Saturday, September 30, 2017

Why is security hard? (or maybe, If it Bleeds, it Leads?)


It appears Equifax has had its fifteen minutes of fame. It came and went as fast as the winds shifted in Washington and another shiny story caught the eye of the press. But it made me think...

Anyone else remember Fred Giesler? Fred was a cool old guy who taught the information warfare program at the National Defense University at Ft. McNair.

Fred ran a class on full spectrum information operations, and one of my favorite speakers was a CNN reporter who operated his own refurbished C-130 gunship, with cameras instead of guns in the side doors… and the quote I'll remember forever from him, and from Fred, was "if it bleeds, it leads."

And so it comes to Equifax. I saw this headline in an online security publication that I used to read often (today not as much), and it brought back a vivid memory of my days in information warfare training... "if it bleeds, it leads". I'm not sure who took advantage of whom, but...


"Lawmaker rips Equifax for eschewing DHS's Automated Indicator Sharing program"

"Rep. John Ratcliffe, R-Texas, chairman of the House Cybersecurity and Infrastructure Protection Subcommittee, slammed Equifax, still reeling from a breach that affected 143 million Americans, for not taking advantage of the Department of Homeland Security's Automated Indicator Sharing program, designed to facilitate the sharing of threat indicators between government and the private sector."

According to a 2015 US Census Bureau report, 99% of the companies in the US have fewer than 500 employees. If that's the case, 1% (or less) of the security folks in the US know what it feels like to manage security operations (i.e. patching) in companies larger than 500, right? And an even smaller, much smaller, percentage operate in large enterprise companies, of which Equifax is one, with roughly 10,000 employees.

I'd like to take a moment and offer a small education for Rep. Ratcliffe:

There is a ton of noise out there. You can't swing a dead cat without someone selling, pushing, or dumping indicators of compromise on you, and the DHS AIS program, while probably good enough for most, is, I would argue, likely not as good as the intelligence processed by the Equifax team today. In fact, I've had conversations with them in the past. I'm jealous of their malware processing capabilities. Even if Equifax had participated in DHS's AIS program, they would have had to sift through the noise to get to the good stuff… and my bet is, they probably had it already.

Assuming DHS had given them information on Struts (I'm certain they probably included it in their subscription, and I did see it in Infragard reporting), patching in large distributed enterprise environments is, to say the least, difficult. Why?
    • Almost no company has full visibility into every computer on their network. Why? As companies grow, either through acquisition or organically, tools change, people change, and requirements for IT change: usability, storage, operational requirements, etc. Security must change too. Unfortunately, one simply cannot reengineer the entire security posture with every change. Virtualization and cloud processing brought massive requirement changes for security but, even if the tools existed to manage all of these new advances in IT, budgets did not, and could not, keep up.
    • Assuming they had both full visibility and the ability to reach every computer, in global companies it still takes time to push. And since we know assuming makes an "ass of u and me", it's a safer bet that they probably didn't have full visibility. Full visibility is nearly impossible. In fact, I'd say it probably is impossible.
    • There's a real shortage of skilled labor. Actually, maybe not a shortage of labor but a shortage of skilled labor: with all of the cloud, virtualization, and deep technical capabilities needed to operate in today's environment, there are no more one-size-fits-all security folks.
    • The Fog of War. Let's do some simple math. Equifax has ~10,000 employees. On any given day there will be 3-5% moves, adds, and changes. That equates to roughly 400 computers in motion every day. Add in those compromised, plus mobiles, plus tracking those in motion, and then dealing with the multitude of alerts from the many technologies used to defend them. The numbers are staggering. This is absolutely nuts. Now let's go back to number one… almost no company (I'd argue large or small) has full visibility and control over every computer on their network. I say again: staggering. The Fog of War changes everything: how you see the problem(s), which one(s) you handle first, and figuring out how best to use the limited resources that you do have.
    • Inadequacy of tools. Nearly every tool is Windows-based. Unix, Linux, Solaris, and BSD all require higher degrees of manual processing. While not impossible, accounting for patches, updates, system outages, and even simple inventories requires higher levels of due diligence and manual processing.
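A defender-side check for the visibility and Fog of War points above, added here as an example and not the author's code: reconcile several inventory sources, measure how much of the known estate each tool covers, and list the hosts the patch tool cannot reach. The tool names, hostnames and snapshots are constructed sample data.

```python
"""Asset-visibility gap check across several inventory sources.

Added example for this post, not the author's code. The three inventory
snapshots and their tool names are constructed sample data; a real run
would pull them from each tool's export or API.
"""
from collections import Counter

# Constructed snapshots: hostnames as seen by three hypothetical tools.
SOURCES = {
    "cmdb": {"web-01", "web-02", "db-01", "app-01", "app-02", "legacy-07"},
    "patch": {"web-01", "web-02", "db-01", "app-01"},             # can push patches
    "edr": {"web-01", "web-02", "db-01", "app-02", "shadow-13"},  # endpoint sensor
}


def visibility_report(sources):
    """Coverage of each source against the union of everything any tool knows.

    Hosts seen by exactly one source are flagged: nothing corroborates them,
    so they are the most likely to be stale records or unmanaged machines.
    """
    known = set().union(*sources.values())
    seen_in = Counter(h for hosts in sources.values() for h in hosts)
    return {
        "total_known": len(known),
        "coverage": {name: len(hosts) / len(known) for name, hosts in sources.items()},
        "single_source": sorted(h for h, n in seen_in.items() if n == 1),
    }


def unreachable_by_patching(sources, patch_source="patch"):
    """Hosts some tool knows about but the patch tool cannot reach.

    These are where a fix for a disclosed bug (Struts, in the post) stays
    unapplied however fast the patch itself ships.
    """
    known = set().union(*sources.values())
    return sorted(known - sources[patch_source])


def daily_churn(employees, low=0.03, high=0.05):
    """The post's 'fog of war' estimate: machines in motion per day, as a range."""
    return round(employees * low), round(employees * high)


if __name__ == "__main__":
    print(visibility_report(SOURCES))
    print("not reachable by patch tool:", unreachable_by_patching(SOURCES))
    print("daily churn at 10,000 staff:", daily_churn(10_000))
```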

I could do this all day. There are no fewer than 300 reasons that could have caused a simple miss, one where, on that particular day, at that particular moment, something went wrong, leaving a hole exposed.

I do not fault Equifax. I've said this many times in past blogs. I know exactly what it feels like to be a security operator in a large enterprise company. And I know exactly what it feels like to be a security operator in a very small company. This is a hard business and I'd throw the bull sh*t flag at anyone who tells me that they have perfect security and could have prevented this. I'd throw the bigger bull sh*t flag at the person who says that by being a member of DHS's AIS program, the Equifax breach could have been stopped. Heck, my own marketing people urged me to write a blog that said that we'd seen information that would have stopped the breach. I could not, and would not. Others? Maybe. Not me. The Internet was not built to be secure, and adding layers upon layers upon layers of tools and technologies on top of this insecure foundation will eventually cause a massive failure. The fact that we trust it with nearly everything is a fool's game.

I rarely pay attention to the security news anymore. There are a few to whom I will talk, but even then, I watch with one squinty eye to see if I'll be misquoted, and if I am, I don't talk to them again. The magazine that quoted Ratcliffe? I stopped reading them in 2002 when I was a new Cisco employee and they misquoted me; I took a real blistering from my co-workers for that one. For some reason, every now and again, one of their stories pops up on my radar. I generally pass it by, but this one? For whatever reason, I couldn't let it pass. I was compelled to write about it.

In the meantime, nearly every time I see one of these headlines, my butt clenches and I smile. I think of Fred Giesler… if it bleeds, it leads.

For Rep. Ratcliffe? Send me your computer. I'll bet a dollar it's not up on its patches :)

I have to laugh.