Splunk Live!

I attended the Splunk Live! London event last Thursday.  I am currently in the process of assessing Splunk and it’s suitability as a security SIEM (Security Information and Event Management) tool in addition to general data collection and correlation tool.  During the day I made various notes that I thought I would share, I’ll warn you up front that these are relatively unformatted as they were just taken during the talks on the day.

Before I cover off the day, I should highlight that I use the term SIEM to relate to the process of Security Information and Event Management, NOT SIEM ‘tools’.  Most traditional tools labelled as SIEM as inflexible, do not scale in this world of ‘big data’ and are only usable by the security team.  This for me is a huge issue and waste of resources.  SIEM as a process is performed by security teams every day and will continue to be performed even when using whatever big data tool of choice.

The background to my investigating Splunk is that I believe a business should have a single log and data collection and correlation system that gets literally everything from applications to servers to networking equipement to security tools logs / events etc.  This then means that everyone from Ops to application support, to the business to security can use the same tool and be ensured a view encompassing the entire environment.  Each set of users would have different access rights and custom dashboards in order for them to perform their roles.

From a security perspective this is the only way to ensure the complete view that is required to look for anomalies and detect intelligent APT (Advanced Persistent Threat) type attacks.

Having a single tool also has obvious efficiency, management and economies of scale benefits over trying to run multiple largely overlapping tools.

Onto the notes from the day;

Volume – Velocity – Variety – Variability = Big Data

Machine generated data is one of the fastest growing, most complex and most valuable segments of big data..

 

Real time business insights

Operational visibility

Proactive monitoring

Search and investigation

Enables move from ‘break fix’ to real time operations insight (including security operations). 

GUI to create dashboards – write quires and select how to have them displayed (list, graph, pie chart etc.) can move things around on dashboard with drag and drop.

Dev tools – REST API, SDKs in multiple languages.

More data in = more value.

My key goal for the organisation – One log management / correlation solution – ALL data.  Ops (apps, inf, networks etc.) and Security (inc PCI) all use same tool with different dashboards / screens and where required different underlying permissions.

Many screens and dashboards available free (some like PCI and Security cost)  dashboards look and feel helps users feel at home and get started quickly – e.g. VM dashboards look and feel similar to VMware interface.

another example – windows dashboard – created by windows admins, not splunk – all the details they think you need.

Exchange dashboard – includes many exchange details around message rates and volumes etc, also includes things like outbound email reputation

VMware – can go down to specific guests and resource use, as well as host details. (file use, CPU use, men use etc.)

Can pivot between data from VMware and email etc. to troubleshoot the cause of issues.

These are free – download from spunkbase

Can all be edited if not exactly what you need, but are at least a great start..

Developers – from tool to platform – can both support development environments and be used to help teach developers how to create more useful log file data.

Security and Compliance – threat levels growing exponentially – cloud, big data, mobile etc. – the unknown is what is dangerous – move from known threats to unknown threats..

Wired – the internet of things has arrived, and so have massive security threats

Security operations centre, Security analytics, security managers and execs

  • Enterprise Security App – security posture, incident review, access, endpoint, network, identity, audit, resources..

Look for anomalies -things someone / something has not done before

  • can do things like create tasks, take ownership of tasks, report progress etc.
  • When drilling down on issues has contextual pivot points – e.g right click on a host name and asset search, google search, drill down into more details etc.
  • Even though costs, like all dashboards is completely configurable.

Splunk App for PCI compliance – Continuous real time monitoring of PCI compliance posture, Support for all PCI requirements (12 areas), State of PCI compliance over time, Instant visibility on compliance status – traffic lights for each area – click to drill down to details.

  • Security prioritisation of in scoop assets
  • Removes much of the manual work from PCI audits / reporting

Application management dashboard

  • spunk can do math – what is average stock price / how many users on web site in last 15 minutes etc.
  • Real time reporting on impact of marketing emails / product launches and changes etc.
  • for WP – reporting on transaction times, points of latency etc – enable focus on slow or resource intensive processes!
  • hours / days / weeks to create whole new dashboards, not months.

