You Give Us The Fire We'll Give'em Hell!

DESCRIPTION

BSidesKC presentation on intelligence and resource sharing in INFOSEC.

Page 1: You Give Us The Fire We'll Give'em Hell!

Disclaimer

• These opinions are mine alone and in no way reflect the opinions of my employer.

• There is a crap load of text in the slide deck. I don't want the message to be lost in my poor delivery.

Introductions

Will Metcalf, [email protected], @node5

Open source community manager for Qualys. I work on the IronBee WAF team.

Founding member of the Open Information Security Foundation.

In the past I worked for OISF, Emerging Threats, etc. beating the snot out of open source IDS. In a previous life I was a security practitioner for local government/LE.

I have the hots for all security-related FOSS stuff.

Something Is Wrong with Our Model

INFOSEC STAFF IS OVERBURDENED

• Information security practitioners are faced with the insurmountable task of securing an ever-expanding amount of complex technologies.

• This problem is compounded by the rate of change in our industry. This is a real issue. To secure a technology you must truly understand how it works, right?

• Trying to consume raw data from intelligence sources, open or closed, can become overwhelming. Turning it into actionable intelligence for your organization is time consuming.

• The InfoSec pros I know tend to look at InfoSec as a way of life because they are passionate about their craft. Passion can be killed once this lifestyle is no longer a choice but instead an occupational requirement.

• If you think I'm full of crap but sense your security geeks may be approaching burnout, an ancillary presentation to this one, along with tips on how to keep InfoSec staff happy can be found here: http://vimeo.com/24650438.

Changing Landscape

• Historically InfoSec has been a “tower defense game” [1]. Defenders needed to know a little bit about a broad range of technologies. This was a somewhat effective model when paired with a defender's view of the organizational terrain. With increasing complexity and dissolving network borders, this model becomes more difficult to pull off.

[1] David J. Bianco @DavidJBianco: “I don't get the fascination with tower defense games. I work in security, so that's pretty much my daily life anyway.”

As an Industry, we breed generalists

• Given the history of InfoSec programs in most organizations, i.e., needing to know a little bit about a lot of technologies, it's no wonder that as an industry we tend to breed InfoSec generalists.

• Unfortunately today most organizations need InfoSec staff with a multitude of specialized skill sets to provide adequate protection. The sooner that decision-makers realize we can't be experts in everything, the better.

Talent Shortage

• Given the generalist conundrum it should be no surprise that there is a severe shortage of specialized talent in the industry.

• Even if organizations (want|can afford) to hire specialized talent, they will often have trouble finding it. Most specialized talent today works for the vendors you purchase security products and services from. This compounds the problem of information asymmetry between vendor and buyer[2][3].

• Offloading certain problems to vendors/consulting firms with the desired skill sets might be OK, but be wary of arrangements where the external party has no prior insight into your organization and therefore cannot apply context to a problem. Boutique security consulting firms FTW!

[2] “Security derivatives: the downward spiral caused by information asymmetry,” by Josh Corman of the 451 Group http://www.the451group.com:80/report_view/report_view.php?entity_id=60884

[3] http://www.mandiant.com/uploads/presentations/SOH_092310.pdf

Threat Intelligence Products

• Many exist today but finding reliable, consistent, complete threat intelligence products is hard and/or cost-prohibitive.

• Having these products does not alleviate the need for in-house specialized skill sets to analyze the intel for applicability in the context of your organization. Without these skills, threat intel products will probably have a very low SNR once they enter your organization.

• Ancillary to this is the fact that security vendors/intelligence providers can realistically only provide coverage for a certain number of technologies. Niche-market technologies are often overlooked.

Intelligence Analysis is performed in silos

• Given a piece of intelligence, similar organizations within an industry may independently reach like conclusions about derived threats, their risk to the organization and how to mitigate the risk, i.e., preventative/detective controls.

• This leads to unneeded duplication of analyst effort.

We don't like to share

• Organizationally cultivated threat intelligence, while valuable to peers, is rarely shared.

• Some organizations believe that their investment into InfoSec should result in enhanced competitive advantage and therefore don't want to share.

• Others think participating in open chatter about threats will give away information about their infrastructure.

• While some industry information-sharing programs exist, the M.O. of semi-open information-sharing programs tends to be watered-down, high-level analysis with low resolution.

• High-resolution information-sharing programs generally exist among various researchers and vendors. This information is typically not available to outsiders as a counter-intelligence measure.

Interlude

You're probably thinking to yourself: “Oh, fantastic. Another 'this is our darkest hour' presenter. If I wanted to be depressed, I would have stayed in the office, queued up the 'Requiem for a Dream' soundtrack and spent the afternoon scanning my NIDS logs for evidence of browser-based exploits.”

Have no fear, true believer. I have a solution. Well, maybe.

Wild, Wild WEST

The InfoSec environment today is like the Wild West. If you're lucky, your org has a sheriff, The Security Guy. If you're really lucky, big enough and have enough cheese, you may have a couple of deputies, Security Minions. But what happens when the opposing forces are overwhelming?

Let's ask an expert.

WWMVPD

WWMVPD: What Would Mario Van Peebles Do?

He would form an InfoSec posse, of course.

MVP Alternative Course of ACTION

MVP may alternatively morph into a gun-toting InfoSec werewolf and try to handle things himself. He is sort of a wild card. I digress.

Our "Posse": InfoSec Trust Groups

• Build information/resource-sharing agreements with other organizations under NDA in the same business sector, or in close physical proximity to you. Or form trusts to manage custodial arrangements of shared data.

• Orgs in the same business sector will face similar problems. Orgs close by are probably easier to establish agreements with because dialogues are easier to maintain.

• Establishing trust groups among government organizations is probably much easier than with companies.

• In KC, the Mid-America Regional Council is already in place to foster such relationships among metro-area governments. Information sharing already exists between LE/other entities in these orgs. I mentioned @MARCKCMetro in a tweet on this subject. No response, WTF? :)

Yes, but Why?

• Ideally fosters the creation of specialized skill sets by offloading some tasks to the group. This allows practitioners to grow skill sets in areas that interest them.

• Have at your disposal specialized skill sets from other orgs. Having resource-sharing agreements for specialized skill sets would allow more efficient IR, because the parties involved would be able to apply preexisting knowledge about organizational context.

• The chance to offset cost and increase security posture. This can be accomplished in many ways, such as sharing security infrastructure. Think shared DNSBL servers, Cuckoo Sandboxes, (Dionaea|Glastopf|Kippo) low-interaction honeypots. You could also create trust-group-supported solutions based on FOSS to save money or to fill gaps that vendors don't cover (read: TKL-based appliances).

Would You Like To Know More?

• One man's false positive is another man's actionable intelligence. Creating rules to look for activity that is of little value to you, but of high value to others is a win.

• Increase visibility of the threat landscape by sharing security event data. Even if sanitized, data still has value when you are available for inquiries about the data sets you produce. The same can be true for other items, such as performance data of WAF/IDS rules.
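As an added example (not from the slides, and not code from any project the deck mentions) of sanitizing event data before handing it to a trust group while answering the "it gives away our infrastructure" objection: internal addresses and hostnames are replaced with keyed pseudonyms, so partners can still correlate repeated hits on the same asset across your submissions and come back to you with questions, while the external indicators that carry the shared value stay in the clear. The group key, internal ranges, DNS suffix, field names and sample events are all assumed or constructed for the example.

```python
"""Pseudonymise internal identifiers in security events before sharing them."""
import hashlib
import hmac
import ipaddress
import json

# Assumed values for the example: a per-trust-group secret (rotate it when
# membership changes) plus your own internal ranges and DNS suffix.
GROUP_KEY = b"example-trust-group-secret"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"

# Fields that identify your infrastructure and get pseudonymised ...
PSEUDONYMISE = ("src_ip", "dst_ip", "host")
# ... and fields that never leave the organisation at all.
DROP = ("user", "analyst_note")


def is_internal_ip(value):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # hostnames, domains, free text
        return False
    return any(addr in net for net in INTERNAL_NETS)


def pseudonym(value, key=GROUP_KEY):
    """Stable, keyed, non-reversible token: the same internal asset maps to the
    same token in every submission to this group, and a partner cannot simply
    hash all of RFC1918 space to recover the address without the key."""
    mac = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "int-" + mac[:12]


def sanitize_value(value):
    if is_internal_ip(value) or value.lower().endswith(INTERNAL_SUFFIX):
        return pseudonym(value)
    return value                # external indicator: the part worth sharing


def sanitize_event(event):
    shared = {k: v for k, v in event.items() if k not in DROP}
    for field in PSEUDONYMISE:
        if isinstance(shared.get(field), str):
            shared[field] = sanitize_value(shared[field])
    return shared


def sanitize_feed(events):
    return [sanitize_event(e) for e in events]


# Constructed sample events, not real alerts (TEST-NET addresses throughout).
SAMPLE_EVENTS = [
    {"sensor": "nids", "sig": "obfuscated JS (constructed)",
     "src_ip": "10.20.30.40", "dst_ip": "203.0.113.7", "user": "jdoe"},
    {"sensor": "proxy", "host": "ws042.corp.example", "dst_ip": "203.0.113.7",
     "dst_name": "bad.example.net", "action": "denied",
     "analyst_note": "ticket 4711"},
    {"sensor": "nids", "sig": "trojan checkin (constructed)",
     "src_ip": "10.20.30.40", "dst_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for e in sanitize_feed(SAMPLE_EVENTS):
        print(json.dumps(e))
```

Because the token is an HMAC rather than a plain hash, the same workstation shows up as the same `int-…` token in every event you publish to that group, which is what lets a partner ask "is this the same box that hit us last week?" without ever learning the address; a different group key yields unrelated tokens, so two groups cannot cross-correlate your submissions.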

SHARING IS CARING

• Analyze data through information-sharing portals. Projects like fordrop look promising, but it could be as simple as a frigging restricted-access wiki. Practitioners with areas of expertise can weigh in on detection/mitigation.

• When appropriate, publicly publish/share findings with larger InfoSec community.

• When I was at Emerging Threats, I tried to think about how I would tackle CVE-2010-3962 if still in OPSEC. I published my findings here: http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/. If exploitation was seen in the wild, the shared analysis dialogue may have gone something like this ...

Together We Can Do Something Beautiful

• NIDS Guy: “This will be impossible to sig with NIDS outside of the obfuscated JS sigs that trip. Here are the alerts.”

• Log Analysis Guy: “Interesting, my process accounting audit logs show that iexplore.exe fired off a notepad.exe process, which then fired off cmd.exe. I can sig this.”

• EMET Guy: “Using this combination of EMET settings for the iexplore.exe executable, I'm able to stop successful exploitation, and IE seems to function normally; others, please verify.”

• Proxy Guy: “This thing is trying to establish an SSL connection to a C&C server that is using a completely bogus cert. SSLBump + 'sslproxy_cert_error deny all' is preventing the connection.”

• All Together in Unison: “Boy, I sure am glad we went to Will's talk and decided to start sharing.”
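The Log Analysis Guy's signature from the exchange above, as an added example that is not part of the original deck: a small detector that replays process-creation records, rebuilds the process tree and alerts when a new process has the browser and Notepad in its ancestry. The record layout (time, pid, ppid, image path) and the sample feed are constructed to resemble a generic process-accounting feed; the second pattern is an assumed generalisation of the slide's chain, not something the deck states.

```python
"""Process-ancestry detection over process-creation records."""
from collections import defaultdict
import ntpath

# Constructed sample feed (not real logs): (time, pid, ppid, image).
SAMPLE_RECORDS = [
    (100, 4000, 800,  r"C:\Windows\explorer.exe"),
    (101, 4100, 4000, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (102, 4200, 4100, r"C:\Program Files\Internet Explorer\iexplore.exe"),  # tab process
    (103, 4300, 4000, r"C:\Windows\System32\notepad.exe"),  # user opens Notepad from Explorer
    (104, 4400, 4300, r"C:\Windows\System32\cmd.exe"),      # benign: no browser in the ancestry
    (105, 4500, 4200, r"C:\Windows\System32\notepad.exe"),  # an IE tab spawns Notepad ...
    (106, 4600, 4500, r"C:\Windows\System32\cmd.exe"),      # ... which spawns cmd.exe
]

# Ancestry patterns, oldest ancestor first; the last element is the new process.
# The first is the chain from the slide; the second is an assumed generalisation
# (any cmd.exe whose ancestry includes the browser).
PATTERNS = {
    "ie-notepad-cmd": ("iexplore.exe", "notepad.exe", "cmd.exe"),
    "ie-spawns-cmd": ("iexplore.exe", "cmd.exe"),
}


class ProcessTree:
    """Indexes records by PID. Parent lookup tolerates PID reuse by picking the
    most recent process with that PID that started no later than the child."""

    def __init__(self):
        self._by_pid = defaultdict(list)   # pid -> records, in start-time order

    def add(self, record):
        self._by_pid[record[1]].append(record)

    def parent_of(self, record):
        start, _, ppid, _ = record
        parent = None
        for candidate in self._by_pid.get(ppid, []):
            if candidate[0] > start:
                break                      # started after the child: a later PID reuse
            if candidate is not record:    # guard against a self-referencing record
                parent = candidate
        return parent

    def ancestry(self, record):
        """Image basenames from the oldest known ancestor down to `record`."""
        chain, seen, cur = [], set(), record
        while cur is not None and id(cur) not in seen:
            seen.add(id(cur))
            chain.append(ntpath.basename(cur[3]).lower())
            cur = self.parent_of(cur)
        chain.reverse()
        return chain


def is_subsequence(pattern, chain):
    """True if every pattern element appears in `chain` in order. Intermediate
    processes (for example extra browser tab processes) are allowed in between."""
    it = iter(chain)
    return all(any(name == wanted for name in it) for wanted in pattern)


def detect(records, patterns=PATTERNS):
    """Replay records in time order; return (pattern name, pid, chain) alerts.
    A pattern fires only when the new process itself is the pattern's last
    element, so descendants of an already-flagged shell do not re-alert."""
    tree, alerts = ProcessTree(), []
    for rec in sorted(records):
        tree.add(rec)
        chain = tree.ancestry(rec)
        for name, pattern in patterns.items():
            if chain[-1] == pattern[-1] and is_subsequence(pattern, chain):
                alerts.append((name, rec[1], " > ".join(chain)))
    return alerts


if __name__ == "__main__":
    for name, pid, chain in detect(SAMPLE_RECORDS):
        print(f"ALERT {name}: pid {pid}: {chain}")
```

Matching the pattern as an ordered subsequence rather than as direct parent/child links is deliberate: IE's broker/tab process split puts a second iexplore.exe between the browser and the spawned process, and a strict parent/child rule would miss it. The benign Explorer > Notepad > cmd.exe chain in the sample does not fire, which is the "one man's false positive" point from the previous slide in miniature: the rule is useless on hosts where nobody runs IE and gold on the ones where everyone does.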

FIN