Taking the Backroad to a Secure Enterprise

It is often the case that rapidly changing technology allows laggards to leapfrog leaders. Rather than follow the same path as the trailblazers, those who come behind can take a shortcut. A country in South America bent on joining the modern world does not have to string phone lines across its mountains and jungles to achieve universal access to communications. It can build an LTE infrastructure, allowing its people to skip the fixed line stage and jump right to the latest smartphones and apps for Facebook and Instagram.

So too can an enterprise that is poorly defended get ahead of the race to security. The very best security infrastructures can be found at large financial institutions and defense contractors. Both have been battling targeted attacks for over a decade. They have purchased, deployed, and staffed every new technology brought out to combat every new threat: banks to counter cybercrime, the defense industrial base (DIB) to combat cyber espionage.

In 2003 these organizations had firewalls and Anti-Virus. As worms managed to get by their defenses they deployed Intrusion Prevention (IPS) and patch management systems. Eighteen years later they have large staffs populating Security Operation Centers. They have deployed and are managing sometimes hundreds of separate security products, most of them plumbed to report to a SIEM (Security Information and Event Management) solution. They are well positioned to take the next step, which is to incorporate threat intelligence feeds and security analytics to hunt down intruders.

But what about the laggards? Those that don’t have a CISO, and have not kept up because they were under the blanket of misunderstanding: “we have nothing worth stealing, who would target us?”

We know who the laggards are by the breaches we read about in the New York Times. Universities, retailers, movie studios, industrial control systems, and yes, even federal agencies.

What are the laggards to do once they finally come to that moment when they realize that they truly are targets of attack? Most appear to be frozen in the headlights of the threat. There is too much to do. They need help. They need funding. They need Congress to do something. How can an electrical utility in Detroit attain the same cyber defense posture as Lockheed Martin?

Do it backwards. Learn to hunt and kill intruders before investing in moats, barbed wire, guard towers, and walls.

Start with gathering information from your network. Collect netflow data from your firewalls, routers, and access points. Capture full packets where you can. The technology is there. All these devices just need to be configured to report what they see. Evidence of attacks is in that data. Botnet beaconing? Easy. Exfiltration of intellectual property? Even if it is encrypted you can see it going out. Lateral movement? It’s in there.

You can do this manually, but investing in hunting technology (I sit on the advisory board of one such technology vendor; check out Sqrrl’s hunting platform) is the best way to leapfrog. You need tools that allow you to piece together disparate evidence of malicious behavior. You can set an alert for unusual traffic originating inside your data center and heading to China. But you still need to hunt down the root cause, the patient zero of a malware infection. It might be a vulnerable database server, or a mis-configured firewall. What were the attackers after? Payroll servers? Customer data? Are they using your privileged access to one of your customers as a stepping stone? You can link all the artifacts to tell a story and answer these questions.
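As an added illustration (not code from the post or from Sqrrl), here is a small hunt over netflow-style records of the kind the two paragraphs above describe: one pass flags beaconing by looking for connections to the same peer at near-constant intervals, and a second flags bulk egress from the data center to any address outside the enterprise. The record layout, the 10.0.0.0/8 internal range, the 10.2.0.0/16 data-center subnet and the thresholds are assumptions; the flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed netflow-style records: (epoch seconds, src, dst, dst port, bytes out).
# 10.1.1.5 calls the same external host every 600 s (timer-like); 10.2.0.40 ships 40 MB out.
FLOWS = [
    (1000, "10.1.1.5", "198.51.100.7", 443, 512),
    (1600, "10.1.1.5", "198.51.100.7", 443, 520),
    (2200, "10.1.1.5", "198.51.100.7", 443, 498),
    (2800, "10.1.1.5", "198.51.100.7", 443, 530),
    (3400, "10.1.1.5", "198.51.100.7", 443, 505),
    (1100, "10.1.1.8", "10.1.1.20", 445, 2000),
    (1500, "10.1.1.8", "10.1.1.20", 445, 90000),
    (1200, "10.2.0.40", "203.0.113.9", 22, 40_000_000),
    (1300, "10.1.1.9", "198.51.100.50", 80, 3000),
    (4000, "10.1.1.9", "198.51.100.50", 80, 2500),
]
INTERNAL = [ip_network("10.0.0.0/8")]          # assumed enterprise address space
DATA_CENTER = ip_network("10.2.0.0/16")         # assumed server subnet

def find_beacons(flows, min_count=5, max_jitter=0.1):
    """Return (src, dst, port, period) for peers contacted at near-constant intervals."""
    by_peer = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_peer[(src, dst, port)].append(ts)
    beacons = []
    for key, times in by_peer.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # Low spread of gaps relative to the period looks like a timer, not a person.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons.append((*key, period))
    return beacons

def find_bulk_egress(flows, threshold_bytes=10_000_000):
    """Return (src, dst) pairs where a data-center host sent > threshold bytes outside."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        external = not any(ip_address(dst) in net for net in INTERNAL)
        if ip_address(src) in DATA_CENTER and external:
            totals[(src, dst)] += nbytes
    return sorted(k for k, v in totals.items() if v > threshold_bytes)
```

Either hit is a starting point for the root-cause work the post describes, not a verdict: the next step is pivoting from the flagged host to its other flows and logs.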

The day you start hunting for intruders is the day you start to improve your security. Vulnerability management is one of the most onerous tasks for an IT department. The existence of a vulnerability in a critical system does not justify taking that system offline to patch it. But discovering an intruder on that system exfiltrating data justifies an immediate response. Revamping access controls is expensive and disruptive to operations. The day you discover someone logging in remotely using stolen credentials is the day you change your access policies and deploy strong authentication technology.

After only several weeks of hunting, finding, and stopping intruders, you will be able to justify expenditures for technology to reduce the work load of the hunters. Upgrading from the firewalls you bought when you first connected to the Internet to a modern full-stack gateway security appliance will stop a lot of noise. The root cause of many intrusions will turn out to be users clicking on links to malicious content. Deploy a secure web gateway to eliminate those issues.

Is there a particular database the intruders are after? Harden those servers, and encrypt that data. Are intruders getting access credentials? Get your IAM (Identity and Access Management) under control. Are you being targeted with bespoke malware that sidesteps your defenses? Deploy sandbox devices to detonate and reveal new malware. Are your suppliers and partners the source of attacks? Share information with them. Teach them how to hunt.

Coming at cyber security backwards in this way can quickly get you ahead of not only the technology curve, but of the attackers. You will have an elite team of experienced hunters equipped with the best technology. Your security program will be driven by defense, not compliance. You will know what to invest in. You will know how to deploy new IT projects without exposing yourself to new threats.

Let the attackers show you the way to securing your enterprise. You will be watching and on the hunt.

Getting to Know the IT Security Industry

When IT-Harvest launched in 2015 we had grand plans to reinvent the industry research business. I had had four years of experience as a Gartner analyst and was frustrated at the lack of access to data. Of course Gartner had DataQuest which had been acquired for $80 million from Dun and Bradstreet in 1995. When it came time to generate a Magic Quadrant we would ask for the latest list of vendors and their revenue in a certain space like Firewalls or IDS.

But DataQuest got its numbers by surveying vendors and it has to be acknowledged that vendors are not always completely forthright when it comes to self reporting numbers. At one point DataQuest was telling me that CA had the biggest market share in IDS even though they did not have a product page for IDS and I had never talked to anyone who used CA for IDS.

IT-Harvest was going to change all that. When we got started we hired a developer to create an elaborate data entry tool for recording details about all security vendors. My task was to find them and assign them to a category. Our researchers, primarily located in Salt Lake City, would use the tool to fill in office locations, products, and key executives. Within six months we had compiled a database of 1,200 vendors and offered a subscription to that data for $4,500/year.

We were successful in getting subscribers but a strange thing happened. Not a single person ever logged into the tool we had invested so much in developing. They saw the real value in having access to the analyst: me! So, after a brief hiatus, when I suspended IT-Harvest to be CMO of Fortinet, we abandoned the elaborate tools and subscription model and went with the traditional analyst model of retained access, white paper generation, speaking, and strategic engagements.

But I still need that data. Over the last several months we have repopulated the database. We are already learning a few things. There are now 1,930 vendors in our database and more to add as we discover them. I have developed a methodology for estimating company size that will be used to create market scope reports, which we will sell at a fraction of the $5-9K typically charged by market research firms. Those reports will be created quarterly so we will be able to extract trends from the data.

We will not use surveys at all. I have too many friends in the analyst relations profession to submit them to yet another lengthy spreadsheet to fill out. Besides, my numbers come from outside data so will not be subject to subterfuge like reporting revenue based on list price instead of actual sales.

There are lots of ways to skin the industry analyst cat. There are several attempts to crowd source product and company information. There are subject matter expert dating sites. And of course there are the Gartners, Forresters, IDCs, and Ovums. IT-Harvest will continue to focus on the IT security industry as it grows at 24% a year. If we can keep pace we will be doing well.