Links with Google earth – can show all customer locations on a map – are we getting connections from locations we don’t support, where / what are our busiest connections / regions.

Industrial data and the internet of things; airlines, medical informatics (electronic health records – mobile, wireless, digital, available anywhere to the right people – were used to putting pads down, so didn’t get charged – spunk identified this).

Small data, big data problem (e.g. not all big data is a actually a massive data volume, but may be complex, rapidly changing, difficult to understand and correlate between multiple disparate systems).

Scale examples;

Barclays – 10TB security data year.

HPC – 10TB day

Trading 10TB day

VM – >10TB year

All via splunk..

DataShift – Social networking ‘ETL’ with spunk. ~10TB new data today

Afternoon sessions – Advanced(isn) spunk..

– Can create lookup / conversion tables so log data can be turned into readable data (e.g. HTTP error codes read as page not found etc. rather than a number)  This can either be automatic, or as a reference table you pipe logs through when searching.

– As well as GUI for editing dashboards, you can also directly edit the underlying XML

– Can have lots of saved searches, should organise them into headings or dashboards by use / application or similar for ease of use.

– Simple and advanced XML – simple has menus, drop downs, drag and drop etc.  Advanced required you to write XML, but is more powerful.  Advice is to start in simple XML, get layout, pictures etc sorted, then convert to advanced XML if any more advanced features are require.

– Doughnut chart – like a pie chart with inside and outside layers – good if you have a high level grouping, and a lower level grouping – can have both on one chart.

– Can do a rolling, constantly updating dashboard – built in real time option to refresh / show figures for every xx minutes.

High Availability

  • replicate indexes
    • gives HA, gives fidelity, may speed up searches

Advanced admin course;

http://www.splunk.com/view/SPCAAAGNF

Report acceleration

  • can accelerate a qualifying report – more efficiently run large reports covering wide date ranges
  • must be in smart or fast mode

Lots of free and up to date training is available via the Splunk website.

Splunk for security

Investigation / forensics – Correlation, fast to root cause, look for APTs, investigate and understand false positives

Splunk can have all original data – use as your SIEM – rather than just sending a subset of data to your SIEM

Unknown threats – APT / malicious insider

  • “normal” user and machine data – includes “unknown” threats
  • “security” data or alerts from security products etc.  “known” security issues..   Misses many issues

Add context  – increases value and chance of detecting threats.  Business understanding and context are key to increasing value.

Get both host and network based data to have best chance of detecting attacks

Identify threat activity

  • what is the modus operandi
  • who / what are most critical people and data assets
  • what patterns and correlations of ‘weak’ signals in normal IT activities would represent abnormal activity?
  • what in my environment is different / new / changed
  • what deviations are there from the norm

Sample fingerprints of an Advanced Threat.

Remediate and Automate

  • Where else do I see the indicators of compromise
  • Remediate infected systems
  • Fix weaknesses, including employee education
  • Turn the Indicators of Compromise into real time search to detect future threats

– Splunk Enterprise Security (2.4 released next week – 20 something april)

– Predefined normalisation and correlation, extensible and customisable

– F5, Juniper, Cisco, Fireeye etc all partners and integrated well into Splunk.

Move away from talking about security events to all events – especially with advanced threats, any event can be a security event..

I have a further meeting with some of the Splunk security specialists tomorrow so will provide a further update later.

Overall Splunk seems to tick a lot of boxes and looks certainly taps into the explosion of data we must correlate and understand in order to maintain our environment and spot subtle, intelligent security threats.

K

 

Requirements of a good Security Operations Centre

I have recently been thinking about and reading up on how to improve Security Operations Centres (SOC) to meet the constantly evolving environment and threat landscape in which we operate.  There are obviously many tools that are required from Network Monitoring to IPS (Intrusion Prevention System) to Log Collection and Correlation systems to Auditing and File Integrity Monitoring.

