<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Securonix</title>
	<atom:link href="http://www.securonix.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securonix.com</link>
	<description>Risk Intelligence-Insider Threats-Activity Risk-Fraud Detection-Behavior Profiling-Access Risk</description>
	<lastBuildDate>Mon, 20 May 2013 21:17:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>State of Information Security &#8211; What we don&#8217;t know is KILLING us</title>
		<link>http://www.securonix.com/2013/05/state-of-information-security-what-we-dont-know-is-killing-us/</link>
		<comments>http://www.securonix.com/2013/05/state-of-information-security-what-we-dont-know-is-killing-us/#comments</comments>
		<pubDate>Fri, 17 May 2013 18:33:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[behavioral detection]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[security analytics]]></category>
		<category><![CDATA[security intellig]]></category>
		<category><![CDATA[Threat detection]]></category>
		<category><![CDATA[vulnerability management]]></category>
		<category><![CDATA[zero day attacks]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3432</guid>
		<description><![CDATA[The fact is, we know a tremendous amount about the state of the threat environment, and the impact of both new threats and old vulnerabilities, literally on an hour-by-hour basis.  And it is critical information, knowledge every security professional must have just to do their jobs.  We need current information on the various species of malware in the wild, the exploits that are being leveraged, the patches that are available (and the ones that aren’t) and the social engineering and phishing strategies that make most successful attacks possible.  This is the kind of knowledge that allows organizations to target their resources most effectively, to learn from the failures of others, to be prepared for new attacks as they are detected, and to build viable and effective strategies and policies to best protect their data, their customers and their employees.
 <a href="http://www.securonix.com/2013/05/state-of-information-security-what-we-dont-know-is-killing-us/"></a>]]></description>
			<content:encoded><![CDATA[<p dir="ltr">For those interested in Information Security, there is a LOT of information out there.  In addition to the shows, conferences and seminars, there are vendor briefings and webinars, analyst White Papers, industry studies like those from Verizon and Mandiant, websites like Ars Technica and Dark Reading, dozens of blogs by leading security professionals and several thousand people and organizations worth following on Twitter.</p>
<p>The fact is, we know a tremendous amount about the state of the threat environment, and the impact of both new threats and old vulnerabilities, literally on an hour-by-hour basis.  And it is critical information, knowledge every security professional must have just to do their jobs.  We need current information on the various species of malware in the wild, the exploits that are being leveraged, the patches that are available (and the ones that aren’t) and the social engineering and phishing strategies that make most successful attacks possible.  This is the kind of knowledge that allows organizations to target their resources most effectively, to learn from the failures of others, to be prepared for new attacks as they are detected, and to build viable and effective strategies and policies to best protect their data, their customers and their employees.</p>
<p dir="ltr">But if you stop and think about it, what we know isn’t all that valuable.  Every attack we read about, every exploit that is analyzed and patched, every vulnerability announced, every new strain of malware, all of it consists only of attacks that have been discovered.  In essence, we know a great deal about the failures, but much less about the successes.  In a sense, it’s like real-world crime.  All the criminals we know are in prison &#8211; that is, they failed at crime.  The successful criminals, the ones that we should be most worried about, are invisible because they have not been detected yet.</p>
<p dir="ltr">That’s very much the position of the modern information security professional.  We spend our days hardening our networks against the attacks we know are in play, train our users to be aware of the tactics of hackers that have been discovered, and monitor our networks for the signatures of known malware and hacking tools.  But what we really need to do is to think about the attacks that no one has detected yet, the ones that are silently compromising networks, stealing data and money and trade secrets RIGHT NOW.</p>
<p dir="ltr">The modern security infrastructure can no longer be dependent on third-party knowledge, signatures and history.  The attackers are smart people, and they move fast.  They have a stockpile of zero-day exploits and powerful hacks of which the security community is unaware.  Predicating your organization’s information security on stopping attacks that have already been stopped cannot provide real security, but rather a false sense that we have “done all we can”.</p>
<p dir="ltr">There is no complete answer, and perhaps there never will be.  But our side isn’t just standing still.  There is much more that can be done.  Security intelligence platforms such as Securonix are powerful tools to detect previously undetectable attacks.  By integrating all the available network, identity and security systems data and applying an advanced set of behavioral analytics, Securonix can detect suspicious and anomalous activities without having to detect the actual network breach.  Securonix doesn’t keep the attackers out &#8211; you have plenty of tools for that, and they work as well as can be expected.  Securonix prevents the attackers from doing catastrophic harm once they’ve compromised your other defenses.  And at a fraction of the cost of an enterprise SIEM solution, adding the power of Securonix to your security stack is clearly an important step in protecting your network.</p>
<p style="text-align: center;"><strong>It would be a crime not to!</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/05/state-of-information-security-what-we-dont-know-is-killing-us/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Candid Camera, Threats from the inside and Beyond</title>
		<link>http://www.securonix.com/2013/05/candid-camera-threats-from-the-inside-and-beyond/</link>
