Recent attacks on HB Gary and RSA are evidence of Bruce Schneiers recent comment that “attacking a network is much easier than defending a network” and that “there might someday be the cyberspace equivalent of trench warfare, where the defender has the natural advantage”.
Q. What are the steps that can be taken to move towards such a defensive advantage?
A. By Simon Ractliffe,Commercial Director of earthwave
To exploit new opportunity, you must embrace new business and technology approaches, and throw open your doors like a sports arena to allow free passage of employees, customers,business partners, and service providers. So how do you have an open door policy and still protect, detect and respond when everyone is, or now looks like, an insider?
There are three success factors to consider:
1.Don’t make it about technology.
Advanced weaponry (technology) is rendered ineffective once the military reaches the city fringes. House-to-house combat is perilous for a nervous civilian population when the weapon is in the hands of a poorly trained trooper. The brain attached to the finger on the trigger needs to rapidly assess risk, and drive the appropriate response. And so it is with the corporate network. You need a sharp mind to make a technology guided, but informed ‘gut’ decision before invoking action that can potentially cause great harm or add the greater cost of delay, through escalation to a higher decision authority. You must detect and respond to rogue behaviour but not impact legitimate business transactions.You need to appreciate the parallels that now exist between defence of information infrastructure and urban warfare and policing.
2.Don’t attempt to replicate specialist capability.
Governments and corporates for years have strayed from core competency to try to out-gun the world’s big guns, in the name of attempting to gain some ill-conceived competitive advantage. All too often while attempting to invent a faster horse they end up nursing a lame camel. Hiring people, who buy technology, with the hope they will magically come up with world leading practice is foolhardy. Expectation that the competitive advantage of your bespoke development will offset the extra costs incurred, by avoiding the economies of scale of using streamlined specialists with critical mass, is even more foolhardy. Competitive advantage, and job retention for that matter, comes when your CEO is not the one being called upon to write the open letter announcing a recent breach.
3.Make it impartial.
Consider why the security guys out the front of your offices are not your employees, and then consider why the guys watching over your information security are on staff. More than ever we are seeing the confluence of monitoring technologies, and protect-detect-respond security practices with physical, technical and administrative coverage closely intertwined.
You must eliminate any possible conflict of interest that arises from requesting security outcomes that can expose parties in a position to flout or conceal. You need to be watching the doors and watching the doers.
Your staff, clients, business partners and service providers know where your treasures are kept and you have given them the keys. If you are not alerted when they lose their keys, (and of course they wont know either), or not alerted when they are subjected to pressures that drive them to act against you, then you will not have the ability to save you and your company’s reputation from untold damage.
When you engage the right combination of people, processes and technology to see the enemy come over the top, and repel them before they over-run your position, you will have achieved the defensive advantage.
It is your job to make sure that your business leaders understand this to be a significant competitive advantage.
Q. Your suggestion of not making it about technology makes sense when we see so many failed SIEM deployments. What is the difference between an inhouse SIEM deployment vs specialised Security Operation Centres such as those run by earthwave?
A. By Carlo Minassian,Founder and CEO of earthwave
We have witnessed failed SIEM deployments for years and over the past 12 months we have seen a lot more. The problem is that users do not typically understand what they’re getting themselves into. They fall prey to the vendor hype – “just send your logs to my SIEM and it will magically spit out what is bad”. This is a long way from the truth. SIEM technology is complex and requires enormous
man-power and investment to realise any kind of return.
As you know a typical SOC relies on People, Processes and Technology.
To replicate the people aspect you need a Watch Team (Security Analysts), a Response Team (Security Operators) and a Forensic Team. You need this team 24/7 and you need them trained (to be always ahead of the threat) in multiple disciplines and you need to figure out how to retain them.
To replicate the Processes, you need to follow best practices, with disciplines and systems to measure and monitor everything – and this takes a long time to achieve. Demonstrable best practice includes certifications against ITIL, ISO27001, PCI DSS, and DSD.
Finally a SIEM should be just one of many technologies used in a SOC. The earthwave SOC’s rely on a multitude of methods for threat analysis far beyond simply deploying a SIEM. In-house deployments often simply deliver garbage-in-garbage-out feedback loops. earthwave has spent the past 11 years defining security content as it’s applied to monitored devices. Use cases have been documented to provide baseline rules used in earthwave’s correlation engine for monitoring and alerting on security incidents. This is a constant work-in-progress as new rules, modifications, and optimisations are created over time.
