Recently in Security Information Management Category


I don't like to admit this, but I am not always as tolerant as I would really like to be. Certain things that people do and say sometimes catch my attention and cause me to think less of them. An example is people who do not use very good grammar and spelling when they write. Anyone who uses "it's" in the possessive sense, e.g., "It's (sic) effects were great," loses a point or two with me, and I just cannot help it. The same is true of people who say things such as "Me and him are going to go to the concert tonight." I don't attempt to correct anyone's grammar and spelling unless I am proofreading something that someone has written--silence is, after all, golden. Still, poor grammar and spelling invariably help lower my impression of others to some extent.

Regrettably, my faults regarding tolerance (or lack thereof) are not limited to grammar and spelling. Having once been a player in the SIEM arena for almost three and a half years, I cannot help thinking less of people who make what I think are bad decisions concerning purchasing and using SIEM products. SIEM stands for Security Information and Event Management. It consists of what used to be two fairly independent functions, Security Information Management (SIM) and Security Event Management (SEM). SIM functionality mainly includes log aggregation, log management and reporting. SEM functionality mainly includes event analysis through event correlation and possibly other methods, alerting, incident response facilitation (including trouble ticket and case creation, updating and tracking), and helping analysts in achieving situational awareness by providing network topology and other displays that pinpoint where in a network and what specific hosts and devices have been affected by incidents.

Although "we hold these truths to be self-evident, that all men are created equal" may apply to humans, it definitely does not apply to SIEM products. Many of these products, some of which sell surprisingly well, include little more than SIM capabilities. People buy these products, install and stick them in some server room while these products aggregate data that people seldom or never inspect. These people also configure reporting to obtain reports that they seldom use until they get word that auditors will be visiting them in the future, and go merrily on their way, often with the assumption that they are obtaining a very favorable total cost of ownership (TCO) because they feel they are meeting some compliance requirements by having these mostly unused and not-all-that-functional products.

Are you kidding me? What SIM products lack can sink the proverbial ship of an organization nowadays. We are getting hammered with Advanced Persistent Threats (APTs), with all kinds of attacks coming from China, Russia, Belarus, the Ukraine, Brazil, and oh by the way, also the US. The number of zero-day exploits per week has never been higher. Additionally, hundreds of new types and variants of malware are released into the wild every day. And what do SIM tools do about all this? They just sit there blissfully ignorant, unable to detect and report attacks because they have little or no event correlation functionality. Or they may have event correlation capability in name only. Frankly speaking, the proficiency of detection rules in SIEM tools designed primarily to do log aggregation, log management, and reporting is downright abysmal.

For about the same price as a SIEM tool that delivers only SIM functionality, someone can buy a SIEM product that will not only deliver log aggregation, log management, and reporting, but also all the SEM functions that are so critical, given the plethora of security threats that we currently face. How shortsighted can those who buy products with SIM but not SEM capabilities be? I don't know, but I suspect they are also the kind of people who also use "it's" in the possessive sense...


It's a dangerous place out there--the cyberworld, that is. We have witnessed unparalleled changes and growth over the last decade, yet with these changes and growth have come an increasing number of attacks that are using a growing and more diverse variety of methods, many of which are unknown to the white hat community until after they are used. There is so much malicious code out there that we really have lost count of how many unique viruses, worms and Trojan horses exist. Many of the attacks are launched by government-financed technical gurus and well-organized gangs of cybercriminals intent on exploiting vulnerabilities to make money--not just some money, but a lot of it. As opposed to just a decade ago, the attacks are often unbelievably persistent to the point that the term "Advanced Persistent Threats" is becoming trite--like talking about "damaging automobile accidents." If an attack against a target fails, the perpetrators keep launching new attacks until one succeeds. And in general only one successful attack is all that the perpetrators need to reach whatever goal they have. It should then come as no surprise that more and more information security professionals are labeling today's attacks as "unstoppable."

We have controls--plenty of them. Some of them (policies and standards, firewalls, intrusion prevention systems (IPSs), network access control systems, mantraps, fences and much more) help prevent attacks from succeeding. Some organizations, financial institutions in particular, are likely to deploy a wide range of preventative controls in an attempt to achieve "defense-in-depth," implementing layers of security so that if one layer fails, there will still be others to counter an attack. Some organizations do far better than others in using preventative controls, yet according to a multitude of sources, the number and cost of cyberincidents, in particular data security breaches, have sharply increased over time. A myriad of reasons exists why preventative controls have neither lived up to expectations nor produced a favorable total cost of ownership (TCO). In all likelihood the most critical one is that the black hat community is always one (and often more) move ahead of the white hat community when it comes to the proverbial game of cyberchess.

We also have plenty of detective controls--intrusion detection systems (IDSs), system and network event logging, network traffic sniffing, motion detectors, security guards in buildings, trip lights, content filters, security information and event management (SIEM) systems that collect, integrate and potentially even correlate information from all over a network, and more. The major idea behind detective controls is that as potentially good as protective controls are, they are far from perfect; there is not one of them that cannot be defeated or bypassed by a clever perpetrator. So, the idea goes, organizations need the ability to detect potentially adverse events that occur to determine whether or not they constitute an attack or other source of an outage or disruption. If so, intervention that reduces the amount of loss and damage can be initiated.

Reactive controls are the third and final type of control. Here we have automated incident response tools, incident response teams, business continuity and disaster recovery teams, chemical suppressant systems, self-adapting networks, anti-malware software that cleans malware infections, and much more. Without reactive controls, detective controls would be of little value, because detecting a malicious event without intervening accomplishes functionally nothing. At the same time, without detective controls, reactive controls would also be of little value.

So I'll get back to my original question. Which type of control, preventative, detective or reactive, works best? In theory the first should be the best, because top-notch preventative controls should be able to thwart all (or at least most) incidents. But something far different from theory is occurring with preventative controls today. They are working, but, well, just sort of, and certainly not nearly as well as many of us have been led to expect. Consider, for example, the current popularity of IPSs. A recent independent study showed that several top-selling IPS products did not even stop half of all attacks launched against the network they were supposed to defend in a test laboratory. One stopped only 17 percent of all attacks! Another similar study on anti-virus software showed that the majority of commercial anti-virus products did not even detect half of the Trojans that were installed in test systems in which the software was running. Defense-in-depth would help, true, but it is clear that the current generation of perpetrators is completely outwitting preventative control vendors.

So we turn next to detection. Unfortunately, IDSs have not fared a whole lot better than IPSs and anti-virus software when it comes to independent testing of detection proficiency. But when IDSs are merely one of a number of sources of intrusion detection information, the proficiency in identifying nefarious events can increase substantially. The same is true of firewalls, IPSs, anti-virus software, systems that send system logs to a central server, the output of network monitoring tools, and more. Collecting all this information in a central location makes inspecting it possible, but chances are the amount of such information in a typical network is overwhelming even for a team of technically proficient staff to inspect. So why not automate the analysis of the centrally collected information? Better yet, why not correlate the information, comparing each piece of input to models of the log and alert output that information systems and devices produce when cyberattacks occur, and issue alerts when the information fits a model? By now, you should be getting my drift. SIEM technology makes proficient detection of potentially harmful events possible--it provides a way to make sense of volumes of information. Not all SIEM technology is equally proficient, however, but that is a topic for another blog entry.
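To make the SIM/SEM distinction from the earlier entry and the correlation idea above concrete, here is a small added example (it is not netForensics code and is not from any product discussed on this page). It feeds constructed, simplified sshd log lines through two functions: a SIM-style report that merely counts failed logins per host, and a SEM-style correlation rule that fires an alert only when a login success follows a burst of failures from the same source and user within a short window. The log format, the threshold of five failures and the 60-second window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in a simplified syslog-like format.
SAMPLE_LOGS = """\
2010-06-07T10:00:01 host1 sshd: Failed password for admin from 198.51.100.7
2010-06-07T10:00:03 host1 sshd: Failed password for admin from 198.51.100.7
2010-06-07T10:00:05 host1 sshd: Failed password for admin from 198.51.100.7
2010-06-07T10:00:06 host1 sshd: Failed password for admin from 198.51.100.7
2010-06-07T10:00:08 host1 sshd: Failed password for admin from 198.51.100.7
2010-06-07T10:00:09 host1 sshd: Accepted password for admin from 198.51.100.7
2010-06-07T10:05:00 host2 sshd: Failed password for bob from 203.0.113.9
2010-06-07T10:30:00 host2 sshd: Accepted password for bob from 203.0.113.9
2010-06-07T11:00:00 host3 sshd: Accepted password for alice from 192.0.2.4
"""

# Assumed line layout: "<timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Normalize one raw log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


class Correlator:
    """SEM-style rule: N failed logins from one (src, user) within a window,
    followed by a successful login from the same pair, raises an alert."""

    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (src, user) -> timestamps of failures

    def feed(self, ev):
        key = (ev["src"], ev["user"])
        q = self.failures[key]
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            return None
        # A success on its own is normal; only a success after a burst of
        # failures fits the model of a guessed password.
        if len(q) >= self.threshold:
            alert = {
                "rule": "brute-force-then-success",
                "host": ev["host"],
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"].isoformat(),
            }
            q.clear()
            return alert
        return None


def analyze(text, threshold=5, window_seconds=60):
    """Run both the SIM-style report and the SEM-style correlation over raw log text.
    Returns (alerts, report)."""
    corr = Correlator(threshold, timedelta(seconds=window_seconds))
    alerts = []
    failures_per_host = defaultdict(int)
    unparsed = 0
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            unparsed += 1  # keep a count so a broken collector is noticed
            continue
        if ev["result"] == "Failed":
            failures_per_host[ev["host"]] += 1  # SIM: aggregate and report
        alert = corr.feed(ev)                   # SEM: correlate and alert
        if alert:
            alerts.append(alert)
    report = {"failed_logins_by_host": dict(failures_per_host), "unparsed_lines": unparsed}
    return alerts, report


if __name__ == "__main__":
    found, summary = analyze(SAMPLE_LOGS)
    print("report:", summary)
    for a in found:
        print("ALERT:", a)
```

Running the sample yields a report that host1 saw five failed logins and host2 one, which is all a SIM-only tool would tell you. The correlation rule additionally raises one alert for admin from 198.51.100.7 on host1; bob's single failure 25 minutes before his success has expired from the window and produces nothing. The same structure extends to other sources (firewall denies followed by an allow, AV detections followed by outbound connections) by adding parsers and rules.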

Reaction is also potentially hugely critical, but it does not in my estimation reach the level of importance that detection does. The reason is that for the most part in the information security arena automated reaction mechanisms are not doing what they are needed to do as well as they should. For example, an automated reaction mechanism can send a command to a firewall to "shun" all incoming traffic from a particular source IP address, but there is a good chance that that IP address has been spoofed, something that may disrupt an ongoing set of e-commerce or business-to-business transactions. And I am sure you have heard how automated reaction mechanisms have malfunctioned, causing major lock-ups and disruption within IT environments. So for the most part, today's reaction mechanisms are manual, carried out by incident response personnel. It would thus be difficult to give reaction the nod as the type of control that works best.

In closing, as imperfect as some of them are, all three, preventative, detective, and reactive controls, are necessary in the struggle to stave off today's cyberattacks. But if we are going to rely on one technology, it would be a good bet to rely on detective technology, especially if strong SIEM technology is used.


netForensics today announced that it has joined the Cisco Developer Network as a Registered Developer within the network security technology category. In addition, netForensics nFX Cinxi One v4.1 has successfully completed interoperability testing with the following Secure Borderless Networks system: Security Management. This interoperability testing helps ensure that netForensics nFX Cinxi One software easily interoperates with the following Cisco security products: ASA, IPS, IOS, ESA, WSA and CS-MARS. nFX Cinxi One also works with Cisco ASR, Access Control Server, CSA, CSA Management Center, CatOS, Firewall Service Module, IDS, IOS, PIX and VPN products, and helps customers meet key security business requirements, particularly around compliance and log management. Read more>


netForensics today announced a new study, entitled "Security in a Down Economy: Limited Budgets, Less Staff, More Threats," shows a perceived increase in network threats throughout 2010 and into 2011. The study was conducted by netForensics during the week of June 7, 2010 to learn about the impact the economic downturn has had on organizations' security posture and budgets, and the potential consequences organizations will face over the next 12-24 months as a result. Read more>


netForensics today announced their 2010 Federal Customer User Group marks the company's 10th anniversary of providing security solutions to the federal market. The nFX Federal User Group is taking place today and tomorrow at the Westin Alexandria in Alexandria, VA. Read more>



In the article below, Microsoft reviews the Waledac botnet takedown and mentions a number of botnet shutdowns that have recently taken place. The article also mentions sudosecure.net, a Waledac tracking site.

The article goes on to talk about Operation 49, a botnet takedown task force, an "innovative application of a tried and true legal strategy."

"On February 22, in response to a complaint filed by Microsoft ("Microsoft Corporation v. John Does 1-27, et. al.", Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot."

"This legal and industry operation against Waledac is the first of its kind, but it won't be the last"


Microsoft TechNet on the Waledac takedown




Yesterday at the Security Awareness for 2010 ISACA meeting in Philadelphia John Raezer delivered a welcomed presentation on Risk Management Effectiveness.

Information technology and information security management must understand the business model: what the key assets are, what their exposures and vulnerabilities are, and what the outcome would be if a threat were realized. It is not only the identification or recognition of an incident that matters, but what the root cause and contributing factors were, and how this information gets included in or relayed back to business intelligence. It also means knowing the distribution of events, not only in near real time but historically: their severity, impacts and risk response; what policies and procedures were used in containment, mitigation and follow-up; what the contributing factors were; and who owns the risk relationships.

In his example of why frameworks such as Basel, COSO and COBIT are so important, the thing that most affected corporate reputation with business partners, customers and suppliers was accounting irregularities. By far, accounting irregularities carried the highest corporate reputation risk of affecting your business with suppliers, business partners and customers; he cited some recent banking incidents as examples of customer and partner distrust.

He also covered the need to study and understand which disruptive technologies will have an impact on business processes, how many industries are using chaos theory for risk assessment, black swan events (the unexpected unexpected), and how we must understand the language of risk, not only in the physical world but in the virtual world. Eventually, he believed, there will be risk management accounting.

If you get a chance to read his presentation or see him speak on the values of risk management in the enterprise it is well worth the time.



According to IT World Canada,
A Microsoft-employed forum moderator had other advice. "For the people who installed [the update but] cannot start the computer normally, it is better to wait for the next stability and reliability update," said Arthur Li on Feb. 1. "Since there are thousands of different hardware and software configurations, it is hard for Microsoft to test the updates on all the different hardware and software configurations."

Microsoft Support


If there is one thing that makes everyone somewhat nervous, it is the instability of new operating systems being deployed in the enterprise; with IE having control issues, there would be a concern that the OS would also have stability problems.



Jason Ross's presentation at the Black Hat DC conference covered the issue of checkbox compliance: companies are using checkbox compliance as a means to indicate whether they are secure, when in fact it should be deemed the lowest possible level of acceptance, a baseline. He points out, as others have, that some of the largest compromises of personal information occurred at companies that had passed their external PCI audits. Compliance is absolutely wonderful in that it enforces at least a baseline of requirements, but it should not be treated as a seal that protects you from exploits and non-publicized holes in the grid.

Jason points out the difficulties of detecting malware in enterprise environments: by the time the antivirus sends off an alert about malware or a virus being seen, it is usually too late and you have already been owned. As Dan Geer pointed out a few years ago at the Gartner Risk Conference, it is hard to get exact metrics on what is happening, because by the time that alert kicks off, six other events have already happened that were not detected.

IT and security administrators who have been through some of these malware wars with downloaders and polymorphic attacks know that just because the antivirus says it is cleaning up, there are far too many other things happening. I once saw something interesting: a polymorphic virus loaded on a system that had Microsoft's development studio on it, and we could watch as the polymorphic virus recompiled other malware from its code that would attempt many ways to infect the machine and other machines quickly, and at one point there was a downloader. Even Microsoft writes about recovering the operating system and files to a known state from before this activity started; unfortunately, without a historical view of activity on this node and user, that information and the correlation of events will be difficult.

Jason Ross points out that the goal of malware now is to have business support models. Its objective is not to be noisy but to perform its tasks very quietly, infecting other hosts and using a network of hosts to make money, with malware such as URL Zone and Monkif.

In the presentation he talks about Spider Monkey, by Didier Stevens, a tool for helping to analyze malcode, and the use of SAN NETS to isolate malcode in action so that it can be analyzed to determine what it wants to connect with or what services or files it wants to abuse. With polymorphic viruses that constantly change, it is usually interesting to observe them in action in a closed environment.

Years ago, in a movie whose name I cannot remember, the analysts in the movie were collecting them and keeping the code and binaries for sale and redistribution, or modifying them in some way so as not to be detected.

Another point from the presentation is that malcode writers are now writing their code so that it cannot be easily detected by signatures, splitting it into multiple components in which each binary performs a small function of the whole.

via this Black Hat briefing


HP Software Universe 2009


Last day here at HP Software Universe in Hamburg, talking about integrating information security management more closely into the enterprise architecture and the system development life cycle. Enterprise frameworks, including the new NIST guideline in Special Publication 800-37 Rev. 1 with its six-step Risk Management Framework, as well as the ITIL V3 and COBIT 4.1 frameworks, call for information security to be closely aligned with the enterprise for effective risk management.

We have been talking about the new standards and guidelines concerning the harmonization of IT and information security governance. With netForensics Sim One, information security management enterprise software, integrated with HP uCMDB and HP Operations Manager software, we can provide proof that IT operations management and information security management are working on the same vision of domain services: continual monitoring of enterprise services that gives IT operations and information security the ability to monitor the effectiveness of the control environment, promoting near real-time risk management.

If you're looking for solutions to help you manage risk-based decisions about the organizational information systems that support your core missions and business functions, we already have it.



© 2010 netForensics, Inc