Practical Tactics

technology experiences and insights

Archive for October 4th, 2007

Security’s Foe: Complexity (Part 1)

Posted by bmestep on October 4, 2007

Newsflash: Complexity does not mean or provide security.

Although there probably is a company out there that hasn’t purchased a firewall, isn’t running anti-virus software, and has no plans to implement intrusion prevention technology, there are plenty that have spent the equivalent of Uganda’s GDP for the last 5 years on security technology. After 10 years of security work and countless conversations with peers, I have concluded all this spending is not solving the fundamental problem security set out to address: create safe and secure environments.

Why not?

The answer lies in why many businesses don’t have many of the generally accepted mainstream security technologies deployed. Complexity.

The complexity of security solutions and the perceived inability of security to meet dynamic business needs because of that complexity are some of the key underminers of security.

It almost begins to sound like a popular comedian’s tagline:

  • If your security solution or product requires a triple PhD from MIT to operate, you might have a complexity problem.
  • If your security solution or product has not been updated since men walked on the moon, you might have a complexity problem.
  • If a 5 lb block of Swiss cheese has fewer holes in it than your security solution or product, you might have a complexity problem.

Sure, there are all manner of security schemes on the market, from network-based defenses and host-based defenses to security policy frameworks and security intelligence services, to meet an organization’s security needs. But technology has only brought us to the place where we now need a room full of security experts poring over event data, or some artificial intelligence akin to that of Skynet from the Terminator franchise, in order to determine whether our security is working or if the bad guys have just dumped the contents of the customer billing information database to a botnet-based auction system via a partner’s VPN connection using valid credentials they obtained through an infected email to an outsourced developer.

Fired up? Come back for part 2…

Posted in Security / Risk

Did you mean Security or Safety?

Posted by bmestep on October 4, 2007

Security and Safety…

Ever notice the similarity between these words? Capitalists have been banking on the similarities: for years there have been products and services that provide for security what has long been provided under the umbrella of safety, namely insurance. Now average folks can purchase Security Insurance. Policy makers didn’t miss the boat either; they often interchange these words when addressing the public. Let’s take a closer look at these words and their contextual use.

Google security and you’ll likely end up at Wikipedia reading:

Security is the condition of being protected against danger or loss.

That’s funny, I tend to think of insurance when I read that statement, but that’s probably because of the implications associated with the word loss. Insurance helps to insulate the insured from loss by providing a means to recover, substitute, or recompense what has been lost or damaged. What about danger? That word seems more appropriate in physical security than logical security, yet in the physical security sense it draws in the word safety.

While you’re over at Wikipedia, click on safety and see what happens:

Safety is the state of being “safe” (from French sauf), the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm, or any other event which could be considered non-desirable.

Undesirable events or effects are one of the things I think of when I think about what security is trying to manage or constrain; curious that it is part of the definition / description of safety. The various failures of safety lead to similar consequences when security fails; if you disagree, consider what’s going on in Iraq. You have a “security” issue and a “safety” issue.

Just something to consider the next time a “Security Issue” crops up.

Posted in Security / Risk, Worldviews

Analytic Evolution

Posted by bmestep on October 4, 2007

Event management has evolved over the years from ICMP probes, SNMP traps, and syslog data to a very sophisticated marketplace where a myriad of products await prospective technology shoppers. The underlying technology behind these products can be described in essence as analytics, which is a vital part of any security environment; read on to understand the evolution and where we are today.

The most secure environment in the world is not viable if there is no mechanism for the security environment to alert the operators to malicious or suspicious activity!

Technology is available today that reliably provides what I would describe as 2nd Generation Analytics for the health and success of deployed security systems. I say 2nd generation because Network Management and Systems Management software has been available for years that collected alerts and provided indications of hard and soft failures for specific vendor devices, but technology to determine relevancy and severity has been hot and cold.

My favorite all-time network monitoring program was simple and reliable; it worked so well Cisco included it in one of its management products: CastleRock SNMP. You could tell if a device or a link or a service was UP or DOWN instantly. Now everything from Cisco is Java-based.

The original method of event processing was relegated to specific failure modes and had no means of identifying a security breach outside of a Denial-of-Service attack. This interrogation method of event management gave way to distributed event monitoring and event consolidation because the masses were sold on the idea that, in order to determine the disposition of an anomalous event, one must incorporate more security devices and more event data.

The approach of 2nd Generation Analytics is: gather as much data as you can to determine the extent and impact of various events, thereby achieving rudimentary correlation. 2nd Generation Analytics provided a means to blend events from an IDS with data from a deployed vulnerability system and determine whether a particular event is relevant, then optionally compare access logs on the webserver to determine success or failure of the attempt.

Products are available that can consolidate alerts and alarms for supported platforms and events as well as push events in semi-standardized formats, but as the above example suggests, an organization has to implement multiple technologies in order to know whether the data on the webserver is safe and secure.
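The IDS-plus-vulnerability-data-plus-access-log correlation described above, written out as an added example (this is not code from the original post or from any product it mentions). Every host, signature class, alert and log line is constructed for illustration; the weakness-class names and the two-minute match window are assumptions. The verdicts it produces are the three the paragraph implies: an alert against a host that the scanner says is not vulnerable is irrelevant; a relevant alert is confirmed or refuted by the webserver's own access log; and a relevant alert with no matching log entry is left explicitly unconfirmed rather than silently dropped.

```python
"""Added example: 2nd-generation correlation of IDS alerts with scanner data
and webserver access logs. All data below is constructed for illustration."""
import re
from datetime import datetime, timedelta

# Constructed scanner output: host -> weakness classes it was found vulnerable to.
# Class names are hypothetical labels, not real signature IDs.
VULN_INVENTORY = {
    "10.0.0.5": {"path-traversal", "sql-injection"},
    "10.0.0.6": set(),  # scanned clean
}

# Constructed IDS alerts: (timestamp, src, dst, weakness class, request path)
IDS_ALERTS = [
    ("2007-10-04T10:15:02", "203.0.113.9", "10.0.0.5", "path-traversal", "/app/view?file=../../config"),
    ("2007-10-04T10:16:40", "203.0.113.9", "10.0.0.6", "path-traversal", "/app/view?file=../../config"),
    ("2007-10-04T10:20:11", "198.51.100.2", "10.0.0.5", "sql-injection", "/login?u=admin%27--"),
    ("2007-10-04T10:30:00", "198.51.100.7", "10.0.0.5", "sql-injection", "/login?u=admin%27--"),
]

# Constructed webserver access logs (Apache common log format), keyed by host.
ACCESS_LOGS = {
    "10.0.0.5": [
        '203.0.113.9 - - [04/Oct/2007:10:15:02 -0500] "GET /app/view?file=../../config HTTP/1.1" 200 1432',
        '198.51.100.2 - - [04/Oct/2007:10:20:12 -0500] "POST /login?u=admin%27-- HTTP/1.1" 403 211',
        '192.0.2.44 - - [04/Oct/2007:10:21:00 -0500] "GET /index.html HTTP/1.1" 200 5120',
    ],
    "10.0.0.6": [],
}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]\s]+) [^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_line(line):
    """Parse one common-log-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def correlate(alert, inventory, parsed_logs, window=timedelta(minutes=2)):
    """Classify one IDS alert using scanner data first, then the target's access log."""
    ts, src, dst, weakness, path = alert
    # Relevance: the IDS saw an attempt, but is the target actually exposed to it?
    if weakness not in inventory.get(dst, set()):
        return "irrelevant"
    t0 = datetime.fromisoformat(ts)
    # Outcome: did the webserver serve that request from that source around that time?
    for entry in parsed_logs.get(dst, []):
        if entry["src"] == src and entry["path"] == path and abs(entry["time"] - t0) <= window:
            return "likely-success" if entry["status"] == 200 else "attempt-failed"
    # Relevant but no corroborating log entry: keep it visible, do not silently drop it.
    return "relevant-unconfirmed"


def triage(alerts=IDS_ALERTS, inventory=VULN_INVENTORY, raw_logs=ACCESS_LOGS):
    """Return one verdict per alert, in input order."""
    parsed = {
        host: [e for e in map(parse_access_line, lines) if e is not None]
        for host, lines in raw_logs.items()
    }
    return [correlate(a, inventory, parsed) for a in alerts]


if __name__ == "__main__":
    for alert, verdict in zip(IDS_ALERTS, triage()):
        print(f"{alert[1]} -> {alert[2]} {alert[3]:15} {verdict}")
```

The point of the "relevant-unconfirmed" verdict is the one the post makes about needing multiple technologies: without the webserver log the correlation cannot say whether the attempt worked, and that gap should be reported as a gap rather than quietly treated as "nothing happened".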

Alongside this 2nd Generation Analytics is the notion of management systems for management systems: a Manager of Managers, MOM if you will, where the muscle of technology is wielded to integrate disparate management systems in the hopes of creating a single cockpit-style view of events. The key difference between the two is that a MOM requires underlying management systems to push processed event data into another management system, while 2nd Generation Analytics solutions interact directly with the security environment or other infrastructure.

1st Generation Analytics brought us device interrogation, 2nd Generation Analytics brought us consolidation and limited correlation, so what’s next? Minority Report? Shut down users or devices before they break the network? {Sounds like a great commercial idea for Cisco’s Self Defending Networks}

3rd Generation Analytic technology is entering the marketplace, but the technology needs maturation. Statistical Anomaly Detection and Behavioral Analysis are the current incarnations, and there will no doubt be others; these technologies seek to apply complex mathematical techniques to events occurring within the security environment and the rest of an organization’s technology infrastructure to make alerting and correlation decisions. The intent is to answer the question ‘What is normal?’ by looking at the questions: How is this resource accessed? When is this resource accessed? Where is the user accessing this resource from? etc., in hopes of understanding the answer to ‘Is my data safe and secure?’

The validation for this technology will come with interpreting multiple data sources accurately and its ability to “learn” what is normal for company A that is abnormal for company B. There is a saturation threshold with this approach, when too many event sources are being analyzed, that results in something worse than False Positives, which is False Negatives: an organization is back to thinking it is secure because the analytics are unable to correlate some or all of the event sources and do not process critical event information from an actual breach.
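An added example covering the two preceding paragraphs (not code from the original post or any product named in it): a minimal "what is normal?" baseline per user and resource, answering the When (hour of day) and Where (source network) questions, together with an explicit coverage check so that an event source that stops parsing is reported as degraded monitoring instead of being read as "no alerts, therefore secure", which is exactly the false-negative failure the post warns about. All users, networks, history and feed lines are constructed; the one-hour slack and the key=value feed format are assumptions.

```python
"""Added example: per-user/resource baseline of access hour and source network,
plus a coverage check that surfaces dead event feeds. All data is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed access history: (user, resource, hour_of_day, source_ip)
HISTORY = [("alice", "billing-db", h, "10.1.0.12") for h in (8, 9, 10, 11, 13, 14, 15, 16)]
HISTORY += [("bob", "billing-db", h, "10.1.0.40") for h in (9, 10, 11, 14, 15)]

# Constructed network labels, so the baseline learns "where" as a network rather than an IP
NETWORKS = {"office": ip_network("10.1.0.0/24"), "partner-vpn": ip_network("172.16.5.0/24")}


def label_network(ip):
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"


def build_baseline(history):
    """Learn, per (user, resource), the hours and networks seen in the history."""
    base = defaultdict(lambda: {"hours": set(), "networks": set()})
    for user, resource, hour, ip in history:
        base[(user, resource)]["hours"].add(hour)
        base[(user, resource)]["networks"].add(label_network(ip))
    return base


def score_event(baseline, user, resource, hour, ip):
    """Return the list of ways this event deviates from the learned profile (empty = normal)."""
    profile = baseline.get((user, resource))
    if profile is None:
        return ["no-profile-for-user-resource"]
    reasons = []
    # "When": allow one hour of slack either side of any observed hour (assumption)
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        reasons.append("unusual-hour")
    # "Where": a source network never seen for this user and resource
    if label_network(ip) not in profile["networks"]:
        reasons.append("unusual-network")
    return reasons


def parse_feed_line(line):
    """Parse a constructed 'key=value ...' event line; None if the format does not fit."""
    try:
        kv = dict(tok.split("=", 1) for tok in line.split())
        return kv["user"], kv["resource"], int(kv["hour"]), kv["ip"]
    except (ValueError, KeyError):
        return None


def analyze(feeds, baseline):
    """Return (alerts, coverage). A feed yielding no usable events makes coverage degraded."""
    alerts, dead = [], []
    for name, lines in feeds.items():
        parsed = [e for e in map(parse_feed_line, lines) if e is not None]
        if not parsed:
            dead.append(name)  # silent source: the analytics cannot see this part of the environment
            continue
        for user, resource, hour, ip in parsed:
            reasons = score_event(baseline, user, resource, hour, ip)
            if reasons:
                alerts.append((name, user, resource, reasons))
    coverage = "degraded: " + ", ".join(dead) if dead else "full"
    return alerts, coverage


# Constructed feeds: one well-formed, one whose format changed so nothing parses
FEEDS = {
    "app-audit": [
        "user=alice resource=billing-db hour=10 ip=10.1.0.12",
        "user=alice resource=billing-db hour=3 ip=172.16.5.9",
    ],
    "vpn-gateway": [
        "<14>Oct  4 03:01:00 vpn1 session opened",
    ],
}

if __name__ == "__main__":
    found, coverage = analyze(FEEDS, build_baseline(HISTORY))
    for alert in found:
        print("ALERT", alert)
    print("coverage:", coverage)
```

Returning the coverage state beside the alerts, rather than only the alerts, is the design point: an operator who sees "degraded: vpn-gateway" knows the absence of VPN alerts means nothing, whereas an empty alert list alone looks like the "secure" reading the post calls worse than a false positive.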

The evolution of analytics has brought improved monitoring and alerting for the security environment, but analytics still suffer from the issue of fidelity, which becomes increasingly important with each successive leap in analytic technology. If the analytics are not trusted and not acted upon, then the security environment cannot fulfill its purpose, and the analytics become irrelevant.

Stay tuned, more to come…

Posted in Security / Risk, Security Management

About this blog

Posted by bmestep on October 4, 2007

Here you’ll find general rants on current events (why can’t we defeat these IEDs?), how-tos on various technical things (double-inline firewall for SCADA security anyone? or HTPC-style silent servers), insights into security, risk, compliance, along with anything else that happens to come to mind…

If there is something you’re looking for and don’t see it, drop me a line. I’m always happy to help.

Posted in File 13 (Misc)

What about me…

Posted by bmestep on October 4, 2007

I spend a great deal of time trying to figure out how to do things and why other people have done certain things, so I thought by sharing I might be able to save time and effort for others who have similar tasks.

I am a technology consultant with a wide array of experience in computing, networking, security, business processes, best practices, and project management. I have worked for several small business owners as well as Fortune 500 companies in various industries ranging from Industrial Manufacturing and Telecommunications to Retail Outlets and Public Utilities. I started with Novell 3.12 and Visual Basic 4, moved to switched Cisco networks and MicroFocus COBOL talking to Oracle databases, then moved on to MPLS VPNs on Juniper routers and hacking/testing smartphones. I’ve been the user, developer, architect, engineer, operator, on-call engineer, team leader, supervisor, manager, and staff manager.

Along the way, I met up with the great folks at SANS and fell in love all over again with how things work the way they work and how I could make sure my employer / customers were kept safe from potential threats.

I obtained my first vendor certification on ‘Windows NT Server 4.0 in the Enterprise’ back in 1997, and my Cisco CCNA expired years ago. I eventually moved on to three (3) different SANS certifications [ GCFW, GCIA, GCIH ] and re-certified on the GCFW before obtaining my CISSP.

If it routes, switches, or blinks I can fix it or tell you how to go about fixing it, in most cases. I don’t talk a lot; I learn more by listening and observing.

Come on in!

Posted in File 13 (Misc)