INFORMATION SECURITY
June 2012 • Volume 14 • No. 5
Source: docs.media.bitpipe.com/io_10x/io_103284/item_495000... (posted 2012-06-25)

Breaking Down Barriers
Businesses and government agencies work to overcome obstacles to sharing cyberthreat information.

PLUS: Cloud Security • Application Monitoring

IN THIS ISSUE: Editor's Desk • Perspectives • Scan • Ranum • Share and Share Alike • Tread Carefully • Using SIM for Application Monitoring

EDITOR'S DESK

Of Pipelines, Oracle and SQL Slammer
It's time to de-clutter our collective notebooks. By Michael S. Mimoso

Journalists accumulate piles of notebooks filled mostly with a lot of innocuous stuff. Most of it never makes it to print or online. Unless of course you have to write a column and don't have one thing you want to write about and just want to do what's affectionately known as a notebook dump in journalism circles. Enjoy.

PIPELINES UNDER ATTACK

Earlier this year, I was lucky enough to get a dose of reality regarding SCADA security—or SCADA insecurity as the case may be. At the Kaspersky Security Analyst Summit 2012, Terry McCorkle, a researcher who has a day job with a major U.S. manufacturer, talked about a project he and fellow researcher Billy Rios took on examining the reachability of Human Machine Interfaces (HMI) online. HMI translates SCADA data into a visual representation of an industrial system, essentially building a flowchart of industrial processes. McCorkle and Rios found 95 easily exploitable vulnerabilities on these Windows-based interfaces living online. Attackers exploiting these vulnerabilities could in theory flip switches on pumps, HVAC systems and a lot more, putting anything from IT data centers to prison door systems at risk.

Fast-forward to May, when DHS' Industrial Control Systems (ICS) CERT team issued an alert about an APT-style attack on multiple natural gas pipeline organizations—most of those operating in the private sector. The ICS-CERT alert describes a familiar attack progression: a spear phishing campaign


targeting particular employees leading to malware-based intrusions into these sensitive systems dating all the way back to December. The alert goes on to describe how ICS-CERT is privately sharing information via briefings with pipeline companies on the nature of the attacks and possible mitigations. Very little is being disseminated publicly other than a recommendation to follow defense-in-depth practices and educate users about social engineering and spear phishing.

SCADA security is a joke; McCorkle and Rios have said so, as have many others who dig into these systems. Operators won't take these systems offline to patch them for fear of breaking processes. Also, there aren't very many effective automated patch distribution tools for industrial systems. All of this tends to make one skeptical when you hear saber-rattling about a particular attack. Why did ICS-CERT feel compelled to go public with an alert if it had been talking to the affected parties all along? Is it coincidental that public alerts about months-old attacks just happen to surface as security information-sharing legislation such as CISPA is prominent in the headlines? Who stands to gain and how? Sadly, too many questions, not enough answers.

ARROGANCE AND ORACLE SECURITY: NOT AN OXYMORON

Adobe may have its share of security issues with its flagship products such as Flash and Reader, but at least you can expect a patch for known vulnerabilities. Can't say the same for Oracle. Timeliness ain't Oracle's forte. Neither are complicated security patches. Oracle's response to a zero-day vulnerability in its TNS Listener is laughable at best, arrogant at worst. Not only did the vendor apparently sit on the Oracle vulnerability for four years (that's 1,460 days give or take a leap year or two), but once it got around to an update for the vulnerability in the April Critical Patch Update, it provided a workaround, not a patch. Seems a patch is too hard and won't fix the issue until its next full release. "Such back-porting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions…" Did we mention exploit code has been released? Seems the researcher who reported the bug back during the Bush administration got his wires crossed; when he heard the problem was addressed in the CPU, he assumed patch, not workaround, and put up the details on Full Disclosure. Silly him; this is Oracle we're talking about, where nothing can be taken for granted regarding security.

ODDS AND ENDS

• Mobile is hot, and we're not above some bandwagon jumping. We surveyed our readers recently about their mobile security habits, policies and processes, and the results are in—and noteworthy. Look for a full report in the coming month at SearchSecurity.com, but let's just say there isn't a critical mass of mobile device security policies out there; a heckuva lot of personal devices access and store work-related data, and most of you are still concerned primarily with device loss and looking for management help—access control technology too.

• We're a little more than six months away from the 10-year anniversary of the SQL Slammer worm, and a little more than a month away from the decade commemoration of David Litchfield's Black Hat talk, which exposed the SQL Server vulnerability the 376-byte worm blasted through. Slammer is probably the most economical and effective piece of code in computing history. Less than 400 bytes slowed sections of the Internet to a crawl on that cold January 2003 Saturday morning. Slammer cemented the need for regular patching and probably sealed the deal for Microsoft to initiate Patch Tuesday (the first one was in October 2003). So if you happen to be at Black Hat next month and see David Litchfield, wish him a happy anniversary.

Michael S. Mimoso is the editorial director of TechTarget's Security Media Group. Follow him on Twitter @Mike_Mimoso. Send comments on this column to [email protected].


PERSPECTIVES

Building Risk Resilience
Enterprises need an agile risk management strategy to deal with today's evolving threats. By Steve Durbin

The array and complexity of information security threats is going to rise significantly over the next two years, and businesses that fail to prepare now will struggle to handle the challenges later. While individual threats continue to pose risk, it is the combination of them, along with the speed at which attacks may be launched, that provides the greatest danger. This increasingly complex threat landscape is comprised of:

• External threats that come from the increasing sophistication of cybercrime, state-sponsored espionage, activism moving online, and attacks on systems used to manage critical infrastructure in the real world.

• Regulatory threats that come as regulators grapple to implement legislation calling for greater transparency about incidents and security preparedness, all the while increasing requirements for data privacy.

• Internal threats that come as technology continues to develop at "tweetneck" speed, introducing new benefits but also raising the risk temperature as businesses adopt them without fully assessing the security implications.

Preparing for these challenges requires a shift from traditional risk management. Businesses operate in an increasingly cyber-enabled world, and traditional risk management just isn't agile enough to deal with the risks posed from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness that assesses the threat vectors from a position of business acceptability and risk profiling. This means risk management can't be the sole responsibility of the information security team; all business units—including human resources and marketing—must be involved. New attacks impact not just technology, but business reputation and shareholder value as well; we're starting to see a clear link between attack and stock price performance.

Keeping that in mind, let's look at ways organizations can plan for today's threat vectors.

EXTERNAL THREATS

Since businesses can expect to see a continuing increase in the frequency, sophistication and effectiveness of attacks, they require the capability to respond more quickly and effectively. Consider these five actions to prepare for today's external threats:

• Ensure standard security policies and procedures, such as an acceptable use policy for employee-owned computing devices, are in place across the business.

• Develop your cyber-resilience by establishing a cybersecurity governance function—gather and share attack intelligence, assess your own resilience and develop a comprehensive response plan.

• Consider getting involved and shaping local cybersecurity initiatives, sharing incident data, and working with other organizations and industry bodies to build the foundations of resilience.

• Monitor the threat landscape for further developments.

• Increase business leadership involvement in all of the above—this is a business issue, not something solely for information security.

REGULATORY THREATS

Regulators and legislators the world over are trying to figure out the rules and statutes for an ever-changing environment. Clearly, changes that are business-friendly and allow innovation will be welcome, as will those that harmonize regulations across jurisdictions. There is always the danger, however, that increased regulation will bring with it an increased cost of compliance, particularly for the unprepared. Businesses can take these steps to better prepare themselves to respond to these regulatory threats:

• Adopt and practice a structured and systematic approach to assessing risk and meeting data breach and other transparency requirements.

• Monitor legislative and regulatory developments on a continuing basis and amend your data protection framework and information management procedures to reflect any changes, including privacy-related controls.

• Join and participate in industry and other associations to assess and influence policy—don't assume the regulators will get it right.

INTERNAL THREATS

Whether it's one person's error that isn't caught in time, or an old server that wasn't upgraded because the plan was cut back, the result ends up the same. Whether it's accidental, deliberate or malicious, the incident's cost could easily be immensely out of proportion to the cost of prevention. However, internal threats are more than internal mistakes or deliberate abuse; they also come from the introduction of new technology, underinvestment in security functions, and the pace of technological change. A business can counter these internal threats with the following steps:

• Adopt business-wide information security governance and integrate it with other risk and governance efforts within the organization.

• Improve the integration of security across the business and elevate security reporting to a level with other governance, risk and compliance (GRC) areas.

• Understand your organization's risk appetite and ensure the value of continuous security investment meets the business need and is well spent; engage business leaders in this so they understand the implications of any zero-budget planning.

• Take ownership of coordinating the contracting and provisioning of business relationships with outsourcers, offshorers and supply chain and cloud providers. How secure are your suppliers? Ask them!

• Monitor new business initiatives and get information security involved early, as an enabler.

With the speed and complexity of the threat landscape changing on an almost daily basis, all too often we are seeing businesses left behind, sometimes in the wake of reputational and financial damage. They need to take stock now to ensure they are fully prepared and engaged to deal with these ever-emerging challenges.

Steve Durbin is global vice president of the Information Security Forum (ISF), an independent, non-profit association. His main areas of focus include the emerging security threat landscape, cybersecurity, consumerization, outsourced cloud security, third-party management and social media across both the corporate and personal environments. He was formerly senior vice president at Gartner, where he was the global head of Gartner's consultancy business.

SCAN: SECURITY COMMENTARY, ANALYSIS AND NEWS

CISPA Wins Industry Support
Legislation designed to provide the federal government with threat data from the private sector gains steam. By Robert Westervelt

The Cyber Intelligence Sharing and Protection Act (CISPA), legislation designed to provide the federal government with threat data from private sector firms, is gaining wide support from security and tech companies.

Symantec and Verisign are two notable security firms that have signaled support of the cybersecurity legislation. Others are members of the Internet Security Alliance (ISA), a multi-sector trade organization that includes AVG and Raytheon. Technology heavyweights Microsoft, IBM, Intel, Oracle, and Facebook also voiced support for the legislation. Supporters mainly praise the bill for fostering information sharing and also eliminating liability for sharing threat data with the government.

The proposed law, which passed the House in late April, aims to give the government some oversight into protecting critical infrastructure facilities that are owned by private-sector companies. CISPA amends the National Security Act and clears security vendors of any legal ramifications in sharing their customer data with federal officials. The program is voluntary, and the hope is that it provides the NSA, the Department of Homeland Security and other agencies with more specific threat data on attacks targeting utilities, chemical rendering companies, manufacturers and other organizations deemed essential to the protection of national security.

Symantec declined a request for an interview, but issued a statement praising the House for passing the bill. Cheri McGuire, Symantec vice president for global government affairs and cybersecurity policy, noted that another bill passed by the House in April modernizes the Federal Information Security Management Act (FISMA).

"The combined effect of the bills passed this week is a positive step towards strengthening our nation's overall cybersecurity posture," McGuire said in the statement.

Two other organizations supporting CISPA are the Science Applications International Corporation (SAIC), which works closely with DHS, and Carnegie Mellon University CyLab, which produces cybersecurity research.

The author of the bill, U.S. Rep. Mike Rogers (R-Mich.), said the bill's passage was due to a number of additions to the legislation addressing concerns by critics about how the threat data can be used and how long the federal government can retain the data. There is a provision in the bill "encouraging" the private sector to anonymize or minimize the cyberthreat information it voluntarily shares with others, including the government. It also says the threat data cannot be used by the federal government for a regulatory purpose and prohibits the federal government from searching the information for any other purpose than for the protection of U.S. national security.

Compared with the concern and opposition that met the Stop Online Piracy Act (SOPA), CISPA's opponents are fewer in number. The Electronic Frontier Foundation is leading the opposition to CISPA, saying the bill reduces online privacy by giving security firms the ability to give potentially personal information to the government with little oversight.

Among the bill's biggest opponents is the White House. The Obama Administration has threatened to veto the legislation if it passes the Senate.

In a statement issued to reporters, Mozilla voiced its opposition to CISPA, stating that the bill has "broad and alarming reach that goes far beyond Internet security." Opponents of the bill say that although the program is voluntary, no portion of the legislation requires the data to be scrubbed for anonymity.

"The bill infringes on our privacy, includes vague definitions of cybersecurity, and grants immunities to companies and government that are too broad around information misuse," Mozilla said in its statement. "We hope the Senate takes the time to fully and openly consider these issues with stakeholder input before moving forward with this legislation."

Robert Westervelt is the news director of TechTarget's Security Media Group. Send comments on this article to [email protected]

Q&A WITH RANUM

A Chat With Marcus Ranum
Security expert and Information Security magazine columnist goes one-on-one with Brian Chess, formerly of HP, which in 2010 acquired his company Fortify Software.

Marcus Ranum: Brian, thank you for taking the time to chat! I hope I'm not going to frustrate you too much if we jump straight into what I suspect is a pain point for you. It seems to me computer programming is a game of "one step forward, two steps back" and every time there's a push for quality improvements, it's immediately offset by something that seems to encourage throwing quality to the winds. Is it a lack of tools, or are the incentives wrong/backwards? Do people just not care if their programs are buggy or full of malware? I am still semi-stunned by the fact that most "Web programming" is done in an environment of trial and error. Is that an accurate perception? What's going on?

Brian Chess: This is a pain point for me, but perhaps not for the reason you suspect. I've recently taken off my code analysis hat and gotten back to writing some Web software from scratch. The last time I started this fresh was around 2000 when we were building the foundation that became NetSuite. Here are some of the things that stand out to me about software development practices, then and now:

Then: If you're serious, you put your data in Oracle.
Now: Choose between a few good open source relational databases and a dozen or more non-relational and somewhat dubious young data stores (Couch, MongoDB, Cassandra, etc.).

Then: Java is cool.
Now: Functional is cool. Choose Ruby, Python, Node.js, or Scala. (I'm a fan of type checking, so we went the Scala route. And while the shine has come off of Java, I still think the Java Virtual Machine is cool, and Scala runs in a JVM.)

Then: Internet Explorer sucked but it was pretty much the only game in town.
Now: The browsers are much better, but you really can't ignore IE, Firefox, Chrome or Safari. Quadruple the testing fun!

Then: We did crazy things with JavaScript.
Now: We build on top of somebody else's crazy JavaScript. For us, it's Google Closure, which means our JavaScript goes through a compiler that understands type annotations before it goes out the door. Many bugs are squashed before they meet the browser, but our ambitions have scaled way up too. "Crazy" isn't user-specific form validation, it's an entire application written in JavaScript that communicates only with the server via JSON.

Then: Want a server? Rack it.
Now: Want a server? Click it. Or click a few times and have a whole bunch.

The world (rightfully) has some doubts about this whole cloud thing, but from a developer's perspective, it's awesome.

So in a little more than a decade, "Web programming" has become an entirely different game. It's still evolving quickly enough that anyone who wants to keep up is forced into a lot of trial and error. You can't look at this rate of change and believe anyone understands the long-term ramifications of the stuff they made up yesterday. And don't think you can pick an older stack and just stand there. The new stuff allows you to build a lot faster. The economic advantage is huge. Oh, and the security people are going to force you to upgrade anyway.

Marcus: Your comment "You can't look at this rate of change and believe anyone understands the long-term ramifications of the stuff they made up yesterday" makes my blood run cold. The security world is already desperate because of the huge code-mass that has been pushed into production already; we've been stuck in the world of "penetrate and patch" bug hunting for nearly 15 years now, and we both know how well that has worked. What you've just mapped out is a software environment that is differentiating unbearably rapidly. Some of those frameworks are going to die, others are going to suck, and there are so many people that won't even take the time to make a sober assessment of what has a rosy future; they'll use whatever their favorite software blogger hero suggests, and that'll be the next big business app. So the problem isn't the lack of tools, it's the profusion of environments, which makes it unlikely that the tools (which have to be environment-specific) will come along.

Brian: Tools encode knowledge about what's safe and what's unsafe. Clever tool makers can encode their knowledge in such a way that the tool can automatically adapt to a wide range of scenarios and can be quickly updated when new kinds of problems emerge, but automation is still about preventing repeat mistakes, not discovering the next new variety of problems. Don't get me wrong, we've come a long way. We don't have to wait for a human tester to find the next buffer overflow or SQL injection vulnerability. There are good ways (static and dynamic) to find brand new instances of those vulnerability types. But when the next new kind of vulnerability comes along, we'll need new tooling to find it. So while a profusion of environments does make the job harder, it's the rate of change (and the necessary lag involved in learning about what's safe/unsafe and encoding it in a tool) that creates unavoidable exposure.

But I don't want to leave the impression that all change in software development practices has been bad for security. There are more and more new systems doing things like allowing for updates to their cryptographic primitives. We've seen enough change that we know today's algorithms and key lengths won't work forever, and we can build software that anticipates the eventual need for improvements. That's cool stuff, as is the idea of creating attack-aware software in which a program's notion of what constitutes an "attack" can be updated independently of the program's functionality.

Marcus: I recently saw some nice things being said about Apple's "game changer" idea of turning off a feature if it hasn't been used. Apparently, the operating environment notices that you haven't used the Flash Player (for example) and turns it off after a month of inactivity. Then, the next time you want to use it, it asks "Are you sure?" Seems like a fair idea to me, but hardly a game changer. The real point seems to be that our software environments still have a LONG way to go in terms of adding user-friendly checks to make sure the right thing is happening. I'm pretty pleased with my iPad and its constant desire to keep its software up to date. I'm still constantly gobsmacked that application whitelisting seems to be so slow catching on, compared to running antivirus and getting malware. Where do you see this going? Are there any cool ideas the industry has been overlooking?

Brian: Yes, turning off stuff you haven't used in a while isn't exactly a game changer, but there's a lot to be learned from what Apple has done in the last five years. The walled garden is a powerful concept. Users relinquish a substantial amount of control over their devices and data, but they get substantial benefits in return. For example, the Apple app store is a form of whitelisting. Apple has done a less than perfect job of making the application approval process a security screen, but the opportunity is there. And when bad code gets through, the mobile device management (MDM) service has the ability to revoke applications after the fact. I don't think these capabilities were built specifically for improving security, but they have great potential. For many years the tech industry has celebrated "open" systems (by that I mean systems that could be extended and built upon by the customer), but what I take away from watching Apple is that "open" is a major security burden.

So are we better off in the Wild West where developers can do as they like and consumers have a devil of a time making an informed choice, or is life better in the walled garden where Big Brother is always watching? Between iOS, Kindle and Windows 8, we're going to learn more about the walled garden in the next few years.

Marcus: I don't care if my garden is walled, as long as it's good. Well, I'd better let you go, because I know you're busy. Thank you for taking the time to talk.

Brian: Exactly! Keep in touch!
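Chess's remark above about systems that allow their cryptographic primitives to be updated, and about keeping a program's notion of what is acceptable separate from its functionality, can be made concrete. The block below is an added example for this edition, not code from Chess, Fortify, NetSuite or HP. It assumes a token format of the form `alg.payload_hex.tag`, a policy table that names the issuing algorithm and the set still accepted for verification, and the algorithm names `hmac-sha1`, `hmac-sha256` and `hmac-sha512`; all of these are choices made for the illustration. The point it shows is that retiring a weakened primitive is a change to data, not to `issue()` or `verify()`, and that tokens issued under an old algorithm can be accepted and re-issued during a migration window and then refused once the window closes.

```python
"""Crypto-agile message authentication: the algorithm is named in the token,
and the set of acceptable algorithms is policy data that can change without
touching the verification code.  Added example; names are assumptions."""
import hashlib
import hmac

# Policy is data, not code: which algorithm new tokens are issued with, and
# which algorithms are still accepted on verification.  Retiring an algorithm
# (say, once its hash function is considered broken) edits this table only.
POLICY = {
    "issue": "hmac-sha256",
    "verify": {"hmac-sha256", "hmac-sha1"},  # sha1 accepted only while migrating
}

# The primitives the code knows how to run.  New entries can be registered
# before the policy switches to them.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def _tag(key: bytes, alg: str, payload: bytes) -> str:
    # The algorithm name is bound into the MAC input so a token cannot be
    # re-labelled as a different algorithm without invalidating its tag.
    return hmac.new(key, alg.encode() + b"\x00" + payload, ALGORITHMS[alg]).hexdigest()


def issue(key: bytes, payload: bytes, policy=POLICY) -> str:
    """Produce 'alg.payload_hex.tag' using the policy's current issuing algorithm."""
    alg = policy["issue"]
    return f"{alg}.{payload.hex()}.{_tag(key, alg, payload)}"


def verify(key: bytes, token: str, policy=POLICY):
    """Return (payload, alg) for a token valid under policy; raise ValueError otherwise."""
    try:
        alg, payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        raise ValueError("malformed token")
    if alg not in policy["verify"] or alg not in ALGORITHMS:
        raise ValueError(f"algorithm {alg!r} not permitted by policy")
    if not hmac.compare_digest(_tag(key, alg, payload), tag):
        raise ValueError("tag mismatch")
    return payload, alg


def reissue_if_stale(key: bytes, token: str, policy=POLICY) -> str:
    """Accept a token under the current policy and, if it was issued with an
    algorithm that is no longer the issuing one, hand back a fresh token so the
    old algorithm can eventually be dropped from the verify set."""
    payload, alg = verify(key, token, policy)
    if alg != policy["issue"]:
        return issue(key, payload, policy)
    return token


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed demo key, not a real secret
    old_policy = {"issue": "hmac-sha1", "verify": {"hmac-sha1"}}
    legacy = issue(key, b"user=42", old_policy)  # token from before the switch
    upgraded = reissue_if_stale(key, legacy)     # still verifies, comes back as sha256
    print("upgraded token algorithm:", upgraded.split(".")[0])
    strict = {"issue": "hmac-sha256", "verify": {"hmac-sha256"}}
    try:
        verify(key, legacy, strict)              # sha1 retired: rejected
    except ValueError as exc:
        print("legacy token under strict policy:", exc)
```

The migration runs in two steps: first ship a policy that issues with the new algorithm but still verifies the old one, and let `reissue_if_stale()` rewrite tokens as they are presented; once no old tokens remain in circulation, ship a policy that drops the old name from the verify set. Binding the algorithm name into the MAC input, and rejecting algorithm names the policy does not list before doing any cryptography, are the two checks that keep a caller from steering verification toward a primitive the operator has already retired.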


COVER STORY: THREAT MANAGEMENT

SHARE AND SHARE ALIKE
Businesses and government agencies work to improve sharing of cyberthreat information.

By Robert Lemos

When credit card processor Heartland Payment Systems suddenly saw an uptick in fraud coming from outside the United States last year, the company didn’t just quietly handle it internally.

In the past, the company would have referred the issue to its internal security team to analyze and recommend an action. This time, John South, the company’s chief security officer, had other options: He contacted members of the Payments Processing Information Sharing Council (PPISC), a group formed in 2009 that brought together Heartland and its competitors in the industry to share information on threats attacking their systems. He described what the company was seeing and how the attackers were operating.

“We were able to validate that other processors were seeing the same pattern and then take that pattern information directly to the U.S. Secret Service to help them and educate them in regards to the mechanism the attackers were using,” South says.

Because the incidents are still under investigation by law enforcement, South declined to describe any details of the event. However, Heartland’s response highlights a fundamental shift in information sharing.

Following post-mortem analyses of how barriers to information sharing stymied the U.S. government’s investigation of the terrorist groups that went on to destroy the Twin Towers on 9-11, federal agencies and industry have pushed strongly for better sharing of information. For nearly a decade, however, progress has been slow, especially in sharing cyberthreat information. Most industry sectors do not readily share information with the government or competitors, and barriers to sharing classified information block many government organizations from warning companies about possible attacks.

Companies like Heartland continue to take part in larger information sharing initiatives—such as, in Heartland’s case, the Financial Services Information Sharing and Analysis Center (FS-ISAC)—but they have also pushed out on their own. The major information sharing initiatives, such as industry information sharing and analysis centers (ISACs), tend to work for the largest participants, and while government sanctioned information sharing channels are working hard to be more nimble, smaller grassroots efforts have become the nexus for groups worried about cybersecurity.

“Through the PPISC, we were able to take security out of the competitive landscape and allow members to benefit from each others’ experiences,” South says.

Other industries and even government agencies that have felt their needs were not being met have created their own groups to better share cyberthreat information. State and local government have teamed up with law enforcement and created the Cyber Threat Intelligence Coordinating Group. In April, the health care industry announced that its own grassroots security information group, the Health Information Trust Alliance (HITRUST), had created a center to act as a hub for sharing information on attacks.

A TANGLED WEB

Such efforts are a break from the large information sharing channels set up by the U.S. government.

At the center of government efforts to share cyberthreat information with industry is the U.S. Department of Homeland Security’s National Cybersecurity Center (NCSC) and U.S. Computer Emergency Readiness Team (US-CERT). The Federal Bureau of Investigation’s InfraGard program works to inform and educate companies in more than 80 locales and, in return, gathers intelligence on particular threats.

Yet those three groups hide a bewildering array of information sharing initiatives and programs in the government that most companies never see.

The U.S. military collects and disseminates information through the National Security Agency’s Threat Operations Center (NTOC), the Department of Defense Cyber Crime Center (DC3), and the U.S. Cyber Command. Threat intelligence is also provided by the Intelligence Community Incident Response Center (IC-IRC). Information gleaned by law enforcement from criminal, counterintelligence and terrorism investigations is collected, acted upon and disseminated by the National Criminal Investigative Joint Task Force (NCI-JTF).

On the industry side, information necessary for critical infrastructure protection is processed through ISACs, as well as a number of regional, sector and governmental coordinating councils. State and local governments, for example, share threat intelligence and best practice information through the Multi-State ISAC and a network of fusion centers that help bring intelligence and law enforcement together. In addition, government agencies and critical infrastructure owners sit in a massive operations center, the National Cybersecurity and Communications Integration Center (NCCIC or “N-Kick”), which monitors for threats.

When it works, the large web of information sharing channels works well. Reports on attacks are passed up through channels such as US-CERT and the NCI-JTF, and information on the threats—such as indicators of compromise (IOCs)—is transmitted back down to members.

“If a company sees something new they want others to know about, my first phone call is to the NCI-JTF, because I knew from there it would get to all the government parts,” says Phyllis Schneck, chief technology officer of McAfee’s global public sector group, who served for eight years as chairman of InfraGard’s national board of directors. “From there it gets to all the private industry pieces and even the intelligence community.”

However, these groups have their own mandates and, in many cases, hurdles to overcome before sharing information. (See page 25, “Top Secret.”) Law enforcement agencies, for example, will not share information and warn a victim of a possible attack if it might threaten the eventual prosecution of a suspect.

“It’s a challenge on the operational side to advise the victim that they may be a victim, even though an attack has not taken place,” Pete Cordero, assistant section chief with the FBI’s Cyber Criminals Section, told attendees at the RSA Conference 2012 earlier this year. “Especially when going to the victim may cause a problem in our ongoing operation to collect enough evidence to prosecute these individuals, beyond a reasonable doubt.”

INFORMATION SHARING GUIDE
A high-level view of some cyberthreat information sources

If your organization is: | Contact: | For:
Any size business | InfraGard (FBI) | Industry and law enforcement connections, general threat information
Any size business | U.S. Computer Emergency Readiness Team (DHS) | Reporting and getting information on specific threats and attacks
Critical infrastructure | Information Sharing and Analysis Center (ISAC) | Reporting and getting information on critical infrastructure threats and attacks
Critical infrastructure | National Cybersecurity & Communications Integration Center (NCCIC) | Response to real-time attacks and the dissemination of information on threats
Law enforcement | National Criminal Investigations Joint Task Force (NCI-JTF) | Information on latest investigations and threats seen by U.S. companies and citizens
Military | National Security Agency’s Threat Operations Center (NTOC) | Classified information on specific threats impacting the U.S. communications infrastructure

While InfraGard, a sharing program run with the FBI, is a good place for any business to cut its teeth in the cyberthreat arena, it continues to be criticized for being a one-way street. Companies will report incidents to law enforcement, but actionable intelligence about those incidents rarely comes back down through InfraGard to its approximately 48,000 members.

“InfraGard ends up being, not so much an information sharing organization, as a relationship-building organization,” says McAfee’s Schneck.

OVERCOMING OBSTACLES

In some ways, the Heartland breach demonstrates the failings of early information sharing efforts, says South. Starting in late 2007, hacker Albert Gonzalez breached the company’s network using an SQL injection attack and, using that access, stole information on more than 130 million credit card accounts the following year. Other payment card processors had seen the techniques that criminals like Gonzalez used to breach Heartland’s system, he says.

“The indicators of the malware and attacks were available in the community, because other people had seen them, but they had no mechanism and no arena to share that information,” South says.

Such problems are being repaired, albeit slowly.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a key success. Established in 2003, the association now includes all 50 states, three U.S. territories and 144 major local governments, including every state’s capital. The MS-ISAC now has a person sitting on the floor of NCCIC. While the group originally focused on disseminating terrorism threat data and infrastructure protection information, cyberthreat sharing has become a major focus of the group as well.

“If there is a credible threat to a bridge, you need to do your analysis as to the risk consequences of that bridge being destroyed,” says William Pelgrin, founder and chairman of the MS-ISAC. “You look at the human consequences, the financial consequences. It is very important to know what the cyber consequences would be. The light bulb goes on when you realize how much telecommunications are running under those bridges.” The destruction of the Twin Towers on 9-11 also led to the disruption of telecommunications, he says.

It took a long time for the MS-ISAC to break through companies’ barriers to sharing sensitive information, says Pelgrin. When he started the group, he had trouble getting companies to volunteer attack information. Initially, very few people shared information.

“A lot of times people didn’t share, not because they didn’t want to share, but for fear of blame or fear of impact on their intellectual property, which are real problems,” says Pelgrin.

Members develop trust over time, but another key to success is to form smaller groups that help underserved portions of the membership get their intelligence out and better information back.

The Payments Processing Information Sharing Council (PPISC) is one example of such a group. Another example: After helping to establish the MS-ISAC, Pelgrin brought a variety of law enforcement groups together to cooperate in criminal investigations. The new organization, the Cyber Threat Intelligence Coordinating Group (CTICG), identifies potential investigations on which different law enforcement agencies can collaborate.

In a recent case spearheaded by the CTICG, a single report of stolen information from a local college led to a massive investigation that discovered a group of hackers using the Qakbot attack tool to steal data and store it on four FTP servers, including one outside the U.S. Organizations in more than 17 states were found to be victims, Pelgrin says.

TOP SECRET
Federal cyberoperation centers are working to overcome barriers to sharing highly sensitive information

At 8:30 every morning, a who’s who of the U.S. government cyberworld meets on a conference call to take stock of the online threats of the last 24 hours.

The so-called “8:30 Sync Meeting” brings together representatives from the top six agencies focusing on cyberoperations for the U.S. government: the National Security Agency’s Threat Operations Center (NTOC), the Department of Defense’s Cyber Command (USCYBERCOM) and Cyber Crime Center (DC3), the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), the Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force (NCI-JTF) and the Intelligence Community’s Incident Response Center (IC-IRC), part of the Office of the Director of National Intelligence (ODNI).

Sharing top-secret information is against the cultural grain of many of the groups, but they are working to overcome those barriers.

“We operate at the top-secret level,” said Mary Robidoux, chief of technology, development and support for NTOC. “It is a big push for us to identify actionable information that we can push into the [lower] secret level and to allow the other centers to use the information.”

In a panel presentation at the RSA Conference 2012 earlier this year, the NSA’s Robidoux and representatives from the three other major agencies discussed the difficulties in sharing information, but also shared recent successes.

The focus is to create an operational picture of what is going on in cyberspace, says Major General David Lacquement, J-3 director of operations at USCYBERCOM. “Ideally, we are able to identify a threat, develop a mitigation scheme and put it in place before the enemy employs the threat against our network,” he says. —Robert Lemos

“We would not have been able to figure this out without the information sharing,” Pelgrin says.

The case underscores that the point of information sharing is to be able to take action, he adds.

“Information sharing as a goal does not work, information sharing needs to lead to an action,” he says. “If we all sit around the table and say, ‘The train is coming down the track, but you can’t tell anyone about it,’ I don’t want to know.”
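Pelgrin’s point that shared intelligence has to turn into action is, in practice, a matching job: the indicators of compromise a group distributes only help once they are checked against an organization’s own logs. The following Go program is an added example written for this article, not code from any of the groups discussed. The indicator bulletin and the log lines in it are constructed, and the matching rules (exact match on IP addresses and SHA-256 hashes, suffix match on domains so that a shared domain also catches its subdomains) are an assumption about a reasonable sensor, not a description of any ISAC feed format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Indicator is one shared indicator of compromise (IOC) together with the
// group that distributed it. Types handled here: "ipv4", "domain", "sha256".
type Indicator struct {
	Type   string
	Value  string
	Source string
}

// Alert pairs a matching log line (1-based) with the indicator it hit.
type Alert struct {
	Line      int
	Indicator Indicator
}

var (
	ipv4Re   = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	hostRe   = regexp.MustCompile(`(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b`)
	sha256Re = regexp.MustCompile(`(?i)\b[0-9a-f]{64}\b`)
)

// MatchIndicators scans log lines for shared IOCs and returns one alert per
// (line, indicator) pair. Domain indicators also match their subdomains, so
// a shared "bad.example" catches "cdn.bad.example".
func MatchIndicators(logLines []string, iocs []Indicator) []Alert {
	byType := map[string]map[string]Indicator{"ipv4": {}, "domain": {}, "sha256": {}}
	for _, ioc := range iocs {
		if set, ok := byType[ioc.Type]; ok {
			set[strings.ToLower(ioc.Value)] = ioc
		}
	}

	var alerts []Alert
	for i, line := range logLines {
		seen := map[string]bool{} // one alert per indicator per line
		hit := func(ind Indicator) {
			key := ind.Type + ":" + ind.Value
			if !seen[key] {
				seen[key] = true
				alerts = append(alerts, Alert{Line: i + 1, Indicator: ind})
			}
		}
		for _, ip := range ipv4Re.FindAllString(line, -1) {
			if ind, ok := byType["ipv4"][ip]; ok {
				hit(ind)
			}
		}
		for _, host := range hostRe.FindAllString(line, -1) {
			// Walk from the full host name up through its parent domains.
			labels := strings.Split(strings.ToLower(host), ".")
			for j := 0; j < len(labels)-1; j++ {
				if ind, ok := byType["domain"][strings.Join(labels[j:], ".")]; ok {
					hit(ind)
					break
				}
			}
		}
		for _, h := range sha256Re.FindAllString(line, -1) {
			if ind, ok := byType["sha256"][strings.ToLower(h)]; ok {
				hit(ind)
			}
		}
	}
	return alerts
}

// SampleIOCs is a constructed bulletin; none of the values is a real indicator.
var SampleIOCs = []Indicator{
	{"ipv4", "203.0.113.45", "constructed: peer processor report"},
	{"domain", "updates-cdn.example", "constructed: ISAC advisory"},
	{"sha256", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "constructed: law enforcement bulletin"},
}

// SampleLogs are constructed lines in the shape of proxy, firewall and endpoint logs.
var SampleLogs = []string{
	"2012-06-01T08:14:02Z proxy allow user=jdoe GET http://cdn.updates-cdn.example/u.php",
	"2012-06-01T08:14:05Z fw deny src=10.0.4.17 dst=203.0.113.45 dport=443",
	"2012-06-01T08:15:11Z proxy allow user=asmith GET https://www.example.com/index.html",
	"2012-06-01T08:16:40Z edr exec host=ws-0412 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
}

func main() {
	for _, a := range MatchIndicators(SampleLogs, SampleIOCs) {
		fmt.Printf("line %d: %s %s (shared by %s)\n", a.Line, a.Indicator.Type, a.Indicator.Value, a.Indicator.Source)
	}
}
```

Run as written, the program reports three hits: the proxy line for a subdomain of the shared domain, the firewall line for the shared address, and the endpoint line for the shared hash; the benign proxy line produces nothing. Keeping the Source field on each indicator is what lets an analyst answer the question a sharing group will ask next, namely which bulletin turned out to be useful.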

The U.S. government has seen that focused groups can be more effective and wants to support companies that self-organize as suits their needs. During a panel discussion on information sharing at the RSA Conference 2012, Lee Rock, acting director of DHS’s US-CERT, assured such groups that the government would not interfere.

“We want to make sure the entities that have self-organized in the private sector … that we are collaborating and talking with them and not trying to dictate to them how to do their jobs,” Rock told attendees. “It is critically important, as there is no single entity that has the solution.”

GOING SMALL

In late April, health care firms banded together to find their own solution. While there is an information sharing and analysis center (ISAC) for the government’s health care agencies, it does not represent the health care industry.

Moreover, the ISAC model would not work well in the health care industry, says Dan Nutkis, CEO of HITRUST, which was formed five years ago to share information about security and compliance requirements in the industry. With some 400,000 organizations, including many single-doctor practices, health care companies range from the very small to the very large.

“What we learned was that only a small percentage was capable of consuming the type of information we were disseminating,” Nutkis says. “You can’t have an ISAC if you are only supporting five percent of your industry.”

In April, HITRUST announced it would create its own initiative for getting threat information to its entire membership. Known as the Cybersecurity Incident Response and Coordination Center, the group will communicate threat data to health care companies and up to the U.S. Department of Health and Human Services.

“Before it was like drinking through a fire hose,” says Roy Mellinger, chief information security officer for health care provider WellPoint. “Now, we can get information that is very tailored to our needs.”

With the small groups cropping up to fill the voids in information sharing, companies have more choices than ever before for gaining intelligence on what threats may come knocking on their firewall. And if firms find that attending InfraGard and joining an ISAC do not fit their needs, they can work with their own industry to create a group.

“On all fronts there are improvements that are occurring,” says the MS-ISAC’s Pelgrin. “It is easy to say that things aren’t working, but I think we have an obligation to make them work.”

Robert Lemos is an award-winning technology journalist who has reported on computer security and cybercrime for 15 years. He currently writes for several publications focused on information security issues. Send comments on this article to [email protected].


DATA PROTECTION

TREAD CAREFULLY
Capabilities such as encryption and DLP can be complicated in the cloud.

By Dave Shackleford

In December 2010, Honda experienced a data breach that affected 2.2 million customers. Names, email addresses, vehicle identification numbers (VINs), and credentials for a Honda portal were stolen from a database. The database, however, was not accessed within Honda’s infrastructure. This sensitive information was stolen from a cloud-based marketing service provider that Honda did business with. A year ago, cloud storage provider Dropbox pushed a code change that eliminated the password authentication system required to access users’ stored data, rendering any data from any account accessible to anyone who wanted to access it.

In addition, Dropbox drew criticism for maintaining control of users’ encryption keys, potentially making accounts and data susceptible to compromise should those keys fall into the wrong hands. Also, last year, Amazon’s Simple Storage Service (S3) was found to be susceptible to a basic HTTP-focused brute-force attack that could expose customers’ data storage accounts.

As more systems, applications and data are moved into cloud provider environments, these types of stories are likely to become more common. How can users and organizations keep their data safe when moving to a cloud provider environment? Find out about data protection in the cloud as we detail the technologies and challenges you’ll encounter as your organization sends and consumes data from the cloud, and learn what you need to do to protect it.

TECHNOLOGY CHALLENGES TO CONSIDER

Within virtualized environments, numerous virtual machines are housed on a single physical system, a condition known as multi-tenancy. The hypervisor software is responsible for maintaining segmentation and isolation between virtual machines. This can be augmented with open source or commercial virtual network and virtual security appliances or add-ons. However, there are still challenges to traditional security best practices that stem from multi-tenancy, such as separation of duties and system segregation.

• Policy: Different virtual systems and data sets may have widely differing classifications and sensitivity levels. To ensure the proper security policy is applied to sensitive data, systems and applications that store or process this data are often kept physically separate from others. However, in a multi-tenant environment such as the cloud, this may not be feasible. In addition, ensuring internal policies related to data handling and access control may be difficult when migrating systems and applications to a cloud provider. This can be a problem when integrating public cloud services to an existing private cloud (a hybrid cloud scenario), as well as during a wholesale migration of data and systems to a public cloud environment.

• Encryption: Encryption can be challenging to implement internally due to key management and maintenance, performance issues, and access controls. Extending internal encryption platforms and capabilities into the cloud can seem daunting at best. For example, how will administrators manage encryption keys for data and systems in the cloud? When encryption keys need to be generated or revoked, how can this easily be accomplished for resources hosted elsewhere? Will cloud service providers (CSPs) need access to keys, and what kinds of risk will this introduce? For hybrid clouds, handling encryption may be less of an issue, but moving to a public cloud may pose significant challenges.

• DLP: Data loss prevention (DLP) requires a number of distinct technologies and processes to be effective. First, sensitive data needs to be fingerprinted so DLP monitoring tools can recognize the data based on string matching, file types and other attributes. Second, a centralized policy creation and implementation infrastructure needs to be in place to push policy to DLP monitoring tools, and these monitoring tools need to be in place to inspect traffic on network segments and critical host systems alike. Finally, quarantine and response measures should be implemented to take a variety of actions when a potential policy violation is detected. Implementing this in virtualized environments may be problematic due to resource constraints that result from installation of DLP software agents, or lack of virtualization integration options. Extending DLP to a CSP infrastructure may be difficult, especially in a multi-tenant environment where granular data protection policies are not available.

• Monitoring: Security monitoring techniques using intrusion detection, network flow analysis tools, and host-based agents are common in internal data centers. However, ensuring systems are properly monitored in the cloud is a different story. In many cases, cloud providers may not allow or support advanced monitoring technologies or processes, although some may offer this as a service.
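The DLP item above names three moving parts: fingerprinting of sensitive data, a centrally managed policy pushed to sensors, and inspection by those sensors. The Go program below is an added illustration of how those parts fit together; it is not code from this article or from any DLP product. A registered record is fingerprinted with SHA-256 over a normalized form, so the sensor can recognize the record without storing it; a policy carries that fingerprint plus a rule that flags Luhn-valid payment card numbers (which separates real card numbers from order references and similar digit runs); and Inspect applies the policy to an outbound message body. The record, the message and the rule names are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one DLP policy hit: which payload line, which rule, what matched.
type Finding struct {
	Line  int
	Rule  string
	Match string
}

// Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
var panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
var spaceRe = regexp.MustCompile(`\s+`)

// LuhnValid reports whether a digit string passes the Luhn check.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// normalize makes fingerprints robust to case and whitespace differences.
func normalize(s string) string {
	return spaceRe.ReplaceAllString(strings.ToLower(strings.TrimSpace(s)), " ")
}

// Fingerprint hashes a sensitive record so a sensor can recognize it without
// holding the record itself.
func Fingerprint(record string) string {
	sum := sha256.Sum256([]byte(normalize(record)))
	return hex.EncodeToString(sum[:])
}

// Policy is the centrally managed rule set pushed to each sensor.
type Policy struct {
	Fingerprints map[string]bool // hashes of registered sensitive records
	CardNumbers  bool            // flag Luhn-valid card numbers
}

// Inspect applies the policy to a payload (a file, a message body, a flow)
// line by line and returns every violation found, in order.
func Inspect(p Policy, payload string) []Finding {
	var out []Finding
	for i, line := range strings.Split(payload, "\n") {
		if p.Fingerprints[Fingerprint(line)] {
			out = append(out, Finding{i + 1, "fingerprinted-record", normalize(line)})
		}
		if p.CardNumbers {
			for _, cand := range panRe.FindAllString(line, -1) {
				digits := strings.NewReplacer(" ", "", "-", "").Replace(cand)
				if LuhnValid(digits) {
					out = append(out, Finding{i + 1, "card-number", digits})
				}
			}
		}
	}
	return out
}

// RegisteredRecord is a constructed sensitive record (made-up person and VIN).
const RegisteredRecord = "Jane Q. Public, VIN 1HGCM82633A004352, portal user jqpublic"

// SamplePayload is a constructed outbound message for the sensor to inspect.
// The card number is a well-known test number, not a live account.
const SamplePayload = `Hi, resending the details you asked for.
jane q. public,   VIN 1HGCM82633A004352, portal user jqpublic
Card on file: 4111 1111 1111 1111 (exp 06/14)
Order ref 1234 5678 9012 3456 is unrelated
Thanks`

// SamplePolicy builds the policy a central console would push to sensors.
func SamplePolicy() Policy {
	return Policy{Fingerprints: map[string]bool{Fingerprint(RegisteredRecord): true}, CardNumbers: true}
}

func main() {
	for _, f := range Inspect(SamplePolicy(), SamplePayload) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Rule, f.Match)
	}
}
```

The message trips two rules: line 2 reproduces the registered record despite different capitalization and spacing, and line 3 carries a Luhn-valid card number; the 16-digit order reference on line 4 fails the Luhn check and is ignored, which is the false-positive control that makes a card-number rule usable on real traffic. What a sensor does with a finding (quarantine, alert, block) is the response step the article lists and is left to the caller here.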

ENCRYPTION IN THE CLOUD

Fortunately, numerous data protection options are emerging for cloud environments. The first option for data protection in the cloud is encryption, and a variety of new solutions and tools can help organizations adequately control encryption keys, policies, and authentication and authorization associated with data protection in cloud environments where data and systems are dynamically migrated across platforms and even distinct data centers. For example, Amazon Web Services (AWS) has a number of features that allow users to control encryption keys and access methods. When new AWS user accounts are created, they are provided an access key that allows RESTful and Query protocol requests to AWS APIs. Users can also create X.509 certificates that provide SOAP access to Amazon APIs, or a public-private key pair can be generated, with only the user retaining the private key (as in all asymmetric cryptosystems). Certificates and access keys can be rotated easily, and multiple keys and certificates can be used concurrently to access AWS accounts.

In private cloud and Infrastructure as a Service (IaaS) provider environments, there are several options for encrypting data that minimize the need to redesign applications and re-architect system and network design. These include the following:

• Volume-based encryption: While storage volumes are unmounted or offline (as backups, for example), data is encrypted and unreadable without explicit access using encryption keys. However, when cloud data volumes are online, any authenticated user can access data on the volume. This may be highly impractical in a multi-tenant environment unless providers manage access to volumes per cloud instance. In most provider environments, managing storage volume security options will be a significant amount of work, because each customer would need specific encryption options, availability scenarios and access types.

• Application-specific encryption: Custom applications may include encryption with keys and certificates, and it is often incumbent on the developers to ensure key portability and encryption continuity are maintained when applications are moved to a cloud provider environment. In Platform as a Service (PaaS) environments, encryption APIs may be made available. In Microsoft Azure, for example, the SDK for developers exposes all common hashing functions such as MD5 and SHA1, as well as major .NET encryption libraries and capabilities. However, SQL Azure does not have significant encryption support, which may be a severe limitation to developers looking to leverage cloud-based database services in conjunction with Azure-hosted applications.

• File encryption: File encryption is likely the most flexible type of encryption for use within virtualized and cloud environments. Encryption is applied at the source and managed by customers or third-party providers that act as “proxies” for key management and encryption policy application. Examples of cloud-based key management providers include Voltage Security and Trend Micro.

In addition to the built-in capabilities providers offer, a number of vendors offer products that may simplify cloud-based data encryption or protection of virtual machines. High Cloud Security is one company offering policy-based encryption for entire virtual machines, and the VMs stay encrypted when moved throughout a cloud provider’s environment. All key management and role-based access is defined locally before moving to the cloud, greatly simplifying the ability to migrate VMs without checking compatibility requirements in the CSP infrastructure.

Additional cloud-focused encryption providers include CipherCloud and Vormetric. CipherCloud provides a virtual appliance called the CipherCloud Security Gateway that natively integrates with cloud services such as Salesforce.com and Google Apps. This appliance can provide encryption, key management, tokenization, and user monitoring functionality, among other features. Vormetric, a more traditional encryption solution provider, has adapted its enterprise encryption and key management platforms to extend this functionality into Amazon and other CSP environments.

INFORMATION LIFECYCLE IN THE CLOUD

Another critical element of data protection in the cloud involves the data lifecycle. Whether data is encrypted or not, customers should have a clearly defined data lifecycle, and ensure CSPs can maintain and support this, especially in the case of a business failure or other critical situation that could expose sensitive information. A reasonable lifecycle approach should include the following:

• Retention: CSPs should state how long they retain data that relates to customer instances and applications. In many cases, this may be log data or other related information that potentially contains sensitive details about customer activities.

• Disposal: Under what circumstances do CSPs dispose of customer data? If the CSP goes out of business, or some other unusual scenario comes to fruition, contractual language should protect the customer by stating that CSPs will dispose of data in a secure manner. This may consist of destroying physical drives or using degaussing or disk wiping software.

• Classification: Data classification can be simple to define, yet challenging to implement. For sensitive data within a cloud environment, organizations may want to ensure the data is appropriately segmented by using dedicated hypervisor platforms or systems versus traditional multitenant scenarios. Most providers offer virtual private clouds or standalone cloud servers for an additional cost, and this may be the best option for highly sensitive data.

DLP IN THE CLOUD

Data loss prevention is another common data protection technology that may require adaptation for virtualized and cloud environments. Following are several key considerations related to cloud DLP:

• Policy and monitoring: Host- and network-based DLP products need to fingerprint sensitive data before they’ll be capable of detecting and preventing potential breaches. For customers who employ host-based DLP agents, software agents with a pre-existing policy can run on virtual machines in the cloud as long as the agent can communicate with policy and alerting systems. Network-based DLP may not translate effectively to a public cloud in any sense, as any monitoring tools in a CSP environment would need to be tuned to each customer’s data types and usage patterns. In a private cloud, and potentially in a hybrid cloud, DLP policies and monitoring can likely operate normally, as long as the DLP technology is compatible with the virtualization platforms in use. Most major DLP product vendors, including McAfee and Symantec, support DLP agents on virtual machines. Network monitoring may require some architecture redesign, however, to ensure traffic from virtual switches is supported. Some providers such as Trend Micro and Palisade Systems offer DLP virtual appliances that can integrate into virtualized networks.

• Incident detection and management: One challenge with cloud-based DLP is the need to tightly integrate into an incident response program. Many CSPs do not provide in-house incident response services for customers, and others may not be able to adequately support event notification service-level agreements (SLAs) that trigger customers’ incident response programs internally. This means any DLP detection or prevention actions taken in the cloud, most likely from a software agent on IaaS-hosted virtual machines, may not quickly lead to investigations from either CSP or customer IR teams.

• Provider DLP controls: Technologies such as Websense Cloud DLP are attempting to integrate traditional DLP policies and monitoring with SaaS cloud solutions such as Salesforce.com, as well as PaaS and IaaS cloud options such as Azure and AWS. Cloud-based security service providers like Zscaler are offering DLP services specific to their hosted email and Web analysis services, which may be a good option for customers looking to outsource DLP entirely. Unfortunately, major CSPs do not offer robust DLP options that are the equivalent of customers’ in-house DLP today. Another point to consider is the internal CSP controls (including DLP), given the potential access to customer data and systems by CSP staff. For this, look to a CSP’s SAS 70 or SSAE 16 report on internal controls to ensure DLP or other protective technologies are in place internally.

OTHER CONSIDERATIONS

In addition to DLP and encryption, there are a number of other virtualization security tools and controls that can be implemented to help with data protection. These include virtual protection appliances such as Juniper’s vGW series (which provides virtual firewall, intrusion detection and prevention, and policy-based virtualization isolation) and HyTrust’s security appliance that enables control and audit over administration of the entire virtualization infrastructure with a focus on policy and compliance. Numerous security configuration guides, such as those from VMware, Microsoft, Center for Internet Security (CIS), and Defense Information Systems Agency (DISA), can be leveraged to lock down virtualized components.

Many CSPs also offer numerous data protection tools and services that may be of interest. For example, Terremark (a Verizon company) offers managed IDS/IPS, firewall and application firewall, log aggregation and analysis, and incident response services. Akamai offers cloud-based DDoS and Web application firewall services, among others. Even Amazon has some basic firewall and access controls for users built in, although these capabilities are limited and should ideally be augmented with other security products and services.

Ultimately, the state of data protection in cloud environments is still somewhat immature. Most enterprise DLP products support virtualization technology to some extent, but this does not mean these virtualized systems and applications can be easily extended into hybrid and public clouds without losing data protection capabilities. New services are emerging that can help to protect data in SaaS and PaaS provider environments, although these are currently somewhat limited to email and Web traffic.

Encryption is a more reasonable option for many to secure data in the cloud, with varying degrees of support from CSPs and numerous implementation methods ranging from encryption of entire virtual machines to file and folder encryption and application-specific encryption in VMs and SaaS and PaaS environments. As more organizations consider migrating data and applications to cloud providers, CSPs will need to enable broader support for encryption and DLP technologies. This will allow customers to ensure strong data protection controls are in place wherever their data is.

Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor, and course author. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He co-authored the first published course on virtualization security for the SANS Institute, serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Send comments on this article to [email protected].

By Joel Snyder

USING SIM FOR APPLICATION MONITORING

Security information management systems aren’t just for network security monitoring anymore.

TECHNOLOGY

Enterprises have adopted security information management systems (SIMs) for their value in correlating, reporting, and alerting on network security. By feeding firewalls, intrusion detection and prevention, and vulnerability analysis into a common platform, network and security managers have a valuable window, giving greater visibility and helping to clear out the noise.

Despite their name, though, SIMs can be used for more than network security monitoring. In many cases, the same tools can bring value to application managers if they’re used correctly. With attacks targeting the application layer, SIMs can help find security problems in enterprise applications that otherwise might get missed. But SIMs can do more than identify security threats: Any hard-to-find event or application performance issue can show up through careful analysis.

We’ll walk through the four steps application managers need to integrate applications into enterprise security information management systems and begin analyzing, reporting and alerting.

FEEDING APPLICATION DATA INTO A SIM

Before you begin using a security information management system, you’ve got to start feeding it your application data. In the world of networking and security, this is easy because network and security devices universally support SYSLOG, a way to ship log data over the network to a central point. SIMs love to get data via SYSLOG, so that’s always your first choice if your application supports it. You’ll have to work a bit harder for the rest of them.

For enterprise applications that send logs to Windows Event Log (Microsoft Exchange is the most common candidate here), getting those into a SIM will be easy. Most SIMs already have a simple strategy to connect to Windows Event Logs, either using a SYSLOG converter that sends Windows logs out via SYSLOG, or through some native tool that pulls logs directly from Windows.

Applications that write standard log files or send their logs to databases will pose a greater challenge. Some SIMs have already dealt with this problem out of the box and have tools or daemons that will monitor databases for changes or watch log files as they grow. If your SIM doesn’t do that, you’ll need to figure out some way to get those logs sent over. One approach is to wait for hourly or even daily intervals and use a batch procedure to copy the logs for the last time interval over to the SIM all at once. If your goals in using the SIM are more focused on reporting, correlation and forensics, then having a delay of an hour for logs to be sent over may be fine.

When you start thinking about what logs to send to the SIM, make sure you’re realistic about performance and about your goals. The temptation is to send everything, but some logs, such as back-end database logs, may be more than your SIM can handle. In general, you should start from the edge of the network and work your way backwards. Try and capture the full stack that represents the application from beginning to end. For example, if you have load balancers in front of an application, you’ll definitely want those logs. This is doubly true if you are doing source network address translation (NAT), a common strategy in load balancers for application servers because of the simplified deployment model. Without logs from the load balancers, you won’t be able to track transactions back to the true originating IP address or identify some types of denial-of-service (DoS) attacks. Keep going, including your Web front ends, application servers and database servers. If you’re adding logging for email, make sure you include the whole set of products: antispam/antivirus gateway, email relay, and finally, messaging server pieces.

As you work in toward the back end of the application, keep in mind the potential goals of SIM analysis: correlation and analysis, alerting, reporting, and forensics. If the logs don’t advance one of those goals, they aren’t going to help you much and will just clog up your SIM.

PARSE, NORMALIZE AND STORE APPLICATION DATA

The difference between a SIM and a log storage system is in the ability of the SIM to “understand” the logs you send it, a process generally called parsing or normalization. If you expect to get anything useful out of your SIM, you’ll need to make sure it is able to interpret the logs, collect information from various fields, and generate reports, calculate rates, and correlate information across log entries.

In many SIMs, the parsing and normalizing are dark magic (OK, that’s a technical term) reserved to the SIM vendor’s engineering team. In that case, you’ll have to provide them with a sample of your log files so they can add the necessary logic to their product. You may also need to add fields to the SIM’s database, a task that can either be easy or next to impossible, depending on how flexible your SIM is.

At this stage, be prepared to give up; if your SIM vendor says you won’t be able to do something useful with these logs, don’t try and force a round peg in a square hole. Even if your SIM can’t parse and normalize your application log files, you can still get useful information from the logs. Unparsed log files, though, won’t give you good reports, statistics or analysis. For example, many SIMs will treat unparsed log entries as blobs of text, which would let you raise an alert on certain specific entries, such as fatal errors or security alerts. That’s not giving you the full value of a SIM, but alerting combined with some forensics and log search capabilities can make it worth your time to go down this path.

If you’re parsing the logs yourself or advising your SIM vendor, you’ll need to figure out which fields to pull out of each log entry. Focus on fields that will make sense for reporting, alerting, and correlation. For example, if you’re pushing email application logs over, you’ll want to try and track fields such as message ID, envelope-from, envelope-to, subject, and date as a bare minimum. When adding more complex applications, such as ERP systems, you’ll have to pick and choose fields from a fairly complex environment. Parse fields that will help you trace a transaction from the originating IP all the way back to the application. That means starting at the front end and moving back one level at a time, always looking for some way to link entries at one layer to the next. For example, if you have a load balancer changing IP addresses, you’ll want to capture the original IP address and the changed IP address. Then, you can link Web server logs with the changed IP address to the original IP address by going through the load balancer logs.
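As an added example (not code from the article), the following Python script normalizes constructed load balancer SNAT lines and Web access lines into fielded records and links each Web request back to its originating client IP through the SNAT socket, the linking step described above; both log layouts, the host names and the addresses are assumptions made for this example.

```python
"""Trace a Web request back to its true client IP through load balancer
SNAT logs. Added example, not code from the article; both log layouts
below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed load balancer log: one line per forwarded connection, recording
# the real client socket and the SNAT socket that the Web server will see.
LB_LOG = """\
2012-06-01T10:00:01Z lb1 client=203.0.113.7:51234 snat=10.0.0.5:40001 vs=web-pool
2012-06-01T10:00:02Z lb1 client=198.51.100.9:44321 snat=10.0.0.5:40002 vs=web-pool
"""

# Constructed Web server access log (combined-style, with the source port
# appended to the address so the SNAT socket can be matched).
WEB_LOG = """\
10.0.0.5:40001 - - [01/Jun/2012:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.5:40002 - - [01/Jun/2012:10:00:02 +0000] "POST /login HTTP/1.1" 401 87
10.0.0.5:40003 - - [01/Jun/2012:10:00:03 +0000] "GET /health HTTP/1.1" 200 2
"""

LB_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) client=(?P<client>[\d.]+):(?P<cport>\d+) "
    r"snat=(?P<snat>[\d.]+):(?P<sport>\d+)"
)
WEB_RE = re.compile(
    r'^(?P<src>[\d.]+):(?P<sport>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def parse_lb_nat(text: str) -> Dict[Tuple[str, str], str]:
    """Normalize load balancer lines into a (snat_ip, snat_port) -> client_ip map."""
    nat: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = LB_RE.match(line)
        if m:
            nat[(m["snat"], m["sport"])] = m["client"]
    return nat


def parse_web(text: str) -> List[dict]:
    """Normalize Web access lines into records carrying only the fields worth keeping."""
    records = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            records.append({
                "src_ip": m["src"], "src_port": m["sport"], "time": m["ts"],
                "request": m["request"], "status": int(m["status"]),
                "bytes": int(m["bytes"]), "client_ip": None,
            })
    return records


def link_web_to_client(lb_text: str, web_text: str) -> List[dict]:
    """Attach the true client IP to each Web record via the SNAT socket.

    Caveat: SNAT ports are reused over time, so a production rule must also
    bound the match by timestamp; this example assumes one short time window."""
    nat = parse_lb_nat(lb_text)
    records = parse_web(web_text)
    for rec in records:
        rec["client_ip"] = nat.get((rec["src_ip"], rec["src_port"]))
    return records


def unlinked(records: List[dict]) -> List[dict]:
    """Records the load balancer never reported: a gap in log coverage worth alerting on."""
    return [r for r in records if r["client_ip"] is None]


if __name__ == "__main__":
    for rec in link_web_to_client(LB_LOG, WEB_LOG):
        print(rec["client_ip"] or "UNKNOWN", rec["request"], rec["status"])
```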

Depending on your log management strategy, you may want to set a shorter expiration date for application-layer logs than other logs you’re collecting. Most application stacks are going to have their own log management systems, making the SIM a duplicate of what’s already being collected elsewhere. In that case, keep what you need for your reporting, alerting and forensics requirements, but don’t look to your SIM for long-term log archiving if that’s going to mean keeping two (or more) copies of everything in two different systems. Most SIMs have built-in reporting tools that will provide some trending information, but unless there is a specific report for application-type logs, you’re not going to get much useful trend data over the long term. That means there’s no point in saving three years’ worth of application logs if you never go back more than three months in forensics.

WRITING BUSINESS RULES AND ALERTS

A SIM will never know what you want to do with your logs unless you tell it. All SIMs are rule-based, which means rules are going to be the best way to add value to the task of looking at application logs with your SIM.

Writing business rules isn’t the most fun part of this exercise, but it is the one that leverages the power of the SIM best. When you begin feeding application data to the SIM, you’ll want to focus on two fronts: reusing existing rules and writing new ones to leverage new types of data.

If your SIM has parsed and normalized log files properly, then some of your existing rules will probably apply. For example, a login failure on a database server will be caught by the same rules you have looking for login failures on Web servers or firewalls. This is what you want—you want your application log messages to look as close to existing log messages as you can, so any business logic you’ve put into your SIM will apply to new applications.

However, you will probably have other rules that are specific to your applications. Most SIMs can watch for regular expressions in individual log entries, patterns and rates of one type of log entry, and correlation between two (or more) entries. Application logging can take advantage of each of these features.

For example, the MySQL database will log “slow queries,” ones that take more than ten seconds to run. If you get five of these a day, or even 50, that may be normal, but if the rate of these suddenly jumps up, you want to know about it. This is an ideal job for a SIM, which can dig out slow queries from all the other logged messages and let you know when the rate goes above a threshold. Or you may have certain queries that you know will be “slow,” but want to know about any others. That’s a good use for the rule-based engine in a SIM, because the engine should be able to correlate different log messages together to catch the interesting ones.

GLOSSARY

There are a lot of acronyms for the same technology.

Call it what you will: security information management, security event management, or some combination of letters, the difference between SIM, SEM, SEIM, and ESM is marketing.

Security information managers (SIMs) accept security and networking information from multiple sources within the enterprise and analyze it to provide a higher level of understanding. —Joel Snyder

Business rules can be simple if you want to just look for regular expressions. For example, you may want to be alerted whenever certain banned IP addresses try to connect to the application, or if a user with a disabled account tries to log in. And if you want to identify application-layer attacks such as SQL injection, for example, it’s easy to write a handful of rules that look for sequences such as “xp_” in traffic going towards a normal Web server.
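The slow-query rate rule described above, as an added example that is neither the article’s nor any SIM vendor’s code: a small Python rule that parses entries laid out like a MySQL slow query log, fingerprints each query so the reports you already know are slow can be allowlisted, and alerts when the count of unexpected slow queries in a sliding window crosses a threshold. The log content, the user/host values, the window and the threshold are constructed assumptions.

```python
"""Rate rule for MySQL slow-query entries with an allowlist of queries that are
expected to be slow. Added example, not from the article; the log text is
generated below in the shape of a MySQL slow query log and is constructed."""
import re
from typing import Dict, List, Set, Tuple

QUERY_TIME_RE = re.compile(r"^# Query_time: (?P<qt>[\d.]+)")
TIMESTAMP_RE = re.compile(r"^SET timestamp=(?P<ts>\d+);")


def render_slow_log(events: List[Tuple[int, float, str]]) -> str:
    """Emit entries in MySQL slow-log layout from (unix_ts, query_time, sql) tuples.
    User/host and row counts are constructed filler."""
    out = []
    for ts, qt, sql in events:
        out.append("# User@Host: app[app] @ web1 [10.0.0.5]")
        out.append(f"# Query_time: {qt:.3f}  Lock_time: 0.000 Rows_sent: 1  Rows_examined: 250000")
        out.append(f"SET timestamp={ts};")
        out.append(f"{sql};")
    return "\n".join(out) + "\n"


def parse_slow_log(text: str) -> List[Dict]:
    """Turn the multi-line slow log into one normalized record per query."""
    entries: List[Dict] = []
    qt = ts = None
    for line in text.splitlines():
        m = QUERY_TIME_RE.match(line)
        if m:
            qt = float(m["qt"])
            continue
        m = TIMESTAMP_RE.match(line)
        if m:
            ts = int(m["ts"])
            continue
        if line.startswith("#") or not line.strip():
            continue
        # Any other line is the SQL statement that closes the entry.
        if qt is not None and ts is not None:
            entries.append({"ts": ts, "query_time": qt, "sql": line.strip().rstrip(";")})
        qt = ts = None
    return entries


def fingerprint(sql: str) -> str:
    """Strip literals so the same query shape with different values matches one rule."""
    s = re.sub(r"'[^']*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return " ".join(s.lower().split())


def slow_query_alerts(entries: List[Dict], known_slow: Set[str],
                      window: int = 3600, threshold: int = 5) -> List[Dict]:
    """Alert once per burst when more than `threshold` unexpected slow queries
    fall inside any `window` seconds; allowlisted fingerprints are ignored."""
    times = sorted(e["ts"] for e in entries if fingerprint(e["sql"]) not in known_slow)
    alerts: List[Dict] = []
    start, fired = 0, False
    for end, t in enumerate(times):
        while t - times[start] >= window:   # slide the window's left edge
            start += 1
        count = end - start + 1
        if count > threshold and not fired:
            alerts.append({"window_start": times[start], "count": count})
            fired = True
        elif count <= threshold:
            fired = False
    return alerts


# Constructed sample: a known nightly report, a lone slow query, then a burst
# of seven entries 30 seconds apart in which one is the known report again.
KNOWN_SLOW = {fingerprint("SELECT COUNT(*) FROM orders WHERE created < '2012-01-01'")}
SAMPLE_EVENTS = [
    (1338544801, 12.4, "SELECT COUNT(*) FROM orders WHERE created < '2012-01-01'"),
    (1338548500, 11.0, "SELECT * FROM sessions WHERE user_id = 42"),
] + [
    (1338560000 + 30 * i, 15.0 + i,
     "SELECT COUNT(*) FROM orders WHERE created < '2012-05-01'" if i == 3
     else f"SELECT * FROM orders WHERE customer_id = {100 + i}")
    for i in range(7)
]
SAMPLE_LOG = render_slow_log(SAMPLE_EVENTS)


def run_sample() -> List[Dict]:
    return slow_query_alerts(parse_slow_log(SAMPLE_LOG), KNOWN_SLOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['count']} unexpected slow queries since ts {alert['window_start']}")
```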

As you’re writing business rules, don’t forget the value of combining sources of information from outside the application with your application logs. For example, you may already have IDS/IPS events being sent to the SIM. Those can be correlated with logging to filter out problems that have already been solved at the network layer, or to help identify more information about suspicious transactions.

The last step of real-time log analysis is alerting: telling someone or something about whatever you’ve found in the logs. Each deployment will be different, but if your SIM is already installed, you’ll want to try and fit smoothly into the existing alerting strategy. However, you may find network and security teams have a different way of looking at alerts since they are more focused on real-time issues (“something bad is happening right now!”), while application logs are often more useful seen over a longer period of time, such as a day or a week (“here are all the interesting slow queries from last week”). Don’t be afraid to point this out to the team managing the SIM so they don’t get the wrong idea about what’s most important to you.

USING SIM TO HANDLE REPORTING, ARCHIVING AND FORENSICS

Security information management systems can help you with reporting, forensics (looking backward at logs to understand the root cause of problems), and archiving of your application logs. If your application is long-standing, you may already have strategies for all three of these activities. Just because you’re adding a SIM into the mix doesn’t mean you have to change your strategy for long-term log retention. With compliance regimes requiring three to seven years of logs, SIMs and their high-speed databases can be an expensive alternative to a simple log server.

Regardless of whether you’re using the SIM for archiving and forensics, you want to filter logs going to the SIM. For example, many applications can write detailed debugging information as well as normal transaction information in their log files. That debugging information might be useful to the application manager, but not so useful to the SIM. You can filter either by ignoring some events when they arrive at the SIM or by filtering them out before sending from the application to the SIM. Which technique you use depends on your application tools and your SIM, but the best approach, if your SIM supports it, is to filter out at the SIM. This way, you can easily increase the types and level of logs you save at the SIM without having to go back to the application manager and ask them to change anything.

Reporting can be a mixed bag with SIMs when trying to add application logs into the mix. If you are generating your own alert data based on correlation and analysis of logs, then reports on your alerts will be invaluable. However, don’t be disappointed with stock reports. The off-the-shelf SIM reports are likely to be aimed more at security-type events, and may not be adaptable to the kinds of things you want to summarize and count in your application logs.

Adding application log data to your enterprise SIM can bring a wealth of information and give you new insight into what is going right, and wrong, with your enterprise applications. However, SIMs are focused on security and the path to non-security data from application logs can be arduous, involving the SIM vendor and work on your part. A successful integration will take time, but will increase your security and application awareness all at the same time.

Joel Snyder is a senior partner with consulting firm Opus One in Tucson, Ariz. He has worked in IT for more than 25 years. Send comments on this article to [email protected].

Editorial Director: Michael S. Mimoso

Editor: Marcia Savage

Senior Site Editor: Eric Parizo

Senior Managing Editor: Kara Gattine

Director of Online Design: Linda Koury

Columnists: Marcus Ranum, Lee Kushner

Contributing Editors: Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch, David Jacobs, Diana Kelley, Nick Lewis, Kevin McDonald, Gary McGraw, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

User Advisory Board: Rich Mogull, Securosis; Chris Ipsen, State of Nevada; Tony Spinelli, Equifax; Nick Lewis, Saint Louis University; Richard Bejtlich, Mandiant; Seth Bromberger, Energy Sector Consortium; Phil Agcaoili, Cox Communications; Diana Kelley, Security Curve; Mike Chapple, Notre Dame; Mike Hamilton, City of Seattle; Brian Engle, Health and Human Services Commission, Texas; Matthew Todd, Financial Engines

Vice President/Group Publisher: Doug Olender, [email protected]

Associate Publisher: Peter Larkin, [email protected]

TechTarget, 275 Grove Street, Newton, MA 02466

www.techtarget.com

©2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. For permissions information, please contact The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused Web sites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

Cover: Robin Bartholick/Getty Images