Research

Organizations continue to invest heavily to block advanced attacks, on both endpoints and networks. Despite all this investment devices continue to be compromised in increasing numbers, and high-profile breaches continue unabated. Something isn’t adding up. It comes down to psychology – security practitioners want to believe that the latest shiny geegaw for preventing compromise will finally work and stop the pain. Of course we are still waiting for effective prevention, right? So we have been advocating a shift in security spending, away from ineffective prevention and towards detection and investigation of active adversaries within your networks and systems. We know many organizations have spent a bunch of money on detection – particularly intrusion detection, its big brother intrusion prevention, and SIEM. But these techniques haven’t really worked effectively either, so it’s time to approach the issue with fresh eyes. Our Network-based Threat Detection series will do just that. By taking a new look at detection, not from the standpoint of what we have done and implemented (IDS and SIEM), but what we need to do to isolate and identify adversary activity, we will be able to look at the kinds of technologies needed right now to deal with modern attacks. The times have changed, the attackers have advanced, and our detection techniques for finding adversaries need to change as well. As always, we wouldn’t be able to publish our research for the awesome price of zero without clients supporting what we do. So we’d like to thank Damballa and Vectra Networks for potentially licensing this content at the end of this series. We will develop the content using our Totally Transparent Research methodology, with everything done in the open and objectively. Threat Management Reimagined Let’s revisit how we think about threat management now. As we first documented in Advanced Endpoint and Server Protection, threats have changed so you need to change the way you handle them. We believe threat management needs to evolve as follows: Assessment: You cannot protect what you don’t know about – that hasn’t changed and isn’t about to. So the first step is to gain visibility into all devices, data sources, and applications that present risk to your environment. Additionally you need to understand the security posture of anything you have to protect. Prevention: Next try to stop attacks from succeeding. This is where most of the effort in security has been for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It is now a question of reducing attack surface as much as practical. If you can stop the simplistic attacks you can focus on advanced ones. Detection: You cannot prevent every attack, so you need a way to detect attacks after they get through your defenses. There are a number of different options for detection – most based on watching for patterns that indicate a compromised device. The key is to shorten the time between when the device is compromised and when you discover it has been compromised. Investigation: Once you detect an attack you need to verify the compromise and understand what it actually did. This typically involves a formal investigation – including a structured process to gather forensic data from devices, triage to determine the root cause of the attack, and a search to determine how widely the attack spread within your environment. Remediation: Once you understand what happened you can put a plan in place to recover the compromised device. This might involve cleaning the machine, or more likely re-imaging it and starting over again. This step can leverage ongoing hygiene activities (such as patch and configuration management) because you can and should use tools you already have to reimage compromised devices. This reimagined threat management process incorporates people, processes, and technology – integrated across endpoints, servers, networks, and mobile devices. If you think about it, there is a 5×4 matrix of all the combinations to manage threats across the entire lifecycle for all device types. Whew! That would be a lot of work (and a really long paper). The good news for this series is that we will focus specifically on network-based detection. Why Not Prevention? From reading thus far, you may think we’ve capitulated and just given up on trying to prevent attacks. Not true! We still believe that having restrictive application-centric firewall policies and looking for malware on the ingress pipes is a good thing. Our point is that you can’t assume that your prevention tactics are sufficient. They aren’t. Adversaries have made tremendous progress in being able to evade intrusion prevention and malware detonation devices (sandboxes). And remember that your devices aren’t always protected by the network perimeter or your other defenses at all times. Employees take the devices outside of the network and click on things. So your devices may come back onto the corporate network infected. That doesn’t mean these devices don’t catch stuff, but they don’t catch everything. Thus, if you are having trouble understanding the importance of detection; think about it as Plan B. Every good strategist has Plan B (and Plan C, D, and E) and focusing effort on detection gives you a fallback position when your prevention doesn’t