2007 DOI: Day 9 - Help Wanted: Fortune Teller
Submitted by Mike Rothman on Mon, 2007-02-26 16:49.
CSOs increasingly need to flex their psychic abilities: as exponentially growing attack surfaces mean new controls must be targeted at the most likely targets, which are identified by discerning the true value of corporate business systems and by increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.
The problem of information security is very similar to the challenge of stopping terrorists. Basically, the attack surface is far greater than our ability to protect things. That means IT IS NOT POSSIBLE to close all the exposures. Thankfully, when we mess up people don’t die. I guess there is an advantage to being a security guy. But the point is the same: we need to choose wisely about where to spend our time and money, and then say a few Hail Marys that we have chosen well.
So how do we know what to focus on? It actually gets down to a combination of two distinct factors. The first is the value of the business system. Basically you don’t want to spend a lot of time or money on a system that no one would bother attacking or wouldn’t be material even if it were attacked. Yes, there are systems that fit into this category. Check out Step 1 of the Pragmatic CSO (www.pragmaticcso.com) for more detail on assessing the value of your business systems.
The second is the likelihood that a given attack vector will actually be used. A lot of my thinking here was a direct result of working at TruSecure a few years back. I saw that security “intelligence” was invaluable in figuring out where and what the bad guys were going to hit. We could help our customers focus on doing what’s important because we had a decent idea about what the bad guys were working on.
To be clear, your run-of-the-mill security professional is in no position to try to penetrate Eastern European or Chinese hacker networks. That’s why you work with people and companies that are. Folks like VeriSign (via their iDefense group), Symantec, Cisco, CyberTrust and others have groups of research folks that spend their time figuring out where the bad guys are going, not where they’ve been. There’s a big difference.
Of course, back in 2003 life was much easier and the bad guys had far fewer ways to obfuscate and hide. Today, the identity of the true brains behind these crime networks is well masked, so it’s about assessing actions and determining consequences. It’s much harder to find and kill the head of the snake, so basically you play the odds about where you think they will strike and protect those flanks first.
It’s very much like intelligence gathering in the “real world” as practiced by governments. Security intelligence is definitely a growth business and will provide a way for security researchers to monetize what they do. This is great news for all of those folks that did their work pretty much to be cool at Black Hat, not really for a paycheck. Every so often folks get their cake and can eat it too.
Given this infinite attack surface, what else can an organization do to protect themselves? The answer this time is in Step 7 of the P-CSO. It’s about operating and monitoring your environment. The point is that it’s very hard (if not impossible) to get “ahead” of the threat. But you certainly can react faster.
So get to know the traffic patterns on your network and get adept at figuring out if something is not right. Use new tools like network behavior analysis (NBA) to see what’s different. The network doesn’t care - it sees everything. The answer is there if you know where and how to look.
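As an added illustration (my own toy code, not anything from the original post or from an NBA vendor), here is the “learn your traffic patterns, then flag what’s different” idea reduced to its core: build a per-host baseline from a window of known-good flow records, then score new flows against it. The hosts, ports and byte counts are constructed sample data.

```python
"""Toy network-behavior-analysis (NBA) baseline detector.

Learns, per source host, which (destination, port) peers it normally talks to
and how many bytes a typical flow carries, then flags flows that deviate.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src, dst, dst_port, bytes). Sample data only.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 443, 1800), ("10.0.0.5", "10.0.1.20", 443, 2100),
    ("10.0.0.5", "10.0.1.21", 80, 1500),  ("10.0.0.5", "10.0.1.20", 443, 1900),
    ("10.0.0.5", "10.0.1.21", 80, 1700),  ("10.0.0.5", "10.0.1.20", 443, 2000),
    ("10.0.0.7", "10.0.1.30", 22, 900),   ("10.0.0.7", "10.0.1.30", 22, 1100),
    ("10.0.0.7", "10.0.1.30", 22, 1000),  ("10.0.0.7", "10.0.1.30", 22, 950),
]

def build_profile(flows):
    """Per source host: the set of (dst, port) peers seen plus byte mean/stddev."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        sizes[src].append(nbytes)
    return {src: {"peers": peers[src], "mean": mean(sizes[src]),
                  "std": pstdev(sizes[src])} for src in peers}

def score_flow(profile, flow, z_max=3.0):
    """Return the reasons a flow deviates from its host's baseline ([] = looks normal)."""
    src, dst, port, nbytes = flow
    host = profile.get(src)
    if host is None:
        return ["unknown source host"]      # never seen this host talk at all
    reasons = []
    if (dst, port) not in host["peers"]:
        reasons.append(f"new peer {dst}:{port}")
    std = host["std"] or 1.0                # guard against zero variance
    z = (nbytes - host["mean"]) / std
    if abs(z) > z_max:
        reasons.append(f"byte volume z={z:.1f}")
    return reasons

def detect(profile, flows):
    """Return [(flow, reasons)] for every flow that deviates from the baseline."""
    flagged = []
    for flow in flows:
        reasons = score_flow(profile, flow)
        if reasons:
            flagged.append((flow, reasons))
    return flagged
```

In practice the baseline window, the peer set and the volume threshold are what an NBA product tunes for you; the point is that all three come straight out of traffic the network already sees.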
That being said I don’t see NBA standing alone for too much longer. It’s an inherent part of network protection and should be done by the folks that do the networks. Cisco already has something (sort of) and that means the other 7 dwarfs of networking need something too. The problem is there aren’t really 7 NBA-looking things to look at – so it’s probably a seller’s market for NBA in 2007.