This post will however briefly cover the ‘soft’ side of the SOC and three key skills / processes that there seems to be agreement are required for a SOC to be effective and forward looking.

The first of these is understanding the business and business systems in detail and being able to put any event in the context of the business.  Which systems are affected?  Which business processes does this impact?  What is the relative priority?  This means the team needs to understand more than just vulnerability x and y and their generic severity rating.  They must understand your business context and be able to effectively relate events to this.  Tools can also help here in terms of event correlation and scale of the issue, this is where the new breed of ‘big data’ real time analysis and correlation tools such as Splunk, Palantir, or Security Analytics.

The second key skill / process is that of effective incident handling. This must again focus on your specific business and the priorities in case of an event, such as evidence gathering, escalation, keeping services running, regulatory requirements.  The event must be related to these factors with an understanding of it’s impacts to your business.  The more effective and streamlined this process can be, the lower the impact will be when the inevitable issues from virus infections to ful scale breaches occur.

The third key area is around business processes.  Any process that involves users of the companies system will likely be key attack vectors.  Technology can’t ever stop all attacks – this is why social engineering is still the number 1 way any attackers gain a foothold in most environments.  The security team must work with the business to perform threat assessment and modelling sessions to understand the attack vectors and work with the users to minimise or mitigate them.  Solid user training, awareness and engagement will also help here.

Attackers who want to get into your system for whatever reason from financial gain to hacktivism are constantly changing and improving their game.  We need to work hard to keep up and keep them out or at least contained.  A well formed and smoothly functioning SOC that is closely aligned to the business is a key part of any organisations defence.

K

Using passwords for authentication

Recently when researching form my Masters project I came across some studies about users and password use.  I think we now know that passwords should be dead and replaced / augmented by something better such as two factor authentication using token or biometrics.  However many systems still rely on usernames and passwords.

In terms of business, in order to improve security many companies now add two-factor authentication when logging in remotely so the user enters their username, some sort of pin or password and a value from a hardware or software token.  This helps with the issues around passwords when remotely logging into systems such as when working from home, it does nothing to improve the security of logging in with just a username / password in the office.

The traditional assumption has been that it is OK to use just username / password when logging in from a more secure location such as the office when you are already connected to the trusted network.  Assuming your business uses modern operating systems that employ salted hashes for any password storage or transmission the issue it not with someone malicious managing to ‘sniff’ the password while it is in transit, or getting hold of the password store.  However what of the users who use the same password for multiple systems?  If your users log into insecure web sites using the same or very similar passwords to those they use to log into the secure business systems?

Studies have shown that nearly all users re-use passwords.

In addition users will tend to use the least complex, easiest to remember password possible – so while your businesses chosen level of complexity may have a password space of xxxxx passwords, the users passwords may actually tend to occupy a much smaller space, or be easy to guess despite meeting the password complexity requirements.

People will also tend to write down passwords that are too difficult to remember easily.

So I’d strongly recommend moving away from just relying on passwords and utilize some form of multi-factor authentication even within the office environment.  This is not as difficult as it may sound – most (all?) modern operating systems support multi-factor authentication out of the box.

If you cannot move away from just relying on passwords then a use education program is a must.  A good password is not just a complex one, it must combine complexity and being difficult to crack with also being easy to remember for the user.  If users can understand both the password policy and the rational for that, along with ways to come up with strong passwords that are easy for them to remember this will lead to a more secure environment.

Interestingly, we again come around to user education and training being a key component of a defense in depth security strategy.

K

Puppet introduction

Puppet is currently being deployed in the environment where I work, so I thought it would be a good idea to get at least slightly up to speed around how it works.  Like I am sure quite a few of you I am familiar with Puppet in terms of what it is and what it is commonly used for, in terms of it being an IT automation tool written in Ruby that can manage both *nix and Windows systems.

I didn’t however know much of the detail around exactly how it works and can be configured.  Given that there are probably others in a similar position who either need or want to learn a bit more about Puppet and system management and automation I thought I’d share a couple of the better introductory resources I found.