		<comments>http://www.securonix.com/2013/05/candid-camera-threats-from-the-inside-and-beyond/#comments</comments>
		<pubDate>Wed, 15 May 2013 15:08:47 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Predictive threat detection]]></category>
		<category><![CDATA[Real time threat detection]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3405</guid>
		<description><![CDATA[Those of us of a certain age can remember very well when the first webcam went online.  It was pointed at the coffee pot at a computer science lab within Cambridge University, and provided a simple method for employees to determine if the pot was empty before walking down the hall for a cup.  <a href="http://www.securonix.com/2013/05/candid-camera-threats-from-the-inside-and-beyond/"></a>]]></description>
			<content:encoded><![CDATA[<p dir="ltr">Those of us of a certain age can remember very well when the first webcam went online.  It was pointed at the coffee pot at a computer science lab within Cambridge University, and provided a simple method for employees to determine if the pot was empty before walking down the hall for a cup.  The camera had actually been on the local network for several years, but once browsers became image capable it was simpler to use the web server. Of course, that had the effect of making real-time coffee pot imagery available to anyone in the world &#8211; and the concept of internet surveillance was born.</p>
<p dir="ltr">Now, of course, there are untold hundreds of millions of cameras connected to the web.  The vast majority of them are standalone devices, running a rudimentary operating system, a TCP/IP stack and a simple web server.  You just connect them, point them at the target, and turn on the power.  It’s easy to forget that these devices are connected to both the internet and the corporate network, and any vulnerability in the on-board software might allow an attacker to access the network proper.  It’s not terribly surprising that we have a limited understanding of the design or architecture of such commodity devices.  They certainly aren’t built with network security in mind, and in a wireless networking environment there are no barriers to any employee or department installing an IP camera.  To make matters worse, they are ubiquitous in home networks, monitoring everything from pets and children to wayward husbands.  With so many users accessing the corporate network from home, a vulnerability in one of those IP cameras can lead to a compromised enterprise network, and the corporate IT staff has no way to ever discover these essentially embedded devices.</p>
<p dir="ltr">Vulnerability researchers from Core Security did an analysis of some popular IP cameras last month and found a wide variety of simple, exploitable vulnerabilities.  Some were both typical and common, from code injection weaknesses to partial output streams available to unauthenticated users.  But they also found hard-coded passwords and built-in back doors that give an attacker full control over the network device.  This sort of unnecessary, intentional security flaw would be unlikely in a modern enterprise network device, but it’s still the wild west in the world of consumer hardware.  And it must be borne in mind that it is not just cameras &#8211; everything from thermostats to sprinkler systems to building access devices is being connected to the internet, and every one of these devices represents a threat to your network, your users, your customers and your data.</p>
<p dir="ltr">Once again, the lesson is simple.  We have lost any ability we might have had to secure our network at the perimeter.  It’s increasingly difficult, if not impossible, to even define where the perimeter is.  Two things are certain.  First, the network has vulnerabilities we don’t know about and can’t defend, and second, attackers often know much more about these vulnerabilities, what they are and, critically, WHERE they are, than we do.  Attackers both internal and external can compromise our security &#8211; if we can’t protect against them we MUST be able to detect them.  In this environment, a robust security intelligence solution like Securonix is no longer a luxury, but is rapidly becoming a very urgent necessity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/05/candid-camera-threats-from-the-inside-and-beyond/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Upgrade Your Information Security</title>
		<link>http://www.securonix.com/2013/05/upgrade-your-information-security/</link>
		<comments>http://www.securonix.com/2013/05/upgrade-your-information-security/#comments</comments>
		<pubDate>Fri, 10 May 2013 05:11:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[security analytics]]></category>
		<category><![CDATA[securonix]]></category>
		<category><![CDATA[zero day attacks]]></category>
		<category><![CDATA[zero day vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3397</guid>
		<description><![CDATA[Systems and network administration is an endless balancing act.  On the one hand, availability, stability and performance are paramount concerns, while adding functionality and security are less well understood demands outside the IT organization.  <a href="http://www.securonix.com/2013/05/upgrade-your-information-security/"></a>]]></description>
			<content:encoded><![CDATA[<h1 dir="ltr">Upgrades, or the lack thereof: a major concern for information security operations</h1>
<p dir="ltr">Systems and network administration is an endless balancing act.  On the one hand, availability, stability and performance are paramount concerns, while adding functionality and security are less well understood demands outside the IT organization.  Everyone has felt the wrath of the business side when a simple, benign ‘upgrade’ shut down critical applications or network segments for hours on end.  And with today’s large-scale enterprise data stores, a major shared SQL or distributed database can take the better part of a day to rollback and restart.</p>
<p dir="ltr">Plus, there is the resistance of the business operations leadership to roll out major upgrades in critical infrastructure due to cost, disruption and training issues.  Often, then, we find operating systems, web browsers and other critical pieces of the desktop computer environment running versions that are multiple updates behind.</p>
