RSA Security Summit London April 2014 – Keynote 2

The second keynote today was given by Dave Martin, VP & Chief Security Officer – EMC.

Tales From The Front Lines: Actionable Strategies for An Intelligence-Driven Security Program

This was a pretty good talk, covering at a high level a lot of topics;

The gap continues to widen!

–          Business wants faster, more agile, cheaper

  • But ‘keep us safe’
  • IT is not the only partner
  • IT is having an identity crisis (business can launch IT systems vis SaaS / PaaS etc without needing traditional IT involvement)
  • IT foundations are shaky

–          Technology change is relentless

  • Mobile, cloud, big data
  • Platforms, M&A

–          Changing compliance and standards

  • Privacy
  • Critical infrastructure

–          Attackers are getting smarter, sharing

  • Better and sharing than companies / law enforcement especially across geographic and political boarders
  • Training each other
  • Sold and free tools

Complexity will be the rule

–          Software defined Networks, data centres, everything!

–          Mobile really will be first – Pervasive access to everything, from everywhere, from everything

–          BYO… Device, Network, Data, Analytics, … Security

–          Commercial internet of things – everything from printers to vending machines want wired or wireless network and internet access.

Big is going to get bigger!

–          If you are not there already data is going to get big

  • Are you ready for this?

–          Traffic volume is going to get big

  • Can you build a big enough gateway?
  • Can you afford the internal bandwidth?
  • Will you see the traffic?
    • Will you be able to analyse and understand it??

You may hear that bandwidth is cheap, but can we scale it enough?

Monitoring and securing large bandwidth is not cheap – do your security and monitoring devices scale enough?

Can you really analyse and understand all the traffic?

What is normal?

What is abnormal / malicious?

How much traffic circumvents the main business gateways?  User with 3/4g modems, users working on their own devices connecting to cloud services?

 

The ‘Kill Chain’ now has a bad ending;

–          Recovering from a disruptive attack will mean going far beyond traditional resiliency

–          They will know your DR; failover is not enough!

–          How will you rebuild, restore when;

  • Your primary and DR is gone
  • 75% of your endpoints
  • DNS? AD?
  • Data is corrupted / compromised and this corruption is replicated to the DR copies

 

Ways to stay ahead..

Or maybe how not to drown!

Establish core tenets;

–          Traditional weapons are not going to work

  • Don’t be the cavalry, those are tanks

–          Raise the bar and don’t make it easy

–          Prevention in small doses, detection is key

–          What gives you visibility; makes you stronger (collect and analyse data)

–          When you detect, response is key (strong incident response process)

Be thoughtful and surgical;

–          Think closely about control decisions

  • What other behaviours are you encouraging or creating?
  • Are they worse than the original risk?
  • Carrots are more effective than sticks!

–          One size doesn’t fit all

  • Don’t boil the ocean
  • Perfection is a lost cause
  • How can we have the largest risk impact?
  • Target high value assets
    • Consider People, Process, Data, Geography
  • Largest population

Communicate and Educate;

–          Be transparent – let people know WHY

–          Make it personal

–          Do it often and with data

–          Business relationships

  • Change in the C suite
  • Power is shifting

Use leverage;

–          Our security teams are not growing!

  • ‘Trojan horse’ security projects;
    • SSO
    • Asset management
    • Change management
  • Embrace change- Make sure we are involved in defining requirements and design of new areas such as;
    • Automation
    • Mobility
    • Software defined
      • Networks
      • Data Centre

Areas of Focus;

Identity

–          Provisioning and onboarding

–          Role management

–          Map identity and log streams

–          Profiling; map users to

  • Devices
  • Applications
  • Systems
  • Behaviours

Data

–          DLP isn’t the final word

–          Consider data bankruptcy

–          Focus on visibility and analytics

  • High value asset
  • Point of creation or storage
  • Visibility at the large endpoint

–          Contain where possible – mobile and virtual

–          Leverage master data management programs

  • Define data owners and criticality

–          Evaluate data categorisation technology

Customer Experience

–          They have many choices and security isn’t on their list

  • Offer enterprise versions of consumer services

–          Can you trade experience for visibility?

–          Provide for safe, open access

–          Leverage SSO to better map identity

 

Supply chain and third party risk

–          Understand supply chains

–          Enforce contracted policies

  • Network Access Control

–          Reduce access

  • Virtual desktops
  • Review privilege

–          Third party risk services

Incident detection and response

–          Single UI and alerting for visibility – feed in data from controls, and add context

Resiliency and Recovery

–          Non traditional DDoS targets

–          Table top based on known attacks

Threat model based on existing Business impact analysis

These 2 keynotes were a great way to start the days presentations.

K

RSA Security Summit London April 2014 – Security Redefined

Today is a day out of the office at the RSA security summit in London.

The theme of the day is ‘Security Redefined’.

This is the concept of the ‘third platform’ of IT – billions of users, global locations, and many many devices accessing our systems.  We can no longer have the strong perimeter based security paradigm where we keep the ‘bad guys’ out, we need to have a security strategy based on detection and risk with the assumption that we can and will suffer compromises.

This is not a new concept, but it is good to hear the ‘security heavy weights’ (or larger less agile firms, take your pick 😉  ) in the industry talking about this.

As usual I’ll be summarising and commenting on the keynotes and other presentations I attend today.

