Tag Archives: intrusion detection systems

Cognitive Dissonance and Incident Response

“In psychology, cognitive dissonance is the mental stress or discomfort experienced by an individual who holds two or more contradictory beliefs, ideas, or values at the same time, or is confronted by new information that conflicts with existing beliefs, ideas, or values.”

Festinger, L. (1957). A Theory of Cognitive Dissonance. California: Stanford University Press.

For your consideration, what follows is the hypothetical discussion between a Pointy Haired Fearless Leader and a Security Analyst regarding the possibility of an organization’s large, web application having been breached. The Frankenapp in question was creatively duct-taped together around the same time that dinosaurs roamed the earth. All characters appearing in this work are fictitious. Any resemblance to real persons living or dead, is because truth is often much funnier than fiction.

SA: There’s a possibility our Super Amazing Custom Web Application has been breached.

PHFL: (Breathes into paper bag as starts to hyperventilate. In between breaths) How did this happen?!

SA: Same way it always does. A user was phished.

PHFL: But why didn’t our Extraordinarily Powerful Security Tools that cost $$$$$ stop this?!

SA: Because they don’t always work. Especially when they don’t have all the data necessary to identify malicious activity.

PHFL: But we paid $$$$$ because the vendor said it would stop APTs!

SA: This isn’t an APT.

PHFL: But we have Super Powerful Web Application Firewalls!

SA: They’re still in learning mode, because the web developers won’t work with us to identify false positives. And a WAF won’t detect phished credentials. We need multi-factor authentication to prevent this.

PHFL: But MFA annoys the users. What about the network firewalls?!

SA: Our firewalls wouldn’t have caught this and our web filtering system hasn’t worked for months.

PHFL: Do we know what accounts were compromised?

SA: We don’t have enough data. We don’t really have many application logs and the ones we do have aren’t being sent to the  SOC to be correlated.

PHFL: Why wasn’t I told about this tragic and desperately horrible situation?!

SA: I’ve been telling you every week since I took the job. I even hired someone to sky-write it twice. I’m also working on an off-Broadway musical called, We’re About to be Pwned Because Our Visibility Stinks and Our Security Tools Are Broken.

PHFL: Well, this is clearly your fault.

Dilbert On Incident Response

Tagged , , , , , ,

Mythology and the OPM Hack

Seems like every security “thought leader” on the planet has commented on the OPM hack, so I might as well join in.

Although the scope of the breach is huge, there’s nothing all that new here. In fact, it’s depressing how familiar the circumstances sound to those of us who work as defenders in an enterprise. For the moment, ignore attribution, because it’s a distraction from the essential problem. OPM was failing security kindergarten. They completely neglected the basics of rudimentary security: patching vulnerabilities, keeping operating systems upgraded, multi-factor authentication for accessing critical systems, intrusion detection.

Being on a security team in an organization often means that your cries of despair land on deaf ears. Much like a mythical figure named Cassandra. She was the daughter of the Trojan king Priam and greatly admired by Apollo, who gave her the gift of prophecy. When she spurned his affections, he converted the gift into a curse. While her predictions were still true, no one would believe them.

As a recent Washington Post story reminded us, many in security have been predicting this meltdown since the 90’s. Now that IT has become a critical component of most organizational infrastructures, there’s more at stake and we’re finally getting the attention we’ve been demanding. But it may be too late in the game, leaving worn out security pros feeling like the Trojan War’s patron saint of “I told you so’s,” Cassandra.

Cassandra on TVM

Tagged , , , , , ,

The MSSP Is the New SIEM

In the last year, I’ve come to a realization about incident management. In most cases, buying a SIEM is a waste of money for the enterprise. The software and licensing cost isn’t trivial, some of them utilizing what I like to call the “heroin dealer” or consumption licensing model. The first taste is free or inexpensive, but once you’re hooked, prepare to hand over your checkbook, because the costs often spiral out of control as you add more devices. Additionally, for most small to medium organizations, the complicated configuration often requires a consulting company to assist with the initial implementation and at least one full-time employee to manage and maintain. Even then, you won’t really have 24×7 monitoring and alerting, because most can’t afford a large enough staff to work in shifts, which means you’re dependent upon email or text alerts. That’s not very useful if your employees actually have lives outside of work. Most often, what you’ll see is an imperfectly implemented SIEM that becomes a noise machine delivering little to no value.

The SIEM’s dirty secret is that it’s a money pit. Once you add up the software and licensing cost, the professional services you spend to get it deployed and regularly upgraded, the hardware, the annual support cost, and staffing, you’re looking at a sizable investment. Now you should ask yourself, are you really reducing risk with a SIEM or just hitting some checkbox on a compliance list?

Alternatively, let’s look at the managed security service provider (MSSP). For a yearly cost, this outsourced SOC will ingest and correlate your logs, set up alerts, monitor and/or manage devices 24×7, 365 days a year. An MSSP’s level-1 and level-2 staff significantly reduce the amount of repetitive work and noise your in-house security team must deal with, making it less likely that critical incidents are missed. The downside is that the service is often mediocre, leaving one with the sneaking suspicion that these companies are happy to employ any warm body to answer the phone and put eyeballs on a screen. This means that someone has to manage the relationship, ensuring that service level agreements are met.

While there are challenges with outsourcing, the MSSP is a great lesson in the economy of scale. The MSSP is more efficient in delivering service because it performs the same functions for many customers.  While not cutting-edge or innovative, the service is often good enough to allow a security team to focus on the incidents that matter without having to sift through the noise themselves. The caveat? While useful in the short-term, security teams should still focus on building proactive controls with automation and anomaly detection for improved response. After all, the real goal is to make less garbage, not more sanitation workers.

Tagged , , , ,

Failing Security Kindergarten

Now with APT detection and automated analysis to instantly identify cyber attacks!*

I’m fascinated by the continuously evolving hype-fest surrounding the latest “innovations” in security products. Not that our current methods couldn’t use some creative approaches, but the problem is that security leadership often gets dazzled by feature road maps that have as much substance as the wisps of smoke from a genie’s bottle. The media isn’t much help, often accepting the industry’s claims with little to no validation. Inevitably, organizations surrender to the glittering new toy, sinking their precious cash into something they thought would magically restore their faith in security. Then the harsh reality hits and they realize that the only impact the tool had was on their budget, failing to improve their security posture by even an angstrom. This is how organizations fail security kindergarten.

Most enterprises would be better served by investing in the ABCs of security: documentation, policy, procedures, and essential controls. I’m mystified by organizations that will invest over 500k in fancy breach detection systems, but won’t spend a dime on centralized log correlation. The sad truth is that the basics aren’t sexy. It’s hard to “sell” critical security controls such as account monitoring, data classification and handling standards when the news is filled with stories of China hacking health insurance companies. Maybe security professionals could make more of an impact by dropping the FUD and educating leadership about the necessity of having a solid foundation. Sprinkles are great, but they don’t mean much without a tasty doughnut underneath. Besides, sprinkles are for winners.donut

*An actual line from a security vendor’s web site.

Tagged , , ,
%d bloggers like this: