Friday, November 14, 2014

The Growing Divide: InfoSec Practitioners vs. Climbers

The Problem
In our current age, where sound bites, marketing reports, and short-term quarterly focus rule the day, it’s getting tougher for the average corporate IT Security team to sort through the useless noise. One line of thought, which is particularly misguided and out of touch, is the belief that IT Security needs to be a “partner with the business”. What does that mean anyway? If you ask a dozen CISOs, you will likely get many different answers, none of which the adversary would care about. Despite that, it has been the rallying cry for the types of vendors and consultants that focus on manipulating the C-suite to further their interests. What follows will explain in detail why this concept is diverting IT Security from its true purpose of protecting the business, in a narcissistic attempt to make heroes (aka promotions, bonuses, etc.) out of paper IT Security leaders (aka PISOs).

The Reality
First things first, I’m a realist. There are both positive and negative connotations with this phrase.

On the positive side:
  • IT Security needs to understand the business and what matters to them
  • IT Security needs to apply their understanding of threats to high value business functions
  • IT Security needs to build relationships within the business

On the negative side:
  • Security strategy by buzzwords is not effective
  • It fails to realize that IT Security is not IT; the two have vastly different goals
  • It implies yielding risk acceptance & mitigation to business units rather than the corporate risk function

I agree wholeheartedly that the IT Security function needs to be business aligned. What that means to me is that they need to not only understand the business functions, but align their controls around what matters to the business in ensuring its goals are met. And of course, building relationships across the business is key to your ability to execute; this is common sense and not specific to IT by any means. I have always supported the model of mapping what attackers want to what the business cares about. I call this a hybrid threat & data centric model.

On the flip side, I think we lose more of our security prerogative the moment we start creating roadmaps based on buzzwords. If you are a CISO, and one of your first goals is to get your CISSP in the first 6 months of your job, that is a sign. If you need to bring in consultants and read Gartner for your strategy, that is another sign. If you repeat buzzwords in your presentations, that is yet another sign. The final sign would be that your plan was only to be a CISO for 2 years before your next corporate rotation. Guess what: you are the classic PISO (Paper CISO). It’s okay, most are, but guess what, there is hope. But that will be a different blog post.

So what we have here is failure … failure to think for yourself and acceptance of group think. Based on the number of breaches across all industries, I think it’s safe to say almost everyone has it wrong. A Home Depot IT leader literally said “we only want C level security”. More recently, it was made public that the USPS didn’t even have a 2-factor VPN. Was this because they were partners with the business and single factor was more convenient? So any time a phrase like this becomes a buzzword, you should immediately put up your guard and realize it’s merely the talking head’s silver bullet of the moment. You can already see this, as more people have abandoned the term “partner with the business” for “business aligned security”.

Another major misconception is that IT Security should operate like traditional IT. This is fundamentally wrong in every sense. IT is actually a true business enabler. IT is specifically chartered to make things faster, better, and cheaper. IT delivers shiny new things to the business to help them maximize revenue or serve the customers better. IT Security is in conflict with this, as its goal is loss prevention and, more specifically, to protect the business from itself, not just from outside threats. Does a partner with the business tell them they have to apply critical patches (induce change) right before the busiest online shopping season? Does a partner with the business push back the rollout of a major website because it’s running Drupal on a single physical server with 3-year-old Apache? Does a partner with the business have the ability to tell the CEO his baby is ugly? The job isn’t to win promotions and get accolades. The job is to be the protector of the business. That often means putting your personal career on the line to tell the business no, not because you can, but because it’s the right thing to do. No matter how eloquent you are, the business will never truly grasp IT risk and its consequences that come after the current fiscal quarter. It’s the equivalent of telling a starving person not to eat the cheeseburger in front of him, because next Tuesday you’re going to give him a fiber bar. Good luck with that.

The final problem I have with this phrase is that it yields way too much control to the project team or business unit. There is a reason corporate compliance and audit report to the board. They want to ensure risk is being appropriately managed and that the C-levels aren’t painting a different picture than the reality on the ground. Is it really appropriate for someone to accept risk, take a bonus, and move on before that risk ends up being a problem for the next person? This is one of the key flaws in the way IT risk is currently being managed, and I expect this to largely change as cyber insurance, high premiums, and the required 3rd party audits start to ramp up in the coming years.

The Path Forward
  • Apply a heavy dose of skepticism to any buzzword that is being used by a vendor or consultancy. Trust me, their interests do not align with yours. A good rule would be to ask the 5 Whys, to determine what they know about the subject beyond surface-level knowledge.
  • Hire a permanent or contracted technical deputy CISO to guide your program from strategy to implementation. This person needs to have verifiable experience defending organizations with a solid track record of accomplishments. 3rd party verification is often required to avoid hiring a good talker without true substance, hands-on experience, and vision.
  • If you aren’t passionate about IT Security, confident enough to say no to the C-levels, and results-driven, then it’s probably time to move on to a different role. The shareholders deserve better than that. And with the rules starting to change, where every breach is considered material, the seat is about to get hotter.

Comments are very much welcome, as I realize this is a highly opinionated piece that many people will find controversial.

Sunday, October 5, 2014

Response to Anup’s post “The Three Most Common Myths in Enterprise Security”

I don’t disagree per se with anything Anup is saying; however, upon reading this I was concerned. I think that people who have been doing this a long time have a clear understanding, but I believe the target audience of Piss-Ohs (Paper CISOs) needs more detailed guidance.

Myth 1: We can patch our way to security
Even with the full understanding that you can’t patch your way to security, you are in fact negligent if you are not pursuing a target state of everything in your org patched on a regular approved cycle, including emergency patching for criticals, with all of your legacy issues managed from a risk perspective. By that I mean leadership is fully aware of the risk and has either chosen to accept it or to look at alternate solutions going forward. From my perspective, legacy solutions should be run in a virtual sandbox environment such as ThinApp, to allow the end user desktop to be fully patched. Some people have also gone the VDI route with varied success rates. For many, VDI has been difficult, expensive, and rejected by users. A small percentage has seen a great ROI, mostly on endpoint costs, as it fits better with their business model. I always prefer the app virtualization route, if only for the stability of the app: it gives the application admins much more control of the execution environment, leading to improved uptime.

Key Take Away: You need to dedicate resources to keeping your computing environment patched, as it’s one of the easiest ways to not gift the adversary attack surface. Nobody should believe it’s a silver bullet, but show me a company that doesn’t patch by choice and I will show you a victim of many script kiddies and commodity malware, let alone advanced attackers. This is also a good way to keep down the noise in your environment and let your defenders focus on more critical threats.

Myth 2: We can train our users to not do "stupid" things
I agree with Anup on everything here: similar to bombers in WWII, the targeted phish always gets through. I think there are also many people stating that end user security awareness training has been used for decades with little progress to show for it. I think your end game with any campaign should really be to not have users fall for the obvious. That is the best you can hope for. And if you aren’t benchmarking your self-phishing activities, as well as rates for users reporting real suspicious email, you need to. I think you can make huge gains, but the risk never goes away. I also view most organizations as not properly using the carrot and stick. Lockheed Martin, for example, purports that they actually terminate users after 3 failed phishing events. I found that hard to believe, but I heard it in person at a conference. I’m pretty sure that is changing user behavior. Also, motivating people to improve with gift cards or event tickets seems to drive good participation. And honestly, if you look at the problem, most InfoSec pros tend to treat emails with a certain amount of paranoia. You learned to look for grammatical errors, hover over links, and analyze headers. Users should have the mental capacity to do this also. This is way simpler than many companies' expense systems. :-)

Key Take Away: If you’re not incentivizing and penalizing your users, in some form or another, to be responsible for the security of your company, you’re running your security awareness program wrong.

Myth 3: We can defeat targeted attacks by sharing signatures.
Anup was dead on with these comments. My add-on to this discussion would be to delineate between signatures and indicators a bit more. "Signatures" tends to connote either IDS/IPS or AV signatures, or, for the more advanced, Yara signatures. I may be totally naive, but I feel if you are forward thinking enough to engage in intel/threat sharing, you already understand the value of indicators and intelligence. Granted, some shops are just taking feeds and deploying them without understanding, but I’m thinking more about multiple forms of threat intel, all the way from indicator management to strategic intelligence. This has been covered well by Rick Holland and Wendy Nather. Also, David Bianco’s Pyramid of Pain spells out nicely what Anup is referring to. Essentially you want the valuable data at the top of the pyramid. Since I think threat intel sharing is nothing but goodness, I would not want anyone to read the original article and be steered away from it. If you have completed the foundational elements of your security program, you should get into this space. We can always learn more from our peers in the industry.

Key Take Away: Threat Intelligence sharing within trusted groups is very beneficial, as long as you are a good consumer of intel. And for God’s sake, don’t chase this if you haven’t done the basics first.
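To make the "good consumer of intel" point concrete, here is an added example (not from the original post or from any of the linked articles) that ranks a constructed indicator feed by Pyramid of Pain level, refangs defanged values, and rejects entries that would only generate noise, such as truncated hashes or internal addresses pasted into a feed. The feed format, type vocabulary, and all sample values are assumptions made for this example.

```python
"""Rank a threat-intel feed by Pyramid of Pain level (constructed example)."""
import ipaddress
import re
from collections import Counter

# Pyramid levels, least to most painful for the adversary to change.
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed feed "type" vocabulary -> pyramid level.
TYPE_TO_LEVEL = {
    "md5": "hash", "sha1": "hash", "sha256": "hash",
    "ipv4": "ip",
    "domain": "domain",
    "user-agent": "artifact", "mutex": "artifact", "uri-path": "artifact",
    "tool": "tool",
    "attack-pattern": "ttp",
}
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# RFC 1918, loopback and link-local: an IP indicator here would alert on
# your own internal traffic, so it is rejected rather than deployed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def refang(value: str) -> str:
    """Undo common defanging: evil[.]example, hxxp://, 1.2.3[.]4."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def classify(record: dict) -> tuple:
    """Return (level, note); level is None when the record is unusable."""
    ioc_type = record["type"].lower()
    value = refang(record["value"].strip())
    level = TYPE_TO_LEVEL.get(ioc_type)
    if level is None:
        return None, f"unknown type {ioc_type!r}"
    if ioc_type in HEX_LENGTHS:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LENGTHS[ioc_type], value, re.I):
            return None, f"malformed {ioc_type}"
    elif ioc_type == "ipv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None, "malformed ipv4"
        if any(addr in net for net in INTERNAL_NETS):
            return None, "internal address, would alert on your own traffic"
    elif ioc_type == "domain" and not DOMAIN_RE.match(value):
        return None, "malformed domain"
    return level, ""


def parse_feed(text: str) -> list:
    """Parse 'type,value,description' lines; '#' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, value, desc = (line.split(",", 2) + ["", ""])[:3]
        records.append({"type": ioc_type, "value": value, "description": desc})
    return records


def assess(text: str) -> dict:
    """Counts per level, rejected entries, and the share sitting at the bottom."""
    counts, rejected, usable = Counter(), [], []
    for rec in parse_feed(text):
        level, note = classify(rec)
        if level is None:
            rejected.append((rec["value"], note))
            continue
        counts[level] += 1
        usable.append((RANK[level], level, refang(rec["value"]), rec["description"]))
    total = sum(counts.values())
    low = counts["hash"] + counts["ip"]          # trivially changed by the adversary
    usable.sort(key=lambda u: -u[0])             # most painful for the adversary first
    return {"counts": dict(counts), "rejected": rejected,
            "low_value_share": (low / total) if total else 0.0,
            "prioritised": [(lvl, val, desc) for _, lvl, val, desc in usable]}


# Constructed sample feed; every value below is made up for this example.
SAMPLE_FEED = """\
# type,value,description
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,dropper
md5,deadbeef,truncated hash copied from a report
ipv4,203.0.113.7,C2 address (documentation range)
ipv4,10.0.0.5,analyst pasted an internal address
domain,evil[.]example,C2 domain, defanged
user-agent,Mozilla/4.0 (compatible; MSIE 6.0; Win32),beacon user agent
mutex,Global\\ExampleMutex,persistence marker
tool,ExampleDumper,credential dumping tool (constructed name)
attack-pattern,T1003 OS Credential Dumping,technique
"""

if __name__ == "__main__":
    result = assess(SAMPLE_FEED)
    print(f"{result['low_value_share']:.0%} of usable entries are hashes or IPs")
    for level, value, desc in result["prioritised"]:
        print(f"{level:9s} {value:70s} {desc}")
    for value, note in result["rejected"]:
        print(f"rejected  {value}: {note}")
```

The "low_value_share" figure is the quick sanity check: a feed that is almost entirely hashes and IPs is cheap for the adversary to route around and is worth far less than the tools and TTPs at the top of the pyramid.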

All in all, I enjoyed the article and I love the fact that Anup is challenging conventional wisdoms of InfoSec that are often distorted. I think everyone agrees that current approaches aren’t working and it’s time to move on. Let’s just not throw out the baby with the bath water.

The original article can be found here

David Bianco's Pyramid of Pain
Rick Holland's Threat Intelligence Buyer's Guide
Wendy Nather's Threat Intelligence: A Market for Secrets


Wednesday, August 20, 2014

Lessons from Crumpton's Art of Intelligence

A few months ago, I finished reading Henry Crumpton's book, The Art of Intelligence: Lessons from a Life in the CIA's Clandestine Service. It was simply amazing and I highly recommend it for all the insights it adds to hidden conflicts the public will never fully understand. I will not be writing a review of the book, however, but will try to map some of the key points from the book onto what we see today in the information security spectrum. While I would never attempt to equate the life and death struggles of patriots to the things we do in InfoSec, I believe in drawing from other realms to further our understanding of problems.

Diverse Backgrounds

(pg 64) "There was an overwhelming consensus, according to James, that whether in operations or analysis, the best officers were usually those who had accumulated a broad range of diverse and enlightening experiences prior to joining government service. These men and women developed more open, more empathetic views of others. With their accumulated perspectives, they could engage with a broader range of people. They could also recognize, question, and sometimes challenge the status quo." ... "But James noted, to his dismay, that at least prior to 9/11, many thought the CIA emphasized hiring officers with clean, "blank slates", rather than those with unique backgrounds and on-the-edge experiences. It was much easier to admit a new officer who adhered to the status quo, who migrated from parents to college to employment, than an unconventional adventurer."

This should be a no-brainer, but surprisingly it's not. Hiring managers continue to only want to recruit from their alma mater, or specifically only hire from certain roles like system or network administrators. And the most frustrating of all, they want to hire from their former employers, the Big4, Gartner, and others. It's obvious to the people that get it that this causes problems, not the least of which is missing out on better talent. It reminds me of a story I heard, where a former manager's best hire was a quadriplegic, who typed on his keyboard with a stick in his mouth, but was still more productive than fully able college graduates.

Big Picture, Remember Your Stakeholders' Needs

(pg 97) "CIA operations fall into a larger political context, although sometimes CIA officers forget this. Intelligence serves a political purpose and supports policy makers and implementers. Our station was fortunate, because our ambassador understood and respected our work and used our product."

Yes I am guilty as charged. It's all too easy to get mired in tactical enterprise defense issues, and lose sight of the big picture and what your executive leadership really wants. It's important to have that meeting and outline specific goals, otherwise we are making bad assumptions or simply adhering to something generic like "protect the brand and reduce risk".

Cross Functional Teamwork

(pg 98) "To gauge counterintelligence risks, the CIA must understand the plans and intentions of other services, and the best means to do so is via unilateral sources within those services."

Everybody knows the last minute drama created by other teams' lack of planning and communication. As InfoSec, we always need to be developing relationships in other departments and learning what is important to that segment of the business.

Lack of Threat Intelligence & Incident Sharing is Bad for Business

(pg 110) "The FBI sought justice, not prevention. Their information was potential evidence, which they had to protect for the prosecutors to use in court. The agents, for the most part, could not envision others outside the DoJ having a legitimate need for FBI-derived information. Sharing evidence as intelligence was anathema to them. Even the FBI's NY field office would not share information with FBI HQS, because of their incentive for a successful prosecution in the DoJ's Southern District of NY." ... "The FBI even referred to the "Chinese wall" constructed to prevent tainting evidence by sharing it with the intelligence community or anybody outside the prosecutor's office."

Companies with more mature IT Security operations need to understand there is more to gain by establishing trusted sharing with peer companies than by going it alone. What's even more challenging is when you have internal corporate groups at the same company refusing to share information for various political reasons. At a minimum, withhold the context and exchange fresh indicators.

Rally Cry: Existing Methods of Security Aren't Working, It's Time To Innovate

(pg 120) "Conspiracy to Destroy Bureaucracy & Murder of Outdated Ideas and Methods"

If you're not here to improve things and drive change, follow or get out of the way. Oftentimes this can be a huge hurdle, when the roadblock in question is a politically connected corporate stooge.

Most Leaders Don't Get It, But Be Ready For When They Do

(pg 143) "It was late January 2000, in the aftermath of the Millennium Plot success. We were proud of our work. Although National Security Advisor Sandy Berger described it as our most successful counter-terrorist operation to date and thanked us, the administration and public seemed oblivious to the scope of the enemy's effort and our global surge to foil their terror plots. The failure of the administration to grasp the enormousness of the enduring threat was disappointing." ... "Well, hard for us to fight when our leaders and our nation don't realize we're at war." ... "Listen, the time will come. It will be ugly. And the guys downtown will ask us to respond. We will. There will be blood in the sand."

There it is, plain and simple. The pendulum swings back and forth on IT security relevance within the company and executive attention rarely lasts longer than a fiscal quarter. Be ready to go with your wishlist, plan of action, and elevator speech.

Realpolitik Often Trumps Logic

(pg 155) "To our frustration in CTC, the president's covert action finding included many caveats, e.g., we could only seek to kill UBL if it was part of a capture operation. Yet there was no apparent problem killing him with a cruise missile. This was silly. UBL had declared a war on the United States, by word and deed. He had partially destroyed our embassies in Nairobi and Dar es Salaam in August 1998 with truck bombs. He had attacked the USS Cole in October 2000. He had planned to kill thousands at the turn of the century, but CTC working with dozens of CIA stations and our foreign intelligence service partners had thwarted him." ... "I wondered how much of the parsed language in the finding was designed to protect their political reputations rather than protect the nation."

China is the largest stealer of intellectual property in the history of the world by volume. And yet companies are relocating their engineering, science, and manufacturing there. Corporate espionage is openly admitted in India, and yet we are offshoring many IT jobs there that often include privileged user access. This makes zero sense in the long term, but making quarterly numbers and getting bonuses trumps the long-term health of the company. This is easily one of the most disheartening aspects of our nation's long-term economic prospects and the vitality of the middle class.

Success Breeds Contempt

(pg 186) "We are completely fucked. If we lose, we're blamed for everything. They hang us. If we win, everybody in this building hates us, and we're finished. They will shoot us in the back of the head. Some already hate us, because we have the resources and the authority. The Near East Division wanted command and control of this war, but the director stuck with us. So forget any career." ... "Do you think I give a rat-fuck about a career. We've got thousands dead. All I want is the mission. You gave it to me. I'm grateful." ... "Good harsh advice as usual. Just consider yourself dead professionally and politically. Focus on the mission. There is nothing but the mission."

I have seen this too many times to not consider it the norm. New talent comes in and moves the bar more significantly in 6 months than other teams have in 4 years. You can guess what the institutionalized, lazy, bureaucratic reaction to that is. I once had a person roadblock me so much they got "security" put into their job title to make the red tape even thicker. I would like to say that by maintaining strong, friendly relationships with other leaders this problem goes away, but that just isn't reality.

Don't Underestimate Your Enemies & Plan For The Unexpected

(pg 226) "What's the problem?" ... "Our medic, he's detailed to the CIA from DoD, and we're waiting on his clearance to join us." ... "Sir, it's a no-go" ... "You have to be shitting me." ... "No sir. The secretary's office has refused his clearance to join us." ... "Why?" ... "I don't know, sir." ... "As the plane began to taxi, I sat in my seat strapped into the four-point belt buckle, wondering how in God's name we could win this war with a DoD so dysfunctional. Or worse, maybe these dickheads were more concerned about their administrative prerogative than saving the lives of our men on the battlefield. Whatever the reason and the motivation, the result was the same. We would be short a medic. The pilot pulled into the clear afternoon air over northern Virginia and turned to the east, toward Tajikistan."

While not really proven, there was some inference in the book that Rumsfeld was a major ruthless prick. This has also been corroborated in other books. I have seen people get clearances in 1 day, and they send these guys into the heart of darkness without a medic due to a clearance? Regardless, from an IT context, we should never underestimate our external or internal threats. The one day you ignore or denigrate a threat, the next day your emails are on pastebin. And we need to be prepared to operate at less than full strength. Cross training your team is very important.

Corporate Communications & Public Relations Matter

(pg 244) "By now Massie had arrived in Alabama and informed Mike's parents. Bonk was still en route to California. The Pentagon issued a press statement that the fallen did not belong to the DoD. The statement was not coordinated with the CIA." ... "Why could they not wait another few hours, for God's sake, so we could inform Shannon? What did the Pentagon gain?" ... "Shannon was driving, listening to the radio. She heard the announcement, pulled to the side of the road and called me." ... "I just heard a report on the radio that an officer is down. The Pentagon says it's not one of theirs, so he must be ours. It's Mike, isn't it?" ... "I tried to imagine her on the side of a California road, cell phone in hand, traffic whizzing past. She was now a young widow with three kids."

This story probably had the most emotional impact of any in the book. But it drives home the point of how much the accuracy, timeliness, and coordination of communication matters. While some argue that you want rapid notification, more times than not it's better to wait until all the facts are in and you have answers to the likely questions. You also want to have your playbook ready to go for how your PR & Corp Comms departments will handle breaches. Target and others have learned this the hard way.

Intrusion Fatigue & Professional Development

(pg 276) "Intellectually, I needed to place the last few years in some historical and theoretical context." ... "Professionally, an academic sabbatical would broaden my perspective and make me a better officer. I felt like the guy chopping wood with a dull axe who never took time to sharpen the edge, because he always had more wood to cut. I needed to quit chopping, sit down, take a deep breath, and pull out the file."

As organizations add more tools, gain more visibility, and generate more alerts, it becomes quite common to get overloaded with incidents. Being stuck putting out fires all the time isn't good for the company or for you. You are more likely to miss things when you're in constant crisis mode. Also, not having time for researching, testing, learning, etc. keeps your skill sets from being improved and your processes from being refined.

Vet your InfoSec Thought Leaders

(pg 276) "Policy wonks jawboned about the diplomatic gridlock of nation-states in the region. Some counter-terrorism experts, many of them unfamiliar to me, predicted death and destruction for Central Asia, the Middle East, and the U.S. homeland. Hardly anybody commented on the intellectually corrupt ideology of AQ or on the people of Afghanistan. I thought of my discussion with Masood in early 2000 when he had stressed the importance of his people in any conflict. I wondered if any of these pundits had asked any Afghan what he or she thought."

There is no shortage of talking heads willing to repeat buzzwords on a big stage at a conference or on the web. It's critical for the industry to avoid group think and demand legitimacy from our so-called thought leaders. Pay close attention to the work experience and track record of anyone you are relying on for strategy.

Rapid, Adaptive Threats And Intelligence Driven Detection & Response

(pg 277) "That is to say, it is a definition of war that has neat beginnings and decisive endings, waged against a state, or more precisely, against its armed forces, accompanied by clearly defined objectives, 'end states', and 'exit strategies'." ... "Yet we are facing an era of war unrestricted by conventional boundaries. Cohen argued that we will face "wars that resist neat classifications of those who impart military doctrine at war colleges, or of politicians and generals who seek clarity and order when all is obscurity and confusion." ... "This war, unlike most others, has the potential to take new and dangerous forms with great speed and little warning." ... "This is why intelligence will be so critical, to help us diminish the "obscurity and confusion" and to understand the "new and dangerous forms".

The speed of innovation on the attacker's side and the sheer number of increasing threats keep making our world even more asymmetric than in years before. One of the best ways to make things more symmetric is to have a robust threat intelligence program. This is easier said than done, and it isn't just a data feed and some actor reports. We need to hunt those adversaries and implement security controls based not on a cool vendor ranking, but on your specific actors' TTPs.

Threat Intel is a Shiny Object

(pg 281) "The first is how ambivalent, cynical, or ignorant the U.S. public and many policy makers are about intelligence." ... "Policy makers were seeking to drive intelligence conclusions rather than letting intelligence collection and analysis inform policy." ... "Second, I was struck by the changing nature of warfare and the growing importance of intelligence in this strategic context." ... "This was reflected in huge budget increases in the intelligence community and a proliferation of agencies with intelligence functions but little real strategic leadership or clarity. The intelligence community seemed unsure of its future direction, in large part because the policy makers failed to provide requirements and guidance. They needed to be responsible customers of intelligence."

We all know Threat Intel is the current hotness, but it's important to define concrete objectives and outputs with the stakeholders. I once had a boss ask that we hire a Threat Intel person because he saw a presentation at a conference. I said it was too much of a jump in maturity when over a third of the corporate systems had various forms of known malware on them. Let's be clear: while there is tremendous value in Threat Intel, many orgs have no business attempting it until they build a stronger operational foundation.

Always Pursue Knowledge & Don't Be Afraid To Ask "Dumb" Questions

(pg 298) "A good intelligence officer cultivates an awareness of what he or she does not know. You need a dose of modesty to acknowledge your own ignorance - even more, to seek out your ignorance. Then the harder part comes, trying to do something about it. That often requires an immodest determination."

Let's face it, everyone is ignorant about something. No matter how much you think you know, someone always knows more. We should be so lucky to be in a field where things are always changing and there is always something to learn. Also, don't become accustomed to always getting corporate-paid training with travel. In times of budget cuts, you have to take your own education into your own hands. There are plenty of free and low-cost ways to learn more and up your InfoSec game.

The Blame Game

(pg 310) "Moreover, why had the commission looked only at the intelligence failures? Why not the policy failures? Perhaps, I figured, because politicians and policy makers had set the rules and they constituted the entire commission. There were no incentives for policy makers to blame themselves. They were protecting their tribe. Not a single intelligence professional held one of the commission's seats. It was sort of like assembling a blue-ribbon commission to review a health care crisis without any doctors participating."

If you are not empowered to shape security strategy and operational processes, then it's pretty much a one way street. You are there to take the blame when things go wrong. The best approach is to take copious notes about all your efforts to reduce risks, especially when they were rebuffed. That just might save your job and those of your employees.