K

RSA shell crew investiagtion

I was recently asked to summarise and comment on the recent RSA investiagtion and published report into the the ‘shell crew’ attacks, so thought I’d share this;

The Shell Crew attacks investigated by RSA IR are a clear example of what is usually referred to APT (Advanced Persistent Threat) attacks. They were able to persist for considerable lengths of time in various enterprises, all the while covering their tracks, updating malware and backdoors.  During the time they were inside the various enterprises their aim was to exfiltrate as much data and intellectual property as possible.

They used a variety of techniques from phishing and spear phishing (extremely targeted phishing) to web application framework attacks to gain entry, and once inside used many techniques including;

–          Web shells

–          Lateral movement, making use of RDP, psexec, open network connections and job scheduling via the at command.

–          Code signing of backdoor malware so it installed without warnings

–          Utilising SETHC RDP backdoor

–          Proxy tools installed on servers to avoid corporate proxies

–          Proxy away malwae that connected out using stolen credentials

–          Falsifying time and date stamps on malicious files

Prior to the attacks there were length periods of reconnaissance of the businesses and their technical footprint.

Looking at the tools and techniques used it appears they predominantly attacked Windows based systems

The example detailed involved a hack of a web server running a vulnerable version of Adobe ColdFusion, where the vulnerability enabled directory traversal.  This enabled them to access the password file for ColdFusion, download it and crack it (likely with rainbow tables).  The next step was to download and install web shells, backdoor software and various password cracking and hashing tools onto the server.

Some take away points include;

  • Details of the exploit were      clearly captured in the web server logs – highlighting the need for      proper log correlation and alerting.
  • They logged into the web      server with the Admin password within 10 minutes of stealing the hash – 2-factor      authentication should be used for web accessible accounts where possible.       If passwords must be used, a large salt must be added to the hashes.
  • Once they were on this      server they quickly moved to control / access many other servers on the      compromised network.
  • Various ‘entrenchment      methods used to ensure their presence was hard to remove including;
    • They used various web       shells from simple one lines ones all the way to advanced ones with       trojan like capabilities. Web shells are malicious files written in web       scripting languages.  They have some benefits over trojans such as       being rarely detected by AV programs, run within the web server so blend       with other traffic and hard to block, and no need to beacon home.
    • Registering malicious       DLLs so that the commands they run were interpreted by the malicious DLL       making them harder to detect
    • Modifying the       System.Web.dll file (this is a core.net       dll) enabling specifically crafted posts to the server that without a #       at the start would just result in a 404 page
    • Installation of       custom variants of the ‘Trojan.Derusbi’ malware.  This monitors all       open TCP ports on the server for a specific simple, but pseudo random,       handshake.  When it sees one it responds with a handshake.  The       remote user can then control the trojan with various obfuscated commands.        These include file traversal, starting / stopping processes,       uploading / downloading files, time stomping (deleting or modifying time       stamp related information on files – makes forensics more challenging),       opening reverse shells, locating and decrypting passwords stored in       browsers such as IE and Firefox.
    • Sethc backdoor –       replacing the setch exe with cmd or explorer, or making a registry change       to the setch entry.  If RDP is enabled, connecting, then pressing       SHIFT 5 times will then bring up CMD, explorer, or the debugger.
  • On top of this they also      downloaded a lot of other malicious files and ‘secondary tools’ including      many variants of the Derusbi trojan, notepad.exe (actually multi purpose      malware including proxy capabilities, time stomping, user impersonation,      Run As etc.), credential loggers etc.
  • The attack appears to      target Windows Server 2003, 2003r2 and XP variants. – ensure you are      using current versions of operating systems, and that they remain fully      patched
  • Obfuscation of code for the      various malware tools was heavily used.  While it is often not      complex to manually de-obfuscate the code, this technique helps malware      avoid detection by automated tools and also means the code / scripts don’t      look like they are code to the untrained eye if an admin or someone      stumbles across them.
  • Credential capture /      logging was attempted in various ways on compromised machines in the      estate including; Hash Dumping (grabbing hashes then likely using rainbow      tables to crack them), Keystroke logging, MSGINA (MS Graphical      Identification and Authentication – key part of MS logon process) man in      the middle, and hooking into authentication functions.

Overall this is a good, in depth report that really highlights both how easily an adversary can gain access to the corporate network, and how entrenched they can become across many servers in the network once they have a foothold.

Up to date, patched systems, defence in depth, and first rate logging, correlation and alerting are key factors in prevention and quick detection of breaches.

Detection and response are becoming increasingly important in a world where you will be compromised.

K

RSA’s First UK Data Security Summit – part 3: Defend with confidence against advanced threats

This talk covered three agenda items, with an obvious focus on RSA Security Analytics.

1. Why / how security investments need to shift

2. Building a SoC

3. Demo of the tool

Obviously I wont be capturing the Demo here, but below are my notes from this presentation;

Advanced threats are different…  Often following a similar set of steps;

– System intrusion – Attack begins – Cover-up discovery leap frog attacks – cover up complete, with the following characteristics;

  • Targeted
  • Stealthy
  • Interactive

How to defend;

  • decrease dwell time (time from successful breach until discovery)
  • speed response time (speed with which attacks are detected, and then remediated once discovered)

Relatively new attack discovered / named last year – ‘Waterholing’ – sit by the waterhole knowing prey will come to them – malicious users take over a site, knowing their targets are likely to visit it and trust it – then wait for them to arrive – malware etc. then delivered to users of the site.

