Silicon Shecky

Infosec Practitioner


Year End Musings

December 30, 2019 By Michael Kavka Leave a Comment

So here we are, the end of 2019. I know I have been lax on blogging this year, but I have also been a bit busier, both professionally and personally. I am planning on doing more posts in 2020, so stay tuned.

As I look back, it has been a good year professionally. I have started writing Python scripts and modifying scripts I find that do not quite do what I want. I am not great at it, but I am getting better. I have been learning KQL for Microsoft Defender ATP and wrote alerts that helped during the yearly penetration test at the office. I gave a talk at Circle City Con that was well received. I made it to my first GrrCon. I got to spend time with people I do not see in person very often, and made new acquaintances that could turn into friendships. For all of that I thank you.

2020 is shaping up to be a cool year. I can’t go into too much right now, since I do not want to jinx some things, but here are the cons I am planning or will be at:

  • Cyphercon (Definite)
  • Thotcon (Definite)
  • Circle City Con (Probable)
  • Blue Team Con (Definite)
  • GrrCon (Probable)

There might be more but nothing exact at this point.

As far as predictions go for the upcoming year, mostly it is going to be a lot of the same. There will be some sort of major event that comes up, be it a breach or a vulnerability (probably both). We will still be trying to get better intelligence and stay in front of things. The community at large will have more drama, and that will cause tighter cliques to form, which is unfortunate.

I hope everyone has a great Holiday Season. May the New Year be good to all of you! Peace!

Filed Under: General Tagged With: 2019, InfoSec

EcoSystems, or Why the Security Tools Industry is making us less secure

June 13, 2019 By Michael Kavka Leave a Comment

Warning: I will be dropping company names in this article based on products I use or have used. These are meant as examples only, from personal experience.

We live in a world where we do not have enough eyes on things, we suffer from burnout, work long hours, and generally are banging our heads against the wall. We also live in a world where almost every single product we deal with markets itself as the magic bullet for securing our company. The lack of interoperability, though, is as much a security hole as any bug or technique used against us.

There is an old and true saying: the more complex something is, the more chance it can be defeated by something simple. It is a statement we, the people working in the security field, understand. We deploy "SIEMs" (really a data/log collecting function), anti-virus, EDR, firewalls, IDS/IPS, web filtering, deep packet inspection, and so much more. More and more frequently these are becoming walled gardens, and complex ones at that. They do not talk to each other very easily, and worse, they are at times making it harder for us to find the problems.

Log/data collectors (SIEMs) are supposed to be the one-stop shop. You send your data there, usually logs and potentially NetFlow streams, so you can then cross-reference and analyze the aggregated data. Simple enough, and with proper AI/machine learning it should make our lives easier. Now think about this: how many companies put their own spin on log formatting? Recently I had to write a log parser for Cisco's syslog format because it does not use the standard style, and therefore Graylog would not parse it on its own. A simple thing that does have a standard, an open source project using that standard, and a large, highly respected company saying "We will do things our way, deal with it." It reminds me of the arguments over Microsoft not using standards properly. Along the same lines, let's look at another Cisco product, Umbrella. They put things in their cloud, you use their dashboard, and there is no simple way to forward that data to a SIEM; you have to jump through multiple hoops. This does not even address the lack of proper reporting in the console, the clunky search system, and the poor information on how the whole thing works (or doesn't) in identifying people/computers. So now you have your SIEM dashboards open and the Cisco Umbrella console open, just to keep an eye on things, since it is now a manual cross-referencing situation.
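To show what "write a parser because the vendor does not use the standard style" actually involves, here is an added example (my code, not the author's parser and not anything from Graylog): it normalizes RFC 5424, RFC 3164 (BSD) and Cisco-style syslog lines into one record with the same severity, host, application and message fields, so a SIEM can cross-reference them. The Cisco shape it assumes is the familiar `%FACILITY-SEVERITY-MNEMONIC:` body with an optional sequence number and local timestamp in front of it; that is an assumption about what a given device emits, and the sample lines at the bottom are constructed.

```python
"""Normalise three syslog line shapes into one record so they can be cross-referenced in a SIEM.

Added example; not code from the original post. The sample lines at the bottom are constructed.
The Cisco shape assumed here is the familiar "%FACILITY-SEVERITY-MNEMONIC:" body with an optional
sequence number and local timestamp in front of it; check it against what your devices actually send.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Optional "<PRI>" prefix carried on the wire by any of the three shapes.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)

# RFC 5424: "1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]"
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# RFC 3164 (BSD syslog): "Mmm dd hh:mm:ss HOST TAG[pid]: MSG"
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$",
    re.DOTALL,
)

# Cisco IOS/ASA style (assumed): the body starts at "%FAC-SEV-MNEMONIC:"; whatever precedes it
# may hold a sequence number ("45:"), a local timestamp ("*Mar  1 00:01:23.456:") and a hostname.
CISCO_TOKEN_RE = re.compile(r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): ?")
CISCO_TS_RE = re.compile(
    r"[*.]?[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?: [A-Z]{3,4})?"
)
CISCO_SEQ_RE = re.compile(r"(?<![\w.])(?P<seq>\d+):")


@dataclass
class Event:
    fmt: str                    # "rfc5424", "rfc3164", "cisco" or "raw"
    severity: Optional[int]     # syslog numbering: 0 = emerg .. 7 = debug
    facility: Optional[int]     # syslog facility code, only known when a <PRI> was present
    timestamp: Optional[str]
    host: Optional[str]
    app: Optional[str]          # APP-NAME, TAG, or the Cisco FAC-SEV-MNEMONIC token
    msg: str
    extra: dict = field(default_factory=dict)


def parse_syslog(line: str) -> Event:
    """Parse one line into an Event; lines that fit no known shape come back as fmt="raw"."""
    rest = line.rstrip("\r\n")
    facility = severity = None
    m = PRI_RE.match(rest)
    if m:
        facility, severity = divmod(int(m["pri"]), 8)
        rest = m["rest"]

    m = RFC5424_RE.match(rest)
    if m:
        extra = {"procid": m["procid"], "msgid": m["msgid"], "sd": m["sd"]}
        return Event("rfc5424", severity, facility, m["ts"], m["host"], m["app"], m["msg"] or "", extra)

    m = CISCO_TOKEN_RE.search(rest)          # tried before 3164 so a 3164-style prefix still works
    if m:
        header, msg = rest[:m.start()], rest[m.end():]
        extra = {"cisco_facility": m["fac"], "mnemonic": m["mnem"]}
        ts = None
        t = CISCO_TS_RE.search(header)
        if t:
            ts, header = t.group(0), header[:t.start()] + header[t.end():]
        s = CISCO_SEQ_RE.search(header)
        if s:
            extra["seq"], header = int(s["seq"]), header[:s.start()] + header[s.end():]
        host = header.strip(" :") or None    # whatever is left over is treated as a hostname
        mnem_sev = int(m["sev"])
        if severity is None:
            severity = mnem_sev              # no <PRI>: the mnemonic is the only severity we have
        elif severity != mnem_sev:
            extra["severity_mismatch"] = mnem_sev   # <PRI> and mnemonic disagree; keep both
        app = f"{m['fac']}-{m['sev']}-{m['mnem']}"
        return Event("cisco", severity, facility, ts, host, app, msg, extra)

    m = RFC3164_RE.match(rest)
    if m:
        extra = {"pid": int(m["pid"])} if m["pid"] else {}
        return Event("rfc3164", severity, facility, m["ts"], m["host"], m["tag"], m["msg"], extra)

    return Event("raw", severity, facility, None, None, None, rest)


# Constructed sample input: one line per shape plus one that fits none of them.
SAMPLE_LINES = [
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An application event log entry",
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<189>45: *Mar  1 00:01:23.456: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.1)",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 to inside:10.0.0.7/51234",
    "just some text that is not syslog at all",
]


def parse_all(lines):
    return [parse_syslog(l) for l in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(f"{ev.fmt:8} sev={ev.severity} host={ev.host} app={ev.app} msg={ev.msg!r}")
```

The severity check is the part worth keeping even if you replace the regexes: a device can send a `<PRI>` that disagrees with the severity digit in its own mnemonic, and if the collector silently trusts one of them your dashboards and alert thresholds are built on the wrong number. Recording the mismatch instead of picking a side lets you spot which sender is misconfigured.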

Now add in an EDR solution that again forces you to use either a specific SIEM (like Splunk) or its own console. Again, it doesn't give you full information in the console, requiring you to make guesses based on the information it does provide. It also does not play nicely with built-in security services, so you have to put in allow or bypass rules for files and directories. It doesn't even update known software certificates in any normal time frame, although a different piece of software from the same company does. Talk about software in a silo: the same ecosystem not even working the same way.

So we have console number 3 open. You are a small business and have, say, 4 people on your whole security team, if you are lucky. Add on that at least one of these items (the EDR) has to be monitored extra closely because its false positive potential is extremely high, and a false positive can have a major negative impact on the company's bottom line. Again, more complexity, more eyes needed, more work to do.

Buying into an ecosystem is fine and all, but most companies tend to look for what software will work best in their environment (or, more often, suck the least). These solutions, though, are requiring more and more complexity in our setup. So you add to the bottom line by outsourcing your SOC. The question is how long until they actually understand your company's environment well enough to be useful? How much turnover is there, and how many other companies are they monitoring at the same time with their own limited resources? Oh, and now you have another layer of complexity added onto the whole ordeal.

The truth as I see it is this. There is no money in security, only in the products. The more products sit in their own silo and do not communicate, the more people are needed. It is a system predicated on making money and helping other companies make money. If companies used standards and made things less complex, so that you could have one product, a SIEM, that allows for all the cross-referencing and dashboards in one place (like it is supposed to), we could start focusing more on the real issues. We could also stop burning out our security teams due to product overload. Proper development of products for human consumption is needed. Interoperability is needed.

There was/is a conspiracy theory that anti-virus vendors actually write viruses and release them into the wild so that their products are needed. In a similar vein, we are actually seeing the same type of idea in the security field/industry. It is helping cause burnout and a huge employment gap. Not enough eyes, and then we wonder why it takes so long to notice breaches. AI, machine learning and automation are fantastic tools, but we still need the human factor to confirm and monitor them. It is time we started simplifying certain things to make us more secure and cut down on the burnout.

Filed Under: Rants, Security Tagged With: Communication, Security, SIEM

Pain Point: The Announcement of the End of Derbycon

January 18, 2019 By Michael Kavka Leave a Comment

For those who came in late, earlier this week Derbycon announced that its board has decided that 2019 will be the last year for Derbycon. This of course has been met with dismay, anger, and talk. The statement from Derbycon was that it had to do with multiple things over multiple years taking a toll on them, professionally and personally, so they decided it was not worth running anymore after this year.

The first rule I learned years ago about doing something is that when you stop enjoying it, do not do it, and move on to something new. This is basically what the whole Derbycon decision actually boils down to. Yes, there have been publicly known instances where Social Justice Warriors (SJWs) have gone too far. Yes, there have been instances, like the whole Code of Conduct situation, that could have been handled better and much more quickly. Issues, similar or not, come up with every conference out there. I know plenty who are worried that Derbycon shutting down will embolden the SJW people and cause more conferences to shut down.

We have heard of the issues with HOPE. I have heard rumors of Shmoocon having complaints and issues. We all have heard complaints about Defcon, and Spacerogue even mentioned that Thotcon has had issues that were handled behind the scenes. So why have these other conferences not capitulated, where Derbycon did?

I am willing to speculate on the actual reason. The following is my own thoughts and opinions; I have no inside knowledge, nor any direct affiliation with Derbycon. Logically it boils down to one of two ideas, and it could very well be a combination of both.

First let us look at the organizers, in particular Dave Kennedy. I met Dave at the last Derbycon; he seems like a nice, stand-up guy who really wants to help the field as a whole. He owns Binary Defense and TrustedSec, gets brought onto national news outlets as an expert, and is rather high profile. Recently he took to Twitter to announce he was cutting back on Twitter due to the way things were going for him on it. Speculation is that he was catching flak from people and wanted to make his Twitter more professional. Still, this shows that something was getting to him. I have to imagine that other board members were getting flak about things also; I mean, look at how much gets tossed onto Twitter as it is, so this is completely logical. It also takes its toll on a person. So the first idea is that it basically wore them out to the point where it is not fun anymore.

The second thought I had was that it was taking a toll on them in a professional sense. Perhaps fewer clients (I am not sure how many on the board work for Dave or own their own companies), or clients dropping them due to the affiliation. Again, just speculation.

The truth is probably a little of column A, a little of column B. The difference being that it became too much work and not enough fun, especially with how Derbycon has grown.

What hurts more is the way a good portion of the people who attend Derbycon look at it. It is a mid-size conference, easy enough to get to know people and meet people at. There is an overall cool vibe to it, plus the lobbycon is really good (although I understand it was better at the Hyatt due to the different layout). With so many supporters, the shutdown takes on a life of its own.

Obviously, with conferences having been around as long as or longer than Derbycon, there are ways to get past the pain points. The odds that SJWs will be able to shut down a conference on their own are very slim, and in this case it was just one of many things, but the most public situation that occurred. Does it suck? Yes it does. Will we go on? Yes we will. There are other small to mid-size conferences available. Circle City Con, GrrCon, Thotcon, Cyphercon, Wild West Hackin Fest, and Shmoocon are just a few that can be named. There are also tons of BSides out there to go to. None of them will actually be Derbycon, but we can make them as fun to be at. Thank you, Derbycon, for the great times.

Filed Under: Rants, Reviews, Security Tagged With: Derbycon
