1. Inventory of authorized and unauthorized devices.
2. Inventory of authorized and unauthorized software.

These two controls state that you should know everything about all the devices connected to your network (i.e., what they are, where they are, etc.) and the entire catalog of software resident on these devices (i.e., operating systems, revision levels, patches, applications, etc.). Since these things are in a constant state of change, you need to have some type of automated tools to detect and react to new or changing assets as soon as possible.

File this requirement under the old axiom, “you can’t manage what you can’t measure.” That said, think about how difficult it is to enforce these two controls. Employees are bringing mobile devices to work and demanding network access. Virtual desktops and servers are easy to provision, deploy, and change while physical device changes are now automated to keep up all this other activity. What about software? Employees are constantly accessing social networks or downloading the latest viral application.

While these issues are extremely challenging, the SANS 20 Critical Security Controls document contains great advice on implementing and automating each control. Here are a few of my thoughts based upon the SANS recommendation and my personal experience:

• Security processes and tools need to be integrated with other activities around asset, change, and configuration management. For example, lots of organizations use CMDBs to capture this information but many security tools don’t integrate with CMDBs and lots of security professionals have no exposure to CMDBs or IT frameworks like ITIL and COBIT. These systemic and technology issues need to be addressed up front to avoid visibility gaps or redundant processes.
• To ensure that only approved devices gain access to the network, SANS recommends the use of 802.1X. This brought me back to 2007 when I worked with several organizations (Identity Engines, Aruba Networks, Symantec, etc.) to establish an Open Source 802.1X supplicant, but few networking or endpoint vendors highlight 802.1X in their products. This has to change – 802.1X (or some other type of device authentication) should be part of the default configuration of physical and virtual devices.
• If 802.1X does happen, large organizations will need a new type of network identity server beyond basic RADIUS. My friends at Identity Engines nailed this concept until some ill-informed VC fat cat pulled the plug on the company (note: The technology was acquired by Nortel and now thrives at Avaya). Cisco’s Identity Services Engine is perfect for this growing requirement.
• Browser virtualization/sandboxing is also a growing requirement. I know there are lots of technologies but Check Point offers a great solution here.
• I know white listing/black listing is a pain but this has to be part of a full-featured solution. Grey listing is also important for those fringe use cases. When an unknown application shows up, it has to automatically trigger some kind of approval cycle, sandboxing, or other policies and controls.
• Why isn’t the private sector embracing the U.S. Federal government’s Secure Content Automation Protocol (SCAP) or something similar. Device security vendors like McAfee, Symantec, and Trend Micro should come together, line up behind SCAP, and push it to their customers.
• Look for virtualization to be used more extensively for security purposes, such as virtualized desktops with specific applications/workloads that run in a container.

You can read Jon’s other blog entries at Insecure About Security.

via Confusion over APT attacks leads to misguided security effort.

What’s missing? Granular detail about the network: network behavior, payload analysis, packet analysis, application-layer analysis, network performance, etc. from layers 2 through 7 of the OSI stack. Here are a few data points from the report which lead me to this conclusion:

1. 68% of organizations depend upon network management tools to determine if they are experiencing a cyber attack. The next closest response was “log file analysis” at 51%.
2. Of those organizations that have created or modified security processes in response to APTs, 52% have, “improved network traffic monitoring for attack patterns or other anomalous behavior.”
3. Of those organizations that have purchased new security technologies in response to APTs, 42% purchased network behavior monitoring technologies.

This and other data in the report tell me that large organizations really aren’t sure about what’s going on in their network. This impacts business operations AND leaves them vulnerable to attack–a lose-lose if there ever was one.

