There are a lot of jokes that start with the phrase, “How many people does it take …” But this post is no joke. I have been taking some heat over my comment that you do not need to know who is attacking you, you only need to focus on what you need to protect. As such, I felt the need to further explain myself.
The first complaint I get is that it is important for security professionals to know the tactics used by the attacker.
So my first question to all of you is, “How many people does it take to analyze attack vectors?”
We have forensic security organizations such as Verizon, Trustwave and Security Metrics that analyze attacks. We have security companies such as IBM/ISS, Symantec, Kaspersky and McAfee that analyze attacks. We have hardware/software vendors such as Checkpoint, Microsoft, Cisco and Palo Alto that analyze attacks. I would venture to say there are hundreds of reliable sources for the analysis of attacks. And yet, I am taken to task that you need to have your own analysis of attacks. These hundreds of other sources just are not enough for you to rely on? Really? If you are doing the correct analysis of your vulnerability scanning and penetration testing reports, your attack vector risks should be known and you should have either patched or developed mitigations for those risks.
And while they might be put together in a slightly different sequence, DDoS is still DDoS and a SQL Injection is still a SQL Injection. The bottom line is that the library of exploits available to an attacker is essentially finite. This is borne out by the statistics that the forensic firms publish year after year. As such, you should be able to monitor for all of these attacks fairly easily because they are all known quantities. Yes, there is the rare Zero-Day that turns up every so often. But, even those can be picked up if you have things configured and implemented properly. If you think about it, unless an attacker is someone who can develop their own exploit code (and 99% do not), they are limited to whatever exploits are available in the public domain of exploits, and that is a known quantity. Take an inventory of what is available in Metasploit or Core Impact at any fixed point in time and you will see what I mean.
Then there is the group that argues that if you do not do analysis of the attacker, you cannot understand why you are being attacked.
So my second question is, “How many people does it take to give you an idea of why you are being attacked?”
This is pretty straightforward to figure out without some extensive and intensive analysis. In 99% of cases, you are being attacked for one or more of the following reasons.
- Your organization has sensitive information such as credit card numbers, bank account numbers, intellectual property or customer information that the attackers want.
- Your organization has produced a product or service that has been perceived to be a safety hazard, overpriced or otherwise detrimental to society.
- Your organization or an employee has publicly taken a stance on some issue(s) that has irritated some group(s) of people.
- Your organization has donated money, time, products or services to an organization viewed by some group(s) of people as questionable.
Read the reports published by the forensic firms. Read the news reports in the media. If you distill down that information, the reasons for attacks break down into these four basic reasons. Yet, security professionals continue to worry about the motivations of the attacker. If you think your attack is unique, you are wasting your time. The likelihood of your attack not being covered by these four primary reasons is slim to none.
I think these complaints just come down to the fact that doing the actual grunt work of security is just not very sexy work. There is no doubt about that fact. Ensuring the security of networks 24x7x365 is very, very monotonous work. And it is that very monotony that is one of the primary reasons why organizations get breached. People get bored with the monotony and they start to cut corners on procedures because, in their view, nothing is going on and, therefore, nothing will go on. Only rotation of people and tasks will address the monotony, but that only works for so long.
This is why security professionals turn to automated tools to minimize reliance on people to flag potential anomalies. Without tools, people get bored very quickly searching for the “needle in the haystack” through all of the data produced by all of the devices on your network. However, even with all of the necessary tools, correlation of information still requires people to bring all of the anomalies recognized by the tools together and determine if all of these anomalies warrant further investigation.
Even with the necessary tools, you are not out of the woods. One of the more common problems that we encounter is that organizations have not completely implemented those tools. How many of you invested in the cool intrusion prevention system and still run it in notification mode? Even then, those organizations that do completely implement the tools do not always keep up with the “care and feeding” of the tools to ensure that the tools recognize the anomalies. The tools are current and up to date, but anomalies are not recognized because the tools are not properly configured and tuned to the organization’s current network configuration. Networks are not the static environments that a lot of people think they are. As a result, either the number of false positives is so high that personnel ignore the flood of alerts generated, or anomalies are just never identified by the tools.
It is not until someone finally recognizes an anomaly as a breach that it finally gets interesting. Then things become very interesting in a hurry. Unfortunately, the statistics from the forensic firms point to the fact that, if an anomaly does get recognized, it is often many months to years down the road from the original compromise.
And that is where security professionals need to get better. If you look at how long it took TJX to recognize their breach (years) versus how long it took Global Payments (months, but still counting), we are headed in the right direction. But when it takes attackers only minutes, hours or even days to get your information, months still do not cut it. We need to get to days or, better yet, minutes. That is the challenge security professionals face and that is where we need to focus our efforts.
The PCI DSS is a good foundation, but the requirements of the PCI DSS are not going to get us to our goal. We must go beyond the PCI DSS to get to our goal and that is a message that the PCI SSC and the card brands have consistently delivered. The PCI DSS is only a security baseline, the ante into the game. If you really want to be the best, you need to take your security game beyond the PCI DSS.
So let us start using the PCI DSS properly. If your organization can execute the requirements of the PCI DSS 24x7x365 at almost 100% compliance, then you are ready to take things to the next level. If you cannot achieve almost 100% compliance, then you need to work with your organization to get to that level. Breaches and data loss are never going to go away, but if all organizations followed this approach, the number of breaches and amount of data lost would significantly drop.