Saturday, October 12, 2013

Red Sky Weekly: Know before you buy!

Interestingly enough, nearly every large enterprise CISO that we at the Red Sky Alliance talk to tells us that they spend (at a minimum) hundreds of thousands of dollars on subscription security intelligence reports. Every medium-sized enterprise CISO (or if they don’t have one, their director of IT or CIO) tells us they harvest open source information for their security intelligence. The small guys? Rarely do they use security intelligence at all.

And so what’s the problem with this model?

Not all data is created equal.

A lot of data doesn’t necessarily mean you have good data. In fact, nearly all of the data needs to be qualified before use. An old friend, (Dr.) Vince Berk, is the founder and CEO of a very cool company called FlowTraq. It's funny. When we talk, Vince often says “There is a fundamental difference between data and information. Information is the specific pieces of data that allow you to make actionable decisions. This means that two different people might find different bits of information in the same pile of data. As people's objectives and missions differ, they will need different pieces of data, "the right data", that is information for them.”

You need to ask: how will the data affect your current system when installed? Will it block key suppliers? Oftentimes, even the most popular services are used for bad. Google’s domain name service (DNS), 8.8.8.8:53 for example, is often called out as a command and control channel for malicious code installed in your network by the phisher du jour. Google isn’t bad, but good tools are often used for purposes other than intended. And will you base your defense spending on unqualified data? How do you know what to buy to protect yourself when your analysis is potentially based on low-confidence information?

Let’s turn the model upside down for a moment, shall we?

I’m taking this metaphor from Ed Amoroso, the CISO at AT&T. He’s a smart guy, and the metaphor hit me like, well, a sandbag to the head. So in fairness, he talks about using sandbags to stop the water that’s rising from the swelling riverbed as a metaphor for dropping boxes and boxes in front of a network for protection. They both leak under the rising river!
[Image source: USA Today]


So let’s think about this for a moment. Before you spend another dime on a sandbag that won’t protect you from that swelling riverbank, let’s take a smart look at what you should buy, what you should collect, and the data you must have to help understand what’s going on in your network.

Here’s a start.

Monitoring (not protecting just yet) your network is a three-step process plus one more if needed (it will be):


1. Identify as many command and control nodes as you can get your hands on.
2. Install them in a good, perimeter-based network flow monitoring and analysis suite.
3. Place inexpensive monitoring inside your network for a period of time (say, 30-60 days?) to help identify root cause, patient zero, and areas of weakness.
4. Be ready to pull egregious internal offending computers off the wire for analysis. You will find a few.


Dr. Berk says the key to success in the info security space is finding the information in all the data. “This requires both an understanding of what you are protecting - what your mission is - as well as an understanding of the evolving threat to that mission. Only when we understand the nature of the threats, can we make decisions on what data is "information", and what data is just data.”

Here’s how it works, if you’re going to take this on yourself:


  • Obtain command and control (C2 for short) address information from any number of sources. Collective Intelligence Framework is a good starting place, but it won’t necessarily give you targeted adversary information. Red Sky Alliance focuses on advanced and other ‘determined adversary threats’ and can give you information on many of the botnets. Open sources will yield the same information, but with far more false positives. Best to pay for a good list and buy in.


  • Install FlowTraq at your perimeter. FlowTraq comes in both an inexpensive cloud-based option and a slightly more expensive onsite form; either way it comes with a simple, easy-to-use interface for monitoring communications to/from your network. Use it to alert when users on your network are communicating (knowingly or unknowingly) with bad IP addresses or domains.


  • Install a simple client-based monitoring solution on every computer on your network. When a network flow is identified communicating with bad actors, use the client-based monitoring system to identify patient zero, and quickly follow the crumb trail across the enterprise looking for indications of other compromised machines.

    If (when) you find badness, the live forensic system (the client-based monitoring system) can be used to perform initial triage, but you still might want to pull the box(es) for analysis to figure out how bad it really is. You should be prepared for this. It will happen.
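As an added illustration of the three steps above (example code written for this post, not code from FlowTraq, Red Sky or the author), here is a small Python pass that qualifies a C2 list before use, matches perimeter flow records against it, and names patient zero. The indicator feed, the flow record format and the confidence values are constructed assumptions; the addresses are documentation ranges, not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: Optional[int]   # None means "any port"
    source: str
    confidence: float     # 0.0-1.0, assigned by whoever curated the feed


# Known shared infrastructure (constructed list). The post's example is Google
# DNS at 8.8.8.8:53: it shows up in C2 lists but must never be auto-blocked.
SHARED_SERVICES = {"8.8.8.8", "8.8.4.4"}

# Constructed C2 feed (documentation-range addresses, not real indicators).
INDICATORS = [
    Indicator("203.0.113.10", 443, "paid-feed", 0.90),
    Indicator("198.51.100.7", None, "paid-feed", 0.95),
    Indicator("8.8.8.8", 53, "open-source", 0.80),      # shared service -> review
    Indicator("192.0.2.5", 8080, "open-source", 0.30),  # low confidence -> review
]

# Constructed perimeter flow records: ts,src_ip,src_port,dst_ip,dst_port,bytes
FLOW_LINES = [
    "2013-10-01T08:02:00,10.0.0.3,51022,198.51.100.7,4444,8192",
    "2013-10-01T08:05:00,10.0.0.5,53011,8.8.8.8,53,120",
    "2013-10-01T09:15:00,10.0.0.12,49877,203.0.113.10,443,65536",
    "2013-10-01T09:20:00,10.0.0.12,49901,192.0.2.5,8080,2048",
    "2013-10-01T10:00:00,10.0.0.3,51100,203.0.113.10,443,4096",
]


def qualify(indicators, min_confidence=0.7):
    """Turn raw data into information: keep only indicators you would act on, and
    send shared services and low-confidence entries to a human review queue."""
    actionable, review = [], []
    for ind in indicators:
        if ind.ip in SHARED_SERVICES or ind.confidence < min_confidence:
            review.append(ind)
        else:
            actionable.append(ind)
    return actionable, review


def parse_flow(line):
    ts, src, sport, dst, dport, nbytes = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def match_flows(flow_lines, actionable):
    """Alert on any internal host talking to a qualified C2 address (exact or any port)."""
    exact = {(i.ip, i.port) for i in actionable if i.port is not None}
    any_port = {i.ip for i in actionable if i.port is None}
    hits = [f for f in map(parse_flow, flow_lines)
            if (f["dst"], f["dport"]) in exact or f["dst"] in any_port]
    return sorted(hits, key=lambda f: f["ts"])  # the crumb trail, in time order


def patient_zero(hits):
    """Earliest internal host on the trail: where the inside-the-network triage starts."""
    return hits[0]["src"] if hits else None


def triage(flow_lines=FLOW_LINES, indicators=INDICATORS):
    actionable, review = qualify(indicators)
    hits = match_flows(flow_lines, actionable)
    return {
        "review_queue": [i.ip for i in review],
        "hits": [(f["ts"].isoformat(), f["src"], f["dst"], f["dport"]) for f in hits],
        "patient_zero": patient_zero(hits),
        "hosts_to_pull": sorted({f["src"] for f in hits}),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The 8.8.8.8 flow and the low-confidence entry land in the review queue rather than as alerts, which is the "qualify before use" point of the post; the remaining hits give the order in which internal hosts contacted C2.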

I know this all sounds hard (and expensive), but it doesn’t have to be. The solution can also be built, analyzed and monitored by a managed analysis provider. A 30-60 day project might cost $25/computer per month for the troubleshooting and recommendations for going forward.

In an environment with 1000 computers, a month of monitoring, troubleshooting, prioritizing and strategizing is a fraction of the long-term cost of that next sandbag: firewalls, IPSs, host-based IPSs, an enterprise AV project, or whatever you’re going to throw on the pile next. Red Sky’s Manchester, NH based Wapack Labs and its Lebanon, NH based partner FlowTraq will install a solution, monitor your network, and tell you where your current levee is leaking. Armed with that information, you can purchase the protections you need, not the protections you’re told you need.


Don’t guess. Don’t estimate. Call us.


Know before you buy (your next security sandbag).

Until next time,
Have a great week! Jeff


Saturday, October 05, 2013

Red Sky Weekly: It shouldn’t be so hard!

I just read a piece in my RSS feeds where the head of NSA’s outreach to the corporate community for public/private partnering and information sharing was on the podium at the Chamber of Commerce. The speech was reported by Federal News Radio and posted to the internet, and as I read it, it took me back two years, to when I left the government. I was the architect and operating director of the operational arm of the DoD public/private partnership run from the DoD Cyber Crime Center. It was called the DoD/Defense Industrial Base Collaborative Information Sharing Environment (say DICE --it's an acronym that could only come from the government!).


There were several reasons for my leaving, but the truth is, on the government side, the politics were a real bear, and I wasn't having much fun. For the government, the motivation became not so much about helping companies protect themselves, but more about budget and control. There were (are) big dollars in the federal budget associated with cyber, and everyone wanted their piece --NSA, DHS, DoD… and so the marketing machines spin up. The food fight begins. Messages become mixed, companies feel forced to work with all of them, and for many reasons, many do --but mostly out of concern for future acquisition and contractual obligations as Federal Acquisition Regulations are updated to include cyber reporting requirements.


And you know what? The government should be able to work with the public. In fact, the government should work for the public. What does that mean? That means that NSA, and others, should willingly share cyber protective information and intelligence with the public, without the expectation of anything in return. The American cyber landscape needs help. Companies need help. So quit politicking and making speeches about how good it is. Quit asking companies to sign frameworks, and cooperative research and development agreements, and get security clearances.


Just tell us what you think we need to know, and don’t ask for anything in return.


It shouldn’t be that hard. But it is...
To demonstrate my point, I’m going to take this out of the cyber realm for a moment and show you a message that probably everyone, even non-smokers, will understand.



The surgeons general of nearly every country in the world put messaging on packs of cigarettes. Some are more elaborate than others, but the same message appears on all -- “Smoking cigarettes will kill you” -- or in the case of this New Zealand pack of smokes, the message on the front is pretty straightforward, but on the back is a full-page ad and a picture of a rotted foot! Why am I talking about the message on a pack of cigarettes? Everyone knows that cigarettes kill, right?

It works because this message is simple and ubiquitous, and because it’s been published for so long that a very high percentage of the global smoker community knows: they may choose to smoke, but it could (probably will) kill them.

Now try this one. I received this warning in an email from the FBI earlier this week. Sorry for the resolution. It’s the banner that appears at the bottom of reports that get pushed out to tens of thousands of people from the group formerly known as InfraGard. It’s funny. Nearly everyone in my office has or has had a security clearance. Two of us were communicators in the military, but neither one of us could actually decipher the meaning of this banner --instructions on how/where we could send or use this report.

So, I’d like to share this reporting with members of the Alliance, but the banner is a ‘Warning’ -- “(U) Warning:... It is subject to release restrictions as detailed in the Homeland Security Act of 2002, as amended…” and “It is to be controlled, stored, handled, transmitted, distributed and disposed of in accordance with DHS and FBI policy for FOUO information…”


So what exactly does the Homeland Security Act of 2002, as amended, say about release of information?

What does the DHS and FBI policy for FOUO information state?

And what happens if I don’t know and share it with someone who might use it to protect themselves or their company but I inadvertently go sideways on these rules? Am I going to be fined? Go to jail? Will the black helicopters swoop down and take me away? Do I really need to go look this up?

Why is this so hard? 

When I talk about Red Sky Alliance, and why members join us, I tell them this…

Red Sky was funded by a group of companies who wanted to share information between themselves, or wanted to work with the government, but for various reasons were not able, or they just found it really hard. 

Why? In the beginning, most members fell into one or more of these categories:

They all just wanted help… but...


  • Many weren’t invited to work with the intelligence community program (mentioned earlier);
  • Some of the companies were not considered ‘critical infrastructure’ (and therefore couldn’t go, or didn’t want to go, to DHS);
  • Or they were concerned with bringing in law enforcement (typically the FBI);
  • Or they wanted to participate with the DIB folks under DCISE, but the doors, for various reasons, were closed to non-defense contractors;
  • Or perhaps the rules associated with working with government information sharing (see the banner above!) turn companies off participating (that banner is only the beginning!);
  • Or trusting the government with internal company data is a massive leap of faith that many will just not take;
  • Or they loved the services offered by current Red Sky analysts, and wanted to support us in our venture (THANK YOU!!!)


This is why we started Red Sky Alliance. There was an opportunity. It came in the form of fixing many of the issues associated with dealing with the government --heavy rules, DSS visits, CRADAs, costs associated with participating, high false-positive rates (or, as one put it, "criminally inconsistent" quality) of information received, trust issues, security clearances, etc. Again, a topic for another (very long) blog.

So how did we fix it?


  • Red Sky speaks PGP (and we're working on TLS). The government speaks SIPRNET. The two don’t talk. And with Red Sky, you don’t need any special gear, software, or DSS visits! Wuhoo!
  • Red Sky only has UNCLASSIFIED data. Do you know how hard it is to find good unclassified threat data?  Certainly some of the government data might be cool, but it's nearly always classified, and therefore, unusable. We don’t use government data.. and we’ve written over 100 technical and intelligence reports anyway…  so here’s the dirty little secret.. the best stuff doesn’t always come from them! (shhhh.. we don’t want anyone to know!)
  • With some of the government programs, “you get what’s in the fridge” (yes, someone actually said that!). With Red Sky Alliance, you get what all of us have in the fridge… and the membership casts a really, really wide net…

    When was the last time someone showed you pictures of some of those pesky hackers, what they want, how they operate, and how you might protect your company from them… without making you sign a 75 year non-disclosure agreement, checking your clearance at the front door, after your long flight to Washington, requiring a DNA sample and placing a chip in your head? (just kidding about the chip… although, you might want to break out your tinfoil hat!)


Here’s the bottom line:

We do our best to make Red Sky simple, pain free, smart, completely usable, and timely… is it perfect? No, but we try really hard. Here’s how:


  1. Red Sky data is completely unclassified. You can use it however you need to protect your company or your customers as long as you can maintain positive control over the data.
  2. Unlike subscriptions, where most of the data gets tossed, many of our members tell us that they process and use every piece of information that we give them.
  3. You get the ability to ask questions and share notes with companies large and small, who, just like you, only want to protect themselves.. and they are all experts in their field --just like you.
  4. Red Sky will make your team more efficient. Even if you’re a small team and just realizing the problems of APT, targeted corporate espionage, or determined adversary threats, don’t repeat work. Ask the membership. They’ve been through it already. They know the pain. They know what the 24-hour workdays feel like, the uncertainty of it all, the nervousness of job insecurities when briefing the board, and best of all.. how to get through it.



It shouldn’t be so hard.

Don’t feel comfortable jumping into a collaborative just yet? Give us a call. We can help. 

Neuberger talks of NSA's efforts to help companies through three different options: general, targeted and operational efforts.

Red Sky has, and does, deliver all three today:

General: The social network environment is a great way to share information. It's informative, assistive, and allows those who can use the data to pull from it and protect themselves. Companies share information, lessons learned, forensics and early warning. Our dedicated analysts take that data and turn it into something useful in the form of a Fusion Report and a list of indicators that go with that particular story.

Targeted: For the last six months, Red Sky's Manchester, NH based Wapack Labs has been writing targeted threat intelligence, technical fusion and warning products for folks who are members of the Alliance, but need help dealing with the data. In most cases, our requests have come from members who know they need threat intelligence but don't have the internal capability to do it themselves. Our job? Show them the wolves closest to the sled today, then what to watch for next, and then after that --all specific to the requester, not the general community.

Operational: Many of the Red Sky members are massive managed security service providers --Red Sky data is used in their MSSP operations to protect data. Heck, at least one of our companies protects the government! Second, the Lab in Manchester hosts the backend of monitoring solutions that will allow us to ensure that your current MSSP isn't letting bad stuff through, or for those without an MSSP, the operational arm in Wapack can help you decide exactly what kind of protections you need to put in place.

It's all about money... but not government budgets. It should be about how companies should spend the money they have to protect the products or services they create.  

It shouldn’t be so hard.


It isn't in Red Sky.  I'll be running around the NY to DC corridor over the next two weeks. Give us a call. I'd love to show you how easy it is. 

Until next time,
Have a great week!
Jeff

Saturday, September 28, 2013

Red Sky Weekly: Hackers Schmackers.. blah blah blah - DRONES ARE THE TIP OF THE ICEBERG

A few weeks ago the NASDAQ went down for three hours. The cause? Unknown. Stupid user trick?
Maybe. Might have been a misconfigured router, or it might have been a hacker. What struck me, listening to the news when they talked about what might have caused it, was that they called the people raising the possibility of a hacker something to the effect of doom-and-gloomers.


And then it hit me.


General Alexander, the dual-hatted commander of the National Security Agency and US Cyber Command, has been shaking hands and kissing babies on Capitol Hill for years. He’s a busy guy, hawking his wares, scaring the hell out of congressmen --and all with good reason. I had a boss once who used to say “assume noble intent”, and of course, I do… but the messaging...


Security vendors and CISOs have been grabbing budget through campaigns of ‘fear, uncertainty and doubt’ (FUD for short) for years, and for several years not a month went by without CSO Magazine or one of the daily online rags offering advice on how the CISO could effectively communicate the need for security (and budget) to upper management. We all did it. Me too. The messaging was terrible, but at the time, we scrapped for every dime.


“If it bleeds, it leads” is the mantra of our news. And cyber, while it doesn’t (hasn’t yet, as far as I know) cause bleeding (at least in a non-warfare setting), is pretty sexy, so on a daily basis, even when reading my non-security-related daily RSS, the news is filled with stories of relentless hackers stealing our stuff. It’s true, but the message is, many times, steeped in artistic license aimed at keeping eyeballs on pages. Our messaging is terrible.


For some reason Jack Nicholson is in my head screaming “YOU CAN’T HANDLE THE TRUTH!”


Here’s my point. Readers, viewers and listeners are saturated. “Don’t tell us how bad it is, Stutzman.” I’m thinking readers fall into one of a couple of categories. Some are deep into the problem and deal with it on a daily basis. I think of them as the one percenters. The next group already knows something about the problem. Others? Perhaps they know and just don’t care. Or perhaps they know and have no idea what it means to them. Or more likely, they know and they care, but don’t have any idea what to do about it.


Let’s try this. Bear with me. It’s gonna get good...




  • A US-made Predator sells for about $4.5 million
  • IISS data shows that the US has at least 678 drones in service, of 18 different types.

Could Burger King survive if McDonalds duplicated the Whopper and sold it for 65 cents when Burger King sells it for $3.00? What if Burger King couldn’t file a cease and desist, but was forced to rely on the government's m4d diplomacy skills to stop the sale of the McWhopper? Yikes.

Maybe our messaging is wrong. I’ll be the first to admit that I’ve used the FUD approach to get budget a few times myself, but on a daily basis? Every piece that hits my inbox? Nope. I won’t do that.

So here’s a slightly different way to message...

  • 678 drones sold by US companies at 4.5 million dollars each
  • Corporations posted over 3 billion dollars in revenues on 678 drones.
  • I’m betting this number equates to 100,000 jobs or more including the supply chain (electronics, avionics, hydraulics, integration, engineering, assembly, etc.), not including long-term maintenance and upgrades.
  • The economic advantage gained by China through Comment Crew and others is enormous. According to the NY Times piece, Chinese manufacturers now sell the knock-off Predators for 1 million dollars each.

http://youtu.be/KXY2jpVdY0E


  • Military advantage created through the use of drones is slipping. They can (will) be mass produced and sold around the world. And oh, by the way, our aviation supply chain is under attack like you wouldn’t believe. I’ve compiled a list of 66 companies (not Red Sky members) that are, in my opinion, hard targets. 27 of them are supply chain companies and 15 are in the aerospace business!

  • Chinese manufacturers are selling knockoffs at 22% of the cost of our own. Do I really have to go back to McDonalds and Burger King?

  • Shareholder value and earnings at the financial institutions that bankrolled these efforts are missing out on their long-term potential because CEOs in charge of our manufacturing base couldn’t figure out how to stop the bleeding of drone technology. Yikes again. As shareholders, can we ask for their bonuses back?

  • Drones are the tip of the iceberg. Download our 2012 Annual Report for last year’s list. Espionage (corporate and APT) actors are hitting all kinds of targets from Military and Defense to Economic, Lawyers, Finance, Automotive targets, Energy Production, and Manufacturing.

Our messaging is wrong. All wrong.

BT BT

On Wednesday we participated in the Cyber Security Summit in NYC. I think it’s probably the third or fourth event named Cyber Security Summit, but short of hosting at the Wye River or out in Aspen, this was an incredible event. I’m not a fan of driving in NYC, especially when Obama is in town, but this was good. I sat on a panel on policy with some old friends, and now a couple of new ones, and the booth (our first shot at a booth) was busy all afternoon!

New members? We’re preparing to welcome our second Telecom into Red Sky. We’re really looking forward to working with these guys! This is a busy membership drive. The fall was crazy for us last year too, but this is great. Next week is booking fast, and we’re getting referrals from our current members. We got a note from an old co-worker today who said he’s been asked to set up a threat intelligence shop. He asked one of his major vendors who told him “if you really want threat intelligence, you need to join Red Sky” SWEEEEEEET!!!

Reporting? We authored three reports for members of the alliance --we’ve been writing targeted intelligence reports on a for-fee basis. We came to the realization about two weeks ago that we’d written over 100 reports for our membership. Why not use the processes we’ve developed to write company (or critical information) specific ‘targeted intelligence reports’ for those who need answers to specific questions? Want to know about threats to specific projects (say, drones?!)? Ask us.

Thinking of joining us? The time is now. I sat with the head of a new threat intelligence shop last week. He’d just returned from an RSA Board meeting where the messaging resonated --EVERY CISO NEEDS THREAT INTELLIGENCE. We’re hearing that too.

Red Sky can help. Drop us a note and set up a demo.

Have a great week.
Jeff