Wednesday, December 20, 2017
Smart Home / IoT, Threat & Vulnerability Management (TVM) & B2C Delineation for Vendors
As the smart home becomes a reality (https://www.theverge.com/2017/12/20/16799918/homekit-vulnerability-details), so does the need to monitor & patch said smart home.
But who, from a vendor standpoint, will own that market / responsibility (ISPs, utilities, alarm / physical security firms, AV software vendors, or separate vendors such as Amazon / Apple / Google / Staples / Geek Squad, B2C MSSPs / SOCs)?
The answer will vary depending on the jurisdiction / age of the house, though this wrestling match is sure to come.
So, wait & see how this shakes out, because change is coming for sure.
Thursday, October 26, 2017
Are mobile app reputation services (MARS) legit?
Should enterprises invest in mobile security solutions explicitly for ranking the trust model of some apps?
It depends on what your use cases, requirements, user base, & relevant jurisdictions are. However, most orgs should not need a MARS solution as MDM, MAM, & even MTD should be able to handle most threats.
Monday, October 16, 2017
InfoSec Leadership: Initiative = Enablement
Many CISOs & senior InfoSec leaders catch heat for slowing down processes or saying no to new initiatives due to risk.
However, when InfoSec leadership takes the initiative, embeds SMEs into other teams (at least part time), & partners with the business, then enablement will happen, as InfoSec has assisted in the design from the grassroots level.
Now, shadow IT will most certainly always be around, & projects / business lines need to be agile, but collaboration is possible by being proactive.
Labels:
agile,
CISO,
enablement,
grassroots,
initiative,
leadership,
risk
Wednesday, September 27, 2017
Equifax: Case Study in Poor Leadership
The former CISO of Equifax has been criticized for her lack of a STEM academic background but, forgetting anyone's college major(s), the real issue here is the leadership deficiency blatantly running up and down Equifax's management team.
https://www.wired.com/story/equifax-breach-response/
Wired paints a grim picture of Equifax's team, and response, as the article should. At the end of the day, no one wanted to fall on their sword, and now they all are. Reminiscent of the movie Margin Call, executives want to survive to fight another day, but there are ways to do things in the business world and Equifax did anything but that.
Labels:
CISO,
Equifax,
leadership,
Margin Call,
STEM,
Wired
Sunday, September 17, 2017
Your Third-Party Security Review Process is a Mess
Regardless of the control framework and / or process you utilize, most third-party review processes are poorly designed & inefficient.
On top of that, most orgs ask their vendors to maintain a level of security that said orgs can't follow themselves.
Amidst the Equifax breach, orgs will look to add more rigor to their third-party review process, though few, if any, continuously monitor the security of their business ecosystem.
Instead of spending cycles completing matrices / spreadsheets, firms should invest in the following:
- A vulnerability scan / penetration test (of limited scope) before any legal documents are executed.
- A remediation plan for the findings, agreed upon by both parties before signing.
- A continuous monitoring / assessment agreement to ensure governance during the course of the contractual agreement.
- Recurring audits / spot checks on the security governance established / expected.
Tuesday, August 22, 2017
CASE STUDY: Security in Theory versus Security in Practice
Yesterday evening, as I approached my vehicle after a long (Mon)day with dry cleaning in one hand and my laptop bag in the other, I realized that my rear, driver-side tire was as flat as a pancake / crêpe. Fun times, especially since I parked on an incline!
After jacking up that side of the vehicle, and wrestling with the lug nuts, I was introduced to what I now know (thank you Google) is a security lock nut. Yes, I am mechanically challenged!
After being unable to find anything in my vehicle that resembled a tool capable of removing said physical security safeguard, I called the dealership. Well, said nut (and the ability to remove it) is like a laser key, which is customized to each particular vehicle! Thankfully, a repair shop was across the street.
Research and interviews (e.g., my Lyft driver that evening, blogs) have shown that many drivers have lost or never received the tool(s) to remove a security lock nut, and therefore multiple individuals (such as myself) now ask: why? The answer is that this nut is a physical safeguard to negate stolen tires / rims / wheels. However, flat tires happen and people lose stuff.
So, learn from my experience. Before introducing the next great physical / logical / digital safeguard, think practically and verify whether or not that control is useful in practice / the field. Be pragmatic and kick the proverbial tires!
Thursday, August 17, 2017
Orchestration is Great, But is it Secure?
DevOps / DevSecOps are all the current rage, and that is great, but how secure is your environment?
Chef, Puppet, and others offer automation and orchestration, but have those environments been secured from an IAM, TVM, and architectural perspective? While these solutions offer security add-ons, a secure design that incorporates the right controls from the get-go will help dramatically.
Saturday, August 12, 2017
Process Governance & InfoSec / AppSec
Many shops spend an enormous amount of money on security solutions, external consultants, etc. only to have all that spend negated by poor processes.
It is the year 2017 and we continue to see orgs lacking the most basic processes (e.g., CAB, PMO / SDLC / DevOps, SCM). All of the resources in the world will not provide an adequate level of protection against poor processes.
Tuesday, August 8, 2017
Enough Policy Exceptions Already
So many organizations struggle with policy exceptions. While exceptions are a reality, the prevalence of them leads one to believe that risk management is not quite working.
While organizations try to pivot from risk to compliance focal points to enforce adherence to security / privacy best practices, the reality is that most entities are not agile, and they also lack the resources to migrate from legacy workflows to secure processes and systems.
While the cloud and ITO / BPO of the past have promised more agility, many orgs leverage traditional internal models due to cost constraints.
GRC, risk management, and IT audit professionals have a legit argument to focus on policies, standards, and guidelines; however, for orgs to be and remain secure these days, an offensive, proactive model is more of a necessity.
Wednesday, July 19, 2017
Test Your "Active Shooter" Response
Outside of your physical security response, BCP / DRP planning should also be involved.
Don't forget about training / SETA resources too.
Wednesday, July 12, 2017
Does MBaaS Equate to Vendor Lock-in?
Sounds like it. Another question would be whether or not to redesign old solutions (e.g., Python, Twisted, etc.) to embrace this new era.....
The InfoSec value-add of using an MBaaS like AWS's (https://aws.amazon.com/answers/mobile/aws-mobile-app-backend/) would certainly be enhanced IAM / IdM (one would think, at least). So, would that juice justify the squeeze? TBD....
Wednesday, June 28, 2017
Test Your Backups, Test Your Incident Response Plan, Test Your Business Ecosystem
Amidst all of the ransomware attacks, it is evident that organizations need to accept that it is not a question of if they will be subject to such threats, but when.
Tabletop testing is certainly necessary, though more comprehensive testing would be prudent as well.
Wednesday, May 31, 2017
Derivatives of Blockchain
Holochains (http://ceptr.org/projects/holochain) and other derivatives are making their way into this new ecosystem.
It seems that IoMT and other tech that requires firmware to have a high level of integrity are the best use cases.
Thursday, May 18, 2017
Duel of Cloud Silver Bullets: Aporeto vs RedLock
Both are flush w/ cash & both have stormed outta the gate for cloud security.
The question is who their customer is. Many orgs have existing InfoSec investments that could be extended to the cloud via virtual appliances. So, unless cloud service providers (CSPs) bundle these solutions in, I would think that large, Fortune 1000 companies wouldn't be early adopters.
TBD....
Monday, May 15, 2017
Ransomware & Incident Response: Thoughts from WannaCry, WannaCry2, & WannaCrypt0r
Lots of content has been created for detecting & dealing with ransomware; however, these past few days have seen a flurry of different attacks & thus require some specific after-action reports (AAR).
So, here are some observations / thoughts / notes:
- Many orgs do not have the budget to ward off ransomware, including:
  - Advanced threat protection (ATP) via EDR, UBA / UEBA, UTM / NGFW / NGIPS / NGIDS
  - Virtualization to segment legacy tech: SDN, SDS, hyperconvergence
  - SIEM & TI
- SETA & CSIRT awareness notifications were slow & ineffective
- Close the patching gap....no more excuses
- We'll see this level of pandemic / infestation again...this is just a start.
So, folks will see this level of attack again & its up to them to be proactive & respond accordingly.
Labels:
ATP,
CSIRT,
EDR,
infestation,
NGFW,
NGIDS,
NGIPS,
pandemic,
ransomware,
SDN,
SDS,
SETA,
UBA,
UEBA,
UTM,
virtualization,
wannacry,
wannacry2,
wannacrypto
Monday, May 8, 2017
CISO Leadership Academy is Coming Soon
Watch out for the CISO Leadership Program, which will formally start this June....
Saturday, April 22, 2017
OODA Framework for TI / DFIR / CSIR Process Engineering
The OODA Loop (https://en.wikipedia.org/wiki/OODA_loop) can be used to develop workflows for TI / DFIR / CSIR, including leveraging threat intelligence management platform (TIMP) implementations, like MineMeld (https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld).
Friday, April 7, 2017
Offensive Security vs. Enhanced (Defensive) Security
Offensive / obfuscation tools and techniques (e.g., honeypots, bastion hosts, anti-reconnaissance such as Microsoft NetCease) have been gaining more attention of late.
So, while next-generation (defensive) security tools and techniques (e.g., behavioral analytics: UBA / UEBA via Cisco StealthWatch, binary sandboxing, advanced threat protection: ATP) are all the rage, InfoSec leadership will have to address prioritization for budgets and bodies.
Said prioritization may be assisted by identifying the defense-in-depth posture, as well as the threat environment.
Tuesday, March 21, 2017
Cybersecurity & Strategic Planning
Senior leadership in InfoSec functions need to perform annual strategic planning with budgets, staffing plans, project planning, etc. However, this activity should not take a considerable amount of time. Suggested timelines include one hundred and fifty (150) hours of aggregate effort.
Should strategic planning require more time, an observation has been that a re-org / redesign may be required. Said changes should focus on clarity with respect to roles & responsibilities, reporting structures, procurement / solution requirements, operational work streams, P&L, and vendor mgmt. Furthermore, strategic planning activities should include both grassroots and top-down involvement.
Sunday, March 19, 2017
Digital Signatures Are Worthless Without Compensating Controls
Many orgs leverage crypto to verify software / firmware / patches / updates; however, many do not leverage integrity safeguards on the versioning of those platforms. A valid signature only proves the package came from the signer, not that it is the current, expected build: an older, validly signed (and vulnerable) version can be replayed and will verify just fine.
Version checks (e.g., refusing to install anything older than what is already installed), checksums of the installed image, and other compensating controls should be used alongside signature verification to ensure the integrity of the platform in question. Together, such methods negate the rogue installation of software / firmware that is signed but is not what the platform should be running.
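As an added example (not code from the original post), the point above in Python: a device-side installer that verifies the update signature and then enforces the compensating controls the post calls for, a monotonic version check plus checksums of both the delivered image and the already-installed one. The standard library has no asymmetric signatures, so an HMAC over the manifest stands in for the vendor's signature; the key, version numbers, image bytes and exception names are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed: this key stands in for the vendor's private signing key. The stdlib
# has no asymmetric signatures, so an HMAC over the manifest plays the signature's
# role; every check below works the same way with a real RSA / ECDSA signature.
SIGNING_KEY = b"vendor-signing-key-example-only"


class SignatureError(Exception):
    pass


class ChecksumError(Exception):
    pass


class RollbackError(Exception):
    pass


def _canonical(manifest: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash exactly the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, manifest: dict) -> str:
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def build_update(key: bytes, version: int, image: bytes) -> dict:
    """Vendor side: the signed manifest binds a version number to the image digest."""
    manifest = {"version": version, "image_sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(key, manifest), "image": image}


def signature_valid(update: dict, key: bytes) -> bool:
    expected = sign_manifest(key, update["manifest"])
    return hmac.compare_digest(expected, update["signature"])


def make_state(version: int, image: bytes) -> dict:
    """Device-side record of what is installed: version plus a checksum of the image."""
    return {"version": version, "image": image, "image_sha256": hashlib.sha256(image).hexdigest()}


def verify_and_install(update: dict, key: bytes, state: dict) -> dict:
    """Each check blocks an attack the previous ones let through:
    1. signature  -> forged or unsigned update
    2. checksum   -> image swapped after the manifest was signed
    3. version    -> replay of an older, validly signed (vulnerable) build
    4. state      -> installed image tampered with since the last install
    """
    if not signature_valid(update, key):
        raise SignatureError("manifest signature does not verify")
    manifest = update["manifest"]
    if hashlib.sha256(update["image"]).hexdigest() != manifest["image_sha256"]:
        raise ChecksumError("image digest does not match the signed manifest")
    if manifest["version"] <= state["version"]:
        raise RollbackError(f"version {manifest['version']} is not newer than installed {state['version']}")
    if hashlib.sha256(state["image"]).hexdigest() != state["image_sha256"]:
        raise ChecksumError("installed image no longer matches its recorded checksum")
    return make_state(manifest["version"], update["image"])


def try_install(update: dict, key: bytes, state: dict):
    """Report the outcome name instead of raising; returns (outcome, resulting state)."""
    try:
        return "installed", verify_and_install(update, key, state)
    except (SignatureError, ChecksumError, RollbackError) as exc:
        return type(exc).__name__, state


if __name__ == "__main__":
    state = make_state(1, b"firmware-v1")  # constructed device state
    outcome, state = try_install(build_update(SIGNING_KEY, 2, b"firmware-v2"), SIGNING_KEY, state)
    print(outcome, state["version"])
    # A replayed v1 package is still validly signed; only the version check rejects it.
    print(try_install(build_update(SIGNING_KEY, 1, b"firmware-v1"), SIGNING_KEY, state)[0])
```

The order of the checks matters in practice: the signature is verified before anything else is parsed or trusted, and the version comparison runs against state the device itself recorded, not against anything inside the (attacker-supplied) package.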
Monday, March 6, 2017
Ransomware Response: A Service Continuity Challenge
While many security solutions (e.g., CASB, ATP, MTD, DMARC/SPF, EDR) look to catch malware / ransomware threats before they are experienced, isn't the response to a ransomware incident a service continuity challenge?
With proper RPO terms, as well as tested BCP/DR procedures, ransomware response should be relatively painless. The real concern is your ecosystem, as many third parties won't have the same governance regarding BCP/DR as a large enterprise.
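Both this post and the June "Test Your Backups, Test Your Incident Response Plan, Test Your Business Ecosystem" post above say to test the backups and the RPO rather than trust them. The following is an added example, not code from the original posts: it creates a small data set in a scratch directory, archives it with a SHA-256 manifest, restores it into a separate scratch directory and compares every file to the manifest, then simulates silent corruption of the archive and shows the restore test catching what a tar listing would not; a last helper checks the age of the most recent good backup against an RPO. Paths, file contents, the backup timestamp and the 4-hour / 1-hour RPOs are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src and return a manifest {relative path: sha256} taken from the live data.
    Keep the manifest apart from the archive so damage to one cannot hide in the other."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> list:
    """Actually restore into a scratch directory and compare every file to the manifest.
    Returns a list of problems; an empty list means the backup is restorable and intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects traversal etc. (3.12+ and backports)
            except TypeError:                           # older Python without the extraction filter
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return problems


def rpo_met(last_good_backup: datetime, now: datetime, rpo: timedelta) -> bool:
    """Recovery point objective: restoring the last good backup must lose no more than rpo of data."""
    return now - last_good_backup <= rpo


def corrupt_archive(archive: Path, old: bytes, new: bytes) -> None:
    """Test fixture simulating silent bit rot: overwrite file content inside the uncompressed tar.
    tar headers checksum only themselves, so extraction alone will not notice this."""
    data = archive.read_bytes()
    assert len(old) == len(new) and old in data
    archive.write_bytes(data.replace(old, new, 1))


def demo() -> dict:
    """Constructed scenario: back up two files, verify, corrupt the archive, verify again, check RPOs."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("restore me\n")
        archive = Path(work, "backup.tar")
        manifest = create_backup(src, archive)
        clean = restore_and_verify(archive, manifest)
        corrupt_archive(archive, b"1,100\n", b"1,999\n")
        dirty = restore_and_verify(archive, manifest)
    taken = datetime(2017, 6, 28, 2, 0, tzinfo=timezone.utc)  # constructed backup timestamp
    now = taken + timedelta(hours=3)
    return {
        "clean": clean,
        "dirty": dirty,
        "rpo_4h_met": rpo_met(taken, now, timedelta(hours=4)),
        "rpo_1h_met": rpo_met(taken, now, timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo())
```

The restore goes into a directory the production system never reads, which is the same discipline a real restore test should follow: restore to an isolated host, compare against a manifest taken at backup time, and only then count the backup as good for RPO purposes.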
Tuesday, February 7, 2017
Vetting Security Policies
There always seems to be a considerable gap between policy development and execution.
This often stems from a delineation between the org that develops versus audits said policies.
Beyond administrative controls, many companies are now deploying security solutions (e.g., DLP, CASB, EMM/MDM, MAM, IAM/IDM, DMARC/SPF, ATP) w/ policy engines. To implement either admin and/or technical safeguards and not validate their utilization is a noticeable risk.
Wednesday, January 25, 2017
Focus First on Mobile Threat Defense (MTD) or Endpoint Detection & Response (EDR)
A reality of corporate life is economics, defined as the allocation of scarce resources. So, with finite budgets, what is an IT shop to do regarding malware protection outside of the data center?
While the prevailing opinion is that traditional anti-virus (AV) no longer works for contemporary threats, and given that mobile device management does not handle malware, EDR stands as the apparent silver bullet. However, most EDR solutions do not extend to the mobile space, and because of that an MTD may be the better investment to embark on first for a distributed enterprise.
Additional decision points include: industry, allowance of local admin rights, how distributed is the enterprise, usage of local drives vs EDM / ECM (e.g., SharePoint, network file shares), and the global network topology.
Labels:
AV,
data center,
ECM,
EDM,
EDR,
file shares,
MTD,
network topology,
SharePoint,
T
Sunday, January 22, 2017
HIDS vs ATP vs Sysmon(d) vs EDR
While contemporary analysis shows that traditional anti-virus is becoming less and less useful, the question then becomes what next?
Well, for endpoints EDR makes sense, but what about server systems?
The answer depends on the industry & the threats present to those server systems. With that said, Sysmon(d) should be the lowest common denominator, with advanced threat protection (ATP) added for good measure when an organization has a (relatively) flat network.
If an organization has not invested in EDR & ATP, & faces an elevated level of risk, then a host-based intrusion detection system (HIDS) would be needed.
Tuesday, January 17, 2017
App Delivery Controller (ADC) vs Load Balancer
ADCs are load balancers on steroids (SSL/TLS offloading, compression / bandwidth optimization, WAF, reverse proxy, DDoS protections), while a plain load balancer only distributes connections across a pool (e.g., round robin).
For cloud-based apps, elastic load balancers (ELB) may be consumed as a dedicated service (along with separate services for WAF and reverse proxy), while on-premise Web apps should leverage an ADC for consistency & economy-of-scale reasons.
Labels:
ADC,
bandwidth,
Cloud,
compression,
DDoS,
ELB,
reverse proxy,
SSL,
WAF
Sunday, January 15, 2017
How Many Threat Intelligence (TI) Feeds Are Enough?
MSSPs aside (as they can more easily achieve economies of scale), how many TI feeds should an internal SOC leverage?
Well, that depends on the quality of information. With that said, several open source & commercial / subscription feeds would not hurt for cross-reference purposes.
Here are some feeds worthy of consideration:
- US-CERT
- CTIN
- Optiv
- Facebook ThreatExchange
- CrowdStrike
- AlienVault
- SSLBL
- ZeuS Tracker
- Palevo Tracker
- Malc0de
- Binary Defense Systems
- Carbon Black / Bit9
- ThreatQuotient
- Anomali / ThreatStream
- ThreatConnect
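As an added example that is not part of the original post, a small cross-reference of several feeds in Python: three constructed feed snippets in different shapes (a plain list with comments, a CSV with a confidence column, a mixed-case domain list) are normalized, an allowlist drops known-good infrastructure that feeds tend to carry as noise, each indicator is scored by how many feeds corroborate it, and the result is run over a few constructed firewall / DNS log lines so that a single-feed hit can be triaged below a three-feed one. Feed names, indicators (RFC 5737 documentation addresses, .example domains) and log lines are all made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample feeds in three common shapes (not real feed content):
# a plain list with comments, a CSV with a confidence column, a mixed-case domain list.
FEEDS = {
    "feed_a": "# constructed feed A: one IP per line\n198.51.100.23\n203.0.113.7\n192.0.2.55\n",
    "feed_b": "indicator,type,confidence\n198.51.100.23,ip,90\nbad-updates.example,domain,80\n203.0.113.7,ip,40\n",
    "feed_c": "# constructed feed C\n198.51.100.23\nBAD-UPDATES.EXAMPLE\ncdn.example\n",
}

# Known-good infrastructure that feeds tend to carry as noise (constructed).
ALLOWLIST = {"cdn.example"}

# Constructed firewall / DNS log lines to run the corroborated set over.
SAMPLE_LOGS = [
    "2017-05-14T10:02:11Z fw src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2017-05-14T10:02:12Z dns client=10.0.0.9 query=bad-updates.example",
    "2017-05-14T10:02:13Z fw src=10.0.0.5 dst=192.0.2.55 action=allow",
    "2017-05-14T10:02:14Z fw src=10.0.0.7 dst=10.0.0.8 action=allow",
]


def normalize(token: str):
    """Return (indicator, kind) or None. IPs are canonicalised, domains lower-cased."""
    token = token.strip().strip('"')
    if not token or token.startswith("#"):
        return None
    try:
        return str(ipaddress.ip_address(token)), "ip"
    except ValueError:
        pass
    if "." in token and " " not in token:
        return token.lower().rstrip("."), "domain"
    return None


def parse_feed(text: str) -> set:
    """First column of each line, whatever the delimiter; CSV header and comments skipped."""
    indicators = set()
    for line in text.splitlines():
        if line.lower().startswith("indicator,"):
            continue
        norm = normalize(line.split(",")[0])
        if norm:
            indicators.add(norm[0])
    return indicators


def cross_reference(feeds: dict) -> dict:
    """indicator -> sorted names of the feeds that list it, allowlisted entries dropped."""
    seen = defaultdict(set)
    for name, text in feeds.items():
        for indicator in parse_feed(text):
            if indicator not in ALLOWLIST:
                seen[indicator].add(name)
    return {indicator: sorted(names) for indicator, names in seen.items()}


def prioritize(corr: dict, min_sources: int = 2) -> list:
    """Indicators corroborated by at least min_sources feeds, most-corroborated first."""
    ranked = [(ind, len(names)) for ind, names in corr.items() if len(names) >= min_sources]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def match_events(corr: dict, log_lines) -> list:
    """Each hit carries its source count so a one-feed match is triaged below a three-feed one."""
    hits = []
    for line in log_lines:
        for field in line.replace("=", " ").split():
            norm = normalize(field)
            if norm and norm[0] in corr:
                hits.append((norm[0], len(corr[norm[0]]), line))
    return hits


if __name__ == "__main__":
    corroborated = cross_reference(FEEDS)
    for indicator, count in prioritize(corroborated):
        print(f"{count} feeds: {indicator}")
    for indicator, count, line in match_events(corroborated, SAMPLE_LOGS):
        print(f"[{count}] {indicator} <- {line}")
```

The source count is the cheap proxy for the "quality of information" the post mentions: an indicator that three independent feeds agree on deserves a different response than one a single feed published, and the allowlist keeps the SOC from blocking its own CDN because a feed scraped it.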
Labels:
commercial,
MSSP,
open source,
SIEM,
SOC,
threat intelligence,
TI,
US-CERT
Monday, January 9, 2017
ICSA, UL, CC....oh my! Do product certs mean anything?
Many certified pros (e.g., ISC2 holders) will know Common Criteria (CC, ISO/IEC 15408), which is used in U.S. federal govt procurement, but ICSA Labs (Verizon) & UL (Underwriters Laboratories) provide CC-like product ratings too.
Who cares? Well, these certs can serve as a benchmark, though many products that have achieved certification & accreditation (C&A) ratings have still been found to have backdoors. So, they're imperfect, but better than nothing.
RASP or No RASP
Many orgs these days, especially regulated ones (and most are regulated), use some type of dynamic application security testing tool (DAST: Qualys, Acunetix, WhiteHat) for Web application security.
With that said, fewer use edge protection solutions (e.g., WAF, DDoS mitigation) to "Band-Aid" findings, and fewer still use static analyzers (SAST: Checkmarx, HPE Fortify, IBM AppScan) to find problems before code goes to QA or into production.
So, a while back firms like Prevoty & HPE (& others now, like Immunio) launched runtime application self-protection (RASP) solutions to further protect Java & .NET applications. But what about Perl, Python, MEAN, LAMP, etc.?
That's where an argument against RASP comes in. At the end of the day, a solid secure development lifecycle (SDL) and existing investments should help negate the need for RASP. Though many orgs struggle to fix legacy bugs at all, let alone within an acceptable remediation window.
Therefore, RASP or no RASP depends solely on the technology stack & time to remediate.
IoT Architectures & Solution Providers
As IoT gains steam towards critical mass & orgs look to embrace it, mgmt. must ask how to deploy it properly (e.g., design patterns: http://www.internet-of-things-research.eu/pdf/Converging_Technologies_for_Smart_Environments_and_Integrated_Ecosystems_IERC_Book_Open_Access_2013.pdf) & whom to leverage for SME-based services.
Amazon, Microsoft, & Cisco (among others) have now rolled out IoT mgmt. svcs; so, who to use?
Well, if an org has a considerable investment in one of these providers, then go ahead & continue on. But if not, the question becomes whom to leverage for authentication. If an org has Cisco ISE deployed already, then leverage that. Otherwise, stay with a cloud solution.
Labels:
Amazon,
authentication,
Cisco,
Cloud,
IIoT,
IoT,
ISE,
Microsoft,
service providers,
SME
Thursday, January 5, 2017
Integrated Crypto (e.g., TDE, DDM) vs Enterprise Crypto / PKI
While it may be convenient to deploy integrated crypto solutions for sensitive data stores (e.g., PII, ePHI, PCI data) via TDE / DDM, more and more data leaves local databases and / or data stores & goes to the cloud. TDE only protects data at rest inside the one database (any authorized query gets plaintext back), and DDM only masks query results; neither protection follows the data once it is exported.
This is where an enterprise crypto / PKI (key management) solution will help organizations. With a holistic solution, a tokenized or encrypted sensitive data element can proliferate / travel through the cloud or within an enterprise while still protected, because the keys (or the token vault) stay under enterprise control.
While expensive, highly visible, and risky, these endeavors will truly protect an organization from data breach / loss, etc.
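As an added example (not code from the original post), a vault-style tokenization service in Python that shows what the post means by a protected element travelling: sensitive fields are replaced by random tokens before a record leaves the controlled zone, the token-to-value map stays in the vault, and only a caller with the right role can detokenize. A keyed fingerprint makes equal inputs map to the same token, so joins and counts still work wherever the record ends up. The vault here is an in-memory dict (in practice its contents sit encrypted under the enterprise key management / HSM); the index key, the role name, the record schema and the sample values are constructed.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Token -> plaintext map that stays inside the controlled zone. A token is a random
    surrogate: without the vault nothing about the original value can be recovered from it."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed fingerprint: equal inputs -> one token, no plaintext index
        self._by_token = {}           # assumed: in production an encrypted store under enterprise KMS / HSM
        self._by_fingerprint = {}

    def tokenize(self, value: str) -> str:
        fingerprint = hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()
        token = self._by_fingerprint.get(fingerprint)
        if token is None:
            token = "tok_" + secrets.token_hex(8)   # unrelated to the value, unlike a ciphertext
            self._by_fingerprint[fingerprint] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str, roles: set) -> str:
        """The only road back to plaintext; the check lives here, not in every consuming app."""
        if "pii-reader" not in roles:   # assumed role name
            raise PermissionError("detokenization requires the pii-reader role")
        return self._by_token[token]


SENSITIVE_FIELDS = ("ssn", "email")   # assumed record schema


def export_record(record: dict, vault: TokenVault) -> dict:
    """Swap sensitive fields for tokens before the record leaves the data store (e.g., to cloud analytics)."""
    exported = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in exported:
            exported[field] = vault.tokenize(str(exported[field]))
    return exported


def leaks_plaintext(exported: dict, original: dict) -> bool:
    """True if any original sensitive value is still visible anywhere in the exported record."""
    blob = " ".join(str(v) for v in exported.values())
    return any(str(original[f]) in blob for f in SENSITIVE_FIELDS if f in original)


def can_detokenize(vault: TokenVault, token: str, roles: set) -> bool:
    try:
        vault.detokenize(token, roles)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault(b"index-key-example-only")  # constructed key
    record = {"id": 7, "ssn": "123-45-6789", "email": "jane@example.com", "plan": "gold"}  # constructed
    out = export_record(record, vault)
    print(out)                                       # tokens in place of SSN / email
    print(vault.detokenize(out["ssn"], {"pii-reader"}))
```

The contrast with TDE is the point: a TDE-protected column is plaintext to whatever queries it and stays plaintext in every export, whereas the exported record above carries nothing a cloud analytics team, or an attacker who steals it from the cloud, can turn back into the SSN without access to the vault.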
Tuesday, January 3, 2017
Why Enterprise DLP Solutions Will Go Away
Large, traditional, enterprise DLP deployments will go away as organizations look to leverage multiple, integrated DLP solutions. The reasons for this include:
- A focus on cloud & mobile solutions, & a migration away from on premise
- Consolidation of vendor solution capabilities (e.g., CASB, DLP, DCAP, RMS, DMARC, SPF)
- Portable / interoperable policies / rules (e.g., SCAP, CTP)
- A focus on agile deployments
- Cost / economies of scale
With that said, the real question is what else will be migrated away from on premise?
Labels:
CASB,
CTP,
DCAP,
DLP,
DMARC,
enterprise,
integrated,
RMS,
SCAP,
SPF