Friday, January 18, 2008

2008 Predictions Panning Out

Almost one month ago I wrote Predictions for 2008. They included 2) "Expect greater military involvement in defending private sector networks" and 4) "Expect greater attention paid to incident response and network forensics, and less on prevention."

Relevant to number 2, today I read Intelligence Chief Proposes Wide Cyber Surveillance, which says:

US National Intelligence Director says government should be able to tap all email, file transfers, and Web searches.

In an interview scheduled to be published in Monday's forthcoming edition of The New Yorker, McConnell offers some insight into his long-awaited draft U.S. Cyber-Security Policy...

To accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States -- in order to protect it from abuse.

The plan gives government agencies the right to monitor email, file transfers, and even Web searches, according to reports. McConnell's proposals also include reducing the number of gateways between government computers and the Internet from 2,000 to 50, as well as implementing a dragnet to monitor electronic traffic.


Relevant to number 4, today I read Tech Insight: Incident Response, which says:

Incident response (IR) for many IT shops traditionally has been accomplished by cobbling together tools from various sources with a script-based tool that automates the collection of data from the suspect system. An IR team member or help desk technician is sent to investigate a problem, with a USB thumb drive in hand that contains the collection of tools. The tools are then run, and the output analyzed to detect the source of the suspicious behavior. It’s neither a quick nor efficient process.

All manual incident response is slow response, says Kevin Mandia, president and CEO of Mandiant. A key driver for organizations dealing with incidents, especially those in the financial sector, Mandia says, is speed and minimizing exposure: The IR team must be able to quickly grab information about the incident, determine what’s happening, and respond appropriately to minimize collateral damage...

With new products on the horizon, IT groups looking to streamline their current IR practices or to simply start an IR program for the first time should keep an eye on evolving products and new releases due out within the next month.


I plan to visit MANDIANT and HBGary within the next month. I have trial software from Technology Pathways to test. I have a copy of NetWitness Investigator Field Edition in my lab kit now. I have copies of AccessData FTK 2.0 and Guidance Software EnCase Forensic en route. There's a lot happening in the IR and forensic space, so I think 2008 will be a big year.

4 comments:

Ironwoodtree said...

So what do you think of the NSA plan? Do they have a response plan for all these horrible threats they detect? How are they going to weed out false positives? The plan stinks to high heavens to me.

Anonymous said...

Wow, talk about a dangerous precedent. I am glad that you bring this to light, because it definitely brings up the fact that the federal wiretapping laws are a little outdated. Nothing personal, but I don't need some government automaton watching me google, whether it is for porn, instructions how to make meth, or explosives. It starts as defense, until we get another right-wing religious nut job trying to force ridiculous notions of morality into office. I have more fear in my government with our president offering weaponry to the very country that it seems most "terrorists" are citizens of (Saudi Arabia) in exchange for oil than I do of some far fetched cyberattack. And hackers collaborated just fine through BBSes before widespread consumer Internet usage; nothing's stopping them from going back to avoid detection. In other words, more wasted tax money.

John Ward said...

Yeah.... not quite sure how I feel about that one... I don't quite believe the conspiracy theories, but I agree with the notion that I do not welcome military wiretapping civilian communications. As it stands right now, police and federal law enforcement need a judge to approve wiretapping where any "reasonable expectation of privacy" is violated. I don't remember off hand if Internet communications fall into that realm. Even if it does, I don't think the military should be immune to those laws, and I definitely do not think they should serve in any law enforcement capacity. That sets us down a slippery slope. I didn't hear any mention of an incident response plan, as the first poster pointed out. But we have a history in this country (at least until the last decade) of not welcoming federal involvement into our daily lives, so I have a feeling that the first cases to reach a court as a result of this will see this policy go down the crapper, or at the very least be forced into massive oversight and fall into the government inefficiency we have all come to love.

Jim said...

Wow. What are they thinking? Might as well just stop allowing envelopes at the post office too.