As defined rules are assessed and revised, the number of false positives is reduced leading to a more effective incident identification and response programme. Collectively, the SOC Analysts monitor Asset Rule Knowledge then hammer out mitigation and security strategies to effectively deal with any identified incidents. This means where an event of interest is discovered, a corresponding mitigation strategy is defined to reduce or remove risk impact. All rules are reviewed over time to ensure changes to vendor code does not negatively impact rule naming conventions used within the SOC. Our security monitoring includes Global and Predictive Intelligence, Content and Context Aware Monitoring, Compliance Aware Monitoring, and Powerful Correlation.
Following is a short summary of each:
1.Predictive Intelligence is an outcome and use case based approach to monitoring. PI is a process of taking the ‘knowns’ and ‘unknowns’ about situations and entities of importance, and applying a reasoning framework around them to arrive at a set of conclusions that inform our decision making. By having more insight into unforeseen influences and consequences, it is possible to arrive at a justifiable position earlier, and make an educated, well reasoned decision faster. For example, at a very basic level, we know email administrators regularly read emails of other employees including their executives, sowith PI we can catch them doing it. There are several hundred similar use cases delivered through the earthwave PI.
2.Global Intelligence provides customers with the most comprehensive view of Internet attack activity. We combine the expert monitoring and management of earthwave Managed Security Services,with over 15 sources of global threat and security intelligence, to deliver the world's premier known and emerging threat early warning service.
3.Content Aware Monitoring maintains a content checklist that enables analysts to identify which events of Interest can be monitored by different classes of product (e.g. Firewall, IPS, VPN), and by specific vendors (e.g. Cisco ASA, Juniper SG, Blue Coat ProxySG). This table is further used to understand which products are capable of recording what in an effort to advise customers about their product purchasing decisions. These events are considered content-based because we are concerned with the actual content generated by a particular product.
4.Context Aware Monitoring reveals the Events of Interest (EOI) which are possible security incidents. These are ordered by earthwave’s security incident categories. This can be considered as a security rule dictionary which orders classes of attacks into defined categories. The events detailed here are considered Context-Based because we are concerned with the actual context surrounding why the event was triggered rather than specific event content itself. Content generally differs from one product to the next, so that information is included in the “Context-Free Events of Interest”.
5.Compliance Aware Monitoring provides incident category mapping, cross-referenced with security use-case categories against relevant industry and regulatory standards. This ensures our category mapping complies with such standards, and takes into consideration each standard and its value to earthwave’s incident response programme. Currently we monitor against ISM/ACSI 33, ISO/IEC27002:2005, PCI DSS 2.1, and SANS CAG 2.3.
6.Powerful Correlation includes:
- Identity & role correlation
- Real-time dynamic network correlation
- Real-time location correlation
- Multi-stage attack correlation
- Contextual correlation
So as you can now start to appreciate, the People, Process and Technology aspects of a SOC are almost impossible to replicate in any one organisation whose core business in not security operations. Unless the necessary level of investment and years of R&D is behind them, deploying yet another widget such as a SIEM is simply asking for trouble.
If you’re a CIO, an IT Manager or a Security Manager reading this and thinking you know better then arguably you deserve to fail.
Q.Will implementing any current best practice security controls prevent hackers from breaking in and stealing an organisation’s data?
A. David Kaplan,Regional Director, earthwave
No, I guarantee they will break in. The question is, will you be able to detect and respond before your information assets are compromised?
Q.I am interested to know more about your Predictive Intelligence. This is a term I hadn’t come across before. How does predictive intelligence play a role in incident detection?
A. Mark Thomas, Director of Threat Intelligence, earthwave
It is essential to recognise the evolution of sophisticated attacks, adversaries, and the growing number of resources at their disposal. Certainly with the increased demand for connectivity and the online social networking phenomenon, we must be prepared to address the underpinning security requirements. The notion that attackers will out-innovate and out-pace defenders is not new. It leads to better products, better processes but inevitably leads to more advanced threats.
