Silicon Shecky

Infosec Practitioner


Solarwinds Sunbursts a Supernova: Early lessons learned

December 22, 2020 By Michael Kavka

There will be more fallout from Solarwinds to come. More companies will realize they are compromised due to either SUNBURST or SUPERNOVA (got to love the catchy, similar style names).

The question is what are you and your company going to do about it? What have you and your company learned?

Do not just throw money at this. Vendors will start trying to use this as a marketing ploy, especially toward those that do in-house development. If you do in-house development, work on getting your Secure Development Lifecycle (SDLC) better. Do not over-promise, and do not over-push your developers. If developers say they need some extra time for security testing, understand that it will save you more issues in the long run. Understand that ticking compliance checkboxes does not mean that security has been achieved.

The rest of the corporate world should be doing a few things, starting with your people and processes. Make sure that your company has a solid detection process in place, which includes enough staff, proper logging, solid SIEM/SOAR rules and notebooks, and a solid Incident Response plan. If your company is lacking in any of these, and that includes keeping people trained, fixing it will be money well spent in the long term. Your company will get breached at some point, and these processes plus properly trained people will always be needed. There is no perfect security, so detection is as important as prevention, if not more so.

Understand there is no magic bullet. Security is a process, not a destination, and burned-out, overworked security people (especially in the SOC) do your company no good. Compensating by buying more and more tools without enough staff will cause burnout. People can only do so much in any given time. Make sure they get time off, and that means not disturbing them when they are off, if at all possible.

These are the lessons every company should learn from this situation.

Filed Under: Rants, Security Tagged With: Security, Solarwinds, Sunburst, Supernova

EcoSystems, or Why the Security Tools Industry is making us less secure

June 13, 2019 By Michael Kavka

Warning: I will be dropping company names in this article based on items I use or have used. These are meant as examples only from personal experience.

We live in a world where we do not have enough eyes on things, we suffer from burnout, we work long hours, and we are generally banging our heads against the wall. We also live in a world where almost every single product we deal with markets itself as the magic bullet for securing our company. The lack of interoperability, though, is as much a security hole as any bug or technique used against us.

There is an old and true saying: the more complex something is, the more chance it can be defeated by something simple. It is a statement that we, the people working in the security field, understand. We deploy “SIEMs” (actually a function of data/log collecting), anti-virus, EDR, firewalls, IDS/IPS, web filtering, deep packet inspection, and so much more. More and more frequently these are becoming walled gardens, and complex ones at that. They do not talk to each other very easily, and worse, at times they make it harder for us to find the problems.

Log/data collectors (SIEMs) are supposed to be the one-stop shop. You send your data there, usually logs and potentially NetFlow streams, so you can then cross-reference and analyze the aggregated data. Simple enough, and with the proper AI/machine learning it should make our lives easier. Now, think about this: how many companies put their own spin on log formatting? Recently I had to write a log parser for Cisco’s syslog format because it does not use the standard style, and therefore Graylog would not parse it on its own. A simple thing that does have a standard, an open-source project using that standard, and a large, highly respected company saying “We will do things our way, deal with it.” It reminds me of the arguments/issues over Microsoft not using standards properly.

Along the same lines, let’s look at another Cisco product, Umbrella. Hey, they put things in their cloud, you use their dashboard, and there is no simple way to forward that data to a SIEM. You have to jump through multiple hoops. This does not even address the lack of proper reporting in the console, the clunky search system, and the poor information on how the whole thing works (or doesn’t) in identifying people/computers. So now you have your SIEM dashboards open and the Cisco Umbrella console open, just to keep an eye on things, since it is now a manual cross-reference situation.
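To make the parsing problem concrete, here is an added example of the kind of normaliser a SIEM pipeline needs when one vendor follows RFC 3164 BSD syslog and another does not. It is not the author's Graylog parser; it assumes the Cisco IOS message layout (optional sequence number, optional timestamp, then a %FACILITY-SEVERITY-MNEMONIC tag) and the sample lines are constructed for the example rather than captured from real devices. Both line styles are folded into one record shape, lines that match neither are kept aside rather than silently dropped, and the severity encoded in the PRI field is cross-checked against the severity inside the Cisco tag, since the two can disagree.

```python
"""Normalise BSD (RFC 3164) syslog and Cisco IOS-style syslog into one record shape."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines for this example (not captured from real devices).
SAMPLE_LINES = [
    # RFC 3164 / BSD syslog: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
    "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root from 203.0.113.5 port 4022 ssh2",
    # Cisco IOS style: <PRI>SEQ: *TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: MESSAGE
    # ('*' marks a clock that is not authoritative; note there is no hostname field)
    "<189>0142: *Mar  1 18:46:11.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.1)",
    # Cisco IOS style without sequence numbers, with millisecond timestamp and timezone
    "<187>Mar  1 18:46:12.456 UTC: %SEC-3-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22]",
]

RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)

# Assumed Cisco IOS layout: hostname is absent (no origin-id configured), sequence
# number and timestamp are optional, the %FAC-SEV-MNEMONIC tag is mandatory.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:[*.]?(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2}(?: \d{4})? "
    r"\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Z]{1,5})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?"
    r"(?P<msg>.*)$"
)


@dataclass
class Event:
    source_format: str          # "rfc3164" or "cisco_ios"
    facility: int               # syslog facility decoded from PRI
    severity: int               # syslog severity decoded from PRI (0 = emergency .. 7 = debug)
    timestamp: Optional[str]
    host: Optional[str]         # None for Cisco lines: the format carries no hostname
    program: Optional[str]      # "sshd" for BSD syslog, the Cisco facility ("SYS") otherwise
    event_id: Optional[str]     # Cisco mnemonic ("CONFIG_I"); None for BSD syslog
    sequence: Optional[int]     # Cisco sequence number when present
    severity_mismatch: bool     # PRI severity disagrees with the severity inside the Cisco tag
    message: str


def _split_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity, so the low three bits are the severity."""
    return pri >> 3, pri & 7


def parse_line(line: str) -> Optional[Event]:
    """Return a normalised Event, or None if the line matches neither format."""
    m = CISCO_RE.match(line)  # try the more specific format first
    if m:
        facility, severity = _split_pri(int(m.group("pri")))
        tag_severity = int(m.group("severity"))
        return Event("cisco_ios", facility, severity, m.group("ts"), None,
                     m.group("facility"), m.group("mnemonic"),
                     int(m.group("seq")) if m.group("seq") else None,
                     severity != tag_severity, m.group("msg"))
    m = RFC3164_RE.match(line)
    if m:
        facility, severity = _split_pri(int(m.group("pri")))
        return Event("rfc3164", facility, severity, m.group("ts"), m.group("host"),
                     m.group("tag"), None, None, False, m.group("msg"))
    return None


def parse_all(lines: List[str]) -> Tuple[List[Event], List[str]]:
    """Parse every line; unparsed lines are returned so they can be alerted on, not lost."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        (events.append(ev) if ev else unparsed.append(line))
    return events, unparsed


if __name__ == "__main__":
    parsed, leftovers = parse_all(SAMPLE_LINES + ["not syslog at all"])
    for ev in parsed:
        print(f"{ev.source_format:9} sev={ev.severity} host={ev.host} "
              f"program={ev.program} id={ev.event_id} msg={ev.message[:40]}")
    print("unparsed:", leftovers)
```

The point of keeping the unparsed list is exactly the failure the paragraph describes: a collector that quietly drops or leaves unstructured whatever it cannot parse gives you a dashboard with a hole in it, and the hole is where the interesting events tend to sit.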

Now add in an EDR solution that again forces you to use either a specific SIEM (like Splunk) or its own console. Again, it doesn’t give you full information in the console, requiring you to make guesses based on the information it does provide. It also does not play nicely with built-in security services, so you have to put in allow or bypass rules for files and directories. It doesn’t even update known software certificates in any normal time frame, although a different piece of software from the same company does. Talk about software in a silo: the same ecosystem not even working the same way.

So now we have console number three open. You are a small business and have, say, four people on your whole security team, if you are lucky. Add to that the fact that at least one of these items (EDR) needs extra monitoring because its false positive potential is extremely high, which can have a major negative impact on the company’s bottom line. Again: more complexity, more eyes needed on items, more work to do.

Buying into an ecosystem is fine and all, but most companies tend to look for what software will work best in their environment (or, more often, suck the least). These solutions, though, require more and more complexity in our setup. So you add to the bottom line by outsourcing your SOC. The question is, how long until they actually understand your company’s environment well enough to be useful? How much turnover is there, and how many other companies are they monitoring at the same time with their own limited resources? Oh, and now you have another layer of complexity added onto the whole ordeal.

The truth as I see it is this: there is no money in security, only in the products. The more products sit in their own silos and do not communicate, the more people are needed. It is a system predicated on making money and helping other companies make money. If companies used standards and made things less complex, so that you could have one product, a SIEM, that allows for all the cross-referencing and dashboards in one place (like it is supposed to), we could start focusing more on the real issues. We could also stop burning out our security teams through product overload. Products need to be properly developed for human consumption. Interoperability is needed.

There was/is a conspiracy theory that anti-virus vendors actually write viruses and release them into the wild so that their products are needed. In a similar vein, we are actually seeing that same type of idea in the security field/industry. It is helping cause burnout, and a huge employment gap. Not enough eyes, and then we wonder why it takes so long to notice breaches. AI, machine learning and automation are fantastic tools, but we still need the human factor to confirm and monitor them. It is time we started simplifying certain things to make us more secure and cut down the burnout.

Filed Under: Rants, Security Tagged With: Communication, Security, SIEM

R.E.S.P.E.C.T.

August 17, 2018 By Michael Kavka

“R E S P E C T! Find out what it means to me” – Aretha Franklin

The recently deceased Queen of Soul sang about respect. Respect, something that should be given across the board, to everyone, until they prove otherwise. Respect, one quality that makes people Rockstars in our industry. Respect, something that winds up lacking all too often.

There has been a <expletive> storm going on about Defcon and the hotels’ security policies that have been put in place since the mass shooting last October. This has had to do with room checks and the issues with them, especially for women. Now, I am not going to get into it all; you can look at Katie Moussouris’ Twitter timeline to get a full idea of the storm itself. The fact that this woman in our industry, who is not just a “Rockstar” but a huge leader, wound up having to argue with others in our industry about the fears and the way the room checks were handled says a lot about us. It shows why there are movements to protect women, and it shows why women do not want to go into our industry. If someone who should be respected and listened to has to keep explaining herself because people keep belittling her statements and not listening to her, imagine how the women who keep a low profile feel. The funny thing is that Katie (and the others) did not object to the room searches themselves, but to the way they were handled, and to the blind faith they were supposed to put into believing a stranger at their door (if they were not simply walked in on, which has also been documented for both male and female attendees).

Let us frame this another way. Think of the field we are in and the red team tests that happen. Think of the social engineering. For that matter, look up the National Geographic show that featured Jayson Street performing social engineering in Lebanon. He walks into banks with no ID needed, just saying that he is from X and needs to check X on their computers. Physical pen test complete. We can sit back, listen to his stories from other engagements he has been on, and shake our heads at why people are so trusting without ID, and yet when women in our field who know this tried to verify that strangers (possibly hotel security) were who they said they were, and felt threatened and uncomfortable, we turned around and told them they were wrong to feel threatened? Look at this information from the National Sexual Violence Resource Center:

  • One in five women and one in 71 men will be raped at some point in their lives
  • In the U.S., one in three women and one in six men experienced some form of contact sexual violence in their lifetime
  • 51.1% of female victims of rape reported being raped by an intimate partner and 40.8% by an acquaintance
  • 52.4% of male victims report being raped by an acquaintance and 15.1% by a stranger
  • Almost half (49.5%) of multiracial women and over 45% of American Indian/Alaska Native women were subjected to some form of contact sexual violence in their lifetime
  • 91% of victims of rape and sexual assault are female, and nine percent are male

We are supposed to be security experts. Yes, our main area is that of 1s and 0s, but that does not matter. Security is security. Katie had mentioned ways that the situation could have been avoided. Defcon’s organizers are investigating the situations with the hotels. Hopefully something good will come of this in the end, but the lack of trust in fellow information security practitioners is not going to be easily fixed. Those that lashed out at the people complaining about the way these checks were handled might not care about the trust they lost, but I do, because it reflects on our “community” as a whole. It shows that we are not as welcoming as we think. We have a long way to go. We need to learn from this, and fast.


Filed Under: Rants Tagged With: Caesars Palace, Defcon, Jayson Street, Katie Moussouris, Las Vegas, Security
