Sunday, October 5, 2014

Response to Anup’s post “The Three Most Common Myths in Enterprise Security”



I don’t disagree per se with anything Anup is saying, however upon reading this I was concerned. I think that people who have been doing this a long time have a clear understanding, but I believe the target audience of Piss-Ohs (Paper CISOs) needs more detailed guidance.

Myth 1: We can patch our way to security
Even with the full understanding that you can’t patch your way to security, you are in fact negligent if you are not pursuing a target state of everything in your org patched on a regular approved cycle, including emergency patching for criticals, with all of your legacy issues managed from a risk perspective. And by that I mean leadership is fully aware of the risk and has either chosen to accept it or to look at alternate solutions going forward. From my perspective, legacy solutions should be run in a virtual sandbox environment such as ThinApp, to allow the end user desktop to be fully patched. Some people have also gone the VDI route with varied success rates. For many, VDI has been difficult, expensive, and rejected by users. A small percentage has seen a great ROI, mostly on endpoint costs, as it fits better with their business model. I always prefer the app virtualization route, if only for the stability of the app: it gives the application admins much more control of the execution environment, leading to improved uptime.

Key Take Away: You need to dedicate resources to keeping your computing environment patched, as it’s one of the easiest ways to not gift the adversary attack surface. Nobody should believe it’s a silver bullet, but show me a company that doesn’t patch by choice and I will show you a company that is victim to many skriddies and commodity malware, let alone advanced attackers. This is also a good way to keep down the noise in your environment and let your defenders focus on more critical threats.

Myth 2: We can train our users to not do "stupid" things
I agree with Anup on everything here; similar to bombers in WWII, the targeted phishes always get through. I think there are also many people stating that end user security awareness training has been used for decades with little progress to show for it. I think your end game with any campaign should really be to not have users fall for the obvious. That is the best you can hope for. And if you aren’t benchmarking your self-phishing activities, as well as rates for users reporting real suspicious email, you need to. I think you can make huge gains, but the risk never goes away. I also view most organizations as not properly using the carrot and stick. Lockheed Martin, for example, purports that they actually terminate users after 3 failed phishing events. I found that hard to believe, but I heard it in person at a conference. I’m pretty sure that is changing user behavior. Also, motivating people to improve with gift cards or event tickets seems to drive good participation. And honestly, if you look at the problem, most InfoSec pros tend to treat emails with a certain amount of paranoia. You learned to look for grammatical errors, hover over links, and analyze headers. They should have the mental capacity to do this also. This is way simpler than many companies’ expense systems. :-)

Key Take Away: If you’re not incentivizing and penalizing your users, in some form or another, to be responsible for the security of your company, you’re running your security awareness program wrong.
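The benchmarking mentioned above (self-phishing click rates, report rates, and a carrot-and-stick view of who keeps clicking and who consistently reports) is easy to track once campaign results are recorded per user. The following Python script is an added example, not code from the original post or from any vendor tool it mentions; the campaign records are constructed sample data, and the three-strikes threshold is a hypothetical program parameter chosen to mirror the policy the post describes, not a recommended value.

```python
from collections import Counter, defaultdict

# Constructed sample records from simulated phishing campaigns, one row per
# targeted user: (campaign, user, clicked_the_lure, reported_the_email).
# These values are made up for illustration only.
CAMPAIGN_RESULTS = [
    ("2014-Q1", "alice", False, True),
    ("2014-Q1", "bob",   True,  False),
    ("2014-Q1", "carol", True,  False),
    ("2014-Q1", "dave",  False, False),
    ("2014-Q2", "alice", False, True),
    ("2014-Q2", "bob",   True,  False),
    ("2014-Q2", "carol", False, True),
    ("2014-Q2", "dave",  False, False),
    ("2014-Q3", "alice", False, True),
    ("2014-Q3", "bob",   True,  False),
    ("2014-Q3", "carol", False, True),
    ("2014-Q3", "dave",  False, True),
]

# Hypothetical "three strikes" threshold for escalating a repeat clicker.
FAILURE_THRESHOLD = 3


def campaign_metrics(results):
    """Per-campaign click rate and report rate as fractions of users targeted.

    A user who clicked and then reported counts toward both rates, because
    both behaviours are worth tracking separately.
    """
    totals = defaultdict(lambda: {"targeted": 0, "clicked": 0, "reported": 0})
    for campaign, _user, clicked, reported in results:
        t = totals[campaign]
        t["targeted"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {
        campaign: {
            "targeted": t["targeted"],
            "click_rate": round(t["clicked"] / t["targeted"], 3),
            "report_rate": round(t["reported"] / t["targeted"], 3),
        }
        for campaign, t in totals.items()
    }


def click_rate_trend(results):
    """Click rates in campaign order, so a program owner can see the direction."""
    metrics = campaign_metrics(results)
    return [(c, metrics[c]["click_rate"]) for c in sorted(metrics)]


def repeat_clickers(results, threshold=FAILURE_THRESHOLD):
    """Users whose cumulative failed phishing events reach the threshold (the stick)."""
    failures = Counter(user for _, user, clicked, _ in results if clicked)
    return sorted(user for user, n in failures.items() if n >= threshold)


def consistent_reporters(results):
    """Users who reported every simulated phish they received and never clicked (the carrot)."""
    received = Counter(user for _, user, _, _ in results)
    reported = Counter(user for _, user, _, rep in results if rep)
    clicked = {user for _, user, clk, _ in results if clk}
    return sorted(
        user for user, n in received.items()
        if reported[user] == n and user not in clicked
    )


if __name__ == "__main__":
    for campaign, rate in click_rate_trend(CAMPAIGN_RESULTS):
        print(f"{campaign}: click rate {rate:.0%}, "
              f"report rate {campaign_metrics(CAMPAIGN_RESULTS)[campaign]['report_rate']:.0%}")
    print("Repeat clickers at threshold:", repeat_clickers(CAMPAIGN_RESULTS))
    print("Consistent reporters:", consistent_reporters(CAMPAIGN_RESULTS))
```

The two lists at the end are the actionable output: the report rate trend is the number to put in front of leadership, the repeat-clicker list feeds whatever escalation the organization has agreed on, and the consistent-reporter list is the pool to recognize with the gift cards or tickets the post mentions.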

Myth 3: We can defeat targeted attacks by sharing signatures.
Anup was dead on with these comments. My add-on to this discussion would be to delineate signatures from indicators a bit more. "Signatures" tends to connote either IDS/IPS or AV signatures, or, for the more advanced, Yara signatures. I may be totally naive, but I feel if you are forward thinking enough to engage in intel/threat sharing you already understand the value of indicators and intelligence. Granted, some shops are just taking feeds and deploying them without understanding, but I’m thinking more about multiple forms of threat intel all the way from indicator management to strategic intelligence. This has been covered well by Rick Holland and Wendy Nather. Also, David Bianco’s Pyramid of Pain spells out nicely what Anup is referring to. Essentially you want the valuable data at the top of the pyramid. Since I think threat intel sharing is nothing but goodness, I would not want anyone to read the original article and be steered away from it. If you have completed the foundational elements of your security program, you should get into this space. We can always learn more from our peers in the industry.

Key Take Away: Threat Intelligence sharing within trusted groups is very beneficial, as long as you are a good consumer of intel. And for God’s sake don’t chase this if you haven’t done the basics first.

All in all, I enjoyed the article and I love the fact that Anup is challenging the conventional wisdom of InfoSec, which is often distorted. I think everyone agrees that current approaches aren’t working and it’s time to move on. Let’s just not throw out the baby with the bathwater.

The original article can be found here:
https://www.linkedin.com/pulse/article/20141005161032-262891-the-three-most-common-myths-in-enterprise-security

References
David Bianco's Pyramid of Pain
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Rick Holland's Threat Intelligence Buyer's Guide
https://digital-forensics.sans.org/summit-archives/cti_summit2014/Threat_Intelligence_Buyers_Guide_Rick_Holland.pdf
Wendy Nather's Threat Intelligence: A Market for Secrets
http://www.norse-corp.com/webinars.html?commid=115043#res