We must harness the power of existing technologies to provide more business value. This can be achieved through better incident analysis and detection methods. Throwing money at products to address security is not the right answer. Products are necessary but certainly not sufficient to solve our security challenges. Vendors have by and large failed to adapt to targeted attacks, and most are only interested in protecting against the broader and easier problems anyway. This does little to address the complexities, diversities, and increasingly surreptitious nature of threats like Advanced Persistent Threats (APTs).
We should be focussing efforts toward earlier attack detection and response. Whilst many regulatory compliance and audit requirements demand Incident Response (IR) testing on an annual basis, realistically this is too infrequent to be effective. It says little about the readiness of an organisations IR capabilities. As far as slogans go, if you only detect an incident once a year - it's not a good year! Attacks are occurring daily, they're ongoing, and they're imminent.
Understanding what to look for and how, effectively determines the success of any incident response programme. Moving beyond basic log analysis, organisations require security intelligence: honey-pots, sandboxes, commercial malware feeds, and proprietary tools. Of course we need processes, and the right people to make valid assessments. Having a SIEM solution only partially solves the issue. SIEMs can essentially be garbage-in-garbage-out feedback loops. The value is not in the collection of logs but in the analysis of them.
The dilemma of traditional incident detection methodologies is that they tend to work backwards. You have an end result and you must determine the initial cause. The process must assume an incident has occurred before an investigation takes place to determine the impact, attack vector and threat agent. By this time it's already too late. A better way to enrich the process is through predictive intelligence (PI). PI aims to discover attack phases when they are first initiated (reconnaissance), tracking each successive step (delivery) toward intrusion (exploitation) as it occurs in real-time. We can then monitor malware call-backs and payloads to provide a clearer picture of the attack profile. It's simple cause and effect; a forward-facing modern methodology diametrically opposed to traditional incident detection methods. It enables analysts to monitor, learn from, and respond to attacks as they occur. PI is about knowing what events each vendor's device produces, and understanding what pattern of activity indicates something nefarious. Feeding this kind of intelligence into a SIEM delivers the real value; intelligence-in-intelligence-out.
PI is a way of understanding the threat environment by collecting actionable information on known threat events as it pertains to an organisation. Each industry has a different threat landscape. And each organisation in each industry has a different risk profile. Threat events are profiled to create a use-case which serve as potential incident indicators. Using these threat models on a daily basis enables organisations to achieve greater visibility through the powers of aggregation, normalisation, and correlation. The end result is a more compelling IR programme .The earlier the detection, the quicker the response leading to the reduction in successful exploitation.
Q. Are there instances where it feels like the information security industry doesn’t learn from previous mistakes?
A. Andrew Bycroft, Lead Security Architect, earthwave
Absolutely, but it is not entirely the fault of the information security industry – it is as much the information technology product developers and technology adopting organisations for failing to run ongoing education programs who are to blame.
To illustrate my point with just one of many examples, I’ll focus on social media applications such as, but not limited to, LinkedIn, Facebook and Twitter. Most organisations permit social media access to some degree either because they see the potential it has for brand awareness, or because they have no idea how to stop access to it, with little to no regard for the security problems social media introduces:
- data loss
- identity theft
When it comes to general web and email applications, it seems the information security industry had all of those covered, but all of a sudden, new applications emerge and it is back to the drawing board creating new products to deal with old threats that target new applications. Of course, application developers focus on features rather than security, so that places the information security industry in reactive mode. Then there is lack of user education on the security dangers of social media applications, so once again that also results in organisations taking a reactive rather than proactive approach. In essence there are multiple parties at fault, but it is never too late to work together to start learning how to avoid similar security mistakes in the future.
Q. I wanted to ask you about DLP since this was the main topic of discussion at last year's AusCERT. How have Data Loss Protection strategies evolved over the past 12 months?
A. Tim Murphy, Regional Director, earthwave
Data Loss Protection (DLP) strategies need to be defined as to how they fit the problem and hence how effective they are in their solution. When first developed as a discipline in information security it was considered solved by prohibitive policy in preventing data flow in a given direction and deploying technologies of one sort or another to enforce this prohibitive policy, but prohibition does not work in any instance of human interaction, a workaround will more than likely be discovered and utilised. A great example of this is an education institution here in Australia that was trying to prevent research papers finding their way outside of the campus, so they deployed technologies to enforce this requirement.
