Eyes on the ground: why you need security agents

1. @ncooprider@threatstack 1 Eyes on the Ground: Why You Need Security Agents Nathan Cooprider Software Team Lead

2. @ncooprider@threatstack 2 • often find yourself booting into safe mode? • regularly look for programs in the taskbar to kill? • look for reasons why your computer seems sluggish? • wonder why you pay for that thing on your computer? • get employee complaints about installed software? • look for ways to meet compliance requirements? • care about security? Do you AGENT FATIGUE

3. @ncooprider@threatstack 3 My day job: agent team lead

4. @ncooprider@threatstack 4 The path to agent acceptance! Acceptance Fatigue Cost Need Choices Evaluation

5. @ncooprider@threatstack 5 Security fatigue

6. @ncooprider@threatstack 6 Normalization of deviance Incremental and gradual erosion of normal procedures

7. @ncooprider@threatstack Normalization of deviance http://gunshowcomic.com/648

8. @ncooprider@threatstack 8 Agent fatigue "The term agent fatigue is widely used to describe this phenomenon on the desktop. Are viruses a problem? Here is an antivirus solution. Is command and control communication the problem? Here is a Host-based Intrusion Detection System (HIDS). Need to keep track of all the software and versions installed on a system? Here is a compliance agent. The list of agents goes on and on. Each agent serves a different purpose, communicates to a different control server, and is managed by a different group within the organization." Building an Intelligence Led Security Program by Allan Liska

9. @ncooprider@threatstack 9 Agent fatigue

10. @ncooprider@threatstack 10 Agent fatigue “I was talking to a financial services executive and he was asked ‘How does a startup approach you with something?’ and he said ‘Let me just tell you one hint: Don't sell me an end- If you need to put an agent on an endpoint. It's done’” Michael Figueroa Advanced Cyber Security Center Startup Security Weekly #31

12. @ncooprider@threatstack 12 • Licensing • Price per installation • Compliance complications • Workflow adaptation • Introduced latency • Full-on road blocks • Management • Additional attack surface • Interfering with host behavior Cost of running an agent

13. @ncooprider@threatstack 13 Cost of running an agent Monthly AWS BILL $10 $100 $1,000 $10,000 $100,000 1% $0.10 $1 $10 $100 $1,000 5% $0.50 $5 $50 $500 $5,000 10% $1 $10 $100 $1,000 $10,000 25% $2.50 $25 $250 $2,500 $25,000 • Resource utilization • Personel • CPU, network, memory, disk

14. @ncooprider@threatstack 14 Security maturity model AUDIT Baseline Your Environment and Meet Security Best Practices. CONFIGURATION AUDITING • ALERTING • WORKFLOW INTEGRATIONS MONITOR Continuously Monitor & Alert to Detect Vulnerabilities, Intrusion, & Meet Compliance Requirements. VULNERABILITY ASSESSMENT • FILE INTEGRITY MONITORING • USER ACTIVITY MONITORING INVESTIGATE Automatically Analyze Security Events to Determine Root Cause. USER SESSION PLAYBACK • DEEP PROCESS MONITORING • THREAT INTELLIGENCE PREVENT Prevent Progression on the Cyber Kill Chain. ISOLATE COMPROMISE • PREVENT LATERAL MOVEMENT

16. @ncooprider@threatstack 16 • Necessary features not available any other way • The network cannot give us the data • The host can give us the data • The hosts host our valuable assets • Not all agents equal • Past experience not indication of future #fail • Learn how to judge • Find best fit Need for an agent

17. @ncooprider@threatstack 17 • Increased SSL/TLS usage • NIDS blind to 70-80% of the traffic post-Snowden • Needs specialized Network Processor hardware • Not an option in with cloud providers • NSS Labs paper documents situation https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/ • Vanished perimeter • Maginot line - defense in depth • Bring your own device and the like • Cloud - don’t let provider be SPOF NIDS not enough

18. @ncooprider@threatstack 18 Agent-only information

19. @ncooprider@threatstack 19 Protect the assets https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

