogs can do for them when it comes to gathering useful information. Almost all of the group (about 25 people - small conference) did not read blogs. Amazing.
Anyway, I will post some more stuff about my talk later. I have some meetings to go to.
Vet
Posted by Michael Farnum on Thursday, May 17th, 2007
Filed under Security
Going to the TRISC show tomorrow in Austin. I will be speaking on using blogs as a security research tool. If any of my Texas readers are going, let me know.
I am also excited because my good friends and blogging buddies Martin McKeay and Cutaway will be there. I haven’t seen them since the bloggers’ gathering at RSA, so it will be good to see them again.
Martin is the Cobia Product Evangelist over at StillSecure, so I am sure he will do some pimping while onsite.
Cutaway, being the in-the-security-trenches guy that he is, is coming for some good old fashioned education (and to see my talk, of course). I’ll be using them both as props in my talk.
I hope they both have a good time. Unfortunately, I am only going to be there for the day and am leaving tomorrow evening, so I won’t get to hang out much. But at least we’ll all get to catch up.
Vet
Posted by Michael Farnum on Tuesday, May 15th, 2007
Filed under Security
Great post at the Security Retentive blog about training developers on the basics of security. This quote kills me:
I can’t even begin to count the number of discussions I’ve had with web developers who don’t understand HTTP basics, what the protocol actually looks like, what cookies really are, how browsers handle them, etc. They don’t understand TCP/IP, DNS, ethernet, etc.
I have never been and never will be a developer, so I don’t understand their world. But it just seems so foreign to me that someone does not know the basics of IP and HTTP when they are developing products to ride on those very protocols. Of course, security was not a factor for so long in development, so it is knowledge that needs to be developed (no pun intended), just like this post is pointing out. Hopefully it is just a matter of willingness of developers, diligence by security professionals, and time for secure coding to become a habit.
Shameless employer plug: Accuvant’s Security Assessment group does application security assessments and also has courses on secure coding techniques.
Vet
Posted by Michael Farnum on Monday, May 14th, 2007
Filed under Security
Looks like this guy might be getting some time in the pokey for passing himself off as a computer forensics expert and doing some expert witnessing in court cases. Uhhh, not a good idea. Can you say “Bubba”?

Vet
Posted by Michael Farnum on Friday, May 11th, 2007
Filed under Security
Andrew Hay took me to task a bit on my recent post about another SIEM eval install at an educational institution (it is a “suggested blog reading” post, so you will have to go down a bit to find his response to me). Andrew does work for Q1 Labs, which builds a SIM solution called QRadar. What Andrew said was that I was complaining about the price of SIEM without considering the cost savings it introduces, and I wasn’t being fair on the correlation issues. Here is what he said:
Most people, just like Michael Farnum, complain about the cost of a SEM/SIM/SEIM solution without taking the time to think about the people power required to do the same task. Think of the sick days, vacation, salary, and compensation package money saved on a product of this nature. Michael also complains that the correlation doesn’t work. Sure, out of the box it may not be able to handle all security events properly but that is where tuning comes into play. Just like any piece of hardware on your network you can’t expect it to work for every environment out of the box…it has to be customized to your environment and policies.
Here’s part of my response that I posted as a comment on his blog:
Andrew,
I never complained about the cost of SIEM, and I fully understand the load it can possibly take from having a dedicated resource watching logs. I am speaking from the standpoint of a reseller, and I am referring to what I hear from clients. Heck, I used to be a client, and I complained about it then as well.
A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it. Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result.
And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it? Not the companies I deal with. Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks. So there is no tangible savings other than they have resources to put in other projects.
And when it comes to correlation, yes the brains are there if you set up the rules correctly. What I didn’t quantify (and I should have - sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices “should” be considered important. Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate. That’s what I meant when I said we will always have that gap.
Oh, and Andrew, nice picture on your about page.
I am sincere when I say that. Bald is beautiful.
