Episode 97: What Changes do Businesses Need to Make in the Coming Year?

Amrit Williams, BigFix CTO, concludes his discussion about the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex Hutton, Principal of Research and Intelligence with Verizon Business. Alex, thanks for joining me today.

Well, Alex, I would like to start talking about what organizations should be doing with this data. I mean, someone reads this today and they wake up on Monday, what type of suggestions, changes should they be making in their environment? What are the things that they should get out of this report in terms of — what’s the call to action?

Alex Hutton: Well, regardless of whether you are worried about internal or external, the first thing you should look at is identity and access management. On Page 45, there is a wonderful series of charts, they are column charts that are augmented with lines. The columns represent that frequency and the lines represent that impact.

If you take a look at — and this is what we call our unknown-unknown chart, where we kind of break out unknowns that are represented in the dataset by unknown assets, unknown data, unknown connection and unknown privileges. An unknown asset is like, oh, we didn’t realize we had that server. Unknown data is, wow, that data is actually on that server, uh oh! And so forth.

There is this amazing increase in utilization of unknown privileges that you will see there, just from — in 2007, below 20% of cases, to over 90% of cases involved unknown privileges, where there was an unknown. Identity and access management is significant.

The second is log management. I mean, this is a real problem and being able to find the information in your logs, but when 90% of the time it’s there, that indicates there is a potential solution, we just have to apply technology and imply intuition and ingenuity in order to find a real usable solution there.

I mean, in one case, there was a compromised system that had no increased business requirements, there weren’t more users, there weren’t more transactions being processed or anything, but this particular server had seen over a 400% increase in utilization. That should be an indicator that there is something wrong there.

So we do need to focus on understanding the systems that we have, and being able to find — I think the term that we use is, find the needle in the haystack there.

Amrit Williams: So I wanted to go back to the chart on Page 45, the unknown privilege chart, because it really is quite shocking, an increase from 20% to over 90% from 2008 through 2009 is — well, that is a shocking chart. Can you talk a little bit more about what unknown privileges is representing, how does that instantiate itself?

Alex Hutton: Sure. It’s an unknown user account or roles or responsibilities for a specific user account. They didn’t realize that, that user had access to do these sorts of things on the system. It really is identity and access management.

So basically, what we are representing there is, when I used to work with Pentest team, what we always used to look for was the blank SA password, that would give us the keys to the kingdom. That was years ago.

This is the same stuff. It is, holy cow! I didn’t realize that we had a blank password on that system. I didn’t realize that root on that system had these sorts of access to these sorts of other systems, all of these identity access management problems are represented there. It would be great to break those out. That’s something we hope to do in future reports, and to what exactly those are and how we are finding them.

But in terms of finding a solution and mitigating the risk, it’s actually pretty easy. You focus on audit, usable audits, account audits and so forth, in making sure that you are applying the right technology out of your budget, to make sure that you are not part of that increasing trend.

Amrit Williams: Have you seen any difference or variation between Windows-based servers or UNIX-based servers, in terms of how organizations — I know there are differences in terms of how organizations protect them and what technology is out there, but was there anything in the Data Breach Report or dataset that you guys looked at that indicated there was a higher probability of one type of system versus another that was susceptible to this in organizations?

Alex Hutton: We don’t really break that out.

Amrit Williams: The reason I ask is, because in dealing with organizations that have Windows Server Administrators versus UNIX Server Administrators, they act very differently and they tend to manage the systems in a very different way. It would be an interesting thing to dig into.

Okay. So you mentioned IAM and I think that’s great. I think putting everything under the umbrella of, anytime you can get visibility into the systems, how they are configured, how they are being accessed, and how they are being used, and then look for anomalies is definitely a good thing.

You mentioned log management, the ability to monitor, and I thought that was a great example of sort of anomalous activity that should have been looked at. Anything that you have seen over the last year or two that organizations are probably not looking at, that they definitely should? Because I think in these two areas, these are definitely areas where organizations can do a better job, but most people are aware of these. Anything that you think is different or a mind shift for how people might want to look at improving their security?

Alex Hutton: Well, let me back up first and say, it’s not just visibility, it’s also variability. So anytime you want to manage a process environment, you have to look at both. But in terms of answering the question, the one thing I want to do is stress, share information.

