Ten Themes from Recent Conferences
I blogged recently about various conferences I've attended. I considered what I had seen and found ten themes to describe the state of affairs and some general strategies for digital defense. Your enterprise has to be of a certain size and complexity for these items to hold true. For example, I do not expect item one to hold true for my lab network, since the user base, number of assets, and nature of the assets are so small. Furthermore, I heavily instrument the lab (that's the purpose of it), so I am less likely to suffer item one. Still, organizations that use their network for business purposes (i.e., the network is not an end unto itself) will probably find common ground in these themes.
Have you adopted any themes based on your work or conference attendance?
1. Permanent compromise is the norm, so accept it. I used to think digital defense was a cycle involving resist -> detect -> respond -> recover. Between recover and the next attack there would be a period where the enterprise could be considered "clean." I've learned now that all enterprises remain "dirty" to some degree, unless massive and cost-prohibitive resources are directed at the problem.
2. We cannot stop intruders, only raise their costs. Enterprises stay dirty because we cannot stop intruders, but we can make their lives more difficult. I've heard of some organizations trying to raise the $ per MB that the adversary must spend in order to exfiltrate/degrade/deny information.
3. Anyone of sufficient size and asset value is being targeted. If you are sufficiently "interesting" but you don't think you are being attacked and compromised, you're not looking closely enough.
4. Less Enterprise Protection, more Enterprise Defense. We need to think less in terms of raising our arms to block our face while digitally boxing, and more in terms of side-stepping, ducking and weaving, counter-punching, and other dynamic defenses.
5. Less Prevention, more Detection, Response, Disruption. One of my laws from my books is "prevention eventually fails." Your best bet is to identify intrusions and rapidly contain and frustrate the intruder. You have to balance information gathering against active responses, but most organizations cannot justify what are essentially intel gathering operations against the adversary.
6. Less Vulnerability Management, more System Integrity Analysis. Vulnerability management is still important, but it's an input metric. We need more output metrics, like SIA. Are all the defenses we institute doing anything useful? SIA can provide some answers.
7. Less Totality, more Sampling. In security, something is better than nothing. Instead of worrying about determining the trustworthiness of every machine in production, devise statistically valid sample sizes, conduct SIA, tactical traffic assessment, and other evaluation techniques, and extrapolate to the general population.
8. Less Blacklisting, more Whitelisting. Organizations are waking up to the fact that there is no way to enumerate bad and allow everything else, but it is possible to enumerate good and deny everything else.
9. Use Infrequency/Rarity to our advantage. If your organization adopts something like the FDCC on your PCs and whitelists applications, the environment will be fairly homogeneous. Many organizations are deciding to make the trade-off between diversity/survivability and homogeneity/susceptibility in favor of homogeneity. If you're going down that path, why not spend extra attention on anything that deviates from your core load? Chances are it's unauthorized and potentially malicious.
10. Use Blue and Red Teams to measure and validate. I've written about this a lot in my blog, but I'm seeing other organizations adopt the same stance.
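As an added example (not code from the original post), here is the rarity theme in practice: a least-frequency analysis of a constructed software inventory against an assumed approved core load, flagging anything that is off the whitelist or seen on only a small fraction of hosts. Hostnames, application names and the threshold are all hypothetical.

```python
"""Least-frequency analysis of installed software across a fleet of hosts.

In a homogeneous environment (standard desktop build plus an application
whitelist), anything that deviates from the core load deserves a look.
The inventory below is constructed; hostnames and package names are made up.
"""
from collections import Counter

# Constructed inventory: host -> set of installed application names.
INVENTORY = {
    "ws01": {"os-base", "office", "browser", "vpn-client"},
    "ws02": {"os-base", "office", "browser", "vpn-client"},
    "ws03": {"os-base", "office", "browser", "vpn-client", "remote-admin-tool"},
    "ws04": {"os-base", "office", "browser", "vpn-client", "legacy-client"},
    "ws05": {"os-base", "office", "browser", "vpn-client", "pdf-reader"},
    "ws06": {"os-base", "office", "browser", "vpn-client", "pdf-reader"},
}

# Assumed approved core load (the whitelist). Optional packages are included.
CORE_LOAD = {"os-base", "office", "browser", "vpn-client", "pdf-reader", "legacy-client"}


def prevalence(inventory):
    """Fraction of hosts on which each application appears."""
    counts = Counter(app for apps in inventory.values() for app in apps)
    total = len(inventory)
    return {app: n / total for app, n in counts.items()}


def deviations(inventory, core_load, rare_below=0.20):
    """Return (host, app, reason) triples worth an analyst's attention.

    Two signals: the app is not on the approved core load at all, or it is
    approved but seen on fewer than `rare_below` of hosts. In a fleet built
    from one image, even an approved-but-rare package is a deviation worth
    confirming (stale build, manual install, or something masquerading).
    """
    prev = prevalence(inventory)
    findings = []
    for host, apps in sorted(inventory.items()):
        for app in sorted(apps):
            if app not in core_load:
                findings.append((host, app, "not on core load"))
            elif prev[app] < rare_below:
                findings.append((host, app, f"rare ({prev[app]:.0%} of hosts)"))
    return findings


if __name__ == "__main__":
    for host, app, reason in deviations(INVENTORY, CORE_LOAD):
        print(f"{host}: {app} -> {reason}")
```

The same counting works on running processes, services, autostart entries or loaded drivers collected from a statistically chosen sample of hosts, which ties this theme to the sampling theme above.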
Comments
There is a reason firewalls are default deny. That needs to be applied to everything.
Also, Less Enterprise Protection, more Enterprise Defense. I have to say, right now I'm not seeing it. Based on incidents I've responded to over the past, say, 2 yrs, my feeling on this is that you can't say that something isn't working and we have to do something else, when the first thing isn't being done right. If the boxer is too tired or clueless to raise his hands to block his face, how are you going to get him to side-step, duck and weave, and use dynamic defenses?
Over the past year, I've seen more than a couple of intrusions that were the result of SQL injection attacks. The intrusions went on for some time before anyone was aware that there was someone else "in the room". When the victim was notified that the issue might be SQL injection, they had no idea where to start looking for logs.
If the boxer's basic instinct isn't going to kick in, how are you going to teach him dynamic defense?
Do you know of any examples of effective "System Integrity Analysis"?
I haven't seen anything formal in this area... it is being done right now by USAF hunter-killer teams though.
On a related note, the more I learn about what the US government is doing with respect to common desktop configurations and standardizing server security, the more I feel my own organization (a manufacturing company) is really just reinventing the wheel (and not always very effectively).
Vic Fichman
http://www.securityevent.net
@vic - Good site...would be nice to see it expanded to include as many InfoSec events as, say, Homeland Security, etc.
We whitelist at the datafile level on a per user basis. This provides an effective solution for the endpoint device issue as device usage is allowable only in the context of the data access request.
I disagree. Most major breaches have occurred because of oversight involving one machine. The one machine you do not worry about is the one a late night cleaning crew person or security guard will plug a keylogger into the back of or use to browse infected pornography sites.
I like the list, esp. #9. Question for you - do you feel like your #10 "Use Blue and Red Teams to measure and validate." is either distinctly different or in opposition to MJR saying that "Penetrate and Patch" is a dumb idea?