Wednesday, March 7, 2012

Treating the symptom

Today in the car I heard a credit card debt consolidation commercial that sort of drove me crazy. While there is a place for those companies, the last line got to me - “If credit card debt is the problem, we are the solution.” Heads up there high speed - the real problem is you can't stop buying stuff you can't afford! Your credit card debt is just the visible symptom. Treating the symptom instead of the problem only lands you back in the same spot. This goes hand in hand with the diet pills that basically say take this magical pill to lose weight and you don't even have to change your daily habits...like overeating and getting no exercise...which is what got you where you are.

You can see this same mentality in the InfoSec space. While breaches and infections occur for any number of reasons, how many security tools are bought to address symptoms of the problem rather than to actually fix basic things like secure coding, segregation/separation of data and duties, any/any rules on firewalls, etc., and get in front of issues? Of course the other challenge is buying tools that are then not staffed. That isn't usually the fault of the rank and file, but for goodness sakes, when you go to buy something at least do a bake-off or make the vendor let you kick the tires a bit. We rush off to buy the latest and greatest with a one-and-done mentality and look back after a year and say “Damn tool didn't work.” Strangely, that is a linear cause-and-effect model that often repeats itself.

So how do you make a change? Well, in my LM/SIEM mind you can start off small, but at least start monitoring SOMETHING on a regular basis. It almost doesn't even matter what it is or how often you do it. OK, not really, but if you were to look at a daily, weekly, or monthly report where items are grouped, counted, and sorted in descending order, you could at least address the top 1, 5, or 10 items and start cleaning things up or filtering them out of the report if they are 'false positives.' What sort of things? Depends on what is hot, what is needed, where your shop is maturity-wise, etc., but some things that come to mind are:
  • Failed logins grouped by username but also list counts by systems where they happened
  • Failed logins where the list is just privileged/system/task accounts – more operations oriented but hey it is a start and can make a difference when team X can't understand why something isn't working...
  • Outbound drops (big one)
  • Inbound destinations with firewall accepts for ports other than 80 and 443
  • Top sources/destinations with internal to internal drops – the report will show different things depending on if you use source or destination.
  • Top internal to internal sources for 445 – high numbers will likely be legit and you can quickly weed them out, or they are worms
  • Top internal to external sources over port 25 – like above, your top sources will quickly be IDed as legit email servers or popped machines
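Here is what those "group, count, sort descending" reports look like as code. This is an added example, not from the original post or any LM/SIEM product: it assumes a simple key=value log format and a 10.0.0.0/8 internal range, both constructed for the example, and builds the failed-login, outbound-drop, inbound-non-web and internal-445 reports from the list above.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed sample lines in an assumed key=value format (not any vendor's real format).
SAMPLE_LOGS = """\
type=auth result=fail user=jsmith host=web01
type=auth result=fail user=jsmith host=web02
type=auth result=fail user=svc_backup host=db01
type=auth result=fail user=jsmith host=web01
type=auth result=ok user=jsmith host=web01
type=fw action=drop src=10.1.1.5 dst=203.0.113.9 dport=6667
type=fw action=drop src=10.1.1.5 dst=198.51.100.2 dport=6667
type=fw action=drop src=10.1.2.8 dst=203.0.113.9 dport=443
type=fw action=accept src=10.1.1.5 dst=10.1.3.20 dport=445
type=fw action=accept src=10.1.1.5 dst=10.1.3.21 dport=445
type=fw action=accept src=10.1.9.9 dst=10.1.3.22 dport=445
type=fw action=accept src=198.51.100.7 dst=10.1.0.4 dport=22
type=fw action=accept src=198.51.100.8 dst=10.1.0.5 dport=443
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

def parse(text):  # one dict of fields per non-empty line; tokens without '=' are ignored
    return [dict(t.split("=", 1) for t in line.split() if "=" in t)
            for line in text.splitlines() if line.strip()]
def internal(ip):  # malformed or missing addresses are treated as not internal
    try:
        return ipaddress.ip_address(ip) in INTERNAL
    except ValueError:
        return False
external = lambda ip: not internal(ip)  # predicate for the report filters
def failed_logins_by_user(events, n=5):
    # top-N users by failed logins, each with the count per system where they happened
    users, hosts = Counter(), defaultdict(Counter)
    for e in events:
        if e.get("type") == "auth" and e.get("result") == "fail":
            users[e["user"]] += 1
            hosts[e["user"]][e["host"]] += 1
    return [(u, c, dict(hosts[u])) for u, c in users.most_common(n)]
def top_fw(events, key, n=5, **match):
    # group firewall events matching every field in `match` (literal or predicate) by `key`
    hit = lambda e: all(v(e.get(k, "")) if callable(v) else e.get(k) == v for k, v in match.items())
    return Counter(e[key] for e in events if e.get("type") == "fw" and hit(e)).most_common(n)
def run_reports(text):
    ev = parse(text)
    return {
        "failed_logins": failed_logins_by_user(ev),
        "outbound_drops": top_fw(ev, "src", action="drop", src=internal, dst=external),
        "inbound_non_web": top_fw(ev, "dst", action="accept", src=external, dport=lambda p: p not in ("80", "443")),
        "int_to_int_445": top_fw(ev, "src", action="accept", src=internal, dst=internal, dport="445"),
    }
```

Each report is a short descending list, so the top few entries are the ones to whitelist as known-good or to go look at.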

The list above isn't an end-all, be-all, but for those struggling or needing to get started...it is a start. The point is to get you familiar with your network, start to identify and whitelist some legit systems, establish somewhat of a baseline, and then start to address issues. While funny, we have to move away from:

  1. Install LM and/or SIEM
  2. ????
  3. Profit