<p dir="ltr">Every now and then, it becomes apparent that this can be a false economy.  The maintenance of stability and availability in exchange for higher risk of security vulnerabilities is a classic Faustian bargain.  Just this week, we saw two glaring examples of the risk of keeping older versions of critical software in production past their useful lifespan.</p>
<p dir="ltr">In a classic “watering hole” attack on US nuclear weapons workers, malicious code was introduced into servers at the Department of Labor that utilized a zero-day vulnerability in Internet Explorer 8 to install the “Poison Ivy” backdoor trojan.  To make matters worse, in this case Poison Ivy had been modified so that it was only detectable by 2 out of 46 major anti-virus programs.  One of the keys to this attack is that the vulnerability only existed on IE 8.  Not only were newer versions unaffected, but IE 6 and 7 were similarly not vulnerable.  So the diligent admin who, faced with a workforce still using Windows XP, had done the right thing and upgraded to the latest available browser, IE 8, found his systems suddenly at risk of infection by a virulent piece of malware.</p>
<p dir="ltr">The second example illuminates a different kind of obsolescence.  Using a previously unknown vulnerability in the Cold Fusion web server/content management platform, attackers were able to gain access to critical customer information at the server hosting company Linode.  There are indications that the Linode network was compromised for weeks before discovery.</p>
<p dir="ltr">Cold Fusion represents the potential risks of evolution and attrition in the server marketplace.  Ten years ago CF was a major website development and deployment platform, but as other, often open platforms have gained prominence, the earlier generation of proprietary systems like Cold Fusion have lost significant market share.  And as that happens, it is very common that the vendor’s investment in those aging, declining products is also reduced.  In the case of Cold Fusion, there has not been significant development work since 2009, and yet many large organizations, including government agencies and institutions, have continued to use the platform due to their large investment and institutional expertise.  But without ongoing development and a thriving user community, vulnerabilities can be discovered and quietly exploited over longer periods of time than for other, more modern products.</p>
<p dir="ltr">The lesson here is not a new one &#8211; keep all your systems upgraded and patched to reduce exposure to exploits and vulnerabilities.  Think of it more as a reminder of the critical nature of keeping your network and desktop infrastructure current.  But there’s also a reality check &#8211; we build and maintain our networks in response to more than just optimal technological imperatives.  And sometimes that causes us to make decisions that increase the vulnerability of our systems, servers, users and customers.  That’s why it is critical that the security infrastructure includes the analytics and intelligence to detect these attacks in real time without waiting for a signature or a patch.  In the absence of “perfect” security, there really is no option but to accept that some attacks are going to be successful, and we have to have a way to detect them before major damage is done.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/05/upgrade-your-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Inside Out</title>
		<link>http://www.securonix.com/2013/05/inside-out/</link>
		<comments>http://www.securonix.com/2013/05/inside-out/#comments</comments>
		<pubDate>Thu, 02 May 2013 20:28:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Advanced Persistent Threats]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[Early Detection of Attacks]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[Offensive Security Management]]></category>
		<category><![CDATA[Proactive Security Posture]]></category>
		<category><![CDATA[Security Big Data Analytics]]></category>
		<category><![CDATA[Security Intelligence]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3346</guid>
		<description><![CDATA[Insider attacks aren’t new.  The very first sysadmin probably didn’t go rogue, but it wasn’t very long after him that the first one did.  The reason these are among the most problematic attacks is obvious - these are the most trusted users, who, in order to be able to do their jobs, have a level of access and permissions that is much higher than other employees - even higher than the executives who founded and run the organization.   <a href="http://www.securonix.com/2013/05/inside-out/"></a>]]></description>
			<content:encoded><![CDATA[<p>Insider attacks aren’t new.  The very first sysadmin probably didn’t go rogue, but it wasn’t very long after him that the first one did.  The reason these are among the most problematic attacks is obvious &#8211; these are the most trusted users, who, in order to be able to do their jobs, have a level of access and permissions that is much higher than other employees &#8211; even higher than the executives who founded and run the organization.  But in the last few years, as hacking has become profitable, political and even a key part of the clandestine intelligence operations of many nations, the temptations and incentives for IT technicians, administrators, engineers and architects to use their skills and permissions to commit fraud, theft and espionage are greater than they have ever been.</p>
<p>And, as responsible information security professionals, we spend a lot of time thinking about how to protect against this unique threat.  Obviously, the nominal starting point, the network perimeter, isn’t important in this case &#8211; we don’t want to keep these users out, we just want to identify the ones that go bad, and prevent them from doing major harm.  Since their job is to make changes to the network, install hardware and software, change configurations and facilitate other employees’ access to data and resources, it’s going to take a LOT of intelligence to understand the difference between a catastrophe and another day at the office.</p>