If you are completely new to Puppet and want to find out what it does the ‘What is Puppet page is an excellent starting point;

https://puppetlabs.com/puppet/what-is-puppet/

The next link is a good introduction to coding with Puppet and nicely covers the fact Puppet is Declarative.  This can be a challenge for some people especially those with coding experience as most languages are Imperative which is quite a different style of explaining what you want the application to do.  Read on to find out more;

http://spin.atomicobject.com/2012/09/13/from-imperative-to-declarative-system-configuration-with-puppet/

I also found this three part series that covers what you need to set up and get running with Puppet with the minimum of extra information.  This is great if you need to get up and running quickly as much of the full documentation is more book like;

Part 1;

http://justfewtuts.blogspot.co.uk/2012/05/puppet-beginners-concept-guide-part-1.html

Part 2;

http://justfewtuts.blogspot.co.uk/2012/07/puppet-beginners-concept-guide-part-2.html

Part 3;

http://justfewtuts.blogspot.co.uk/2012/08/puppet-beginners-concept-guide-part-3.html

Finally if you want a full understanding of Puppet and have the time the Puppet Labs documentation is excellent and should remove any need to buy a reference book;

http://docs.puppetlabs.com/

K

 

Phishing; what is phishing and how to protect against it.

Phishing continues to be one of the key attack vectors against both individuals and corporations.

At a personal level it’s one of the most successful ways malicious individuals and groups have for stealing credit card details and identities.

At a corporate level it is one of the most if not the most common entry points into an organisation.  This is true even for the majority of the Advanced Persistent Threat type attacks that are discovered; while they may use many clever techniques to avoid detection once they are established the usual entry point is via some form of social engineering with Phishing being the most common social engineering attack.

It is due to this that I was recently asked to create a brief overview of Phishing covering what it is, why it is so prevalent, and what can be done to reduce the risk.  I’m sure most of you are aware what Phishing is, but I thought I would share some of the content of my recent presentation.

I started with a brief overview of what Phishing is;

•Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish.

•Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as credit card number, social security number, account number or password. Often times phishing attempts appear to come from sites, services and companies with which you do not even have an account.

•In order for Internet criminals to successfully “phish” your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email.

Wikipedia has a longer version providing an overview of Phishing;

http://en.wikipedia.org/wiki/Phishing

This is actually a pretty good article covering a brief history of Phishing, various Phishing techniques, and some prevention / anti-Phishing tools and techniques.

I then went onto cover some further terminology around different types or developments of Phishing that have dramatically improved its effectiveness;

Phishing began as very generic, spam like emails.  These have over time become much more realistic and targeted in order to improve the chances of success for the attacker.  Various terms have been coined to describe these more targeted attacks;

•Spear Phishing refers to attacks targeted at specific individuals or groups of individuals such as employees of a company.  Attackers will gather personal and / or company specific information in order to improve their chances of success.

•Clone Phishing is where a legitimate email that contains attachments or links is cloned / copied, but with malicious attachments or links.  This exploits the trust that may be inferred from the email coming from a seemingly legitimate source.

•Whaling is a term for phishing attacks specifically targeting only very senior company executives.

•A further term recently coined in a blog post by Bruce Schneier was ‘laser guided precision phishing’ when describing some recent advanced phishing attacks.  The clear message is that these are getting better and harder to spot all the time, and these attacks are seldom stopped by technical means;

–“Only amateurs attack machines; professionals target people”

Basically Phishing continues to evolve with attackers spending time to do recognisance on higher value targets to make the attacks look as realistic as possible in order to increase their success rate.

The final part of the presentation covered some of the methods that can be employed to reduce the risk from Phishing attacks;

•Security / Phishing awareness and training.

–Phishme (or similar service) – this has a great success rate with figures such as 60% of users clicking on Phishme email links reducing to <10% after a few cycles.

–Broader training – regular communications from our department around security awareness and things to look out for.

•Make emails from external sources more obvious, such as by changing the display name on internal emails.

–This helps improve vigilance, however so many emails are received from external sources the benefit it likely limited.

