Well, I wouldn't say they're actually jumping ship but people are leaving at quite a frenetic pace right now. This is what happens when you hire people that are passionate about what they do for a living yet do not have the authority needed to get the job done. Sadly, this is all too common in information technology as a whole and especially within information security. Too often I think you get unqualified people who mismanage money because they lack the subject matter expertise to properly spend it. It is a given at the executive level that your technical skill sis probably not on par with those who work for you so listening and discerning becomes the critical skill when seeking funding. Being able to justify the funding requests is also a massive hurdle and this is often when we find out that an accountant is actually in charge of everyone.
This post from Richard Bejtlich's blog does a good job of explaining both the need for money and what you can do with it once you have it. So, what's the point here? The point is that you must find talented people to run your program and empower them, fund that program, and have a vision of what that program should look like. There must be a reasonable balance between security and convenience and you must always "sharpen the saw." Trying to have an infosec program without all of those elements is like trying to have fire without heat, fuel and oxygen.
If you don't follow Johnny Long on Twitter, (http://twitter.com/ihackstuff) or via his webpage, (http://johnny.ihackstuff.com/) I would encourage you to check him out. He's a great contributor the the Cyber Security field and also runs a neat organization. Hackers for Charity (HFC) is an organization that, I think, does some good in the world. You can read about them here:
At three of the four places I have traveled to over the past month, I have had the opportunity to meet a lot of vendors. As usual, there were a lot of new technologies and some really neat products to see out there. Unfortunately, you can never buy them all and the best thing for this year might not be the best in the long run for your organization. Some of the vendors I met that seem to be thinking long term for their product space and developing some great stuff are as follows:
Some of these folks have really been putting some dollars into research and development as they try to keep up with the ever-changing threat landscape. A few of them are branching out of their "comfort zone" and attempting to be much more comprehensive solutions. There is really some impressive technology on the horizon and on the shelf now. Thanks to these vendors, and the ones I am sure I forgot, as they try to help us provide a good layered model for the different environments we try to protect.
I finally made it back and have had quite an interesting week. The person I report to at work has decided to move on and I wish him well. I'm looking forward to seeing who will take the position and what their vision for us might be.
I was also able to get quite a bit of movement on one of my projects which will greatly help our current security posture. I had expected the project to not move quite so smoothly, as budgeting for the project has come and gone more than once. It also looks like the current money will allow a second, much needed, project to come to fruition.
I've also noticed that some folks have started reading this blog. I wondered how long it would take to ramp up. I thought the awesome picture would have made it go a little faster.
I have been enjoying my week at SANSFire in Baltimore taking the Network Penetration Testing and Ethical Hacking class.I haven't been pen testing fro quite a few months and was shocked at how quickly I had forgotten basic skills that used to be second nature. Fortunately my instructor, John Strand, is a great teacher and the course materials are written simply enough for even me.
During the past month I have gotten to meet several interesting groups of people that do some great things. More than one of those groups has extended an offer to let me join them and that is always extremely tempting. Currently, I have decided to stay where I am to try and make the program better. I really like where I work and think the place has loads of potential if we can just crawl out of 1999. We have some hurdles to overcome but I'm confident we can get where we need to be. Four weeks ago I spent six days in Henderson Nevada, last week was in Albuquerque New Mexico, and this week is Baltimore Maryland.
I believe this confidence comes from overcoming the very awesome mullet pictured on this blog.
I recently asked Richard Bejtlich why people with money haven't grasped the "Information Warrior" mentality. Much to my surprise he replied on his blog. Thanks Richard!
I just returned from a collaborative incident response exercise hosted by one of my sister sites. The threat landscape for cyber has not evolved, it has become a completely different animal. Host, or disk-based, forensics are no longer adequate and if you lack the ability to bit shift through a live memory image you are never going to see the newer more sophisticated attacks. This past week, I watched secure gmail get read on the wire, machines that appeared perfectly normal "phone home" to a remote location, and things which can't be mentioned here. Windows, Mac, and Linux pwned with ease by quite an elite group of nerds that were writing their exploits on the fly and plugging them into Metasploit for ease of execution. What did I do? I was the "blue cell" or defending team and acted as incident coordinator as the "red cell" was given 8 hours to attack us. During the initial 8 hours blue was only allowed to defend at layer 2 and our firewalls were set at "IP Any Any", and we scrambled to secure Windows, Linux, SCADA, Mac, and I think maybe a raccoon was even in there. The best part, when the "firing" began the blue cells didn't even know what was on their network or how it was architected.
If you would like to try this sometime, I would suggest you get a hold of Whitewolf Security. They set up the "range" and acted as exercise control(EC). As the blue cells noticed that we were set up to get pwned, some complaints began to get voiced. Fortunately, my hand didn't go up first and our EC leader made one comment about fairness "STFU." You may wonder why the blue cells were not actually allowed to defend from a traditional perspective, The short answer is that we have decided to "train like we fight." The computer you respond to is normally already jacked so you have to be in incident response mode when you get there. This exercise a gave a very real perspective on what that feels like.
I guess the question is "Can I have a good infosec program without spending a lot of money?" Well, "a lot" is a fairly relative term. I can say that cyber/information security programs are largely under funded pervasively in the industries that I have observed. Very few organizations including federal, local, and state governments adequately invest enough funds to defend their data. People with money to lose like banks, hospitals and businesses do a better job but even then maybe two of my customers over the past several years really put some cash into their defenses.
The quick answer is that you will get what you pay for. If you are a smaller organization, less than 500 nodes to defend, you might be able to defend yourself with one ninja and some open-source tools like Bro IDS, Snort, IPtables and the like. Once you grow beyond this, most of these require more interaction than you can afford personnel wise as you would have to dedicate an employee to IDS and one to firewall etc.. Investing in a commercial solution at this point will often provide more cost savings after the initial purpose as it allows your security analysts to multi task. I have often heard the "numbers" articulated as IT being 20% of your overall budget, and IT SEcurity being anywhere between 10 - 20% of that number. Once they are funded, where they sit in you rorganization's structure also becomes crucial. Hit me up for an org chart if you want one and I will customize it based on your organization's size, mission, and perceived needs.This is also better for your employees since they will not get bored with a single facet of security analysis and will tend to remain sharper over the long term. The question you get once you have greast analysts is "How do I keep these well-rounded, sharp security analysts?" That's will be somewhat unique to each individual, but the easy answer is "listen to what they say." They will often let you know what they need to do their job, an dmost people work in the field because they enjoy it.
For years there was only the ISS Internet Scanner, and it was truly a best of breed product. About three or four years ago, the ISS engine got so bloated that scanning a single /24 network could take hours. Tenable had a Nessus scanner for the Win platform but it also seemed fairly clunky and GFI Languard had a product but it wasn't really a competitor. The new Nessus Security Center is a really comprehensive tool for all platforms, but the back end is still *nix. The question might be, why do I need a Windows-based scanner and how come the win scanners don't work as well? I like to use Win-dee-oze and Linux for vulnerability scanning because the way they handle TCP is different. I personally think one of these platforms handles it much better, but I will leave that up to the reader. Nonetheless there is some merit in testing a platform frmo the same operating system for efficiency and effectiveness.
Currently, I am evaluating the latest Nessus against the Foundstone Scanner pictured above. McAfee is making some great strides in the security field having branched out from the anti-virus world a few years back. The Foundstone scanner has an efficient engine, and an intuitive interface. As always, results will be compared against the various scanners I have available in order to see who is the most comprehensive.
Stay tuned for some IPS comparisons in the near future between Tipping Point, McAfee, Cisco, and Juniper.