Massive % of security spend currently on prevention, not detection..

71% of organisations have some sort of SoC (wider survey 66%)  most have plans to have one.  The question did cover from just some analysts who do investigations right through full on SoC capabilities.

SoC – level 1 adds, moves and changes, device health etc.

CIRC – manage security incidents, investigate suspicious behaviours, vulnerability analysis, threat management etc.

CIRC – even the specialists need to specialise!!

CIRCs can / should comprise the below 4 areas of responsibility.  Note, a person can have multiple roles, doesn’t need to be 4 people or more for smaller organisation1 – 4 suggested Tiers / areas of responsibility

  1. Front line – initial investigations, containment, triage, 24*7 etc
  2. Advanced tools, tactics and analysis – reverse engineering, host and network forensics, Cause and origin determination
  3. Analysis and tools support – Optimising the CIRC tools and processes; Integration, Content development, Reporting, Alert and Rule creation
  4. Cyber Threat Intelligence – understand the wider environment, analyse threat feeds, awareness of criminal / activist organisations etc.

EMC example – 1046 employees received a clear phishing email about fake wire transfers, 17 clicked on the link, 2 even clicked on the are you sure warning from the EMC gateway!  This sort of investigation should take minutes..  Does it for your organisation?

The maturity Journey – Control – Compliance – IT Risk – Business Risk

  • Your business needs to be moving from at least compliance to IT risk for levels 3 and 4 of the SoC to make sense.
  • Business, then IT risk SHOULD drive your security program and strategy.  Compliance is a byproduct of good security.
  • MSSP (Managed Security Service Provider)  – Make CIRC function more complete and affordable
    • What does it make sense to outsource from the CIRC functions?
      • Start with Tier 1, second most likely threat intelligence (as this can be somewhat stand alone, and an MSSP likely already has good contacts and threat intelligence they can share)
      • Tiers 3 and 4 can be, but these are harder and likely require in depth expertise and knowledge about the internal operation of the organisation.

To assist this organisations need;

  • Comprehensive visibility
    • view, collect and analyse everything
  • Agile analytics
    • efficient analysis and instigation of potential issues
  • Actionable intelligence
    • understand ‘normal’ aid identification and investigation of anomalies.  Make data machine readable
  • Optimised incident management

RSA Security Analytics is designed to meet these needs.  Well there had to be some product focus as it’s an RSA presentation..

My questions;

  • However, where does this fit into the overall business?
    • Can it be used by the wider business in order to offer a business wide solution to log management and analytics?

RSA response – Data is stored in Hadoop style storage so you can write tools to query it. But no there are no plans for them to provide any ops style dashboards and functionality that could be used by the wider IT team and the business.  For me this is a massive gap given the current market for log correlation and analysis type tools.  There is no way a business should want two of these solutions in place with logs shipped to both and all the associated licensing and management that goes with it.  Having two tools also leads to a potential situation where all logs may not get to the security tool and therefore you’ll miss potential threats.

So back to the talk;

RSA Security Analytics provides both a combination of both real time and longer term analytical abilities;

  • real time example – analysing data on the wire for attacks and suspicious behaviour
  • longer term – log on from two different locations – analyse distance between locations and time between logons 

Threat intelligence from feeds and incorporating business context. 

  • Look at all the data, use intelligence to narrow it down to provide a low number of real and useful alerts.

Security analytics demo;

  • Has full data set, can drill down to specific IP addresses, and the behaviour between it and others, identifies hacker tools etc.
  • Integrates with RSA threat feed etc.
  • Identifies high risk file types, windows cli commands etc.
  • Keeps suspicious IP address list from top suspicious IP list.
  • Can make network data back into the real data – e.g. can view emails as the email with cc etc, can view text files and images this looks a bit like man in the middle stuff – recompiles the actual conversation / traffic.
  • Currently a detective / investigative system.

5 take aways things you could do;

  1. Analyse current / goal security spend by prevention, detection and response.
  2. Honestly assess your organisations security maturity.
  3. Expand / build-out SoC/CIRC via on-premise or MSSP (or on premise MSSP).
  4. Invest in breach readiness processes.
  5. Evaluate your security tooling – is it too perimeter / signature based? Does it align with your security strategy and desired posture?

Overall this was a useful talk with quite a few good points and outside of the demo relatively little product and marketing talk.

I am however very disappointed that RSA are intent on keeping Security Analytics 100% focussed on security only.  It’s undoubtedly a good product in this space, but there are other products now that appear to offer similar levels of functionality in this space while also being genuinely good products across ops / application support / business users etc. and also being potentially more flexible and extensible.  Take a look at both Splunk and LogRythm.

K

RSA’s First UK Data Security Summit – part 1

On Monday I attended RSA’s first UK Data Security Summit at the Barbican.  Unsurprisingly this event had two main focuses;

– ‘Big Data’ – What it is, what it means to businesses and security, and how security can leverage it to look for anomalies and advanced threats.

– Security analytics – The relatively new RSA log correlation and analysis product.

The agenda from RSA was listed as;

  • Big data and the hype
  • The changing threat landscape
    • Cyber criminals, nation states, activists and terrorists
  • Balancing risk of attack and prevention against ability to perform key tasks

As with my recent Splunk Live! post, the below will be relatively unformatted, but hopefully still of use.