<p>But there’s another thing we need to think harder about &#8211; exactly who are these insiders?  Oh, sure, we know about the IT people, the support techs, the database and application people.  But in these days of distributed computing and virtualization, you can have servers running in data centers all over the world, many of them staffed by techs you’ve never met, never vetted and whose names you don’t even know.  A comprehensive understanding of your organization’s infrastructure is critical, but if we were to be honest, that infrastructure can be so dynamic and fluid that it may be an utterly forlorn hope.  And if we find ourselves, once again, addressing security problems AFTER they have occurred, we are still in that traditional reactive mode, cleaning up the mess after the criminals have left &#8211; and that is only if we actually get to learn about the attacks.</p>
<p>The story of Eric Gunnar Gisse is instructive on this point.  Just another mid-level admin at Hostgator, he installed a backdoor process on almost 2800 physical servers, representing an unknown number of web, application and database servers.  Using the backdoor he installed a stolen SSH key, allowing him to then gain root access to any of those servers from anywhere in the world.  We know about this, because he was caught and arrested, but it gives us an opportunity to ask a very specific question: Would our existing security infrastructure have detected Eric’s rogue activities before they became a problem?</p>
<p>One of the powerful capabilities of the Securonix security intelligence platform is its ability to provide more accurate and fine-grained behavioral profiles and peer group analyses.  If it had been running at Hostgator, for example, the installation of those backdoor processes would have been flagged as a suspicious outlier, and could have been investigated as soon as the activity began.  And certainly the use of an unauthorized SSH key would have given away the game immediately.  The lesson here is not that insider attacks are hard to detect &#8211; we already knew that.  The important takeaway is that “insiders” may not actually BE inside, but might be anywhere on the globe.  And the question about the sufficiency of our existing security stack needs to be answered with brutal honesty &#8211; organizations must elevate their capabilities to support full actionable security intelligence such as that offered by Securonix.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/05/inside-out/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Technological Problems, Technological Solutions</title>
		<link>http://www.securonix.com/2013/04/technological-problems-technological-solutions/</link>
		<comments>http://www.securonix.com/2013/04/technological-problems-technological-solutions/#comments</comments>
		<pubDate>Mon, 29 Apr 2013 16:15:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3267</guid>
		<description><![CDATA[We’ve seen it countless times over the years. Someone will speak up in a meeting, saying something to the effect of “not all problems have technological solutions - just throwing more technology at it may not be the best option”. <a href="http://www.securonix.com/2013/04/technological-problems-technological-solutions/"></a>]]></description>
			<content:encoded><![CDATA[<p>We’ve seen it countless times over the years. Someone will speak up in a meeting, saying something to the effect of “not all problems have technological solutions &#8211; just throwing more technology at it may not be the best option”. They say it because it’s self-evidently true, but also because they are often resistant to either the cost or complexity of technological solutions. It is widely accepted in the Information Security field that a comprehensive solution includes technology, but also awareness training, education and aggressive policy management.</p>
<p>The problem confronting the security team at this point is that we’ve mostly stopped all the attacks that we know about, but at the same time we also know with certainty that we don’t know about them all. So attention has to shift from hardening the perimeter to control access to digital resources, to a more preventive security posture &#8211; the fast detection of actual attacks and exploits that are not prevented, or even recognized, by the existing solutions.</p>
<p>In the network and information security world, there is not a tremendous difference between “mostly effective” and “massive failure”. 99% secure can be worse than no security at all, because we may have a false sense of security while the attacks and exploits that get through the current set of defenses are necessarily the most advanced, and therefore the most dangerous and costly. And in this case, technology does provide the only effective approach to closing the gaps and detecting unauthorized and malicious access. More than anything else, it is a big data analysis problem, where the massive amount of network user, identity, access, event and transaction data we are already generating contains pretty much all the information we need, but requires advanced intelligence capabilities in order to tease out the subtle differences between legitimate activities and fraud, vandalism or theft.</p>
<p>That’s the whole point behind the Securonix security intelligence platform. It doesn’t replace the network management and security tools you already have, it makes them more effective by integrating the data you are collecting from a disparate variety of tools and applying highly intelligent behavioral and peer group analysis to all that data, collectively. This empowers security managers to detect and investigate suspicious activities before they can become the next big data breach on the five o’clock news.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/04/technological-problems-technological-solutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>May You Live in Interesting Times</title>
		<link>http://www.securonix.com/2013/04/may-you-live-in-interesting-times/</link>
		<comments>http://www.securonix.com/2013/04/may-you-live-in-interesting-times/#comments</comments>
		<pubDate>Thu, 25 Apr 2013 14:46:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Advanced Persistent Threats]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[IP Theft]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3253</guid>
		<description><![CDATA[It’s not exactly news.  For years, the conventional wisdom has been that hackers out of Russia and Eastern Europe were criminals, intent on stealing money by way of fraud and extortion, and hackers out of mainland China were mostly focused on industrial espionage, stealing trade secrets and intellectual property on behalf of state-owned industry. <a href="http://www.securonix.com/2013/04/may-you-live-in-interesting-times/"></a>]]></description>
