HoneyPoint HoneyBees Help Catch Sniffers

Posted on November 28, 2012 by Brent Huston

GlobalDisplay Orig

HoneyPoint has a component called a HoneyBee that can help organizations detect sniffing on their networks. The tool works like this:

HoneyBees are configured to talk to HoneyPoint Agents with a set of known credentials for an Agent emulated service
HoneyPoint Agent knows where the HoneyBees will be connecting from and those hosts are added to the local ignore list for that Agent
HoneyBees randomly create emulated “conversations” with HoneyPoint Agent in plain text, transmitting their credentials across the network for sniffers to pick up
The attacker or sniffing malware grabs the credentials through their sniffed traffic
The attacker or malware attempts to use those same credentials to authenticate to the HoneyPoint Agent
HoneyPoint Agent flags the authentication attempt as tampered traffic and alerts the security team to take action

By properly configuring the setup, this approach makes for a very effective tool to catch sniffing malware and attackers. Backing the credentials up with other detection mechanisms, such as in web applications and on AD forests can extend the approach even further. Our team has helped organizations stand up these kinds of nuance detection schemes across a variety of platforms.

Even though the approach seems quite simple, it has proven to be quite adept at catching a variety of attacks. Customers continue to tell us that HoneyBees working with HoneyPoint Agent have been key indicators of compromise that have led them to otherwise undetected compromises.

HoneyBees are just another example of some of the ways that people are using the incredible flexibility of HoneyPoint to do nuance detection more easily than ever before. Gaining vision where they never had it has paid off, and HoneyPoints ability to turn vision into intelligence has proven itself over and over again.

To discuss HoneyPoint, HoneyBees or other forms of nuance detection, get in touch with MicroSolved. We would be happy to discuss how we can help your organization get more vision all around your enterprise.

Audio Blog Post: Moving Toward Detection in Depth

Posted on May 23, 2012 by Mary Rose Maguire

Brent Huston, CEO and Security Evangelist for MicroSolved, Inc., explains how organizations need to move from a focus on prevention to detection.

Joined by MSI’s Account Executive Chris Lay and Marketing Communication Specialist Mary Rose Maguire, Brent maps out how an organization can get detective controls closer to the data and shows that IT departments can have a “payoff” if they pursue nuanced detection.

Click here to listen to the audio post!

Are You Attending the 2012 Central Ohio InfoSec Summit?

Posted on May 16, 2012 by Mary Rose Maguire

We’re excited to be a part of this year’s 5th Annual 2012 Central Ohio InfoSec Summit! Each year it keeps getting better and better, and this year is no different.

MicroSolved’s CEO and founder, Brent Huston will be presenting “Detection in Depth: Changing the PDR Focus.” Phil Grimes will also present “Attacking Mobile Devices” in the Advanced Technical Track.

There are other great speakers lined up. Included are:

Bill Hagestad, author of 21st Century Chinese Cyber Warfare
Jay Jacobs, a Principal with Verizon’s RISK Intelligence team, will focus on cyber crime
Curtis Levinson, who has served two sitting Presidents of the United States, two Chairman of the Joint Chiefs of Staff and the Chief Justice of the United States, who will be presenting on a balanced approach for survivability and sustainability in the cyber realm

There are more great speakers, plus over thirty vendors who help businesses stay secure. We hope to see you at the event! It promises to be a great time re-connecting with old friends, making new connections, and learning new approaches toward a proactive information security strategy.

See you there!

Discuss Detection in Depth at CMH ISSA Summit

Posted on April 30, 2012 by Brent Huston

On May 18th, I will be presenting on detection in depth at the CMH ISSA Summit. I look forward to a good discussion of the ideals, organizational needs, and maturity models. Given all of the focus on re-allocating resources from “prevention only” strategies to an equal spread across the core values of prevention, detection and response, this is likely to be a useful discussion to many organizations.

Come ready with good questions. I will also be available throughout the Summit for break-out discussions, one-on-ones, and small team meetings. Please reach out via email, phone or Twitter to schedule a sit down. Otherwise, feel free to approach me in the halls and we can have an ad-hoc discussion if you want to learn more about specific detection in depth approaches.

I speak on Friday, May 18th at 11:15 am. I hope to see you there!

Information Security Is More Than Prevention

Posted on March 23, 2012 by Brent Huston

One of the biggest signs that an organization’s information security program is immature is when they have an obsessive focus on prevention and they equate it specifically with security.

The big signs of this issue are knee-jerk reactions to vulnerabilities, a never-ending set of emergency patching situations and continual fire-fighting mode of reactions to “incidents”. The security team (or usually the IT team) is overworked, under-communicates, is highly stressed, and lacks both resources and tools to adequately mature the process. Rarely does the security folks actually LIKE this environment, since it feeds their inner super hero complex.

However, time and time again, organizations that balance prevention efforts with rational detection and practiced, effective response programs perform better against today’s threats. Evidence from vendor reports like Verizon DBIR/Ponemon, law enforcement data, DHS studies, etc. have all supported that balanced program work much better. The current state of the threat easily demonstrates that you can’t prevent everything. Accidents and incidents do happen.

When bad things do come knocking, no matter how much you have patched and scanned, it’s the preparation you have done that matters. It’s whether or not you have additional controls like enclaving in place. Do you have visibility at various layers for detection in depth? Does your team know how to investigate, isolate and mitigate the threats? Will they do so in a timely manner that reduces the impact of the attacker or will they panic, knee-jerk their way through the process, often stumbling and leaving behind footholds of the attacker?

How you perform in the future is largely up to you and your team. Raise your vision, embrace a balanced approach to security and step back from fighting fires. It’s a much nicer view from here.

The Detection in Depth Focus Model & Example

Posted on November 16, 2011 by Brent Huston

Furthering the discussion on how detection in depth works, here is an example that folks have been asking me to demonstrate. This is a diagram that shows an asset , in this case PII in a database that is accessed via a PHP web application. The diagram shows the various controls around detection in place to protect the data at the various focus levels for detection. As explained in the maturity model post before, the closer the detection control is to the asset, the higher the signal to noise ratio it should be and the higher the relevance o the data should be to the asset being protected (Huston’s Postulate).

Hopefully, this diagram helps folks see a working example of how detection in depth can be done and why it is not only important, but increasingly needed if we are going to turn the tide on cyber-crime.

As always, thanks for reading and feel free to engage with ideas in comments or seek me out on Twitter (@lbhuston) and let me know what you think.

Detection in Depth Maturity Model

Posted on November 14, 2011 by Brent Huston

I have been discussing the idea of doing detection depth pretty heavily lately. One of the biggest questions I have been getting is about maturity of detection efforts and the effectiveness of various types of controls. Here is a quick diagram I have created to help discuss the various tools and where they fit into the framework of detection capability versus maturity/effectiveness.

The simple truth is this, the higher the signal to noise ratio a detection initiative has, the better the chance of catching the bad event. Detections layered together into various spots work better than single layer controls. In most cases, the closer you get to an asset, the more nuanced and focus (also higher signal to noise ratio) the detection mechanisms should become.

That is, for example – a tool like a script detecting new files with “base64decode()” in them on a web server is much higher signal than a generic IDS at the perimeter capturing packets and parsing them against heuristics.

When the close controls fire an alert, there better be a clear and present danger. When the distant controls alert, there is likely to be more and more noise as the controls gain distance from the asset. Technology, detection focus and configuration also matter A LOT.

All of that said, detection only works if you can actually DO something with the data. Alarms that fire and nothing happens are pretty much useless tools. Response is what makes detection in depth a worthwhile, and necessary, investment.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Detection in Depth