Business of Security Webcast Featuring Brent Huston: December 7

Join the Business of Security to hear from Brent Huston, recent winner of the (ISC)2 Information Security Leadership Award, who will lay out the need for and principles of performing detection in depth. Brent, CEO and Security Evangelist of MicroSolved, will share the research and hands-on experience behind his approach to detecting threats against your most precious assets.

When: Wednesday, December 7th, Noon Eastern
Where: GoToWebinar
Cost: Complimentary
Register to attend live, or to receive the event archive information for on-demand viewing, at: http://www.businessofsecurity.com/

You’ll learn:

  • Huston’s postulate and why location matters
  • The detection in depth maturity model
  • The detection in depth focus model
  • Tools and approaches for doing detection in depth

Brent’s contribution to the community was recognized by (ISC)2 for employing the HoneyPoint Internet Threat Monitoring Environment (HITME) to alert critical infrastructure organizations whose machines are compromised. MSI provides pro-bono services to help them to mitigate the compromise and manage the threat.

Earn (1) CPE Group A credit for the CISSP and SSCP: This event meets the criteria for a Continuing Professional Education (CPE) activity for the Information Security and Risk Management domain.

MSI Strategy & Tactics Talk Ep. 15: Information Security for Credit Unions

Credit Unions have become popular over the past few weeks as societal trends have placed greater pressure on bank policies. What’s the scoop on Credit Unions and information security? Take a listen! Discussion topics include:

  • Supporting the Credit Union swap through infosec
  • The “hacktivist” group Anonymous and “Dump Your Bank Day”
  • Is infosec strong at Credit Unions?
  • Our approach to testing Credit Unions and banking apps

Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

The Detection in Depth Focus Model & Example

Furthering the discussion on how detection in depth works, here is an example that folks have been asking me to demonstrate. This is a diagram that shows an asset, in this case PII in a database that is accessed via a PHP web application. The diagram shows the various detection controls in place to protect the data at each focus level. As explained in the maturity model post before, the closer a detection control sits to the asset, the higher its signal to noise ratio should be and the more relevant its data should be to the asset being protected (Huston’s Postulate).

Hopefully, this diagram helps folks see a working example of how detection in depth can be done and why it is not only important, but increasingly needed if we are going to turn the tide on cyber-crime.
 
As always, thanks for reading and feel free to engage with ideas in comments or seek me out on Twitter (@lbhuston) and let me know what you think. 

Detection in Depth Maturity Model

I have been discussing the idea of doing detection in depth pretty heavily lately. One of the biggest questions I have been getting is about the maturity of detection efforts and the effectiveness of various types of controls. Here is a quick diagram I have created to help discuss the various tools and where they fit into the framework of detection capability versus maturity/effectiveness.

The simple truth is this: the higher the signal to noise ratio a detection initiative has, the better the chance of catching the bad event. Detections layered together at various spots work better than single-layer controls. In most cases, the closer you get to an asset, the more nuanced and focused (and therefore higher signal to noise) the detection mechanisms should become.

For example, a script that detects new files containing “base64_decode()” on a web server is a much higher-signal control than a generic IDS at the perimeter capturing packets and parsing them against heuristics.

When the close controls fire an alert, there had better be a clear and present danger. When the distant controls alert, there is likely to be more and more noise as the controls gain distance from the asset. Technology, detection focus and configuration also matter A LOT.

All of that said, detection only works if you can actually DO something with the data. Alarms that fire with nothing happening afterward are pretty much useless tools. Response is what makes detection in depth a worthwhile, and necessary, investment.
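As an added illustration of the “close to the asset” control described above (a script that flags new files containing base64_decode() on a web server, the same control that sits next to the PHP web application in the focus model example), here is a small baseline-and-scan detector in Python. This is example code written for this page, not MicroSolved’s or HoneyPoint’s tooling; the web root, the sample PHP files and the marker patterns beyond base64_decode( are constructed assumptions.

```python
"""Near-asset detection: alert on files under a web root that are new or
modified since the deploy-time baseline AND contain an obfuscation marker.

Example code written for this page (not MicroSolved's or HoneyPoint's tooling).
The web root, the sample PHP files and the marker list are constructed for
the demo; tune the markers to your own application's code base.
"""
import hashlib
import os
import re
import tempfile

# base64_decode( is the marker named in the post; eval( and gzinflate( are
# common companions in dropped webshells (assumption, adjust as needed).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"base64_decode\s*\("),
    re.compile(rb"\beval\s*\("),
    re.compile(rb"gzinflate\s*\("),
]


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 of every file under root; take it at deploy time."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def scan(root, baseline, patterns=SUSPICIOUS_PATTERNS):
    """Return sorted (relative path, 'new'|'modified', matched marker) tuples.

    Files whose hash is unchanged since the baseline are skipped entirely, so the
    application's own legitimate base64_decode() calls never raise an alert:
    that is what keeps the signal-to-noise ratio high for this control.
    """
    findings = []
    for rel, digest in build_baseline(root).items():
        if baseline.get(rel) == digest:
            continue
        reason = "new" if rel not in baseline else "modified"
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        for pat in patterns:
            m = pat.search(data)
            if m:
                findings.append((rel, reason, m.group(0).decode("latin-1")))
                break  # one alert per file is enough
    return sorted(findings)


def demo():
    """Constructed scenario: deploy, baseline, then simulate an intrusion."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "lib"))
    # Legitimate code using base64_decode(): present at baseline, never alerted on.
    with open(os.path.join(root, "lib", "auth.php"), "w") as f:
        f.write("<?php $tok = base64_decode($_COOKIE['t']); ?>")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>")
    baseline = build_baseline(root)
    # After deploy: attacker drops a webshell and backdoors an existing page.
    with open(os.path.join(root, "uploads_x.php"), "w") as f:
        f.write("<?php eval(base64_decode($_POST['c'])); ?>")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("<?php eval($_GET['x']); ?>")
    return scan(root, baseline)


if __name__ == "__main__":
    for rel, reason, marker in demo():
        print(f"ALERT: {reason} file {rel} contains {marker}")
```

The baseline is what makes this high signal: the application’s own base64_decode() in lib/auth.php is never reported because its hash has not changed, while the dropped webshell and the backdoored index.php both fire. In production you would store the baseline outside the web root (an attacker who can write to the web root can also edit a baseline kept there), run the scan from cron or an inotify watcher, and feed the alerts to whoever is responsible for response.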

How To Increase Cooperation Between SCADA/ICS and the IT Department

Here is a mind map of a set of ideas for increasing the cooperation, coordination and socialization between the ICS/SCADA operations team and their traditional IT counterparts. Last week, at the Ohio SCADA Security Symposium this was identified as a common concern for organizations. As such, we wanted to provide a few ideas to consider in this area. Let us know in the comments or on twitter if you have any additional ideas and we’ll get them added to a future version of the mind map. Click here to download the PDF.

Control Valuable Data By Using Maps

As the battle rages, attackers look for every angle they can leverage in order to access your data. Our team has spent countless hours discussing the importance of identifying what ‘valuable data’ means (it is NOT the same for everyone), learning where that data lives, and understanding how it is accessed. Data flow mapping provides a useful tool that helps illustrate how data moves through any given process or system. When approaching this project in the field, we often see how compartmentalized our business processes are: each person, department, and/or unit knows a little about the target system/process, but when we take an in-depth look, rarely does anyone understand it thoroughly! While this presents a challenge to any organization, the payoff can be priceless, especially in the case of a breach!

These maps are not only helpful to a new employee; but can also explain the system/process to an auditor or regulatory authority in a fraction of the time, and more thoroughly than most employees can. Realizing how our data is handled is vital to the next stage in protecting the data as the battlefield continually changes!

We have to focus on wrapping better controls around our valuable data. Don’t be discouraged by the challenge ahead. Instead, embrace the opportunity to help change the way the world thinks about Information Security! Nothing worth doing is ever easy, and applying this strategy to your environment won’t be either. But as we repeat the process over each facet of our organizations we become more efficient. After all, practice makes perfect!

The graphic below is what the finished product looks like. Yours will look entirely different, no doubt! Don’t focus on this map or this process, but on the underlying principle instead. By combining this with a network map, trust map, and surface map, we can create a comprehensive mechanism to provide useful, accurate intelligence that is easily parsed and processed on demand.

Why a Data Flow Map Will Make Your Life Easier

It’s impossible to protect everything in your environment if you don’t know what’s there. All system components and their dependencies need to be identified. This isn’t a mere inventory listing. Adding the dependencies and trust relationships is where the effort pays off.

This information is useful in many ways:

  • If Server A is compromised incident responders can quickly assess what other components may have been affected by reviewing its trust relationships
  • Having a clear depiction of component dependencies eases the re-architecture process allowing for faster, more efficient upgrades
  • Creating a physical map in accordance with data flow and trust relationships ensures that components are not forgotten
  • Categorizing system functions eases the enclaving process

Don’t know where to start? It’s usually easiest to map one business process at a time. This enables everyone to better understand the current environment and data operations. Once the maps are completed they must be updated periodically to reflect changes in the environment.

Click here to see an example of a Data Flow Map. The more you know, the better prepared you can be!
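To make the four uses listed above concrete, here is a data flow and trust map expressed as a small graph that incident responders and architects can query, written in Python. This is an added example for this page, not MicroSolved’s map or tooling; the hosts, flows, credentials and function tags are constructed.

```python
"""A data flow / trust map as a queryable graph.

Example code written for this page, not MicroSolved's map or tooling. The hosts,
flows, credentials and function tags below are constructed to illustrate the
four uses listed above (blast radius, dependencies, completeness, enclaving).
"""
from collections import defaultdict, deque

# Function tag per component: the basis for enclaving. mon01 is deliberately
# absent from FLOWS to show the completeness check.
HOSTS = {
    "admin-jump": "admin", "web01": "web", "app01": "app", "db01": "data",
    "ldap01": "identity", "backup01": "backup", "offsite": "backup",
    "mon01": "monitoring",
}

# Flows: (source, destination, how). Direction is the direction in which the
# source can reach or authenticate to the destination, i.e. the direction an
# attacker who holds the source can move.
FLOWS = [
    ("admin-jump", "web01", "ssh, admin key"),
    ("admin-jump", "db01", "ssh, admin key"),
    ("admin-jump", "ldap01", "ssh, admin key"),
    ("web01", "db01", "mysql, app service account"),
    ("web01", "ldap01", "ldap bind, read-only"),
    ("app01", "db01", "mysql, app service account"),
    ("db01", "backup01", "nfs push, nightly"),
    ("backup01", "offsite", "sftp, push"),
]


def build_graph(flows):
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, dst, how in flows:
        fwd[src].append((dst, how))
        rev[dst].append((src, how))
    return fwd, rev


def _reachable(adj, start):
    """BFS from start; returns {node: [(hop, how), ...]}, one shortest path per node."""
    paths, queue = {start: []}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, how in adj.get(cur, []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [(nxt, how)]
                queue.append(nxt)
    del paths[start]
    return paths


def blast_radius(flows, compromised):
    """Everything a compromised host can reach, with the trust path it would use."""
    fwd, _ = build_graph(flows)
    return _reachable(fwd, compromised)


def possible_origins(flows, victim):
    """Everything that can reach the victim: where to look for the attacker's entry."""
    _, rev = build_graph(flows)
    return _reachable(rev, victim)


def unmapped_components(flows, hosts):
    """Completeness check: inventory hosts in no flow, and flow endpoints not in inventory."""
    in_flows = {h for src, dst, _ in flows for h in (src, dst)}
    return sorted(set(hosts) - in_flows), sorted(in_flows - set(hosts))


def cross_enclave_flows(flows, hosts):
    """Flows that cross a function boundary: the only ones an enclave firewall must allow."""
    return [(s, d, how) for s, d, how in flows if hosts[s] != hosts[d]]


if __name__ == "__main__":
    for host, path in sorted(blast_radius(FLOWS, "web01").items()):
        hops = " -> ".join(f"{h} ({w})" for h, w in path)
        print(f"web01 compromise can reach {host} via {hops}")
    print("db01 could have been reached from:", sorted(possible_origins(FLOWS, "db01")))
    print("inventory gaps (unmapped hosts, unknown endpoints):", unmapped_components(FLOWS, HOSTS))
    for s, d, how in cross_enclave_flows(FLOWS, HOSTS):
        print(f"enclave rule needed: {HOSTS[s]} -> {HOSTS[d]}: {s} -> {d} ({how})")
```

A compromise of web01 reaches db01 and ldap01 directly and backup01 and offsite through the nightly NFS push, but not admin-jump, because trust runs from the jump host outward; that asymmetry is exactly what the map records and an inventory list does not. The same graph run in reverse from db01 gives the responder the three places to look for the attacker’s entry, and the enclave query lists the only flows a firewall between function groups has to permit.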

Apple’s iOS5 and the iCloud: Great Ideas, Huge Security Impact

Wondering how Apple’s iOS5 and the iCloud will affect your life? Check our recent slide deck that tackles some potential challenges as Apple gets ready to roll out their newest creation. In this deck, you’ll learn:

  • What is key
  • iOS5 idealism and reality
  • The good news and bad news
  • What to do and not do

As always, we’re here for discussion. Follow Brent Huston on Twitter to engage even more!

Chaos, Insecurity, and Crime

We recently presented the attached slide deck at an OWASP meeting and it was well-received. In it, you’ll learn:

  • What are the new targets for hackers?
  • The new crimeware model
  • What we’re seeing and what we’re not
  • Thoughts on controls

Feel free to contact us with questions. Follow Brent Huston on Twitter and engage him. He’s more than happy to talk security!

HoneyPoint Maturity Model

Many folks have asked for a quick review of the way HoneyPoint users progress as they grow their confidence in the product suite and in their capability to manage threat data. To help answer those questions, and to give folks a quick way to see how some organizations use HoneyPoint beyond simple scan/probe detection, we put together this quick maturity model to act as a roadmap.

If you are interested in hearing more about a specific set of functions or capabilities, give us a call or drop us a line. We would be happy to walk you through the model or any of the specific items. HoneyPoint users, feel free to engage with support if some of this sparks a new idea for how your organization can deepen your own HoneyPoint use cases. Thanks for reading and stay safe out there!