This is an article I have to render an opinion on as it is a great example of 'What the heck have you been working on all these years?'
The Ernst & Young article may be found here discussed on Naked Security:
65% of larger corporations stated 'Financial' as a reason they are unprepared for a large Cyber event, as did 71% of small orgs under $10 million. So let me get this straight: you have staff, you have bought many tools, and most likely, since this is an E&Y poll, you follow some sort of compliance framework.
In Wendy Nather's talk at LASCON in Austin, she discussed the results of a poll in which she asked industry experts to pick the technologies they would choose if starting from scratch for a 1000-person company... What did the list look like? I shouted out "PCI", and the next slide said... PCI.
I was even bold enough to state that I didn't need all that technology to practice "real security," that myself and another qualified InfoSec pro could do it with a few tools, if used properly. Of course someone pointed out that I would never pass an audit, and he is correct. As a former State of Texas InfoSec resource I understand compliance all too well, and after years at HP dealing with SOX, PCI, HIPAA, ISO and others, I understand only too well how compliance is a time-sucking resource pig that does not achieve what we really need to secure our companies and nation.
So why are so many not prepared for a cyber attack? In doing many presentations I ask the following question: "How many of you are confident your environment is malware free, or, once you find malware, that the system is then malware free?" How many hands do we get? 0-1 per Preso!
Why is InfoSec so broken, or so lacking in confidence? I blame compliance. I have stated that compliance does not equal security, as too often it is achieved by an auditor saying "Check, you pass". There is no real evaluation of how you are actually doing at security defense. Many say get Penetration Testing regularly to test your defenses. I say "Phooey" to that as well; it proves little about whether your defenses are good enough.
Most Pen Testers I know will find a way in or fool a person to 'Click on That'; just look at Trustwave's report on hacking a reporter who asked them to and knew they were coming! There is merit in Pen Testing, but I feel most people, say 96%, will fail the Pen Test. Why? Because of the way we currently think about Information Security: that compliance frameworks like implementing PCI will make you secure enough. But almost everyone is getting popped, and they have some basic security framework in place.
"Real Security" is dirty, in-the-trenches kind of work. HackerHuntress stated people didn't like Blue Team jobs because it is "hard" and I said "No it's not"... We talked some and agreed in the end that it is management and a lack of trained staff who can do what I and the other complete defenders I know can do. Maybe we just don't know how, or lack the confidence to defend all that is good.
We don't need to train the users and create and give more Employee Awareness as the E&Y article indicates. We need to teach 'Real Security' to the in-the-trenches blue team defenders employed at many, if not most, companies. We need to teach them how to actually detect and respond to a Cyber event of any size, and do so at the speed of business, so that they may move on and you can get back to defending your network. And the policy statement... Really? Did E&Y not read that employees will disregard company policies where BYOD is involved? We already know they surf non-business-related sites on work systems because they can. What makes anyone think policies will prevent anything? They are guides on how to do things, or on how a person will be reprimanded if caught. Policies are regularly broken, and the Internet has become an entitlement to most employees these days... Take it away and see what happens, I dare you!
This is why I do presentations on malware and logging, and why I challenge people at talks: to inject some thinking, to get people asking, 'Is there another way?' Thawt Leadership, I think it's called ;-) I share what I know about logging and malware at local ISSA half-day and all-day events, and I do presentations at many Cons, all to educate and share the love and a new way of thinking.
Most people I talk with do not have basic Windows auditing tweaked to actually record the events needed to detect a Cyber Attack of any kind. If they do, they have not refined their audit rules and are not alerting via email on real, actionable events. They also do not monitor well-known locations for malware or suspicious changes to a Windows system and send that to the logs either. Example: how many of you have enabled the Advanced Audit Policy 'create files' auditing property on one or more Windows directories (Windows, System32, Drivers, WBEM) so that new files (not files replaced by Windows Update, but new files like malware) are recorded and sent to you via email by your logging solution? Implement and refine this feature alone and you are well underway to detecting a small to large Cyber Attack! Don't leave out actually enabling the Windows Audit Policy, as it (Yay Microsoft) is off by default, and record success of privileged items and others of course.
Logging is HUGE for being prepared for a Cyber event of any size. It can detect the behavior of a Malwarian or Bad Actor reaching beyond a compromised system. It can also allow defenders to report on who did what, where and when, but not why, unless you ask them. If you also monitor key locations across your Windows systems for file additions or changes, you can detect odd files; the same odd file showing up on many systems rather than one is also suspicious, and can be alerted on via email if you have a solution that can do this, like BigFix, Tanium or others.
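The audit setup described two paragraphs up and the email alerting this paragraph calls for, written out end to end as one added PowerShell example (this is not code from the original post; it assumes Windows PowerShell 5.1 in an elevated session; the directory list is the post's, while the 'this folder only' scope, the servicing-process noise filter and the mail settings are assumptions to adjust for your own environment):

```powershell
# Added example, not from the original post: enable the audit policy subcategory
# that is off by default, put a 'Create files / write data' audit entry on the
# directories the post names, then read the resulting Security events and mail
# a summary. Assumes Windows PowerShell 5.1, run elevated (Set/Get-Acl -Audit
# needs SeSecurityPrivilege). Mail settings and the noise filter are assumptions.

$WatchDirs = @(
    "$env:SystemRoot",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\wbem"
)

# --- 1. Enable the 'File System' subcategory (Object Access). Without this the
#        SACL entries below record nothing, however they are set.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# --- 2. One SACL entry per directory: Everyone, 'Create files / write data'
#        (FileSystemRights.CreateFiles), scope 'this folder only', Success.
#        The scope is an assumption: it catches files dropped directly into the
#        folder without auditing every write beneath it. SetAccessControl() is
#        used instead of Set-Acl because Set-Acl also rewrites the owner, which
#        fails on TrustedInstaller-owned folders such as C:\Windows.
foreach ($dir in $WatchDirs) {
    $acl  = Get-Acl -Path $dir -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::CreateFiles,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    (Get-Item -Path $dir).SetAccessControl($acl)
}

# --- 3. Read event 4663 ('An attempt was made to access an object'), keep only
#        AccessMask 0x2 (WriteData / AddFile) on objects directly inside a
#        watched directory, and drop the servicing processes Windows Update uses
#        to replace files. That list is the 'refine your audit rules' step; it is
#        an assumption and every addition to it should be reviewed, not guessed.
$KnownWriters = @(
    "$env:SystemRoot\servicing\TrustedInstaller.exe",
    "$env:SystemRoot\WinSxS\*\TiWorker.exe"
)
$DirPattern = ($WatchDirs | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-NewFileEvents {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process = $data.ProcessName
            Object  = $data.ObjectName
            Mask    = $data.AccessMask
        }
    } | Where-Object {
        $ev = $_
        $ev.Mask -eq '0x2' -and
        $ev.Object -match "^($DirPattern)\\[^\\]+$" -and
        -not ($KnownWriters | Where-Object { $ev.Process -like $_ })
    }
}

# --- 4. Alert: mail the hits so a human actually sees them. The SMTP server and
#        addresses are placeholders.
$hits = Get-NewFileEvents -Hours 1
if ($hits) {
    $body = $hits | Format-Table Time, User, Process, Object -AutoSize | Out-String
    Send-MailMessage -SmtpServer 'smtp.example.invalid' -From 'audit@example.invalid' `
        -To 'blueteam@example.invalid' -Subject "New files in watched Windows dirs on $env:COMPUTERNAME" `
        -Body $body
}
```

Steps 1 and 2 are run once; step 4 is the piece to schedule hourly (or to replace with your logging solution's own alert rule, since the same 4663 filter expresses directly in most SIEM query languages). Expect the first day to be noisy on C:\Windows and System32; the point of the refinement step is to whittle the known writers down to a reviewed list rather than to silence the rule, because a new file from an unexpected process in those four folders is exactly the event you want emailed.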
We also have to give up on spending tonnage of $$$$ on protecting the endpoint. It WILL get popped if you allow users to surf the InterWebbings without strict controls. Bad sites serving up malware are all over, and the majority are on legitimate websites. No, FireEye will not prevent all of this threat. What about thumb drives? Or users on their company laptops surfing outside the company when not protected by your proxy solution like FireEye? The endpoint WILL get popped, and InfoSec really needs to move its budgets and focus more towards Detect and Respond to this threat and less towards prevention in order to move forward. Start thinking like hackers and be a detective, not a preventive, InfoSec program; it will serve you well and prepare you for a Cyber event of any size.
So I leave you with this to consider...
1. What is 'Real Security' to you?
2. Do you have a robust logging solution in place?
3. Do you alert on the items I stated above?
4. Have you attended a local BSides event to interact with the people in the know?
5. Do you believe you have the people that can learn these tricks and skillz?
Or do you just believe compliance will get us there?
Let me know your thawts at the next Con.
#InfoSec #Logging #Malware