Sunday, January 25, 2009

Unintended consequences

One of the blogs that I follow is the Freakonomics Blog; the Freakonomics bloggers often deal with the unintended consequences of actions that people take.

For example, this post posits that banning bottled water at schools in an effort to combat pollution will likely have the unintended consequence of increasing sales of bottled soft drinks. Not only will there be a negligible reduction in pollution, but soft drinks are obviously not as good for the body as water, so there will be health repercussions as well.

What does this have to do with technology? I have been thinking a bit about Microsoft's decision that they will be cutting thousands of jobs and the types of unintended consequences that this will create.

We already know Microsoft's track record when it comes to digital security, so I am predicting right here that Microsoft's job cuts will have negative unintended consequences in the digital security realm.

I am not an expert on the economy, I don't have ESPN and I usually don't make too many predictions, so I could be wrong, but I could be right.

Wednesday, January 21, 2009

Technology scares

About a year and a half ago, while I was waiting in line to use an ATM, the machine froze up and revealed that the operating system in use was Windows NT 4.0 Embedded. Not only was this in 2007, but the ATM was a new model that the bank was promoting as its new intelligent and feature-rich bank machine.

This used to be one of my favorite anecdotes about technology uses that not only irked me, but actually scared me.

That was until today when I read this story on Seclists.org.

The crux of this story is that a hospital disabled Windows Update on its computers because some of its systems used Automatic Updates and rebooted during surgery. You read that right. Strangely, the story focuses on how the hospital in question made itself more vulnerable to the Conficker/Downadup worm and not on the questionable use of Windows for critical hospital systems.

My immediate reaction to reading this was disgust and I had to question the necessity of using Microsoft Windows for critical hospital systems that have a life and death impact.

Tuesday, January 20, 2009

Trusted Source blog?

As I've said before, I am a big Secure Computing proponent because these were the firewalls that I cut my digital security teeth on. When Secure Computing introduced their Trusted Source blog, I was fairly impressed and followed fairly regularly.

In a previous post I mentioned that Secure Computing was being acquired by McAfee; curiously the last Trusted Source blog post is about the aforementioned acquisition. That post is available here.

You know what they say about coincidences right?

Monday, January 19, 2009

Three questions answered...

Richard Bejtlich was kind enough to answer my three questions on his blog recently. Thanks Richard!

There is one point in the answer to question number two that is very pointed and quite important when I consider why I do this type of work.

Richard stated that you are an analyzer of dashboards and not data if you cannot:

"Research activity for which there is no indicator, i.e., you can only see indicators and not any activity for which an alert did not fire"

For me personally, it is very important to be able to research traffic that did not generate an alert using my intuition and NSM knowledge. I should point out that this intuition is enhanced when digital situational awareness (DSA) and emotional investment are present.

One of the things that I have learned over the course of my career is not to place 100% trust in any one device or application. NSM principles tell you that the system will lie to you and the logs will lie to you and applications will also lie to you or will have deficiencies that encumber your investigations.

However, if you have full-content data and are free to extract session and statistical data from it, it is possible to detect attacks or malicious traffic that were not present in the alert data. This is why NSM is much more powerful than traditional IDS, but having the leeway and know-how to deviate from alert data is necessary for this to be successful.
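An added example (not from the original post or from Richard's blog) of the point above: constructed session records and a single IDS alert are reduced to statistical data (inter-arrival times per source/destination pair) so that periodic connections for which no alert ever fired can be surfaced for an analyst. All addresses, timestamps and thresholds are constructed.

```python
# Added example: derive statistical data from session records and surface
# activity that generated no alert. All values below are constructed.
from collections import defaultdict
from statistics import pstdev

# Constructed session records: (start_ts_seconds, src, dst, dport, bytes_out)
SESSIONS = [
    # 10.0.0.5 talks to 203.0.113.7:443 roughly every 600 s; no alert fired
    (0, "10.0.0.5", "203.0.113.7", 443, 512),
    (601, "10.0.0.5", "203.0.113.7", 443, 508),
    (1199, "10.0.0.5", "203.0.113.7", 443, 515),
    (1802, "10.0.0.5", "203.0.113.7", 443, 510),
    (2400, "10.0.0.5", "203.0.113.7", 443, 512),
    # 10.0.0.9 is also periodic, but an IDS alert already covers this pair
    (0, "10.0.0.9", "198.51.100.3", 80, 300),
    (300, "10.0.0.9", "198.51.100.3", 80, 300),
    (600, "10.0.0.9", "198.51.100.3", 80, 300),
    (900, "10.0.0.9", "198.51.100.3", 80, 300),
    # ordinary browsing with irregular timing
    (10, "10.0.0.7", "192.0.2.11", 443, 4096),
    (50, "10.0.0.7", "192.0.2.11", 443, 2048),
    (400, "10.0.0.7", "192.0.2.11", 443, 8192),
    (1300, "10.0.0.7", "192.0.2.11", 443, 1024),
]
# Constructed alert records: (ts, src, dst, signature_name)
ALERTS = [(305, "10.0.0.9", "198.51.100.3", "constructed IDS signature")]


def sessions_without_alert(sessions, alerts):
    """Keep only sessions whose src/dst pair never appeared in an alert."""
    alerted = {(a[1], a[2]) for a in alerts}
    return [s for s in sessions if (s[1], s[2]) not in alerted]


def periodic_pairs(sessions, min_count=4, max_jitter=5.0):
    """Return {(src, dst, dport): mean_gap} for pairs whose inter-arrival
    times are nearly constant, a statistical signal that no signature sees."""
    times_by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in sessions:
        times_by_pair[(src, dst, dport)].append(ts)
    result = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            result[pair] = round(sum(gaps) / len(gaps), 1)
    return result


def investigate(sessions=SESSIONS, alerts=ALERTS):
    """Analyst workflow: discard what the IDS already told us, then look."""
    return periodic_pairs(sessions_without_alert(sessions, alerts))
```

Running `investigate()` returns only the 10.0.0.5 pair, the traffic that never produced an indicator; the already-alerted pair and the irregular browsing are filtered out.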

ArcSight ESM

I have been making good use of my ArcSight Certified Security Analyst (ACSA) certification this week as we have recently deployed ESM 4.0 at work and though I remain somewhat skeptical, I would like to state that I am coming around and may someday be an ArcSight believer.

Though this SIEM/SEM will never replace my preference for Snort and Sguil, the impossibility of using my preferred architecture at my current job is forcing my hand. So far ArcSight is doing a good enough job of coalescing disparate alert and other data, such as syslog, into a single console and making it easy to perform analysis and escalations.

MSSP: Internal vs. External

There is a very interesting post on Richard Bejtlich's blog that debates the merits of internal and external managed security services. Richard's post was inspired by a reader of his blog researching the differences between building an in-house security department and contracting out to an MSSP.

This is a fascinating question for me because I am currently employed at an MSSP and have previously developed and deployed an internal Network Security Monitoring solution using Snort, Sguil and other Open Source tools.

Personally, I think that if an organization is capable and willing to invest in developing its own internal managed security service, this is the preferred choice. Keep in mind that it is possible to have an in-house managed security service and still contract 24x7 monitoring and other digital security tasks to an MSSP.

I know my opinion may seem somewhat heretical, but ultimately there are three areas that an MSSP cannot succeed in as well as a well trained and well run internal security department.

1. MSSPs cannot attain unadulterated digital situational awareness (DSA).

This is primarily because of a diffusion of authority that stymies efficiency and creates inertia through endless meetings and red tape. This is what I like to refer to as "ITIL Hell".

When you are running your own internal managed security service, you are afforded the luxury of autonomy and can therefore act quickly and efficiently in the company's best interest.

2. Lack of DSA creates a disconnect between the time of detection and the time of notification and escalation of incidents, because of the lack of context into client networks; for example, it is sometimes difficult to distinguish traffic from different partner networks.

Organizations are often not forthcoming with this information, and this further slows escalation because analysts are forced to best-guess whether the traffic is legitimate or not.

3. There is no emotional investment in the ultimate digital security of a client's network. This does not mean that an MSSP does not care about client networks, but when an analyst is working different shifts each week and has alert data from many client networks to monitor, it is impossible to care for one client more than another.

This lack of emotional investment may be the difference in going the proverbial extra mile during analysis. Couple this with lack of context and lack of DSA and it is easy to understand why an MSSP is not as efficient at defending an enterprise as an internal managed security service is.

So what does this all mean? Well, that depends entirely on the personnel and the organization. If the organization is both capable and willing to invest in developing an internal security department, and has the good fortune of having capable personnel with the emotional investment to build a defensible network architecture, then contracting security out to an MSSP is probably not the answer.

The reality is that many organizations do not have the capability or willingness, or perhaps do not have the personnel, to do effective 24x7 Network Security Monitoring. This is the market for which contracting out to an MSSP is the right choice.

Friday, January 9, 2009

First post of 2009 and one-year blog anniversary

As if by design, this is the first post of 2009 and the one-year anniversary of my first blog post! I had 35 posts in 2008, some moderately more interesting than others, but overall I enjoy blogging and intend to continue blogging, and then some, in 2009.

For the 3 people that regularly read this blog, I hope there is something here that helped out.