
weaving security blankets without further ado the stage is yours thank you all so I'm Max zazowskis um this is my first talk as you've heard uh before I start has anybody heard of the old podcast the Liquid Matrix Security Podcast so there used to be this podcast called the Liquid Matrix Security Podcast and a while ago they were complaining that you know everybody was talking in the ecosystem everybody who's uh in the echo chamber right and so I took that as a call to actually do my own podcast uh called the insecurity podcast which is to reach out of the echo chamber and and get people who have uh who are interested in security who do
development jobs to consider security maybe small business owners get them the information that they need so that's what you'll see on all the slides ooh if I get closer it gets louder uh so I've also worked in the security industry for about 10 years now which is inconsequential but what is neat is the past four months I switched roles so I'm now the manager of uh endpoint protection for the cyber security team at CIBC and so this talk is the lessons I've learned so far having been there for 10 years um I've learned a lot of things that don't quite work the way that I'd expect them or want them to and now I'm actually in a role to change that
yeah definitely uh all right so benefits to you here's the sales pitch right after this talk you will know how to get more out of your systems currently you'll be able to get rid of the overlapping cruft that's on your systems and you'll be able to free up those resources to fill the gaps that you have uh is anybody suffering from agent fatigue you've got too many agents running on your laptop takes me five to ten minutes to boot this up before I can do like actual work show of hands anybody all right are there other people in the room saying you whiny bastard we don't have enough of the security tools that we need to suffer those
problems so it's two sides of the same coin right it's ineffectively managing the things that you have so I'm gonna go into details into how to actually fix that so but first I'm going to talk about how my organization got here in the first place so in in my opinion uh some of the stuff that we've done has been we didn't have the proper coverage that we needed in the first place so when something went wrong right we had to react quickly maybe some people in the media were calling us out for not having something when we should have had it so so that's one area where you know we had insufficient coverage another thing
that we might have been chasing uh blinky lights right and just doing these interesting features uh and not actually thinking through the whole ecosystem that this feeds into and then my personal bane is um over time you know we've just been upgrading things as is the security industry started off so immature and it has grown so much the products the vendors are buying other vendors right they're that big that they can be doing these things and uh and while they do that the feature set increases but when we go to upgrade the product we're not looking at that we're in such a mad rush to get out the upgrade before the previous product that we're on goes end of life
right just as is so how do we fix that we fixed it up by implementing a framework and a framework is very basically just a holistic view of the different components that make up a system so cyber security being the system that I work in right and it's got to incorporate all the different aspects of it for it to actually work right if you build like a two-legged stool it's going to fall over so what a framework is not it is not products right when I was telling some vendor that I'm planning on you know discussing frameworks they're like yeah get me in I'll help you build your framework no hold on um it's also not too detailed
right if you get too prescriptive in what you're assigning you've lost that holistic nature of it and now you're pretty much down the capabilities roadmap and we'll get there but right now we just need something basic so that you can move you know from desktop to cloud to servers to bring your own devices right and just have something that works for your organization that's repeatable across that and you build out different capabilities for those systems um but yeah it's just that basic so I know what you're thinking I've heard of these things before right so what about ISO standards 27032 there's one that's actually a guideline for cyber security it's really good it is really basic and it's very
generalized it doesn't actually feel like something tangible that I can build around uh there's the NIST framework for improving critical infrastructure and I imagine that's really good for critical infrastructure but I'm a financial institution um doesn't work for me one of my favorite things before getting into this and and actually trying to implement products and improve things was the Australian Signals Directorate Top 35 pretty good key critical controls it is very good for desktops doesn't apply to mobile devices the closest that gets there is the SANS Top 20 Critical Security Controls and it's really good but I just you know I'm a skeptical person how do I know that at the end of the day
it's covering everything that needs to be covered I need something to tie it back into I still I still need a framework so that's great what is the magical one-size-fits-all framework for me hold on before we can get there some things we need to consider right frameworks actually need to uh be based around the culture of your organization so some organizations uh build their own everything and that's fantastic for them there's no wrong approach whatever works for you guys right some people are open source tools and then they've you know become the experts of those tools other people uh you know my organization is more of a buy versus build organization so they'll want off-the-shelf products
they'll pay for support to do things and they will develop if they have to and then those other people that just want to outsource everything and who am I to say that they're wrong right it's just different frameworks that are necessary for different things so how do you get there first you need to think about what's important to your organization if there's an information security mission statement that's great to start at my organization has an information security policy most of them do right the information security policy has like an executive statement it's one or two lines you can take things out of uh that you then use to develop security principles these are the 1Password
security principles they've just released this uh it is fantastic it talks about privacy by design which I'm a big advocate for right you don't just intercept everything and look into it because of the terrorists and children right so um you actually think about what you want beforehand and think about how you implement it that doesn't also have the you know nation state being able to control you from the oversight that they have or or that fear that somebody's watching everything you do uh they are obviously a crypto company so trusting the math is a big statement for them uh people are part of the system so you know think about the behaviors of people and design for those
and openness I'm a huge fan of transparency and just being transparent in what they do that's why they made this public you know very forward thinking and know your tools which is you know as an endpoint guy super important for me to to know the tools that are across all of my different types of endpoints I only have like 90,000 of them to be concerned about but you know so how do you actually build this out let me take a drink of water
so first off for the corporate assets um knowing the assets that you have would be great that's not actually part of the slide but then you know the old school methodology of a vendor just selling you a silver bullet right is that preventative thing unfortunately it doesn't always work that way sometimes you need to detect things that are going wrong after the fact so if something makes it past your silver bullet then you start thinking okay I gotta respond I got to recover there's a compromise there if you're only doing these three things you're stuck in a vicious cycle you need to actually do analysis on the stuff that's making it through why is it
making it through like do do that root cause determination and then also do analysis on what's going on to other companies personally my favorite thing is learning from somebody else's misfortune right vicarious learning is the only kind of learning I want to do uh unfortunately you know sometimes I have to learn from our own mistakes too which is cool I'm ready to do that right and then when you're learning from what other people are doing uh there's a whole concept of you know you can start deterring people right uh malware kits that are out there you can buy like you know botnets and and malware droppers and whatnot and they have these this concept called antis and if you're
running this software it won't execute its payload on you so that's cool how about we um start adding in some VMware DLL drivers right so that it thinks it's in you know a researcher's machine and just says yeah it's not worth the time I'll go find somebody else to infect and then you start incorporating this back in right you start building on this so uh unfortunately I'm not able to tell you the framework we have so I've given a couple cracks at it there's two images this one's logical points these are things that I think apply to most everybody obviously this whole thing is about building your own right so governance you know your policies your standards
um your GRC group that actually measures you against these uh the education that you provide to your employees you know might be one line item there and then if you break this out further like you can break it out a couple degrees further but don't break it out too deep right remember you want to actually stop at a certain level of depth uh you know information oversight uh which would be your DLP or something like that right seeing what people do with the data once they have access to it do they zip it do they send it out um access management very classic one threat protection and projections what's coming against you um and then infrastructure protection which
is the area that I live in you know there's the physical if somebody comes up to your machine and takes it away something you want to build into your framework like I'm saying it's got to be very vague in general we'll get to the capabilities later if you're more of a graphical representation kind of guy here's another way of viewing it um so it starts off the center and it spiders out and I wouldn't want to get much more detail from the framework perspective than you know at the network and asset layer so once you've got this all defined uh if you go deeper than this you're talking about capabilities and that's what we want to do next but um we've got
to remember that capabilities aren't products themselves capabilities are uh features of that product maybe the features that you already have or requirements that you need to fill you know gaps that you have byproducts or processes so what do you do for capabilities how do you figure out what you want um you ought to take those framework pieces go a level deeper and then you've got to look around your organization and see what tools you're currently using and then you interview those people and you say from the tools that we're using how does it fill these capabilities that we want to achieve and is it deployed everywhere so you'll have you got to consider geographical regions that you have right so maybe in
my case it's different in a branch than it is in a data center than it is on a laptop right or or in Asia versus here and then what you do is you map it out so here's a matrix of capabilities right so you list out your capabilities you list out the products that you have and you list out how those fill it so in this list the X's are you know actually used capabilities the O's are licensed but unused capabilities and the blanks are just completely missed so you can see here product C and E overlap in capability three so why is that is it a geographical reason is it a platform difference
or you know maybe that maybe two people don't actually know what the others are doing and they've gone down their own road uh and then you know there there's uh capability four that's not actually being met at all so this is a gap so it's inefficient to have these overlaps and gaps and you want to deal with that what about a lot of companies do threat modeling right so
from a risk approach you can say okay so how would I defend against this nation state how would I defend against um you know my HVAC vendor having access to a system right so you take real world scenarios and you use those against your capabilities and your framework to see how you would be covered uh another thing is you know you approach your gaps remediation from uh from a risk prioritization hopefully your organization has a strong risk ranking level and but remember that it's you know what's the impact going to be if something goes wrong and what's the likelihood of it and so once you've got these things mapped out once you've got your capabilities
mapped out we haven't actually talked at all about the effectiveness of these tools right you could have all the capabilities are basically the vendor's glossies right saying what the product does you guys could be terrible at doing it right from an organization perspective or the tool could completely fail to actually meet what it says on the glossy so you need to actually get into these political discussions now you go back to the people and say I have these tools that are overlapping in this capability we want to eliminate some of this overlapping and wasted resources why have five people doing essentially the same thing when I can reallocate those resources to to look at our gaps
so then you have the effect in this discussion so we get from you know this immature you got a lot of overlap there there's some Gap areas right and hopefully we'll get to this handsome full coverage functional
and and that's as far as we've gotten so um I'll take questions now if anybody has any thank you
no questions there's a oh there you go in the back
right so um so I'd like to say that it's one of our principles I took that from 1Password it's their principles uh the question was privacy by design is the second time that I'm seeing it in a slide uh why why is it important for information security so uh I'd say that the default of not doing that is you know what we're seeing in in C-51 right or or some of the other uh legislations that we're seeing around the world and that is it's so much easier just to capture all of the information and uh and then use it for your own department but then you're assuming that all of your employees are good you're assuming
that you know we won't get to a totalitarian state in some time you know look at you know some some places in the Middle East look at what Egypt's done with this they've actually put journalists in jail because Tor right for no better reason than that so any other questions yes down there sorry why did I open with the agent issue it's just personal frustration for me right it takes me 10 minutes to log in to do work that's unacceptable um you know too much security is not good especially when we have gaps that we need to address so how can I sell putting another agent on a desktop right to actually address something that
we're not doing correctly while I've got you know three different antivirus vendors running different functions of products on my desktop I wanted to get the guy going to pop you in the back no okay go ahead and Hayden
so uh you the question is the question let me see if I got this right for those companies that outsource everything how do they build a framework that works for them
building an internal framework so I can't actually answer that question because because we don't outsource everything we don't outsource everything everything yes in the back
so the question is where do I see more technical overlap and the answer is you know our workstations we've we've been dealing with symptoms on the workstations right we have DMZs we have other different types of protection that formulate the defense in depth that we think that we need we're coming to grips that there's you know maybe a need for more information out there uh part of that framework you know one of the things that I want to do is put uh honeypots out there that'll actually detect if something's getting through right into the DMZ so uh yeah um so so the desktops is where all of the agents pretty much are this in the front
oh those those
Allen
so I I might have if I wasn't so jaded from my over 10 years of experience uh so so no no particular surprises on on the nature of overlap I'm afraid where it came from uh yeah so that was my analysis up front is just you know chasing after that's my opinion I don't know for sure that's the fact but that's what I think uh so I'm going to give this to the gentleman in the back as a prize
he's asked the most questions and uh simply for going first he hasn't received one yet
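The capability matrix the talk describes (X = capability in use, O = licensed but not deployed, blank = not provided) turned into an overlap-and-gap report, so the "product C and E overlap in capability three, capability four is a gap" reading becomes a repeatable check. This is an added example, not the speaker's or CIBC's tooling; the products, capability names and cell values are constructed, and the "quick win" bucket (a gap that an already-licensed O could fill) goes one step beyond what the slide shows.

```python
# Cell convention from the talk: "X" = capability deployed and in use from this
# product, "O" = licensed in this product but not switched on, "" = not provided.
VALID_CELLS = {"X", "O", ""}

# Constructed sample data (not from the talk): columns are products already
# running in the organisation, rows are the capabilities it wants covered.
PRODUCTS = ["A", "B", "C", "D", "E"]
MATRIX = {
    "capability 1 asset inventory":     ["X", "",  "",  "",  ""],
    "capability 2 malware prevention":  ["",  "X", "",  "",  ""],
    "capability 3 device control":      ["",  "",  "X", "",  "X"],  # C and E overlap
    "capability 4 app allowlisting":    ["",  "",  "",  "",  ""],   # nobody covers it
    "capability 5 removable-media DLP": ["",  "",  "",  "O", ""],   # paid for, unused
}


def analyze(matrix, products):
    """Put every capability into exactly one bucket:
    overlaps   - more than one product actively delivers it (consolidate)
    covered    - exactly one product delivers it
    quick_wins - nothing deployed, but an already-licensed product could fill it
    gaps       - nothing deployed and nothing licensed (needs a new product)
    """
    report = {"overlaps": {}, "covered": {}, "quick_wins": {}, "gaps": []}
    for cap, cells in matrix.items():
        if len(cells) != len(products):
            raise ValueError(f"{cap}: {len(cells)} cells for {len(products)} products")
        bad = set(cells) - VALID_CELLS
        if bad:
            raise ValueError(f"{cap}: unknown cell value(s) {sorted(bad)}")
        used = [p for p, c in zip(products, cells) if c == "X"]
        licensed = [p for p, c in zip(products, cells) if c == "O"]
        if len(used) > 1:
            report["overlaps"][cap] = used
        elif used:
            report["covered"][cap] = used[0]
        elif licensed:
            report["quick_wins"][cap] = licensed
        else:
            report["gaps"].append(cap)
    return report


def idle_products(matrix, products):
    """Products with no "X" anywhere: the first place to look when reallocating
    licence money and agent slots toward the gaps."""
    active = {p for cells in matrix.values() for p, c in zip(products, cells) if c == "X"}
    return [p for p in products if p not in active]


if __name__ == "__main__":
    for bucket, items in analyze(MATRIX, PRODUCTS).items():
        print(f"{bucket:>10}: {items}")
    print(f"      idle: {idle_products(MATRIX, PRODUCTS)}")
```

A real matrix would carry one column per product per region or platform (branch, data centre, laptop), since the talk notes that coverage differs across them; the same two functions work unchanged on that wider table.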