The Magic of Symbiotic Security

5,593 views

Published on

Throw out everything that you know about security tools today. No more six-figure appliances that only do one thing marginally well. No more proprietary protocols. We deserve better and we demand better. Envision a world where your security tools talk with eachother. They communicate and share data in order to leverage eachothers strengths and and help compensate for their weaknesses. They work together to solve problems. Envision "Symbiotic Security".

Symbiotic Security is a new term that was coined to describe the ability of a tool to consume data from other tools or provide data to other tools. As part of our research, we have examined various classes of tools on the market and identified these abilities in each of them resulting in a label of "Consumer", "Provider", or "Symbiotic". As a consumer of security tools, this completely revolutionizes the way that we make purchases.

As an example, let's pretend that you are purchasing a new Intrusion Prevention System for your enterprise. As you begin to evaluate the various tools from the Gartner Magic Quadrant, you quickly realize that they almost all have the same primary feature set. The key differentiator at this point aren't the rules or the hardware, but rather, the ability for the system to send and receive data with other systems. The IPS itself has some signatures and blocking abilities, but has zero relevancy data. Now, we give the IPS the ability to pull in vulnerability data and system configuration information from network and host scans and we gain relevancy. Add in some additional data on where the potential threat is coming from and now you have the data necessary to take a decisive action on threats. This new system is a "Consumer". Now, if you give the IPS the ability to send information to other devices on things like the source of relevant threats, those devices, like a firewall or HIPS, can now make intelligent blocking decisions as well. Our IPS now has "Provider" abilities. Since our IPS is labeled as both a "Provider" and "Consumer" it is deemed "Symbiotic". This convention can now be used both by the manufacturer to market the value-add of the device as well as a way for the purchasers to differentiate between otherwise similar devices.

In order to demonstrate the true powers of being symbiotic, we are releasing a free tool that epitomizes this concept. The tool, named ThreadFix, has been labeled as a "Consumer" because of it's abilities to pull vulnerability data from static and dynamic scanning tools, threat modeling, and manual penetration tests as well as alert logs and vulnerability details from IDS, IPS, and WAF products. ThreadFix has also been labeled as a "Provider" because of it's abilities to normalize the data consumed and pass it along to IDS, IPS, and WAF for action as well as to your bug tracking system for remediation tracking. Because it can serve both a consumer and provider role, we designate it as a "Symbiotic" tool.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
5,593
On SlideShare
0
From Embeds
0
Number of Embeds
3,151
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

