Archive for the ‘Prevention’ Category


This year I was interviewed by Infotech Research Group pertaining to the difference between a SOC and SOF for a solution they were developing collateral for.  Prior to the interview I prepared a response to their questions.  The questions they were asking are very similar to questions I’m asked regularly around security operations solutions.  Therefore, I wanted to take this opportunity to put out some content around the core topics of security operations centers and functions. 

The fundamentals

What is the difference between a Security Operations Center (SOC) and a Security Operations Function (SOF), and what is required to provide a state of the art intelligent security operations function?

To begin, we must first clarify the difference between the two concepts.  In general, a SOC is, or can be, a portion of the overall SOF.  A traditional SOC will usually focus on a SIEM, whereas today’s security operations need to integrate multiple products and automate intelligence and response in real time. The traditional SOC was previously a large physical security command center.  Today the SOC has shifted into more of a function, with many responsibilities spread outside of the traditional physical command center.

We should not forget that one advantage of housing the security operation within the same physical location is the capability to easily segment, secure, and control the data within the environment.  When you start opening up the function you also open up access, making it harder to secure the security data in larger environments.

1.0 and 2.0: what is the difference?

What are the key differences between a traditional SOC or SOF and the next generation solution (or version 2.0), and how is the next generation going to handle the newer technologies, as well as the continually changing threat landscape associated with big data, mobile computing, and social media?

The big difference is that monitoring is no longer contained inside the organization, and in many cases the data is not either, so you will be relying on third party organizations more.  That means you must have good processes in place with defined SLAs to understand the capabilities of each provider.  Having a good understanding of the security of that third party environment will be critical to ensuring your data is not leaked.  Having a good way to detect malware in the environment will also be important to help prevent lateral movement across the organization and its suppliers or providers.

Also, because of the advanced threats that specifically target individual personnel, the next generation of security operations solution will eventually have to enter more into the home environment to protect those key targets.  Key executives that are targeted through their children or other family members will need to have some protections in place that help mitigate the risk.  These advanced threat actors will compromise another family member’s account by sending an email with a title like “homework help” or something similar to fool the victim.  Little does the parent know this was an attacker who hacked their kid’s account for the sole purpose of sending a Word document with malware that eventually attacks the target executive’s work account.

Another item that will come more into play is real-time threat intelligence.  Getting automated feeds in formats like STIX or OpenIOC, with specific data that is relevant to your organization, will become the norm for large enterprises.  In some cases even a private intelligence cloud will be used.

Why Implement a SOC or SOF in the first place?

Many of you may not currently even have a security operations function in place; however, due to recent attacks you are wondering if this is the right fit for your organization.  To help with that decision, understand that there are usually two main drivers.

  • One is that the organization has had a series of major incidents and as a result needs to implement some type of monitoring and protection function.
  • The second driver is usually for increased profits.  The large MSSP or Telecommunications organizations will implement models to sell the managed SOF to their clients and therefore will build out operations.

At some point you really need to understand the threats to your organization.  Without a clear indication of the attacks the organization faces daily it will be hard to justify the cost of a SOC/SOF and therefore you may need to consider an outsourced option.

Responsibilities of the SOF

We know that security monitoring and incident response are obviously included at some level, but what about security device maintenance, identity and access provisioning/de-provisioning, or even security solution design and implementation?  Should those all be included?

Personally I don’t think device maintenance is a good function of the SOF.  My experience in the field, having done penetration tests against organizations that have MSSPs (Managed Security Service Providers) who perform both the security and maintenance functions, shows that many items are typically neglected.  In short, the MSSPs can do everything from monitoring to maintenance, but in many cases they end up doing a poor job at everything because there is a lack of focus on one task.  For device management and maintenance the SOF should really only be involved in reviewing security compliance around device maintenance, and in coaching or developing the processes that ensure out-of-compliance items are removed from the network until they are updated.

Other functions such as identity access and entitlement reviews can be a part of the SOF, but usually this is not included based on a decision around corporate culture.  Access control in many cases resides outside of the SOF or in an isolated SOF department, and unless the organization can manage the cultural issues it will not work effectively in the SOF.  The SOF’s function really should be to review and compliance check access controls and violations of access.  We also need to be careful about giving the SOC too much capability, because then the SOC becomes a single point of failure for security.

Overall some core items that should be provided by the SOF are:

  • Monitoring, alerting, threat analysis, correlation and intelligence
  • Incident response, investigation, malware and threat analysis, and serving as an extension of the forensic teams in some cases
  • Advisory on corporate security solution designs

Outsourcing the SOF

How do you determine, then, if the SOF should be outsourced or not?  There are several drivers in the decision making process that will determine if the function should be outsourced.  In almost all cases this comes down to cost or the fact that the organization does not have the appropriate skills in house.  In some cases the organization may also decide that it should not be investing in services that deviate from the core business goals.

Leveraging Centralized or Distributed Response Models

A challenge in many security functions is to determine the correct response model.  This really depends on the global extent and cultural diversity of the organization.  If the organization is global there will be many challenges if a central response team is implemented.  If you have to send someone onsite halfway around the world it could take days, depending on where in the world that person must fly.  You will also run into challenges around language and visa requirements.

On the other hand, having a team that is distributed and speaks or reads multiple languages will enhance any response team in providing a timely and adequate response.  The time to location is quicker, command and control can be done while onsite (war room), and intelligence can be shared via the coordinating or central lead team.

Key Aspects of the SOF – People, Process, and Technology

To implement and maintain a successful SOF the right defense in depth strategy is required.

People – A successful SOF must have skilled staff that can think like the adversary.  This staff must also have technical knowledge and troubleshooting abilities to understand the threats and attacks.

Technology – The technology strategy at the most basic level must have several core components.  New generation malware detection at the network egress points and endpoints is a requirement.  A SIEM or correlation engine is necessary to integrate the logs of many technologies.  Finally, some custom integration between the core network, endpoint, and SIEM products is required to automate as much as possible of both identification and containment of the threat.  Threat intelligence feeds will also become a core item in the next generation SOF to provide awareness of the latest trends as well as threats to the industry and its service providers.  Most current SOC functions try to increase the function with more analysis software.  The mistake with that is it requires the time of your skilled staff, whereas they should be looking to automate the analysis and containment tasks as much as possible and use a series of base products to stop the attacks.  Some other SOF based solutions will talk about risk-based decision systems.  This is really just correlation and automation of high risk threats.

Process – For process there are several components.  Sound roles and responsibilities must be defined.  Automation of trouble ticketing and remediation processes needs to be in place. Threat risk assessments must be conducted to identify critical targets and the threat events that are high risk to the organization.  A SOF at many levels must be integrated into every important aspect of the business.  For example, if a hurricane is coming and the BCP department says we are on hurricane watch, the SOF should be looking for phishing attempts that leverage the hurricane as an event to try and attack the organization, suspecting that employees will be reading every email and website about the hurricane. 

Challenges within a SOF

There are hundreds of challenges in running a top notch next generation SOF, but there are some fundamentals that must be addressed.  Education of staff is critical.  Without the right skills the attackers will always be hard to find in the organization and even harder to remove.  Ensuring that the operators follow the procedures with little or no exception, and continually update information and tactics based on the threats facing the organization, is important.  The management of the SOF must also make sure executive management understands the extent of the threat; otherwise funding and other critical controls will be neglected or overlooked.  Also, everyone talks about implementing more process in the next generation SOF, but in reality the real solution is to take as much human interaction out of the process as possible and automate analysis and protection. A solution for querying the endpoint and enforcing rules based on network detections, a solution for leveraging and automating multiple technologies, and a solution for using first detection malware appliances to forward blocking information into firewalls and web/email gateways: these are the critical improvements and challenges required to build out the next generation SOF.

The 5 People, Process, and Technology Requirements

There are various sizes of organizations and every SOF will be different in many ways, but with respect to people, process, and technology the simple and most effective measures for providing security to an organization are:

Technology

  1. Egress malware blocking technology covering both email and web vectors combined with a web proxy and spam filter.
  2. Application blocking and anti-virus software on the endpoints
  3. SIEM for centralized logging and correlation of information
  4. Global Risk and Compliance software for integrating security with other processes within the organization
  5. After that you will augment these core components with other software for compliance and other business requirements.

People

  1. Strong leadership
  2. A strong person in network and application security
  3. A strong person in risk management and security policy
  4. Strong malware and forensic skills on staff
  5. After that you can build out the team based on the scope and mission of the security function and leverage contractors or outsourced solutions.

Process

  1. Automation of as much process as possible
  2. A strong set of core policies and procedures for change control, incident response, alerting and reporting that focus on protecting the organization and its mission.
  3. Collection of metrics
  4. A process that modifies regularly to reduce detection, containment and remediation time
  5. A process to understand the real threats to the organization

Measuring Effectiveness

As a person running a SOF you will always be asked to prove its effectiveness.  Are there some important Key Performance Indicators (KPIs) to help prove the value of the SOF?  This is a difficult question, and each organization may have specific KPIs based on the goals of the organization.  However, in general there are some core items that should be measured.

People

To help make sure each member of the SOF is working effectively, metrics around the roles and responsibilities of each individual are important to measure.  This helps measure the skill level of each person and that each individual is working toward the mission of the SOF.  Therefore, measure items such as:

  • Shift logs and components captured in shift logs
  • Hours analyzing events, hours automating, and hours researching

Together these items will help determine what you need to focus spending on and to help free up resource time in the future.

Technology

There are several items around the technology to measure including:

  • How many incidents over different time metrics (week/month, etc.)
  • Amount of incidents and events detected and the percentage of those that were automatically blocked or contained
  • Timeline breakdown for each incident (When it was detected, contained, remediated)
  • The breakdown of technology detection; there will always be overlap in detection, so this overlap should be measured to help effectively determine if a control is needed

Process

In the process area you will want to track many different things to prove the effectiveness of the incident response process, including:

  • Amount of time to resolve an incident
  • Estimated cost to resolve an incident
  • Increase or decrease in security spending over time (compare against protection metrics)

One of the other items that sometimes gets overlooked is to track the time it takes to collect and report on the metrics.  Inevitably, a large portion of the documentation is manual, and collecting metrics is manual because executive-presentable formats do not exist.  The SOF will spend days at the end of each reporting period generating the metrics and reporting to management.  If you can automate the collection and reporting by using a global risk compliance system, some sort of ticketing system, or some custom code, that will help immensely in the long run.


With all the healthcare industry regulations around data leakage there has been a decent effort put in place to protect individual records, however the healthcare organizations are still struggling to get this under control from both a physical and cyber perspective.

Even though the medical industry is still battling to protect sensitive records they are facing another more persistent problem.  These organizations are under attack because the adversary wants to understand the underlying business practices and to obtain important intellectual property. With the aging population and billions of dollars spent on research and development for drugs, these organizations have a good deal of market cap to lose.

The recent FireEye report shows that although Healthcare is not the top malware candidate it is continually targeted by these attacks.  Also notice that the energy sector which has been heavily targeted in the past few years is tracking less than the healthcare industry.

FireEye Stats

http://www2.fireeye.com/WEB2012ATR2H_advanced-threat-report-2h2012.html


To understand the extent of the threat another posting was released on March 14 titled “Medical Industry Under Attack by Chinese Hackers”.  Here is one of the key quotes from this article.

“Healthcare is listed as one of China’s priorities in its 15-year science and technology development strategy for 2006 to 2020”

“Many of these victims have technology or drugs that are a monopoly. If you are the first to market with some great new technology breakthrough or drug, and you get a profit from that research … it would definitely be an issue for the Chinese to target some of these”

http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240150858/medical-industry-under-attack-by-chinese-hackers.html


As recently as March 20th an article in The Daily Briefing was posted stating:

“Rich Barger—chief intelligence officer for CyberSquared, a data security company—said his firm can confirm that at least three Chinese advanced persistent threat groups, or APT groups, have targeted medical organizations.”

http://www.advisory.com/Daily-Briefing/2013/03/20/Hackers-target-medical-organizations


As you can see the industry is definitely under attack and many healthcare organizations are more than likely compromised.  The unfortunate problem is that these companies are spending all their security money to focus on the leakage of personal and medical records, but they are still implementing the wrong controls to protect against a threat that impacts their entire business model.

If the healthcare industry does not shift its current security strategy and prioritize its spending on the right prevention controls, then its data and business models will be completely assimilated in the next decade.


Whether defending against common malware or some determined nation state, being able to proactively detect attacks and changes in the organization is required.  The past year I spent a large amount of time helping several organizations set up and put in place the right people, processes, and technology to help defend against increasing security threats.  Although many organizations spend millions of dollars on technology and hire staff to monitor security 24/7, the organizations were still lacking two fundamental items.

  1. The people, although good at monitoring, lacked the attack and threat mindset.  The staff was not able to figure out when an actual attack was happening.
  2. The organizations lacked the basic security operations processes required to keep track of and make appropriate use of the vast amounts of data.

As a result I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC, which can be used to help organizations setup a centralized core and embark on developing the correct operational processes.  Although I don’t address item number one above, this paper explains in detail the following.

  • Defining the SOC
  • Determining the Processes
  • Understanding the Environment that needs to be protected
  • Identifying the SOC Customers
  • Staffing the SOC
  • Managing the Events
  • Leveraging ITIL compliance

Creating and Maintaining a SOC – The details behind successful Security Operations Centers

If your organization is under attack and you have invested in more people and technology be sure to implement the right processes and build a foundation for future defense.


There has been a large amount of security information and recent attacks posted in the media.  We have Mandiant’s report on China as well as several issues concerning Java.  The pure volume of information over the past year has made it difficult to keep up without a combination of sources.  As a result InfoSecAlways has made a few modifications to the site.  Please check out the new “Security Feeds” in the right column (4th block down).  This is a combination of about 20 different security RSS feeds piping into the blog now.  You can check the site daily to get the latest news and updates in the industry.

Also, check out the links page as there are several new Threat and Vulnerability links added.  These are great if you are looking for specific attacks, breaches, or threats.


Almost one week after the hurricane Sandy disaster, this is the scene within at least a 50 mile radius north of Manhattan.  New Jersey, which was hit harder, is probably much worse considering gas rationing is now in effect.

December 2007 Posting

On December 19th of 2007, InfoSecAlways posted a blog article on Disaster Recovery Alternate Site Distances.   In that posting the recommended distance in preparing for a hurricane was cited.  The external study suggested an 85 mile radius.  InfoSecAlways suggested increasing that distance to 210 miles.  If Sandy was only a category 1 hurricane and the Tri-state area is affected as far north as Bridgeport CT, the 85 mile radius is absolutely not acceptable.  Even gas is hard to get within that 85 mile radius.

One item that was not discussed in the previous blog article was gasoline.  For the past 4 days now this is the same picture everywhere at least 50 miles north of Manhattan.  This station in particular has had a gas tank delivery every day for the past 3 days.  Each night the station runs out of gas late in the evening.  In New Jersey and Staten Island there are stories about gas being siphoned from tanks and generators being stolen.  The situation appears to get worse daily and the lines even longer.

A gasoline crisis affects both individuals and corporations.  Employees will not show up to work out of fear of theft or running out of gas.  This is especially true if they have power issues that require a generator.  Individuals will be forced to deal with personal items and work becomes secondary.   If a business operates as a supply chain, taxi, or delivery organization, which is dependent on transportation, it may be very difficult to operate due to lack of gas or increased traffic as a result of lines.

What to do?

Unfortunately gas is an absolute requirement for both individuals and corporations to operate effectively.  Individuals should know several different items that can help in the event of a disaster.

Siphoning gas is difficult on most new cars.  These cars contain a siphon screen that prevents hoses from going into the tank.  In dire situations removing the fuel filter allows access to the gas.  Remember that lawn mowers and other household items may have gas if needed.

Generators and gas tanks will get stolen.  Staying in a disaster zone is not recommended, even within a few days after the disaster.  Wait at the alternate location for several days until power is restored, supply chains can provide food, and any other immediate crisis has been resolved.

On the other hand corporations will need to provide an alternate means of connectivity for office and technology based jobs.  Use a good mobile provider that can bring a generator to the corporate office or enable the business to connect at a remote location.  Organizations like Agility Recovery are experts at providing these services and other mobile solutions.

Corporations that require gasoline to operate the business should have conducted the proper analysis and considered the supply of gasoline a mission critical process.  As a result these businesses must purchase a series of large tanks and should consider owning their own gas stations with backup supply chains in place.  These gas supply tanks and stations must be protected with the proper physical security mechanisms, such as anti-siphon devices on tanks and secure fencing perimeters around the gas stations.

Recommended Distance

Gas is a critical resource and the effects during a hurricane can be substantial since it is required for heat, food, transportation, and much more.  Based on hurricane Sandy the distance required to provide a solid gasoline supply chain is around a 100 mile radius from the center point of the storm.  Both employees and corporations need to consider the type of disaster and its radius.  The radius should be considered for all resources and the supply chain for those resources.  Otherwise things may come to a halt when there is no gas left to buy at the station.


The first annual Brain Tank conference – Small but effective!

There are good and bad things about small Hacker cons.  The good was that you have time to talk and figure things out with other people much more effectively than some of the larger conferences.  The bad is that larger conferences tend to have many items for purchase to help you improve your skills.  These items were not available at the Brain Tank con.  Overall the mix between Hacker/Maker proved interesting and informative for the presentations that I watched.  It was also good for those of us looking to get in more experience in the Lockpick Village hosted by Toool.  However, if you were looking for additional picks or tension wrenches this was not the place. 

http://toool.us/

Overall the event had about 150 people and was a good time helping gain more experience.  This event surely will grow over time and eventually have to relocate to a bigger space than that provided by A220.org.


Hackers & Agents the card game is in full swing.  The game is continuing to evolve with several add-on packs coming out soon.   If you like encryption puzzles there is a new encryption card in the deck with added difficulty.  Check out the Facebook page for any new updates.  Also there are several tutorials and graphics posted to help with normal game play.

http://www.facebook.com/hackersandagents

On another note I will be hanging out at the Hacker-Maker conference in Rhode Island this weekend doing more lock picking and handing out a few decks.

http://thebraintank.com/

I ran into a Schlage Everest lock giving me a challenge, so if you are into lock picking I think it’s important to have a tension wrench that enters from the top.  I’m hoping the lockpick village at the Brain Tank has some good practice locks.

http://www.lockwiki.com/index.php/Schlage_Everest


Lock picking has long been a method of access to information.  Professionals engaged in physical security reviews or social engineering assessments are currently the main security professionals using these methods.  We’ve all picked the weak file cabinet lock at work or maybe even jiggled a key of a similar type to get access through a door, but how important is it really for security professionals to know this skill?

Having recently purchased a lock pick set and several training locks, I found it was extremely easy to pick the locks.  I went through a 6 set training lock package in just a few minutes and then an advanced 4 set in even less time.  I had read a lot prior to the purchase and had even made picks out of street cleaner bristles, but had very little practical knowledge.  After moving on to Master locks, etc. I found it was a little more difficult initially, but if you just sit down watching TV and practice picking the lock it becomes easy after a while.  Now there are some very complex locks, and I continue to learn and understand more about these locks.   In any event, unless the lock implements very strong controls, picking the lock is done easily.

It is important that security professionals understand lock picking to grasp the risk.  Many professionals really only talk security and don’t really practice it.  The auditor comes in and says you need to put in badge readers because there is no accountability, etc.  These people really don’t understand the simplicity of lock picking or the real weakness.  Not that I’m anywhere near a professional at it.

  • How many locks at your work environment are key locks?
  • Is there sensitive information in these areas?

As professionals we should not underestimate the simplicity of lock picking.  If you are serious about security you really need to get some lock picking practice and understand the risks associated with standard locks.

If you are interested in learning more, you can learn lock picking at Defcon and ShmooCon.

In addition, if you continue as a hobby I would recommend becoming a member of the following site.

http://www.lockpicking101.com/


Wikipedia truly is amazing.  Check out the list of worldwide security conferences.  This is a great place to look for any professionals wanting to speak or attend high profile conferences.  Definitely a good site to add to my links page.

http://en.wikipedia.org/wiki/Computer_security_conference


Rogue Russian entities in the advertising industry take millions and the entire company disappears. Poor security programming techniques from offshore entities expose cross site scripting flaws in 50% of the company’s websites. In any event, more and more security weakness is exposed by the poor practices associated with a vendor, partner, or other third party business entity. These third party entities and the services they provide can cause great exposure, resulting in large scale financial problems for the host organization.

What can be done?

Security of third party entities can be accomplished in many ways, but it has to start with the relationship and contracts in place. Once there is a contract then each practice can be broken down. Third party security assessments typically include two main practices. These are:

  1. Technical Security Testing
  2. Checklist Validation Assessments

Technical Security Testing usually involves network vulnerability scanning, penetration testing, application testing, and sometimes security configuration reviews. This approach occurs when a third party is contracted to assess the host organization. That is also commonly called a third party assessment, but in that usage the term means contracting a third party to perform the assessment. The other usage, which the rest of this post focuses on, is assessing the host organization’s own third party service providers, not contracting a third party to perform an assessment.

Checklist validation assessments are commonly used for assessing one’s service providers. One of the most commonly used tools for this practice is supplied online by Shared Assessments. The Shared Assessments questionnaire and agreed upon procedures guides are used in many different countries around the world. They are very comprehensive and allow for customization if required. The core components that make this tool fantastic for third party risk assessments are:

  1. Excel based checklist format which can be auto compared against a configured baseline
  2. Comprehensive list of standard questions that map to some different compliance regulations

The Shared Assessments program has done a good job explaining how to use the tool, so to avoid repeating information that is clearly explained online, the focus here will be on leveraging the tool to build a third party assessment function in the organization. Building the third party assessment function requires some dedicated resource time for the following responsibilities.

  • Determining the assessment schedule and prioritization
  • Customizing the questionnaires
  • Phone and email follow up to third parties
  • Onsite review and validation (if applicable based on the assessment type)
  • Providing reports to management and third party entities
  • Follow up on remediation efforts
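The first core component listed above, a checklist that can be automatically compared against a configured baseline, is the piece most worth scripting when the program scales to hundreds of entities. The block below is an added example, not part of the original post and not Shared Assessments material: it uses a constructed yes/no questionnaire with weights, compares a vendor’s responses against the expected answers, produces a weighted score per domain and overall, and turns every deviation into a prioritized finding for the follow-up and remediation steps listed above. The CSV layout, the questions, the weights and the responses are all constructed for illustration.

```python
"""Compare third party questionnaire responses against a configured baseline.

Added example with constructed data; the question set below only mimics the
shape of a weighted yes/no checklist and is not any published questionnaire.
"""
import csv
import io
from collections import defaultdict

# Constructed baseline: expected answer and weight per question, grouped by domain.
BASELINE_CSV = """question_id,domain,question,expected,weight
A.1,Access Control,Is MFA required for remote access to systems holding client data?,Yes,5
A.2,Access Control,Are user accounts reviewed at least quarterly?,Yes,3
B.1,Vulnerability Mgmt,Are critical patches applied within 30 days?,Yes,4
B.2,Vulnerability Mgmt,Is an annual penetration test performed by an independent party?,Yes,3
C.1,Incident Mgmt,Is there a documented incident response plan with customer notification steps?,Yes,4
C.2,Incident Mgmt,Are security events from critical systems centrally logged?,Yes,2
C.3,Incident Mgmt,Are backups of client data restore-tested at least annually?,Yes,2
"""

# Constructed vendor responses; note the unjustified N/A and the missing C.3.
RESPONSES_CSV = """question_id,answer,comment
A.1,Yes,
A.2,No,Reviews performed annually
B.1,Yes,
B.2,N/A,
C.1,Yes,
C.2,No,
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(baseline_csv, responses_csv):
    """Score responses against the baseline and list prioritized findings."""
    responses = {r["question_id"]: r for r in load_rows(responses_csv)}
    achieved, total, findings = defaultdict(int), defaultdict(int), []
    for q in load_rows(baseline_csv):
        qid, domain, weight = q["question_id"], q["domain"], int(q["weight"])
        resp = responses.get(qid)
        answer = resp["answer"].strip().upper() if resp else ""
        comment = resp["comment"].strip() if resp else ""
        if answer == "N/A" and comment:
            # Justified not-applicable: excluded from the score, assessor reviews the comment
            continue
        total[domain] += weight
        if answer == q["expected"].strip().upper():
            achieved[domain] += weight
            continue
        if resp is None:
            status = "unanswered"
        elif answer == "N/A":
            status = "needs validation"  # N/A with no justification is not accepted
        else:
            status = "gap"
        findings.append({"question_id": qid, "domain": domain, "weight": weight,
                         "status": status, "question": q["question"], "comment": comment})
    # Highest-weight deviations first so follow-up calls start with what matters
    findings.sort(key=lambda f: (-f["weight"], f["question_id"]))
    return {
        "overall_pct": round(100.0 * sum(achieved.values()) / sum(total.values()), 1),
        "domain_scores": {d: round(100.0 * achieved[d] / total[d], 1) for d in total},
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess(BASELINE_CSV, RESPONSES_CSV)
    print(f"overall: {result['overall_pct']}%  by domain: {result['domain_scores']}")
    for f in result["findings"]:
        print(f"[{f['status']}] {f['question_id']} (weight {f['weight']}): {f['question']}")
```

Treating an unjustified “N/A” as a finding rather than silently excluding it is the design choice that matters here; it is exactly the validation weakness discussed below, and the assessor should be forced to confirm it rather than let the score absorb it.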


Shared Assessments – Useful

Back in 2009 my blog entry was titled “BITS Shared Assessments – Useful or Not”. After several more years and reviewing hundreds of clients, it appears this is now the predominantly used assessment practice. Organizations have used the main content and questions, then customized and integrated them into formal programs. I still find the validation component one of the weakest links, but in some cases that also falls on the assessor. To help mitigate the risk, organizations should be looking at some kind of technical and checklist testing of their entities. Using both of these will help make up for deficiencies in the checklist based approaches.

I encourage others to comment if they have seen different standards for third party assessment, especially those around the checklist and validation approach. As of today, Shared Assessments appears to still be the number one choice implemented and used, based on my experience with other companies.