21. @ncooprider@threatstack 21 • Build vs buy • Open-source vs proprietary • Cloud, server, workstation, IoT • Kernel vs user • Visibility vs prevention Agent choices

22. @ncooprider@threatstack 22 • Do you understand all the issues that are involved - all the elements that go into the TCO? • Do you want to be a security company or do you want to be a secure company? Build vs buy

23. @ncooprider@threatstack 23 Open-source vs proprietary Open-source Proprietary Pros • Free to try before you buy • Free support • Open standards • Fewer bugs and faster fixes • Better security • Avoids vendor lock-in • Usability • Product stability • Ownership • Tailored support Cons • Reduced competitive advantage • Minimal support leverage • Usability • Increased business risk • Dependency • Software opacity http://www.optimusinfo.com/downloads/white-paper/open-source-vs-proprietary-software-pros-and-cons.pdf

24. @ncooprider@threatstack 24 • On the one hand: they’re all computers • On the other hand: REALLY? Cloud, server, workstation, IoT

25. @ncooprider@threatstack 25 Kernel vs user

26. @ncooprider@threatstack 26 Visibility vs prevention

28. @ncooprider@threatstack 28 Criteria • Cost • Service • Benchmarking • Sensors • Actuators • Integration Evaluating agents

29. @ncooprider@threatstack 29 • Total cost of ownership • All the “ilities” - availability, scalability, reliability, etc. • Talent • Care and feeding • Use what you get • Deploy the software • Look at the results • Tune performance Price and cost

30. @ncooprider@threatstack 30 • Training • Helpdesk • Management Service

31. @ncooprider@threatstack 31 • Easy to do wrong • Environment specific • Measure right thing • CPU • Memory • Network • Disk • Weigh appropriately Benchmarking

32. @ncooprider@threatstack 32 • Targets • Processes • Files • Network • Users • Configuration • Consider reliability • Perspective • Persistence Sensors

33. @ncooprider@threatstack 33 • More than just logging "Right now, logging in the cloud is an absolute complete unmitigated train wreck, as far as finding out where your data is" John Strand Enterprise Security Weekly #37 • Alerting • Severity • Context • Modification • Autonomous? Actuators

34. @ncooprider@threatstack 34 Integration

36. @ncooprider@threatstack 36 • Agent fatigue • Real and valid • Something we need to get over • Agents provide critical value • Vision on assets instead of around them • Attackers want hosts, not your network • Choose wisely • Evaluate along all criteria: Total cost, comfortable support, real benchmarks, useful sensors, actions beyond logging, and integrations Conclusion

37. @ncooprider@threatstack 37 Questions?

38. @ncooprider@threatstack 38 http://www.computerweekly.com/blog/David-Laceys-IT-Security-Blog/Countering-the-Threat-of- Information-Security-Fatigue http://www.washingtontimes.com/news/2014/aug/7/hayden-security-fatigue-on-the-rise-as-public-feel/ http://www.securitymagazine.com/articles/87014-dispelling-the-dangerous-myth-of-data-breach-fatigue https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel- hopeless-and-act-recklessly https://sma.nasa.gov/docs/default-source/safety-messages/safetymessage-normalizationofdeviance- 2014-11-03b.pdf http://www.networkworld.com/article/2293335/infrastructure-management/fighting-back-against-software- agent-overload.html https://www.forescout.com/company/blog/death-taxes-endpoint-agents/ https://community.spiceworks.com/topic/1917877-poll-software-agents-take-them-or-leave-them http://wiki.securityweekly.com/wiki/index.php/SSWEpisode3 https://www.elsevier.com/books/building-an-intelligence-led-security-program/liska/978-0-12-802145-3 https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/ https://blog.threatstack.com/calculating-tco-the-real-cost-of-cloud-security Resources

39. @ncooprider@threatstack 39 Extra slides

40. @ncooprider@threatstack 40 Normalization of deviance

41. @ncooprider@threatstack 41 CAN I HELP YOU?