Tuesday, July 24, 2012
If you are one of the people who believes that implementing one or more security tools will prevent or help protect you from being hacked, think again. First off, an apology to all my colleagues who work for vendors, many of whom I respect, trust and admire.
IPS, IDS, File Integrity, Anti-Malware, Patching solutions, Logging solutions, VPNs, Vulnerability scanners, Pen Testing tools, Code scanners, Mobile Device Management... the list is endless.
All of us in Information Security budget serious dollars to buy all the fancy gizmos, widgets and InfoSec gadgets we are about to see at BlackHat, DefCon and BSides in Las Vegas this week. Not to mention the budget we ask for head count.
So "Why do security tools fail us?" Because we fail to implement them to the full extent of the tool's ability, and because the new owner/user/admin lacks knowledge of the tool and what it can and CAN'T do. Some tools just can't do what we want... it's reality.
Most importantly, it is the failure of the vendor or person implementing the solution to understand how to apply the "real world of the organization" to the product and tweak it, if you will, to the unique things the owner will need it for.
Ask the vendors you are considering purchasing a solution from, or more importantly the person who will be implementing your next security solution, this question: "What security incident did you implement this tool for, and what tweaks did you have to make over the default implementation to detect, deter, monitor and alert on the incident so a similar incident would not go undetected?" I think you will be shocked by the response.
I worked for HP for many years and implemented many products, and yet I was also guilty of the "it's an engagement, installed, working, doing stuff... I'm done, bill the client, next" mentality of a vendor and consultant. Some engagements went on long enough that we did some real good; most I left wondering what would happen with the solution or effort we put forth. Would it last, or was it just to pass compliance at that moment? Cough cough... PCI... cough... SOX... cough...
What is lacking in every single security tool is critical thinking and the practical, real-world application of the tool to a real-world incident or event specific to YOUR environment.
The default installation of a File Integrity solution will NOT catch a piece of malware being placed on your systems in many directories. Why? Because many directories like Windows and its sub-directories are noisy and would generate alerts up the wazoo, making the tool noisy and worthless to many. You may find it in the forensics folder, but how does one review hundreds or thousands of forensic folders? How can you tell a patch from malware when they are named the same? Where would a hacker place their malware anyway? Windows? System32? SysWOW64? ProgramData? Local? LocalLow? Temp? bin? etc.?
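One way to make those thousands of forensic folders reviewable, as an added example that is not part of the original post: triage each File Integrity change by hash and location against an approved patch manifest, so a file that merely shares a name with a patched system file is not waved through. The manifest, hashes, paths and events are constructed sample data, and the "noisy but interesting" directory list is an assumption.

```python
# Added example (not from the original post): triage FIM change events from noisy
# Windows directories by hash and location instead of by file name. The manifest,
# hashes and events are constructed sample data; the path lists are assumptions.
from pathlib import PureWindowsPath

# Constructed patch manifest: lower-cased path -> sha256 the patch is known to drop.
PATCH_MANIFEST = {
    r"c:\windows\system32\ntdll.dll": "aaaa1111",
    r"c:\windows\system32\kernel32.dll": "bbbb2222",
}
# Places a default FIM install tends to ignore or drown in noise, yet where a new
# executable deserves a look (assumed list).
WATCH_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ps1"}

def triage(event):
    """Return 'patch', 'suspicious' or 'review' for one FIM change event."""
    path = event["path"].lower()
    expected = PATCH_MANIFEST.get(path)
    if expected is not None:
        # Same name as a patched file: only the hash can tell patch from malware.
        return "patch" if event["sha256"] == expected else "suspicious"
    if PureWindowsPath(path).suffix in EXEC_SUFFIXES and path.startswith(WATCH_WRITABLE):
        return "suspicious"  # executable dropped where no patch writes
    return "review"

# Constructed FIM events from one day's forensics folders.
EVENTS = [
    {"path": r"C:\Windows\System32\ntdll.dll", "sha256": "aaaa1111"},
    {"path": r"C:\Windows\System32\kernel32.dll", "sha256": "deadbeef"},
    {"path": r"C:\ProgramData\Updater\svchost.exe", "sha256": "c0ffee00"},
    {"path": r"C:\Users\bob\AppData\LocalLow\cache.tmp", "sha256": "12345678"},
    {"path": r"C:\Windows\System32\drivers\etc\hosts", "sha256": "0badf00d"},
]

def summarize(events=EVENTS):
    """Bucket events by verdict so thousands of folders collapse to a short queue."""
    buckets = {"patch": [], "suspicious": [], "review": []}
    for e in events:
        buckets[triage(e)].append(e["path"])
    return buckets
```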
Have you tweaked your IPS and its alerts to detect real SA, Admin and root failures that differ from the pattern of an Administrator, or does your solution just log it as an event? What about your logging solution? If you do not have a logging solution today, you should! In fact it should be the #1 item in your budget!!! Send your syslogs, Event logs and YES, even workstation logs to a central log server. If you have a log solution, have you created reports and alerts for known conditions that are bad? Do you know what the normal behavior of your administrators is, so you even know what suspicious activity looks like? If you are not a log management fan... talk to me and I will change your mind, or at least make you think seriously about the subject.
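What "knowing the normal behavior of administrators" can look like once the logs are central, as an added example that is not part of the original post: learn where each admin account normally logs in successfully, then alert only on root/SA/Administrator failures that break that pattern or come in a burst. The normalized record format is assumed to be produced by the collector, and every log line is constructed.

```python
# Added example (not from the original post). The one-line record format is an
# assumption about what the collector emits; all log lines are constructed.
import re
from collections import defaultdict

ADMIN_ACCOUNTS = {"root", "sa", "administrator"}
FAIL_BURST = 3  # failures for one account/host/source that count as a burst
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                  r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$")

def parse(lines):
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def baseline(records):
    # Normal = {account: {(host, src)}} seen with a SUCCESSFUL admin login.
    normal = defaultdict(set)
    for r in records:
        if r["user"].lower() in ADMIN_ACCOUNTS and r["result"] == "OK":
            normal[r["user"].lower()].add((r["host"], r["src"]))
    return normal

def alerts(records, normal):
    """Alert on admin failures from a never-successful source, and on bursts."""
    out, fails = [], defaultdict(int)
    for r in records:
        user = r["user"].lower()
        if user not in ADMIN_ACCOUNTS or r["result"] != "FAIL":
            continue  # ordinary user failures stay in the log; not alerted here
        key = (user, r["host"], r["src"])
        fails[key] += 1
        if key[1:] not in normal.get(user, set()) and fails[key] == 1:
            out.append(f"{r['ts']} {user} failed on {r['host']} from {r['src']}: source never seen succeeding")
        if fails[key] == FAIL_BURST:
            out.append(f"{r['ts']} {user} failed {FAIL_BURST}x on {r['host']} from {r['src']}: burst")
    return out

# Constructed history (last week) and today's batch, as forwarded to the log server.
HISTORY = [
    "2012-07-16T09:02:11 host=db01 user=root result=OK src=10.1.5.20",
    "2012-07-18T14:30:02 host=dc01 user=Administrator result=OK src=10.1.5.20",
]
TODAY = [
    "2012-07-24T09:05:00 host=db01 user=root result=FAIL src=10.1.5.20",     # typo from the usual jump host
    "2012-07-24T03:12:41 host=db01 user=root result=FAIL src=192.168.77.9",  # never seen before
    "2012-07-24T03:12:43 host=db01 user=root result=FAIL src=192.168.77.9",
    "2012-07-24T03:12:46 host=db01 user=root result=FAIL src=192.168.77.9",
]

def run():
    return alerts(parse(TODAY), baseline(parse(HISTORY)))
```

The single failure from the usual jump host produces no alert; the unknown source alerts once on first sight and again when it reaches the burst threshold.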
Everyone has Anti-Malware, but does it work? Sure, it goes off for stuff it knows about, but what does it do for REAL PITA (Pain In The Ass) malware, not the annoying crap your users catch surfing and opening emails, but the 0-day, Duqu, Stuxnet, Flame type malware that there are NO signatures for? Does it even have a feature/option to detect nefarious activity by a ne'er-do-well? What I would ask an Anti-Malware vendor would totally vary from your questions... trust me.
This is where head count and budget come into play. Do you have people who have experienced, lived through or recovered from one or more of the REAL PITA events that all of the above would have missed in a default installed configuration? If not... seek out and hire one or more of us to tweak your security tools to do everything they are capable of, which product training and the vendor that installed it unfortunately do not know enough about, nor can they. I left consulting 4 years ago to get more personal ownership and live in the trenches... boy, what a learning experience that has been, but I am better for it for sure.
It is these truly experienced folks who were/are on the front lines that have the critical thinking skills you want and are after... they are the only thing that will keep your security tools from failing you when the poop hits the fan. They are not taboo because they were involved with the major incident at XYZ Corp... they are seasoned by a real-world incident. If a candidate can convey what they learned and how they could help you improve your security posture, you have struck pay dirt and maybe your security tools won't suck any longer...
Assuming management will budget for the head count and cares ;-)
Find me at BSidesLV or DefCon to discuss.