
2012: The End of Security Stupidity

BSidesSF · 2012 · 53:50 · 47 views · Published 2017-11
About this talk
Speakers: Amit Yoran, Kevin Mandia, Ron Gula and Roland Cloutier

Although the Mayans predicted the world would end at the end of 2012, I am predicting that 2012 will mark the end of stupidity in the world of information security. How much longer can we put up with: meaningless certifications, inadequate technical training, vendor point solutions that do not stop criminals and nation-state attackers, and hordes of industry know-it-alls that comment on everyone else's woes while secretly freaking out because they themselves are probably owned as well. All will change in 2012.
Transcript [en]

Hi. For those of you that don't know me, my name is Amit, I'm with RSA, so here I am at BSides trying to help the community a little bit. We're here to talk about security: cloud, APT, big data... no, sorry, that's private stuff, that's in the other building. This is obviously a very informal panel. The topic, you know, security, the end of security stupidity in 2012, is clearly not meant to be serious. We do a lot of really stupid things as a community; in 2012 we'll continue, and I'm sure well beyond that into 2013, as our likelihood of really solving any of these fundamental issues in the foreseeable future is pretty close to nil.

What I thought was, I called up a couple of guys that I've worked with, or against, for some 19 or so years up to currently, guys that are doing really interesting things in the security space, have a lot of scars, a lot of good experiences, and I think right now are doing some very innovative, very interesting things, thinking outside the box. So you're not going to hear a whole lot about the AV being able to stop the APT, or the IDS, and how SIEM is going to solve all of our challenges. You're going to hear about things that are a little bit, you know, less popular, not mainstream, not where corporate America is necessarily spending all their security dollars, but I think things that are having an impact in certain organizations or have a lot of promise in what they're doing. So I'm going to let Ron Gula introduce himself and kick it off.

Thanks a lot. Hi there, I'm Ron Gula, I'm the CEO of Tenable Network Security. We do vulnerability scanning; you might have heard of a product called Nessus. This is not a sales pitch. We also do a variety of SIEM and network monitoring type solutions. The thing that I want to talk about, though, is that from where we sit, with that community of users out there, we've seen a lot of stupid. I've seen people use Nessus and not leverage credentials, right? And I don't care what kind of scanner you're using, but if you just do a non-credentialed vulnerability scan, you're stupid. Can we use "stupid" a lot today? Right, use any word you want here. My kids will see the recording: "Dad, you said we couldn't use stupid." We're recording, okay? All right. But prior to that I did the Dragon intrusion detection system, so I basically come from monitoring networks and not trusting the system and the administrators, to trying to get to a point where we're kind of full of confidence that you can look at your network and not be stupid about what you're seeing on your network.

As well, a controversial comment to start off: I'll just say I think Anonymous is the best thing that's ever happened to our industry. You're just checking to see if anything else... No, actually, that's another topic which you don't hear a whole lot about across the street, but just to tee off that before moving along, I think the Anonymous series of exploits is going to fundamentally change security at a lot of enterprises far more than they realize today, where they have a lot of experience identifying assets, high-value systems, regulatory control data types or transaction systems, and now all of a sudden the attack surface of what they have to protect and what is exposed has just gone through the roof, because brand is just so important. Roland, I think that's probably a good way to tee it off to you to introduce yourself.

Sure. I'm Roland Cloutier. I am not a CEO and I don't even play one on TV. I am the chief security officer for ADP Corporation, and that is not the alarm company; we're a global payroll and benefits company. What does that mean? We move a couple trillion dollars a year, pay about a quarter of the American workforce on a daily basis, and we have the most Social Security numbers outside of the Social Security Administration. So, you know, security is kind of important to me at an operational level. I'm a practitioner. I don't invent products; I beg guys like these guys to go invent products for stuff we don't have. So the topic intrigued me, because I have a list of stupid that gets me going every day. But one thing, when I've got a group of people like you in the room every day saying "go fight the bad guys," "go try to address IT to make them more responsible for their environments," "talk to our technology partners and our businesses on risk and why it's important for them to invest in these areas," all of these things, I think my job really is to get stuff moving in that direction.

I think from a practitioner's standpoint, what I'd like to get out there is: it's stupid just to look at security stuff, right? You know, big data comments aside, security intelligence and all the new banners and all the new products that people want to come up with because it's the next big topic, there's some reality based in that, and it's not stupid, because the problem is we're so built to look at the IDS, to look at the DPI, to look at the output of the other thing, authentication of the structures, security, security, security, but we're not actually seeing how the data is being used, what the attackers are really getting at. And by the way, half the time there are real people on your infrastructure, or there are bad people on your infrastructure using real people's IDs, getting real access, right? So we've got to start looking at the whole picture. We've got to start taking, from the applications, both the good and the bad; we have to start getting into machine learning and neural networks that are doing advanced analytics for us based on a large amount of data (I won't say big data, because that's stupid). But we have to get at taking us, as security, risk and privacy practitioners, up a step and saying: listen, we're responsible not for security but for business operations protection, because that's what we do. And what does the business do? Well, when was the last time you guys took a value chain of your business, took a workflow of a product that you're supporting on the internet or whatever it may be, and said, this is how a patient gets its medication, this is how somebody sells a car, whatever business you're in, and looked at all those points in between and said, I need that data to tell me if something's going wrong? So my point really is to take it up a notch and ask all security folks out there to stop looking at stupid security devices and look at the whole picture.

My name is Kevin Mandia. I'm the founder of a company called Mandiant. We're a weird company in that we started the whole company based on the premise that security breaches are inevitable, and I don't mean that to bring it down like Debbie Downer, but throughout my whole career I've been responding to security breaches since the mid-1990s, and I always felt you

could have great security folks, buying the right products, investing the right amount of time and energy, and we just always had an end-around, a Maginot Line, that could be broken through. So I've seen everything that fails my whole career, and I've gotten to a point where I just believe security breaches are inevitable, for points I'll probably talk about as we go through this. I've got six written, so I'm just going to pick four of the six. I've got nine points here. One is that we always try to dumb down security. At the end of the day we've got to scale our experts, I believe that. Everybody that creates software wants to make it as broad and mainstream as possible, but at the end of the day there does need to be some security software, like NetWitness, that scales the experts. That's simple, and I think that we keep trying to dumb it down to red light, green light, and everyone's on it; it's a little more complex than that.

A couple of other things. Everybody talks about information sharing and community-based defense. Well, if we're going to share as PDFs that are twenty pages long that we have to read through to try to figure anything out, it's going to be useless to us. The real way information sharing happens is, "Hey Amit, have you seen evil.exe on your network? Because we're seeing evil.exe," and it's asinine. So if we're going to do community-based defense there's a lot of changes that have to happen there, and I'll talk about that at the practitioner level, not the policy or legal level, because the policy and legal level will hold it up for another thirty years, and we'll stop there. Those are the two things. I guess the third would be compliance versus reality. I see an adoption of tools without an adoption of people that can use them. Most of my experience is dealing with large companies, and what they do is buy stuff, buy stuff, buy stuff, and a lot of it's not doing what they needed it to do.

And lastly, I said four: visibility. What's funny is I see presentations all the time; we see a big pie chart and they'll say, here's the malware we found on our network, and I'll say, well, where did that pie chart come from? And you'll get a different piece of software, and you'll say, well, is that 70% coverage, 50% coverage, 20% coverage? "I don't know, that's absolutely what we see, that's like 82-ish percent coverage." Nobody actually knows what's going on on every endpoint. So what we do is we'll buy, yeah, at the network we might get 80% coverage, go to our endpoints, get 40% coverage, buy a third tool that gives us 82 percent coverage, another tool gets us 57% coverage of a problem, and then all of a sudden something happens and you realize, I have no idea how to get my fingers on all the data I need. So we've bought a lot of stuff and none of it works together. It'll be like that for another 20 years; we'll retire by the time this thing's... this is our children's problem.

Amen, we should just go now. Yeah. So Kevin, at NetWitness obviously we spend a lot of time in the forensic space, as you do, and I know that our sales team is sometimes a little bit shy to bring our CTO out on sales calls because on occasion he's been known to say, "you're too stupid to use our product," and I think that builds on something that you were starting to talk to. How do you handle the "too stupid" conversation?

I try not to say it. I have a three-year-old and a one-year-old, so I'm avoiding the word as well. At the end of the day, I think it's easy to make the first... For what we do, we respond to a bunch of incidents and then we try to help folks determine if they've got that issue or not, detecting and responding to incidents. It's easy; I think you can dumb down detection. The problem is that's the first inning. Knowing you might have a problem is the first inning, and then what to do about it becomes more complex. The unfortunate reality for the world I live in, and for what we do, is you need some experts. You're only as good as your best forensicator, I'm making up words here, but it's a sort of treasure. So the first inning, are you compromised or not, I think that's an easy question to answer at scale, but what the bad guy did requires some expertise and even just knowledge of your network, your business processes.

So yeah, you might be too stupid to run a product, I definitely agree with that, but as an organization, if you can't recognize that, or that you're using the products incorrectly, that's a big problem. So in my opening comments I talked about doing credentialed scans with Nessus. You can scan, and we try our best to tell you the vulnerabilities; you give us credentials to log on, we'll tell you everything, right? Well, your organization might be stupid to not do that, right, and not look at that problem. Maybe you're really smart; maybe from a compliance point of view you don't want to report on all those missing patches and have those security guys at arm's length. So depending on who you are, you could be smart, or dumb like a fox, so to speak, or just stupid and need to go a bit further.

Roland, you've, over at least the last two jobs, had tremendous success in hiring really smart guys and building talent, growing talent. How do you find the mix, or how do you get people that are too stupid today and get them smarter, or how do you take your really sharp guys and scale them out?

Oh yeah, we don't hire stupid people anymore. Actually, we let our practitioners hire our practitioners, right? That's our theory. It may take a hell of a lot longer than using your HR and recruiting people, but if you hire really super good people, and we feel that they're quality individuals and they surround themselves with quality individuals, then you'll naturally create people that want to join a good team. So that's the kind of people that we look for. But I think the better topic is the skill set is changing, right? When we were talking 10 years ago, we were talking about having a risk portion of your job. I'm just curious, how many people do risk part time in here now? Okay, so a few of you. A lot of you will be doing it in the future; it's just going to be part of what you do, but we never even thought that it'd be required. So what are we talking about now? Data analytics. We're talking about deep analyst-type understanding of multiple technologies, so we're trying to go find people that understand that. Where are we finding them? Folks from the labs, right, Sandia, Sandia Labs, any place like that, guys coming out of Fort Meade, people that maybe grew up in government for a short while and got some really cool skills and then can translate that back into commercial use. On our side we're also changing our organization to represent that, so if we have quality engineers, and I mean good, non-stupid security engineers, we'll take them and give them the opportunity to go grow into whatever field they want. So, forensics, right, we can't live without forensics. It's funny how many companies I go into that are my size or bigger, Fortune 100 companies, and you ask them, you want to have a discussion to do information sharing about forensics capabilities, and you're like, where's your forensics team? "We don't have that." How can you not, right? I mean, that's just a basic skill that you need to have. So we take people that have grown up in the environment

and drive them further into what they want to go do.

Of course there's that, and there's also the company that has a forensics team, an incident response team, and a team that hunts APT. That was touched. That's funny. Come on. Well, I think that brings up at least another question in my mind. You know, Kevin's practice, our practice, talks about visibility. Clearly agility, since you don't know what the next characteristic is going to be: how do you prepare yourself today to be able to answer the question that you should have been looking for a few weeks ago? And also the critical role of threat intelligence in our business I think is similar to the types of research that you're doing. How do you stay on the leading edge of vulnerability exploration and things like that?

So there's really a couple of things going on out there as far as vulnerabilities go. There's more and more surface area out there. There's a lot of attention that was brought up this year thanks to Digital Bond's Project Basecamp, you know, PLCs, different industrial control systems and whatnot. I don't know about you, I don't have a lot of that kind of gear at my house, all right, but that's the kind of stuff that I'm glad to be involved with, because it takes the sort of Hollywood scare tactics out of it: nobody's going to hack in and turn off power and stuff like that. So in some cases there's partnerships with experts. But when you start looking at other pieces of technology that aren't really getting a lot of attention, iPhones, right, iPads, things like that, that stuff's kind of where Windows NT was a long time ago. I mean, I still remember going back to Black Hat when they presented the key standard, and I'm saying, does anybody have a remote for, like, NT 4? Right? Of course we had 15 years of remotes after that, once we added all this stuff on. So part of it's planning for the future. So when you start looking at all the different kinds of technologies out there, it's just a matter of really keeping up. And what are the basics? I still like to think about everything as a model: is it supposed to be on my network, is it configured correctly, is it patched, is it being used correctly? And I don't care if your system is PeopleSoft or a PCI e-commerce server or the CEO's iPad, right; if you can't answer those questions you're going to open yourselves to stupid malware, you're going to open yourself to nation-state attacks, and depending on who you are, you're going to have to suffer the consequences.

So I want to touch on that, because people always focus on the security people when there are issues, and we have to figure out how to drive that out. And by the way, Ron, I want to make you proud: I still have a Dragon network sensor on my home network that works. So the stupidity, or asininity as I prefer to call it, on this whole discussion on visibility, right: if IT is not logging... Asininity, is it today? Did you use that one first? So what, carcass, cumberbund and asininity, those are the three words we've got to use? Yeah, jackassery is there too, but I was going to wait to use that one.

It's almost criminal, right? I mean, you go tell someone, turn on a log so I can get information, so I can tell you what's bad, and the stuff you do every day, and the fact is, "we can't turn it on, we'll kill the system." Well, you should have scaled it; you should have done something different. If we don't do the basics, whatever the Verizon breach report says it is, eighty-six percent or ninety-two percent this year of all intrusions, hacks, incidents, issues and blah blah blah could have been stopped by basic prevention techniques, and that starts with visibility into the IT environment, right? And so one of the absolute basic things we can do as practitioners is ensure that we go drive the heck out of that on a day-to-day basis, because we're going to figure out the APT stuff, right? We're going to learn about IOCs, IOAs, IO-this, IO-that; we're going to learn those and they're going to change every single week. But if we still haven't convinced the business IT to do the basic right things, and we're not focusing on that as 50 percent of our job to make sure they're doing it, we're going to be in the same spot two years from now.

So does that mean rule ADP with an iron fist, grim misery for all the users? I'd like to talk about that later. Just whitelist every machine and lock it down. VDI for the world.

So yeah, I was going to expound: I think that 92 percent of everything can be prevented, period. Can I get an amen? I agree with that. No matter what it is, in hindsight everything probably could have been prevented. You mentioned vulnerability research before; one thing I was going to add onto that is, the stupid thing used to be to get all your vulnerabilities and just patch the high stuff, right? Then it was patch the stuff that had CVSS scores of 10, right? I get that, I'm done, right? But now it's, okay, I scan my network, get my list of vulns, and if there's a public exploit available for it I'll get those, and if I'm done there I don't have to worry about anything else. And that's a trend that I really, really don't like. I mean, if you know the resources, sure, it's a great form of triage, right? But if that's your strategic approach to security, no.

The same question could be asked on the exploit side. Kevin, how do you prioritize? At any large enterprise where there are multiple ongoing incidents at any point in time, how do you guide your customers to prioritize looking at this system versus that system?

I think, well, that's a good question, because it goes down to how the customer prioritizes their own data loss. You know, if the CEO's losing their email, that's usually deemed an intolerable event; nobody should be stealing the CEO's email on a monthly basis. So that kind of brings us up. I use "pucker factor 5" to describe that event. But a lot of... we have a weird idea. I mean, quite frankly, we find networks and we kind of figure out, are they compromised or not, and at the end of a day or two of analyzing it we'll say, hey, you're compromised, you have 47 machines that are compromised, 16 don't matter. I almost feel like we're doing a vulnerability scan; we're literally classifying compromises as pucker factor one, it was a drive-by shooting or botnet, or pucker factor five, live intelligence on the other end, or, you know, a human hacked a human and you have something more to worry about. But ultimately I think from a technical standpoint I can't classify how much something matters to our customers; they have to figure out if they care or not about what they're losing.

Well, how do you prioritize the attack? Not that ADP has ever had any security issues, but historically...

If you dish out email... you know, it really depends, because each attack's different, right? So I talk to my buddy over at eBay, Dave, and he's worried about fraud, fraud and stuff they see on a daily basis, massive. I deal with other friends in the financial area and they're dealing with a lot of things like we are on the state-sponsored side. So we see, you know, 50% of our attacks are intelligence based, you would assume, and half of that is trying to get at money, trillions of dollars, I think. So when we prioritize, we look at how it's spread across the organization: is this a onesie-twosie thing, is it all over the place? We look at the level of skill, believe it or not. So we look at, is the C2 traffic, you know, just awesome, like they're doing one out, nothing back type communications, or is it just loud and proud botnet type stuff? So there are multiple levels, but it's the skill of the assumed intruder or attacker, it is the type of potential information they have gotten at or are getting at, and it is the level of potential exfil, right? So has something potentially gone out already, or is there a probability, because we couldn't detect it in this specific portion of the environment, that we need to go prioritize? And this is it every day; this is an everyday battle.

Ron, do you guys... I was just asking Ron about any of the sort of community-based approaches, if they're taking any XML type data structures across customer bases and things like that.

So the big news going on right now is the government's actually kind of leading in this space, but the reality is the government's really come with a bunch of standards, at least on the vulnerability and configuration side. I literally assess millions, if not hundreds of millions, of computers here. You would think that there'd be a giant database of every IP address in the government, their CVEs and their configuration, with US capital. So, SCAP, CyberScope. Yeah, so it's making

a difference right I mean it's most of the people who criticize the government FISMA basically was a very procedural type of thing and you know it's kind of hard it to do this is we're trying to automate things a bit more right and then leverage content from Microsoft and vendors and stuff like that and they're doing really good there's no real sort of parallel to that for incidents sharing there's no sort of XML standard for giving a botnet list of IPs a list of bad guy DNS name that is that I don't get me wrong there is some sharing and stuff like that but there's no way to automatically at the same level of like

a CVE if you will you know look for a way to do that or even things like what is a port scam right I can find a port scan with snort right I can look into net witness and-and-and and see hey there's a port scan right is that a sweep is that a botnet is it that those kind of standards aren't there and I'm hoping to see those things going that we were involved a little bit with the seee the common event enumeration and that was more about a replacement for syslog than you know classifying these things but I'm hoping it can be more like I know Mannion you guys were involved Richard Bayly was pushing out I forget

the name of the infrastructure but there's some more this information that people are thinking about this which is a good which is a good thing yeah and as a guy who spent a lot of time criticizing the government's security efforts I think Ron brings up an excellent point with s cap and if you haven't looked at any of those those standards they're actually one of the few areas where the government involvement and leadership I think has been in critical Kevin I know pushing standards I don't know if IOC s or standards at this point are they open was the the indicators of compromised effort all about I think I think back the snort I mean snort became for us at least the

threat intelligence for network based countermeasures I think we need to have a I think the private sector is going to come up with before the government does quite frankly I think all you need to have to have a standard of threat intelligence we can all share and have it meaningful and actionable is you got to be able to generate intelligence edit or manage that intelligence and share it but what we can keep sharing is PDFs Word docs and phone calls or we're gonna get our butts kicked forever so after 18 years of doing forensics we came out with schema we called open IOC or open I occu can call whatever you want at the end of the day we share intelligence

internally by sharing a darn file so if we respond as I say here today we're responding to 44 security breaches got the text and I'm looking at it thinking what we learned out of those 44 breaches today is portable by tomorrow because we're codifying the forensic steps that we need to recognize those things in other places so I think that the private sector ultimately that was going to come up with something I don't get widely adopted and then a standard will come out afterwards well how about your information sharing how do you handle incident data exchange or conversate conversations with your peers so I don't see anything private about I OCS I don't see anything private about

dll's of you know that there were hunting I don't see anything private about indications of fraud of how people are trying to tech money move in infrastructures I don't see anything private about it listen if it doesn't have an internal IP address of a customer their social security their bank accounts their antes their any of that stuff what the hell is private right there's nothing holding me back from sharing that so I'll probably be the first one to go to jail but I'm sharing it right so up in its you know I'm calling up you know Bank of America I'm calling up you know the you know the partners that we have across the financial industry at any time you know

I'll call the government you know I for all you know the kick in the teeth that we give the bureau's on a daily basis just because it's fun you know they they can actually turn around some really interesting data pretty quick and I'm not you know I'm not breaking law piling any violation of contracts I'm not you know so on and so forth so we share a lot of information and and we ask people to share back with us and whether it's true you know I'm sure some of you belong to the FSI sack or some of the bigger ones nc FTA so on and so forth those are great avenues for sharing and so we do

it all the time the reality is they've already done it to someone else someone else's most probably already figured out you know their intrusion mechanisms the multiple technologies they've used to do it so on and so forth so this this whole and you know I heard in the keynote this morning and I heard it in meetings yesterday well there's still a problem with information sharing I don't see the problem I mean I'm not gonna give you you know omits you know paycheck information although I have it but I will give you the information about how the person attacked what routes that came through the routing infrastructure through the internet they came through the providers and and everything else I

can to say hey you guys see and you know the this type of workflow before and didn't tell me what they did in your environment right so and by the way preventive techniques you know I have you know deep packet inspection I have these type of controls did you guys instantiate any type of new controls in this environment of zone and so forth and did you write a rule I mean it's kind of embarrassing the risk guys were doing this five years ago you know with sharing you know their risk workflows in matter of fact the last point I'd like to finish up on that around this whole information sharing thing is one of the

most stupidest things I've you know I've done and I got to check myself all the time in my position is I didn't write things down and I'm never making that mistake again so when we found something bad and we told someone to go fix it hey you got something in your VAR me to go fix it I didn't write it down and what happens they don't fix it right we found it they never fixed it someone broke it right and it becomes a problem in an emergency and now I get guys work and you know 18-hour shifts instead of 14-hour shifts right so you know this is this is the from us from from my practitioner standpoint is I'm

asking everyone stop the stupidity write it down hold people accountable and when your general counselor or whoever says get really write these things down it might be a compliance that is you're too damn bad right you know go fix it and have IT go fix it whoever else so yeah it's something having both writing things down during an incident during an activity during an investigation absolutely critical and then as you discover things to have a closed loop you know system make sure you get closure on all the things that you're identifying your problems well I know that's something you've been championing since the first early versions of your products oh absolutely I mean back back

in the days with drag we had stuffed full packet capture for there was events so you could save that kind of stuff and people have to go and say hey what is this you know do some analysis on it and things like that but but today I mean as a vendor I mean I gotta tell you almost every vulnerability management and sin vendor is going to come out with a cloud-based solution whether there are customers can share it out it and that's good that'll help their customers but I kind of want it industry-wide you know I frankly don't care if you have my products or don't but you know if you want to participate in exchange stuff that

should be automatic, right? And that's probably the only thing I would build upon what you were saying: the more you can make these things automatic, the quicker you can put things out there and get them in people's hands. So even just putting the blacklist, threat list, whatever you want to call them, out there, being able to get that built right into your IDS, your DPI, whatever you have out there, the more that can be automated, that's pretty good. So there's a lot of services, like ThreatGRID, you know, that Dov's doing; you can get lists of lots of indicators and things like that, and a lot of different vendors

consume that, which is really cool. There's a lot of other companies out there that do those kinds of things. I think the government wants to get involved, right? I don't think you're ever going to see the PCI organization, for example, say, well, here's the list of sites that aren't valid anymore, don't shop there, you know, but that's kind of what we need. We can't have a political barrier for sharing that kind of information, and I don't know that there'll ever be one place to go through all those communities and specific purpose-built intel. So I know folks have additional stuff, or maybe open it up to

Thank you, I can take that. It's going to be important, right? No matter how much I push back and say I'll go to jail and blow up a block, I really don't want to go to jail; I don't look good in orange. The fact is that there are some trade laws, there are some privacy laws that are going to restrict, you know, components of the data and so on and so forth. So the capability for an organization to be successful in that framework and environment will be, you know, you've got to make it anonymous somehow, right? You've got to, if you don't have to, don't put it on the switch if it's not important; if it

is important to you, put it on the switch, scrub it before it goes up into the platform, because, you know, the other thing people have to think about is the power of the subpoena. It's a beautiful thing, right? I use it all the time, right? You know, we're having an issue, let's go get a subpoena through a government entity, go get the bad guy's information and start tracking down. But it works two ways. So if you put a metric butt-ton, and that is a quantifiable measurement, into this, you know, information sharing cloud, you're going to get to a point where there's a lot of data, therefore a lot of time,

and if it's a subpoena served on you, your company, your business, potentially your clients, yeah, that doesn't feel good, right? One of the things I worry about: we have a breach of some sort, there's a class-action suit, and then the class action goes and subpoenas that data, and it's not anonymous, and it has a lot of information about everything my team has done, and then people start critiquing it, right? That concerns me. So yeah, there has to be some sort of anonymity capability within that platform, whatever it might be.

Do they have any role? Hell no. Let's repeat questions. Yeah, so the question was, should the government have a role in creating an organization like that, and the answer was hell no. The other thing, and I put it out to the rest of the panel, is could they potentially participate, right? That doesn't mean I give them data and they put in what they want back; you know what I'm talking about. Could they be an active participant if the organization so decides, right? I say yes, but, you know, it'd be up to the membership. Yeah, I think, comments on this: when it comes to sharing intelligence, I

would agree that, having done it for 12 years, it is anonymous when you look at the indicators themselves. Unless the C2 channel goes back to i-hacked-amit-yoran.com, there's no other intelligence in there that really gives away where it comes from. But I believe a couple of things about sharing intelligence: the wider you spread it, unfortunately, if it's not closed-loop, it becomes less valuable. That's just a fact about intelligence. I actually think what works is you pick who you share it with and you pick whether you're anonymous or not, because at the end of the day, when you get a collection, and we're already going

through this now at Mandiant: we have so much intelligence we're starting to rate it based on where it came from, and you get crappy intelligence a lot of the time, meaning it just, wow, really doesn't apply; it's a drive-by shooting, it hit 10 million people but it didn't have any real impact, versus worthwhile intelligence. So I think a couple of things: one, it should be closed-loop; two, you pick your friends, like Facebook, who you share with, who you don't share with; three, whether you're looking for the government to compel you to do so or not. I think right now sharing intel with the government is a tough one in a lot of ways because there's all stick, no carrot,

so until there's a carrot there, and I don't know what it would be. You know, there's this legislation, not, it wasn't legislation, but regulations that say if there's a breach and it's material you need to report it, and the best way to make a breach material is reporting it, so figure that one out. I think that intelligence needs to be shared as you think you need to share it. But I would agree, I've been doing this for a long time and I've seen a lot of companies share things; I don't think it's in the spirit of any NDA or a bunch of other things to put people behind bars. We're trying to just solve a

problem that's more widespread than just a single entity. Yeah, when we were addressing this in the government they used to say we have a carrot-and-stick approach: a stick to beat someone and then a carrot to poke them in the eye. Not exactly what is typically meant by a carrot-and-stick approach. I think the anonymity point might work in closed communities, but as Kevin said, you know, once you get into larger circles, if you maintain it, it's difficult without understanding the source, yeah, what is the context. And, you know, another thing that we're doing that I think has helped lower the sharing threshold within our own customer base is allowing people to share

characteristics, but they're encrypted, so that, you know, technically you can get at them if you violate the license agreement and you do memory forensics on the boxes and things like that, but the intrusion characteristics are basically encrypted so that unless there's a hit you don't know effectively what the systems are looking for. If you have a match, then, yes, it says call Bob at the following phone number. That's hopefully one way to kind of share without disclosing, to lower that threshold. I think it's important to know where it comes from too, because your real smart guys that are sitting on the front lines are going to be like, where did this come from?

We're smarter than they are, and they almost need to know where it came from for them to be able to vet the intelligence, to see if it's worthwhile. I think we've got some folks with questions.

[Laughter]

I think we're in the business of monetizing a pattern of take intelligence and go look for it, go hunt on a daily basis. That's really what we want to do. The challenge that keeps us from giving everybody everything all the time is things like we can decrypt a lot in situ, and we can decrypt RDP in certain circumstances, and those types of things took us nine months to figure out, or two months to figure out, and we believe usually the criterion is actually an altruistic one: that if we gave something to one person and it went out, it loses value for everybody else. That being said, there is no magic. I haven't been able to write the criteria, and I

think about this issue all the time, because I think it's asinine to try to write it. At the end of the day you've got to analyze each piece of intelligence you have and say, share it with the world, share with your customers, or keep it close-hold for now, and that's an unfortunate reality. And share with different communities: the ISACs are an example, right? They're going to share within their community for a specific purpose. The DIB, defense industrial base, is going to share within their community for specific purposes; they're not going to share more broadly. And then there's other communities, you know, dozens of internet-based community projects as well.

We're actually aggregating a lot of the community-based projects and licensing the ability to redistribute that threat intelligence through our freeware and other things. So, you know, where it's not our intellectual property or content, we're trying to facilitate a community-based approach, but, you know, it's a careful line when you look at things that are more proprietary; it's more sensitive in communities. I think he's advocating that the government monitors all the internet and just controls it all. Chuck. I would close the loop by industry, though, I think, because I think most of the threats we see start looking similar by industry, you know, and I would close it that way. I

don't think the whole world needs to know about every single threat, because at that point there is no network enabler for intelligence if it gets too big a network.

Let me touch on this; I'm very involved in it. So I love to corrupt little minds, right? You take young people and you get in early into the education cycle, I'm talking like high school and into the university and college level, and you will create the most fantastic set of people. I think what the University of Maryland is doing, I think what Norwich is doing, I think there's seven or eight really great colleges and universities I know about, but they can't do it alone, right? It can't be just the instructors and the professors and the practitioners going there and teaching, you know, part-time at night or whatever. It's got to be us, it's got to be us

opening up opportunities for, you know, students to come in, and whatever, guys, that's under within your environment. If you're going to, you know, open up jobs for students, do co-ops and so on and so forth, you know, normal things that you should be doing, look to that. I mean, some of the best people I've ever hired started out their freshman year, you know, came in in the summers and worked, and every year thereafter, and then we hired them right out of school, and we have fantastic analysts, right? So get in early and often, give them the projects. If you're a big company, I mean, big companies here, Fortune 1000s, are there, out of curiosity, a few of you? Throwing

money at, ten thousand dollars to a small college that has great students that can come in and do a project for you is not a lot of money, because you're going to spend that on recruiting fees anyways in the future. You know, light up those minds, right, and show them how really cool the stuff we do is right now, because we've got a great job. This is cool stuff, it changes every day, this is a great job, we're making a difference.

Right, no syllabus, you know that. This is actually historic, because I'm about to say a second positive thing about government efforts within one hour, but the government, actually the NSF and NSA, with DHS, run a CyberCorps program, do a lot of funding and create these Centers of Academic Excellence in cybersecurity. Sounds like a long government title because it is, but they're actually taking a lot of undergrads, and at the graduate level, and sending them through excellent training, and I know a lot of folks have been hired through that program, and they've really been a great source for talent. I think the other role for academia that is really

underutilized is some of the longer-term fundamental research, right? We know general-purpose computing can't be secured, so knowing we have compromised components, how do we develop trustworthy environments, and all sorts of, you know, when Roland talks about big data, I say you can talk about big data, talk about large data, security tells you, yeah, all the data analytics required to do, right, marketing notwithstanding, the real behavioral analytics types of things that are required to do security going forward. I think those are places where fundamental research is still required. [Laughter]

Do you want to, sir? I'm going to, I mean, I can sort out how we're doing it. I mean, so I know the guy who has the answer; he's sitting right behind you. You get a big bucket. Yeah, so there's a lot of ways to go at it. First you have to get the information, and I can't say it enough, and so we're on this journey ourselves. I wouldn't say we're a, you know, tier one intelligence platform; we're probably like a tier two, meaning that we have information; our expert maybe at tier three. We have information, we are using that to

make intelligence decisions, we're using analytical capabilities about the information that we have. So having the ability to get a lot of information in one place, having the capability to run analytics against it, is very, very important. Having people come in and teach you what to look for, right, so getting the education, the right people in place, you know, the Mandiants of the world and so on and so forth, they come in and teach that. And then getting external information: so we're talking a lot about what's in our infrastructure, you know, what other people can share with us, but really have a good look at your industry, who wants to attack you, why,

what they have done in the past, what are their capabilities. You're not going to have all that information, right? So using external third parties to provide that type of information, and really having the right skill set, and then doing data modelling against, you know, the information you have. I mean, that's the very basic way I think you can get it, and that's the road we've started down. And I'll give you a real simple one, and if you've heard this, fall asleep, but this is one I use all the time. We had a problem where we have 690 go-to-market platforms, right, that deliver product sets essentially, and you go buy a cred, you know,

from somewhere in the deep, dark corners of the Internet, one of our creds, and you could test it, login once against this platform; you could do that 690 times, but we wouldn't see that because it was just one failure, right? So what did we do with our grandiose dataset, I refuse to use the term big data, is that we were able to say, anytime, you know, we run queries all day long, anytime you see one failed login against more than one product, let us know. I mean, wow, you know, the information we got off that, day one, just totally changed our world, I mean rocked our world, and being able to provide an immediate mass amount

of protection to the organization and to 60 million users, you know, that use the platform every day, right? So it's little things like that. It doesn't have to be this really cool, I'm seeing the future, right? Not yet, right; we want to get to that point, but it can be using that type of information on how to make operational changes within your 690 products. I thought our industry stunk

when it comes to, you know, like you said,

while security devices don't see it, right? I mean, the infrastructure sees it; you've got to tie into the infrastructure, we've got to be able to get that information. It's the IT guys. It's not about, in our world, it's not about product security, it's about product quality, right? So it's mandated, so we measure it, people get paid on it, right? People that deliver products or infrastructure, applications or enterprise people, they have, you know, think of it as a 20-point checklist: if you're going to do this with this type of data, you must do this, and by the way, that's in your MBOs. So that's our way of getting people to

think about it: dude, it's just part of your job, right? And not security people; these are developers and engineers and so on and so forth. So take that SDLC and take it way back up the stack and say, no, this is just the framework of how you develop anything in our environment. Same thing: we want like GUIs, we want like portals, we want like X, Y and Z, right, because it drives down the cost, it's repeatable, it's reusable. We're doing the same thing with security and making that, here's, just to get into the environment, here's the check that says you're giving us all these logs, and all the logs include all these,

you know, 16 things. This is a big bucket. I could comment on that. We haven't learned from the penetration test, right? The pen test that got in today, or a year ago, or five years ago, always resulted in patch your systems. It was never in, change the configuration of your SIEM, change the configuration of your IDS, change the education level of your SOC to look for this kind of stuff. I mean, we've been doing brute-force password guessing and password sweeps for 20 years, right? Every SIEM vendor out there can detect this kind of stuff; very rarely does that SIEM get deployed to detect it, though. So the technology, I don't think there's any, you know, one-size-fits-all. I think there's,

you know, at least when I use the term visibility, obviously on the network side it's all about full packet capture: collect everything once and then you'll be able to sift through, and we'll try and do analytics. Kevin's team, I don't speak for you, but, you know, having the deep memory forensics and the system inspection capability on the host layer adds a whole different dimension to what we're doing. I think historically, you know, when I criticize visibility, it's more the telemetry that's coming into the SIEM: either you're not including infrastructure systems, or the telemetry is coming from things that are signature-based and not able to give you the

visibility that's required to see the things that matter. We have a fight here; it's the plan.

Look, I'll go back one more question, to the one over here: how do you build an intelligence team? The first thing you should do is talk to your management, make sure you're building something that they want, right, because you might be able to get money. If you don't have budget, then, you know, hey, maybe you can't go buy a similar commercial product, but maybe you can use something free and at least know what your limitations are. Well, I think we're, are we out of time? We're having to go for another three and a half minutes. You want to be out of time? I think you've got time for one more. All right, well, quick:

what makes the business wake up at two o'clock in the morning? The things that most people in this, yeah, exactly: prioritize your efforts, your focus, your activities on the things that matter most to the organization, the critical things, and leverage your threat intelligence, because that should guide you too.

Yeah, no, I didn't say go scare the business; I said what scares them, why can't they go deliver to China, why. No, I said go ask them what wakes them up, because then you're going to go find out the holes in their platform, right? Great. I appreciate everybody's, well, first let me thank the panel, folks that have spent their entire careers in security and are doing really forward-leaning things, and thank the audience; you guys were great, thanks for your questions.
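Roland's "one failed login against more than one product" query, as an added example that is not from the panel or from any of the speakers' products: the log format, product names and constructed log lines are assumptions, and it contrasts a classic per-product failure count, which never fires when a credential is tried once per platform, with the cross-product sweep rule that does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the talk): one event per line.
# "alice" is tried once on each of three hypothetical platforms, the pattern the
# panel described; "bob" and "carol" are ordinary users with a single typo.
SAMPLE_LOG = """\
2012-02-27T02:00:01Z product=payroll-web user=alice result=FAIL src=198.51.100.7
2012-02-27T02:00:03Z product=benefits-portal user=alice result=FAIL src=198.51.100.7
2012-02-27T02:00:05Z product=timecard-app user=alice result=FAIL src=198.51.100.7
2012-02-27T02:00:09Z product=hr-portal user=alice result=SUCCESS src=198.51.100.7
2012-02-27T02:01:00Z product=payroll-web user=bob result=FAIL src=203.0.113.9
2012-02-27T02:01:20Z product=payroll-web user=bob result=SUCCESS src=203.0.113.9
2012-02-27T09:30:00Z product=timecard-app user=carol result=FAIL src=192.0.2.44
"""

# Assumed key=value line layout; real platforms would need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) product=(?P<product>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log):
    """Yield one dict per well-formed line, with ts as a datetime."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield d


def per_product_lockout(events, threshold=5):
    """Classic rule: (product, user) pairs with >= threshold failed logins.

    Each platform only sees its own failures, so one attempt per platform
    never crosses the threshold. Returns a sorted list of (product, user).
    """
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[(e["product"], e["user"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


def cross_product_sweep(events, window=timedelta(minutes=10), min_products=2):
    """Panel's rule: a user whose failures touch >= min_products within window.

    Returns {user: sorted list of products} for each flagged user. The data
    from every platform has to be in one place for this query to work at all.
    """
    fails = defaultdict(list)  # user -> [(ts, product), ...]
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append((e["ts"], e["product"]))
    alerts = {}
    for user, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window per user
            products = {p for t, p in items[i:] if t - t0 <= window}
            if len(products) >= min_products:
                alerts[user] = sorted(products)
                break
    return alerts
```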