Vet
Posted by Michael Farnum on Wednesday, May 9th, 2007
Filed under Security
I went to another client of ours from an educational institution (this time in Dallas), and they were similar to the client I spoke of in my last post. However, this site seemed to be a bit more proactive when it came to security, and he didn’t seem nearly as stressed as the other client.
But the security posture (or lack thereof) is not what I want to talk about today. What I want to write about is that both of the educational clients I have seen over the last few days have been putting in SIEM evaluations. Actually, they are really doing Proof of Concept (POC) installs, which is a little more on the level of serious consideration of the product. And this is not just limited to our educational clients. We (meaning the Accuvant Dallas and Houston areas) have already done several evaluation and POC installs for Network Intelligence, er…. RSA enVision over the last few months, and I believe at least two of those have resulted in a sale, so this is something people are serious about.
A major complaint about SIEM is price. Often that results from companies that have a big enterprise and are in need of a distributed SIEM environment where there are collectors at multiple sites and a brain in the middle to handle the sorting, correlating, etc. Also, big environments often need large amounts of storage for their logs, and this can also result in extra cost if they don’t have a good SAN infrastructure in place or want to isolate those logs. This is a very valid complaint, but it seems to be one that is not going to go away very soon. The demand for this solution is not dwindling in my experience, so capitalism is in play. Of course, if someone wants to walk in with a good product and start undercutting everyone to gain market share, then I would think this is a great time to do it.
Another complaint is that the correlation just doesn’t work, that you can’t replace a human who knows the network with a computer that is limited to what rules you give it. From my point of view, this is getting better and better. I have seen some very nice examples of correlation (fairly simple examples, but the intelligence is getting there), though there will always be that gap. Well, at least until we get to the level of C3PO or Data.

As a compliance widget, SIEM is often a good tool, if you can afford a tool that just gets auditors off your back. SOX requires companies to consolidate and review logs for controls over financial systems, so this can satisfy that checkbox if you just want a “good enough” scenario (which I recommend against strongly). Often the reports that come built in on these boxes give some good info, and they look good to an auditor, but always remember that compliance does not equal security. HOWEVER, if you are trying to get a SIEM solution in place to help your security posture and you need a reason that management might bite on, then compliance can often be what you are looking for.
Vet
Posted by Michael Farnum on Tuesday, May 8th, 2007
Filed under Security
Monday and Tuesday found me working on an eval install of the NitroSecurity NitroView SIEM product at a local educational institution in the medical center (I did a quick write up on them a few days ago - my opinion has remained pretty much the same now that I have seen the product warts and all). My last job as an information security manager was at an institution with an educational background, so I am somewhat aware of how these places work when it comes to their freedoms, but I frankly never get used to the openness of these places when it comes to the Internet and security.
Basically, these guys don’t have any private network at all. All boxes have public IPs on them. That doesn’t mean that all devices are directly accessible via the Internet, but it seems so foreign when you see it. But the real problem is that they really cannot control any access to the Internet and have to fight an almost purely defensive / reactive battle for security. I wrote at Computerworld about us catching an attack while we were installing the SIEM product, and that was pretty neat to see. But it was really not even a drop in the bucket for these guys. They pretty much spend all day watching these exploits happen and then cleaning them up.
One of the analysts there tracks bad networks as best as he can and sets up IDS rules that alert him when traffic is seen from those IPs. Anyone who has been in security for a month knows that is a losing battle. It is just crazy what they have to do.
Of course, it is kind of exciting as well since these guys get to really play and see the latest stuff. Makes me think that these guys need to be getting paid a stipend from 3com, McAfee, et al. so they can let them know about some of these trojans they see before the major players know about them. Pure and simple, this is an untapped resource. The same analyst regularly sees malware that the major AV vendors don’t know about (and quite a few of the more nimble minor ones as well).
Of course, that analyst probably can’t work with those vendors due to employment, but there are ways around that, like submitting problems anonymously.
Vet
Posted by Michael Farnum on Wednesday, May 2nd, 2007