Wednesday, March 19, 2008

Ten Themes from Recent Conferences

I blogged recently about various conferences I've attended. I considered what I had seen and found ten themes to describe the state of affairs and some general strategies for digital defense. Your enterprise has to be of a certain size and complexity for these items to hold true. For example, I do not expect item one to hold true for my lab network since the user base, number of assets, and nature of the assets is so small. Furthermore, I heavily instrument the lab (that's the purpose of it) so I am less likely to suffer item one. Still, organizations that use their network for business purposes (i.e., the network is not an end unto itself) will probably find common ground in these themes.

  1. Permanent compromise is the norm, so accept it. I used to think digital defense was a cycle involving resist -> detect -> respond -> recover. Between recover and the next attack there would be a period where the enterprise could be considered "clean." I've learned now that all enterprises remain "dirty" to some degree, unless massive and cost-prohibitive resources are directed at the problem.

  2. We cannot stop intruders, only raise their costs. Enterprises stay dirty because we cannot stop intruders, but we can make their lives more difficult. I've heard of some organizations trying to raise the $ per MB that the adversary must spend in order to exfiltrate/degrade/deny information.

  3. Anyone of sufficient size and asset value is being targeted. If you are sufficiently "interesting" but you don't think you are being attacked and compromised, you're not looking closely enough.

  4. Less Enterprise Protection, more Enterprise Defense. We need to think less in terms of raising our arms to block our face while digitally boxing, and more in terms of side-stepping, ducking and weaving, counter-punching, and other dynamic defenses.

  5. Less Prevention, more Detection, Response, Disruption. One of my laws from my books is Prevention eventually fails. Your best bet is to identify intrusions and rapidly contain and frustrate the intruder. You have to balance information gathering against active responses, but most organizations cannot justify what are essentially intel gathering operations against the adversary.

  6. Less Vulnerability Management, more System Integrity Analysis. Vulnerability management is still important, but it's an input metric. We need more output metrics, like SIA. Are all the defenses we institute doing anything useful? SIA can provide some answers.

  7. Less Totality, more Sampling. In security, something is better than nothing. Instead of worrying about determining the trustworthiness of every machine in production, devise statistically valid sample sizes, conduct SIA, tactical traffic assessment, and other evaluation techniques, and extrapolate to the general population.

  8. Less Blacklisting, more Whitelisting. Organizations are waking up to the fact that there is no way to enumerate bad and allow everything else, but it is possible to enumerate good and deny everything else.

  9. Use Infrequency/Rarity to our advantage. If your organization adopts something like the FDCC on your PCs and whitelists applications, the environment will be fairly homogeneous. Many organizations are deciding to make the trade-off between diversity/survivability and homogeneity/susceptibility in favor of homogeneity. If you're going down that path, why not spend extra attention on anything that deviates from your core load? Chances are it's unauthorized and potentially malicious.

  10. Use Blue and Red Teams to measure and validate. I've written about this a lot in my blog but I'm seeing other organizations adopt the same stance.
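As an added illustration of themes 8 and 9 (example code, not part of the original post), here is a small Python check over constructed per-host software inventories: it flags anything outside a whitelisted core load, anything missing from it, and ranks the findings by how rare each deviation is across the fleet. The whitelist, hostnames and package names are invented.

```python
from collections import Counter

# Constructed whitelist: the approved core load every PC should carry.
CORE_LOAD = {"os-base", "office-suite", "browser", "av-agent", "vpn-client"}

# Constructed per-host inventories (hostnames and package names invented).
INVENTORY = {
    "pc-001": {"os-base", "office-suite", "browser", "av-agent", "vpn-client"},
    "pc-002": {"os-base", "office-suite", "browser", "av-agent", "vpn-client"},
    "pc-003": {"os-base", "office-suite", "browser", "av-agent", "vpn-client", "cad-tool"},
    "pc-004": {"os-base", "office-suite", "browser", "av-agent", "vpn-client", "cad-tool"},
    "pc-005": {"os-base", "office-suite", "browser", "vpn-client", "remote-admin-kit"},
}


def item_counts(inventory):
    """Number of hosts carrying each item."""
    return Counter(item for items in inventory.values() for item in items)


def find_deviations(inventory, core_load):
    """Return (host, item, reason, share) tuples, rarest deviation first.

    reason is 'unapproved' (item outside the whitelist, theme 8) or
    'missing-core' (whitelisted item absent from this host). share is the
    fraction of the fleet showing the same deviation: the smaller it is,
    the more it stands out against a homogeneous baseline (theme 9).
    """
    n = len(inventory)
    counts = item_counts(inventory)
    findings = []
    for host, items in inventory.items():
        for item in items - core_load:
            findings.append((host, item, "unapproved", counts[item] / n))
        for item in core_load - items:
            findings.append((host, item, "missing-core", (n - counts[item]) / n))
    return sorted(findings, key=lambda f: (f[3], f[0], f[1]))


def rarest_unapproved(inventory, core_load, max_share=0.25):
    """Unapproved items present on at most max_share of hosts: triage these first."""
    n = len(inventory)
    counts = item_counts(inventory)
    return sorted(i for i, c in counts.items()
                  if i not in core_load and c / n <= max_share)


if __name__ == "__main__":
    for host, item, reason, share in find_deviations(INVENTORY, CORE_LOAD):
        print(f"{host}: {item:17} {reason:13} seen on {share:.0%} of fleet")
    print("triage first:", rarest_unapproved(INVENTORY, CORE_LOAD))
```

On the sample fleet the single host carrying a non-whitelisted remote administration package and missing the AV agent sorts to the top, while the CAD tool shared by two hosts ranks lower and reads more like an unrecorded departmental build.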


Have you adopted any themes based on your work or conference attendance?

14 comments:

Jim said...

On the subject of Blacklist/Whitelist, I agree 100%. I have been saying for a while that there is more bad than good in the world, so if we are going to enumerate something, let's go with the smaller item.

There is a reason firewalls are default deny. That needs to be applied to everything.

Keydet89 said...

Great stuff - now we just need someplace where a Dir, InfoSec or CISO can go and translate this into something they can use.

Also, Less Enterprise Protection, more Enterprise Defense. I have to say, right now I'm not seeing it. Based on incidents I've responded to over the past, say, 2 yrs, my feeling on this is that you can't say that something isn't working and we have to do something else, when the first thing isn't being done right. If the boxer is too tired or clueless to raise his hands to block his face, how are you going to get him to side-step, duck and weave and use dynamic defenses?

Over the past year, I've seen more than a couple of intrusions that were the result of SQL injection attacks. The intrusions went on for some time before anyone was aware that there was someone else "in the room". When the victim was notified that the issue might be SQL injection, they had no idea where to start looking for logs.

If the boxer's basic instinct isn't going to kick in, how are you going to teach him dynamic defense?

KM said...

Whitelist the approved apps. That will go a long way -- basically the first line of defense.

Joe said...

Richard,

Do you know of any examples of effective "System Integrity Analysis"?

Richard Bejtlich said...

Joe,

I haven't seen anything formal in this area... it is being done right now by USAF hunter-killer teams though.

Chris L. said...

Any idea whether the FDCC has begun to spill over into the private sector or is it primarily restricted at this time to federal organizations?

On a related note, the more I learn about what the US government is doing with respect to common desktop configurations and standardizing server security, the more I feel my own organization (a manufacturing company) is really just reinventing the wheel (and not always very effectively).

Richard Bejtlich said...

Chris L, I have heard of some .com's looking at FDCC for the very reason you cite -- why duplicate effort?

Vic Fichman said...

English, guys, English. Have mercy on us poor everyday web professionals (developers, street-level system admins, etc.) and hold a conference somewhere that ties everything in a package we can take home at the end of the week, and implement on the spot!

Vic Fichman
http://www.securityevent.net

G said...

@keydet89 - This looks like a pretty usable list to me! I think a pretty big company could pick those up and use them as guiding principles for a security strategy, don't you?

@vic - Good site...would be nice to see it expanded to include as many InfoSec events as, say, Homeland Security, etc.

Rob Lewis said...

@Jim, @Km,

We whitelist at the datafile level on a per user basis. This provides an effective solution for the endpoint device issue as device usage is allowable only in the context of the data access request.

Anonymous said...

"Less Totality, more Sampling. In security, something is better than nothing. Instead of worrying about determining the trustworthiness of every machine in production,"

I disagree. Most major breaches have occurred because of oversight involving one machine. The one machine you do not worry about is the one a late night cleaning crew person or security guard will plug a keylogger into the back of or use to browse infected pornography sites.

nettec said...

Nice list. But I think you left the most important aspect of security out - Personnel. I worked in a health care facility. It was one of 20 nationwide. The IT Director could not tell you what a byte was or what RAM stood for. My co-worker, a LAN admin there for 10 years, was worried about job security. Anyone they hired to work with her had "mysterious" issues with their computer. I got tired of repairing mine so I simply made an image and reimaged it every week or two when she purposely corrupted it. My predecessor suggested installing cameras over the computers! Like that would help. This IT Director and LAN Admin were at the top in charge of network security. In this environment your list would be meaningless. Sad to say, but this is not isolated.

Alex said...

Hey Richard!

I like the list, esp. #9. Question for you - do you feel like your #10 "Use Blue and Red Teams to measure and validate." is either distinctly different or in opposition to MJR saying that "Penetrate and Patch" is a dumb idea?
