Saturday, November 16, 2013

Red Sky Weekly - 11/16/13: Mind the Gap!

I had dinner at a local steakhouse last night. As I ran through the menu, I found a new page --a picture of each of the cuts of steak laid out as a simple one-page guide to what each was --marbled, lean, expected taste/texture, etc. Why the new page? Evidently the restaurant (which had been here for years) had realized that the majority of its customers didn't understand the differences from one cut to another. As a result, they tended to order the same cut, over and over, without ever trying other, possibly more expensive, cuts.

Why am I talking about a steak dinner?

Because this week was busy. 0-days, new malware, shifts in TTPs, etc. For whatever reason, this week seemed much busier than others. It brought me back to a day when I operated as the Information Security Officer. The company did about $7 billion per year in sales, had roughly 35,000 employees in a few dozen locations around the world, and with partner and supplier connections, the network probably expanded to 100,000+ people. We had export controls, consent decrees (court-ordered firewalls between potentially competing internal businesses), and a dozen or so regulatory issues, including, like many of you, SOX and increasing government pressure from DSS and others. My job? I managed information security for this entire environment with two people: me and one other. We focused mainly on architecture and architecture reviews, with almost no time to deal with testing final integrations --but we did do patch management really well. It was largely automated and relied heavily on the desktop teams. It didn't take long to realize we needed help. We were being targeted, and every run of the host-based scanners reported at least several hundred computers that needed to be looked at, troubleshot, investigated and probably rebuilt.

So what's the gap?

It's the space that lies between what actually needs to be done and what actually gets done. It's knowing that you've got 800 machines showing up in that host-based scanner result, finding out that you've actually got a problem, but having to simply burn and rebuild them without doing the forensics that might help stop it next time (and there WILL be a next time!). It's playing whack-a-mole for months before finally realizing that this just isn't working anymore. It's the complexity of heterogeneous systems interconnected with other heterogeneous systems during past acquisitions; it's gaps in visibility across the network from the lack of uniform tools; it's not being able to touch every machine during an emergency. It's virtualization and clouds, and having to ask permission to take a box offline or leave it on for monitoring. It's the lack of trained personnel --not people lacking infosec training, but company training on the processes of intelligence handling, incident response, forensics, restoration, and continued monitoring and protection.

The gap is knowing what must be done, but not having the ability to actually do it. It's a security intelligence provider offering victim notification: a gig of indicators suggesting a large percentage of your company has been p0wned, but you don't have the instrumentation to even go find it. It's knowing intelligence could have prevented it, but not even knowing where to start.

Don't burn out. Don't chase your tail. Get organized. Get help. Mind the gap.

Red Sky can help mind the gap... the knowledge gap. What have others done when they had 800 machines show up with the same results you're seeing today? What worked, and what didn't? Ask them! With a few keystrokes you can ask the question, get answers, and possibly save yourself yet another overnight in the lab running forensics and banging your head against the wall. Others have been there before you... and others will come after you. Perhaps you can help them with their gap!

Can't participate in a collaborative? Think Wapack Labs. There are lots of reasons why Red Sky might not fit, but that shouldn't stop you from getting the information you need. The lab handles other kinds of questions. "We've been bought and sold so many times... what's my network look like?" "Who keeps hacking us and what will make them stop?"

How do we help? We've got a great membership. We've got almost two years of ongoing conversations in the Red Sky portals and several years of targeted incident response before that. The problem you're having today is probably one that someone else has already had... so ask them. Need analysis and indicators? Check out the fusion and intel reports. We published two of them this week. Any more would probably be overwhelming, so we work hard to keep it simple and actionable.

On the 11th, we're having our end-of-year threat day. We'll have a happy hour on the 10th as an ice-breaker, and a day of presentations and great conversation on the 11th. We'll have a line open for those who can't attend in person but want to be involved virtually. It's always a great day.

Want to join us? We're pushing hard as we come into the end of the year. Drop us a note. Let's set up a time for a demo!

I'm keeping it short today. Much to do before traveling tomorrow.
So until next time,
Have a great week!
Jeff