•Disable links and attachments in emails from external sources

–Likely impacts many business processes, is a white list of all ‘trusted’ email sources feasible or maintainable?

•Ensure any heuristic and zero day type protections are functioning as designed to provide maximum protection from bespoke and new attacks.

•Enforce ‘least privilege’ – no users log onto any machine with administrative or root privileges, always use ‘Run As’ or Sudo for any actions requiring elevated privileges

•Ensure any browsers in use are kept up to date with any anti-phishing add ins / tool bars installed and functioning

•Black / White listing of acceptable sending domains.  White listing is more cumbersome, but more effective, black listing is easier (as with most security technologies) but less effective as it can only block known bad sites / domains.  Neither of these techniques will stop spoofed emails or emails from compromised ‘good’ sites / domains.

•Become involved with organisations / forums such as the Anti Phishing Working Group; http://www.antiphishing.org/

In conclusion I would wholly recommend a solid defence in depth strategy for your organisation when it comes to security tools and strategy, but I would also say that user training is a key component of reducing the risk from Phishing; if not the most critical component.

A great way to learn more, and help improve anti-phishing techniques is to get involved with organisations such as the Anti Phishing Working Group (link above).  They also offer some useful anti-phishing training.

It would be great to hear your thoughts on Phishing, and the user training vs. technical controls debate.

K

Gone to the dark side..

Of companies and operating systems..  As a long term Window and Linux user with very little experience of Macs I recently made the move to the word of Apple.  While this is outside of the scope of my usual posts that tend to relate to enterprise security and architecture, I thought I would share as this is a pretty fundamental shift in my personal computing world.

I’m still not a fan of Apple as a company as I’m fundamentally against the whole ethos of locking people into a specific ecosystem with the clear intention of letting you only use that companies products and making it very hard to shift away once all your music etc is in iTunes / iWhatever.

However as a piece of hardware I totally love the Mac Book Pro, and the retina screen is amazing.

First impressions of the O/S are that it is OK, I seem to be getting around alright, and the ability to drop to a Linux command line is a great help.  The multi touch mouse pad is excellent, as is the ability to use it to ‘right click’ on links etc.  which is a great help!

So far I’ve installed Chrome, M$ office for Mac, Parallels, VLC, a few utilities and photo editing software.

I’m also pleasantly surprised by the battery life, given that this is a fairly powerful i7 CPU, Nvidia graphics (with automatic switching to Intel) etc.  even with the screen reasonably bright, and running a couple of virtual machines it still lasts several hours on the battery.

Overall so far very impressed, amazing screen, excellent battery life, great performance even when running multiple VMs, I think in part due to the decent SSD, and all in a lovely, relatively light weight aluminium package.  As mentioned still not really a fan of Apple as a company, but then how many large profit driven businesses really care about anything other than maximising profit? But I am a convert to the Mac Book as a useful and great to use tool.

I’ll likely post the odd update during the year as I get more used to the O/S and start exploring the performance and features of the device.

K

13 Security Myths Busted.. My thoughts.

I was recently sent a link to an article covering what were described as ’13 security myths – busted’ and asked my opinion.  As it was a fairly light and interesting I thought I would share the article and my thoughts;

The original article can be found here;

http://www.networkworld.com/slideshow/86918/13-of-the-biggest-security-myths-busted.html?source=NWWNLE_nlt_afterdark_2013-02-21

Have a read of the myths and why they thin they are myths, read my thoughts below, and it would be great to hear your thoughts.

1. AV – Possibly not super efficient, but I think still necessary – they kind of mix apples and oranges with the targeted attack comment, as it is not designed for that, but it still prevents the vast majority of malware, and general attacks.  Possibly and an environment where literally no one runs with admin privileges and there is strong white listing you could do without AV, but generally I’d say it is still relevant and required.

