CyberSecurity Institute

Some examples of large security breaches resulting from poor security practices include a recent Distributed Denial of Service Attack (DDOS) against Spamhaus which clogged Internet lines leading Matthew Prince, Chief Executive of Cloud Flare, to compare the attack to a nuclear bomb.

From my discussions with top security professionals at leading security organizations, including Big 4 consulting and assurance companies, software such as Antivirus and Intrusion Detection and Prevention (IDS/IPS) are currently only marginally effective at catching security threats. In addition, many security solutions are installed out of the box with little modification or customization to the needs of each network, leading to reduced or ineffective defense.

For instance, Fireeye is a product that has developed a learning system that collects data on existing attacks from their subscribers using their custom tools. While hackers previously had the upper hand in combining security known weaknesses into highly complex attacks, Fireeye tools use the same method of sharing security breaches with each other to raise the defense profile of each of the subscribers on the network quickly.

In addition, VMware’s partnership with Cisco hardware networking products provides a robust, integrated security solution with a hardware provider that dominates the corporate LAN network device space.

Costs for adoption of OpenStack software are cheaper than VMware, but the system is newer and not as well documented. Most companies run both Linux and Windows servers, and I expect in a similar way VMware and OpenStack will coexist as solutions in the cloud space. In addition to a maturing product portfolio, IT leaders would do well to strengthen focus on security by hiring technicians with a proven security background, such as Information Assurance and Security professionals.

Link: http://seekingalpha.com/article/1324971-pandemic-cyber-security-failures-open-an-historic-opportunity-for-investors?source=feed

In MITRE’s five-day virtual war game, which the group played out in late January of 2012, the Blue Team was given a mission titled Operation Beggar’s Banquet, of killing a fictional terrorist leader named Richard Hakluyt. The scenario dictated that Hakluyt had holed up in a compound in the fictional People’s Republic of Virginia, (represented by the Red Team) which was in a state of cold war with the equally fictional Republic of New England, represented by Blue. Blue’s secret mission was to parachute a special operations group next to Hakluyt’s compound, which would use a laser designator system to help a gunship target the compound and blow it up, before deploying a Fulton Surface-To-Air-Recovery plane to retrieve the special ops team.

While the game was still in its first day of pre-action planning, Red’s hackers immediately breached Blue’s network and gained access to all of its mission plans, which had been stored on an internal wiki.

Stech and Heckman had worked on a so-called “denial and deception” system they called BlackJack, which they planned to use to create a parallel version of Blue’s network in real time to misdirect Red’s hackers with false information.

According to Heckman and Stech, Blue used those hacked accounts to feed Red a story about a member of Blue’s team who had foolishly planned to kill Hakluyt when in fact, a murder would be too politically incendiary to risk. Blue went on to create an alternate story that it planned to instead track and then kidnap Hakluyt by using information provided by a double agent within Red’s team that Blue called “Cotton Dollar.” Blue used its compromised accounts to feed Red information about when it planned to use its informant Cotton Dollar’s information to send a special forces team to kidnap Hakluyt during a trip outside the compound.

Richard Bejtlich, chief security officer with the breach response firm Mandiant, which recently detailed in a report hundreds of breaches by a prolific team of sophisticated Chinese government hackers, says that creating a fake playground for observing and misinforming intruders can be a costly and dangerous game. Or you have to do so much work setting up a juicy fake network that I pretty much guarantee it takes more time to set up than it takes the intruder to figure out that it’s fake.”

Link: http://www.forbes.com/sites/andygreenberg/2013/04/05/a-different-approach-to-foiling-hackers-let-them-in-then-lie-to-them/

After the analytics skirmishes, the other kind of “intelligence” came up, namely the number and variety of additional inputs to the algorithms: reputation, geolocation, indicators of compromise, or possibly the number of former government intelligence analysts in the research team (and/or on the board of directors).

And then it’s back to numbers: the number of external intelligence feeds that are used to enrich the data that the monitoring system processes.

Can one system produce data that is “more actionable” than another one, and if so, how do you prove it?

Not only will the data be processed “live” (which is supposed to be better than “real-time,” I understand – or maybe it’s the other way around), but it’ll be newer than anyone else’s data, still dewy from the data fields.

One thing’s for sure: buyers will still be wading through the marketing morass, trying to search out bits of dry land that will hold up to a purchasing decision. Not only will they have trouble differentiating vendors and their offerings; they’ll also struggle to find metrics that tell them when their monitoring is good enough.

Link: http://www.darkreading.com/security-monitoring/blog/240152343/is-there-any-real-measurement-in-monitoring.html