			<content:encoded><![CDATA[<p dir="ltr">It’s not exactly news.  For years, the conventional wisdom has been that hackers out of Russia and Eastern Europe were criminals, intent on stealing money by way of fraud and extortion, and hackers out of mainland China were mostly focused on industrial espionage, stealing trade secrets and intellectual property on behalf of state-owned industry.  But it’s notoriously hard to pin down who the attackers actually are, and often impossible to identify their location with certainty.  With compromised systems all over the globe, the actual attackers can hide behind a complex chain of systems, networks, domains and IPs.</p>
<p dir="ltr">But over the last year or so, with the rise of so-called APTs (Advanced Persistent Threats), it has become more acceptable to openly discuss the near-certainty of Chinese state-sponsored cyber espionage.  Companies in virtually every industry are coming to recognize that their most valuable asset is their data, and their data isn&#8217;t being effectively protected.  Then, in February, Mandiant released a report documenting six years of increasingly sophisticated penetrations and exploits from an organization they called APT1.  APT1, they had determined, was a special group under the auspices of the Chinese People’s Liberation Army with funding from the central government and technology from the state telecom entity.  Then, just last week, the US Congress passed an appropriations bill that included a provision limiting the ability of key American government agencies such as NSA, DOJ and NASA to purchase computer and telecom equipment from Chinese manufacturers.</p>
<p dir="ltr">So now we find ourselves in this new place, where we just know we are under sustained attack from the most sophisticated, well-funded organization of hackers in the world.  What does it mean?  We need to think about it at two levels. On the big picture level, the repercussions will be felt for years, in diplomacy, in trade regulation, in both government and business strategy, affecting everything from economic growth to matters of war and peace.  How long can US and European businesses continue to use China as a global manufacturing center while desperately fighting to keep their supposed “partners” from stealing their trade secrets?  What happens to those logistic relationships if the attacks continue?</p>
<p dir="ltr">The other level is the day-to-day reality of the struggle to secure our network infrastructure.  Can we protect our data in an environment where we know with a high level of certainty that we cannot prevent network penetration?  In essence, it comes down to a simple binary option.  We either find a way to harden the network so effectively as to keep these incredibly sophisticated attackers out 100% of the time, or we start to think about living in a world where the operative assumption is that the network is under attack and the challenge is protecting data and transactions in a compromised environment.</p>
<p dir="ltr">If we accept the premise that we very likely have hackers in our networks right now, then the focus becomes one of detection and not just prevention, and the number of tools and solutions available in the marketplace plummets.  The idea that we must somehow develop the capability to detect an attacker using legitimate credentials and valid permissions, and differentiate his actions from those of thousands of other legitimate users is daunting.  It would require that we aggregate and integrate all our data, from user identities to permissions, from applications to transactions and apply some kind of big-data type intelligent analysis to all that data in real time so as to detect not the penetration, but the activities that give away the hackers actions.</p>
<p dir="ltr">Fortunately, some of the Securonix platform’s most powerful capabilities are made for the fast detection of these very advanced and sophisticated threats.  We’re living in a brave new world, where the forces arrayed against us are more powerful and better funded than we are.  We need to confront this reality with intelligent solutions inside the network rather than continuing to believe that we can find a way to prevent the compromise in the first place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/04/may-you-live-in-interesting-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What (Who) is in Your Network?</title>
		<link>http://www.securonix.com/2013/04/what-who-is-in-your-network/</link>
		<comments>http://www.securonix.com/2013/04/what-who-is-in-your-network/#comments</comments>
		<pubDate>Tue, 02 Apr 2013 15:23:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[malware detection]]></category>
		<category><![CDATA[phishing attacks]]></category>
		<category><![CDATA[Real Time Detection]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[targeted attacks]]></category>
		<category><![CDATA[zero day attacks]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3239</guid>
		<description><![CDATA[Recent events have caused IT security professionals to reevaluate the way they think about the threat environment. <a href="http://www.securonix.com/2013/04/what-who-is-in-your-network/"></a>]]></description>
			<content:encoded><![CDATA[<p dir="ltr">Recent events have caused IT security professionals to reevaluate the way they think about the threat environment.  First, DDoS attacks can go from a minor annoyance to an existential threat, given sufficient compute resources and bandwidth.  Second, state sponsored hacking and espionage is going to be a huge ongoing problem with second- and third-order ripple effects on international trade, diplomacy and global economics.  And third, the ability of IT security organizations to detect and prevent targeted and advanced malware attacks is being called into question.</p>
<p dir="ltr">Despite the money and resources being thrown into attempts to harden the network perimeter such as AV and Identity and Access Management tools, these attacks just keep on happening, and Information Security leaders are increasingly being forced to confront the fact that they do not know how to prevent them.  The thought that there are open doors into the most critical parts of their network infrastructure that they not only can’t close, they can’t even detect, keeps people in our profession awake at night.</p>
