Getting your Perception right – Security and Collaboration
If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this for your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects.
Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for communication and exchange of relevant information about security incidents as well. In the case of national defence this also incorporates political means. Basically you have to extend the work of the local CERT teams to nations. This is the bigger picture, but there is a „smaller“ one, too. Rivalling banks have finally understood that some form of cooperation is necessary to combat networked threats to their customers. To quote from an article in the Wall Street Journal: „security officials from Wall Street financial firms, including Morgan Stanley and Goldman Sachs Group Inc., are expected to meet with researchers from the Polytechnic Institute of New York University to discuss the creation of a new type of center that would sift through mountains of bank data to detect potential attacks, people familiar with the situation said.“
So this is good news, right? Well maybe; it’s definitely a start. However you have make sure that your data describing your „normal mode“ of operation and everything out of the ordinary such as security incidents can be compared. This is one of the prime constraints that must be met otherwise you cannot compare or talk about security. You could use standardised formats for incidents (such as IODEF or similar ideas). The hardest problem is to acquire solid data for detecting anomalies. To stick to the financial sector: You cannot retrofit fraud detection by buying a sufficient amount of black boxes. You need to define metrics and have some idea what to look for, exactly you do when designing and deploying intrusion detection systems. If your data is crap to begin with, no one will turn this crap into gold – except the attackers you are trying to find.