You are currently browsing the tag archive for the ‘ORM’ tag.

Earlier this week, I started back up at TSA supporting their private sector critical infrastructure responsibilities under HSPD-7 and the NIPP.  Being new (well, new again), I just had to get on some of my recurring soap boxes.  One of them was our doomed-to-failure to security approaches.  (Nice to start off on an optimistic foot yeh?)  Pretty soon, the conversation narrowed down to the role of CERTs and incident response. In the middle of trying to explain how sending a bunch of guys in trenches to combat an enemy who could nuke from thousands of miles away was a waste of time, I had a revelation: The “bad guys”, with complete cooperation with the “good guys”, are creating a denial of service condition across the country and planet: a Responder Denial of Service – or, an “RDOS”.

What exactly is an RDoS? It works a lot like a syn-flood, which spins up a whole lot of blank connection attempts to a server. The server must receive these connections, wait for awhile to see if valid data arrives, then close them. The thing is, because the sender knows the connections are blank (and using things like botnets and such), it can generate a lot more connection attempts than the server can handle. Eventually, the server gets so busy that it fails to respond to real connections.

Now, think of how we handle “security”.  We religiously and studiously avoid building hardened, defensible systems from the ground up and rely on fixes, patches, and incident responders to cope with the eventual problems later (hoping all the while – in vain – that the attacks never come).

What we end up with, by and large, are systems that are so poorly constructed that it takes a large amount of effort to detect, confirm, respond to, and recover from attacks.  Further, while attackers can fairly easily attack multiple systems simultaneously, we require dedicated defenders/responses for much smaller groups of systems (or even individual systems).  This leaves us with an “RDoS”. Our security philosophies leave so much open that we can never, ever sufficiently resource our defenses at an adequate level. Everyone is occupied. Just ask your incident response vendors, teams, and CERT’s (over beers, of course), about their available resources vs the demand for their services, vs the large iceberg of incidents under the water that aren’t even talked about yet.

As I’ve said before: Good guys – you, we, have failed and will continue to fail if we keep going down this same road.  We can’t win until we change strategies completely. We need to embrace our failure and build systems which are defensible from the inside, which are measurably effective against operational/business objectives,  and which assume, from the get go, that sections and components have, are, and will continue  to be compromised. This hacking perimeters on, giving lip service to change control, and our complete inability to integrate cyber into our ORM and our ORM into our business decision making is a waste of time and resources. We’d be better off spending the money and time elsewhere if we’re going to keep doing security as badly as we do it now.

If anyone disagrees with this post, I’d LOVE to hear a rational argument as to why. (Really!)

(UPDATE: 08/06/10)

I really think some of Bruce Potter’s remarks at Shmoocon in 2009 are pertinent here:

People are getting owned a lot.
Trends

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements
  • In spite of the above, we haven’t changed our methods. Its a lot of the same
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?

NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?

(Needs Editing, but Im a bit stuck…so reviews and comments welcome.)

Years ago – in Mad Magazine – I saw an illustration of Alfred E. Newman sitting in a tire swing. At first glance everything seemed normal, but after a second if reflection I noticed that it was Alfred himself holding up the tire swing while sitting in it – a situation which obviously does not (heh) fly.

This is the image that came to mind when, after my last post on Data Visualization’s Lessons for Enterprise Security, I was asked questions like:

  • What does Operational Risk Management have to do with IDS monitoring directly?
  • What about better and more transparent auditing? Wouldn’t that help?
  • I don’t see how SABSA really applies to MSSP’s or IDS monitoring

My short answer is that no matter how you make your security tire swing or what you do while you’re sitting in it, as a security practice you have to be bolted to something independent that holds it all up. That’s “The Business” in case it’s not clear.

I’d like to address the IDS example, in particular, because I think it is very illustrative of the connection between detailed technical and high level business realities.  Please keep in mind that this is only a snapshot of the direct implications to a very small section of a much larger, very holistic process.  There are many secondary dependencies and repercussions which I do not address here (like tactical technical responses, incorporating lessons learned, strategic business decision making, etc.)

So, first of all, at a process level, IDS monitoring is pretty simple:

Get data -> Evaluate nature of data -> Evaluate implications of activity represented by data ->Respond to and/or continue getting data

No matter what environment you’re in, if you’re looking at IDS data (or doing any other monitoring, really), you do these four things. If you look a little closer, though, you begin to see that they are (or should be) repeated iteratively. This is because there are really multiple levels – or layers – at which security data can be evaluated (which, incidentally, looks a lot like any other protocol stack). Let’s say, conceptually, that there are five of them:

  1. Universal Technical Standards: This layer would consist of measuring activity against RFC’s, Protocol Standards, etc. Things that -should- work the same everywhere.
  2. Environmental Configuration: Here, traffic is evaluated against local configurations that might change from network to network. This includes the configuration of OS’s, Web Servers, Infrastructure Devices, etc.
  3. Data and Information Control: What happens to data riding on your network and IT obviously falls in the area of concern for IDS analysis.
  4. Timing and Behavioral Thresholds: Are things happening more frequently than normal? Less frequently? Uptime? User logins? Memory Usage? etc.
  5. Business Rules: Is the IT actually doing something that directly affects the business? Are manufacturing robots shutting down? Are internal company secrets being sent to competitors? Are you spamming the military?

So what is the intersection between these layers and enterprise business architecture or operational risk management? It looks, initially, like the only direct overlap is in layer 5, right? Not true.

First, each of these layers requires some level of the business context provided by business security architectures to even be effectively evaluated.

For example:

  • To evaluate security data against potential technical standards, analysts need to know what technologies are in place and deployed and in what manner. Exceptions and outliers are especially important.
  • From an environmental perspective, analysts would be well served by knowing the security policies that the configuarations and environment are supporting. E.g., what actions the configurations trying to prevent  or support (in terms of the other 5 layers)
  • The need to know what data belongs to what data policies and what those policies say is also fundamental.  Data policies are tied to conceptual business architecture, which is tied to contextual business assets and requirements.
  • System behavior is evaluated in part by knowing things like business schedules and processes. Is payroll being run every 4th Thursday? Are people going to be logging in from all over the world, or just certain locations? Should lab systems pull data from production systems?
  • Knowing what business functions are important to keep running, to what thresholds, and how IT systems support those is crucial when trying to understand the big picture and put “events” in terms of “incidents”.  Additional, it should be kept in mind that things like “reputation” and “customer satisfaction” are also considered business assets to protect.  Organizations have a need to protect those as well.

Secondly, and maybe more importantly, if you actually look at the process flow (below) you find that the analysis process always rolls up to an evaluation at layer 5 (the business rules) of the analysis stack.

From a process flow perspective, there are absolutely no analysis scenarios that do not terminate before completing a layer 5 business analysis (At the bottom of image).


(Click Image for Full Size View)

idsentseccolorlines

How does this work?

Analysis begins at one of these five layers – which one is first doesn’t really matter (they are often, in fact, done in parallel). Data is received and is evaluated against the criteria at the layer in question. If there are no exceptions, the same raw data is evaluated against the next layer in the chain. If an exception is found at any one of these layers, the impacts of that exception are then evaluated at all layers. So, for instance, if an analyst notices that there are “funny packets” that aren’t normal TCP/IP traffic while evaluating against “Technical Standards”, he or she then looks to see what the potential technical, environmental, data, behavioral, and business implications are of that traffic. For each of those, the analyst follows the process as if he’d just received new raw data.

This continues to happen until the original data has been run up the entire stack and a final business impact has been determined. Sometimes the path there is short because the answers are known or obvious, or complete data is unavailable to make a determination, or the entire process is followed at a very detailed level. Regardless, the logical process holds true in all cases and there is either a potential business impact or there isn’t.

Read that again: There is either a potential business impact or there isn’t. Without context, IDS monitoring can never be a security function.

The value of IDS monitoring never gets realized if exception events are not tied to business operating requirements and risk appetite (which only business stakeholders can determine). If that linkage is not formally made or that appetite not assessed, IDS monitoring fails. None of the five analysis layers are inherently worth evaluating if a business context for them does not exist and most can’t even be evaluated at all without that context.

What provides this context? Business Security Architecture and Risk Management.

What’s interesting, though, is that these things don’t work when isolated to security, as the original blog post (and others) pointed out. If you limit the scope of your activities to “security”, you end up with the tire swing with no tree. You have to account for and model your entire business formally to achieve security, What this says is that business security architectures are, at a very real level, just business architectures. There is no material difference between the two.

But why would you need a full fledged business-wide process to get this information to you (or your analysts)? Because it’s really hard and expensive to do without the practice and culture in place enterprise-wide. You might brute force it and get your answers once without it, but trying to keep that information up to date would be completely futile.


In closing, I’d like to reiterate that I’ve only discussed business security architecture and operational risk management’s impacts technical security operations (looking up). Of at least as much importance is its role in aiding executive or management decision makers in correctly assessing and responding to risk. This is accomplished by providing a very clear line of sight from the trenches to business assets and risk appetite (looking down).

About Me

Jack Whitsitt

Jack Whitsitt

National Cyber Security. Risk. Multi-Dimensional Rainbows. Maker of conceptual lenses. Artist. Facilitator. Educator. Past/Future Vagabond. Drinks Unicorn Tears.

Follow me on Twitter

My Art / Misc. Photo Stream

IMAG0012

OI000002

OI000003

OI000005

OI000016

More Photos
Follow

Get every new post delivered to your Inbox.

Join 36 other followers