The FS-ISAC and various other organizations are really starting to get great apps, it’s a rapid sharing of threat information. We need to expand beyond that and start sharing all sorts of risk management information, not just information out of threat landscape and not just particulars about IP address ranges or types of malware.

The second thing that’s kind of interesting is the role, and this is part of unknown privileges, what we mentioned before, but the role of stolen credentials, the ability to detect and respond to credentials being stolen, even if it is just an overwhelming amount of false positives around, oh, I think I clicked on a phishing email or whatever. This is critical moving forward.

It is very easy. Remember we talked about economic efficiency in the threat landscape. This represents the most efficient thing that a threat agent can do. They can phish somebody or do some sort of web-based malware drive-by, steal credentials, and boom, they have got some level of privileged access. It’s really that simple.

The increase in the use of stolen credentials actually is kind of correlated to the increases in custom malware that we have seen, from 2006 until now. Increased custom malware is a trend that’s growing and continues to grow. So I think that’s interesting.

Take a look at PCI requirement section, and take a look at what you have — if your organization has to deal with PCI’s requirement, take a look at the kind of compliance rates that we saw, really poor compliance to the DSS across the board and the failure rates that this dataset represents, and kind of take that seriously.

Amrit Williams: Well, boy, I would love to be into PCI and this world of MySpace, but then I decided not to go there just yet. So I want to go back to something you said, because I think it’s really, really important and I think organizations are really challenged on that. It’s a great idea, which is to share information, and build that collective update. I know that you and several others have been big proponents of trying to support that.

What does an organization do though, because they have to balance, and I think I would like to get your perspective on, A, what they should do, and B, how they balance some of their concerns. And some of the concerns would be, I am afraid to share information, because I am afraid it’s going to keep me liable for something. Or I am afraid to share information because I think it’s going to have some impact on my bottom line somewhere down the line if it finds out there is a breach that results in a compromise of data that results in me having to take teams around it.

So A, what should companies do, what do they get involved in, how do they become part of that collective of information? And B, how do they maintain some level of anonymity, so that they can participate and contribute to the greater good without feeling like that’s going to result in some type of fine or negative impact to them somewhere down the line?

So we will take the first one, which is, what do they do, how do they share information, how do they get involved?

Alex Hutton: It’s going to vary from industry to industry. In the past, I have been kind of very involved in ISFA. I have been involved in other kind of industry security groups. And I think the first thing that any organization can do is make sure that you are going to those sorts of events, and basically issuing the PowerPoint and get into the network. I think that you will find that the value of ISFA meetings and 9:36 meetings, certainly is in the education, but it’s mainly the networking.

One of the great things that my friend, Dan Houser, he is an (ISC)² Board member, one of the great things that he did in the Columbus, Ohio area is start a program called the Security MBA. MBA stands for Masters of Beer Appreciation.

The Security MBA was just a collection of security individuals from financial sector institutions in Columbus, retail, whatever it was, but if you were a security geek and you were in Columbus, once a month, Dan found a vendor to kind of shuttle out $200-300 to buy appetizers and beer for everybody, and you go meet, and it would be extremely informal. Dan would have a number of topics.

You talk about the topics for a while, but what really happened was, people shared information about how they were managing, how they were taking vendor solutions and really making use of them and becoming effective. I think that’s the first thing to look at, is doing something informally and doing something locally.

I hate to sound like a bumper sticker about act local, but think global, but that really is a great first step.

Second thing that you can do is get involved. If your industry supports something, in information sharing, get involved in that. If it doesn’t, think about trying to start something with information sharing.

These sorts of things exist and it’s worth seeking that out. As I have been speaking at METROCON, and I have been speaking at Black Hat and so forth, it just becomes really apparent that we are not going to get any better at managing risk until and unless we have comparative analytics.

Comparative analytics for me represents the key to our success as an industry going forward. That’s comparative analytics over everything. So threat landscape, it’s the controls landscape, it’s the asset management that we do, it’s impact, understanding how much things even cost, even if you can talk in vague generalities, understanding how much you are looking at in terms of impact is important and how you can limit that impact.