The day started with some keynote talks from Art Coviello, Eddie Schwartz and Andrew Rose;

Art Coviello – Intelligence driven security: A new model using big data

Arts’ talk focused on the rapid changes to the IT environment over the last few years, with predictions for the future as well, then moved into the historic and current security  model and what this needs to look like in the future.

70’s – terminals – 1000s users

90’s – PCs – millions users

2010 – Mobile Devices – billions users

Digital content;

2007 – 1/4 Zettabyte

2013 – 2 Zettabytes

2020 – 100 Zettabytes

5* more unstructured than structured data, and growing 3* faster.

Apps;

2007 – web front end apps

2013 – Theres an app for that

2020 – big data apps everywhere..

Devices;

2007 – Smart phones

2013 – dawn of really smart phones and smart phone / tablet ubiquity

2020 – Internet of things (everything from fridges to coke machines as well as all the usual phone / pc / tablet etc devices)

Social media

2007 – MySpace

2013 – Focus on monetizing

2020 – Total consumerisation of social media: absence of privacy..

Perimeter;

2007 – holes

2013 – is there a perimeter?

2020 – no direct control over physical infrastructure..

Threats;

2007 – Complex intrusion attacks

2013 – Disruptive attacks – can’t launch physical attacks over internet yet, but can be very disruptive

2020 – Destructive attacks? with no physical / user interaction required?

Historic security model;

  • Reactive
    • Perimeter based
    • Static / signature based
    • Siloed
      • Firewall, IDS, AV etc – all reactive, don’t play together or support each other

New model;

  • Intelligence driven
    • Risk based
    • Dynamic / agile
    • leveragable / contextual
      • Look for anomolys, be more heuristic / intelligent, work together – correlate events across the enterprise

Impediments to change;

  • Budget inertia: reactive model
    • 70% on prevention (likely more like 80 % in many firms)
    • 20% Detection and monitoring
    • 10% Response
    • Skilled Personel shortage
    • Information sharing at scale – industry groups, sharing data of attacks and breaches etc at ‘wire speed’
    • Technology maturity
      • Some commentary about archer, silver tail etc. RSA has bought or invested in

Look at security maturity model;

  • Stage 1 – Unaware (wish security would go away, install a box to fix it all)
  • Stage 2 – Fragmented (compliance gathering – focus on box ticking to get compliance rather than doing security right)
  • Stage 3 – Top Down (security understood but driven from management down, not yet pervasive)
  • Stage 4 – Pervasive (good security team, work with c-level on budgets etc)
  • Stage 5 – Networked  (working across the business and integrated with the business)

Big data transforms security;

  • Security management
    • Scalable to analyse all data
    • generates a mosaic of information
    • accelerates responsiveness
  • Controls
    • task specific
    • behaviour orientated
    • self learning
  • enables view of attacks in real time

Need this detailed analysis in order to prevent / see sophisticated attacks such as man in the middle and man in the browser

Intelligence driven security needs to be resilient, feed into controls and in and out of GRC stack (grc feeds into and educates controls.  controls feed into GRC to confirm compliance)

 

Eddie Schwartz – Embracing the uncertainty of advanced attacks with big data

Pecota forcasts – analytics platform used by bookies to work out odds one sports / sports players – baseball – movie – money ball.

– ‘big data analytics’ changed the way baseball players were assessed and consequently paid..

Facebook data mines images as well as text on your page to drive targeted advertising

Amazon etc. – preference engine – you bought this, you want these..

* They are information rich and using high quality analytics.  Why are we not using data like this in security?

Why? – too much time having to say yes we are ok, yes we pass xx audit..

Attackers do not have these checklists – they will work hard to breach any opening regardless of whether you are complaint with whatever regulation..

  • Read ‘the signal and the noise‘ – Nate Silver – why so many predictions fail and some don’t.
    • The signal is truth, the noise is what distracts us from the truth.

How much do we really know about our adversaries?

  • Are we researching the tools, techniques and processes of our adversaries
  • Do we know who they are?
  • Insiders, hackers, hactivists, criminal organisations, nation states etc.
  • Do we know what they look like?
    • Old world (SIEM) – finite, rule sets, wait for rule to be breached
    • New world – infinite – unknown unknowns, uncertainty, hackers may look like legitimate users – what signs can we look for to identify them?
  • Do we understand the ‘Kill Chain’ – Prepare, Infect, Interact, Exploit
    • Cost to remediate goes up dramatically as you move along the chain
    • detection sweet spot – when they first exploit / attempt to exploit – they have to reveal themselves, so fast detection here will catch / print before data exfilitration.

Need to move to more spend and more intelligence on ‘internal’ protection / detection / capture – away from the traditional perimeter.

What are your drivers for IT security investment?

34% compliance, 16% audit

ONLY 6% strategy!

Big data transforms security – 4 areas for shift..

  1. Security management
  • Comprehensive visibility – not just event logs – what are my critical processes, what information do I need to see to understand if they are at risk.
  • Actionable intelligence – must be available in a timely manner
  • Agile analytcs – security environment must be able to change as the environment changes – your environment is at least somewhat unique, also threat landscape changes
  • Centralised incident management – can security teams follow an incident from end to end? – many point solutions.. Do logs all go to one place, can they be effectively analysed?

