Tuesday, December 3, 2013

Offense and Defense in your Infosec Department

It is now generally accepted that our job as infosec professionals is not to prevent compromise but to defend against it and operate in a compromised environment.  With that understanding the DFIR/infosec operations staff are the front lines of information security.

The operations team could be thought of as a sports team.  They need the right equipment, but nothing takes the place of practice.  And to practice you need a good practice squad.

Most large infosec departments have the staff to do this.  We have staff skilled in evaluating the security of products and tools.  Unfortunately, this body of staff is primarily focused on the acquisition side of infosec.

To fix this, lets switch things up a bit.  We probably already have 3 teams in infosec:

  1. Operations - DFIR responsibilities (they'll be the blue team)
  2. Engineering - Risk and Compliance responsibilities (they'll be the red team)
  3. Architecture - Stategic vision (they'll be the white team)
In this model, operation's primary role is to prevent, identify and remediate incidents.  Their secondary role is to generate high-level security needs and provide them to Architecture for implementation.

Engineering's primary role is to validate that security requirements are appropriate implemented in a product's design and to assess the risk of those not implemented.  Their secondary role, however, is to attack Operations.  Because their skill set should be the ability to identify security vulnerabilities, a measurable amount of their time should be used attacking the internal network.  

In this way, we pit operations against engineering in friendly blue vs red battle.  Both teams benefit from the continuous training and the enterprise information system benefits from the identification of security weaknesses that can be remediated.  If you play both offense and defense on your home network, when attackers come to your turf, they shouldn't stand a chance.
Architecture plays the final role.  Their primary role is to help translate Operations' needs into requirements and then into designs.  They also play the white cell role, providing an unbiased referee for the competition between Engineering and Operations.

In this way, we keep the task of operationally defending the network forefront in everyone's mind.  We also make sure that the security we build is truly derived from operational needs rather than 'gut feelings' about what should be bought.  We merge operations and acquisition into a single process without adding any additional organizations.  And because of it, everyone benefits.

Sunday, December 1, 2013

Unflattening a Flat Network – Adventures in Network Segmentation

In October I had the honor of speaking at the Lancope Vision conference about my experience in network segmentation.  I have spent the last few months establishing a program to segment a very large network.  It is based heavily on netflow and algorithmic identification of where enclaves should be.  I have finally cleaned up the slides for publishing.  Please read the notes along with each slide as they will be hard to understand otherwise.

(EDIT: Video of the talk can be found at http://vimeo.com/78941693)

Since giving the talk, I have done additional work.  I am currently working on other methods for cluster creation as well as identifying the interactions between clusters to help identify groupings of hosts.  This all also eventually leads to algorithmic profiling of a network, predominantly the legitimate usage.  The profiling algorithms could then easily be run against packet captures of malicious network traffic and new traffic compare to both the legitimate and malicious profiles to identify malice on a network.  This work is still ongoing.