Friday, October 21, 2011

Pick a standard and stick to it

Over the course of the last 15 years, I've watched information security grow and mature as a practice. One thing I've come to realize however is that the process end of the infosec business is more important than ever - especially in light of the new APT landscape.

Here's the story of two companies:

Company A and B are Global Tech companies.. Four years ago both companies were worth approximately $16B each.

Both companies suffered APT attacks over the course of the last four years.

Company A stuck their head in the sand hoping it'd go away.

Company B developed world class process using ISO for their infosec guidelines. They participated in information sharing with their peers, built a SOC, practiced response. The company created amazing process, practiced them, measured everything and fine tuned them until they got it right. When the attacks hit, they were prepared. The global organization is now wired for information security.

What happened?

Company A is still alive, but struggling. They lost the lions share of their stock value!

Company B is landing contracts all over the world, teaching others how to do best practice information security.

Who would you rather be? Not Company A you say? Take the following lessons learned and and go do it starting today!

Great information security organizations invest in three things...

    •    People
    •    Process
    •    Technology

People: My tale of two companies is very similar to another as told by Alan Paller of SANS. Alan talks of the "Story of Two Agencies".  I've seen it a couple of times. In short, he talks of two teams, both hit by APT actors. One team had solid technology but didn't have operating guidelines, training, analytic curiosity, or direction. The second team had basic technology with a highly trained, very curious team with practiced incident response processes... who do you think faired best? The second team of course! The team stopped the attacks with minimum damage, shared indicators with their peer community and was able to quickly implement controls to stop future attacks. Team one was completely owned. I hear this story repeated at least weekly, and heard it again today from companies I've been working with for the last couple of years. 

Process: Great process leads to great results. It's that simple. Information security teams who know what to do under 90% of the circumstances they will encounter -and have practiced those actions operated under the premise (a military phrase) "command by negation". Command by negation means that during conflict commanders can do whatever needed according to predefined rules/processes and have a pre-specified deep, practiced understanding of how they must execute. Information security teams must also have this same pre-specified deep, practiced understanding of how they must execute, and must not allow variance in process during times of attack. Pick your infosec model. ISO, NIST, ITIL, whatever.. just pick one. Then build your organization using sound process around one of these models. Do it right from the start. Get management buy-in, find your early wins, and don't stop normalizing the way you do business.

Technology: Tools and toys don't cut it. Knowing how to get the most out of your current tools by understanding exactly where they fit in your strategy, and as importantly where your gaps are, are critical. Find places where technology can replace repetitive manual processes (SE/IM, manual correlations, lookups, etc.), and leverage your people where they're strongest -analytics, response, operations.

How do you create a mature organization that can survive the fog of war created by persistent threats? By creating an organization who knows what to do every time. Plenty of options exist today... ISO, NIST 800, or ITIL are great places to start. For my day job, I 'matured' my organization by using the Capability Maturity Model Integration Services provider model (CMMI-SVC). Over the course of the last two years we undertook an aggressive process engineering and training agenda. When we started this undertaking, it took my team over 44 days to perform a single triage analysis of an APT event. Today it takes less than five and we're heading quickly to 72 hours with added automation.  For me, the recognition that we were a service provider of information security analysis services (we do only APT analysis in a public/private information sharing organization) lead me to the belief that process was every bit as important as the technologies used to manipulate data, and that if I didn't have people curious enough to work the process, nothing else matters. My team will fail. I've also watched CISOs in some very large organizations (approx 60 of them) go through similar process engineering exercises. Those who picked a standard (for information security) and implemented solid, repeatable process around those ISO, NIST, ITIL, etc., practices, are FAR more successful at battling APT today than those who don't. Don't be fooled into thinking you can survive without it. You can't. APT actors practice solid command and control and process. You must as well.

 More next time!

Sunday, October 16, 2011

On Information Sharing... Most companies don't know they've been had!

I saw an interesting piece of text from Mandiant the other day. It was prepared for testimony (I'm presuming to Congress) discussing APT. It went something like this...

“More than 90 percent of the breaches Mandiant responds to are first detected by the government, not the victim companies.” (Kevin Mandia, CEO of cyber security firm Mandiant Corp., in prepared testimony).

Dozens (probably more) examples prove this statement. Search the news. Generally companies fall into two main categories when they find out.. denial, or they fight. Denial rarely works, and fighting it results in rapid escalation. Regardless, your business is in danger.

So what's a company to do? Start thinking strategically. Come up with a plan for mitigating current badness already in the environment, WHILE maintaining business operations, AND planning for future strategies for minimizing or mitigating future attacks, AND ensuring you'll be able to operate in your new-found understanding that your networks are now untrusted.

This is where we start thinking about steps two and three in my previous post...

2.  Build solid process (for operation and incident response). Pick a model and stick to it.
3.  At this point you MUST start talking to your peers, and others. You wouldn't try and sell a product without knowing what your competitors (peers) are selling (what sells, and what doesn't). Why would you try and implement strategy without knowing how well your chosen processes will work (what works and what doesn't, before you spend any money!).

For now, start looking around... there are lots of public sources of information.. SANS, NCFTA, FIRST, and a newcomer, From a government assistance perspective DHS/US-CERT.

Be prepared. It's not a question of 'if', or 'when'. It's 'what are you going to do when someone tells you there's a problem?'

More next time.