2. Intelligence driven security

    • Ah-hoc – Bystander – End User – Creator; Crawl – Walk – Run – Advanced – World Class
    • Monitoring and detection, incident response, threat intelligence, systems and analytics; Where should we be – risk based – do you need to be world class in everything? Where do we need to focus, what are our risks?
    • Critical Incident Response Centre (CIRC) – Cyber threat intelligence, Advanced tools, tactics and analysis; Critical Incident response team, Advanced specialists

3. Live intelligence

 

  • Threat intelligence, rules, parsers, alerts, feeds, apps, directory services, reports and custom action.
  • Need long term technology, process and architecture plans
  • Visibility, control, governance, intelligence are all interrelated and must be considered as parts of a whole.

4. Risk based authentication

 

  • Active input – username, password, one time password, certificate, out of band, security questions, biometrics
  • access time, access location, geo location by IP, location by access point,
  • What does ‘good behaviours’ look like vas. ‘bad behaviour’; profile behaviour
  • Criminals cannot replicate your unique use profile.
    • Velocity, page sequence, origin, contextual information; velocity, behaviour, parameter injection, man in the middle, man in the browser.

Shift discussion in GRC from meeting compliance regulations to focusing IT and security staff on the key work

  • right assets and processes based on criticality and importance
  • assest intelligence, threat intelligence, event focus, investigations – Analyst prioritisation
    • requires accurate, timely and complete data.
  • read – Big data fuels intelligence driven security – RSA white paper

US – Data sharing bill – both businesses and liberal groups have objected.

  • how to share without compromising privacy.
    • criminals already violating our privacy every day
    • who should protect our privacy – benign government, corporations, criminals?
    • laws protecting customer privacy can make it hard not to breach laws protecting employee privacy in the EU?

 

Andrew Rose – principle analyst – security and risk management – Forester – ‘An external perspective’

Information classification – how mature

  • 26% have a policy that’s widely ignored, 28% have a policy for some data or systems..

The world we live in (largely as previous presentations)

  • Increasingly capable attackers (threat is real – activists, china etc..)
  • Budgets relatively static or slow growth, enough for triage of known issues, not whole treatment and improving security posture.
  • ROI – hard to define / prove – if not breached are we good or just lucky.  No good model seems to exist yet.
  • Yes rather than no security culture – have to work with business and enable – increase risk and complexity to deal with, but not necessarily staff and budget..
  • Competitive recruitment environment
  • Even the best firms have flawed security – e.g. RSA breach – have to prepare to fail!

Forester and IBM reports has IT at the top of the list of most important reasons for business success.

However business and IT (business especially) do not rate the success / competency of IT very highly – not agile, can’t accommodate change, can’t deliver projects on time etc.

 

RSA yearly IT security challenges included;

  • Third highest issue (76%) – changing business priorities
  • Forth (74%) – day to day tasks taking too much time
  • 8th (55%) lack of visibility of security – fixing this one will likely improve other issues at lot.
  • adoption of ISO / cubit etc not helping these keep getting higher up the issues scale

 Business innovation does not slow down because of security threats…

Complexity vs. manual ability – can better analytics help?

Vendors – vendor space is buzzing..

  • security commercialisation is in full swing
    • But what are the differentiators – everyone users the same buzzwords to sell products (e.g. big data, threat intelligence etc.)
  • Disruptors needed
    • need innovation, not re-hash or updates
    • services, not more hardware
  • solutions fragmented
    • how many products required to ‘solve’ security
    • what do I need now
    • what order should I buy them
    • what is the value / roi?
    • how much resource does it take to manage?
    • too many niche products – e.g. IAM, remove admin rights etc.  Need a ‘BIG’ tool / solution, to solve many / most issues and integrate existing products / solutions.

SIEM

5% get great value, 30% have not implemented, 65% get little or limited value

So is Big data the solution?

  • Big data just means lots of high velocity, structured and unstructured data – it is there to be used – so it is what you do that counts with it, not it in its self (my comment, not speakers)
  • supply chain complexity
  • technical complexity
  • internet of things

 

For me same conclusion as before – need something to aggregate and bring all the data together from apps, security tools, systems and then analyse it.  intelligent, fast correlation – look for real connections and real relationships – be mindful of coincidences in the noise.

 

2 books – anti fragile, signal to noise.

Common pitfalls –

  • starting with the data – need context and understanding as well.
  • overlooking the value of metadata.  data tagging increases value of data
  • believing more data is better
    • think simplicity and actionability

 Take away points;

  • Understand and identify your data
    • information classification is key – get this accepted and rolled out across the business
  • Be ‘hypothesis-led’ – think of what you cold do, not just what you know – then see if you can find the data to achieve it
  • Look for business partners for any big data initiative – again – one engines / dwh etc.

I’ll complete my write up of the day shortly, I hope you’re finding it useful.

K

Been a while.. and 2013 plans

I realised it has been getting on for three months since my last blog post.. Getting back into writing posts has been on my mind for a few weeks, but things in life have been extremely hectic recently!  Briefly life has involved getting engaged, planning a rather cool wedding and honeymoon, redecorating an entire house, and not to mention starting a new job.

Work wise I am now a Senior Security Architect for WorldPay which is pretty much exactly the role I have been aiming to get for some time.  As with most roles the first few weeks have been a hectic time of getting to know the company, policies and processes, people as well as rapidly picking up constructive work.

