Sunday, March 16, 2008

Thoughts from Several Conferences

Over the last several months I've accumulated several pages of notes after attending a variety of conferences. I thought I would present a few cogent points here. As with most of my posts, I record thoughts for future reference. If you'd rather not read a collection of ideas, please tune in later.

I attended the 28 Nov 07 meeting of the Infragard Nation's Capital chapter. I found the talk by Waters Edge Consulting CEO Jeffrey Ritter to be interesting. Mr. Ritter is a lawyer and self-proclaimed "pirate" who works for the defendant by attacking every aspect of the adversary's case. As more lawyers become "cyber-savvy" I expect to encounter more of his type. Mr. Ritter offered three rules of defense.

  1. That which is unrecorded did not occur.

  2. That which is undocumented does not exist.

  3. That which is unaudited is vulnerable.


He also said "Litigation isn't about the truth... it's about getting money." He offered three questions to be asked of any evidence.

  1. Is it relevant?

  2. Is it real?

  3. Is it admissible?


Mr. Ritter mentioned three ediscovery-related sites, namely the Electronic Discovery Reference Model, the International Research on Permanent Authentic Records in Electronic Systems (InterPARES) project, and the Sedona Conference.

On 10-11 Dec 08 I attended several sessions of the Intelligence Support Systems for Lawful Interception, Criminal Investigations, Intelligence Gathering and Information Sharing Conference and Expo. I spoke at the May 07 event and attended an earlier conference in 2006. There is really nothing else like ISS World as far as I'm concerned. It's basically all about lawful intercept (LI). ISS World is heavily attended by police and vendors used to tapping phone lines, now confused by tapping IP traffic.

I thought comments by Alessandro Guida of ATIS Systems and Klaus Mochalski of IPOQUE were helpful. They noted that "traffic decoding," meaning reconstructing captured traffic into something as close as possible to what the user actually saw or manipulated, in a form friendly to investigators, is the big problem with LI today. They noted the difference between protocols and applications, since HTTP can be used for Web traffic, file transfers, mobile multimedia (all their terms), and so on. They said the four steps for traffic decoding are 1) classifying traffic; 2) correlating sessions; 3) extracting information; and 4) presenting content. They believe that "LI is becoming a data retention issue," because the volume of IP traffic manipulated by any end user is vastly increasing.
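The four decoding steps above, as an added toy example (my code, not the speakers'): constructed HTTP and SSH packets are classified by protocol, correlated into sessions, mined for request path and Content-Type, and presented with the application each HTTP session carried, which is the protocol-versus-application distinction the talk made.

```python
from collections import defaultdict
# Constructed sample packets (source, destination, payload) using documentation
# address ranges; not captured traffic. Added example, not the speakers' code.
PACKETS = [
    ("10.0.0.5:51000", "203.0.113.10:80", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("203.0.113.10:80", "10.0.0.5:51000", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
    ("10.0.0.5:51001", "203.0.113.10:80", b"GET /clip.mp4 HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("203.0.113.10:80", "10.0.0.5:51001", b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n\x00\x00\x00\x18ftyp"),
    ("10.0.0.5:51002", "203.0.113.20:22", b"SSH-2.0-OpenSSH_7.4\r\n"),
]
# One protocol (HTTP) carries several applications; map Content-Type prefixes to them.
APP_BY_TYPE = {"text/html": "web", "video/": "multimedia", "application/octet-stream": "file transfer"}
def classify(payload):
    """Step 1: identify the protocol from the first bytes of the payload."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"HTTP/") or payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"

def correlate(packets):
    """Step 2: group both directions of a flow into one session, in first-seen order."""
    sessions = defaultdict(list)
    for src, dst, payload in packets:
        sessions[frozenset((src, dst))].append(payload)
    return list(sessions.values())

def extract_http(payloads):
    """Step 3: pull the request path and response Content-Type out of an HTTP session."""
    path = ctype = None
    for p in payloads:
        first, *headers = p.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
        if not first.startswith("HTTP/"):  # request line: METHOD PATH VERSION
            path = first.split(" ")[1]
        for h in headers:
            if h.lower().startswith("content-type:"):
                ctype = h.split(":", 1)[1].strip()
    return path, ctype
def decode(packets):
    """Step 4: present each session as protocol plus the application it carried."""
    rows = []
    for payloads in correlate(packets):
        proto = classify(payloads[0])
        row = {"protocol": proto, "application": None, "path": None}
        if proto == "http":
            row["path"], ctype = extract_http(payloads)
            row["application"] = next((a for t, a in APP_BY_TYPE.items() if (ctype or "").startswith(t)), "other")
        rows.append(row)
    return rows
```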

Dana Sugarman from Verint either stated the following or caused me to react with the following observations. "Security" typically focuses on defending a number of assets against a number of threats. LE, in contrast, focuses surveillance against a specific target, or perhaps several targets (a target being a potential criminal). Intelligence operations can focus on large numbers of threats or specific parties.

A few other themes arose at ISS World. "Application-specific lawful intercept" is the Holy Grail, meaning recording only the data necessary to render content useful to the investigator. Some judges are rejecting the idea that it is necessary or proper to monitor a suspect wherever he goes, rather than focusing on a method of communication (like a home telephone). Finally, most of the LI guys I met are former telecom people who seem to be reinventing the wheel. They are facing all of the issues we encountered with intrusion detection systems in the late 1990s. It would be amusing if it weren't sad too.

Finally on 25 Feb 08 I attended one day of the Institute for Applied Network Security 7th Annual Mid-Atlantic Information Security Forum. I went to the event to see specific people, including Angela Orebaugh, Ron Ritchey, Rocky DeStefano, Aaron Turner, Nick Selby, and Marty Roesch. I thought Phil Gardner's six themes were thought-provoking:

  1. Businesses will be, or already are, eliminating corporate computing assets in favor of personal computing assets. This is the "university model" I've blogged previously, meaning universities have been coping with student-provided endpoints on "corporate" networks for years.

  2. Information and physical security continues to converge.

  3. Risk of all forms is converging.

  4. NAC is a failure; "what does it even mean?" asks Phil.

  5. Data Leakage Protection is "stopping stupid, period." (I heard this repeatedly. Leakage is accidental and can possibly be stopped. Loss is intentional and cannot be reliably stopped.)

  6. Middle management who exist to manage techies are losing their jobs. In the end only executives and the techies themselves will be left.


At the talk on NIST by Orebaugh and Ritchey I pitched in vain my desire to see greater use of red teaming and time-based security. I think they thought I spoke in Greek, or was crazy. They would like to see NIST documents used to create a common security vocabulary. For the sake of the community I may try to adopt the definitions in NIST's Glossary of Key Information Security Terms (.pdf).

Rocky DeStefano and Brandon Dunlap talked about SIM. Their three recommendations were:

  1. After deploying the SIM, disable all built-in rules.

  2. Write rules specific to your organization, using the built-in rules as samples.

  3. Have experts review the resulting output.


Corollaries of these rules are:

  • Deploying a SIM requires understanding your network to begin with. You can't deploy a SIM and expect to use it to learn how your network works.

  • You can't use a SIM to reduce security staffing. Your staffing requirements will definitely increase once you begin to discover suspicious and malicious activity.

  • You can't expect tier one analysts to be sufficient once a SIM is deployed. They still need to escalate to tier two and three analysts.
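The three SIM recommendations and their corollaries, as an added example (my code, not DeStefano's or Dunlap's): a vendor-style "any failed login" rule is kept only as a sample and disabled, while an org-specific rule uses assumed local knowledge (an admin subnet, a list of critical hosts) and tags its alerts with the analyst tier they escalate to. Log lines and network facts are constructed.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sshd-style log lines (documentation address ranges), not real data.
LOGS = """\
Mar 16 08:01:02 web01 sshd[4011]: Failed password for deploy from 10.10.5.21 port 50122 ssh2
Mar 16 08:01:09 web01 sshd[4011]: Accepted password for deploy from 10.10.5.21 port 50122 ssh2
Mar 16 08:02:15 db01 sshd[2201]: Failed password for root from 198.51.100.7 port 41000 ssh2
Mar 16 08:02:17 db01 sshd[2201]: Failed password for root from 198.51.100.7 port 41001 ssh2
Mar 16 08:02:19 db01 sshd[2201]: Failed password for root from 198.51.100.7 port 41002 ssh2
Mar 16 08:05:40 db01 sshd[2209]: Accepted publickey for dba from 10.10.5.22 port 50200 ssh2
""".splitlines()

LINE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)")

# Assumed facts about "our" network: the only subnet admins may log in from and
# the hosts holding sensitive data. A vendor's built-in rule cannot know these.
ADMIN_NET = ip_network("10.10.5.0/24")
CRITICAL_HOSTS = {"db01"}

def parse(lines):
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def builtin_failed_login(events):
    """Vendor-style rule: every failed login is an alert (noisy, no local context)."""
    return [e for e in events if e["result"] == "Failed"]

def local_critical_auth(events, threshold=3):
    """Org-specific rule: logins to critical hosts from outside the admin subnet.
    threshold+ failures from one source escalate to tier two; a success escalates to tier three."""
    alerts, fails = [], {}
    for e in events:
        if e["host"] not in CRITICAL_HOSTS or ip_address(e["ip"]) in ADMIN_NET:
            continue
        key = (e["host"], e["ip"])
        if e["result"] == "Accepted":
            alerts.append({**e, "tier": 3, "reason": "success from outside admin subnet"})
        else:
            fails[key] = fails.get(key, 0) + 1
            if fails[key] == threshold:
                alerts.append({**e, "tier": 2, "reason": f"{threshold} failures from outside admin subnet"})
    return alerts

RULES = {"builtin_failed_login": (builtin_failed_login, False),  # disabled after deployment, kept as a sample
         "local_critical_auth": (local_critical_auth, True)}

def run(lines):
    """Run only the enabled rules over parsed events; output still goes to human review."""
    events = parse(lines)
    return {name: fn(events) for name, (fn, enabled) in RULES.items() if enabled}
```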


I liked John Schlichting's case study. It made me wonder why we bother blocking anything but specific IPs outbound. All we've done by restricting outbound protocols is force everything to be SSL-encrypted HTTPS traffic. Wonderful!

9 comments:

Lance Spitzner said...

Richard, great stuff. One question, why focus on the NIST definitions? My concern here is that with the NIST we are becoming US focused. The rest of the world is migrating to using the ISO 27001 definitions, which I find in many ways simpler to understand. This will only make it hard for the US security folks to communicate with everyone else. :(

lance

Blake Darche said...

"I liked John Schlichting's case study. It made me wonder why we bother blocking anything but specific IPs outbound. All we've done by restricting outbound protocols is force everything to be SSL-encrypted HTTPS traffic. Wonderful!"

How true!

Richard Bejtlich said...

Lance, good comment -- but where can I download ISO 27001? I found definitions at this other site but the lack of general availability makes me less inclined to use them.

Anonymous said...

Richard,

The copy I have of ISO 27001 is licensed to an individual which leads me to believe it's not free to download.

"Middle management who exist to manage techies are losing their jobs. In the end only executives and the techies themselves will be left."

This is a disturbing trend. I consider middle managers to be executives in training. There are too many "executives" without formal education and experience in the business world as it is.

Richard Bejtlich said...

Anonymous,

That's a really good point about middle management!

John said...

ISO 17799 (ISO 27001 and 27002) - http://www.17799central.com/glossary.htm

Rocky DeStefano said...

Richard,

You always add value to these conferences. It was a pleasure having you interact with the rest of the folks during the SIEM Best Practices discussion at the Institute's recent forum.

On my new blog http://blog.decurity.com/ I just added some more context around SIEM Best Practices and will be adding more content over the coming days/weeks as I have time to get my thoughts out.

Rocky

Richard Bejtlich said...

Rocky, glad to see you blogging! I just added your feed to my watch list.

Anonymous said...

Re: 27001

The various standards organizations have little to sell to pay for their activities, so they sell standards.

Yes, I know that there is an argument for them to be open source, but that is not the reality of all of the standards world, or the publishing industry in general.

As with any justifiable library purchase decision, standards are a good investment.

You'll want a bunch of other ISO standards to go with your copy of ISO 27001 as 27001 only has a very short definitions section. As with all standards, at this point in the 27000 family's life, terminology is borrowed from other standards. 27001 lists some of these. Also, there will eventually be a 27000 family standard devoted to vocabulary. I suggest you watch Gary Hinson's http://www.iso27001security.com. He tracks changes in the 27000 family closely. He also maintains a Google Group that you can sign up for.

Right quick, you'll find out that you really want to look at some of the other standards families that surround the 27000 family - e.g., ISO 14000 which is environmental management, ISO 9001 which is quality management...

The ISO 27000 family deals with Information Security Management Systems (ISMS), but draws heavily on other standards and best practices documents in the industry.

Alas, it is expensive to maintain a library of any kind. Consider this 27001 business to be like any other speciality. You need much specialized, and expensive, stuff on the shelf and on disk.

One set of resources that is not commonly discussed are the various Best Practices documents that BSI publishes. On the BSI site, you can find documents like BIP 0071:2005 - Guidelines on Requirements and Preparations for ISMS Certification based on ISO/IEC 27001. Yes, they cost money, though not much. As with other standards, most of the problem is finding them and ordering them. And, yes, some of these documents are only available in hard copy.

Buying the standards directly from ISO works great. You get them as PDFs and there is a strict license attached to each (e.g., limited distribution, no distribution...)

As soon as I get the E-Mail thing figured out, I'll post a presentation on the 27000 family that I did.

Meantime, consider 27001 as the barest entry point to the wonderful world of international standards for infosec.

RayK