Monday, February 20, 2017

Top 10 InfoSec Mistakes

This is my Top 10 list based on the common mistakes I am seeing, which may be completely different from what others are observing. Please share your experiences to see where there is overlap or uniqueness.

1) No CISO Left Behind
Having a low performing CISO is in almost all cases a program killer. Not only is it bad for morale, it typically derails efforts to reduce risk and puts budget dollars on projects with very low ROI. One thing I have noticed is that C-levels and most BoDs are unable to adequately assess CISO performance. It's often measured only on personality and the pure luck of avoiding a public security breach. Conversely, many high performing CISOs get a raw deal when they experience a breach, even though they have advanced the program further than any of their predecessors.

Recommend: Hold quarterly KPI reviews, including discussion of new KPIs at least annually. Maintain accountability of a CISO's time, specifically around time spent building their personal brand or with vendors, versus directly advancing the goals of the organization. 
2) Chasing Corns
It is all too common for organizations to flat out ignore doing essentials like prioritizing assets by risk, getting their employees properly trained, or auditing service accounts. Instead people tend to chase unicorns like deception technology, cyber pathogens, cyber camouflage, artificial machine intelligence, or becoming a producer of threat intelligence.
Recommend: Address, or show significant traction on, the SANS Top 20 controls before pursuing whatever hotness is being peddled at RSAC.
3) Tooltopia
Many of the Fortune 200s have never met a tool they didn't like. This seems to be very typical in organizations that have experienced a breach and bring in a new CISO who was failing, but came from a big-name company. They then proceed to spend all that money and still get hacked. Joe McCray was right.
Recommend: Do not allow CISOs to talk about tools by name, only capabilities and ensure that any solution purchase is fully operationalized before new projects can be initiated. Effectively force the CISO to strategize around people and process and don't let them use the tool crutch.
4) Wounded Knee
Guess what time it is? It's Monday morning and your management just read the latest news. It's time for the old knee-jerk reaction and a bunch of stuff rolling downhill. This commences a colossal waste of resources, including a bunch of reply-to-all emails and meetings about meetings.
Recommend: Establish ground rules regarding this type of behavior. Limit the spinning up of massive conference calls or data calls until an official severity or risk determination has been made by a technical resource. Also, I highly advise creating a threat portal where such information can be proactively published to stakeholders.
5) Rockstar Recruiting
It's not news that if you throw big money at talent, some will take the bait. The chronic failure seems to be in actually retaining that talent. There is also a reason why most people feel the exit interview is a complete joke. How much more cost effective is it to ensure your existing people are happy versus continually having to rebuild your team? Also, ignoring people with passion but no experience is detrimental to your staffing. I don't see a lot of excuses for not always having at least one intern or noob that you are building up. And it's important to take note of your staff who hoard knowledge and refuse to mentor.
Recommend: Document and escalate the underlying issues that are causing people to leave the organization early. I recommend reading this story for a classic case of HR failing to do their job. I also highly advise rewarding mentorship financially within your organization.
6) Failing to MFA All The Things
To me this is one of the best allocations of resources you can make, with a very high ROI: move as many applications and servers behind two-factor authentication as possible. This is the exact opposite of long-term money pits like DLP or NAC. Also, hiding behind user convenience is no longer a defensible position.
Recommend: Start planning and executing today, not after a breach. Both Duo and Microsoft have affordable options.
7) Strategic Firewall
This isn't the firewall as you know it. If you are familiar with the Big4, there was a concept of keeping a firewall between the audit and advisory practices. Similarly for big banks, it was keeping the retail and investment banking businesses separate. This was there for a very critical reason: to avoid conflicts of interest and limit risky practices. Knowing this, you should not accept strategic advisory services from the company selling you solutions. They will only try to sell you products that give them the highest percentage of the sale or allow them to wrap extra service dollars around it. Unfortunately it's never about advising on the best product based on repeatable tests and real-world PoCs that have been documented.
Recommend: Internal audit and the BoD compliance committee should be tasked with uncovering and addressing this serious conflict of interest.
8) Following the 20/80 Rule
Stop pursuing controls for niche security threats. Yes, that threat may even be in the news (fake and real), but are you sure it applies to your organization or vertical? There seems to be an unhealthy obsession over zero days as well. I agree with others: you may not be important enough to get a zero day used on you.
Recommend: Use templates for creating your organizational threat models to avoid security theater. This will properly align your strategy to the threats you are facing. And if a threat actor decides to burn a zero day on your org, kudos to you, because you're actually winning. Also, please capture it and responsibly disclose it to the vendor.
9) Premature Nuke From Orbit
This is definitely one of my pet peeves. A SOC manager has mentally checked out and is just firing off reimage requests and never determining root cause. That AV alert may have been a nation-state actor, but you will never know now. If your ticket says "alert X fired, computer rebuild completed" and nothing else, you should be excommunicado from the InfoSec club.
Recommend: Hold a quarterly review of all SOC ticket closures to find the ones where no root cause was determined. In addition, establish a documented process for harvesting indicators and context from internal incidents.
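One way to run that quarterly closure review, as an added example that is not part of the original post: it flags closed tickets with no recorded root cause (including the "alert fired, host rebuilt" style of closure) and confirmed-malicious closures that harvested no indicators. The ticket fields and the sample tickets are constructed assumptions, not a real ticketing export.

```python
"""Flag closed SOC tickets that lack root-cause analysis (RCA) or harvested
indicators, for a quarterly closure review. Added example, not from the
original post; ticket fields and sample data below are constructed."""
import re
from dataclasses import dataclass, field

# A closure note that only says "alert X fired, host rebuilt" is not an RCA.
_REBUILD_ONLY = re.compile(r"^\s*alert\b.*\bfired\b.*\b(rebuild|reimage)\w*\b.*$", re.I)

@dataclass
class Ticket:
    ticket_id: str
    quarter: str                     # e.g. "2016-Q4" (constructed label)
    closure_note: str
    root_cause: str = ""             # empty when the analyst never recorded one
    indicators: list = field(default_factory=list)  # hashes, domains, etc.

def lacks_rca(t: Ticket) -> bool:
    """True when the closure records no usable root cause."""
    if not t.root_cause.strip():
        return True
    return bool(_REBUILD_ONLY.match(t.closure_note))

def lacks_indicators(t: Ticket) -> bool:
    """True when a confirmed-malicious closure harvested nothing reusable."""
    return t.root_cause.strip().lower() == "malicious" and not t.indicators

def review_quarter(tickets, quarter):
    """Summarise closures in `quarter` that need follow-up by the SOC manager."""
    closed = [t for t in tickets if t.quarter == quarter]
    no_rca = [t.ticket_id for t in closed if lacks_rca(t)]
    no_ioc = [t.ticket_id for t in closed if lacks_indicators(t)]
    pct = round(100 * len(no_rca) / len(closed), 1) if closed else 0.0
    return {"closed": len(closed), "no_rca": no_rca,
            "no_indicators": no_ioc, "no_rca_pct": pct}

SAMPLE_TICKETS = [  # constructed sample data
    Ticket("SOC-101", "2016-Q4", "Alert AV-4471 fired, computer rebuild completed"),
    Ticket("SOC-102", "2016-Q4", "Dropper traced to phishing mail; C2 domain blocked",
           root_cause="malicious", indicators=["bad-domain.example"]),
    Ticket("SOC-103", "2016-Q4", "Alert IDS-17 fired, reimage done",
           root_cause="malicious"),
    Ticket("SOC-104", "2016-Q4", "Scanner traffic from approved vuln-scan host",
           root_cause="benign"),
    Ticket("SOC-105", "2017-Q1", "Alert AV-9 fired, rebuild completed"),
]

if __name__ == "__main__":
    print(review_quarter(SAMPLE_TICKETS, "2016-Q4"))
```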
10) Logging/Tapping All The Things
This isn't all that horrible, but it's still counterproductive and very common nonetheless. Logging everything, including events of no security or audit value, makes little sense. Then people turn around and store that same data for 5 or more years. Someone best described this as useless pools of liability. The same goes for overloading your network sensors with encrypted traffic or traffic from your core. There is not much ROI here and it creates a tremendous amount of noise for your security analysts.
Recommend: Implement a tiered logging strategy for retention and filter out log events or log types with no practical use. This has the added benefit of potentially reducing your SIEM licensing costs. If you plan on tapping everything, do not feed it into your analyst console until you have proven they are staffed well enough to monitor all internet gateways and DMZs.

Saturday, January 30, 2016

The saga of Norse and an industry indictment

I first interacted with Norse and Sam Glines in 2013, when they were making the rounds in St. Louis pitching their product. They showed up to our office with 3 people and another person on the phone. They couldn't really answer any of my technical questions, but were pleasant enough. I knew right away, though, that they had nothing to offer me as leader of an IT security program at a then Fortune 500 energy company. Because they had an office in St. Louis and I was keen to see them succeed, I gave Sam advice to the effect that in their current form they were only replicating what Damballa had already done years earlier and much better. I told him they were too early and needed to establish an actual threat intelligence team with experienced, industry recognized analysts. I also recommended they focus on nation state versus the commodity type data they were collecting in the "deep, dark, web". No idea what he actually thought of this, but I'm going to go out on a limb and say they were just focused on sales and brand building at this point, despite the fact that they were nowhere near being an actual threat intelligence company.

Fast forward to Blackhat the following year and the marketing blitz had begun. Norse made a big splash at the conference with their Viking swag and booth babes. I looked at their product again at this time and was surprised to see little had changed. Just a pew pew map and indicators of minimal value. Yet, the industry ate this up. The security hype cycle was spinning up and channel sales everywhere were happy to oblige.

In the summer of 2014, I was starting to look for a new job and even reached out to Sam, along with several other companies. I wanted to find out if they were planning on staffing any intel analysts in St. Louis instead of their main California office. At this point, I thought they still had a fighting chance to succeed if they could build off their marketing success and build a real intelligence capability. Fortunately for me, this never went anywhere and I landed my current role, which is one of the best jobs I have ever had. If Norse would have stayed in their lane, the odds are they would have grown into something. However, they made critical errors in judgement.

The beginning of the end occurred later that year when Norse came out with flawed Sony attack attribution. They clearly embarrassed themselves, and the FBI and other industry reporting confirmed as much. This fiasco started to sway broader industry opinion that they were in fact a bunch of charlatans. And to be fair, it may just be that Tommy is an armchair intel analyst and neglected warnings of other more experienced people working there. Their credibility took another major blow when they put out a complete farce of a report with AEI on Iranian attacks. When you are willing to put out a garbage report for money, what does that tell you about the leadership?

I will first repeat what others have said. I'm sure there are great, talented people working at Norse who are getting a raw deal here. I wish them nothing but the best. However, I feel there are some serious systemic industry problems this has brought into the spotlight.

First, the "FOMO" money has gotten out of control. What was KPMG thinking investing $11.5 million into Norse? Did they not talk to any threat intel experts first to get their views? This was after their very public intel blunders, so there isn't an excuse. There is so much dumb money in the VC cyber market right now that it's propping up companies with vaporware and marketing gimmicks. It puts a black eye on us all when we let this happen. If they had just read the great insights on the threat intel market by Rick Holland, Wendy Nather, and Robert M. Lee, they would have been more easily able to spot the skeletons in Norse's closet.

Second, what does this tell you about the VARs who championed Norse? Either they lacked the experience and skill to evaluate the product, or worse, knowingly pushed a bad product for points. I can't forgive this and neither should you. There is no value if a reseller just pushes anything that gives them a bigger sales percentage, instead of testing and ensuring it is a best-of-breed product or service. Customers deserve better.

Finally, I will echo what Robert M. Lee stated in his blog post. This outcome is not at all indicative of the broader threat intel product and services space. While I personally believe most companies are not ready for threat intel, there are several credible threat intel providers out there doing right by their customers. 

Things happen pretty fast in infosec, but to those in the know, this was a LONG time in the coming.

Monday, January 25, 2016

The People Problem - Part 1

Every new year begins with the best of intentions, and I am going to try to blog at least once a month in 2016. There was an absolutely fabulous post by Scott Roberts in January called Introduction to DFIR that I highly recommend reading. That, along with my steadfast belief that being good at infosec is primarily dependent on people and not technology, has inspired my first blog post of the year.

More than anything, infosec is a problem caused by people that can only be effectively addressed by people. Whether it is coders introducing bugs, business leaders taking excessive cyber risks to accomplish near-term business goals, or oblivious users clicking on links and attachments in phishing emails, it's a people problem. To drive home this point, let's make an example. Based on the following organizational descriptions, which ones do you think are most secure, and alternately, which one would you want to work for?

Stark Industries
• CISO - Doug Steelman
• Director, IR & Forensics - Brian Carrier
• Director, Red Team - Dave Aitel
• Director, Threat Intelligence - Patton Adams

Massive Dynamic
• SIEM - ArcSight
• Forensics - Encase Enterprise
• IDS - SourceFire
• CTI - Norse

Hooli
• SIEM - Splunk
• Forensics - F-Response, SIFT
• NSM - Custom Bro/Suricata sensors
• CTI - ThreatConnect

I am not sure how other people would choose and what criteria they would apply. However, for myself, it is clear that choosing to work for great people has the least amount of risk and the greatest amount of "top cover". My choice in order would be Stark Industries followed by Hooli. I wouldn't work for Massive Dynamic based on their choices. The key takeaway is that people matter more than anything when choosing either employment or how competent you expect that company to be in securing their information.

Most companies at least pay lip service to the idea that people are vital to success. However, there are some serious challenges in this space. Anyone can throw big money and big promises at a "cyber rockstar" and lure them in. Where corporations often fall flat on their face is retaining talent. Capable and motivated people will not sit around while you figure out what you want to be when you grow up. For instance, I once personally waited 18 months for network taps at a company and never got them. This was despite multiple meetings with network design and buy in from senior leadership. To add to the insult, there was already a tap aggregator in place! My time is worth more than that, so I decided to move on and it had nothing to do with money and everything to do with being in an environment where I could deliver tremendous results and succeed.

While the vast majority of companies are self-sabotaging when it comes to IT security talent retention, the ones who understand this will profit immensely. This brings me to the other big component of the people problem. There just aren't enough qualified candidates. Instead of whining about this at your elegant CISO roundtable dinners with a 24yr old single malt in your hand, take ownership of the problem. Talent has to be developed, plain and simple. Every single person starts out knowing nothing. That is what I want to address, starting in this post and a follow-up one.

I think we need to develop infosec talent at an even lower level. Scott's great post is spot on for training up DFIR personnel, but I believe there are some fundamental IT skills that need to be in place first. The reason I believe this is that there are quite a few people coming out of college "security" programs without critical foundational skills. And I'm not picking on edu; this is the case for the majority of entry-level candidates regardless of background. Knowing something on paper is only the beginning of where you need to be from a functional perspective.

IT Fundamentals for InfoSec

Operating Systems
1. Windows
2. Linux

4. Routing/Switching
5. Firewall/VPN

6. Web
7. Database
8. Programming Constructs

9. Collect & Analyze

10. Common Body of Knowledge
11. Malware
12. NSM
13. Live Response
14. Offensive Concepts
15. Defensive Concepts

Above would be my requirements for someone looking to get into a career in information security. I would expect them to have functional skills in items 1 through 9, followed by a basic understanding of items 10 through 15. Having this foundation ensures that a candidate is positioned to succeed in a junior IT security role. While there are always exceptions to the rule, I would strongly recommend anyone work 2-3 years in a general IT role before moving into security. It gives the person much more context and understanding of why things are the way they are, and potentially insight on how to improve things. In part two of this blog post, I will detail each of the 15 IT fundamentals, which in turn I hope will assist people looking to break into information security with a degree of competence.