Wednesday, January 10, 2007

The Revolution Will Be Monitored

I read the following in the latest SANS NewsBites:

Revised Civil Procedure Rules Mean Companies Need to Retain More Digital Data (4 January 2007)

The revised Federal Rules of Civil Procedure, which took effect on December 1, 2006, broaden the types of electronic information that organizations may be asked to produce in court during the discovery phase of a trial. The new types of digital information include voice mail systems, flash drives and IM archives. This will place a burden on organizations to retain the data in the event it is needed in a legal case.

Section V, Depositions and Discovery, Rule 34 of the Federal Rules of Civil Procedure reads, in part,

"Any party may serve on any other party a request to produce and permit the party making the request, or someone acting on the requestor's behalf, to inspect, copy, test or sample any designated documents or electronically stored information - including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained ..."

This ComputerWorld article adds:

According to a 2006 study by the American Management Association and the ePolicy Institute, more than half of those who use free IM software at work say that their employers have no idea what they're up to.

There are two ways to look at this problem. The first involves limiting the amount of data available, i.e., data creation. Brian Honan mentions this in his commentary for SANS:

Make sure to include how to deal with personal electronic devices such as PDAs and pen drives - hint best to prohibit their use in a corporate environment in the first place.

Yeah, right. Everything is going to have USB/Bluetooth/whatever connectivity and a flash drive sooner or later. We're already seeing this will cell phones and integrated cameras. It's almost impossible to not buy a new cell phone without a camera. One of my clients is considering banning cell phones with cameras in the office. That absolutely will not work. Who is going to enforce that policy? They don't have guards and no guard is going to strip-search employees to find cell phones with cameras.

The second way to look at the problem involves limiting data retention. In other words, don't save as much data and therefore have less data available for legal scrutiny. That is absolutely going to fail too. The trend across all sectors is to retain more information. Section 10 of the PCI Security Standard is just one example. Since 2003 the National Association of Securities Dealers (NASD) has required financial firms to retain IM for three years. The Securities and Exchange Commission (SEC) has already fined companies millions of dollars for not retaining email for at least three years.

I would not be surprised to see best practice evolve into requiring network traffic retention systems, perhaps at the session level or maybe even at the full content level. I would also not be surprised to see requirements for intercepting outbound encrypted traffic for inspection and retention purposes. The only reason we don't see those requirements yet is regulators don't understand how any protocol can be tunneled over any protocol, as long as the endpoints understand the mechanism involved.


Bob Huber said...

Agreed, at least in the financial industry the trend is for much more data retention. The problem then becomes data management. The cost for storage becomes monumental in a large environment. We had a requirement to be able to collect 120TB of log data every 90 days and the cost for that per month was on the order of $40,000+...and that wasn't all of our data, mostly system and security log data. Most of the major log retention solutions and SIM/SIEM solutions are fighting this battle now; hence, you see Network Intelligence getting bought by EMC, LogLogic increasing their event and device capacity etc.
At one time we also implemented argus on every single IDS we had, and loaded these files hourly to a central server. While these files were useful for all types of analysis, the amount of data we collected soon overwhelmed our capacity, even though it was netflow information only. This is definitely the direction we are headed and will play well into the hands of Niksun and Sandstorm’s NetIntercept…

Jason Meltzer said...

A certain large global firm I was with until recently has gone with the latter strategy, at least for emails. If messages were important to you, either print them or save them to a personal folder; otherwise, they are going in the bit bucket and officially are not retained after 30 days.

This wasn't in the US though... does it say what time period the information has to be available for? I'm expecting companies to go to a time-limited full retention strategy. That way there is not question as to what is available while placing some bounds on storage space at the same time. Albeit differing circumstances might dictate otherwise as mentioned by Bob above.


Anonymous said...

Richard, with regard to your comment about not having requirements ofr intercepting outbound traffic due to multiple protocol tunnels. Has anyone in the industry taken a look at exploiting enterprise management systems, combined with running multiple tunnels, to create an overlay network? Seems to me, that most IDS shops ignore traffic if it appears to be coming from authorized network/computer management tools by default. That's a perfect path, as it does not require 'hacking' the OSes/Apps directly, just take over the managmement system. Most of the leading vendors appear to have comms between agents and central controllers that are fairly easy to subvert/inject, etc., since the rpc variants most of the vendors use for comms can be subject to well-engineering exploits. I have seen ptacek/monstano talk at BH, and think that's something of interest to network monitoring types in that if you can't fix something, at least figure out how to 'monitor' it, so you can determine if something bad is going on.

If you want to hide on someone else's network, make sure you look like everyone else, mix in with the crowd/noise, and be the little thing that doesn't stand out. So look like standard administrative traffic/functions.

Attacking C2 systems has always been a military strategy, and if everyone is expected to live on the 'Net, and allow C2 of major functions of society, then shouldn't those systems be somewhat secure? Thanks for your thoughts in advance....