So that’s a second thing, is seek something formal. If it doesn’t exist, think about building it; Google Groups are free.

The last thing that I would encourage folks to do is download and use our freely available VERIS framework. I know this is going to sound like a vendor pitch, but one of the things that has made the past so successful is that the risk team here has used a framework to take the incident narrative; first, this bad thing happened, then that bad thing happened, and turn that narrative into metrics, the metrics that you see in all the wonderful charts and graphs here.

But what’s great is, once you have that commonality, you can basically take anything, put two different folks in a room, and get them with two different cases, and get them to provide you information on the same to same basis.

So VERIS is freely available, anybody can download it. It’s at verisframework.wiki.zoho.com and start using it.

It’s what made the Secret Service — so one of the things, besides their willingness and their cooperation, one of the things that made this report actually be able to happen is this common framework. They were able to take VERIS and get metrics on a same to same basis as our IR team.

They even developed, I think, an in-house application hub, frame their incidents in a VERIS context.

So that’s the other thing, is get involved in something like VERIS or VERIS itself if you are into sharing incident information, but make sure that you have the language to talk to somebody else in a same to same manner. Those are the three keys.

Amrit Williams: What about the question of anonymity, because I think this is a challenge that — I mean, I think most people want to be able to be part of the collective, to help with the comparative analytics, it helps all of us, but they really struggle with that question of anonymity.

Do you have any ideas around how we better support anonymity while supporting these collectives, and is VERIS — I am not familiar with it, I have to be honest, does that framework provide some level of abstraction from details but allow people to get the information they need?

Alex Hutton: Yeah. Well, that’s one of the things that VERIS is designed to do. There is a demographic section where you kind of describe the victim organization, and you can be as — it’s designed to be fairly general and vague, we are in the financial services industry and we are between ten and a hundred thousand employees and so forth, rather than specifically say, yes, we are a financial institution in 14:27 Washington with 157 employees.

But I will challenge us with — information sharing is going on, we just have to foster and seek that out. The ISACs are a prime example of that. In setting something up with rules and NDAs, I mean I-4 has been doing this for ages through — setting stuff up with NDAs is pretty easy, and bilateral NDAs, you can go Google any number of really good and strong bilateral NDAs.

What you need to do in terms of selling it internally is really kind of figure out — for the listener, in terms of selling it internally is really kind of figure out, okay, what’s the risk reward, and how do I coach that in a PowerPoint for people that I have to go sell the idea of sharing information with my peer groups?

The risk is, somebody might find out we had an incident. Gee, we are imperfect, just like everybody else in the industry. The reward is, I get comparative analytics. I get better information.

So designing a process and program around sharing information before you go sell it and say this is the benefit for taking this risk, that’s the key piece that people need to do in terms of selling it.

Amrit Williams: I think that makes a lot of sense. Alex, I really appreciate you joining us today. I would like you to — I am imagining that there is actually somebody out here that doesn’t know how to use Google, if they were interested in obtaining the copy of the Verizon Data Breach Investigations Report, what address would they go to?

Alex Hutton: The best place is VerizonBusiness.com/products/security. There will be a link right on to your right there.

Amrit Williams: Okay. What about the VERIS framework?

Alex Hutton: The VERIS framework is found at verisframework.wiki.zoho.com. That’s a non-Verizon website that’s hosted that’s meant to be community based, and there is a public kind of Creative Commons-like license surrounding it all.

Amrit Williams: Does Verizon support services like, let’s say somebody wants — has questions about the report itself or wants to somehow participate and they are not using Verizon for forensics or investigations, how can they get involved?

Alex Hutton: The first thing to do would be send us an email. There is an email of DBIR, Data Breach Investigations Report, so dbir@verizonbusiness.com, and that will get to the risk team.

Amrit Williams: Well, that’s fantastic! This has been a pleasure to have you on Alex. Hope that I can have you on again, and hopefully we can meet each other sometime face-to-face, seeing that we know each other.

Alex Hutton: I would really like that. Thank you again for having me on. I hope this was useful to you and to your listeners.

Amrit Williams: It absolutely was. You were a pleasure to have on. Thanks a lot Alex.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
