My Evolving Security Philosophy

From the very start of considering a move from IBM Security Systems to Bit9, I gave a lot of thought to my security philosophy.  I really do believe strongly in IBM’s security portfolio, and I wanted to make sure moving to Bit9 didn’t undercut my security philosophy.  Working for IBM taught me a lot about holistic security and how good security products are usable whether you have basic or advanced security maturity.  I generally focused on the network side of security, mainly in SIEM and NIPS.  I’ve shied away from endpoint security (with the exception of dabbling in forensics and TEM), because it’s such a headache.  Virus scan software is a joke, letting just about everything modern in.  Case in point with the recent attacks at the New York Times:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

I see this all the time.  That’s why products like QRadar and IBM Security NIDS are so popular.  You have to fall back to the network if you can’t get control of the endpoint.  Why attack the endpoint?  It seems to be the easiest and most successful.  There are typically three categories of attacks:

  1. Remote attacks launched from the internet (DoS, SQL Injection, etc.)
  2. Insider threats, and
  3. Infect an endpoint, then launch attack from within (phishing, drive-by downloads)

Network-based protection is very useful at blocking and/or detecting all three of these attack categories, but that leaves you with perimeter-based protection.  With perimeter-based security, one tries to tackle the channels of infection like email and web browsing.  There are tons of solutions that help with this, but nothing helps as soon as that endpoint walks out the door.  Network security should be used to protect infrastructure, not endpoints.

So what can be done to protect the endpoint?  IBM Tivoli Endpoint Manager does a lot to manage all the small stuff like patch management, software delivery, compliance, and virus scanning.  I say small stuff, not to dismiss its importance, but they are processes that should be in place already.  Having TEM take care of it all is just easier.

When I was at IBM and a customer was worried about the insider threat, we would use either TSIEM or QRadar to pull in system and audit logs.  What we usually found was near pure chaos, since it’s very hard to figure out what is what within system logs.  The best approach I have found is using whitelist policies.  We would build profiles of acceptable behavior in an environment, filter that out, then analyze the rest.  It was a great approach and bled over into some of my other SIEM and NIPS scenarios.

The reason I bring this up is that one of the reasons I like Bit9’s software is that it employs a similar whitelist approach, but it looks to be MUCH easier than the rat’s nest that is system and audit logs.
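To make the "build a profile of acceptable behavior, filter it out, analyze the rest" approach concrete, here is an added example (not code from the original post, and not from any IBM or Bit9 product). It runs a small whitelist policy over a handful of constructed syslog-style auth events from a hypothetical host; the host name, users, subnet and commands are all invented for illustration. Everything the policy explains is dropped, the rule hit counts are kept for tuning, and whatever is left is the residual an analyst actually reads.

```python
"""Whitelist ("known-good profile") filtering of audit logs.

Added example, not code from the original post or from any IBM or Bit9
product.  The log lines, host names, users and addresses below are
constructed for illustration only.
"""
import re
from collections import Counter

# Constructed sample: syslog-style auth events from a hypothetical host web01.
SAMPLE_LOG = """\
Feb 12 03:15:01 web01 CRON[1832]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 12 03:15:01 web01 CRON[1832]: pam_unix(cron:session): session closed for user root
Feb 12 08:02:17 web01 sshd[2210]: Accepted publickey for deploy from 10.10.1.5 port 51822 ssh2
Feb 12 08:02:20 web01 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Feb 12 09:41:03 web01 sshd[2301]: Accepted password for deploy from 203.0.113.77 port 40122 ssh2
Feb 12 09:41:09 web01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 12 10:00:00 web01 CRON[2400]: pam_unix(cron:session): session opened for user backup by (uid=0)
Feb 12 11:17:45 web01 sshd[2512]: Accepted publickey for alice from 10.10.1.9 port 50001 ssh2
"""

# The "profile of acceptable behaviour": each rule names one expected pattern.
# Rules are deliberately narrow (specific users, subnet, command) so that a
# deviation in any one field falls through to the residual.
WHITELIST = [
    ("cron session churn for service accounts",
     re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) for user (root|backup)\b")),
    ("key-based ssh login from the admin subnet",
     re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.10\.1\.\d{1,3} port \d+")),
    ("deploy account restarting the app service",
     re.compile(r"sudo: +deploy : .* COMMAND=/usr/bin/systemctl restart app$")),
]


def filter_residual(lines, whitelist=WHITELIST):
    """Drop every line matched by a whitelist rule; return what is left.

    Returns (residual, hits): the unexplained lines in original order and a
    Counter of how often each rule fired, which is what you review when
    tuning (a rule that never fires is dead, one that eats most of the log
    is probably too broad).
    """
    residual = []
    hits = Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        for name, pattern in whitelist:
            if pattern.search(line):
                hits[name] += 1
                break
        else:  # no rule matched: this is what an analyst should read
            residual.append(line)
    return residual, hits


def report(text=SAMPLE_LOG, whitelist=WHITELIST):
    """Print a summary for the sample log and return the residual lines."""
    lines = text.splitlines()
    residual, hits = filter_residual(lines, whitelist)
    print(f"{len(lines)} events, {sum(hits.values())} explained by policy, "
          f"{len(residual)} left for review")
    for name, n in hits.most_common():
        print(f"  [{n:3d}] {name}")
    print("Residual:")
    for line in residual:
        print("  " + line)
    return residual


if __name__ == "__main__":
    report()
```

On the sample, six of the eight events are explained by the policy and two are left: a password login for the deploy account from an address outside the admin subnet, and that same session reading /etc/shadow under sudo. The point of keeping the rules narrow is visible here: a single broad rule such as "any sudo by deploy" would have explained the restart and swallowed the /etc/shadow read with it. Review the hit counts whenever the policy changes; a rule that suddenly fires far more (or far less) than usual is itself a signal.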

Let me summarize:

  • Network security is best when focused on protecting infrastructure like hosted applications and databases.  It loses effectiveness when trying to secure the endpoint.
  • As for hosted applications, security vulnerability testing and security development should be a closed loop.
  • Insider threats can only be managed if you are doing system and audit log analysis.  It’s a costly investment, but worth it to certain business sectors like banking and military.
  • Endpoint protection must include basic measures including patch management, lifecycle management, and basic written security policy.
  • I believe SIEM is critical to tie it all together and should be the single pane of glass.
  • Maturity in other security processes like identity management, access management, policy, compliance, encryption, and asset management help all your other security investments.
  • Overall security policy governance has to be tailored to the size and type of organization.

As I write this out, I see that going after endpoint security with Bit9 fits for me.  I am looking forward to learning more about its capabilities and how our customers would like to use it.


One day in Taipei

Taipei 101
I am on a business trip in Taipei, Taiwan this week. It’s a TSOM/TSIEM deployment that I’ve been looking forward to for several months. I arrived late Saturday night, so I had one day to get all the sightseeing in I could. It’s the best way for me to get acclimated to the 13-hour change. If I stay in the hotel, I’m bound to fall asleep way too early. Here’s where I went today. If you are reading this to reproduce my itinerary, be forewarned – I like to walk. A lot. That last message came from my feet, who are not very happy with me right now.

The main tuned mass damper atop Taipei 101
I started the day from the Taipei City Hall MRT station and took a leisurely walk through the business district. I finally got to my first destination, Taipei 101, the world’s tallest building with the world’s fastest elevator. Okay, it WAS the tallest building in the world from 2004-2010. Those upstarts in Dubai had to outdo them. It’s still the world’s largest sundial. And it has the world’s largest tuned mass damper sphere. What’s that, you say? It’s a big freakin ball that hangs in the middle of the building at the top, and it keeps the building from swaying too much. In fact, I never felt it sway. Unlike the Westin in Atlanta. There’s lots for a geek to fall in love with at Taipei 101. There’s a lot of technology and a lot of meaning built into every aspect of the building (example: it has 8 segments of 8 floors).

On the Maokong Gondola
After that, I took a long walk to the Liuzhangli MRT station to do some urban exploring. I took the Wenhu Line to the end to ride the Maokong Gondola. I decided to wait in line for the “Crystal Cabins”, also called “Eyes of Maokong Gondola”, a plexiglass bottomed gondola. It was a great trip and the sights were as good as atop Taipei 101. I am a sucker for mountains, and these were quite nice. The gondolas go up and over several hills and traverse some steep valleys. At points the winds were really scary, but I made it up to Maokong Station safe and sound.

The "Tea House"
The "Tea House"
Now that I was safely up the mountain, I started to wander. I was heading in the direction of the Taipei Tea Promotion Center, but didn’t make it that far. I stopped off at a random tea house (this area is known as the Tea Gardens) called …wait for it… Tea House (they don’t have an English site, but they are at It was a very nice place and I was thankful that they had a teenager on staff who spoke very good English and taught me how to make traditional tea. I had tea oil chicken (it sounded like the thing you eat in the Tea Gardens) and Oolong Four Seasons Tea, which was like a more flavorful green tea. I sat a while enjoying the quiet of the mountainside, listening to strange, but calming, bird calls.

Playing the saw in Taipei
With my unused tea in hand and a fresh water bottle, I hiked back to the Gondola station and then back to the Taipei Zoo MRT station. I went to the Zhongxiao Fuxing station to check out SOGO. It didn’t seem too different than an American mall, so I quickly left. Next stop was the Longshan Temple MRT station, and you guessed it, the Longshan Temple. As I walked to the temple, I walked through No. 12 Park. It was where all the men were. The park was jam packed with old Taiwanese men playing what looked like Xiangqi, but I wasn’t sure. It was a very interesting find, even more so when I found a street performer playing the saw. That’s some good stuff right there. I think she’s ready to move to the Appalachian Mountains.

The Mengjia Longshan Temple
I crossed the street and entered the Longshan Temple. It was very crowded, which made it surreal and spiritual. I walked around and took in the sounds of the chanting, the smell of the incense, and the dedication of the followers. There is something moving about watching a religious practice you know absolutely nothing about, beyond my 3rd grade teachings of “weird religions you’ll never see in the south”. They had very elaborate paper creatures, some that were hung up so as to let people pray underneath them. Besides healing my spirit, I also let my feet take a rest, but not for long.

Bopiliao Historic Block
I had a pretty basic tourist map that indicated that other neat things were near. So I just picked a direction that kinda pointed me the right way. I didn’t find any of the things on my map. I did however find the Bopiliao Historic Block. It’s a couple of well-preserved and renovated streets and traditional shop houses from the Qing Dynasty (the last dynasty before the Republic of China was created). It was a great discovery and I was taken by how “modern” it looked. Seems like the architecture here inspired architects back home.

Ximen Square - looks familiar, eh?
It was getting late in the day and I decided to call it quits. I plotted a roundabout way of getting to the Ximen MRT Station. I came across The Red House, which had a small bazaar around it. I browsed a bit, then tried again to get to the Ximen MRT Station. I got there, decided to take a break, and started people watching. Then I noticed something (see the picture to the left). This was Taipei’s Times Square. I sat for long enough to watch some crazy woman go ape shit on her man and to watch the crowds gather. It was time for the famed “Night Markets” of Taipei. I gathered up enough strength to do some more walking. The energy was high. There were street performers (really good ones – no saw playing), magicians, food vendors (I picked up two different types of unknown fruit), caricature artists, silhouette artists, and TONS of people. After getting nice and lost, I gave in and looked at Google Maps on my phone, only to realize that I was one block away from the MRT station.

Here’s a few things I observed today:

  • Man purses are IN. The vast majority of men younger than 40 had a man purse.
  • A high of 75 degrees F is really cold to the Taiwanese. Everyone had on jackets, many with big winter coats. I was the only person in a t-shirt. Which reminds me:
  • T-shirts do not make the cut for men’s fashion here. Everyone I saw had a collared shirt, collared jacket, or hoodie. I felt naked in just a t-shirt.
  • Electronics are more expensive here than in the US. Which I find odd, since a lot of them are made here. Example, the 360 Kinect is about $530 here.
  • There is a distinct lack of iPhones, but a smorgasbord of other devices. All of them full touch screens. Some of them have tiny iPhone sized screens, but most of them have larger screens. Some were huge phones or small tablets. I did spot one or two iPhones and at least one iPad, but this land is not dominated by Apple.

Well tomorrow I start my TSOM/TSIEM project and will probably work most nights on my other pet projects (like getting that TSOM/TSIEM to QRadar Transition Redpaper finished!). I am uploading all my photos to my Flickr account, if you care to see more. My sore feet and I are going to bed.

Why The TCP Attack Is Likely Bad, But Not That Bad

There’s been a bunch of new information released over the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read are:

  1. Fyodor’s discussion of either the same, or a similar issue.
  2. Richard Bejtlich’s overview.
  3. Rob Graham’s take on the potential attack.

Here’s what I think you need to know:

  1. It is almost certainly real.
  2. Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (Could this trash a host OS? We don’t know yet.).
  3. Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
  4. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible.
  5. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
  6. This is the kind of thing we should be able to filter, once our defenses are updated.
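Points 4 and 6 above say that the attack is traceable, because the attacker has to complete real three-way handshakes rather than spray spoofed packets, and that it is the kind of thing that should be filterable. The block below is an added example of what that looks like from the defending host; it is not code from the post or from the three analyses it links. It parses a socket table constructed in the layout of `ss -tn` output (all addresses are documentation ranges), counts established connections per remote address, flags the one peer holding an abnormal share of them, and emits an iptables connlimit rule that enforces the same ceiling before the stack has to hold the state. The per-source limit of 20 is an illustrative assumption, not a recommended value.

```python
"""Finding the source of a TCP connection-exhaustion attack from the socket table.

Added example, not code from the post or the analyses it links.  The socket
table is constructed in the layout of `ss -tn` output; all addresses are
documentation ranges and the per-source limit is an illustrative choice.
"""
from collections import Counter

LOCAL_IP = "192.0.2.10"       # hypothetical server
SERVICE_PORT = "443"


def build_sample_table():
    """Construct an ss-style table: four benign connections from three peers,
    plus one peer (203.0.113.9) holding 30 idle connections to port 443."""
    lines = ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port"]
    benign = [("198.51.100.23", 51001), ("198.51.100.23", 51002),
              ("198.51.100.77", 60210), ("192.0.2.200", 33200)]
    for ip, port in benign:
        lines.append(f"ESTAB  0      0      {LOCAL_IP}:{SERVICE_PORT}  {ip}:{port}")
    for i in range(30):
        lines.append(f"ESTAB  0      0      {LOCAL_IP}:{SERVICE_PORT}  203.0.113.9:{40000 + i}")
    lines.append(f"LISTEN 0      128    0.0.0.0:{SERVICE_PORT}  0.0.0.0:*")
    return "\n".join(lines)


SAMPLE_SS = build_sample_table()


def parse_ss(text):
    """Parse `ss -tn`-style rows into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, recvq, sendq, local, peer = parts[:5]
        local_ip, local_port = local.rsplit(":", 1)
        peer_ip, peer_port = peer.rsplit(":", 1)
        rows.append({"state": state, "local_ip": local_ip, "local_port": local_port,
                     "peer_ip": peer_ip, "peer_port": peer_port})
    return rows


def connections_per_peer(rows, states=("ESTAB", "SYN-RECV")):
    """Count connections in the given states by remote address.  A completed
    handshake means the peer address is real, not spoofed, which is why this
    attack is traceable in a way a spoofed flood is not."""
    return Counter(r["peer_ip"] for r in rows if r["state"] in states)


def flag_sources(rows, per_source_limit=20, states=("ESTAB", "SYN-RECV")):
    """Return {peer_ip: count} for peers above the limit.  Pick the limit from
    what a legitimate client of *this* service needs; 20 is only illustrative."""
    counts = connections_per_peer(rows, states)
    return {ip: n for ip, n in counts.items() if n > per_source_limit}


def connlimit_rule(port, per_source_limit=20):
    """iptables rule enforcing the same limit at the host firewall, so the
    filtering happens before the stack has to hold the state for each socket."""
    return (f"iptables -A INPUT -p tcp --syn --dport {port} "
            f"-m connlimit --connlimit-above {per_source_limit} "
            f"-j REJECT --reject-with tcp-reset")


if __name__ == "__main__":
    rows = parse_ss(SAMPLE_SS)
    print("connections per peer:", dict(connections_per_peer(rows)))
    print("flagged:", flag_sources(rows))
    print(connlimit_rule(SERVICE_PORT))
```

On the constructed table the benign peers show two, one and one connections while 203.0.113.9 shows thirty, so it is the only address flagged. Two caveats a practitioner would add: the flagged address is the host that completed the handshakes, which may be a compromised machine or a proxy rather than the attacker's own, so treat it as where to look next rather than whom to blame; and a per-source connlimit does nothing against many sources each staying under the ceiling, which is exactly why point 5 rates a botnet flooding the upstream link as the bigger worry.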


PCI DSS version 1.2 differences and updates

On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements.  There are a number of changes as outlined previously in the update document.  The PCI SSC has established a life cycle process that will ensure the PCI DSS standard is revised and updated on a two year cycle.  What follows is a detailed outline of the differences between version 1.1 and 1.2 (some that have not been discussed previously) and the implications of those changes. (Unless otherwise noted, those items in quotations are taken directly from the PCI DSS or the update document linked above.)

Good dissection of the new reg from the PCI Blog.

Security metrics: more is not better

The shiny new version of SP800-55, renamed “Performance Measurement Guide for Information Security“, takes a rather different tack but is still quite long (80 pages in total, half of which are appendices).  I suspect the primary reason for its existence is to support FISMA (the US Federal Information Security Management Act, essentially a set of information security policies mandated in law for US Government agencies) by imposing a standardized set of metrics that can be used to benchmark agencies and force the laggards to pull their socks up.  It remains a highly bureaucratic and costly response to a genuine management problem.

Another draft NIST standard, SP800-80 “Guide for Developing Performance Metrics for Information Security“, emphasises the process of developing and implementing security metrics.  It includes a shorter list of STTCBM (‘candidate metrics’), but again takes a database approach with forms in the appendices characterising the metrics by ‘metric type’, ‘frequency of collection’ etc., details which, by the way, are organization and implementation-specific and really not that hard for grown-up security managers to figure out for themselves.

Read the full article on the (ISC)2 Blog.

TSOM 4.1.1 Available

Tivoli Security Operations Manager V4.1.1 is now available. To download this updated release, support-entitled customers should access the Passport Advantage Customer download site.

Tivoli Security Operations Manager V4.1.1 has been updated to include the following:

Additional Platform Support

* Added Windows 2003 SP2 64
* Added Red Hat Linux 5.x
* Tivoli Change and Configuration Management Database integration via Tivoli Application Dependency Database Manager
* IBM Tivoli License Manager Support
* IBM Support Assistant Support

New Capabilities / Enhancements

* IPv6 Tolerance
* LDAP Authentication
* Compliance Reports for PCI

Performance Measurement Guide for Information Security

NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.
