Eyes on the ground: why you need security agents


Whether you build, buy, borrow, or steal it, you need a security agent on your endpoints. We can already hear your cries of "agent fatigue" and we sympathize. Any agent, no matter how lightweight, has costs associated with running it. Minimize those costs and get an agent, because you need the information that only an agent can harvest from the endpoint. We talk about various types of security agents, including their respective strengths and weaknesses. We explore how agents can interact and interfere with each other, and provide some tips for evaluating agents. We cover open-source, custom-built, and vendor perspectives, from cloud to IoT. We need information to do our jobs, and we need agents on our digital assets to provide that information.

Originally presented at SOURCE Boston 2017: https://drive.google.com/file/d/0B26q0H40PvdZeVJyVGdXNmprUGM/view?usp=sharing

Slides:

  1. Eyes on the Ground: Why You Need Security Agents
     Nathan Cooprider, Software Team Lead (@ncooprider, @threatstack)

  2. Agent fatigue
     Do you
     • often find yourself booting into safe mode?
     • regularly look for programs in the taskbar to kill?
     • look for reasons why your computer seems sluggish?
     • wonder why you pay for that thing on your computer?
     • get employee complaints about installed software?
     • look for ways to meet compliance requirements?
     • care about security?

  3. My day job: agent team lead

  4. The path to agent acceptance: Fatigue, Cost, Need, Choices, Evaluation, Acceptance

  5. Security fatigue

  6. Normalization of deviance: incremental and gradual erosion of normal procedures

  7. Normalization of deviance (comic: http://gunshowcomic.com/648)

  8. Agent fatigue
     "The term agent fatigue is widely used to describe this phenomenon on the desktop. Are viruses a problem? Here is an antivirus solution. Is command and control communication the problem? Here is a Host-based Intrusion Detection System (HIDS). Need to keep track of all the software and versions installed on a system? Here is a compliance agent. The list of agents goes on and on. Each agent serves a different purpose, communicates to a different control server, and is managed by a different group within the organization."
     Building an Intelligence Led Security Program, Allan Liska

  9. Agent fatigue

  10. Agent fatigue
     "I was talking to a financial services executive and he was asked 'How does a startup approach you with something?' and he said 'Let me just tell you one hint: Don't sell me an end- If you need to put an agent on an endpoint. It's done'"
     Michael Figueroa, Advanced Cyber Security Center, Startup Security Weekly #31

  11. The path to agent acceptance: Fatigue, Cost, Need, Choices, Evaluation, Acceptance

  12. Cost of running an agent
     • Licensing
     • Price per installation
     • Compliance complications
     • Workflow adaptation
     • Introduced latency
     • Full-on road blocks
     • Management
     • Additional attack surface
     • Interfering with host behavior

  13. Cost of running an agent
     • Resource utilization: CPU, network, memory, disk
     • Personnel
     Agent overhead as a share of the monthly AWS bill:

       Overhead   $10      $100    $1,000   $10,000   $100,000
       1%         $0.10    $1      $10      $100      $1,000
       5%         $0.50    $5      $50      $500      $5,000
       10%        $1       $10     $100     $1,000    $10,000
       25%        $2.50    $25     $250     $2,500    $25,000

  14. Security maturity model
     AUDIT: baseline your environment and meet security best practices (configuration auditing, alerting, workflow integrations).
     MONITOR: continuously monitor and alert to detect vulnerabilities and intrusion, and meet compliance requirements (vulnerability assessment, file integrity monitoring, user activity monitoring).
     INVESTIGATE: automatically analyze security events to determine root cause (user session playback, deep process monitoring, threat intelligence).
     PREVENT: prevent progression on the cyber kill chain (isolate compromise, prevent lateral movement).

  15. The path to agent acceptance: Fatigue, Cost, Need, Choices, Evaluation, Acceptance

  16. Need for an agent
     • Necessary features not available any other way
       • The network cannot give us the data
       • The host can give us the data
       • The hosts host our valuable assets
     • Not all agents are equal
       • Past experience is no indication of future #fail
       • Learn how to judge
       • Find the best fit

  17. NIDS not enough
     • Increased SSL/TLS usage
       • NIDS blind to 70-80% of the traffic post-Snowden
       • Needs specialized network-processor hardware
       • Not an option with cloud providers
       • NSS Labs paper documents the situation: https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/
     • Vanished perimeter
       • Maginot line - defense in depth
       • Bring your own device and the like
       • Cloud - don't let the provider be a SPOF

  18. Agent-only information

  19. Protect the assets: https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

  20. The path to agent acceptance: Fatigue, Cost, Need, Choices, Evaluation, Acceptance

  21. Agent choices
     • Build vs buy
     • Open-source vs proprietary
     • Cloud, server, workstation, IoT
     • Kernel vs user
     • Visibility vs prevention

  22. Build vs buy
     • Do you understand all the issues that are involved, all the elements that go into the TCO?
     • Do you want to be a security company or do you want to be a secure company?

  23. Open-source vs proprietary
     Open-source pros: free to try before you buy; free support; open standards; fewer bugs and faster fixes; better security; avoids vendor lock-in
     Open-source cons: reduced competitive advantage; minimal support leverage; usability
     Proprietary pros: usability; product stability; ownership; tailored support
     Proprietary cons: increased business risk; dependency; software opacity
     Source: http://www.optimusinfo.com/downloads/white-paper/open-source-vs-proprietary-software-pros-and-cons.pdf

  24. Cloud, server, workstation, IoT
     • On the one hand: they're all computers
     • On the other hand: REALLY?

  25. Kernel vs user

  26. Visibility vs prevention

  27. The path to agent acceptance: Fatigue, Cost, Need, Choices, Evaluation, Acceptance

  28. Evaluating agents
     Criteria: cost, service, benchmarking, sensors, actuators, integration

  29. Price and cost
     • Total cost of ownership
       • All the "ilities": availability, scalability, reliability, etc.
       • Talent
       • Care and feeding
     • Use what you get
       • Deploy the software
       • Look at the results
       • Tune performance

  30. Service
     • Training
     • Helpdesk
     • Management

  31. Benchmarking
     • Easy to do wrong
     • Environment specific
     • Measure the right thing: CPU, memory, network, disk
     • Weigh appropriately
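The slide says benchmarking is "easy to do wrong": a single `top` reading taken while the agent is still indexing the host says nothing about steady-state cost. The example below is an added illustration, not code from the talk or from any Threat Stack product. It computes an agent's averaged CPU share over a benchmark window from two snapshots of Linux `/proc/stat` (whole-machine ticks) and `/proc/<pid>/stat` (the agent's own user+system ticks). The snapshot strings, the pid 1234 and the 4-vCPU host are constructed for the demo; `snapshot()` reads the live files on a Linux host.

```python
"""Added example: averaged CPU share of an agent process between two /proc snapshots."""
import os


def total_ticks(proc_stat_text):
    """Sum every tick counter on the aggregate 'cpu' line of /proc/stat (all CPUs)."""
    first = proc_stat_text.splitlines()[0].split()
    if first[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line first")
    return sum(int(v) for v in first[1:])


def process_ticks(pid_stat_text):
    """Return utime + stime (fields 14 and 15) from /proc/<pid>/stat.

    The comm field (2) is parenthesised and may contain spaces, so the line is
    split only after the last ')'; the remaining list then starts at field 3.
    """
    rest = pid_stat_text[pid_stat_text.rindex(")") + 1:].split()
    utime, stime = int(rest[11]), int(rest[12])  # fields 14 and 15 of the full line
    return utime + stime


def cpu_share(total_before, total_after, proc_before, proc_after, ncpu):
    """CPU share over the window: percent of the whole machine and of a single core."""
    d_total = total_after - total_before
    d_proc = proc_after - proc_before
    if d_total <= 0 or d_proc < 0:
        raise ValueError("snapshots must be taken in order and cover a non-empty window")
    system_pct = 100.0 * d_proc / d_total
    return {"system_pct": system_pct, "one_core_pct": system_pct * ncpu}


def snapshot(pid):
    """Read live counters on Linux; returns (total_ticks, process_ticks)."""
    with open("/proc/stat") as f:
        total = total_ticks(f.read())
    with open(f"/proc/{pid}/stat") as f:
        proc = process_ticks(f.read())
    return total, proc


# Constructed snapshots (not real captures): a 4-vCPU host, 960 ticks elapsed
# across all CPUs, agent pid 1234 consumed 48 of them (utime 40->70, stime 8->26).
STAT_BEFORE = "cpu  1000 0 500 8000 100 0 0 0 0 0\ncpu0 250 0 125 2000 25 0 0 0 0 0\n"
STAT_AFTER = "cpu  1100 0 550 8800 110 0 0 0 0 0\ncpu0 275 0 138 2200 28 0 0 0 0 0\n"
PID_BEFORE = ("1234 (my agent) S 1 1234 1234 0 -1 4194560 900 0 0 0 40 8 0 0 20 0 3 0 "
              "5000 120000000 2000 18446744073709551615")
PID_AFTER = ("1234 (my agent) S 1 1234 1234 0 -1 4194560 950 0 0 0 70 26 0 0 20 0 3 0 "
             "5000 120000000 2100 18446744073709551615")
NCPU = 4


def example():
    """Run the calculation over the constructed snapshots."""
    return cpu_share(total_ticks(STAT_BEFORE), total_ticks(STAT_AFTER),
                     process_ticks(PID_BEFORE), process_ticks(PID_AFTER), NCPU)


if __name__ == "__main__":
    print(example())  # {'system_pct': 5.0, 'one_core_pct': 20.0}
```

Both figures matter when you "weigh appropriately": 5% of a 4-vCPU host is 20% of one core, which is what the agent steals from a single-threaded service pinned to that core. Take the two snapshots at least several minutes apart, after the agent has finished its start-up scan, and repeat on a representative workload, since the share is environment specific.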
  32. Sensors
     • Targets: processes, files, network, users, configuration
     • Consider reliability: perspective, persistence
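Files are one of the sensor targets on the slide, and file integrity monitoring appears in the maturity model's MONITOR tier. The following added example (written for this page, not code from the talk or from Threat Stack) is a minimal host-side file-integrity sensor: it baselines a directory tree by owner, mode, size and SHA-256 (or link target for symlinks), then diffs a later scan against the baseline. The tampered tree in `demo()` is constructed for the demonstration; the point it makes is that a content hash catches a same-size binary swap whose mtime was restored, which an mtime-only check misses.

```python
"""Added example: a minimal file-integrity sensor (baseline, rescan, diff)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Describe one filesystem entry without following symlinks."""
    st = path.lstat()
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def baseline(root):
    """Map relative path -> fingerprint for every non-directory entry under root."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_dir() and not p.is_symlink():
            continue
        snap[p.relative_to(root).as_posix()] = fingerprint(p)
    return snap


def diff(old, new):
    """Report added, removed and modified entries, with the fields that changed."""
    modified = {}
    for rel in old.keys() & new.keys():
        fields = old[rel].keys() | new[rel].keys()
        changed = {f: (old[rel].get(f), new[rel].get(f))
                   for f in fields if old[rel].get(f) != new[rel].get(f)}
        if changed:
            modified[rel] = changed
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": modified,
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "ssh").mkdir()
        (root / "etc" / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        os.chmod(root / "bin" / "ls", 0o755)

        before = baseline(root)

        # Constructed tampering: uid-0 account appended, binary replaced with one of
        # the same size and its mtime restored, config removed, setuid helper dropped in.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("eve:x:0:0::/root:/bin/bash\n")
        ls = root / "bin" / "ls"
        old_stat = ls.stat()
        ls.write_bytes(b"\x7fELF trojaned")
        os.utime(ls, (old_stat.st_atime, old_stat.st_mtime))  # defeats mtime-only checks
        (root / "etc" / "ssh" / "sshd_config").unlink()
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\n")
        os.chmod(root / "bin" / "helper", 0o4755)

        after = baseline(root)
        return diff(before, after)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two of the slide's reliability points show up directly in this design. Perspective: the sensor sees the host's view of the file, so a rootkit that hides files from the filesystem API hides them from this scan too, which is one argument for kernel-level sensors. Persistence: a polling scanner only sees the state at scan time; a file modified and restored between scans leaves no trace here, so a production agent pairs this with an event source such as inotify or audit.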
  33. Actuators
     • More than just logging
       "Right now, logging in the cloud is an absolute complete unmitigated train wreck, as far as finding out where your data is"
       John Strand, Enterprise Security Weekly #37
     • Alerting: severity, context
     • Modification: autonomous?

  34. Integration

  35. The path to agent acceptance: Fatigue, Cost, Need, Choices, Evaluation, Acceptance

  36. Conclusion
     • Agent fatigue
       • Real and valid
       • Something we need to get over
     • Agents provide critical value
       • Vision on assets instead of around them
       • Attackers want hosts, not your network
     • Choose wisely
       • Evaluate along all criteria: total cost, comfortable support, real benchmarks, useful sensors, actions beyond logging, and integrations

  37. Questions?

  38. Resources
     http://www.computerweekly.com/blog/David-Laceys-IT-Security-Blog/Countering-the-Threat-of-Information-Security-Fatigue
     http://www.washingtontimes.com/news/2014/aug/7/hayden-security-fatigue-on-the-rise-as-public-feel/
     http://www.securitymagazine.com/articles/87014-dispelling-the-dangerous-myth-of-data-breach-fatigue
     https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
     https://sma.nasa.gov/docs/default-source/safety-messages/safetymessage-normalizationofdeviance-2014-11-03b.pdf
     http://www.networkworld.com/article/2293335/infrastructure-management/fighting-back-against-software-agent-overload.html
     https://www.forescout.com/company/blog/death-taxes-endpoint-agents/
     https://community.spiceworks.com/topic/1917877-poll-software-agents-take-them-or-leave-them
     http://wiki.securityweekly.com/wiki/index.php/SSWEpisode3
     https://www.elsevier.com/books/building-an-intelligence-led-security-program/liska/978-0-12-802145-3
     https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/
     https://blog.threatstack.com/calculating-tco-the-real-cost-of-cloud-security

  39. Extra slides

  40. Normalization of deviance

  41. CAN I HELP YOU?