2. This one is hard to know as there is so much FUD around.  It is clear that in many circumstances (stuxnet etc, Chinese APT , US government espionage etc.) that governments are investing huge sums of money and employing extremely bright people to attack and defend in cyber land.  I suspect much will never be known as the NSA / Mi6 / <insert secret government money pit here> are by definition very secretive.  Remember all the speculation around the NSAs ability to crack encryption in the past..

3. Totally agree – just look at most businesses and the trouble they have getting control of authentication via AD / IAM.  However, many are moving in the right direction though so maybe soon we’ll have everything in IAM and / or AD..

4. I think this one proves itself incorrect in the text – Risk management is needed, you just need to work on understanding your adversaries and the actual risks you face, which includes understanding their motivations and the value they place on your data and IP.

5. This I totally agree with.  I have already highlighted I don’t really like the fact we as an industry use the term ‘best practice’ all over our standards and policy documents etc – who defines what it is? Is it best in any specific environment with it’s support skill sets and technology stack etc?

6. Half agree they are a fact of life, however you can have effective responses and strategies around privilege control and application controls etc. to massively mitigate the risks these pose.

7. I can’t comment on this one, but most national infrastructures are inadequately protected and tend to rely on old legacy systems for many of their functions so this is probably try in the UK for much supporting infrastructure as well.

8. Completely agree with this.  Compliance is a useful checklist, but compliance with standards should be a by product of good secure design and processes, not something we strive for as a product in itself.  If provides a driver but is very much the wrong focus if you want to be secure rather than compliant.

9. Agree – CISO may own security policy and strategy etc., but security is everyone’s problem and everyone should be accountable for performing their duties with security and security policies in mind.  I’m a big fan of security awareness training as a regular thing to help educate people and keep security at the forefront of the way we do business.

10. Likely has been true, in the same way as Mac / Linux are ‘safer’ than Windows, as it has not been the focus of as much malicious attention and has not been carrying as much functionality and valuable data.  This is rapidly shifting though as we rely more and more on mobile devices for everything from banking to shopping to actual business.  So I think this one is rapidly if not already becoming a myth.

11. Agree – you can likely never be 100% secure if you want to have a life or business online.  I think it was an American who coined ‘eternal vigilance is the price of freedom’  we should work to be secure, but freedom both individually and as a business is too important and hard won to give up.  Obviously some personal freedoms to do whatever you want with corporate devices have to be given up, but I think my point stands as a general concept.  As the guy in the article says (and I do above) work to understand your adversaries, their motivations and tools.

12. Agree with this one also – continuous monitoring, trending and learning are key to understanding and preventing or at least capturing todays advanced long term threats such as APTs.

13. I agree with this final one as well, and have actually blogged about this before.  We live in an ‘assume you have or will be breached’ world.  Put the detective measures and controls in place to ensure you rapidly detect and minimise the damage from any breach.  Read last years Verizon data breach report..

It would be great to hear your thoughts on this light article.

K

Been a while.. and 2013 plans

I realised it has been getting on for three months since my last blog post.. Getting back into writing posts has been on my mind for a few weeks, but things in life have been extremely hectic recently!  Briefly life has involved getting engaged, planning a rather cool wedding and honeymoon, redecorating an entire house, and not to mention starting a new job.

Work wise I am now a Senior Security Architect for WorldPay which is pretty much exactly the role I have been aiming to get for some time.  As with most roles the first few weeks have been a hectic time of getting to know the company, policies and processes, people as well as rapidly picking up constructive work.

I thought I’d start this years blogs with an overview of some of my plans relating to work and learning for 2013.  Obviously as it’s now nearly the end of February I am using ‘start’ or the year fairly loosely!

So looking ahead for the year, what are my plans / projects for 2013?

1. Complete my Masters project;  Due to everything that has been happening I requested as have been granted an extension until May of this year to complete my project.  I have completed and passed the rest of my Masters, so this is the final piece between me and being awarded the post graduate degree.  With continuing to get to grips with my new role and everything else that is going on, this will be a challenge, but something I need to complete.

2. Improve my knowledge of secure, always available multi-site data centre networking; Network security is one of my key focus areas, and this links nicely with the environment I am currently tasked with ensuring the security of.