I thought I’d start this years blogs with an overview of some of my plans relating to work and learning for 2013.  Obviously as it’s now nearly the end of February I am using ‘start’ or the year fairly loosely!

So looking ahead for the year, what are my plans / projects for 2013?

1. Complete my Masters project;  Due to everything that has been happening I requested as have been granted an extension until May of this year to complete my project.  I have completed and passed the rest of my Masters, so this is the final piece between me and being awarded the post graduate degree.  With continuing to get to grips with my new role and everything else that is going on, this will be a challenge, but something I need to complete.

2. Improve my knowledge of secure, always available multi-site data centre networking; Network security is one of my key focus areas, and this links nicely with the environment I am currently tasked with ensuring the security of.

3. Continue to lead and contribute to the Cloud Security Alliance Security as a Service working group.  This has become a major project for me that I have been leading for nearly a couple of years now.  This is another one that also ties in nicely with my WorldPay role as I will also be covering cloud security and strategy as one of my responsibilities.

4. Various smaller / side tasks including getting round to taking my TOGAF exam, attending various useful industry conferences such as RSA and Infosec (work budgets permitting of course), along with being successful in my new role and progressing at WorldPay.  This may of course lead to further projects this year depending on the tasks I need to achieve as part of my role, I’ll obviously keep you posted around any of these I can publicly discuss.

I’ll keep you all posted with my progress around these projects / tasks, along with other interesting things that happen during the year.  Hears to a productive and interesting 2013.

K

Cloud Security Alliance Congress Orlando 2012 pt3 – Day 1 closing keynote

Next Generation Information Security – Jason Witty

 Some statistics and facts to set the scene;

–          93.6% is the approximate percentage of digital currency in the global market!

–          6.4% cash and gold available as a proportion of banking and commerce funds..

–          45% US adults own a smartphone – 21% of phone users did mobile banking last year.

–          62% of all adults globally use social media

–          Cloud ranking as #1 in top strategic technologies according to Gartner – 60% of the public cloud will serve software by 2018

–          2015 predicted as the year when online banking will become the norm..

–          Nielson global trust in advertising report for 2012;

–          28,800 respondents across 56 countries – Online recommendations from known people and review sites 80-90%+used and trusted, traditional media, falling below 50% used and trusted.

–          NSA were working on their own secure smartphone.  Plans scrapped and now they are working on how to effectively secure consumer smart phone devices.  Consumer mobile devices are everywhere!

Emerging innovations; cloud computing..

–          IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.

–          By 2016 SaaS will account for 60% of the public cloud

Cost savings often cited as reason for moving to the cloud; however other benefits like agility, access to more flexible compute power etc. often mean cloud migrations enable better IT for the business and thus you can do more.  So increased quality and profit result, but casts likely remain flat.

Trends in Cybercrime;

Insiders – can be difficult to detect, usually low tech relying on access privileges

Hacktivists – responsible for 58% of all data theft in 2011

Organised crime – Becoming frighteningly organised and business like

Nations states – Since 2010 nation state created malware has increased from 1 known to 8 known with 5 of those in 2012.   Nation states now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.

 

Organised Crime – Malware as a Service

Raw material (stolen data) – Distribution (BotNet) – Manufacturer (R&D, Code, Product Launch) – Sales and support (Delivery, Support (MSI package installation, helpdesk), Marketing – Customer (Affiliates, Auctions / Forums, BotNet Rental / Sales)

Crime meets mobile – Android – patchiy updates as vendor dependant, many pieces of malware, but play store security getting better.

Nation states becoming increasingly active in the world of malware creation..

 

So, Next generation Information Security;

–          Must be intelligence driven

  • Customer
  • Shareholder
  • Employee
  • Regulatory
  • Business line
  • Cyber threat

–          Must be comprehensive

  • Anticipate – emerging threats and risks
  • Enable –
  • Safeguard

–          Must have excellent human capabilities

–          Must be understandable – need to explain this and ensure the board understands the risks and issues – PwC survey – 42% of leadership think their organisation is a security front runner.  8% actually are.  70% leadership thing info sec working well – 88% of infosec think leadership their largest barrier to success..

–          We cannot do this alone: Strong intelligence partnership management

Pending cybercrime legislation;

–          White house has stressed importance of new cyber security legislation.

–          Complex laws take time to review and pass; technology environments change fast.

–          Various Federal laws currently cover cybercrime – Federal computer fraud and abuse act, economic espionage act etc.

–          Likely executive order in the near future with potentially large cybercrime implications.

While this is a very US centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.

 

Intelligence driven: the next phase in information security;

–          Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats

–          Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets

–          Building and nurturing multiple data sources. Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.

–          Establish automated analytics and establishing patterns of data movement in your organisation

I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012.  This can be downloaded from here;

http://www.rsa.com/innovation/docs/11683_SBIC_Getting_Ahead_of_Advanced_Threats_SYN_UK_EN.pdf

K

RSA conference Europe Wrap Up / Final Thoughts

I’ll keep this relatively brief as I have already covered this conference in some detail while blogging live from the event.  I think the write ups ended up around 12000 words in total across the three days!  I hope you have managed to read those covering content that was of interest to you – there was certainly a lot of information there that I found useful!

