Hack The Planet

Because if you don't, who will?

Monday, May 14, 2018

Why find the Unknown Unknowns…

Humans like to solve problems that are readily known or easy, and ignore the ones that take some digging or are difficult. We are lazy animals, but that is a good thing. System administrators write scripts to eliminate repetitive tasks. This is good. We should work smarter, not harder. The problem arises when we disregard tasks, or threats, because they take time and research. We in information security often fix the “known knowns” and hope that we aren’t impacted by the “unknown unknowns” (UUs). We need to start bringing our unknown threats into the light of day, or onto a nice dashboard, so that we can act on them and protect our environments from them.

When we think of securing our information and our networks, we often start with our knowns. We know we need to defend our digital borders, so we install firewalls. We know we need to protect our endpoints, so we install anti-malware software. We may even know that we need to protect our data, so we deploy a Data Loss Prevention (DLP) solution, but I rarely see folks do this intentionally; if they have a solution at all, it isn’t tuned and is a check box on some compliance form more than anything else. Admittedly, that last one kills me, because there are a number of solutions available that would have stopped any number of the breaches we have read about, and some we haven’t even heard about yet, but we don’t put the energy or budget into solving this one.

As we move to more mature security environments, you will find vulnerability scanning, looking for those known vulnerabilities, though an incredible 26% of companies said they didn’t have time to patch. Then you may introduce a Network Access Control (NAC) solution, possibly from your network equipment vendor or one of the few remaining standalone solutions, but again, I don’t see organizations actually utilizing the investments they have made in NAC. The list of solutions keeps growing as your organization matures, but often the investment in tools does not mean that they are being deployed or tuned, or that your staff is being trained on them.

With more tools come more alerts, and with more alerts comes alert fatigue. I have walked into many a SOC (Security Operations Center) and found alerts all over the screens and analysts just sitting at their desks ignoring them. Like the boy who cried wolf, the alerts had trained the analysts to ignore them. The scary thing is that any one of those alerts could have been critical and truly important, but because of all the noise it would have been ignored along with all of the others.

This is where having a good solution to monitor all of your tools, endpoints, logs and network data is necessary. If done right, it will lower your alert volume so that your analysts can spend time on the most critical events, and it will also give you visibility into your environment so you can find those UUs. I have mentioned the NCTOC Top 5 SOC Principles before, and want to point out that number 2 on that list is visibility. We must build visibility into our environments, not just for the UUs, but to alleviate alert fatigue and give your team its best chance at stopping a breach or other organization-impacting event.

posted by holliday at 12:36 pm  

Saturday, May 5, 2018

The Art of Best Practices…

In information security, “best practices” are commonly referred to, but rarely practiced. This is the cause of most of the breaches and hacks that plague us today.

One best practice that isn’t sexy, but is incredibly necessary, is updating. This is often a battle with different business units, which means a breach is inevitable. Possibly the hardest part about being an information security professional is convincing the business to do what is best for it. This is where understanding the business, and being able to speak the same language as the executives, is key. It also helps if you have the data to back you up, but that is another topic.

At RSA 2018, Dave Hogue, Technical Director for the NSA, discussed how they secure themselves from 0-days using their own principles, including hardening to best practices. We live in a world where our adversaries are able to engineer attacks for disclosed vulnerabilities faster than most organizations are able, or willing, to patch. If you would like to keep your organization secure, you will need to find a way to convince it to keep up with patches and follow as many other best practices as possible.

And if you need a list of best practices, there are plenty out there to choose from.

posted by holliday at 4:27 pm  