2013 personal review and 2014 plans

Happy New Year readers 🙂

So it’s that time again, new year, new plans and all that.

Before I look ahead to my plans for 2014, how was 2013?

The educational highlight for 2013 was completing my Masters project and gaining my MSc in ‘Distributed Systems and Networks’.

I also managed to attend a few interesting conferences including Infosec, F5, and Information Security Forum.  Relevant notes from these events were uploaded to this blog throughout the year.

My education fail for the year was not getting round to taking my TOGAF exam. This is one of those things that looks like it may be career useful, but I am not particularly passionate about. I have completed the course and worked in environments where it is applied, so understand the framework and how to use it, however getting motivated to do the exam has failed to reach the top of my to-do list. I’ll see how this year goes, 2014 may be the year I get round to it.

Work wise it was all change in 2013 as well with my move from Canada Life to WorldPay in January. One of the best moves I have made; Canada Life was a pleasant place to work, but the slowest and least dynamic company I have ever been in. Some people are very happy there, but it wasn’t for me! WorldPay is considerably more dynamic and, being a payment processor, places a high value on doing things securely, which makes my role as a security architect very rewarding.

There are a lot of changes happening at WorldPay so watch this space for updates on my career and where it is heading. One way or another I’ll definitely be staying in the security field, and very likely architecture.

Which brings us nicely onto 2014..

From a work project perspective this year is still very much up in the air, some projects I definitely know about include;

– New SIEM solution unifying the log correlation solution across the business,

– Creating security road maps and strategy,

– A considerable amount of application security and WAF (Web Application Firewall) work,

– Implementing APT (Advanced Persistent Threat) protection and detection,

– Supporting the design and creation of a new Security Operations Centre,

– Setting up various avenues to better integrate security with the wider business so we can communicate better with stake holders and customers,

– Several other things not yet ready for disclosure but I will update on what I can throughout the year.

One of my main plans for this year is to get more involved with the business as I am pretty good at staying abreast of security and the technical side of things, but don’t always have as much involvement and awareness of the business as I perhaps could / should.

As a starter for 10, given that my last three roles have been in the financial sector I have recently started reading The Economist, which is surprisingly interesting. I have also picked up a couple of projects, such as the one mentioned above around communicating better with the business, to aid this in my current role as well as wider industry awareness.

Other than that 2014 will include my graduation ceremony, some conferences, and likely some further study.  Time permitting I may also submit speaking proposals to a couple of conferences, but this is very much a maybe.

I’ll also be working to implement some more of the tips from the Productivity Ninja to aid planning and organisation.

What are your plans for the year?

Here’s to a successful 2014!

K


RSA’s First UK Data Security Summit – part 3: Defend with confidence against advanced threats

This talk covered three agenda items, with an obvious focus on RSA Security Analytics.

1. Why / how security investments need to shift

2. Building a SoC

3. Demo of the tool

Obviously I won’t be capturing the demo here, but below are my notes from this presentation;

Advanced threats are different…  Often following a similar set of steps;

– System intrusion – Attack begins – Cover-up – Discovery – Leap-frog attacks – Cover-up complete, with the following characteristics;

  • Targeted
  • Stealthy
  • Interactive

How to defend;

  • decrease dwell time (time from successful breach until discovery)
  • speed response time (speed with which attacks are detected, and then remediated once discovered)

Relatively new attack discovered / named last year – ‘Waterholing’ – sit by the waterhole knowing prey will come to them – malicious users take over a site, knowing their targets are likely to visit it and trust it – then wait for them to arrive – malware etc. then delivered to users of the site.

Massive % of security spend currently on prevention, not detection..

71% of organisations have some sort of SoC (wider survey 66%); most have plans to have one. The question did cover everything from just some analysts who do investigations right through to full-on SoC capabilities.

SoC – level 1 adds, moves and changes, device health etc.

CIRC – manage security incidents, investigate suspicious behaviours, vulnerability analysis, threat management etc.

CIRC – even the specialists need to specialise!!

CIRCs can / should comprise the below 4 areas of responsibility. Note, a person can have multiple roles; it doesn’t need to be 4 people or more for a smaller organisation. 1 – 4 suggested tiers / areas of responsibility

  1. Front line – initial investigations, containment, triage, 24*7 etc
  2. Advanced tools, tactics and analysis – reverse engineering, host and network forensics, Cause and origin determination
  3. Analysis and tools support – Optimising the CIRC tools and processes; Integration, Content development, Reporting, Alert and Rule creation
  4. Cyber Threat Intelligence – understand the wider environment, analyse threat feeds, awareness of criminal / activist organisations etc.

EMC example – 1046 employees received a clear phishing email about fake wire transfers, 17 clicked on the link, 2 even clicked on the ‘are you sure’ warning from the EMC gateway! This sort of investigation should take minutes.. Does it for your organisation?

The maturity Journey – Control – Compliance – IT Risk – Business Risk

  • Your business needs to be moving from at least compliance to IT risk for levels 3 and 4 of the SoC to make sense.
  • Business, then IT risk SHOULD drive your security program and strategy. Compliance is a byproduct of good security.
  • MSSP (Managed Security Service Provider) – Make CIRC function more complete and affordable
    • What does it make sense to outsource from the CIRC functions?
      • Start with Tier 1, second most likely threat intelligence (as this can be somewhat stand alone, and an MSSP likely already has good contacts and threat intelligence they can share)
      • Tiers 3 and 4 can be, but these are harder and likely require in depth expertise and knowledge about the internal operation of the organisation.

To assist this organisations need;

  • Comprehensive visibility
    • view, collect and analyse everything
  • Agile analytics
    • efficient analysis and instigation of potential issues
  • Actionable intelligence
    • understand ‘normal’ to aid identification and investigation of anomalies. Make data machine readable
  • Optimised incident management

RSA Security Analytics is designed to meet these needs. Well there had to be some product focus as it’s an RSA presentation..

My questions;

  • However, where does this fit into the overall business?
    • Can it be used by the wider business in order to offer a business wide solution to log management and analytics?

RSA response – Data is stored in Hadoop style storage so you can write tools to query it. But no, there are no plans for them to provide any ops style dashboards and functionality that could be used by the wider IT team and the business. For me this is a massive gap given the current market for log correlation and analysis type tools. There is no way a business should want two of these solutions in place with logs shipped to both and all the associated licensing and management that goes with it. Having two tools also leads to a potential situation where all logs may not get to the security tool and therefore you’ll miss potential threats.

So back to the talk;

RSA Security Analytics provides both a combination of both real time and longer term analytical abilities;

  • real time example – analysing data on the wire for attacks and suspicious behaviour
  • longer term – log on from two different locations – analyse distance between locations and time between logons
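The "longer term" example above, logons from two locations with the distance and time between them, is the classic impossible-travel check. Below is an added illustration of that logic in Python; it is not RSA's code and not part of the original notes. The logon records, the city coordinates and the 1000 km/h plausibility threshold are all assumptions constructed for the example.

```python
# Added example (not RSA Security Analytics code): "impossible travel" detection
# over a constructed set of logon records. Each record is
# (user, UTC timestamp, source city, latitude, longitude).
import math
from datetime import datetime

# Constructed sample data; coordinates are approximate city centres.
SAMPLE_LOGONS = [
    ("alice", "2013-10-01T08:00:00", "London",     51.5074,   -0.1278),
    ("alice", "2013-10-01T08:45:00", "Manchester", 53.4808,   -2.2426),
    ("bob",   "2013-10-01T09:00:00", "London",     51.5074,   -0.1278),
    ("bob",   "2013-10-01T09:30:00", "New York",   40.7128,  -74.0060),
    ("carol", "2013-10-01T10:00:00", "Paris",      48.8566,    2.3522),
    ("carol", "2013-10-02T10:00:00", "Sydney",    -33.8688,  151.2093),
]

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than any airliner, so genuine travel never trips it.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logons, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logons; alert when the implied speed
    between the two source locations exceeds max_kmh.

    Returns a list of alert dicts (user, from, to, km, hours, kmh)."""
    alerts = []
    last_seen = {}  # user -> previous logon record
    # Sort by user then timestamp so "previous" really is the prior logon.
    for user, ts, city, lat, lon in sorted(logons, key=lambda r: (r[0], r[1])):
        prev = last_seen.get(user)
        if prev is not None:
            _, prev_ts, prev_city, prev_lat, prev_lon = prev
            dist_km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (datetime.fromisoformat(ts)
                     - datetime.fromisoformat(prev_ts)).total_seconds() / 3600
            if hours > 0:
                speed = dist_km / hours
            else:
                # Same-timestamp logons from two different places cannot be genuine.
                speed = math.inf if dist_km > 0 else 0.0
            if speed > max_kmh:
                alerts.append({
                    "user": user, "from": prev_city, "to": city,
                    "km": round(dist_km), "hours": round(hours, 2),
                    "kmh": speed if speed == math.inf else round(speed),
                })
        last_seen[user] = (user, ts, city, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGONS):
        print("IMPOSSIBLE TRAVEL: {user} {from} -> {to}, {km} km in {hours} h "
              "({kmh} km/h)".format(**alert))
```

On the constructed data only bob is flagged (London to New York in half an hour). alice's London to Manchester hop is well under the threshold, and carol's Paris to Sydney logon a full day later works out at roughly 700 km/h, which is why the threshold sits above airliner speed rather than at some arbitrary low value: the check is meant to surface the physically impossible, not to alert on every traveller.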

Threat intelligence from feeds and incorporating business context. 

  • Look at all the data, use intelligence to narrow it down to provide a low number of real and useful alerts.

Security analytics demo;

  • Has full data set, can drill down to specific IP addresses, and the behaviour between it and others, identifies hacker tools etc.
  • Integrates with RSA threat feed etc.
  • Identifies high risk file types, windows cli commands etc.
  • Keeps suspicious IP address list from top suspicious IP list.
  • Can reconstruct network data back into the real data – e.g. can view emails as the email with cc etc., can view text files and images; this looks a bit like man in the middle stuff – recompiles the actual conversation / traffic.
  • Currently a detective / investigative system.

5 takeaways / things you could do;

  1. Analyse current / goal security spend by prevention, detection and response.
  2. Honestly assess your organisation’s security maturity.
  3. Expand / build-out SoC/CIRC via on-premise or MSSP (or on premise MSSP).
  4. Invest in breach readiness processes.
  5. Evaluate your security tooling – is it too perimeter / signature based? Does it align with your security strategy and desired posture?

Overall this was a useful talk with quite a few good points and outside of the demo relatively little product and marketing talk.

I am however very disappointed that RSA are intent on keeping Security Analytics 100% focussed on security only. It’s undoubtedly a good product in this space, but there are other products now that appear to offer similar levels of functionality in this space while also being genuinely good products across ops / application support / business users etc. and also being potentially more flexible and extensible. Take a look at both Splunk and LogRhythm.

K

Requirements of a good Security Operations Centre

I have recently been thinking about and reading up on how to improve Security Operations Centres (SOC) to meet the constantly evolving environment and threat landscape in which we operate.  There are obviously many tools that are required from Network Monitoring to IPS (Intrusion Prevention System) to Log Collection and Correlation systems to Auditing and File Integrity Monitoring.

This post will however briefly cover the ‘soft’ side of the SOC and three key skills / processes that there seems to be agreement are required for a SOC to be effective and forward looking.

The first of these is understanding the business and business systems in detail and being able to put any event in the context of the business. Which systems are affected? Which business processes does this impact? What is the relative priority? This means the team needs to understand more than just vulnerability x and y and their generic severity rating. They must understand your business context and be able to effectively relate events to this. Tools can also help here in terms of event correlation and scale of the issue; this is where the new breed of ‘big data’ real time analysis and correlation tools such as Splunk, Palantir, or Security Analytics come in.

The second key skill / process is that of effective incident handling. This must again focus on your specific business and the priorities in case of an event, such as evidence gathering, escalation, keeping services running, regulatory requirements. The event must be related to these factors with an understanding of its impacts to your business. The more effective and streamlined this process can be, the lower the impact will be when the inevitable issues from virus infections to full scale breaches occur.

The third key area is around business processes. Any process that involves users of the company’s systems will likely be a key attack vector. Technology can’t ever stop all attacks – this is why social engineering is still the number 1 way attackers gain a foothold in most environments. The security team must work with the business to perform threat assessment and modelling sessions to understand the attack vectors and work with the users to minimise or mitigate them. Solid user training, awareness and engagement will also help here.

Attackers who want to get into your system for whatever reason, from financial gain to hacktivism, are constantly changing and improving their game. We need to work hard to keep up and keep them out, or at least contained. A well formed and smoothly functioning SOC that is closely aligned to the business is a key part of any organisation’s defence.

K

RSA Conference Europe 2012 – Moving your SOC beyond the bloatware

Talk from Amit Yoran of EMC/RSA.

Where SOC in the title refers to Security Operations Centre.

Everything is evolving;

– Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations

– Data is evolving rapidly – explosive data growth, big data

– Threats are evolving rapidly, with actors from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – Hacktivists) to nation states.

Existing security systems are ineffective;

– Signature based – from AV to anti-spam to firewalls to IPS tends to look for known things and behaviours (signatures)

– Perimeter orientated – Firewalls, IDS / IPS, router security etc. still make up much of the focus. We are becoming more and more porous or boundary-less.

– Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long. How do we reduce this attacker free time or dwell time?

Focus needs to shift from I will stop breaches to I will be breached and how do we manage this and prevent / minimise damage.

Identified four impediments to change from the current;

– Information deluge – too much information

– Budget dilemma – so much hype and marketing, what do I spend limited budget on?

– Cyber security talent – what talent do I have in my organisation, how do I leverage it, and scale the limited number of very talented people’s reach to work for the whole organisation?

– Macro situational awareness – How aware am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but limited ability to deal with the complex, multi-faceted attacks of today.  Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like? Much more complex than just is it a valid login; ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.

Traditional SIEM is not enough –

– Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools

– Cannot fully investigate exfiltration or sabotage of critical data

– Issues with scaling to collect, sort, and analyse large enough data volumes

Need better security analytics!

Incident response lessons learned;

– Stop doing things that provide little value

– Focus on securing the most important material assets to the enterprise and understand their risk exposure from people to processes to systems to data

– Obtain a deeper visibility into what is happening on the network and what is known about the organisation and its users

– Collaborate in real time with others more effectively and gain actionable intelligence

– Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make them valid and don’t tune behaviour just to do well on the ‘test’!

Security operations require;

– Comprehensive visibility

– Agile analytics

– Actionable intelligence

– Optimised incident management

How do we improve understanding and analytics?

– Security Analytics Warehouse

Scalable, centralised data warehouse for long-term data retention and deep intense analysis.

Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

Allows us to move to ‘active defence’ that gives the user ability to take action or automatically remediate common functions. This turns a passive system into an active one, largely using existing infrastructure. In turn this fuels actionable and effective workflows for the SOC.

Interestingly this talk links back to those on SOA and big data from the Service Technology Symposium; both identify the need to manage and analyse big data in real time, or as near to real time as possible. These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions. Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved. Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC, there were hints of their products, but none mentioned and no sales pitch.

K