Every time a technology was deployed, within days and sometimes hours the user base had found a way around the new technology deployment and data leakage continued. The IT department could not keep up with the leaks and deploying technologies to plug these leaks could not happen fast enough – it was nigh impossible. So a new strategy was employed. Remove all the technology gatekeepers, heavily publish the DLP policy and then police it by breach.
Using a given few individuals as example in their breach and publishing these breaches, word quickly got around that the IT department was monitoring every move and the DLP problem was solved. No more attempts were made to work around the policy and there was little actual gatekeeper technology deployed to prohibit traffic.
The key to this problem is not deploying technology gatekeepers, it is about quality monitoring and detection and subsequent notification of a breach. DLP has evolved into a complex detect and respond strategy not a technology selection process.
Q. One of the main security challenges associated with the NBN is that it provides the perfect platform for the increasing propagation of Botnets. Do you believe that organisations are using security technologies which can protect them from the ever evolving threat of Botnets?
A. Vinicus Engel, Lead Security Analyst, earthwave
I don't think so, they are investing heavily in security and we can see that but most technologies being used out there will certainly not be able to distinguish the activity of a modern Botnet client from a normal user doing work and going to websites.
Botnets are becoming stealthier and smarter by the day, the time when we could easily detect Botnet clients trying to communicate with Command and Control servers over unusual ports and protocols is long gone. Today's Botnets are increasingly blending in with normal traffic, we see Bonets being controlled through legitimate websites which have been compromised and the commands are embedded in the HTML code, HTTP cookies, social network websites, images with commands hidden in them and so on. People are getting very creative with ways to control the Bots and once they control one Bot within a network it is just a matter of time until it spreads.
I often work on incidents where the organisation has invested heavily in different layers of protection which go from the host all the way to the perimeter of the network and yet nothing is able to detect the malicious activity. Worse even, the activity is so well disguised that sometimes the veracity of the compromise is questioned until further forensics can be performed.
Q.What role can the CSO play in staying ahead of some of the security challenges of today?
A. Loris Minassian,– Co-Founder and CTO, earthwave
Working with our clients and their CISOs, it's evident that many of us face similar challenges. Today's CISOs are now expected to be responsible for not just security but also an appreciation of the business and it’s their job to help bridge the gap. Many organizations have matured over the years and now include security as part of their decision making process and their IT plan which ultimately ends up as part of their overall business plan. How a CISO responds to these challenges does vary considerably however. I've found that those CISOs whose response strategy is to be proactive best succeed in addressing these challenges.
It’s important to note that an organizations security starts with the CISO setting security policies using risk assessment but by no means ends there. If security is to be maintained, then a cohesive team is needed that supports the security practice put forward by the CISO. The importance of leadership is therefore paramount to being a successful CISO whereby the organizations security team instills, by resonating the organizations security practice towards each person within the organisation.
The role a CISO can play is to stay informed - some are but many struggle. A successful CISO should try and stay informed about all security aspects, from the latest hacking techniques to corresponding mitigation controls, from security standards to auditing requirements, from policies and procedures to security governance. More importantly, to be successful, a CISO needs to understand what risks an organization faces so that security can be tailored and aligned to protect the business.
Understanding and supporting IT governance, is a major key in staying ahead of security challenges. A successful CISO will understand and support the leadership, organizational structures and processes that ensure an organization's IT sustains and extends the organization's strategies and objectives. I particularly like how ISM defines security as being context dependent. That is, it moves away from the traditional CIA model somewhat and focuses rather on continuously meeting or surpassing a set of business objectives. I believe to be successful as a CISO, one needs to distinguish the difference between the two approaches and adopt the context base approach.
Finally, user awareness training and collaboration is key. A CISO needs to continually reach out to understand user behavior and strive to learn from the greater security industry by exchanging ideas and experiences with likeminded experts in the field. One major challenge is to keep up with the ever changing patterns of user behavior. To do so means that you can quickly identify areas of increasing risk and address these before it's too late. This is not something that can be easily achieved. What I believe to be the better approach in tackling this challenge is for the CISO to delve into the latest next-generation technology such as the iPhones and iPads.
The idea is to start using technology passionately in order to identify new security risks within the greater business context.