Network Analysis

Report Card: 2007 Incite #9 - Help Wanted: Fortune Teller

Submitted by Mike Rothman on Sat, 2007-12-29 12:41.

Keeping with my just-in-time philosophy, it's time to finish up the 2007 Report Card. Which is good timing since today is the last day of 2007. I wish you and all of those important to you a happy, healthy and prosperous 2008. See you on the other side (of the New Year).

Incite #9: Help Wanted: Fortune Teller

CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.

Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-9-help-wanted-fortune-teller
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007


Final grade: C-

We saw the death of responsible disclosure in 2007, and that means security researchers are still big players, but they have leveled the playing field by disclosing vulnerabilities at the same time they tell the vendors.

Honestly, I don’t much care to weigh in on the good vs. bad side of disclosure. It is what it is and I can certainly see the rationale by many of the research folks out there who are done having a big vendor ignore their attempts to do the right thing. The arrogance of many vendors still perplexes me, but whatever…

Ultimately this Incite wasn’t about disclosure; the first part was about the business of security research – which never materialized. Why? Basically, end user organizations won’t pay for what they can get for free. Can they get a “hacker’s eye view” of a new vulnerability? No. Can they get a lot of security research folks’ take on the issue and the workarounds via the wonders of RSS? Absolutely.

Which is exactly what most organizations are doing. CSOs are staying current by monitoring the plethora of information sources out on the Internet. The folks trying to “sell” research just don’t have a compelling enough value proposition to get people to pay – so they won’t and that just reflects pretty pragmatic behavior. Who am I to argue with pragmatism?

The final piece of this Incite is pretty disappointing as well. Security monitoring continues to be a solution looking for a problem. Actually the thought leaders in this discipline (like Richard Bejtlich) know what the problem is – but the broad market isn’t listening.

I’ve harped all year on the need for organizations to REACT FASTER, and unless you are monitoring your stuff – I don’t know how you do that. But evidently other folks know better than me, since they continue to do the same old same old and figure the answer will be different. Our networks continue to be infested with bots, our machines compromised and things are not getting better.

Yet no one wants to slay the sacred cow of “proactive” defense, figuring that new algorithms will solve the false positive issues and allow us to block attacks that we’ve never seen before. Something’s got to give. Maybe 2008 will be the breakthrough year, where monitoring solutions are finally packaged in a way that every organization can use them, or maybe an open-source solution will appear to allow security folks to play a bit with monitoring and learn how powerful a method it is to secure things.

Whatever the answer, I sure hope we are spending more time in 2008 figuring out what is not normal, than blocking stuff we’ve never seen.

Check out the other posts in the Report Card series.

Report Card: 2007 Incite #4 - Trust No One

Submitted by Mike Rothman on Mon, 2007-12-24 08:01.

40% of the way there. Let's keep pressing forward.

Incite #4 - Trust No One

The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.


Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-4-trust-no-one
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-10-2007

Final grade: B

Yes, customers continue to struggle with the idea of protecting against the insider threat. They all know it’s a problem, yet with the sheer number of things that need to be done – many organizations are stuck in analysis/paralysis mode. Do they do DLP first? What about NAC? What about just contracting the perimeter and installing a whole mess more firewalls closer to the data that needs to be protected?

We’ll talk about DLP later (Incite 6), so let’s focus on NAC now. Suffice it to say, everyone is acknowledging that the technology disappointed relative to expectations in 2007. How could it not? But what will 2008 have in store? Probably not a lot different. Can you hear the wails of the VCs with hundreds of millions invested in the space? The early adopters will continue looking at how to overhaul their campus networks and do it in a more secure fashion.

Everyone else will wait until they clean up the other projects, which are ahead of NAC on the priority list. Little things like IPS and the like. Yes, there are still folks in the mass market focused on IPS and not some of these other shiny functions that we spend most of our time dreaming about. NAC standards efforts will continue to lag, although the new, open source OpenSEA 802.1X supplicant effort will pick up steam – basically because there aren’t any other options.

But to me, the last clause is what is most important about this Incite and the reason this was only graded as a B. The security monitoring philosophy is not spreading as quickly as it should. So many security folks are still married to the idea of blocking everything and have not grasped the folly of trying to outsmart the bad guys. In one man’s opinion, focusing on REACTING FASTER and doing that through a strong monitoring capability is a lot better (and more sustainable). Maybe some more folks will start to get that in 2008. One can hope, no?

Check out the other posts in the Report Card series.

2007 DOI: Day 9 - Help Wanted: Fortune Teller

Submitted by Mike Rothman on Mon, 2007-02-26 16:49.

CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.

Read the rest of the 2007 Incites here.

The problem of information security is very similar to the challenges of stopping terrorists. Basically, the attack surface is far greater than our ability to protect things. That means IT IS NOT POSSIBLE to close all the exposures. Thankfully, when we mess up people don’t die. I guess there is an advantage to being a security guy. But the point is the same: we need to choose wisely relative to where to spend our time and money, and say a few Hail Marys that we have chosen well.

So how do we know what to focus on? It actually gets down to a combination of two distinct factors. The first is the value of the business system. Basically you don’t want to spend a lot of time or money on a system that no one would bother attacking or wouldn’t be material even if it were attacked. Yes, there are systems that fit into this category. Check out Step 1 of the Pragmatic CSO (www.pragmaticcso.com) for more detail on assessing the value of your business systems.

The second is the likelihood that a given attack vector will actually be exploited. A lot of my thinking here was a direct result of working at TruSecure a few years back. I saw that security “intelligence” was invaluable in figuring out where and what the bad guys were going to hit. We could help our customers focus on doing what’s important because we had a decent idea about what the bad guys were working on.

To be clear, your run of the mill security professional is in no position to try to penetrate Eastern European or Chinese hacker networks. That’s why you work with people and companies that are. Folks like VeriSign (via their iDefense group), Symantec, Cisco, CyberTrust and others have groups of research folks that spend their time figuring out where the bad guys are going, not where they’ve been. There’s a big difference.

Of course, back in 2003 life was much easier and the bad guys had far fewer ways to obfuscate and hide. Today, the identity of the true brains behind these crime networks is well masked, so it’s about assessing actions and determining consequences. It’s much harder to find and kill the head of the snake, so basically you then play the odds about where you think they will strike and protect those flanks first.

It’s very much like intelligence gathering in the “real world” as practiced by governments. Security intelligence is definitely a growth business and will provide a way for security researchers to monetize what they do. This is great news for all of those folks that did their work pretty much just to be cool at Black Hat, not really for a paycheck. Every so often folks get their cake and can eat it too.

Given this infinite attack surface, what else can an organization do to protect themselves? The answer this time is in Step 7 of the P-CSO. It’s about operating and monitoring your environment. The point is that it’s very hard (if not impossible) to get “ahead” of the threat. But you certainly can react faster.

So get to know the traffic patterns on your network and get adept at figuring out if something is not right. Use new tools like network behavior analysis (NBA) to see what’s different. The network doesn’t care - it sees everything. The answer is there if you know where and how to look.

That being said I don’t see NBA standing alone for too much longer. It’s an inherent part of network protection and should be done by the folks that do the networks. Cisco already has something (sort of) and that means the other 7 dwarfs of networking need something too. The problem is there aren’t really 7 NBA-looking things to look at – so it’s probably a seller’s market for NBA in 2007.

2007 DOI: Day 4 - Trust No One

Submitted by Mike Rothman on Mon, 2007-02-19 16:27.

NAC, NAC?
Who’s there?
Confused.
Confused who?

You know who, don’t you? NAC is this year’s PKI. Everyone wants to believe it’s the year of NAC. But I suspect most customers will be sorely disappointed in what they achieve to deter the “insider threat” with NAC this year.

Why? Because solving the insider problem is complicated and multi-faceted. It’s about more than just checking the AV and patch levels on devices connecting to the network. It’s also about more than access control and worm mitigation. And that doesn't even scratch the surface on the data/information security issues related to the "insider threat."

It’s about all three and architecturally, that’s going to be a hard problem to solve in 2007. Why? Because rip and replace is not an option. Unless you have a money tree out back.

The good news is that based upon numerous conversations and validating evidence, customers are starting to figure out what they need. Of course, knowing what to buy and actually buying it are totally different. NAC is still a very early market and will remain as such for another 2-3 years.

Can you hear all the VCs shuddering? After throwing hundreds of millions of capital into a market sector, the last thing these guys want to see is a market still 2-3 years from major revenue acceleration. But it is what it is. You can’t push on a string, though many players in the NAC business will try this year.

Another dynamic that will muddle things is just the sheer number of vendors. It feels like the anti-spam business 2-3 years ago, but with a less defined value proposition. After the initial wave of buying, anti-spam leveled off (late 2005 to mid-2006). There were too many vendors, too much confusion, not enough differentiation. Customers waited for some consolidation and shake-out, and it was only with the wave of image spam in Q4 of 2006 that they started buying en masse again.

The problem is the early adopters are only starting to roll out their NACs, and the market is oversaturated. I don’t envy anyone trying to sell NAC nowadays. 10 vendors in a deal saying the same exact thing is no fun for anyone.

So what’s a customer to do? Tread carefully. Kick the tires. Figure out your real requirements. And probably repurpose existing devices (like SSL VPN) to do poor man’s NAC for the short term. Unless you have some very specific requirement that forces you to buy something today, don't. And if you do, don't get married to whatever solution you pick. It's TACTICAL. Manage expectations that you will be looking at other stuff in a year or two.

Something like network behavior analysis could also be helpful, at least to pinpoint some weird traffic patterns. In a perfect world, you’d like to actually block the weird stuff. But as a first step, knowing about it is useful.
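The "figure out what is not normal" idea runs through all of these posts: the Report Card for Incite #9 asks for more time spent on what is not normal than on blocking the unseen, Day 9 says to learn your traffic patterns and use network behavior analysis to see what's different, and the paragraph above wants NBA to pinpoint weird traffic patterns. The following script is an added illustration of that baseline-and-deviation approach; it is not code from Security Incite or from any NBA product. The flow records, hosts, ports and the 3-sigma threshold are all constructed for the example. It learns, per internal host, which destination ports are normal and how many bytes each host/port pair usually moves, then flags today's flows that use a never-seen port, blow past the volume baseline, or come from a host with no baseline at all.

```python
"""Added example: a minimal network-behaviour-analysis (NBA) style check.

Learn what "normal" looks like per internal host from a baseline window of
flow records, then flag today's flows that deviate: a destination port the
host has never used, or a byte volume far above that host/port's usual
range. All flow records below are constructed sample data, not captures.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that initiated the flow
    dst: str        # peer it talked to
    dport: int      # destination port
    bytes_out: int  # bytes sent by src


# Constructed baseline window: flows that represent normal behaviour.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "203.0.113.5", 443, 1000),
    Flow("10.0.1.10", "203.0.113.5", 443, 1400),
    Flow("10.0.1.10", "203.0.113.7", 443, 1000),
    Flow("10.0.1.10", "203.0.113.7", 443, 1400),
    Flow("10.0.1.10", "10.0.0.2", 53, 80),
    Flow("10.0.1.10", "10.0.0.2", 53, 120),
    Flow("10.0.1.10", "10.0.0.2", 53, 80),
    Flow("10.0.1.10", "10.0.0.2", 53, 120),
    Flow("10.0.1.20", "10.0.2.50", 445, 5000),
    Flow("10.0.1.20", "10.0.2.50", 445, 7000),
    Flow("10.0.1.20", "10.0.2.50", 445, 5000),
    Flow("10.0.1.20", "10.0.2.50", 445, 7000),
]

# Constructed "today" flows to score against the baseline.
TODAY_FLOWS = [
    Flow("10.0.1.10", "203.0.113.5", 443, 1300),    # within normal range
    Flow("10.0.1.10", "10.0.0.2", 53, 150),         # within normal range
    Flow("10.0.1.10", "198.51.100.9", 9090, 500),   # port this host never used
    Flow("10.0.1.10", "198.51.100.9", 443, 25000),  # known port, huge volume
    Flow("10.0.1.20", "10.0.2.50", 445, 6500),      # within normal range
    Flow("10.0.1.30", "203.0.113.5", 443, 800),     # host with no baseline
]


def build_baseline(flows):
    """Per source host: the set of destination ports seen and, per port,
    the mean and population standard deviation of bytes_out."""
    sizes = defaultdict(list)
    for f in flows:
        sizes[(f.src, f.dport)].append(f.bytes_out)
    profiles = defaultdict(lambda: {"ports": set(), "stats": {}})
    for (src, dport), values in sizes.items():
        profiles[src]["ports"].add(dport)
        profiles[src]["stats"][dport] = (mean(values), pstdev(values))
    return dict(profiles)


def volume_threshold(avg, stdev, sigma=3.0, rel_floor=0.1):
    """Upper bound for "normal" volume. The relative floor stops a port whose
    baseline barely varies (stdev near zero) from alerting on every trivial
    change, which is exactly the false-positive trap the posts complain about."""
    return avg + sigma * max(stdev, rel_floor * avg)


def score_flows(flows, profiles, sigma=3.0):
    """Return (flow, reason) pairs for flows that look abnormal."""
    alerts = []
    for f in flows:
        prof = profiles.get(f.src)
        if prof is None:
            alerts.append((f, "no baseline for source host"))
            continue
        if f.dport not in prof["ports"]:
            alerts.append((f, f"new destination port {f.dport}"))
            continue
        avg, stdev = prof["stats"][f.dport]
        limit = volume_threshold(avg, stdev, sigma)
        if f.bytes_out > limit:
            alerts.append((f, f"volume {f.bytes_out} above baseline limit {limit:.0f}"))
    return alerts


if __name__ == "__main__":
    for flow, reason in score_flows(TODAY_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run as-is it reports three of the six "today" flows: the never-seen port, the oversized transfer on a familiar port, and the host that has no profile yet. The last case is the one to watch in practice: a host with no baseline is not necessarily bad, it just cannot be judged, so it belongs in a "learn first" queue rather than on the alert list, and that is the kind of tuning work the posts say customers still do themselves.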

Another benefit to more aggressive monitoring on the network is that the network doesn’t care who you are or what your job title is. There are no “freebies” for important folks. No ways to skirt the monitoring or enforcement mechanisms. And in an environment where the CEO is perhaps more likely to be dirty than a run-of-the-mill worker – you can’t assume anyone is clean.

Trust no one. It will save your ass.