In a bit of fun and interesting timing, it turns out I’ll be going to FloCon in New Orleans this January.

I’ve spent the past 2-3 years doing business risk and security architecture, national sector-level strategy, policy, etc., but now find myself getting into the technical details of building a CERT (ICS-CERT, specifically), so it’s suddenly time to get more up to speed on flows and how people are using them these days (especially since I’d previously spent most of my time with firewall and IDS data and not NetFlow / SiLK stuff).

My work on and release of pkviz this past weekend has helped a bit to get me re-focused on data analysis and playing with correlation tools and methodologies, but I’m still finding it odd going back to my earlier technology-centric security role – which I’d thought I’d given up. My head space has to be completely different than it was, and I have to work around what some have called my fatalistic belief that technical security measures and analysis are doomed to fail in the face of our complete lack of interest in doing business risk architectures.

What scares me a little, though, is that when I’ve been talking to people and doing research lately, it seems the state of the art of IDS, flows, SEMs, SIEMs, network data analysis, etc. hasn’t changed all that much in the past few years. More vendors have sold more products, but they still do the same (questionable) things, it seems. What gives? Am I off base?

Still, I’m pretty excited to get back into this type of thing and about the con. Who’s going to be there?

Whew. I can relax.

For the past 2-3 months, I’ve been working on my first real Objective-C project (my iPhone app is still going, it just took a back seat to this): an application that will read tcpdump output and animate the packets over time using their inherent byte / packet structure.

And now…it’s up and in beta-ish quality. (Meaning it works, though some error checking and minor features aren’t quite where I want them.)

You can download it here for free: http://sintixerr.wordpress.com/pkviz-packet-visualizer-and-animator/

See it in motion here:

This project was important to me and has been a long time coming. I’ve wanted to write a packet visualizer since I first started working with data viz 5 or so years ago at NetSec and was using Advizor. That tool cost thousands of dollars per seat, didn’t really animate (at least the way I needed), and only parsed CSV or databases. The free tools, like GnuPlot, just weren’t up to the task at all.

I also wanted something that could plot out data in interesting, pretty ways for some art projects I have in mind.

So, I originally started this time around on a quest to write a short Python parser for tcpdump ASCII hex output to put into <some generic viz tool> just to get started…but somehow I ended up writing a full-fledged visualizer (my first GUI project ever, I might add!). The learning process was a blast – I feel like I’m a much better coder for it – and I’ll be able to extend/expand on this to use for other art and security projects that are on my plate or are coming up.
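For readers who want to see what the "short parser for tcpdump ASCII hex output" step actually involves, here is an added example (not pkviz code and not from the original post): a small Python parser for `tcpdump -x` output that turns each packet's hex lines back into bytes, pulls a couple of fields out of the IPv4 header, flags captures that were truncated by a short snaplen, and produces the per-packet byte histogram a visualizer would plot. The two-packet capture embedded below is constructed for the example (checksums are not valid and are not checked), and the offset check exists because a hex line whose `0x....:` offset does not match the bytes collected so far means the dump is damaged rather than merely unusual.

```python
"""Parse `tcpdump -x` ASCII hex output into packets for byte-level visualization."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Packet header line: a timestamp followed by tcpdump's one-line summary.
HEADER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
# Hex line as printed by -x (no ASCII column): "\t0x0010:  c0a8 00c7 8f2b 0050 ..."
# Pairs rather than 4-char groups so an odd-length packet's trailing byte parses.
HEX_RE = re.compile(r"^\s+0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{2}\s*)+)$")


@dataclass
class Packet:
    timestamp: str
    summary: str
    data: bytearray = field(default_factory=bytearray)


def parse_tcpdump_hex(text: str) -> List[Packet]:
    """Group hex lines under their header line and decode them into bytes."""
    packets: List[Packet] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Packet(timestamp=m.group(1), summary=m.group(2).strip())
            packets.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            offset = int(m.group(1), 16)
            # tcpdump prints 16 bytes per line at increasing offsets; anything
            # else means the dump is corrupted or interleaved, so refuse it.
            if offset != len(current.data):
                raise ValueError(
                    f"offset 0x{offset:04x} but {len(current.data)} bytes already read"
                )
            current.data.extend(bytes.fromhex("".join(m.group(2).split())))
    return packets


def ipv4_total_length(pkt: Packet) -> int:
    """Total Length field (bytes 2-3); -x output starts at the IP header."""
    return (pkt.data[2] << 8) | pkt.data[3]


def ipv4_protocol(pkt: Packet) -> int:
    """Protocol field (byte 9): 6 = TCP, 17 = UDP."""
    return pkt.data[9]


def is_truncated(pkt: Packet) -> bool:
    """True when the capture holds fewer bytes than the IP header claims (short snaplen)."""
    return len(pkt.data) < ipv4_total_length(pkt)


def byte_histogram(pkt: Packet) -> Counter:
    """Frequency of each byte value; the raw material for a per-packet plot."""
    return Counter(pkt.data)


# Constructed sample: one TCP SYN (60 bytes) and one UDP datagram (33 bytes, odd length).
SAMPLE_DUMP = "\n".join([
    "12:00:00.000001 IP 192.168.0.1.36651 > 192.168.0.199.80: Flags [S], seq 1, length 0",
    "\t0x0000:  4500 003c 1c46 4000 4006 b1e6 c0a8 0001",
    "\t0x0010:  c0a8 00c7 8f2b 0050 0000 0001 0000 0000",
    "\t0x0020:  a002 7210 0000 0000 0204 05b4 0402 080a",
    "\t0x0030:  0000 0000 0000 0000 0103 0307",
    "12:00:00.000002 IP 192.168.0.1.50000 > 192.168.0.200.53: UDP, length 5",
    "\t0x0000:  4500 0021 0001 0000 4011 7cc9 c0a8 0001",
    "\t0x0010:  c0a8 00c8 c350 0035 000d 0000 6865 6c6c",
    "\t0x0020:  6f",
])

if __name__ == "__main__":
    for pkt in parse_tcpdump_hex(SAMPLE_DUMP):
        print(pkt.timestamp, pkt.summary)
        print("  bytes:", len(pkt.data), "proto:", ipv4_protocol(pkt),
              "truncated:", is_truncated(pkt))
        print("  top byte values:", byte_histogram(pkt).most_common(3))
```

Feeding it a real capture is just `tcpdump -n -x -r file.pcap > dump.txt` and `parse_tcpdump_hex(open("dump.txt").read())`; the `-X` form (hex plus ASCII column) is deliberately not accepted, because the ASCII column can contain characters that look like hex and would corrupt the byte stream.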

I’m pretty excited about it. To see this finished through after years of whining to myself about it, procrastinating, and genuinely not having enough time is pretty awesome. I’ve even already created a couple of cool shots that I’m happy to call “art” (granted, there is some Photoshop processing here, but they’re both true to their originals!):

Anyway, Mac Users, check out the tool and let me know what you think!

So I was sitting in a critical infrastructure cyber security talk earlier this week and had a small revelation. The talk itself wasn’t all that interesting – it was another attempt to collect and identify consensus best practices for critical infrastructure security from a governance point of view – but it still led me down a path that surprised me.

The authors of the paper being presented had done interviews and other research and derived a number of principles required for critical infrastructure cyber security governance based on what they commonly heard over and over. At the talk, we had break-out sessions where they were pinging us for our thoughts on their findings. During the session, I realized that I’d heard it all before (obviously, right? It’s a consensus paper) and was wondering why we couldn’t get past the stale “wisdom” repeated ad nauseam without effect…when it hit me: the use of their paper might be directly opposite of what they think it is, but it’s still useful!

The thought process is as follows:

  1. Assumption: We all “agree” that cybersecurity for critical infrastructure is insufficient and we’re missing something.
  2. Assumption: The paper represented the community opinion, to date, on what needs to happen for good cyber security.
  3. People are trying to improve security, but despite sporadic improvements, we haven’t made nearly as much progress as we think we should. Something is missing.

Conclusion: Whatever it is we need to do…isn’t in that paper. If we collect a series of best practices and community consensus on a topic where we generally consider ourselves to have failed, that consensus should be used – instead of as a driver of activity – as a hint at what won’t, by itself, get us where we need to be. The lists should be considered things to exclude as solutions to our unidentified sticking points, not the solutions themselves.

You can find it here: http://www.owasp.org/download/jmanico/owasp_podcast_42.mp3

The topic was “FISMA” in the context of OWASP and, while I don’t really do web app security, I’m still a “managed assurance” guy for risk, and I think that fit in well with everyone else’s perspective. That said, I hate listening to myself talk, so tell me what you think of how it came out – I haven’t listened to it yet!

Also, it’s “National Cyber Security Awareness” month. What does that mean? Are we making everyone aware that we’re all 0wnz0red? I like the idea – and socializing security was one of the recommendations that came out of the Estonia DDoS mess – but I have concerns about how the good intentions here are going to pave a specific road to a specific place. The concern has to do with security productization.

You see, I have a suspicion that we’re not going to educate people about the nature of security. Or, really, that we’re not going to get across how “security” is really this thing that everyone does all the time, and that we should stop treating it like this extra set of things we need to do in addition to actual requirements.

Instead, I think it’s going to come out as (from DHS’s website):

  • Make sure that you have anti-virus software and firewalls installed, properly configured, and up-to-date. New threats are discovered every day, and keeping your software updated is one of the easier ways to protect yourself from an attack. Set your computer to automatically update for you.
  • Update your operating system and critical program software. Software updates offer the latest protection against malicious activities. Turn on automatic updating if that feature is available.
  • Back up key files. If you have important files stored on your computer, copy them onto a removable disc and store it in a safe place.

This is all admirable stuff, but it’s dogmatic. Dogma in security leads to blind trust in marketing and products. Blind trust in marketing and products will never lead to secure systems or computers.

Yes, it’ll get us baby steps forward, but then we’ll be left with ye olde “I did what you asked me, isn’t that enough?” faith-based security and we’ll be in a pickle when we realize that, architecturally, we have some serious work to do to get where we want to be and no one is interested in doing more.

I just wanted to make sure everyone remembers to register for this great conference in DC this year. From their website:

Press Release August 20th 2009 — Speaker Agenda Released and Registration Open!

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec DC 2009 will be held at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th 2009.

Who Should Attend AppSec DC 2009:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security

Al McDougall from Evolutionary Security Management made the following point in response to my last post, and I thought it was useful to repeat it here:

“End result, the system view is lost because everybody works within their part of the behemoth but forgets about the mission.”

He’s right, of course. Furthermore: “mission oriented” sounds “fuzzy” and people tend to blow it off, but it is not – it’s quite important. In western culture, we seem to need to rush to go solve problems without really ever trying to understand the nature of what we’re solving. This leads to all sorts of mayhem and things going wrong. We look back and can’t figure out why our solutions aren’t working or why they’re causing all these weird other problems.

What we need to do, instead, is spend our time grokking the problems we’re wrestling with until we understand their deeper natures. If we learn to ask sufficiently detailed questions, correct, elegant answers will present themselves. This, in many respects, is the essence of SABSA and Enterprise Architecture (although, especially in the case of the latter, an essence that is often missed).

In the case of cyber security, we absolutely blow past figuring out and AGREEING ON the nature of the problem and rush straight to the “solving” phase with perfectly predictable results.

My compatriots at TSA are asking me to, before I depart for INL, transition my approach to the role of the SSA in the NIPP framework, but it really isn’t detailed or special. Fundamentally it is this: figure out ahead of time what you’re asking and why. What is the mission being supported by cyber systems? What do you need to know to make sure those cyber systems continue to enable that mission? Start from the mission and work down. You’ll get there.

Hmm. Start somewhere and finish? That sounds like “Alice in Wonderland” – “begin at the beginning and, when you get to the end, stop” – but it also sounds like a “process”. A “process” is what the NIPP lacks, yes? More to come…

Contact Me

sintixerr@gmail.com
