Saturday, June 14, 2014

Red Sky Weekly: Reflections on a great career...

I spent Thursday morning at the retirement ceremony for an old friend - CWO3 Eric Slater, USMC

And while it didn't hit me then, in the quiet of that afternoon, when my email finally settled down, smoking a cigar on the back porch, I had the opportunity to reflect on what an amazing career this has been. And the idea that his and mine intersected made it only that much better.

Eric and I worked together at the Office of Naval Intelligence (ONI) in Washington in the late 90s. We've stayed in touch over the years, occasionally over a beer and cigar at a local watering hole, but today, when I think back, it hit me like a ton of bricks. For those who started in this field -this amazing field of information security, like Eric and I (and many others), the realization that many of the things we did in the late 90s really shaped many of the things we do today. This was a time of massive experimentation, a lot of failures, a lot of successes, and best of all, a WHOLE lot of FUN!

At the time, we were one of the few places in the DoD allowed to partner with Carnegie Mellon's Software Engineering Institute. Our entire team were signed on as Visiting Scientists (I think the correct term was Resident Affiliate??), regardless, during this tour we worked with many great folks, but one in particular impacted the world of cyber in the most profound way. We worked with this really cool old guy -Suresh Konda (Dr. Suresh Konda), who was building the prototype of SiLK --or for those of you who don't know SiLK, think Einstein. This small invention was a means of monitoring and analyzing network flow information. For the uninitiated, think 'cell phone bill'; a detailed list of who called who, how long the session lasted, and a few other tidbits of information.  Our role in this was the behavioral analysis of roughly 3500 intrusion cases where we systematically coded the motivations, behaviors, and actions taken during an attack. Think LM's Kill Chain, only 15 years ago. If you've heard me say it once, you've heard me say it a thousand times, What's old is new again and temporal connectivity to map interception and defensive locations is not new. The idea at the time was this -we could temporally connect a bunch of disparate attacks and then code them into SiLK, and when an attack occurred that matched one of our profiles, we'd have the ability to know --quickly. And although early versions were mostly manual, those (then) manual processes are now automated and built into almost every network security device. And our first victory, the one that worried us most at the time, was the low and slow attack... one packet daily over the course of several months.. and yes, we tracked several. 

At the same time, many of those behaviors that we coded were used in ways that (then) were cutting edge --but today are considered routine. And the best part? That was only the beginning.

Eric worked with another Marine in Pittsburgh with the early malware guys and analysts. Gil (another teammate) and I worked with Suresh. We took those models and built them into processes used in Intrusion Detection Systems, behavioral analysis tools, and more.

Eric went on to build the Marine Corps schoolhouse that taught many of those techniques, how to recognize them, and then, how to mitigate those risks. So this morning, after a cutting edge career, I was proud to watch him retire. He retired as the Ops Boss at Lima Company. For those of you who know what this is, you know its pretty cool. For those of you who don't.. we'll I'll tell you, it's pretty cool!

BT BT 

While I was off playing Marine, the team was busy. 

In one of the pieces published this week we told a story (actually not just a story, but a great piece of analysis!) about the Tunisia Hacker Team. The story developed because a source gave us a tip and that tip turned into a question and that question turned into a really great story. Today, we know far more than what was previously known in open source reporting because we had data that was begging to be asked questions.

Often, the answers to a problem are there but it requires a bit effort, a little luck, and a lot of patience to discover them. Behind every hack, breach, and DDoS is a story. So what story does your SIEM going to tell you? Your firewalls, IDS, and systems are full of stories to be told. Maybe the story is one of a really good security team or may one of team that is in need of assistance. Often, at Wapack Labs, we run into organizations that never asked the questions in the first place!

Fact is, story telling takes time, which is something most security teams don't have the luxury of having. Maybe you know the "what?" or maybe even the "why?" but when it comes to the "who?", things start getting a little fuzzy.  

So here's the deal. I had a great week fly fishing in Tennessee last week. During one of our late night bourbon lubricated conversations, we talked about spend strategies for CISOs worried about risk. We described it differently, but the thought process is the same. Spend money to defend against the threats to your company first. Spend money to defend against threat to your industry second, and spend money on the broad based cross sector threats next. 

Where does this information come from? Red Sky Alliance members are cross sector. You get everything from industry happenings to broader trends. Wapack Labs gives you focus. Are you a banker? We know a little bit about banking. Manufacturer? We can do that too. Heck, we did a piece on counterfeiting not that long ago. 

The "bringing together the meaning of why we care, and what story the intrusion tells" is something we do well, really well. What does this mean to your business? Every question can be answered with data and every piece data is waiting to be questioned. 
And if you thought I'd walk off without talking current events...
  • Certainly, the Tunisia Hacking Team is banging the heck out of the Brazilians right now.
  • Cyber Berkut is running a new DDoS tool against Ukrainian targets.
  • I'm dying to see how ISIS is using Cyber in Iraq.
  • What do the WEBC2 indictment confirm about the Chinese operational procedures?  
  • And where is Edward Snowden? I miss that guy! I've gone almost two whole weeks without my Snowden fix. What's he gonna leak next?!
We're watching it all. And having a hell of a lot of fun doing it. Hell, you can't make this stuff up! The truth is SO much better than fiction! I love my job!

And last, but certainly not lease, our Threat Day is coming up this week. We're headed to Tampa for happy hour at the Pebble Beach Country Club, followed by a day at a member location talking security. If I don't see you there, maybe I'll see you at Gartner the following week. I'll be the one with the Red Sky shirt!

Want to talk Red Sky Alliance? Wapack Labs? Are you taking over as a new CISO? Think about a baseline assessment. Send us your logs and we'll tell you what we know. It's a great starting point for a new CISO (I promise... you'll get your budget!). Drop me a note. We're here to help.

Until next time,Have a great week!Jeff