<p dir="ltr">There is no doubt that malware is becoming more sophisticated, using targeted phishing tactics coupled with constantly evolving social engineering and an in-depth understanding of network security systems to target either unusually vulnerable accounts or those with highly privileged access entitlements.  What it means is that the insider threat is a double-edged sword &#8211; your users may be unaware they are complicit in enabling attack vectors into the heart of the network.</p>
<p dir="ltr">In a recent survey from Bit9, more than half of global server administrators rated advanced targeted malware attacks as the greatest threat, and over a quarter of them said they had already been the victim of such attacks.  This increasing awareness of the virulence and effectiveness of these attacks is resulting in a change of attitude in the Information Security community.  No longer can security administrators ask “is my security infrastructure sufficient to protect my network, data and customers from most threats?”, but rather they must acknowledge “our IT security efforts have not been effective, and we need additional tools or resources to provide a reasonable level of security”.</p>
<p dir="ltr">But if the vast array of network security products and services available today are not sufficient to protect against these threats, what can we do?  What we need to do is think more broadly about what we expect from our security stack.  Why, for example, in 2013, should network user, identity and activity data remain completely un-integrated, separate silos of data that cannot be assembled into an integrated “Security Warehouse” sort of arrangement, so that correlations and relationships between disparate data types and sources can be discovered and analyzed?  For that matter, with all the leaps in big data analysis and machine intelligence that have been made in recent years, why can we not apply a flexible set of intelligent algorithms to that integrated data that can learn what normal behaviors look like in order to detect abnormal, suspicious user activity anywhere in the network stack in real time?  It is of very limited value to discover that your organization has been compromised by these advanced attacks long after the fact. If you cannot prevent them, you must be able to detect them as they happen.</p>
<p dir="ltr">Fortunately, this is precisely what Securonix does today.  The Securonix security intelligence platform functions both as a data integration tool for all your network, user and security data, and as an intelligence system for monitoring events and activities in real time.  In the Securonix platform, activity is correlated to actual user identity, and behavior is measured against a profile baseline AND multiple peer groups in order to detect suspicious outlier behavior as it happens.  This is real, actionable intelligence you can act on immediately to safeguard your data and customers, and because of the broad array of data sources and the inherent intelligence of the platform, false positives are reduced to virtually zero.</p>
<p dir="ltr">There is no doubt that these attacks are taking place right now, and we have to face the very real possibility that operational IT security teams are falling behind in an arms race we just can’t afford to lose.  Why spend another day not knowing who &#8211; or what &#8211; is in your network?  Call Securonix today to arrange a demo or a free trial.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/04/what-who-is-in-your-network/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Best Defense&#8230;</title>
		<link>http://www.securonix.com/2013/03/the-best-defense/</link>
		<comments>http://www.securonix.com/2013/03/the-best-defense/#comments</comments>
		<pubDate>Fri, 29 Mar 2013 16:14:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Crime Security Threat hacking]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Intelligence]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3228</guid>
		<description><![CDATA[Despite all the facile metaphors in common usage, the “battle” between information security professionals and their various opponents, hackers and thieves in particular, can not in any way be viewed as a war. <a href="http://www.securonix.com/2013/03/the-best-defense/"></a>]]></description>
			<content:encoded><![CDATA[<h2 style="text-align: center;" dir="ltr"><strong><em>“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”</em></strong></h2>
<p style="text-align: center;" dir="ltr">― <a href="http://www.goodreads.com/author/show/1771.Sun_Tzu">Sun Tzu</a>, <a href="http://www.goodreads.com/work/quotes/3200649">The Art of War</a></p>
<p dir="ltr">Despite all the facile metaphors in common usage, the “battle” between information security professionals and their various opponents, hackers and thieves in particular, cannot in any way be viewed as a war.  That is due simply to the fact that the “battle” is entirely one-sided.  The ‘bad guys’ conduct offensive operations, and we try to block them, prevent them from achieving their goals or mitigate the damage they can do when they are successful.  It can’t be a war if only one side is attacking.</p>
<p dir="ltr">In a very real sense, it doesn’t have to be this way.  It’s not like the developers, engineers and architects in the business IT community are helpless. Indeed, just last year information security website DefCon Russia, run by Alexey Sintsov, <a href="http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240151740/honeypot-stings-attackers-with-counterattacks.html">operated a particularly aggressive honeypot</a>, one that was built specifically to be breached by SQL Injection. Unfortunately for the attackers, a successful penetration resulted in the surreptitious installation of a backdoor on the attacker’s system.  Sintsov is not a blackhat, so the backdoor was benign, coded to capture login and source IP information in order to deliver nothing more than a “gotcha” message.  And, it turned out, a surprising number of the attackers were either ultimately ineffectual script kiddies or other white hats looking for vulnerabilities.</p>
<p dir="ltr">In general, we are constrained by laws and ethics from turning the digital battlefield into a digital minefield.  Regardless of our capabilities, we are limited to defending our perimeter and trying to prevent attacks and thefts.  Even with the best forensics, attackers can seldom be identified, and are often far out of reach and invulnerable to any consequences.  Adopting an offensive security posture, as attractive as it might be conceptually, isn’t an option that is available to those of us in the InfoSec field.  Or is it?</p>
