Friday, March 20, 2009

Risk CIO round table

I participated in a CIO risk round table last year, I see the article is now online. Hat tip to Maverick for hosting yet another fun event.

Monday, March 16, 2009

Where's the Intelligence?

One of the most crucial and overlooked areas in information security is intelligence gathering. Let’s face it the guys who do this well are physical security practitioners. They know if they get this wrong someone could end up dead.

Intelligence informs us to make better risk management decisions. It buys us time and gives us an opportunity to react. Without it we end up making bad and potentially harmful decisions not to mention mistakes.

We've gotten better at identifying our assets and modeling threats, however we've made little head way in dealing with threat agents and the threats that they pose. They become vague and generalized assumptions.

In some sense rather than dealing with them, we've tried to outsource the problem with technology i.e. IDS, IPS, DLP, SIEM, etc. At best we now known when something bad happened but only if we were looking and if we knew what to look for. Problem is we can’t see much anyway because we’ve been encrypting anything that moves, oops! At least we'll be getting fewer alerts to action and the management reports are all green now.
But can we collect intelligence about threat agents and threats within the organization? Yes and we’ve been doing a good job in the application space for ages with behavioral systems i.e. fraud detection. But what about the rest of the stack? This has proven to be very problematic as anyone who’s ever tried to build an all encompassing log management system will tell you.

Indexing log events across the stack is a promising new paradigm. Although not a security vendor, Splunk have developed a technology that does just that. If you could index your landscape you could now ask it very interesting questions for example “show me all the users who accessed the network but didn’t log on via RAS or the access network”. We're literally sitting on volumes of useful intelligence that end up on tape.

We've been having a lot of fun with Splunk recently, we've developed a connector for SAP NetWeaver. It's going to be interesting to see how this new paradigm is exploited by security vendors and pracitioners.

Drop me an email at if you are interested in playing with the SAP NetWeaver application.

Friday, March 13, 2009

You don't win a war by defending yourself

Chris Hoff recently made this observations in a post about offensive computing and he's right. This is akin to carrying a gun in the real world to defend yourself, however this doesn't translate well into the wild west we call the internet. Fighting back can have significant unintended not to mention legal consequences.

The Metasploit site recently became the victim of a petty DDOS attack. Now the last person you want to DDOS is HD Moore and co. An amusing side effect though was that the victim could redirect the attack and basically flood anyone they wanted to by changing their own DNS entries. In theory they could have redirected the attack at individual attackers in the botnet systematically knocking them off the net, but they wouldn't know who was on the receiving end. Fighting back would be risky.

You may also find yourself on the wrong side conscripted into a fight you never knew or cared about. With aging and overloaded plumbing (dns, bgp, etc) it's hard enough to play fair. Guess it's time to layout the tar pits.