Thursday, January 26, 2012
I find it interesting how most clients ask me to help them write reports or alerts to monitor their enterprises for various threats. This is, of course, to be expected in my line of work. What I often ask them is "What vectors into (and out of) the enterprise are you concerned with, and which do you want to monitor for?" Clients often find this to be a surprising question, but when you think about it, it isn't really all that surprising. The most advanced analytic, the fanciest report, or the coolest detection technique isn't worth much if it isn't relevant to the enterprise it's being applied to, right? It's important to conceptualize and understand what it is you'd like to monitor for based on the vectors into (and out of) the enterprise you're concerned with. Once that is done, implementing those concepts is usually fairly straightforward. That's all well and good, but what if you don't know what vectors you ought to be concerned with? To that, I say, know your network! Study and analyze the data transiting the network and let it guide you towards an understanding of the vectors you might want to concern yourself with.
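As an added example (not code from the original post), here is the kind of first pass at "know your network" this post points at: aggregate flow records crossing the perimeter into a small set of (direction, protocol, destination port) vectors, then subtract the ones you have already decided to monitor. What is left is the list of vectors you have not made a decision about yet. The CSV layout, the 10.0.0.0/8 enterprise range, the sample flows and the EXPECTED set are all assumptions constructed for the example; the column names mimic a NetFlow/IPFIX or SiLK-style export but are not tied to any particular tool.

```python
"""Inventory the traffic vectors into and out of a network from flow records.

Added example, not the post's own code. It assumes flow records in a simple
CSV layout (sIP,dIP,sPort,dPort,proto,bytes), similar to a NetFlow/IPFIX or
SiLK export, and that 10.0.0.0/8 is the monitored enterprise. The sample
flows below are constructed for the example, not real traffic.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the enterprise range

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """\
sIP,dIP,sPort,dPort,proto,bytes
10.1.2.3,203.0.113.10,51234,443,6,8200
10.1.2.4,203.0.113.10,51235,443,6,9100
10.1.2.3,198.51.100.7,51236,80,6,1500
10.1.9.9,192.0.2.53,40000,53,17,120
10.1.2.3,192.0.2.53,40001,53,17,130
10.1.7.7,203.0.113.99,51300,6667,6,400
10.1.7.7,203.0.113.99,51301,6667,6,380
198.51.100.20,10.1.0.5,44000,22,6,3000
198.51.100.21,10.1.0.5,44001,22,6,3200
203.0.113.50,10.1.0.8,44002,3389,6,20000
10.1.2.3,10.1.2.4,52000,445,6,900
"""

PROTO = {6: "tcp", 17: "udp", 1: "icmp"}


def classify(sip, dip):
    """Return 'outbound', 'inbound', or None for traffic that does not cross
    the perimeter (internal-to-internal, or external-to-external)."""
    s_in = ipaddress.ip_address(sip) in INTERNAL
    d_in = ipaddress.ip_address(dip) in INTERNAL
    if s_in and not d_in:
        return "outbound"
    if d_in and not s_in:
        return "inbound"
    return None


def summarize_vectors(flow_csv):
    """Aggregate perimeter-crossing flows into (direction, proto, dport) vectors.

    Each vector records flow count, total bytes and the set of internal hosts
    involved, so a vector used by a single host stands out from one used by many.
    """
    vectors = defaultdict(lambda: {"flows": 0, "bytes": 0, "internal_hosts": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        direction = classify(row["sIP"], row["dIP"])
        if direction is None:
            continue  # not a vector into or out of the enterprise
        proto = PROTO.get(int(row["proto"]), row["proto"])
        key = (direction, proto, int(row["dPort"]))
        v = vectors[key]
        v["flows"] += 1
        v["bytes"] += int(row["bytes"])
        internal_host = row["sIP"] if direction == "outbound" else row["dIP"]
        v["internal_hosts"].add(internal_host)
    return dict(vectors)


def unexpected_vectors(vectors, expected):
    """Return the vectors not in the analyst's expected set, largest by bytes first.

    `expected` holds the vectors you already know about and monitor; the
    remainder is what you have not yet made a decision about.
    """
    leftovers = {k: v for k, v in vectors.items() if k not in expected}
    return sorted(leftovers, key=lambda k: leftovers[k]["bytes"], reverse=True)


# Assumption: the vectors this hypothetical enterprise already monitors.
EXPECTED = {
    ("outbound", "tcp", 443),
    ("outbound", "tcp", 80),
    ("outbound", "udp", 53),
    ("inbound", "tcp", 22),
}

if __name__ == "__main__":
    vecs = summarize_vectors(SAMPLE_FLOWS)
    for (direction, proto, port), v in sorted(vecs.items()):
        print(f"{direction:8} {proto}/{port:<5} flows={v['flows']:<3} "
              f"bytes={v['bytes']:<6} hosts={len(v['internal_hosts'])}")
    print("unexpected:", unexpected_vectors(vecs, EXPECTED))
```

On the constructed sample this yields six perimeter vectors (the internal SMB flow is dropped) and two leftovers: inbound tcp/3389 to one host and outbound tcp/6667 from one host. Neither is a finding by itself; the point is that each becomes a vector you now have to explicitly decide to monitor, block, or accept, rather than one you never knew about.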
Wednesday, January 11, 2012
Boiling the ocean is one of my favorite phrases. As the phrase connotes, boiling the ocean is a process that will likely never converge to success, nor end. I am reminded of this phrase as I attend FloCon this week. The vast majority of people I work with professionally understand the need to make compromises and accept some imperfections in order to make progress operationally. In my experience, operational progress, though often imperfect, still leads to improved network security monitoring and security operations in far more cases than taking a "boil the ocean" approach. In other words, an 80% solution at least gets you 80% of what you want and need, while waiting for everything to be 100% perfect will always get you nowhere. There are a few in attendance at FloCon on whom the compromises that operational personnel must make are lost. I can't think of a way to show them the other side, other than to put them in an operational environment for a year (or perhaps longer)....
Tuesday, January 10, 2012
I am at FloCon this week and enjoying the conference tremendously. I always enjoy FloCon, as it's a unique opportunity to catch up with peers in the community. It's also a great place to learn about different techniques and methods that people are using to analyze network security data. There was a presentation this morning from US-CERT that discussed some interesting analytical work US-CERT is currently doing. The presentation described some of the architecture, systems, processes, and procedures that US-CERT is using to perform analysis of various types of data. The presentation was interesting, but it made me ask the question, "and then what?" All that analysis is great, but at the end of the day practitioners (like myself) need actionable intelligence and information that we can use to defend the networks we are responsible for. Unfortunately, we're not getting much in the way of actionable information and intelligence from US-CERT. As our national CERT, this is disappointing. My intention here is not to pick on or harass the analysts who work hard in service of our nation day in and day out. Rather, I'm hoping that the leadership in our government, and particularly the leadership within DHS, will get a clue sometime soon. If I had a minute with the leadership I would ask them why they can't find some way to cut through the bureaucratic red tape and share information with a nation (and world) so desperate for it. After all, the security of our nation's most critical infrastructure depends on it, right? Analysis is great, but I am reminded this morning that analysis is not for analysis' sake. Analysis should serve some productive end, namely producing actionable information and intelligence for those who so desperately need it. Come on DHS -- get with the program.