<p dir="ltr">Just because we can’t turn the hackers’ tools against them doesn’t mean we have to sit back and play defense.  In the face of the current threat environment, merely reacting to an attack isn’t enough.  We MUST adopt a more aggressive, proactive approach to winning this fight.  But if hardening our systems isn’t enough, and we can’t counter-attack, what can we do?</p>
<p dir="ltr">The answer, just as it is on the real-world battlefield, is intelligence.  If we can imbue our systems with the intelligence to know clearly and with certainty who the users are, what resources they are accessing and with what permissions, and most importantly what they are doing, not just at the network level but at the application/transactional level, and if we can see it all in real time, we can fight back within the confines of our own networks.</p>
<p dir="ltr">Securonix is the only tool that lets you adopt a true offensive security posture.  By integrating all your network, user and security data, from logs to Directory Services and HR Data to IAM to DLP and Content Management to SIEM and other specialized security tools, Securonix lets you build a Security Warehouse where you can integrate all your critical security information in one place.  Then the Securonix platform applies a powerful set of behavioral profiling algorithms so that you can identify suspicious, risky or fraudulent activity as it happens.  No longer are you waiting for a vendor to update a signature or an auditor to discover discrepancies.  Now you have actionable intelligence, and the opportunity to stop insider attacks, APTs, hacktivists, even zero-day exploits before they can do any damage.</p>
<p dir="ltr">Above all the obvious financial and technical advantages to a more aggressive information security strategy, there is a tremendous satisfaction in moving from a reactionary/defensive security model to a proactive, real-time posture.  Instead of merely cleaning up the crime scene and looking for evidence, you can fight back on a level playing field.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/03/the-best-defense/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Human Factor &#8211; Monitoring for High Privileged Accounts</title>
		<link>http://www.securonix.com/2013/03/the-human-factor-monitoring-for-high-privileged-accounts/</link>
		<comments>http://www.securonix.com/2013/03/the-human-factor-monitoring-for-high-privileged-accounts/#comments</comments>
		<pubDate>Tue, 26 Mar 2013 17:37:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3218</guid>
		<description><![CDATA[People tasked with securing network infrastructure, digital data and applications have always been faced with an insoluble dilemma <a href="http://www.securonix.com/2013/03/the-human-factor-monitoring-for-high-privileged-accounts/"></a>]]></description>
			<content:encoded><![CDATA[<p dir="ltr">People tasked with securing network infrastructure, digital data and applications have always been faced with an insoluble dilemma.  There has to be a staff of experts and technicians to maintain the system, repair it when it fails, and solve problems extending to the most critical systems.  Those people need the necessary credentials, entitlements and access permissions to do their job, but the problem is simply this: They’re people.  And there is a statistical certainty that some small percentage of them will be bad, or go rogue or somehow their credentials will get compromised.  Of course, with their combination of expertise and virtually unlimited access, they have an ability to do damage of very significant proportions to their position within the organization &#8211; they represent the risk of a quintessential “Black Swan” event, a low-likelihood risk with a very high potential cost.</p>
<p dir="ltr">We saw this endless InfoSec challenge played out in a very public forum last week when the former IT Administrator for the historically hapless city of Hoboken, New Jersey, Patrick Ricciardi, pled guilty to Federal hacking charges.  It seems the previous Mayor of Hoboken, Peter Cammarano, was forced to step down after being arrested on corruption charges in 2009, and Dawn Zimmer won a special election to become the new Mayor.  Unfortunately, many of the City’s civil servants, including Patrick Ricciardi, remained loyal to Cammarano and opposed to Zimmer, which split Hoboken’s management into two political factions.</p>
<h2 style="text-align: center;"><strong><strong><a href="http://www.scmagazine.com/man-charged-with-hacking-hoboken-nj-mayors-email/article/216487/">Here is a link to the original story</a></strong></strong></h2>
<p><a href="http://www.securonix.com/wp-content/uploads/2013/03/for-blog.jpg"><img class="alignleft size-large wp-image-3220" title="Confession" src="http://www.securonix.com/wp-content/uploads/2013/03/for-blog-1024x490.jpg" alt="" width="584" height="279" /></a></p>
<p dir="ltr">With his expertise and access to the Government systems, it was a trivial matter for him to write a script that copied all the Mayor’s incoming and outgoing emails to an archive file on his computer.  Unfortunately for Mr. Ricciardi, one of the city officials he provided with the Mayor’s confidential emails printed one of them out and confronted the Mayor with it.  She, quite reasonably, but far too late, ordered a security audit that uncovered the archive file with the emails in it.</p>
<p dir="ltr">Employees like Patrick Ricciardi are what we call HPAs &#8211; Highly Privileged Accounts. Many of them are your best employees, but every now and then, one may go rogue, and that can represent a very serious risk to your business.  What is needed is a way to monitor not just access, but behavior, no matter what system, IP address or account they use to try and mask their activities.  A system with the intelligence and the vision across the network and application stack to understand who these people are and what they’re actually doing &#8211; in real time.  Forensics is not enough &#8211; mitigation is not enough &#8211; with some threats the only viable option is prevention.  IAMs can’t prevent these threats.  Neither can SIEMs.  When the access is legitimate, it is only the behavior that gives the rogue activity away.  Securonix would have flagged this activity even as Mr. Ricciardi was implementing it, allowing security personnel to lock it down and investigate it before any data was compromised.</p>