3. Continue to lead and contribute to the Cloud Security Alliance Security as a Service working group.  This has become a major project for me that I have been leading for nearly a couple of years now.  This is another one that also ties in nicely with my WorldPay role as I will also be covering cloud security and strategy as one of my responsibilities.

4. Various smaller / side tasks including getting round to taking my TOGAF exam, attending various useful industry conferences such as RSA and Infosec (work budgets permitting of course), along with being successful in my new role and progressing at WorldPay.  This may of course lead to further projects this year depending on the tasks I need to achieve as part of my role, I’ll obviously keep you posted around any of these I can publicly discuss.

I’ll keep you all posted with my progress around these projects / tasks, along with other interesting things that happen during the year.  Hears to a productive and interesting 2013.

K

Upcoming webinar- The Perfect Storm: Managing Identity & Access in the Cloud

I will be leading an up coming webinar on Identity and Access Management (IAM) in the Cloud titled;

The Perfect Storm: Managing Identity & Access in the Cloud

In this webinar and panel discussion we will talk about the key issues surrounding the people, processes and systems used to manage applications and data in the cloud.  Topics covered will include;

  • Trends complicating secure cloud use;
  • Risks of unauthorized access, identity theft and insider fraud;
  • Challenges to IAM in the cloud;
  • Unique IAM considerations in the cloud;
  • Cloud features and functionality to improve IAM;
  • New approaches, including effective policy enforcement and the benefits of single sign-on;
  • Q and A panel session after the initial presentations.

This webinar is to be hosted by Tom Field of the Information Security Media Group, and we will by joined by thought-leaders from security vendors Ping Identity, McAfee and Aveksa, who will weigh in on how new cloud security solutions can help organizations improve IAM, as well as compliance, provisioning and policy management.

This should be a great presentation and discussion so please do register to view and participate;

http://www.bankinfosecurity.com/webinars/perfect-storm-managing-identity-access-in-cloud-w-303

The webinar will be first shown on Thursday 20th December 2012.  I hope to see you there!

K

Cloud Security Alliance Congress Orlando 2012 pt5 – closing keynote

Closing Keynote – State of the Union

Chris Hoff, who is the author of the Rational Survivability blog, gave a great closing keynote covering the last few years via his previous presentation titles and content.  I can recommend reading / viewing the mentioned presentations.  This was followed by a brief overview of current issues and trends, and then coverage of upcoming / very new areas of focus we all need to be aware of.

What’s happened?

2008 – Platforms dictate capabilities (security) and operations – Read ‘The four horsemen of the virtualisation security apocalypse’

–          Monolithic security vendor virtual appliances are the virtualisation version of the UTM argument.

–          Virtualised security can seriously impact performance, resiliency and scalability

–          Replicating many highly-available security applications and network topologies in virtual switches don’t work

–          Virtualising security will not save you money.  It will cost you more.

2009 – Realities of hybrid cloud, interesting attacks, changing security models – Read – ‘The frogs who desired a king – A virtualisation and cloud computing fable set to interpretive dance’

–          Cloud is actually something to be really happy about; people who would not ordinarily think about security are doing so

–          While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices

–          Sure bad things will happen, but really smart people are engaging in meaningful dialogue and starting to work on solutions

–          You’ll find that much of what you have works.. Perhaps just differently; setting expectations is critical

2010 – Turtles all the way down – Read – ‘Cloudifornication – Indiscriminate information intercourse involving internet infrastructure’

–          Security becomes a question of scale

–          Attacks on and attacks using large-scale public cloud providers are coming and cloud services are already being used for $evil

–          Hybrid security solutions (and more of them) are needed

–          Service transparency, assurance and auditability is key

–          Providers have the chance to make security better.  Be transparent.

