Why we keep doing security wrong

Grant Cohoe

Post on 26-Dec-2015



About Me

• System Administrator – RSA (the security division of EMC)

• OpComm Director / Sysadmin / Chairman – Computer Science House @ RIT

• ISTS Team OpComm (“Team Uptime”) – 3rd place 2011, 2nd place 2012

What we do

• Rely on perimeter defenses
• Overlook the most vulnerable
• Treat security as an achievement

PERIMETER DEFENSES

“Shields are up, captain!”

Perimeter Defenses

• Firewalls
• NAT
• Proxies
• IPS

Firewalls

• Host-based
  – Windows Firewall, iptables, pf
  – Drill holes!
  – No one filters outbound traffic

Firewalls

• Network-based
  – Cisco ASA/PIX, Check Point Gateway, etc.
  – Drill fewer holes, but worse ones
• Example: SSH (one permitted port that can tunnel anything)

Firewalls

• Great for the majority of badness
• Won't stop the real badness
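The host-firewall complaint above (holes drilled inbound, nothing filtered outbound) is easy to check mechanically. The following is an added example, not code from the talk: it parses the text that `iptables-save` emits for the IPv4 filter table and reports whether the OUTPUT chain actually restricts anything. Both dumps are constructed for the example; the resolver address 10.0.0.53 and the specific rule set are assumptions, not a recommended policy.

```python
"""Audit an iptables-save dump for unfiltered outbound traffic.

Added example, not from the talk. Handles the *filter table as written by
`iptables-save`; the two dumps below are constructed, not captured.
"""
import re

# Constructed: a typical host that drills inbound holes and leaves
# OUTPUT wide open (policy ACCEPT, no rules at all).
OPEN_EGRESS = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed: the same host with a default-deny OUTPUT chain that only
# allows replies, loopback, DNS to an assumed local resolver, and HTTPS.
FILTERED_EGRESS = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -d 10.0.0.53 --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

POLICY_LINE = re.compile(r":(\S+) (\S+) ")
RULE_LINE = re.compile(r"-A (\S+) (.*)")


def parse_filter_table(dump):
    """Return (chain policies, [(chain, rule text)]) for the *filter table."""
    policies, rules = {}, []
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        m = POLICY_LINE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_LINE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return policies, rules


def egress_findings(dump):
    """List the egress weaknesses a reviewer would flag in the OUTPUT chain."""
    policies, rules = parse_filter_table(dump)
    out_rules = [rule for chain, rule in rules if chain == "OUTPUT"]
    findings = []
    if policies.get("OUTPUT", "ACCEPT") == "ACCEPT":
        findings.append("OUTPUT policy is ACCEPT: any process can reach any host")
    if not out_rules:
        findings.append("OUTPUT chain has no rules: egress is unfiltered")
    for rule in out_rules:
        if rule == "-j ACCEPT":       # unconditional accept, same as policy ACCEPT
            findings.append("OUTPUT has an unconditional ACCEPT rule")
    return findings


if __name__ == "__main__":
    for name, dump in (("open", OPEN_EGRESS), ("filtered", FILTERED_EGRESS)):
        print(name, egress_findings(dump) or ["ok"])
```

Run it against a real `iptables-save` dump by reading the file into `egress_findings`; the same idea applies to `nft list ruleset` or a pf ruleset, only the parser changes.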

NAT

• Non-routable private IP addresses
• No one can get to you directly?
  – WRAUNG!
  – Example: an adjacent router (anyone who can route packets to your private range reaches you; NAT translates, it does not filter)

Proxies

• Traffic interception/filtering
• Not particularly useful
• Hostname vs IP blocking (block a name and the address still works, and vice versa)
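The hostname-vs-IP point can be shown side by side. The following is an added example, not code from the talk: a hostname-only proxy policy next to one that also checks the address the request resolves to, with a constructed resolver table standing in for DNS so it runs offline. The names and networks (evil.example, 203.0.113.0/24, 10.0.0.0/8) are assumptions made up for the example.

```python
"""Hostname-only vs hostname-plus-address proxy blocking.

Added example, not from the talk. The resolver table and blocklists are
constructed; a real proxy would resolve via DNS and load policy from config.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed stand-in for DNS: no network lookups are made.
FAKE_DNS = {
    "evil.example": ["203.0.113.10"],
    "cdn.evil.example": ["203.0.113.10"],   # second name, same server
    "intranet.corp.example": ["10.1.2.3"],
}

BLOCKED_HOSTS = {"evil.example"}
BLOCKED_NETS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]


def resolve(host):
    """Return the addresses a name points at; an IP literal resolves to itself."""
    try:
        return [str(ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def hostname_only_policy(url):
    """The weak policy: decide purely on the hostname in the request."""
    host = urlsplit(url).hostname
    return "deny" if host in BLOCKED_HOSTS else "allow"


def hostname_and_address_policy(url):
    """The stronger policy: deny on the name, then on every address it resolves to."""
    host = urlsplit(url).hostname
    if host in BLOCKED_HOSTS:
        return "deny"
    addresses = resolve(host)
    if not addresses:
        return "deny"                      # fail closed on names that do not resolve
    for addr in addresses:
        if any(ip_address(addr) in net for net in BLOCKED_NETS):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for url in ("http://evil.example/", "http://cdn.evil.example/",
                "http://203.0.113.10/", "http://intranet.corp.example/"):
        print(url, hostname_only_policy(url), hostname_and_address_policy(url))
```

The address check only helps if the proxy applies it to the address it actually connects to: resolve once, check that result, connect to that result. Checking one lookup and connecting on a second lets a name that answers differently each time slip through.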

IPS

• Look for malicious activity and stop it
  – What/who defines “malicious”?

• Signatures often target very specific things

Perimeter Defenses

• Very static
• Bypassable
• Good for the 99%, not for the 1%

OVERLOOK THE MOST VULNERABLE

“No one will ever attack this”

VoIP Phones

• Rely on a trusted network infrastructure
• Do little to no verification of their configuration
• Effectively a bugging device on every desk

Printers

• Rarely segregated onto a dedicated printer network
• Bad software
• No firewalls
• Springboard for a more advanced attack

Home Gateways

• Terrible software

SECURITY IS NOT AN ACHIEVEMENT

“One does not simply become secure”

Achievement

• “Make us secure”

Typical

[Diagram: resource split across Equipment / Monitoring / Response, skewed heavily toward Equipment]

Achievement

• High CapEx– Equipment, infrastructure

• Low resources to monitor– No SOC monkeys, investigators

• Even less to respond– In a crisis, you can’t move

Process

• Continuously monitor and respond to issues

Ideal

[Diagram: resource split across Equipment / Monitoring / Response, roughly balanced]

Process

• Moderate CapEx– Different equipment, infrastructure

• Moderate resources to monitor– 24/7 staffed SOC w/ investigators

• Moderate resources to respond – system management tools, live network mapping, etc.

SECURITY ANALYTICS

Cloud, big data, buzzword, buzzword

Security Analytics

• Real-time holistic intelligence platform
• Gather data from many sources
• Compare against profiles
• Replay entire sessions and content

Security Analytics

• Making available data accessible

Security Analytics

• As things happen, log them
  – Wireshark everything and store it
  – Server logs
  – Active Directory events

• If anything seems weird, analyze it

Profiles

• Old-and-busted approach:
  – Someone is trying to get into Oracle

• New hotness approach:
  – Josh is authenticated to the VPN
  – Jeff is authenticated to AD
  – Nick is trying to get into Oracle
  – i.e. every event is tied to an identity and the context already established for it, not just to a port

Session Replay

• Server access logs tell you when something happened

• Full packet capture lets you replay the traffic in Wireshark
• Get the badness into a secured environment
• Poke at it

Security Analytics

• Analysis and response in minutes– Rather than days

Summary

• Don’t rely solely on perimeter defenses
• Don’t overlook anything, no matter how small
• Security is a process, not an achievement
• Security analytics should be a thing

Contact

• Web: http://grantcohoe.com
• Twitter: @grantcohoe