
Vulnerabilities / Threats
4/28/2015 11:00 AM
Rick Gordon
Commentary

Note To Vendors: CISOs Don’t Want Your Analytical Tools

What they need are solutions that deliver prioritized recommendations and confidence in the analytical rigor behind those recommendations to take meaningful action.

In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of the security industry’s traditional ‘Prevent, Detect and Respond’ strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy that is focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a more sound approach.

In his piece, Anup correctly indicts the purveyors of detection tools, who:

[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with.

Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required.

As the industry and our customers move forward toward identification and control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.

Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premises tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, those customers won’t be happy with their results.

Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures? So at least they won’t be angry and disappointed.

At the end of the day, I believe that even large company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to confidently take meaningful action.

To us and other venture capitalists who are funding cybersecurity startups, the winners are going to be companies with solutions that invert the analytical process: providing prioritized actions based on rigorous analysis and shared intelligence, and walking customers backwards through the analysis only if they care. Using machines rather than people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models that enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital make the most sense.

At Mach37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for identification and control. We believe these solutions will allow us to avoid the mistakes of the detection vendors, finally getting it right this time.

Rick Gordon is an expert on security technology, business strategy, and early-stage venture development. He currently serves as Managing Partner of Mach37, a cyber security market-centric accelerator developed by the Virginia Center for Innovative Technology. MACH37 ...
Comments
TedR220
User Rank: Apprentice
5/4/2015 | 11:43:39 AM
What if the needle isn't there?
Rick, great article and spot on. My issue with most of the Big Data Analytic solutions is their dependence on logs and alerts. Malware and malicious insiders are becoming increasingly good at NOT generating log entries, and obfuscating their actions. What this means is it doesn't matter how good a haystack puller you have, if the needles aren't there, you won't find anything. We need solutions that detect malicious behaviors in real-time even when there are no log entries.
gregtennant
User Rank: Apprentice
4/29/2015 | 10:33:55 AM
Could Not Agree More
You are spot on Sir.

I would add that containment security can no longer be an emergency response plan or have utter absence from the IT security vocabulary. I have been writing about containment for over two years so it is great to find people that actually get it and care about it.

There are two types of containment approaches. 1) Spot or Surgical Containment - which is dependent on SIEM functionality to enable a containment action (note this approach is only as good as the data loaded in the SIEM). 2) Structural - which relies on physical or virtual end-to-end segmentation of the networks to eliminate shared routing and security elements that can be exploited for breach propagation. Quite frankly both are required and they are harmonious if implemented correctly.

When I was at Cybera we pioneered containment through virtual application networks (SDN WANs) and had over 70,000 sites implemented globally with companies like Shell, Verifone, ExxonMobil and Little Caesars. I have yet to see a viable structural containment solution on the market besides Cybera's.

If you want to read more about containment security see my blog at containmentsecurity . net
mseward57
User Rank: Apprentice
4/28/2015 | 8:32:27 PM
Let’s not get lost in the semantics
Containment (post-initial compromise and prior to data exfiltration) is just about the only thing all of us should be focused on. Those that think they can Prevent attacks believe the hype from perimeter security solution vendors who are still selling security products built on top of constructs from the 1990s. There will be no silver bullet solution due to an ever expanding attack surface, the creativity of the attacker, and human IT services users that will always click on something, surf to a bad website and download malicious code.
Containment means we (finally) acknowledge that attackers know we all have the basic stuff at the perimeter and what they want is to hack a human for credentials or have malware do it for them. In many organizations this is a fundamental disconnect. I don't think anyone can say that businesses have any real strategy for detecting attackers that leverage stolen valid user credentials.
The key is to be able to have a system that understands and learns what credential activities and access characteristics are normal for all of an organization's users, peel all that away and see what's left. This leads to the identification of compromised user accounts. With this visibility we can draw conclusions about what assets have been compromised before the data walks out the door. There were a few of these user behavior intelligence solutions on exhibit at RSA.
RyanSepe
User Rank: Ninja
4/28/2015 | 1:35:57 PM
Re: Spare Us the Sales Hype
When it comes down to it any informed individual understands that there is no silver bullet. With these solutions however there needs to be a cost model for implementing security safeguards and the value cannot outweigh business values such as revenue, etc. As much as we instill value into the business side of organizations we need to acknowledge and understand their justifications as well. If business generation becomes unsustainable due to cost of implemented solutions, then security will indefinitely take a step backwards as the business goes under. As stated, many smaller organizations do not have the financial backing to implement a comprehensive security solution so they take the best-of-breed approach, which, although optimal, will not yield the best results.

Education is a huge need as it's inexpensive and it's not as prevalent as it should be. This is a great point as education can help alleviate some of the pitfalls from a light security blueprint.
hackdefense
User Rank: Apprentice
4/28/2015 | 12:56:08 PM
What's wrong with "Response"?
One could argue that "Containment, Identification and Control" are all part of "Response," or even take a more nuanced view and say that it's just an extension of Prevent-Detect-Respond.

IMHO, the issue isn't that Bruce Schneier's description of the process of security is wrong, it's simply that HOW we Prevent, Detect and Respond have evolved with better tools over the last 15 years (thanks, in part, to better vendor tools - an opposite conclusion of this article). One could argue Containment is a form of Prevention, such as through virtual segmentation and other layer 2-7 adaptive security measures not available 15 years ago. Identification is a form of Detection - while some companies may struggle with traditional SIEM-in-a-SOC approaches, there are many that have excellent SIEM deployments including layering on machine learning anomaly detection, sandbox technologies, and data recording/analysis. Lastly, Control is just another part of Response, towards the tail end of the typical IR cycle.

I'd like to see a matrix of benefits of both approaches. I think the heavy overlap will show that there's nothing wrong with the original Process of Security. From Bruce in 2000: https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html

RetiredUser
User Rank: Ninja
4/28/2015 | 12:23:24 PM
Spare Us the Sales Hype
In addition to methodology, the Security industry needs to be rid of the software outfits that are all hype. As anyone who has sat in front of a pentesting GNU/Linux distro knows, no one tool does it all. What you need are experienced programmers/hackers/techs who understand how to address each ecosystem and the context of potential or actual intrusion events, review the data, select the tools required for each situation/ecosystem/device, and implement an evolving strategy. But unfortunately, many of those disillusioned business owners are also victims of sales hype, having purchased software solutions that don't offer evolving strategy, don't offer people with experience, and claim or suggest they have "the" fixall solution. We need more education out there as to what Information Security is and how to do it properly.