2010 – Public cloud platform dependencies will liberate of kill you – Read ‘Cloudinomicon – Idempotent infrastructure, survivable systems and the return of information centricity’

–          Not all cloud offerings are created equal or for the same reasons

–          Differentiation based upon PLATFORM: Networking security, Transparency/visibility and forensics

–          Apps in clouds can most definitely be deployed as securely or even more securely than in an enterprise

–          However this often required profound architectural, operational, technology, security and compliance model changes

–          What makes cloud platforms tick matters in the long term

 2011 – Security Automation FTW – Read ‘Commode computing – from squat pots to cloud bots – better waste management through security automation’

–          Don’t just sit there: it wont automate itself

–          Recognise, accept and move on: The DMZ design pattern is dead

–          Make use of existing / new services: you don’t have to do it all yourself

–          Demand and use programmatic interfaces from security solutions

–          Encourage networks / security wonks to use tools / learn to program / use automation

–          Squash audit inefficiency and maximise efficacy

–          DevOps and security need to make nice

–          AppSec and SDLC are huge

–          Automate data protection

2012 – Keepin it real with respect to challenges and changing landscape – Read – ‘The 7 dirty words of Cloud Security’

–          Scalability

–          Portability

–          Fungibility

–          Compliance

–          Cost

–          Manageability

–          Trust

2012 – DevOps, continual deployment, platforms –  Read – ‘Sh*t my Cloud evangelist says …Just not to my CSO’

–          [Missing] Instrumentation that is inclusive of security

–          [Missing] Intelligence and context shared between infrastructure and application layers

–          [Missing] Maturity of “Automation Mechanics” and frameworks

–          [Missing} Standard interfaces, precise syntactical representation of elemental security constructs

–          [Missing] An operational methodology that ensures and commone understanding of outcomes and ‘agile’ culture in general

–          [Missing] Sanitary application security practices

What’s happening?

–          Mobility, Internet of Things, Consumerisation

–          New application architecture and platforms (Azure, Cloud foundry, NoSQL, Cassandra, Hadoop etc.)

–          APIs – everything connected by APIs

–          DevOps – Need to understand how this works and who owns security

–          Programmatic (virtualised) Networking and SDN (Software Defined Network)

–          Advanced adversaries and tactics (APTs, organised crime, nation states, using cloud and virtualisation benefits to attack us etc.)

What’s coming?

–          Security analytics and intelligence – security data is becoming ‘big data – Volume. Velocity. Variety. Veracity.

–          AppSec Reloaded – APIs. REST. PaaS. DevOps. – On top of all the existing AppSec issues – how long has the OWASP top threats remained largely unchanged??

–          Security as a Service 2.0 – “Cloud.” SDN. Virtualised.

–          Offensive security – Cyber. Cyber. Cyber. Cyber…  Instead of just being purely defensive, do things more proactive – not necessarily actually attacking them, can mean deceiving them to honeypots / honynets, fingerprinting the attack, tracking back the connections etc. all the way up to actually striking back.

Summary;

–          Public clouds are marching onward; Platforms are maturing… Getting simpler to deploy and operate and the platform level, but have heavy impact on application architecture

–          Private clouds are getting more complex(as expected) and the use case differences between the two are obvious; more exposed infrastructure connected knobs and dials

–          Hybrid clouds are emerging, hypervisors commoditised and orchestration / provisioning systems differentiate as ecosystem and corporate interests emerge

–          Mobility (workload and consuming devices) and APIs are everywhere

–          Network models are being abstracted even further (Physical > Virtual > Overlay) and that creates more ‘simplexity’

–          Application and information ‘ETL sprawl’ is a force to be reckoned with

–          Security is getting much more interesting!

This was a great wrap up highlighting the last few years’ issues, how many of these have we really fixed?  Along with where we are now, and a nice wrap up of what’s coming up.  Are you up to speed with all the current and outstanding issues you need to be aware of?  How prepared are you and your organisation for what’s coming up?  Don’t be like the 3 monkeys.. 😉

While the picture is complex and we have loads of work to do, Chris’s last point aptly sums up why I love security and working in the security field!

Lastly, have a look at Chris’s blog; http://www.rationalsurvivability.com/blog/ which has loads of interesting content.

K