
Response to Anup’s post “The Three Most Common Myths in Enterprise Security”



I don’t disagree per se with anything Anup is saying; however, upon reading this I was concerned. I think that people that have been doing this a long time have a clear understanding, but I believe the target audience of Piss-Ohs (Paper CISOs) needs more detailed guidance.

Myth 1: We can patch our way to security
Even with the full understanding that you can’t patch your way to security, you are in fact negligent if you are not pursuing a target state of everything in your org patched on a regular approved cycle, including emergency patching for criticals, with all of your legacy issues managed from a risk perspective. And by that I mean, leadership is fully aware of the risk and has either chosen to accept it or look at alternate solutions going forward. From my perspective, legacy solutions should be run in a virtual sandbox environment such as ThinApp, to allow the end user desktop to be fully patched. Some people have also gone the VDI route with varied success rates. For many, VDI has been difficult, expensive, and rejected by users. A small percentage has seen a great ROI, mostly on endpoint costs, as it fits better with their business model. I always prefer the App virtualization route, for stability of the app alone, by giving the application admins much more control of the execution environment, leading to improved uptime.

Key Take Away: You need to dedicate resources to keeping your computing environment patched, as it’s one of the easiest ways to not gift the adversary attack surface. Nobody should believe it’s a silver bullet, but show me a company that doesn’t patch by choice and I will show you they are victim to many skriddies and commodity malware, let alone advanced attackers. This is also a good way to keep down the noise in your environment to let your defenders focus on more critical threats.

Myth 2: We can train our users to not do "stupid" things
I agree with Anup on everything here, as similar to bombers in WWII, the targeted phishes always get through. I think there are also many people stating that end user security awareness training has been used for decades with little progress to show for it. I think your end game with any campaign should really be to not have users fall for the obvious. That is the best you can hope for. And if you aren’t benchmarking your self-phishing activities, as well as rates for users reporting real suspicious email, you need to. I think you can make huge gains, but the risk never goes away. I also view most organizations as not properly using the carrot and stick. Lockheed Martin, for example, purports that they actually terminate users after 3 failed phishing events. I found that hard to believe, but I heard it in person at a conference. I’m pretty sure that is changing user behavior. Also, motivating people to improve with gift cards or event tickets seems to drive good participation. And honestly if you look at the problem, most InfoSec pros tend to treat emails with a certain amount of paranoia. You learned to look for grammatical errors, hover links, and analyze headers. They should have the mental capacity to do this also. This is way simpler than many companies' expense systems. :-)

Key Take Away: If you’re not incentivizing and penalizing your users, in some form or another, to be responsible for the security of your company, you’re running your security awareness program wrong.

Myth 3: We can defeat targeted attacks by sharing signatures.
Anup was dead on with these comments. My add-on to this discussion would be to delineate between signatures and indicators a bit more. Signatures tend to connote either IDS/IPS or AV signatures. Or for the more advanced, Yara signatures. I may be totally naive, but I feel if you are forward thinking enough to engage in intel/threat sharing you already understand the value of indicators and intelligence. Granted some shops are just taking feeds and deploying them without understanding, but I’m thinking more about multiple forms of threat intel all the way from indicator management to strategic intelligence. This has been covered well by Rick Holland and Wendy Nather. Also, David Bianco’s Pyramid of Pain spells out nicely what Anup is referring to. Essentially you want the valuable data in the top of the pyramid. Since I think threat intel sharing is nothing but goodness, I would not want anyone to read the original article and be steered away from it. If you have completed the foundational elements of your security program, you should get into this space. We can always learn more from our peers in the industry.

Key Take Away: Threat Intelligence sharing within trusted groups is very beneficial, as long as you are a good consumer of intel. And for god’s sake don’t chase this if you haven’t done the basics first.

All in all, I enjoyed the article and I love the fact that Anup is challenging conventional wisdoms of InfoSec that are often distorted. I think everyone agrees that current approaches aren’t working and it’s time to move on. Let’s just not throw out the baby with the bath water.

The original article can be found here
https://www.linkedin.com/pulse/article/20141005161032-262891-the-three-most-common-myths-in-enterprise-security

References
David Bianco's Pyramid of Pain
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Rick Holland's Threat Intelligence Buyer's Guide
https://digital-forensics.sans.org/summit-archives/cti_summit2014/Threat_Intelligence_Buyers_Guide_Rick_Holland.pdf
Wendy Nather's Threat Intelligence: A Market for Secrets
http://www.norse-corp.com/webinars.html?commid=115043#res

  


