Saturday, September 01, 2012

Red Sky | Beadwindow - New Fusion Report

This was an INCREDIBLE week for Red Sky. Here’s why:
  • We brought Beadwindow® online this week and will begin orientation sessions and account provisioning for government users from several cities, two states, and an ISAC.
  • Our new Director of IT starts Monday: I would like to introduce Rick Gamache.
  • We had our first 0-day reported in the portal by a member, and issued analysis and a threat alert within only a couple of hours.
  • Fusion Report 22 published Monday night.
The details:

  • 0-day Threat Alert: On Tuesday evening, following a tip and sample from one of the Red Sky® members, we released a threat alert to the Red Sky® community. The alert provided attribution and relevant data concerning a zero-day vulnerability being exploited in targeted attacks. As is typical in the portal, the alert was followed up by additional analysis and reporting from Red Sky® analysts and the membership.
  • We released Fusion Report 22 this week. FR12-022 provided a detailed analysis of malware and infrastructure belonging to a new actor. TTPs associated with the actor are consistent with other tracked APT activity originating from China. Red Sky members were given one new Snort signature and 76 new indicators to search for (or proactively block) in their networks.
  • Beadwindow®! Using the same model as Red Sky Alliance, we opened a second portal under the name “Beadwindow®” this week. Beadwindow® is a separate portal offering the same level of commitment, process, operating rules, and hopefully (we’re sure it will!) results, to members from state, local, tribal and federal government, education organizations, and others who may not wish (or may not qualify) to join the private Red Sky Alliance portal. A news release was posted on Monday morning this week, and as of tonight has been picked up by over 1100 digital feeds around the world. Our announcement had a strong response, with membership requests coming in from government organizations, a major electricity producer and a national law enforcement organization. Beadwindow® is a “private-public cyber partnership” and has approximately a half dozen early adopters from major cities and states, and analysts from Red Sky and an ISAC SOC starting on day one, covering critical infrastructures all over the country!
 
When I worked as a CISO, just about every time I asked someone for money, the first question I was asked was "What are others doing about this?" The idea was that our CIO would spend just enough to keep up with the Joneses, and maybe a little more if we could correctly articulate the need/requirement.

Do you want to know what your peers are doing? 

Ask them. It is far more cost effective to learn from other Red Sky Alliance members in either the Red Sky or Beadwindow portals than it is to go it alone. Learn to fend off cyber attackers smartly by asking your peers how they did it and employing their lessons learned. If you don’t talk because your lawyers are worried about antitrust, don’t worry about it. You’ll probably be out of business soon anyway when you realize your G&A has broken through its four-point restraints and is heading through the roof. You must talk, and often, about how you’re protecting yourselves. Companies don’t give up proprietary information in the Red Sky portal. They exchange analysis, indicators and ideas on how to deal with the different scenarios that are, on a daily basis, bombarding members’ networks with sticky, thieving malware, operated by trained professionals with real collection requirements.

Last, I laughed out loud at a comment by Alan Paller this week. I love reading his commentary at the beginning of the weekly SANS email updates. It went like this...

Alan was referring to a piece in the news about a new rule being proposed by DoD, NASA and GSA (links footnoted below). His comments:
[Editor's Note (Paller): With the growing consensus that there is a minimum standard of due care in cybersecurity controls, and the fact that this proposed rule completely fails to meet that standard, and that the greatest losses of national security information were from the contractors' computers, (Wait, here it comes. I LOVE the next part!) whoever is managing the authors of this half-rule should assign them to some less important responsibilities and get people who understand the threat and the controls to write the rule. 

Rules are expensive to create (millions), take seemingly forever to vet through everyone who may have a stake, and there's no guarantee that even after all of the consultants, legal review, Washington process, publish for comment, public comment (you get the picture), anything is going to move forward. Add to that the fact that many of the rules are authored by consultants who rarely have actual information security experience (they may be great writers, but have little or no operational infosec experience). There's just nothing simple in DC, is there?

It's too bad.

Until next week,
Have a great Labor Day weekend all!
Jeff
[1] http://www.nextgov.com/cio-briefing/2012/08/white-house-plans-regulate-contractor-computer-security/57668/?oref=ng-HPtopstory
[2] http://www.bizjournals.com/washington/blog/fedbiz_daily/2012/08/feds-propose-rule-to-hold-contractors.html
[3] https://www.federalregister.gov/articles/2012/08/24/2012-20881/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems#h-4