RSA conference Europe Wrap Up / Final Thoughts

I’ll keep this relatively brief as I have already covered this conference in some detail while blogging live from the event.  I think the write-ups ended up around 12000 words in total across the three days!  I hope you have managed to read those covering content that was of interest to you – there was certainly a lot of information there that I found useful!

As usual with conferences like this, some of the presentations had a slight vendor bias, a prime example being companies like EMC championing the need to prioritise spending from limited security budgets on more advanced tools for detecting and preventing longer-term advanced threats (Advanced Persistent Threats – APT) at the expense of older, more stable technologies such as AV.  EMC is currently selling and promoting products in this area.  This was followed by Symantec, who obviously highlighted that they think AV is still critical and should continue to be invested in, unsurprising as anti-virus / anti-malware is still one of their key products and revenue streams.

On this point I fall between the two in that I completely agree AV is still important, but due to the maturity of the market and the quality of most products you should be looking to drive costs down in this area while still maintaining an acceptable level of quality.  By managing costs in established areas and looking for endpoint solutions that cover multiple vectors such as AV, firewalling, DLP etc., you should hopefully be able to free up budget to invest in some of the newer, more advanced tools or to improve key areas such as your log monitoring and correlation capabilities.

Overall the presentations remained fairly vendor neutral and contained loads of useful content.  Highlights for me included;

–          Wireless hacking demos

–          Man in the browser demos

–          Discussion around the state of the industry

–          Presentations on building a cyber-security capability and improving the way we in security can interact with the business

–          Presentations on the threat landscape

All of which were covered in the conference blog posts.

To wrap up my commentary on the conference, I’ll finish with a few of what were, for me, the key take-away points;

–          Understand your environment and your industry – where is your data, what are your important assets and what are the key threats to your organisation?  If you don’t know this, how can you know what to protect and how?

–          Following on from that, make sure you are protecting the right things, and to the correct level.

–          Read useful reports such as the Verizon breach report – the data is frankly eye-opening if you are not yet aware of how long most breaches take to be discovered and how poorly protected many businesses are (416 days and likely to rise).

–          Become better at interfacing with the business – it is our job to make sure the decision makers at the highest level are aware of the risks and what they mean to our business / organisation.  Board-level executives may choose to accept or ignore risks, but they should do so with a full awareness of the threat landscape and our risks.  If the business / the board are unaware of the risks to the environment, this is 100% our failing.  If they accept a risk and we are breached, it is on them: they accepted the risk(s) with the awareness that they may be exploited.  If your organisation is exploited and the board / business were unaware, then it is on us.

–          Finally, it reminded me how much I love IT security and creating secure solutions and environments!  Take pride in what you do and do it well; jobs, money and people’s identities rely on us doing this right.

As always, feel free to ask if you want any more information, I’m more than happy to evangelise on these topics!

K

RSA Conference Europe – Cybercrime, Easy as Pie and Damn Ingenious

James Lyne, Director of Technology Strategy, Sophos

Sophos currently sees >200,000 individual pieces of malicious code every day.

Cybercrime is becoming very professional, with easy-to-access tools;

Sites exist for testing and quality assurance of malware, e.g. www.virtest.com – this site scans your malware with multiple (44) different anti-virus products to see if it is detected.  The benefit of this service is that it uses the vendors’ AV engines and signatures.  The site carries the assurance that no results will be sent back to the vendor or shared in any way, so you can be assured that your malware will not be added to existing malware databases.

Another example is Gwapo, which has YouTube videos advertising their DDoS service.

Ransomware is also becoming common, with malware that encrypts your drive(s) and requires payment to decrypt them.  Some ransomware is a lot scarier and more malicious, with threats that illegal content such as child pornography is encrypted on your computer and that if you don’t pay within xx hours or days the police will be sent details of how to decrypt it.  Ransomware can be particularly harmful and effective as it does not require administrative access; for example, if you have access to company files etc. they can be encrypted with your limited access.

You can easily get access to ‘crime-packs’ containing various exploit and attack tool kits.  Examples include Firepack, ice-pack, crimepack, blackhole etc.  Some of these even come with CR tools built in!  Additionally, in keeping with the times, some are available as cloud-based services that you can subscribe to.  Many come with technical support contacts as well.

The tools have very simple GUI-based interfaces for creating your own malware based on existing payloads etc.  They are also very regularly updated with new code and make use of polymorphism to try to evade detection.

As an example, Blackhole has features such as;

–          Blacklisting / blocking to try and prevent researchers from security companies accessing the application and infected machines

  • Only hit IPs once
  • IP blacklist
  • Referrer URL blacklist
  • TOR blacklist
  • Import blacklisted ranges (e.g. from cloud services)

–          Auto updating / patching

–          Can target multiple client vulnerabilities simultaneously

–          Java 0-days almost as soon as they were available

–          AV scanning add-ins to check if the attack is being identified by host AV systems

A few comments on adopting a more ‘offensive’ stance: this is a grey area and may be legally questionable in some jurisdictions, so you should be careful when looking at these options.  Some options, in order of escalating scale;

–          Bit of poking – DNS, name servers and ‘affiliations’

–          Web bug, image or alike

  • Pretty easy to legally get away with
  • Sadly basic information

–          Javascript. Web Shell. Querying more information

  • Borderline, depending on your jurisdiction

–          Full hog – exploitage

  • Oh, you didn’t patch Java in your system either? – use the attacker’s exploit, in this case Java, against their own Java-based site / application
  • Where they are, what they are doing.

Two steps forward...  Using IPv6 as an example, many machines now have IPv6 on by default, and a simple router flood attack available in current BackTrack etc. can max out the CPU and even crash the machine.  You may not care about IPv6 yet, but if you are not disabling it or securing it you could be opening up new attack vectors in your organisation without realising it.  The message again is to understand your environment and the risks you face.
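As an added example of the ‘disable it or secure it’ advice above (my own script, not from the talk or the original post), assuming the flood in question abuses unsolicited IPv6 Router Advertisements and the hosts are Linux: it audits a constructed `sysctl` listing for interfaces that still process RAs while IPv6 is enabled, and emits the sysctl.d lines that close the gap.  The interface names and values in the sample are made up.

```shell
# Constructed sample of `sysctl net.ipv6.conf` output (not captured from a real host).
# accept_ra: 0 = never process RAs, 1 = process when not forwarding, 2 = always.
SAMPLE_SYSCTL='net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 2
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.mgmt0.accept_ra = 0
net.ipv6.conf.mgmt0.disable_ipv6 = 1
net.ipv6.conf.lo.accept_ra = 0'

# ra_exposed_ifaces SYSCTL_TEXT
# Prints, one per line and sorted, every conf entry (interface, plus the
# "all"/"default" templates) that still accepts Router Advertisements on a
# stack where IPv6 is not disabled. Those are the entries an RA flood can
# drive to add routes/prefixes until the CPU is saturated.
ra_exposed_ifaces() {
    printf '%s\n' "$1" | awk '
        /^net\.ipv6\.conf\.[^.]+\.accept_ra = / {
            split($1, p, "."); ra[p[4]] = $3        # p[4] is the interface name
        }
        /^net\.ipv6\.conf\.[^.]+\.disable_ipv6 = / {
            split($1, p, "."); off[p[4]] = $3
        }
        END {
            # No disable_ipv6 line means IPv6 is still on for that entry.
            for (i in ra)
                if (ra[i] != 0 && off[i] != 1) print i
        }' | sort
}

# hardening_fragment IFACE
# Emits the /etc/sysctl.d lines that stop IFACE acting on RAs without
# turning IPv6 off entirely (the "secure it" option).
hardening_fragment() {
    printf 'net.ipv6.conf.%s.accept_ra = 0\n' "$1"
    printf 'net.ipv6.conf.%s.accept_ra_defrtr = 0\n' "$1"
}

# Stand-alone run: report the exposed entries and the fix for each.
for iface in $(ra_exposed_ifaces "$SAMPLE_SYSCTL"); do
    echo "# $iface still accepts Router Advertisements:"
    hardening_fragment "$iface"
done
```

On a real host, feed `sysctl net.ipv6.conf` output into `ra_exposed_ifaces` instead of the sample; on hosts that genuinely do not need IPv6, `disable_ipv6 = 1` is the simpler answer.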

Key take away points from this talk are;

–          Consider upcoming technologies even if you are not using them yet

–          Consider any investigative / offensive moves very carefully

  • I’d recommend improving your forensics capabilities, gather solid, admissible evidence to hand to legal investigators

–          Watch the basics

  • Assumptions kill us
  • Yes people can be that silly

–          Everything in moderation – Hype hurts

On a closing note, the tools and sites mentioned in this post are real and currently accessible.  Search for and use with care and at your own peril!

K

RSA Conference Europe 2012 – Moving your SOC beyond the bloatware

Talk from Amit Yoran of EMC/RSA.

SOC in the title refers to Security Operations Centre.

Everything is evolving;

–          Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations

–          Data is evolving rapidly – explosive data growth, big data

–          Threats are evolving rapidly, with actors from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – hacktivists) to nation states.

Existing security systems are ineffective;

–          Signature-based – everything from AV to anti-spam to firewalls to IPS tends to look for known things and behaviours (signatures)

–          Perimeter orientated – firewalls, IDS / IPS, router security etc. still make up much of the focus.  We are becoming more and more porous or boundary-less.

–          Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long.  How do we reduce this attacker free time or dwell time?

Focus needs to shift from ‘I will stop breaches’ to ‘I will be breached, so how do we manage this and prevent / minimise damage?’

He identified four impediments to changing the current situation;

–          Information deluge – too much information

–          Budget dilemma – so much hype and marketing, what do I spend limited budget on?

–          Cyber security talent – what talent do I have in my organisation, how do I leverage it, and how do I scale the limited number of very talented people’s reach to work for the whole organisation?

–          Macro situational awareness – how aware am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but has limited ability to deal with the complex, multi-faceted attacks of today.  Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like?  This is much more complex than just checking whether a login is valid; ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.

Traditional SIEM is not enough –

–          Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools

–          Cannot fully investigate exfiltration or sabotage of critical data

–          Issues with scaling to collect, sort, and analyse large enough data volumes

Need better security analytics!

Incident response lessons learned;

–          Stop doing things that provide little value

–          Focus on securing the most important material assets to the enterprise and understand their risk exposure from people to processes to systems to data

–          Obtain a deeper visibility into what is happening on the network and what is known about the organisation and its users

–          Collaborate in real time with others more effectively and gain actionable intelligence

–          Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make them valid and don’t tune behaviour just to do well on the ‘test’!

Security operations require;

–          Comprehensive visibility

–          Agile analytics

–          Actionable intelligence

–          Optimised incident management

How do we improve understanding and analytics?

–          Security Analytics Warehouse

Scalable, centralised data warehouse for long-term data retention and deep intense analysis.

Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

Allows us to move to ‘active defence’, which gives the user the ability to take action or automatically remediate common functions.  This turns a passive system into an active one, largely using existing infrastructure.  In turn this fuels actionable and effective workflows for the SOC.

Interestingly, this talk links back to those on SOA and big data from the service technology symposium; both identify the need to manage and analyse big data in real time or as near to real time as possible.  These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions.  Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved.  Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC, there were hints of their products, but none mentioned and no sales pitch.

K

RSA Conference Europe 2012 Keynotes; day one part one

The first two keynotes were from RSA and were both very interesting with a LOT of valid points;

Keynote 1 – Art Coviello, Executive Chairman RSA.  Titled ‘Intelligence-driven security: The new model’

The vast majority of security spend is still for edge security and edge focussed monitoring, which is failing in this open world where attacks and breaches are to be expected.

Currently many people think that the security risks are overhyped, but is this true?  Organisations don’t like to reveal that they have been breached, so how many breaches go unreported?  The Verizon survey has also revealed that the majority of breaches go undetected for a long time, if they are ever caught.  So how many organisations have been breached without even knowing it?  This was referred to as ‘the PR gap’: the tip of the iceberg is what is known, but the massive, unknown underwater part of the iceberg is the reality.

We must gain a better understanding of the situation.  How mature and sophisticated is your organisation’s security?

He proposed four levels of cyber security;

  1. Control – these likely have already been hacked and just don’t know it!
  2. Compliance – likely heavily regulated, but focused on compliance and tick boxes rather than strong governance leading to compliance.  Often caused by management and budgetary pressures
  3. IT risk – good understanding of IT risk, only slightly behind 4, but more tactical and IT focused than strategically aligned with the business.
  4. Business risk – This is where you should aspire to be, security fully aligned and working with the business, leveraging technology and processes in line with business strategy.

How do we get there? – Understand the issues;

–          Budget – pressures, how to best use it, how to justify it and highlight benefits and business cases

–          Security Talent – ensure your team is as good as it can be: are they passionate and engaged, and do they have an understanding of your industry?  The right team will drive security benefits and change, not just sit back, tick boxes or point further up the chain for reasons they are not acting.

–          PR Gap – explained above

–          Privacy Regulations – understand the regulatory environment your business is operating in.

Keynote 2 – Tom Heiser – President RSA – Intelligence Driven security.

–          Reconsider – our risks.  Move to a risk based approach to security. Understand regulatory challenges to this approach

–          Rethink  – Detection strategies and deploy continuous monitoring.

–          Harden Authentication and tighten access controls

–          Educate.. Educate.. Educate.. – Users, staff, regulators, media, auditors.  Obviously your business will focus on your staff and users, but the security industry also needs to get better at the wider piece.  Consider cyber security education around risks and phishing etc.  This point resonated with me as I come from an environment where we had various security awareness strategies from awareness weeks to educational phishing emails, and I have proposed this approach to my current employer.

Inevitability of compromise – does not equate to accepting loss – new tactics and tools.  Moore’s law can apply to criminals as much as to processors – criminals have more and more tools; last year’s military-grade attack is this year’s scripted attack tool in the wild.  For example, Stuxnet-derived attacks have been found in the wild and used against banking customers.

Improved monitoring and understanding will reduce ‘dwell time’ – how long the criminals can reside on your network.  If we assume breaches will occur (and they will), then minimising this dwell time is key to minimising risk.

This does require new tools.  Consider how we re-distribute budget spend.  Reduce spend on lower-value services and premium-priced tools such as AV and perimeter security.  Re-allocate spend to more advanced security solutions.

How do we access security knowledge?  How do we share information?  How do we ensure we protect privacy while we do this?  Currently nation states and criminals have much, much better intelligence and information sharing processes than legitimate governments and organisations.

We need standardised ways to share information, ideally at machine speed – ‘standardised share act’.  This must be understood and driven from board level down; we as a security industry need to ensure we educate the board in business terms around policy and business risk.  How much does your board currently know about your organisation’s security stance and the risks you currently face?

We also need to be mindful of managing compliance and risk.  Just focusing on compliance does not necessarily reduce risk.  Remember the criminals can read the same compliance requirements you are meeting, so they know exactly what you are doing if you do not have a risk management / security program in addition to just meeting regulatory and compliance requirements.  This can be a challenge given the volume of compliance projects and budgetary constraints in many organisations, but needs to be considered.

We need a more proactive stance that focuses on intelligence, understanding, and education from user to board level.

Keynote ended with some comments on new RSA products and tools.

I really liked both of these talks, and think we really need to consider the points raised.

K

RSA Conference Europe 2012 – first impressions

As we sit down for the conference introduction and first keynote speeches I thought I’d share my first impressions of the conference.

This is certainly a much slicker and more professionally run event than the service technology symposium I recently attended.  Given the size of both the organisers (RSA / EMC) and the exhibitors (Microsoft, Symantec, Qualys etc.) this is, I suspect, to be expected.  The only blight on the event for me so far was my mistake of buying a ridiculously overpriced Costa coffee (£4.40 for a regular latte, anyone?) when I could have grabbed a free one outside the keynote room!  So the first lesson of the day is never use a Costa that is in a hotel... and they don’t even give you points on your Costa card...

Onto more interesting matters: there are a lot of great keynotes and presentations lined up over the next 3 days, with keynotes from heavyweights such as Bruce Schneier and Jimmy Wales, presentations covering everything from secure agile development to in-depth research into recent hacks, book signings and even a hacktivist movie on Wednesday evening.

In a similar manner to my last conference I’ll provide overviews of the days along with more in depth details of some of the better / more interesting talks.  Look out for several upcoming posts on the themes of the conference!

K

News and upcoming events

There are quite a few interesting, and for me exciting, things coming up over the next couple of months so I wanted to provide a brief update around these and some upcoming posts I’ll be making;

1.  I’ll be speaking at the CSA summit at RSA Europe!  This is a cloud security event on the afternoon of Monday 8th October, just prior to the main conference.  I’ll be giving a presentation about SecaaS (Security as a Service) and the SecaaS working / research group covering research we have done, the previous and recent publications and where we plan to go next.  The talk may be recorded, if it is I will post a link to it here, and I’ll also be uploading my slides.  The list of speakers and more information about the event can be found here;

https://cloudsecurityalliance.org/events/csa-summit-at-rsa-europe-2012/#_speakers

2.  I’m attending the Service Technology Symposium in London on the 24th-25th September; this is an annual event covering various aspects of Cloud, SOA (Service Orientated Architecture) and Service Technologies.  Examples of the conference tracks include;

– Cloud architecture and patterns

– Enterprise Cloud architecture

– Service Engineering

– Governance frameworks

– REST and web services

I’ll likely be following various portions of the tracks relating to cloud architecture, patterns and governance.  Expect various posts relating to what is discussed.

3.  I am attending the RSA conference Europe in London from the 9th through the 11th October.  This year’s conference heading is ‘The Great Cipher; Mightier than the Sword’.  The premise of this is that sharing knowledge and learning at events such as this is the key to staying ahead of the bad guys.  There look to be loads of great talks from people like Bruce Schneier et al; again, look out for various posts on what I learn and what is discussed during this conference.

4.  Security as a Service Implementation Guidance v1.0 is about to be published.  10 documents covering each of the 10 categories of service we identified last year are going to be published any day now.  This has been a pretty large undertaking, bringing a disparate group of predominantly volunteer contributors together across the 10 different subject areas to produce a (relatively) coherent whole!  Although this is just v1.0 and will likely receive various updates, it is a great step forward for anyone wanting to implement or just better understand Security as a Service.  I’ll provide an update post when these are officially out the door and available for public download.

And of course my Masters and the next steps of the SecaaS research group will also be continuing.

Lots coming up; keep checking back!

K

Attack Mitigation – Assume the worst

I have recently been catching up on what was happening at the RSA conference in San Francisco this year and what some of the key security trends are.  One thing that has jumped out is the move from ‘we can protect you’ to ‘you are or will be hacked, so what can we do to mitigate the damage and catch the malicious individual or group?’

This has been coming for a few years with the increasing use of cyber-warfare by governments and the military, and the emergence of APT (Advanced Persistent Threat), where well-funded criminal gangs will expend a lot of time, money and skill to gain long-term and potentially subtle footholds in company systems.  These factors, along with all the ‘standard’, existing threats and the continued success of social engineering attacks such as phishing, have led many security leaders to suggest that you have likely already experienced a breach and you will, not may, experience breaches in the future.

This is backed up by research from the Ponemon institute that suggests 70-80% of organisations have experienced a data breach within the last 20 months.

So in addition to the standard perimeter and control type solutions there are now vendors and consultancy firms offering solutions to limit the damage that occurs when these preventative measures fail, and at the same time capture as much information as possible to aid in the tracking down and capture of the attacker(s).

This is an interesting wake-up call for both the security industry and all companies – the protective measures we have relied upon for years work, but they are far from infallible and will fail when faced with a concerted effort or a duped user who already has system access.

A couple of interesting references covering this in more depth;

Dark Reading – http://www.darkreading.com/advanced-threats/167901091/security/news/232602708/security-s-new-reality-assume-the-worst.html

Bruce Schneier – http://www.schneier.com/blog/archives/2012/04/attack_mitigati.html

The Dark Reading article is particularly interesting, and it’s well worth reading both sections.

Remember – your company’s systems will be breached.  What will you have in place to minimise the damage and assist in preventing the attackers from doing the same to more organisations?

K