The document discusses how information security practitioners are overburdened due to the increasing complexity of technologies and rate of change. It proposes forming "Infosec Trust Groups" where organizations in the same sector or region can share resources and intelligence to help specialize skills, increase efficiency, and reduce costs. Working together in these groups could help address issues like staff shortages and help turn raw intelligence into more actionable threat analysis.
1. You Give Us The Fire We'll Give'em Hell!
2. Disclaimer
● These opinions are mine alone and in no way reflect the opinions of my employer.
● There is a crap load of text in the slide-deck. I don't want the message to be lost in my poor delivery.
3. Introductions
Will Metcalf, wmetcalf@idstotal.com, @node5
Open source community manager for Qualys. I work on the IronBee WAF team. Founding member of the Open Information Security Foundation.
In the past I worked for OISF, Emerging Threats, etc., beating the snot out of open source IDS. In a previous life I was a security practitioner for local government/LE.
I have the hots for all security-related FOSS stuff.
5. INFOSEC STAFF IS OVERBURDENED
• Information security practitioners are faced with the insurmountable task of securing an ever-expanding number of complex technologies.
• This problem is compounded by the rate of change in our industry. This is a real issue. To secure a technology you must truly understand how it works, right?
• Trying to consume raw data from intelligence sources, open or closed, can become overwhelming. Turning it into actionable intelligence for your organization is time consuming.
• The InfoSec pros I know tend to look at InfoSec as a way of life because they are passionate about their craft. Passion can be killed once this lifestyle is no longer a choice but instead an occupational requirement.
• If you think I'm full of crap but sense your security geeks may be approaching burnout, an ancillary presentation to this one, along with tips on how to keep InfoSec staff happy, can be found here: http://vimeo.com/24650438.
6. Changing Landscape
• Historically InfoSec has been a “tower defense game” [1]. Defenders needed to know a little bit about a broad range of technologies. This was a somewhat effective model when paired with a defender's view of the organizational terrain. With increasing complexity and dissolving network borders, this model becomes more difficult to pull off.
[1] David J. Bianco @DavidJBianco: “I don't get the fascination with tower defense games. I work in security, so that's pretty much my daily life anyway.”
7. As an Industry, We Breed Generalists
• Given the history of InfoSec programs in most organizations, i.e., needing to know a little bit about a lot of technologies, it's no wonder that as an industry we tend to breed InfoSec generalists.
• Unfortunately today most organizations need InfoSec staff with a multitude of specialized skill sets to provide adequate protection. The sooner that decision-makers realize we can't be experts in everything, the better.
8. Talent Shortage
• Given the generalist conundrum it should be no surprise that there is a severe shortage of specialized talent in the industry.
• Even if organizations (want|can afford) to hire specialized talent, they will often have trouble finding it. Most specialized talent today works for the vendors you purchase security products and services from. This compounds the problem of information asymmetry between vendor and buyer [2][3].
• Offloading certain problems to vendors/consulting firms with the desired skill sets might be OK, but be wary of arrangements where the external party has no prior insight into your organization and therefore cannot apply context to a problem. Boutique security consulting firms FTW!
[2] “Security derivatives: the downward spiral caused by information asymmetry,” by Josh Corman of the 451 Group, http://www.the451group.com:80/report_view/report_view.php?entity_id=60884
[3] http://www.mandiant.com/uploads/presentations/SOH_092310.pdf
9. Threat Intelligence Products
• Many exist today, but finding reliable, consistent, complete threat intelligence products is hard and/or cost-prohibitive.
• Having these products does not alleviate the need for in-house specialized skill sets to analyze the intel for applicability in the context of your organization. Without these skills threat intel products will probably have a very low SNR once they enter your organization.
• An ancillary to this is the fact that security vendors/intelligence providers can realistically only provide coverage for a certain number of technologies. Niche market technologies are often overlooked.
10. Intelligence Analysis Is Performed in Silos
• Given a piece of intelligence, similar organizations within an industry may independently reach like conclusions about derived threats, their risk to the organization and how to mitigate the risk, i.e., preventative/detective controls.
• This leads to unneeded duplication of analyst effort.
11. We Don't Like to Share
• Organizationally cultivated threat intelligence, while valuable to peers, is rarely shared.
• Some organizations believe that their investment in InfoSec should result in enhanced competitive advantage and therefore don't want to share.
• Others think participating in open chatter about threats will give away information about their infrastructure.
• While some industry information-sharing programs exist, the M.O. of semi-open information-sharing programs tends to be watered-down, high-level analysis with low resolution.
• High-resolution information-sharing programs generally exist among various researchers and vendors. This information is typically not available to outsiders as a counter-intelligence measure.
12. Interlude
You're probably thinking to yourself: “Oh, fantastic. Another 'this is our darkest hour' presenter. If I wanted to be depressed, I would have stayed in the office, queued up the 'Requiem for a Dream' soundtrack and spent the afternoon scanning my NIDS logs for evidence of browser-based exploits.”
Have no fear, true believer. I have a solution. Well, maybe.
13. Wild, Wild WEST
The InfoSec environment today is like the Wild West. If you're lucky, your org has a sheriff, The Security Guy. If you're really lucky, big enough and have enough cheese, you may have a couple of deputies, Security Minions. But what happens when the opposing forces are overwhelming?
Let's ask an expert.
15. MVP Alternative Course of Action
MVP may alternatively morph into a gun-toting InfoSec werewolf and try to handle things himself. He is sort of a wild card. I digress.
16. Our "Posse": Infosec Trust Groups
• Build information/resource-sharing agreements, under NDA, with other organizations in the same business sector or in close physical proximity to you. Or form trusts to manage custodial arrangements of shared data.
• Orgs in the same business sector will face similar problems. Orgs close by are probably easier to establish agreements with because dialogues are easier to maintain.
• Establishing trust groups among government organizations is probably much easier than with companies.
• In KC, the Mid-America Regional Council is already in place to foster such relationships among metro-area governments. Information sharing already exists between LE and other entities in these orgs. I mentioned @MARCKCMetro in a tweet on this subject. No response, WTF? :)
17. Yes, but Why?
• Ideally fosters the creation of specialized skill sets by offloading some tasks to the group. This allows practitioners to grow skill sets in areas that interest them.
• Have at your disposal specialized skill sets from other orgs. Having resource-sharing agreements for specialized skill sets would allow more efficient IR, because the parties involved would be able to apply preexisting knowledge of organizational context.
• The chance to offset cost and improve security posture. This can be accomplished in many ways, such as sharing security infrastructure. Think shared DNSBL servers, Cuckoo Sandboxes, (Dionaea|Glastopf|Kippo) low-interaction honeypots. You could also create trust-group-supported solutions based on FOSS to save money or to fill gaps that vendors don't cover (read: TKL-based appliances).
18. Would You Like To Know More?
• One man's false positive is another man's actionable intelligence. Creating rules to look for activity that is of little value to you, but of high value to others, is a win.
• Increase visibility of the threat landscape by sharing security event data. Even if sanitized, data still has value when you are available for inquiries about the data sets you produce. The same can be true for other items, such as performance data of WAF/IDS rules.
19. SHARING IS CARING
• Analyze data through information-sharing portals. Projects like fordrop look promising, but it could even be just a frigging restricted-access wiki. Practitioners with areas of expertise can weigh in on detection/mitigation.
• When appropriate, publicly publish/share findings with the larger InfoSec community.
• When I was at Emerging Threats, I tried to think about how I would tackle CVE-2010-3962 if still in OPSEC. I published my findings here: http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/. If exploitation was seen in the wild, the shared analysis dialogue may have gone something like this ...
20. Together We Can Do Something Beautiful
• NIDS Guy: “This will be impossible to sig with NIDS outside of the obfuscated JS sigs that trip. Here are the alerts.”
• Log Analysis Guy: “Interesting, my process accounting audit logs show that iexplore.exe fired off a notepad.exe process, which then fired off cmd.exe. I can sig this.”
• EMET Guy: “Using this combination of EMET settings for the iexplore.exe executable, I'm able to stop successful exploitation, and IE seems to function normally; others, please verify.”
• Proxy Guy: “This thing is trying to establish an SSL connection to a C&C server that is using a completely bogus cert. SSLBump + “sslproxy_cert_error deny all” is preventing the connection.”
• All Together in Unison: “Boy, I sure am glad we went to Will's talk and decided to start sharing.”
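The check Log Analysis Guy describes, the parent/child/grandchild chain iexplore.exe -> notepad.exe -> cmd.exe, is the kind of rule a trust group can hand around because it needs no vendor signature, only process-creation logs. The following is an added example, not code from the talk: it parses a constructed, simplified log format (the "pid=/ppid=/image=" layout is made up for this example and is not a real Windows 4688 or Sysmon layout), rebuilds the process tree, and matches ordered lineage patterns, generalised beyond the talk's exact chain to any fixed-length chain with "*" wildcards. The rule names and sample lines are likewise constructed.

```python
"""Process-lineage detection over process-creation log lines.

Added example (not from the talk). Finds direct ancestor->descendant chains
such as iexplore.exe -> notepad.exe -> cmd.exe and generalises them to any
ordered chain of image names, where '*' matches any image.
"""
import re

# Hypothetical, simplified log line format constructed for this example
# (not a real Windows 4688 / Sysmon layout):
#   "<timestamp> pid=<n> ppid=<n> image=<name>"
LOG_RE = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+image=(\S+)")

# Constructed sample log. pids 200 -> 300 -> 400 are the suspicious chain from
# the dialogue; pids 500 -> 600 are the same child/grandchild images launched
# from explorer.exe, which the IE-specific rules must NOT flag.
SAMPLE_LOG = """\
2010-11-04T10:00:01 pid=100 ppid=1   image=explorer.exe
2010-11-04T10:00:05 pid=200 ppid=100 image=iexplore.exe
2010-11-04T10:01:10 pid=300 ppid=200 image=notepad.exe
2010-11-04T10:01:11 pid=400 ppid=300 image=cmd.exe
2010-11-04T10:02:00 pid=500 ppid=100 image=notepad.exe
2010-11-04T10:02:05 pid=600 ppid=500 image=cmd.exe
2010-11-04T10:03:00 pid=700 ppid=200 image=iexplore.exe
"""


def parse_log(text):
    """Map pid -> (ppid, image). A later line for the same pid wins."""
    procs = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3).lower()
            procs[pid] = (ppid, image)
    return procs


def lineage(procs, pid, depth):
    """Return [(pid, image), ...] covering `depth` generations ending at `pid`,
    oldest ancestor first, or None if the known tree is not that deep."""
    chain = []
    cur = pid
    for _ in range(depth):
        if cur not in procs:
            return None
        ppid, image = procs[cur]
        chain.append((cur, image))
        cur = ppid
    chain.reverse()
    return chain


def find_chains(procs, pattern):
    """Return pid tuples (ancestor, ..., descendant) whose direct lineage matches
    `pattern`, an ordered tuple of image names; '*' matches any image."""
    wanted = [p.lower() for p in pattern]
    hits = []
    for pid in procs:
        chain = lineage(procs, pid, len(wanted))
        if chain is None:
            continue
        if all(w == "*" or w == img for w, (_, img) in zip(wanted, chain)):
            hits.append(tuple(p for p, _ in chain))
    return hits


# Rules a trust group might share (names constructed for this example): one
# narrow rule for the exact chain seen, one broader rule for IE spawning
# anything that then spawns a shell.
RULES = {
    "ie_notepad_cmd": ("iexplore.exe", "notepad.exe", "cmd.exe"),
    "ie_any_cmd": ("iexplore.exe", "*", "cmd.exe"),
}


def run_rules(text, rules=RULES):
    """Return {rule_name: [pid chains]} for every rule that fired."""
    procs = parse_log(text)
    fired = {}
    for name, pattern in rules.items():
        hits = find_chains(procs, pattern)
        if hits:
            fired[name] = hits
    return fired


if __name__ == "__main__":
    for name, chains in run_rules(SAMPLE_LOG).items():
        for chain in chains:
            print(f"ALERT {name}: pid chain {' -> '.join(map(str, chain))}")
```

On a real host the triple (pid, ppid, image) would come from Windows Security event 4688 (New Process ID, Creator Process ID) or Sysmon event 1 (ProcessId, ParentProcessId, Image); only parse_log changes. Two caveats a practitioner will hit: pids are reused, so a long log window needs the process start time folded into the key, and the matcher checks direct lineage only, so an extra hop (iexplore.exe -> notepad.exe -> rundll32.exe -> cmd.exe) needs a wider wildcard pattern or an "any descendant" walk rather than a fixed-depth one.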