As usual with conferences like this some of the presentations had slight vendor bias, with an prime example being companies like EMC championing the need to prioritise spending from limited security budgets on more advanced tools for detecting and preventing longer term advanced threats (Advanced Persistent Threats – APT) at the expense of older more stable technologies such as AV.  EMC is currently selling and promoting products in this area..  This was followed by Symantec who obviously highlighted that they think AV is still critical and should continue to be invested in, unsurprising as anti-virus / anti-malware is still one of their key products and revenue streams.

On this point I fall between the two in that I completely agree AV is still important, but due to the maturity of the market and quality of most products you should be looking to drive costs down in this area while still maintaining an acceptable level of quality.  By managing costs in established areas and looking for end point solutions that cover multiple vectors such as AV, firewalling, DLP etc.  you should hopefully be able to free up budget to invest in some of the newer more advanced tools or improve key areas such as your log monitoring and correlation capabilities.

Overall the presentations remained fairly vendor neutral and contained loads of useful content.  Highlights for me included;

–          Wireless hacking demos

–          Man in the browser demos

–          Discussion around the state of the industry

–          Presentations on building a cyber-security capability and improving the way we in security can interact with the business

–          Presentations on the threat landscape

All of which were covered in the conference blog posts.

To wrap up my commentary of the conference, I’ll finish with a few of what were, for me, the key take away points;

–          Understand your environment and your industry – where is your data, what are your important assets and what are the key threats to your organisation.  If you don’t know this how can you know what to protect and how?

–          Following on from that, make sure you are protecting the right things and to correct level.

–          Read useful reports such as the Verizon Breach report – the data is frankly eye opening if you are not yet aware of the time most breaches take to be discovered and how poorly protected many businesses are (416 days and likely to rise..)

–          Become better at interfacing with the business – it is our job to make sure the decision makes at the highest level are aware of the risks and what they mean to our business / organisation.  Board level executives may choose to accept or ignore risks, but they should do with a full awareness of the threat landscape and our risks.  If the business / the board are unaware of the risks to the environment this is 100% our failing.  If they accept a risk and we are breached it is on them and they accepted the risk(s) with awareness they may be exploited.  If your organisation is exploited and the board / business were unaware then it is on us.

–          Finally it reminded me how much I love IT security and creating secure solutions and environments!  Take pride in what you do and do it well; jobs, money and peoples identities rely on us doing this right.

As always, feel free to ask if you want any more information, I’m more than happy to evangelise on these topics!

K

RSA Conference Europe 2012 – Moving your SOC beyond the bloatware

Talk from Amit Yoran of EMC/RSA.

Where SOC in the title refers to Security Operations Centre.

Everything is evolving;

–          Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations

–          Data is evolving rapidly – explosive data growth, big data

–          Threats are evolving rapidly, with actors from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – Hactivists) to nation states.

Existing security systems are ineffective;

–          Signature based – from AV to anti-spam to firewalls to IPS tends to look for known things and behaviours (signatures)

–          Perimeter orientated – Firewalls, IDS / IP, router security etc. still make up much of the focus.  We are becoming more and more porous or boundary-less.

–          Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long.  How do we reduce this attacker free time or dwell time?

Focus needs to shift from I will stop breaches to I will be breached and how do we manage this and prevent / minimise damage.

Identified four impediments to change from the current;

–          Information deluge – too much information

–          Budget dilemma – so much hype and marketing, what do I spend limited budget on?

–          Cyber security talent – what talent do I have in my organisation, how do I leverage it, and scale the limited number of very talented peoples reach to work for the whole organisation?

–          Macro situational awareness – How are am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but limited ability to deal with the complex, multi-faceted attacks of today.  Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like.  Much more complex than just is it a valid login, ‘bad’ may be a complex set of apparently authorised transactions, that look very similar to ‘good’ activity.

Traditional SIEM is not enough –

–          Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools

–          Cannot fully investigate exfiltration or sabotage of critical data

–          Issues with scaling to collect, sort, and analyse large enough data volumes

Need better security analytics!

Incident response lessons learned;

–          Stop doing things that provide little value

–          Focus on securing the most important material assets to the enterprise and understand their risk exposure from people to processes to systems to data

–          Obtain a deeper visibility into what is happening on the network and what is known about the organisation and its users

–          Collaborate in real time with others more effectively and gain actionable intelligence

–          Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make them valid and don’t tune behaviour just to do well on the ‘test’!

Security operations require;

–          Comprehensive visibility

–          Agile analytics

–          Actionable intelligence

–          Optimise incident management

How do we improve understanding and analytics?

–          Security Analytics Warehouse

Scalable, centralised data warehouse for long-term data retention and deep intense analysis.

Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

Allows us to move to ‘active defence’ that gives the user ability to take action or automatically remediate common functions.  This turns a passive system into an active one, largely using existing infrastructure.  In turn this fuels actionable and effective workflows for the SOC.

Interestingly this talk links back to the those on SOA and big data from the service technology symposium, both identify the need to manage and analyse big data in real time or as near to real time as possible.  These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions.  Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved.  Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC, there were hints of their products, but none mentioned and no sales pitch.

K

RSA Conference Europe 2012 Keynotes; day one part two

Keynote 3 – Francis deSouza – Group president, Symantec – The art of cyber war, know thy enemy, know thyself

For many years IT was standardising on systems from the client to the server room.  Now we have BYOD, cloud etc.  IT is becoming more diverse with many more devices and data stored across multiple locations and hosting environments.

What does this mean for IT security?  What model do we need?