<p dir="ltr">Most people would agree that prevention through intelligence is a much better outcome than a high-profile federal prosecution.  That option exists today.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/03/the-human-factor-monitoring-for-high-privileged-accounts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Trouble with SIEM</title>
		<link>http://www.securonix.com/2013/03/the-trouble-with-siem/</link>
		<comments>http://www.securonix.com/2013/03/the-trouble-with-siem/#comments</comments>
		<pubDate>Mon, 18 Mar 2013 15:15:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[behavioral security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[securonix]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://www.securonix.com/?p=3026</guid>
		<description><![CDATA[It is an article of faith that information security is a giant game of cat and mouse, played out on millions of corporate and university networks around the globe.  Hackers, criminals, vandals and thieves seek some kind of technological advantage while the network admins and their InfoSec allies try desperately to secure their digital infrastructure, protect their data and safeguard their customer’s transactions.   <a href="http://www.securonix.com/2013/03/the-trouble-with-siem/"></a>]]></description>
			<content:encoded><![CDATA[<p>It is an article of faith that information security is a giant game of cat and mouse, played out on millions of corporate and university networks around the globe.  Hackers, criminals, vandals and thieves seek some kind of technological advantage while the network admins and their InfoSec allies try desperately to secure their digital infrastructure, protect their data and safeguard their customer’s transactions.</p>
<p>Mostly this is a seesaw battle of incremental change, new exploits and new patches.  Systems penetrated, lessons learned, networks hardened.  But every now and then, there is a breakthrough. Whether it’s the “Love Letter” virus or SSL, some changes are revolutionary rather than evolutionary.  In the early part of this century, that’s how we saw SIEM.  It was a game changer, essentially a plug-and-play tool that would allow us to secure our networks, detect penetrations and prevent theft.  Of course, like many declarations of victory over the forces of darkness, this one is turning out to be premature, and substantially overly optimistic.</p>
<p>Most of the larger enterprises have implemented some kind of SIEM technology at this point, and they are universally beginning to speak out about their dissatisfaction.  This is not a “silver-bullet” technology, they are saying, but another large, complex software layer that consumes significant human resources, demands substantial compute resources and returns a great deal of data that offers little in the way of real, usable intelligence.  Often, the problem is not what the SIEM <em>doesn’t do</em>, but rather what it does.  At the end of the day, the goal is to prevent attacks, but when that isn’t possible, at least to detect them.  And this is where the SIEM, along with the IAM and DLP tools, breaks down.</p>
<p>Most security practitioners at larger enterprises where SIEM is deployed have always known it was not a silver bullet to solve all their technology security problems, but more of a next step in the evolution of a layered security approach. SIEM technology promises many robust solutions to security needs, such as correlation, log centralization with consolidation, console reduction and finally the ability for less trained engineers to be a first step in the defense of a company&#8217;s high value financial targets. While SIEM does well when properly installed, maintained and staffed, it is only capable of what its engineers directly program it to do. The adage ‘garbage in, garbage out’ comes to mind. SIEM has met some of the promises but has created other problems, one of which is what some people have called a data explosion. Data explosion means that rather than reduce the number of alerts and logs, it has increased them exponentially. To solve this problem we need to move away from traditional correlation and IDAM systems and toward Security Intelligence.</p>
<p>The main difference between traditional SIEM and Security Intelligence is in the techniques and technologies used in Security Intelligence. A typical SIEM can provide you with the top talkers in an AD environment but is hard put to tell you whether those top talkers are exhibiting normal behavior like others in their peer groups or whether they pose an actual risk/threat. Securonix, with its purpose-built techniques and technologies, is made for this type of intelligence and can scale to millions of identities. SIEMs generally can’t scale to millions of identities because their schemas were developed with security events, not identity data, in mind.</p>
<p>Smart people are working very hard to penetrate our network defenses and steal information, funds or credibility.  If we assume that there is some solution that can prevent all those attacks, even those that employ zero-day exploits or compromised accounts, we will find ourselves more vulnerable, rather than less.  A third of IT departments who have implemented a SIEM would remove it if they could, according to a recent survey. That same survey found that more than half of IT departments have had to dedicate <em>at least</em> 2 full-time employees to running their SIEM.  And even with all that, they get so many hits they have no way to act on them in real time.</p>
<p>What’s the answer? Well, we’re still working on that. But one thing we can do is use big data analytics and intelligent algorithms to integrate SIEM data with other data sources, such as syslog files, IAM, DLP and HR Data and to develop a behavior-based view of your network activity, correlated to actual identities.  That way, you can see outlier and anomalous user behavior in real time, regardless of the account they use or the entitlements they are granted.  The result?  Real, actionable intelligence you can use to protect your users, your customers and your IP in real time.</p>
<p>The point is that you don’t lack for data.  What your systems lack is intelligence.  That’s what Securonix does. It’s the piece you’re missing.  <a href="http://www.securonix.com/request-a-demo/">Check it out &#8211; ask us for a demo today.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securonix.com/2013/03/the-trouble-with-siem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
