Saturday, October 12, 2013

Red Sky Weekly: Know before you buy!

Interestingly enough, nearly every large enterprise CISO that we at the Red Sky Alliance talk to tells us that they spend (at a minimum) hundreds of thousands of dollars on subscription security intelligence reports.  Every medium sized enterprise CISO (or if they don’t have one, their director of IT or CIO) tells us they harvest open source information for their security intelligence.  The small guys? Rarely do they use security intelligence at all.

And so what’s the problem with this model?

Not all data is created equally.

A lot of data doesn’t necessarily mean you have good data.  In fact, nearly all of the data needs to be qualified before use. An old friend, (Dr.) Vince Berk, is the founder and CEO of a very cool company called FlowTraq. It's funny. When we talk, Vince often says: “There is a fundamental difference between data and information. Information is the specific pieces of data that allow you to make actionable decisions. This means that two different people might find different bits of information in the same pile of data. As people's objectives and missions differ, they will need different pieces of data, "the right data", that is information for them.”

You need to ask: how will the data affect your current system when installed?  Will it block key suppliers? Often, even the most popular services are abused.  Google’s domain name service (DNS), for example, is often called out as a command and control channel for malicious code installed in your network by the phisher du jour.  Google isn’t bad, but good tools are often used for purposes other than intended. And will you base your defense spending on unqualified data? How do you know what to buy to protect yourself when your analysis is potentially based on low confidence information?

Let’s turn the model upside down for a moment shall we?

I’m taking this metaphor from Ed Amoroso, the CISO at AT&T. He’s a smart guy, and the metaphor hit me like, well, a sandbag to the head. In fairness, he talks about using sandbags to stop the water rising from the swelling riverbed as a metaphor for dropping boxes and boxes in front of a network for protection: they both leak under the rising river!
(Image source: USA Today)

So let’s think about this for a moment. Before you spend another dime on a sandbag that won’t protect you from that swelling riverbank, let’s take a smart look at what you should buy, what you should collect, and the data you must have, to help understand what’s going on in your network.

Here’s a start.

Monitoring (not protecting just yet) your network is a three-step process plus one more if needed (it will be):

1. Identify as many command and control nodes as you can get your hands on.
2. Load them into a good, perimeter-based network flow monitoring and analysis suite.
3. Place inexpensive monitoring inside your network for a period of time (say, 30-60 days?) to help identify root cause, patient zero, and areas of weakness.
4. Be ready to pull egregious internal offending computers off the wire for analysis.  You will find a few.

Dr. Berk says the key to success in the info security space is finding the information in all the data. “This requires both an understanding of what you are protecting - what your mission is - as well as an understanding of the evolving threat to that mission. Only when we understand the nature of the threats, can we make decisions on what data is "information", and what data is just data.”

Here’s how it works. If you’re going to take this on yourself:

· Obtain command and control (C2 for short) address information from any number of sources. Collective Intelligence Framework is a good starting place, but it won’t necessarily give you targeted adversary information. Red Sky Alliance focuses on advanced and other ‘determined adversary threats’ and can give you information on many of the botnets. Open sources will yield the same information, but with far more false positives. Best to pay for a good list and buy in.

· Install FlowTraq at your perimeter. FlowTraq comes in both an inexpensive cloud-based option and a slightly more expensive onsite form, and either way it comes with a simple, easy to use interface for monitoring communications to/from your network. Use it to alert when users on your network are communicating (knowingly or unknowingly) with bad IP addresses or domains.

· Install a simple client-based monitoring solution on every computer on your network. When a network flow is identified communicating with bad actors, use the client-based monitoring system to identify patient zero, and quickly follow the crumb trail across the enterprise looking for indications of other compromised machines. If (when) you find badness, the live forensic system (the client-based monitoring system) can be used to perform initial triage, but you still might want to pull the box(es) for analysis to figure out how bad it really is.  You should be prepared for this. It will happen.
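The workflow above (qualify the C2 list, match perimeter flows against it, name patient zero, then follow the crumb trail) in a small script. This is an added illustration, not FlowTraq's or Red Sky's code; the feed, the allowlist of shared services and the flow records are all constructed (TEST-NET addresses), and the "qualify before use" step is the Google DNS caveat from earlier in the post.

```python
from collections import defaultdict

# Constructed C2 indicator feed: address -> confidence. These are documentation
# (TEST-NET) addresses, not real indicators. 8.8.8.8 is Google Public DNS and
# shows up in many open feeds; it must be qualified, not blindly alerted on.
C2_FEED = {
    "203.0.113.7": "high",
    "198.51.100.23": "high",
    "8.8.8.8": "low",
}

# Constructed allowlist of legitimate shared services (the "Google isn't bad" caveat).
SHARED_SERVICES = {"8.8.8.8"}

# Constructed perimeter flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("2013-10-01T08:02:11", "10.0.0.5", "8.8.8.8", 53, 120),
    ("2013-10-01T08:05:40", "10.0.0.12", "203.0.113.7", 443, 5120),
    ("2013-10-01T09:10:02", "10.0.0.5", "203.0.113.7", 443, 2048),
    ("2013-10-01T09:31:45", "10.0.0.31", "198.51.100.23", 8080, 73000),
    ("2013-10-02T07:55:13", "10.0.0.12", "203.0.113.7", 443, 6100),
]

def qualify_feed(feed, shared_services):
    """Split the feed into indicators usable for alerting and ones needing analyst review."""
    usable, review = {}, {}
    for ip, confidence in feed.items():
        if ip in shared_services or confidence != "high":
            review[ip] = confidence      # shared infrastructure or low confidence: review first
        else:
            usable[ip] = confidence
    return usable, review

def match_flows(flows, indicators):
    """Return flows whose destination is a qualified C2 indicator, oldest first."""
    hits = [f for f in flows if f[2] in indicators]
    return sorted(hits, key=lambda f: f[0])

def patient_zero(hits):
    """Earliest internal host seen talking to C2: where host-level triage starts."""
    return hits[0][1] if hits else None

def offenders_by_c2(hits):
    """Map each C2 address to the internal hosts that contacted it (the crumb trail)."""
    trail = defaultdict(set)
    for _, src, dst, _, _ in hits:
        trail[dst].add(src)
    return {c2: sorted(hosts) for c2, hosts in trail.items()}
```

With the unqualified feed, 10.0.0.5 would have been named patient zero for a DNS lookup at 08:02; after qualification the first real C2 contact is 10.0.0.12 three minutes later.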

I know this all sounds hard (and expensive) but it doesn’t have to be.  The solution can also be built, analyzed and monitored by a managed analysis provider.  A 30-60 day project might cost $25/computer per month for the troubleshooting and recommendations for going forward.

In an environment with 1000 computers, a month of monitoring, troubleshooting, prioritizing and strategizing is a fraction of the long term cost of that next sandbag: firewalls, IPSs, host-based IPSs, an enterprise AV project, or whatever you’re going to throw on the pile next. Red Sky’s Manchester, NH based Wapack Labs and its Lebanon, NH based partner FlowTraq will install a solution, monitor your network, and tell you where your current levee is leaking.  Armed with that information, you can purchase the protections you need, not the protections you’re told you need.

Don’t guess. Don’t estimate. Call us.

Know before you buy (your next security sandbag).

Until next time,
Have a great week! Jeff