The Magic of Symbiotic Security

  1. 1. THE MAGIC OF SYMBIOTICSECURITYCreating an Ecosystem of Security Systems
  2. 2. DAN CORNELL¢  Founder and CTO of Denim Group¢  Software developer by background (Java, .NET, etc)¢  OWASPSan Antonio, Global Membership Committee 2
  3. 3. JOSH SOKOL¢  Information Security Program Owner at National Instruments¢  Chair of the OWASP Global Chapters Committee¢  Co-Chairof OWASP AppSec USA 2012 (October 23-26 in Austin, TX)
  4. 4. BUSINESS REQUIREMENTS¢  We need an Intrusion Prevention System (IPS).¢  We’ve budgeted $50,000 for it.¢  Get us the best tool for our money.How would you evaluate for purchase?
  5. 5. 3 PARTY REVIEWS RD¢  Overall Ranking from SC Magazine Feb. 20111)  McAfee – 5 stars2)  NitroGuard – 5 stars3)  Top Layer Security – 5 stars4)  Sourcefire – 4 stars5)  CounterSnipe – 4 stars
  6. 6. INDUSTRY RANKINGS 1) McAfee 2) Sourcefire 3) HP 4) Cisco 5) IBM
  7. 7. COST¢  Lowest cost from SC Magazine Feb. 20111)  CounterSnipe - $500/site2)  NitroGuard - $6,4953)  Sourcefire - $8,9954)  McAfee - $10,9955)  Top Layer Security - $12,495
  8. 8. FEATURESü  Zero-day threat protectionü  Inline protectingü  Passive monitoringü  Support for custom policiesü  Real-time alertingü  Central managementü  Compliance grade reportingü  High availability
  9. 9. THE INHERENT PROBLEM¢  3rdParty Bias¢  Incomplete Industry Rankings¢  Cost is ALWAYS Negotiable¢  Features are commodity
  10. 10. TOOLS ARE EVALUATED BASED ON CLASSFEATURES; NOT ON ENTERPRISE VALUE. ü Proprietary Protocols ü “Greedy” Vulnerability Mgmt Malware Analysis Platforms Firewall NAC IPS ü Tools Working in Silos ü Duplication of Functionality
  11. 11. GAUGING ENTERPRISE VALUESeparating the Wheat from the Chaff
  12. 12. CONSUMER CAPABILITIES ü Events ü Alerts ü SNMP ü Syslog
  13. 13. CONSUMERS CAN BE “GREEDY” Exploitation – Parasitism. The leech gains food and nutrients, but the host gains nothing from having a leech suck its blood.
  14. 14. PROVIDER CAPABILITIES ü Open API ü Open DB ü Data Export
  15. 15. SYMBIOTIC SECURITY You can assemble an arsenal of best-in-breed tools that work together. Even smaller purchases can have a large impact.
  16. 16. SYMBIOTIC SECURITY IS NOT¢  A piece of hardware or software you can purchase.¢  A ranking system for vendors.¢  A label you can slap on your new product.
  17. 17. SYMBIOTIC SECURITY IS¢  A philosophy on how you evaluate purchases.¢  A concept for creating an ecosystem of security systems.¢  A means of making the tools we invest in more valuable to us.
  18. 18. BEWARE OF PSEUDO-SYMBIOSIS¢  Single vendor with multiple product offerings that work together.¢  Gives symbiotic functionality, but only within that vendors tool set.¢  True Symbiotic Security is about being able to hand-pick your toolset and have them work together regardless of brand.
  19. 19. SECURITY TOOLSAnd Their Classifications
  20. 20. DATA IN SILOS¢  Reputation data: Do I trust the source?¢  Attack data: How am I being attacked?¢  Vulnerability data: What attacks are my systems vulnerable to?¢  Asset data: What versions of O/S and software am I running?¢  Identity data: Who is using my systems?¢  Data classification: Who should have access to what?
  21. 21. DATA IN SILOS (CONT)¢  Trust hierarchy: Who do I trust and who trusts me?¢  Authentication data: Do I have access?¢  Authorization data: What can I access?¢  QA data: What has been tested?¢  Trust boundaries: Is data crossing between two trust levels?
  22. 22. MAGIC HAPPENS¢  Should I accept packets from random IP X? —  Reputation data —  Attack data —  Vulnerability data —  Asset data —  Trust boundaries
  23. 23. MORE MAGIC¢  Should I allow random person X to download a file Y? —  Data classification —  Reputation data —  Authentication data —  Authorization data —  Trust boundaries
  24. 24. EVEN MORE MAGIC¢  WithSymbiotic Security the possibilities are limited only by the security ecosystem you’ve put in place. —  Creation of WAF rules based on attack data. —  Is a targeted exploit actually going to affect the system? —  Should I allow a system on my network?
  25. 25. DEMAND SYMBIOTIC SECURITY¢  Let vendors know up front that you will be evaluating the effectiveness of their tool based on: 1.  Other tools in your environment their tool can consume data from. 2.  Other tools in your environment their tool can provide data to. 3.  The net increase in security for your entire tool ecosystem and not just their tools siloed functionality.
  26. 26. THREADFIXSymbiotic Security In Action
  27. 27. THREADFIX - OVERVIEW¢  ThreadFixis a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.¢  Freely available under the Mozilla Public License (MPL)¢  Hosted at Google Code: http://code.google.com/p/threadfix/ 27
  28. 28. ThreadFix Consolidates reports so managers can speak intelligently about the status and trends of security within their organization 28
  29. 29. Vulnerability Import • Pulls in static and dynamic results • Eliminates duplicate results • Allows for results to be grouped 29
  30. 30. Real-Time Protection Virtual patching helps protect organizations during remediation 30
  31. 31. Defect Tracking • ThreadFix can connect to common defect trackers • Defects can be created for developersIntegration • Work can continue uninterrupted 31
  32. 32. THREADFIX - SYMBIOTIC¢  Vendor-independent¢  Ability to consume multiple technologies (SAST, DAST, IDS/IPS, WAF)¢  Ability to produce output that can be consumed by other tools (RESTful API)¢  Mapping vulnerability data with operational data in a bi-directional way¢  Prioritization based on actual attack data rather than suppositions
  33. 33. SUBSET OF SECURITY TOOLINTERACTIONS
  34. 34. DEMO
  35. 35. VENDORS: PLEASE SUCK LESS¢  ThreadFix was created to solve a problem that security tool vendors have created. —  Proprietary protocols —  Lack of APIs —  Lack of standards —  Play nice!¢  Some have been veryhelpful —  File format info —  Beta testing —  And so on
  36. 36. YOU KNOW WHAT WOULD MAKE ALL THIS WAYEASIER?¢  Common data standards! —  Scanning tools —  Event logs —  And so on…¢  Current efforts: —  MITRE Software Assurance Findings Expression Schema (SAFES) ¢  http://www.mitre.org/work/tech_papers/ 2012/11_3671/ —  OWASP Data Exchange Format Project ¢  https://www.owasp.org/index.php/ OWASP_Data_Exchange_Format_Project 36
  37. 37. SIMPLE SOFTWARE VULNERABILITYLANGUAGE (SSVL)¢  Common way to represent static and dynamic scanner findings¢  Based on our experience building importers for ThreadFix —  It “works” for real-world applications because we are essentially using it¢  Love to hear feedback —  Send me a request and I can share the document for editing/annotation¢  Online: —  https://docs.google.com/document/d/ 1H5hWUdj925TtoZ7ZvnfHdFABe7hBCGuZtLUas29yBGI/ edit?pli=1 —  Or http://tinyurl.com/cslqv47 37
  38. 38. SIMPLE SOFTWARE VULNERABILITYLANGUAGE (SSVL) 38
  39. 39. VENDORS WIN TOO¢  Industry vetted standards for communication¢  Niche products with enterprise functionality¢  Maximize R&D time and money¢  Vendors can excel where it matters the most
  40. 40. IDEAS TO FURTHER THE CAUSE¢  Speak with Gartner about adding symbiotic characteristics to their evaluation criteria.¢  Create a list of tools with symbiotic characteristics.
  41. 41. HELP US HELP THE COMMUNITY¢  http://www.symbioticsecurity.com/
  42. 42. QUESTIONSJosh Sokol Dan Cornelljosh.sokol@ni.com dan@denimgroup.comTwitter: @joshsokol Twitter: @danielcornellwww.joshsokol.com www.denimgroup.comwww.webadminblog.com www.denimgroup.com/ threadfix code.google.com/p/ threadfix (210) 572-4400 42

×