Bejtlich on Silver Bullet Podcast
Gary McGraw was kind enough to interview me for his Silver Bullet Podcast. Gary is a real pro; he does his homework. After I described the interview process to my wife, she thought Gary's approach sounded like James Lipton and Inside the Actor's Studio! We talked about a lot of subjects, and Gary tailored his questions to relate to my incident detection and response duties and their relation to software security.
Comments
This is a great interview. Thank you.
There are a few things I would like to add to the discussion.
1. Developers need to take SANS network and system forensics courses. Just educating them about writing secure code is only giving them half an education. I don't believe developers really understand the issues they are facing until they are wearing the shoes of their adversaries. Developers will see things from a completely different perspective once they understand exactly how systems are hacked and the difficulties in detecting malicious activity throughout the various OSI layers.
2. Network security monitoring instrumentation continues to be anemic. The tools required to catch hackers that know how to avoid tripping network-based intrusion detection systems don't really exist. It's one thing to be able to baseline normal activity and identify glaring, obvious abnormal activity, but what happens when a hacker is using a communications channel that looks normal? The Zimbabwe example cited in the interview is a perfect example of something that is obvious to many of us, but what happens when the activity is coming from one's own country and looks legit? I cringe when people talk about using protocol analyzers to try and catch hackers, because as the size of a network increases, that task becomes increasingly impossible.
3. One very important and difficult security problem set that developers need to address is how to detect anomalous activity resulting from the use of stolen credentials. Both the Zeus v3 banking Trojan and the World of Warcraft authenticator Trojan are examples of how hackers are stepping up their game to the next level. Many developers are unprepared to deal with this level of sophistication. Things are just going to get worse. Developers should start to consider baselining normal user activity and doing retrospective analysis on compromised accounts to determine what can be perceived as abnormal activity. I know - not easy to do, but it's something to look at.
4. The security mindset and perspectives of developers, system admins, network admins and dedicated security personnel are very different. Even within the security profession itself, the individual disciplines have their own mindsets and perspectives. While everyone expects all of these groups to work together to make things secure, it's much easier said than done. While this may sound like a crazy idea to some, people really need to "walk a mile" in other people's shoes, no matter how difficult it is for them, to truly understand the issues and challenges that other groups are facing. This is especially true of non-developers that hate doing software development. Until we can all see the world through each other's eyes, security will continue to be elusive.
Cheers
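The commenter's third point, baselining normal user activity so that logins made with stolen credentials stand out, can be illustrated with a small per-user profile. The following is an added example written for this page, not code from the blog or the commenter; the login history, the stream of new events, the device fingerprint strings and the thresholds (one hour of tolerance around observed login hours, a two-hour window for a change of country) are all constructed assumptions. It builds a profile of countries, devices and login hours per user from past logins, then scores each new login with the reasons it deviates from that profile, including a change of country too fast to be plausible travel.

```python
"""Baseline normal login behaviour per user, then flag deviations that may
indicate use of stolen credentials. Added example with constructed data."""
from datetime import datetime, timedelta

# Constructed login history: (user, ISO-8601 timestamp, country, device fingerprint)
HISTORY = [
    ("alice", "2010-03-01T09:05:00", "US", "fp-win-ff"),
    ("alice", "2010-03-02T13:10:00", "US", "fp-win-ff"),
    ("alice", "2010-03-03T17:45:00", "US", "fp-win-ff"),
    ("alice", "2010-03-04T09:30:00", "US", "fp-win-ff"),
    ("bob",   "2010-03-01T08:00:00", "DE", "fp-mac-safari"),
    ("bob",   "2010-03-02T11:20:00", "DE", "fp-mac-safari"),
    ("bob",   "2010-03-03T14:00:00", "DE", "fp-mac-safari"),
]

# Constructed stream of new logins to score against the baseline
NEW_EVENTS = [
    ("alice",   "2010-03-08T03:15:00", "US", "fp-win-ff"),        # odd hour
    ("alice",   "2010-03-08T10:00:00", "US", "fp-win-ff"),        # normal
    ("alice",   "2010-03-08T10:40:00", "RO", "fp-linux-chrome"),  # new country/device, fast travel
    ("bob",     "2010-03-08T11:00:00", "DE", "fp-mac-safari"),    # normal
    ("mallory", "2010-03-08T12:00:00", "US", "fp-win-ff"),        # never seen before
]

HOUR_TOLERANCE = 1                  # assumed: +/- 1 hour around observed login hours
TRAVEL_WINDOW = timedelta(hours=2)  # assumed: country change faster than this is suspicious


def build_baseline(events):
    """Aggregate past logins into a per-user profile of countries, devices and hours."""
    baseline = {}
    for user, ts, country, device in events:
        profile = baseline.setdefault(
            user, {"countries": set(), "devices": set(), "hours": set(), "logins": 0})
        profile["countries"].add(country)
        profile["devices"].add(device)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["logins"] += 1
    return baseline


def hour_is_typical(profile, hour):
    """True if the hour is within HOUR_TOLERANCE of any hour the user logged in before."""
    return any(abs(hour - h) <= HOUR_TOLERANCE for h in profile["hours"])


def score_event(baseline, last_seen, event):
    """Return the list of reasons this login deviates from the user's baseline.

    last_seen is mutable state: the most recent (time, country) per user,
    used to detect a change of country that is too fast to be real travel.
    """
    user, ts, country, device = event
    t = datetime.fromisoformat(ts)
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        reasons.append("no baseline for user")
    else:
        if country not in profile["countries"]:
            reasons.append(f"new country {country}")
        if device not in profile["devices"]:
            reasons.append(f"new device {device}")
        if not hour_is_typical(profile, t.hour):
            reasons.append(f"unusual hour {t.hour:02d}")
    prev = last_seen.get(user)
    if prev is not None:
        prev_t, prev_country = prev
        if prev_country != country and t - prev_t < TRAVEL_WINDOW:
            reasons.append(f"country changed {prev_country}->{country} within {t - prev_t}")
    last_seen[user] = (t, country)
    return reasons


def score_stream(baseline, events):
    """Score events in order, returning (event, reasons) pairs; empty reasons = normal."""
    last_seen = {}
    return [(event, score_event(baseline, last_seen, event)) for event in events]


if __name__ == "__main__":
    for event, reasons in score_stream(build_baseline(HISTORY), NEW_EVENTS):
        verdict = "ALERT " + "; ".join(reasons) if reasons else "ok"
        print(f"{event[0]:8s} {event[1]} {event[2]} {event[3]:16s} {verdict}")
```

Each flagged reason is a separate, explainable signal rather than a single opaque score, which is what an analyst doing the retrospective review the commenter describes needs: a new device alone may be a legitimate laptop replacement, but a new device from a new country forty minutes after a login from the usual one is the pattern worth escalating. Real deployments would replace the hour set with a histogram built over weeks of data and feed the country-change check with geolocation rather than a fixed window.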