Security Research

Report Card: 2007 Incite #9 - Help Wanted: Fortune Teller

Submitted by Mike Rothman on Sat, 2007-12-29 12:41.

Keeping with my just-in-time philosophy, it's time to finish up the 2007 Report Card. Which is good timing since today is the last day of 2007. I wish you and all of those important to you a happy, healthy and prosperous 2008. See you on the other side (of the New Year).

Incite #9: Help Wanted: Fortune Teller

CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.

Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-9-help-wanted-fortune-teller
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007
Final grade: C-

We saw the death of responsible disclosure in 2007, and that means security researchers are still big players, but they have leveled the playing field by disclosing vulnerabilities at the same time they tell the vendors.

Honestly, I don’t much care to weigh in on the good vs. bad side of disclosure. It is what it is, and I can certainly see the rationale of many of the research folks out there who are done having a big vendor ignore their attempts to do the right thing. The arrogance of many vendors still perplexes me, but whatever…

Ultimately this Incite wasn’t about disclosure; the first part was about the business of security research – which never materialized. Why? Basically, end user organizations won’t pay for what they can get for free. Can they get a “hacker’s eye view” of a new vulnerability? No. Can they get a lot of security research folks’ take on the issue and the workarounds via the wonders of RSS? Absolutely.

Which is exactly what most organizations are doing. CSOs are staying current by monitoring the plethora of information sources out on the Internet. The folks trying to “sell” research just don’t have a compelling enough value proposition to get people to pay – so they won’t and that just reflects pretty pragmatic behavior. Who am I to argue with pragmatism?

The final piece of this Incite is pretty disappointing as well. Security monitoring continues to be a solution looking for a problem. Actually the thought leaders in this discipline (like Richard Bejtlich) know what the problem is – but the broad market isn’t listening.

I’ve harped all year on the need for organizations to REACT FASTER, and unless you are monitoring your stuff – I don’t know how you do that. But evidently other folks know better than I do, since they continue to do the same old same old and figure the answer will be different. Our networks continue to be infested with bots, our machines compromised, and things are not getting better.

Yet no one wants to slay the sacred cow of “proactive” defense, figuring that new algorithms will solve the false positive issues and allow us to block attacks that we’ve never seen before. Something’s got to give. Maybe 2008 will be the breakthrough year, where monitoring solutions are finally packaged in a way that every organization can use them, or maybe an open-source solution will appear to allow security folks to play a bit with monitoring and learn how powerful a method it is to secure things.

Whatever the answer, I sure hope we are spending more time in 2008 figuring out what is not normal, than blocking stuff we’ve never seen.

Check out the other posts in the Report Card series.

2007 DOI: Day 9 - Help Wanted: Fortune Teller

Submitted by Mike Rothman on Mon, 2007-02-26 16:49.
CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.

Read the rest of the 2007 Incites here.

The problem of information security is very similar to the challenges of stopping terrorists. Basically, the attack surface is far greater than our ability to protect things. That means IT IS NOT POSSIBLE to close all the exposures. Thankfully, when we mess up, people don’t die. I guess there is an advantage to being a security guy. But the point is the same: we need to choose wisely relative to where to spend our time and money, and do a few Hail Marys that we have chosen well.

So how do we know what to focus on? It actually comes down to a combination of two distinct factors. The first is the value of the business system. Basically you don’t want to spend a lot of time or money on a system that no one would bother attacking, or that wouldn’t be material even if it were attacked. Yes, there are systems that fit into this category. Check out Step 1 of the Pragmatic CSO (www.pragmaticcso.com) for more detail on assessing the value of your business systems.

The second is the likelihood that a given attack vector will actually be used. A lot of my thinking here was a direct result of working at TruSecure a few years back. I saw that security “intelligence” was invaluable in figuring out where and what the bad guys were going to hit. We could help our customers focus on doing what’s important because we had a decent idea about what the bad guys were working on.

To be clear, your run of the mill security professional is in no position to try to penetrate Eastern European or Chinese hacker networks. That’s why you work with people and companies that are. Folks like VeriSign (via their iDefense group), Symantec, Cisco, CyberTrust and others have groups of research folks that spend their time figuring out where the bad guys are going, not where they’ve been. There’s a big difference.

Of course, back in 2003 life was much easier and the bad guys had far fewer ways to obfuscate and hide. Today, the identities of the true brains behind these crime networks are well masked, so it’s about assessing actions and determining consequences. It’s much harder to find and kill the head of the snake, so basically you play the odds about where you think they will strike and protect those flanks first.

It’s very much like intelligence gathering in the “real world” as practiced by governments. Security intelligence is definitely a growth business and will provide a way for security researchers to monetize what they do. This is great news for all of those folks who did their work pretty much to be cool at Black Hat, not really for a paycheck. Every so often folks get their cake and can eat it too.

Given this infinite attack surface, what else can an organization do to protect itself? The answer this time is in Step 7 of the P-CSO. It’s about operating and monitoring your environment. The point is that it’s very hard (if not impossible) to get “ahead” of the threat. But you certainly can react faster.

So get to know the traffic patterns on your network and get adept at figuring out if something is not right. Use new tools like network behavior analysis (NBA) to see what’s different. The network doesn’t care - it sees everything. The answer is there if you know where and how to look.
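As an added illustration of the “learn what is normal, then flag what is different” approach described above (example code written for this page, not from the original post or any NBA product): it profiles constructed flow records per host and destination port, then reports flows that use a port the host has never used or a byte volume far outside the learned range. The host names, ports and byte counts are made-up sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (source host, destination port, bytes sent).
# Made-up values standing in for a stretch of "known good" flow data.
BASELINE_FLOWS = [
    ("db01", 3306, 1200), ("db01", 3306, 1350), ("db01", 3306, 1100),
    ("db01", 3306, 1280), ("db01", 3306, 1220), ("db01", 3306, 1190),
    ("ws01", 443, 8000), ("ws01", 443, 9500), ("ws01", 443, 7800),
    ("ws01", 443, 8400), ("ws01", 53, 90), ("ws01", 53, 110),
]

# Constructed "today" flows: two normal, two that should stand out.
NEW_FLOWS = [
    ("db01", 3306, 1250),   # in line with the baseline
    ("db01", 6667, 400),    # a port the database host has never talked to
    ("ws01", 443, 850000),  # outbound volume far beyond anything learned
    ("ws01", 53, 100),      # in line with the baseline
]


def learn_baseline(flows):
    """Profile each (host, port) pair: mean and population stdev of bytes per flow."""
    sizes = defaultdict(list)
    for host, port, nbytes in flows:
        sizes[(host, port)].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in sizes.items()}


def find_anomalies(baseline, flows, z_threshold=3.0):
    """Return (host, port, reason) for each flow that does not fit its profile."""
    known_hosts = {host for host, _ in baseline}
    findings = []
    for host, port, nbytes in flows:
        if host not in known_hosts:
            findings.append((host, port, "host not in baseline"))
        elif (host, port) not in baseline:
            findings.append((host, port, "new destination port for host"))
        else:
            avg, sd = baseline[(host, port)]
            # With no spread in the baseline, any change at all is a deviation.
            z = (nbytes - avg) / sd if sd > 0 else (0.0 if nbytes == avg else float("inf"))
            if abs(z) > z_threshold:
                findings.append((host, port, f"volume z={z:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(learn_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(finding)
```

A real deployment would key the profile on more than bytes per flow (time of day, flow count, peer address) and would rebuild the baseline on a schedule so slow drift does not get locked in as “normal”.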

That being said I don’t see NBA standing alone for too much longer. It’s an inherent part of network protection and should be done by the folks that do the networks. Cisco already has something (sort of) and that means the other 7 dwarfs of networking need something too. The problem is there aren’t really 7 NBA-looking things to look at – so it’s probably a seller’s market for NBA in 2007.

NetworkWorld Column: We need more security intelligence

Submitted by Mike Rothman on Mon, 2006-08-28 08:19.

As I was flying last week and the general inconvenience of having to check my bag set in, I came to realize it was good, old-fashioned intelligence that got ahead of that terrorist threat. Intelligence gathering exercises are something we don't do enough of as a security community. That is the topic of this week's NetworkWorld column, and I think it's important.

Check it out and let me know what you think:
http://www.networkworld.com/columnists/2006/082806rothman.html