Sunday, June 24, 2012

America The Vulnerable

America The Vulnerable, “Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare” by Joel Brenner provides a broad picture of the cybersecurity issues of the early 21st century. In many cases the facts presented are not new, but Brenner has the ability to put them in context and provides an excellent look at the big-picture implications of those facts.
Joel Brenner is a former senior counsel at the National Security Agency with extensive experience in counterintelligence. This background allows Brenner to describe in detail the structural and procedural challenges that the US government and industry face in dealing with the threats.
The book roams across the entire cybersecurity landscape. Brenner describes the economic and political motivations of other nations and how those motivations lead them to do the things that they do. He gives particular attention to China, providing documented sources that describe its objectives, motivations, and tactics.
Brenner presents a speculative case study on how a cyberattack from China might be used to gain leverage in a diplomatic standoff over Taiwan. It is an interesting take that differs from the many fear-mongers predicting a cyber apocalypse; instead it offers a practical description of how our weaknesses could realistically be used against us.
One of the key points made is that the increasing transparency due to electronic information leads to reduced secrecy for governments and reduced privacy for individuals.
In addition to the excellent survey of the challenges related to information security, Brenner offers prescriptions that both the government and the private sector can take to deal with the threats.
For the U.S. government, these include:
  • Use federal purchasing to enforce higher security standards.
  • Forbid federal agencies from doing business with ISPs that host botnets, and publish the list of such companies.
  • Remove anti-trust considerations to allow US firms to collaborate and share information on security.
  • Require Internet service providers to notify customers whose machines have been infected by a botnet.
  • Use regulations to stop utilities from connecting industrial control systems to public networks.
  • Use the tax code to change behavior.
  • Increase research into attribution techniques and identity standards.
  • Increase research into verifiable software and firmware, and the benefits of moving security directly into hardware.
  • Increase research into an alternative Internet architecture.
  • Require disclosure of risks for utilities in bond documents.
  • Toughen public audit standards for cybersecurity.
  • The US should engage like-minded democratic governments in a multilateral effort to make Internet communication open and secure.
The recommendations for the private sector, summed up as “clean up your act,” include:
  • Control what’s on your system.
  • Control who’s on your system.
  • Protect what’s valuable.
  • Patch rigorously.
  • Train everybody.
  • Audit for operational effect.
  • Manage overseas travel behavior.
This is a very good overview for people outside the information security world, and an excellent reference for practitioners as well, as Brenner does not dive into the weeds yet provides a compelling view of the world today.

Saturday, June 9, 2012

Tackling ArcSight Express Configuration

The ArcSight SIEM platform is extremely powerful and capable of correlating an amazing amount of information. That volume of information can overwhelm people who are just getting started and trying to get value out of the solution. Here are some general thoughts on how to approach this challenge.
  1. Decide which use cases you want to implement first. Proceed one use case at a time (I am using the term generically, not in the ArcSight-specific sense) so that you are not trying to boil the ocean.
  2. Decide which event sources must be sent to Express / ESM for that use case.
  3. Configure the SmartConnector software to send all of the data from those devices to the Logger, or straight to Express, depending on your architecture.
  4. Once events are flowing into Express, set up an Active Channel, review the event types you are receiving from those sources, and determine:
    • Which events are irrelevant, and filter them out on the connector and/or Logger.
    • Which events are just as useful when aggregated, and set up aggregation rules for them on the connector (firewall connections, for example).
  5. Check that those event sources are categorized correctly so that they can use the standard content from ArcSight.
  6. Now that filtering and aggregation are in place for those event sources, work on the rules and content that deal with that use case.
Once the security issues covered by that use case are being handled correctly, move on to the next use case and repeat the process.
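As an added illustration of step 4 (not ArcSight's own configuration syntax or code), the following Python script simulates what connector-side filtering and aggregation do to a firewall feed: it parses a handful of constructed CEF-style lines, drops a signature id deemed irrelevant, and collapses repeated connection events into counts keyed on source, destination, port and action. The signature ids, addresses and the IRRELEVANT_SIGS / AGG_FIELDS rules are all assumptions made up for the example.

```python
import re
from collections import OrderedDict

# Constructed CEF-style events standing in for what a firewall SmartConnector
# would forward; six raw events, only two of which are distinct connections.
SAMPLE_EVENTS = """\
CEF:0|Vendor|FW|1.0|100|connection accepted|3|src=10.0.0.5 dst=203.0.113.9 dpt=443 act=accept
CEF:0|Vendor|FW|1.0|100|connection accepted|3|src=10.0.0.5 dst=203.0.113.9 dpt=443 act=accept
CEF:0|Vendor|FW|1.0|100|connection accepted|3|src=10.0.0.5 dst=203.0.113.9 dpt=443 act=accept
CEF:0|Vendor|FW|1.0|101|connection denied|5|src=198.51.100.7 dst=10.0.0.20 dpt=22 act=deny
CEF:0|Vendor|FW|1.0|900|link state change|1|src=10.0.0.1 dst=10.0.0.1 dpt=0 act=info
CEF:0|Vendor|FW|1.0|101|connection denied|5|src=198.51.100.7 dst=10.0.0.20 dpt=22 act=deny
"""

CEF_HEADER = re.compile(
    r"^CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<ext>.*)$"
)

# Assumed filter rule: signature ids no use case consumes (link-state noise here).
IRRELEVANT_SIGS = {"900"}
# Assumed aggregation rule: events identical on these fields become one counted event.
AGG_FIELDS = ("src", "dst", "dpt", "act")


def parse_cef(line):
    """Split one CEF line into header fields plus key=value extension pairs."""
    m = CEF_HEADER.match(line)
    if not m:
        raise ValueError("not a CEF line: %r" % line)
    ev = m.groupdict()
    # Extension values in the constructed sample contain no spaces.
    ev.update(kv.split("=", 1) for kv in ev.pop("ext").split())
    return ev


def filter_and_aggregate(raw):
    """Apply both connector-side rules; return (dropped_count, {key: count})."""
    dropped = 0
    agg = OrderedDict()
    for line in raw.splitlines():
        ev = parse_cef(line)
        if ev["sig"] in IRRELEVANT_SIGS:
            dropped += 1          # filtered out before it reaches Logger/Express
            continue
        key = tuple(ev[f] for f in AGG_FIELDS)
        agg[key] = agg.get(key, 0) + 1   # repeated connections collapse to a count
    return dropped, agg


if __name__ == "__main__":
    dropped, agg = filter_and_aggregate(SAMPLE_EVENTS)
    print("dropped:", dropped, "forwarded:", len(agg))
    for key, count in agg.items():
        print(count, "x", dict(zip(AGG_FIELDS, key)))
```

Running it shows six raw events reduced to one dropped and two aggregated events, which is the kind of volume reduction the connector rules are meant to achieve before the remaining events hit the correlation content.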