I have several thoughts about what this means:

1. Cisco is in a very good position to help address the network visibility problem since it owns most of the network. As such, it should investing heavily in network monitoring technologies for security as well as performance.
2. If anyone still needed a reason why RSA purchased NetWitness, here it is.
3. Look for the security industry to pay far closer attention to open source network monitoring tools like Suricata, HTTPry, and Sguil.
4. There is a huge data problem on the horizon and enterprises need to capture, normalize, and store terabytes of data while simultaneously analyzing this data in real-time. SQL databases are no longer a fit here.
5. Network monitoring pure-plays like Compuware, ManageEngine, NetScout, NetQoS, Net Optics, and Quest are missing a big opportunity if they don’t look long and hard at a network security monitoring play.
6. Monitoring is just the tip of the iceberg. With better data and analytics, CISOs can take automated actions to enforce granular policies. More on this soon.

Read more of Jon’s blog entries at Insecure About Security.

via Assessing the APT threat – Network World.

via Survey: Three Of Four Companies Say They’re ‘Likely’ To Be Hit By Cyber Attack … Again – Network Computing.

In my last blog, I presented some research from the report showing that security professionals tend to think of APTs as a unique type of threat–not just a marketing term. Okay, so APTs are unique, but are they dangerous? To find the answer, ESG asked 244 security professionals working at U.S.-based enterprise (i.e., more than 1,000 employees) the following question:

As a security professional, how concerned are you about APTs and the impact that APT attacks could have on vital interests such as national security and the economy?

Thirty-eight percent of security professionals were “very concerned,” 55% were “concerned,” and 7% were “neutral.” Not one security professional was not concerned.

As part of this report, ESG also created a taxonomy where we segmented enterprises by how prepared they were for APTs. Interestingly, 65% of security professionals working at organizations “most prepared for APTs” were “very concerned” while 35% were “concerned” about the potential impact of APT attacks on U.S. vital interests. In other words, security professionals with the most experience with APTs were also the most concerned.

I agree that the technology industry has co-opted and watered down the term APT. That said, security professionals who were presented with the NIST definition of APT voiced real concern about how damaging cyber attacks could be to our country. This data is therefore consistent with a statement made by FBI official Steven Chabinsky when he said, “The cyber threat can be an existential threat–meaning it can challenge our country’s very existence or significantly alter our nation’s potential.” If Chabinsky’s statement, combined with ESG’s data, doesn’t wake up non-believers in corporate boardrooms and Washington, nothing will.

Read more of Jon’s blog entries at Insecure About Security.

via Advanced Threats Touch Two-Thirds Of Enterprises – Informationweek.

via Almost 6 in 10 U.S. enterprises believe they have been targeted by attacks seeking sensitive data – eChannelLine USA.

http://www.enterprisestrategygroup.com/2011/11/apt/

When we started this project, there was a fair amount of debate about APTs. Was this type of attack real and unique? Or were “APTs” nothing more than a marketing term to add an alarming label to pedestrian types of cyber attacks? One of my contacts in Washington told me that many senators were actually dismissing APTs as hype created by the “cyber industrial complex.”

To find out whether APTs were indeed real, ESG surveyed 244 enterprise security professionals. Survey respondents were provided with the NIST definition of APTs and were then asked a number of questions about APTs with this definition as a baseline. ESG only surveyed security professionals familiar with APTs and had security management authority at their organizations.

So is APT just a marketing term? Not according to those with the most knowledge about cyber security. Half of the security professionals surveyed believe that APTs are a unique type of threat, while 48% believed that they are “somewhat unique” but share some similarities with past attacks (only 2% said APTs are not unique).

Alarmingly, 85% of organizations, “most prepared for APTs,” said that APTs are a unique type of threat. This is consistent with several conversations I’ve had with CISOs: most said that they didn’t think that APTs were anything new until they were attacked. As they watched APT attacks unfold, they were blown away by how they adapted, moved around the network, rooted themselves in systems, and used sophisticated (and often homegrown) innovation to fool security tools and remain stealthy.

If organizations possessing the most experience with APTs believe they represent a unique type of threat, shouldn’t we pay attention?

Read more of Jon’s blog entries at Insecure About Security.

via ‘Advanced persistent threat’ concerns boosting security budgets – Network World