Filtering by Category: intelligence

Is Big Data Analytics for Security really just SIEM 2.0?

A lot of companies are now touting big data analytics that will find badness that your other security tools do not find. Almost every pitch I see has something very much like the SIEM Funnel from 2005. The assertion tends to be that these solutions would have bubbled those two or three compromised Target servers up to the top. It will be interesting to see what this segment of the security market looks like in two years. Those of us that bought into the SIEM market found out that a SIEM is very needy in terms of man-hours. There are several reasons for this:

  • Getting all the data feeds going (no small feat in most companies)
  • Building network and asset models
  • Creating rules, dashboards, reports, etc.
  • Tuning out false positives
  • Troubleshooting the inherent performance problems of processing hundreds of millions of events per day

In short, you spend a lot of time up front getting the system going and ongoing effort to keep it running.

These new products want all your SIEM data plus many other sources like DNS queries and netflow. Think about that volume of data for a second.

Here are the typical promises for today's big data security platforms:

  • No rules to create
  • Zero (or very few) false positives
  • Scalability - these systems will not be over-run with data
  • Little to no analyst time required to find badness
  • Full kill chain visibility for compromises

I suspect the majority of these systems will fall short of the promises laid out above. However, I do believe we will have some great tools a couple of years from now that will make us wonder if we really do need that SIEM. Oh, and by the way, this is not a "SIEM is dead" post by any means. There will almost always be a place for SIEM in SOC environments.

How did Target get hacked?

Protection of windows means different things in different environments! If you follow the news, you know that Target got hacked to the tune of at least 110 million credit card numbers (and some PINs) lost. But, how did it happen? Hardly anyone is asking or answering that question. You can find plenty of articles that tell you what happened once the attackers got in: memory scraping on the POS devices and servers, a Russian teenager, famous coders, etc.

My question is different. How did they get in initially? I think as an industry we focus too much effort on what happened after the attackers got in. Do not misunderstand me. We absolutely need to scope the breach and determine what happened, what was stolen, what was changed, and such.

We need to spend more time, money, and technology on understanding exactly how the compromises are being made. I was just talking with another security professional recently who was telling me which versions of Java current variants of Zeus were exploiting. Guess what? Zeus doesn't exploit anything. It does not take computers over. Zeus is just a piece of software that can get installed by anyone with administrative access to the computer. It is what some people call "Stage 2" malware. In the Cyber Kill Chain, this would be the Install phase.

There is a whole world of what we call "Stage 1" malware. Some of these software packages are also called "exploit kits", as the business has gotten pretty commercial. Ones that come to mind are Blackhole, Cool, Phoenix, and others. There are custom exploit tools as well. In the Cyber Kill Chain, I'm talking about the Exploit phase.

The problem with what I'm asking is that it is not easy to find out how computers got exploited. There are very few tools on the market that help give you visibility into Stage 1 malware. FireEye and Mandiant (now one company) create tools to help. Most of your anti-virus vendors really focus on Stage 2 malware. In other words, they are looking for the malware that makes the news, like Zeus and others.

Typically, Stage 1 malware (the real exploit) is deleted from the box after its job is done and the Stage 2 malware (Zeus, BlackPOS, etc.) is installed. That's why it is hard to determine how the computer got "infected".

If we take the money we would spend on that latest silver bullet security product and double down on visibility and process, we can really cut down on large intrusions like the ones at Target and now Neiman Marcus.

Here is a list of action items off the top of my head.  I'd like to drill into these in later posts.

  • Build visibility into networks and computers
  • Design an ecosystem to capture that visibility
  • Make it easy to search and narrow down events by time
  • Have your users send you anything they feel is suspicious
  • Determine exactly what got exploited in each case, both by analyzing the events and from user input
    • You need people to do this:  Analysts
    • This is where you get some of your best threat intelligence, by the way
  • Measure and track the exploits seen on your network
  • Research what vulnerable pieces of software are hit most often on your network
  • Uninstall that vulnerable software OR put a lot of rigor around patching those vulnerable applications
  • Feed current threat intelligence (not lists of 90000 bad IP addresses) into your detection platform
  • Measure time to detect and remediate exploits and work hard to lower that time.
  • Look for data leaving your company.   Show that to management.  Often.
  • Demonstrate the tie between the trend of exploits and data leaving the building.
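Three of the action items above (track the exploits seen, find the most-hit vulnerable software, measure time to detect and remediate) are the kind of thing an analyst can start computing from a simple incident log. The following is an added example, not code from the post; the incident records are constructed, and the field names are assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample incident log (not real data): one row per exploit seen on
# the network, with the application that was hit and the three timestamps the
# action items ask for. "remediated" is None while the host is still open.
INCIDENTS = [
    {"host": "ws-101", "app": "Java", "exploited": "2014-01-06T09:12",
     "detected": "2014-01-06T11:42", "remediated": "2014-01-06T15:12"},
    {"host": "ws-117", "app": "Java", "exploited": "2014-01-07T14:00",
     "detected": "2014-01-08T08:30", "remediated": "2014-01-08T10:30"},
    {"host": "ws-122", "app": "Adobe Reader", "exploited": "2014-01-08T10:00",
     "detected": "2014-01-08T10:30", "remediated": "2014-01-08T12:00"},
    {"host": "ws-130", "app": "Java", "exploited": "2014-01-09T16:00",
     "detected": "2014-01-10T09:00", "remediated": "2014-01-10T13:00"},
    {"host": "ws-140", "app": "Flash", "exploited": "2014-01-10T08:00",
     "detected": "2014-01-10T12:00", "remediated": "2014-01-10T14:00"},
    {"host": "ws-150", "app": "Java", "exploited": "2014-01-11T09:00",
     "detected": "2014-01-11T09:30", "remediated": None},
]

def _hours(start, end):
    """Elapsed hours between two ISO-style timestamps (minute resolution)."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600

def most_hit_apps(incidents):
    """Which vulnerable applications are exploited most often, most frequent first."""
    return Counter(i["app"] for i in incidents).most_common()

def median_time_to_detect(incidents):
    """Median hours from exploit to detection; every incident has a detection time."""
    return median(_hours(i["exploited"], i["detected"]) for i in incidents)

def median_time_to_remediate(incidents):
    """Median hours from detection to remediation, over closed incidents only."""
    closed = [i for i in incidents if i["remediated"] is not None]
    return median(_hours(i["detected"], i["remediated"]) for i in closed)

def open_incidents(incidents):
    """Hosts that have been detected as exploited but not yet cleaned up."""
    return [i["host"] for i in incidents if i["remediated"] is None]

if __name__ == "__main__":
    print("most-hit apps:", most_hit_apps(INCIDENTS))
    print("median time to detect (h):", median_time_to_detect(INCIDENTS))
    print("median time to remediate (h):", median_time_to_remediate(INCIDENTS))
    print("still open:", open_incidents(INCIDENTS))
```

Run weekly over the real log, the same four numbers give the trend line the last two action items want to put in front of management.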

There are companies and vendors that get this and are working hard to solve the problem as stated above. Other companies just want to sell you "signature update" subscriptions on an annual basis and are not really interested in solving the problem wholesale. The companies most interested in selling subscriptions are short-sighted, because there will always be a better mouse no matter how good we build the mouse traps!

Just remember: Stage 1 malware (aka the exploit) and kick-butt Incident Response is where the money is. If you cannot get access to the computer, you cannot install your cool botnet or memory scraping software. When the bad guys are successful, they will not have time to stage these large hacks (à la Target, TJX, Sony, etc.) if the Incident Response team kicks them out quickly.

Until next time...


Wyman's Security Bites - Your daily security newsletter

Please check out my online security newsletter. There is a link to it in the top menu of the blog as well. Just click on News at the top. These are news articles that are part of my constant stream of open source intelligence about IT security and management issues. Mostly security. There are two editions of the newsletter daily: morning and evening. The morning edition comes at 0000 GMT and the evening edition comes at 1200 GMT. To save you the time zone math, that is 0800 and 2000 US East Coast time.

I firmly believe a security professional needs to have daily input as to what is going on in the world.  This may have come from my military background.  Sure, we had closed sources of information, but pretty much everywhere I went there was CNN or something similar playing in the background.  The reason is simple:  Closed sources of information will eventually lead to a closed mind about what is happening as well as what is possible.  The world evolves very quickly if you're not paying attention!

So, subscribe to my online newsletter today, or at least get your own stream of external information to keep you informed on security events around the world.

What is a Cyber Intelligence Program?

There has been a lot of talk lately about putting intelligence into your security program. You hear different terms: Security Intelligence, Cyber Intelligence, Threat Intelligence, etc. Most (not all) of the products and services I see revolve around either a SIEM or some sort of blacklist. These all really do one thing: give you more information. It is up to you to interpret that information and use it to help your company make better decisions.

The goal of any intelligence program should be to inform decision makers of the organization in hopes that they make better decisions.  Rarely can your CIO or CISO look at raw information and glean enough to make much difference in the way they think.  This is why your intelligence program needs to provide more than just information.

Objectives of an Effective Intelligence program:

  • Information - provide useful information to the people who need it
  • Insight - what does the information mean?
  • Warning - what is going to bite you?

This Information, Insight, and Warning must be tailored, timely, targeted, and relevant or it does not matter.  People will make the decisions they have to make with or without your judgements.

When you do your analytical job well you're at that nexus of "The World as it is" (fact-based view) and "The World as we would like it to be" (vision-based view).   This is where policy is created.  That creates tension, but you have to put yourself in that place.

If you are not in that place, you are less relevant or valuable to decision makers.  When you are in that place you're under some pressure.  You want to make sure you are objective, but you can't be so pure in your abstract reasoning that your analysis is not useful.  They may understand the beauty of your argument, but they ultimately still have a business to run and decisions to make.

Most decision makers got to their position because they understand their portfolio and are also pretty good analysts. So, for them to listen, you have to add some value. The value could be confirming what they already know or challenging a view they got from somewhere else.

When your program is at its best, you get no credit. The desired end-state is educating decision makers to the point that they have internalized what you gave them and have better judgement because of it.


Intelligence Analysis and Dissemination by Dr Thomas Fingar

Q&A with Michael Hayden on CSPAN