Historically IT security has been defence only and point / issue based. – you get viruses so install AV etc.

We need to look more holistically and look at how we defend against multi flanked attacks and advanced persistent threats.  Also consider how we can use the attack against the attacker or to catch the attacker (think Aikido).

What do we mean by multi flanked?  Attacks are now increasingly using multiple, seemingly independent attacks, many of which are just diversions so we miss the real attack.  When we are busy or focusing on a specific task we often miss obvious things.  Look up ‘how many times did the white team pass the ball’ for an example of this!

Phishing attacks are also getting much more advanced and sophisticated, these are now one of the primary ways attackers use to gain a foothold.

An example of this was a recent attack on a bank that used a phishing email to gain access to a bank.  The gang then launched a DDoS attack on the bank, while the bank was rushing around trying to keep their site up and prevent the attack being successful.  The gang then used the malware installed via the phishing email to steal bank and ATM details.  They then passed these to their monetising team who created ATM cards, distributed these to hired people who all went to ATMs, and withdrew cash.  This attack walked away with $9M in a couple of hours.

The attackers also do things like ensure they use cards in ways that look legitimate and at times customers (the legitimate card holders) are less likely to spot the use quickly.

How do these gangs create these massive data centres of compute power yet remain invisible to legal organisations such as Interpol, the FBI etc.  Sophisticated organisations sell ‘bulletproof’ solutions hosted in one country, managed in another, sold in yet another etc.  This is a real market where actual marketing is used, and there is great competition and price pressure – it is a lot cheaper than you think!

There is also the ‘democratisation’ of cyber warfare tools – this follows neatly from the previous talk – increasingly complex and advanced tools are available more and more readily.

On the other side of this is the huge increases in what we are trying to protect – we have more and more complex systems and every growing data volumes.  The volume of data stored is likely to increase by 40 times from today’s levels by 2020!

What does this mean for the security industry?

We need to improve our intelligence;

–          What do they want?

–          What are our key information assets?

–          Out of all of our data which is critical, and which is ‘garbage’?

–          What is happening in your organisation?

–          How are the criminals working and what attacks are they using?

–          Look holistically – what is the campaign they are using, and what are the weaknesses of their campaign?

–          Who are the actors in the campaign?

Our intelligence and security need to be more agile – we need to improve our understanding of what is happening and the unknowns and unexpected things we discover.  Is our security agile enough to change to deal with these new and unexpected things?

Brief comment on having powerful defences and AV (well this is Symantec..)  Good point on reputation based computing – if we have never seen this file before should we trust it?

————-

Keynote 4 – Adrienne Hall – General Manager, trustworthy computing, Microsoft – Risks and Rewards in cloud adoption

Microsoft Security Intelligence Report release 13 is available for download as of today, and is available here;

http://download.microsoft.com/DOWNLOAD/c/1/f/c1f6a2b2-f45f-45f7-b788-32d2cca48d29/Microsoft_Security_Intelligence_Report_Volume_13_English.pdf

A great overview of the report can be found here;

http://blogs.technet.com/b/security/archive/2012/10/09/microsoft-security-intelligence-report-volume-13-now-available.aspx

Microsoft has also released some very helpful, open source, security tools;

–          Attack Surface analyser

–          Anti-cross site scripting library

http://aka.ms/securitytools

Microsoft recently commissioned a cloud computing survey.  This was carried out by an independent survey company so vendor neutral around current barriers and benefits.  The full results can be found here;

http://aka.ms/cloudsurvey

Unsurprisingly, perceived security risks are still the top barrier, however from those who have adopted the cloud 54% stated they have improved security along with 47% who managed to make cost savings on their overall security spend.  The perception and reality currently do not appear align..  How do we address these barriers?

Improve transparency;

–          Collaborate to share information and guidance e.g. Cloud Security Alliance (CSA)

–          Drive and support industry standards

–          Commit to transparency in cloud offerings

Microsoft has just released a cloud security readiness tool that can be found here;

www.microsoft.com/trustedcloud

This is a survey tool that will allow you to assess both the security of your current environment and your readiness for cloud adoption / migration.  This is a free tool that will help you plan a cloud migration regardless of the technologies or cloud providers you intend to use.  To ensure vendor neutrality this links in with and is based on the CSA Cloud Controls Matrix.

The output of this survey is a report for your organisation which understands controls relevant to your industry and regional location.

Talk summary – Stay informed; Embrace standards, best practices and transparency; Weigh the risks and rewards.

Overall this talk was lighter than the others and fairly Microsoft focused, but had some good points and highlighted some useful tools.

Note, at the time of writing the ‘aka.’ links are giving 404 errors, I have email Microsoft and asked for this to be resolved.

———-

Keynote 5 – Herbert Thompson – Program committee chairman, RSA conference – Security the human: Our industries greatest challenge

In security we set up situations where people are designed to fail especially if they are not security savvy or paranoid.

–          Links in emails – how do we know which are real and which are malicious?

–          What do we do about site certificate errors?

–          What do we do when a site wants us to download a file?

Security currently treats everyone the same regardless of knowledge or talent.  One size does not fit all.  Think of car insurance; you have to answer many questions, and the outcome is an insurance quote tailored to your risk profile.

We need to be the people that help the business understand the risk; enable them to make decisions and embrace change with a full understanding of the risks of doing so.

Very light talk, but great point around understanding and managing risk appropriately.

K