get it done. So in a nutshell, it’s not either prevention or detection. It’s both. Why Not Existing Monitoring? You probably already spent a bunch of time and money implementing intrusion detection/prevention and SIEM to monitor those network segments. So why isn’t that good enough? It comes down to a fundamental aspect of IDS and SIEM: you need to know what you are looking for. Basically, you define a set of conditions (rules/policies) to look for typical patterns of attacks in your network traffic or event logs. If an attacker uses a common attack that has already been profiled, and you have added the rule to your detection system, and your device can handle the volumes (because you probably have 10,000 other rules defined in that device) you will be able to find that attack. But what if the attacker is evading your devices by

A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable. I guess I have always been this way. Taking risks isn’t risky from where I sit. In fact playing it safe feels dangerous. Of course I don’t take stupid risks and put myself in harm’s way. At least I don’t any more – now I have a family who depends on me. But people ask me how I have the courage to start new businesses and try things. I don’t know – I just do. I couldn’t really play it safe it I tried. Not that playing it safe is bad. To the contrary, it’s a yin-yang thing. Society needs risk-takers and non-risk-takers. However you see yourself, make sure you understand and accept it, or it will not end well. For instance some folks dream of being a swashbuckling entrepreneur, jumping into the great unknown with an idea and a credit card to float some expenses. If you are risk-averse that path will be brutal and disappointing. Even if the venture is successful it won’t feel that way because the roller coaster of building a business will be agonizing for someone who craves stability. Similarly if you put an entrepreneur into a big stable company, they will get into trouble. A lot of trouble. Been there, done that. That’s why it is rare to see true entrepreneurs stay with the huge companies that acquire them, after the retention bonuses are paid and the stock is vested. It’s just soul-crushing for swashbucklers to work in place with subsidized cafeterias and large HR departments. I joked that it was time to leave META Group back in the mid-90s, when we got big enough that there were people specifically tasked with making my job harder. They called it process and financial controls. I called it bureaucracy and stupid paperwork. It didn’t work for me so I started my own company. With neither a subsidized cafeteria nor an HR department. Just the way I like it. –Mike Photo credit: “2012_05_050006 Road to Risk Takers Select Committees” originally uploaded by Gwydion M. Williams Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get… The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler December 18 – Predicting the Past November 25 – Numbness October 27 – It’s All in the Cloud October 6 – Hulk Bash September 16 – Apple Pay August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Endpoint Defense Essential Practices Essential Practices Applied Threat Intelligence Building a TI Program Use Case #3, Preventative Controls Use Case #2, Incident Response/Management Use Case #1, Security Monitoring Defining TI Network Security Gateway Evolution Introduction Newly Published Papers Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development Trends in Data Centric Security Leveraging Threat Intelligence in Incident Response/Management The Security Pro’s Guide to Cloud File Storage and Collaboration The Future of Security Incite 4 U We’re hacking your stuff too, eh! All my Canadian friends are exceedingly nice. I’m sure many of you know our contributors from up North, Dave Lewis and James Arlen, and there aren’t any nicer people. They are cranky security people like the rest of us, but they somehow never seem cranky. It’s a Canadian thing. So when you hear about the Canadians doing what pretty much every other government is doing and hacking the crap out of all sorts of things, you say, “Eh? The Canadians? Really?” Even better, the Canadians are collaborating with the NSA to use social engineering and targeted attacks to “garner foreign intelligence or inflict network damage.” The spinmeisters were spinning hard about the documents being old, blah blah blah. Maybe they need a little Rob Ford action in the cyber department to give us the real low-down. But you know what? I’m sure they were very polite guests and left everything exactly as they found it. – MR He had me at Manifesto: I love a good manifesto. Nothing gets the blood moving like a call to arms, to rally the troops to do something. My friend Marc Solomon of Cisco advocates for CISOs to write their own manifestoes to get the entire organization thinking about security. I’m not sure how you make security “a growth engine for the business”, but a lot of his other aspirations are good. Things like security must be usable, transparent, and informative. Yup. And security must be viewed as a “people problem,” which really means that if you didn’t have all these pesky employees you would have far fewer security problems. Really it’s a sales document. You (as CISO) are selling the security mindset to