April 19, 2009
As I’ve previously noted I’m on the advisory board for Triumfant (I’m at this page). I’m hoping all CTO types will check out this company (and I’m also hoping you don’t mind me blogging about a company I’m advising. After all, I’m associated with them because I believe they are a world-class outfit with a great capability).
In this post I want to bring your attention to a Triumfant press release. It is an announcement that Triumfant now provides real-time malware detection and remediation. Triumfant has long been the leading capability for discovering unexpected changes to computer endpoints, but with their new Triumfant Resolution Manager they build on that ability to deliver zero-day malware protection.
Alexander, Computer Security, Cyber Initiative, Cyber War, CyberTrust, Enterprise, Hathaway, Identity Management, Network Security, NSA, Triumfant |
Posted by Bob Gourley
April 18, 2009
I just read an article that seems designed to keep spreading FUD (Fear, Uncertainty, Doubt) about the US government and the NSA. The article is titled “Control of Cybersecurity Becomes Divisive Issue”. It starts with an assertion stated as if it were a fact: “The National Security Agency has been campaigning to lead the government’s rapidly growing cybersecurity programs”.
I bump into all sorts of people in the Beltway, and there is a huge amount of buzz regarding cyber. There is also a huge amount of pontification and rumor and hype, and I think Risen and Lichtblau have fallen for some of that.
chief technology officer, Computer Security, Cyber Initiative, Cyber War, CyberTrust, DHS, DNI, Hathaway, Network Security, ODNI |
March 23, 2009
The last 12 months have seen a significant amount of progress in our nation’s awareness of cyber threats and in our collective actions to address the security of our IT systems. However, a huge amount of work remains to be done.
In a cyber context, the situation is a little like the one Winston Churchill described when he said: “This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.” We in the cyber world have taken some serious blows, and we are shoring up our defenses. But there is a long, long way to go before our objectives are met.
With this post I want to provide a snapshot of some of the progress of late.
1) CNCI: The Comprehensive National Cybersecurity Initiative provided a kickstart to many elements of the federal enterprise and facilitated coordinated action by multiple agencies. It was also an important evolution for Congress. The changes to the federal budget and the intentions of agencies were very positive. It is my opinion that the CNCI made a lasting positive difference in reducing unauthorized access into the federal enterprise and in enhancing the resiliency of our systems. For more info see:
2) The CSIS report and related actions/studies: This 8 Dec 2008 report is the result of hard work and collective study by some of the best brains in the cyber security world. Commissioners on the study are a who’s-who of security, and the quality of this report is a direct reflection of that fact. The report offers recommendations on multiple hard areas and should be referenced by anyone making decisions in the IT arena. A recent related development is the posting by SANS of the Consensus Audit Guidelines. This is a fantastic step towards providing guidelines for enhancing security and functionality.
Computer Security, Cyber Initiative, Cyber War, Hathaway, Network Security |
March 3, 2009
Followers of the cyber initiative and its related work have been strongly encouraged by the kickoff of a 60 day study tasked by the White House and led by Melissa Hathaway. Melissa was named by President Obama to conduct this review. As has been reported here in previous posts Melissa is one of the most effective, efficient senior executives in public service, and I have no doubt she will execute this task in a way that benefits the nation.
As an update, the White House blog posted an entry on this study today. It reads as follows:
QUOTE:
White House Blog
Monday, March 2nd, 2009 at 11:14 am
Cyber review underway
John Brennan, Assistant to the President for Homeland Security and Counterterrorism, passed along this update about the ongoing review of our nation’s communications and information infrastructure.
In response to President Obama’s direction, the National Security Council and Homeland Security Council are presently conducting a 60-day review of the plans, programs, and activities underway throughout the government that address our communications and information infrastructure (i.e., cyberspace). The purpose of the review is to develop a strategic framework to ensure that our initiatives in this area are appropriately integrated, resourced and coordinated both within the Executive Branch and with Congress and the private sector.
Our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated. Safeguarding these important interests will require balanced decision making that integrates and harmonizes our national and economic security objectives with enduring respect for the rule of law. Guided by this principle, the review will build upon existing policies and structures to formulate a new vision for a national public-private partnership and an action plan to: enhance economic prosperity and facilitate market leadership for the U.S. information and communications industry; deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to U.S. communications and information infrastructure; ensure U.S. capabilities to operate in cyberspace in support of national goals; and safeguard the privacy rights and civil liberties of our citizens.
The review will be completed by the end of April 2009. At that time, the review team will present its recommendations to the President regarding an optimal White House organizational construct to address issues related to U.S. and global information and communications infrastructure and capabilities. The recommendations also will include an action plan on identifying and prioritizing further work in this area.
Learn more about the administration’s Homeland Security priorities.
UNQUOTE
The fact of this White House blog entry is a huge signal that something has changed. Openness on this topic was unthinkable just months ago. We have also seen more direct work with industry groups on cyber, another positive step.
There is a great deal of work to be done in a very short amount of time. Whatever the result of this review is, I’m sure it will be first rate and I’m ready to support it fully. It is not often that I endorse something before it is done, but in this case I think it is the right thing to do. There are too many bad things happening because of poor security, and too much of the economy is hurting because of it.
For more on related topics see:
and
Computer Security, Cyber Initiative, Cyber War, Hathaway, Network Security |
February 24, 2009
Have you ever been sucked into the false debate over how much of the IT budget should be spent on security? I used to be all the time. Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.” That old-school formula may well be part of the reason we got into the mess we are currently in. It encourages the idea that security can be separated from the rest of IT. By my way of thinking, 100% of the budget goes to security and functionality, and that is the calculus.
Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to the functionality of IT. I try whenever possible to use the terms security and functionality in the same context just to underscore that point.
For example, the goal I continually push regarding security in the federal space is not just one dealing with security. I put it this way: “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.” Putting the goal this way also underscores that it is not security vs. functionality. Both need to increase.
This goal also cries out for metrics in security and functionality. For functionality there are many customer-focused survey methods that can help collect the right metrics. For security, I think one metric stands out above all others: detected unauthorized intrusions. There are many other important metrics for other dimensions of the security problem, but that one is key. So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly. If there were 50,000 detected intrusions in 2008, there should be fewer than 5,000 in 2010.
That is a dramatic goal. What makes me think it is achievable? In part the dramatic action being put in place today in the federal space. And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods. But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.
As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines. Details of this effort are at http://www.sans.org/cag/
The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance. These controls and metrics include:
Critical Controls Subject to Automated Measurement and Validation:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices Such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Training to Fill Gaps
The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them. The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.
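The first list above is the set of controls the guidelines say can be measured automatically. As an added illustration of what that measurement looks like in practice (example code written for this page, not the SANS guidelines’ tooling or the author’s own), the script below checks three of them against constructed inventory data: the hardware inventory (control 1), the software inventory (control 2) and dormant accounts (control 11). The MAC addresses, package versions, account names and the 90-day dormancy threshold are all assumptions; a real deployment would feed the same functions from a NAC or DHCP log, a package manager and last-login records.

```python
# Added example (not code from SANS or from the original post): automated
# measurement of three of the CAG controls listed above, run over constructed
# inventory data.  All device identifiers, package names, account names and
# the 90-day dormancy threshold are assumptions made for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass
class ControlResult:
    control: str
    findings: list

    @property
    def passed(self) -> bool:
        # A control passes its automated check when there is nothing to report.
        return not self.findings


# Constructed data standing in for a NAC/DHCP view of the network.
AUTHORIZED_HOSTS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
OBSERVED_HOSTS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:09"}

# Constructed data standing in for package-manager output per host.
APPROVED_SOFTWARE = {("openssh-server", "5.1"), ("httpd", "2.2.11"), ("bash", "3.2")}
INSTALLED_SOFTWARE = {
    "web01": {("openssh-server", "5.1"), ("httpd", "2.2.11"),
              ("bash", "3.2"), ("netcat", "1.10")},          # netcat is not approved
    "web02": {("openssh-server", "5.1"), ("httpd", "2.2.9"),  # unapproved version
              ("bash", "3.2")},
}

# Constructed last-login data (None means the account has never logged in).
LAST_LOGIN = {"alice": date(2009, 2, 20), "bob": date(2008, 10, 1), "svc_backup": None}
AS_OF = date(2009, 2, 24)
DORMANT_AFTER_DAYS = 90  # assumed policy threshold


def check_hardware_inventory(authorized, observed):
    """Control 1: anything seen on the wire that is not in the authorized list."""
    findings = [f"unauthorized device observed: {mac}"
                for mac in sorted(observed - authorized)]
    return ControlResult("1 Inventory of Authorized and Unauthorized Hardware", findings)


def check_software_inventory(approved, installed):
    """Control 2: any (package, version) pair on a host that is not approved.
    Matching on version too catches an approved package at an unapproved release."""
    findings = []
    for host, packages in sorted(installed.items()):
        for name, version in sorted(packages - approved):
            findings.append(f"{host}: {name} {version} not on approved list")
    return ControlResult("2 Inventory of Authorized and Unauthorized Software", findings)


def check_dormant_accounts(last_login, as_of, max_idle_days):
    """Control 11: accounts idle longer than the threshold, or never used at all."""
    findings = []
    for user, last in sorted(last_login.items()):
        if last is None:
            findings.append(f"{user}: never logged in")
        elif (as_of - last).days > max_idle_days:
            findings.append(f"{user}: idle for {(as_of - last).days} days")
    return ControlResult("11 Dormant Account Monitoring and Control", findings)


def measure_all():
    """Run every automated check and return the results keyed by control name."""
    results = [
        check_hardware_inventory(AUTHORIZED_HOSTS, OBSERVED_HOSTS),
        check_software_inventory(APPROVED_SOFTWARE, INSTALLED_SOFTWARE),
        check_dormant_accounts(LAST_LOGIN, AS_OF, DORMANT_AFTER_DAYS),
    ]
    return {r.control: r for r in results}


def summary(results):
    """One metric per control: the count of open findings, which is the number
    a continuous-monitoring dashboard would trend over time."""
    return {name: len(r.findings) for name, r in results.items()}


if __name__ == "__main__":
    for name, result in measure_all().items():
        print(f"[{'PASS' if result.passed else 'FAIL'}] {name}")
        for finding in result.findings:
            print(f"    {finding}")
```

Each check returns a ControlResult; the finding count per control is the metric to trend, and a control with zero findings passes. The software check compares (package, version) pairs rather than package names alone, so an approved package at an unapproved version still surfaces, which is the case that a name-only inventory misses.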
What should CTOs think about this guidance? As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.
The deeply respected community leader Alan Paller said it this way:
“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute. “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”
Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.
CCSA, CERT, chief technology officer, Cloud, Computer Security, CTO, Cyber Initiative, Cyber War, CyberTrust, Disruptive IT, FDCC, Hathaway, Identity Management, Information Warfare, Network Security, standards, Technology Leadership, Thin Client, Triumfant |
January 23, 2009
As I write this there is evidence that the Russians are once again attacking another country through massive denial of service attacks. For a recap with analysis you will not see elsewhere see The Kyrgyzstan Cyber Attack That No One Is Talking About.
This is not the first time that a major nation state has been accused of launching attacks like this. Russia has been implicated as responsible for two other large-scale attacks (Estonia and Georgia). In other investigations China has been implicated in sponsoring/supporting attacks designed to extract information. These are very serious high-end attacks that are hard to mitigate, but organized crime is also becoming increasingly capable, investing large amounts in R&D to allow their continued ability to sap resources through cyber theft. In a recent example a payment processing company called Heartland Payment Systems admitted its security system had been breached and millions of credit and debit card numbers were extracted.
I’ve previously written about the government’s response and many of us have been strongly supportive of the efforts and activities of Melissa Hathaway and the team of coordinators she assembled in government. Her approach has been viewed as very positive by all credible observers and it is good to know she will be continuing to work to make our nation safe in this area.
It was also good to see the approach of the Obama team posted on the Whitehouse.gov site. In a homeland security policy statement six key goals were articulated. They are copied below:
Protect Our Information Networks
Barack Obama and Joe Biden — working with private industry, the research community and our citizens — will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America’s competitive advantage, and advances our national and homeland security. They will:
- Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
- Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
- Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
- Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
- Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
- Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.
Another goal was in the Defense portion of the Whitehouse.gov site, which called for DoD to lead in operational defense. It reads:
- Protect the U.S. in Cyberspace: The Obama-Biden Administration will cooperate with our allies and the private sector to identify and protect against emerging cyber-threats.
My assessment of these seven goals: This is too important for us to kibitz on at all. Now is the time for us all to form up on these goals and execute. Collectively we have to move faster in all these areas if we are to lessen the impact of the thinking/changing/technologically advanced adversaries that face us. I only add that we should keep bold visions in mind. I really believe that security and functionality of IT are totally connected and should always be considered in the same breath. And both can be dramatically improved; this is not a zero-sum game where functionality is compromised by security. I believe our goal should be, as I’ve stated before, that the security and functionality of the federal enterprise will be improved by two orders of magnitude over the next 24 months. And I believe the cyber and CTO team of the new administration can deliver on that.
I also believe that DoD will continue to have a key leadership role in cyber, since increasingly that domain is being used by military adversaries and our own military must be able to operate with knowledge that their IT systems are safe from adversary attack.
More later.
Barak Obama, CCSA, chief technology officer, Cloud, Computer Security, Cyber Initiative, Cyber War, Enterprise, Hathaway, Network Security | Tagged: cyber |
December 8, 2008
If you are a technologist, please take a moment to download the PDF of the report by the U.S. Commission on Cybersecurity. This report, titled Securing Cyberspace for the 44th Presidency, is the best proclamation of the challenges of cyber I have read. It is also a roadmap that will help any trying to navigate these very tough issues.
I've been involved in things cyber for a long time. My deepest involvement began in December 1998, almost 10 years ago to the day. In all that time I've seen lots of studies and lots of papers and many treatments of the issues. But I've never seen one that captures the complexities and the need for specific actions as well as this one.
I'd really recommend you read every word, if you want to be considered literate in this field. But if it will be a little while till you get to it, here are some key points:
The three major findings are: 1) Cybersecurity is now a major national security problem for the U.S., 2) decisions and actions must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.
The report makes a few points about the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI). In general they give credit to that initiative and call it good. I agree; it is a great activity I've previously written about, led by one of the most effective people in government today, and it has done great work. But as the commission points out, the work of the CNCI is good but not sufficient.
The biggest shock for me in this study: the amount of funding for R&D on cyber security. I have been looking into the many activities underway, and maybe that look made me deceive myself into thinking it was a well-funded effort. According to the commission, however, total R&D funding in the federal government for cybersecurity is estimated at about $300 million, less than two-tenths of one percent of total federal R&D.
The report has a great section on identity management.
I am convinced the organizational approaches outlined in the study are the right ones as well. There is only one place in our government where we can lead solutions to this challenge. Where is that? Hey, read the report!
What else do I recommend CTOs do besides read the report? I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security. A few are here:
http://www.ctovision.com/2008/05/standards-organizations-ctos-should-track.html
AFCEA, Barak Obama, CCSA, CERT, chief technology officer, Computer Security, CTO, Cyber Initiative, Cyber War, CyberTrust, CyLab, DHS, DIA, Disruptive IT, DNI, DOD, Enterprise, FDCC, Hathaway, Identity Management, knowledge, microsoft, Network Security, ODNI, OMB, Open Source, R&D, standards, Sun, Sun Ray, Technology Leadership, Thin Client |
November 16, 2008
In May 2008 I provided an overview of Standards Organizations CTOs Should Track. Standards groups don't change that fast, so the list is still pretty much ok, but I was very light on industry consortia. Industry groups can play a large role in setting and implementing standards. Industry reps send the majority of thinkers to standards bodies and industry management decides what standards to follow or ignore. Tracking industry consortia can be very important to the CTO.
Since security is such a hot topic (see: The Future of Cyberspace Security and Melissa Hathaway Op-Ed on Cyber Security, for example) I wanted to point out one I think we should all watch: the Industry Consortium for Advancement of Security on the Internet, or ICASI.
CERT, chief technology officer, Cloud, collaboration, Computer Security, CTO, Cyber Initiative, Cyber War, Hathaway, IBM, Intel, microsoft, Network Security, standards, Technology Leadership |
November 5, 2008
There are several megatrends sweeping the technology industry today. Some of them are about to be accelerated.
I like to use five key topic areas to track megatrends in IT:
- Convergence and trend towards unified communications and user empowerment
- Globalization and increasing internationalization of IT and demographic shifts
- Increasing open development of software and hardware
- Power, Cooling and Space (PCS) impacting data centers and every place computing is done
- Increasing pace of technology development and probability of disruption
Over the past two months two major events have occurred which are impacting these trends.
The first was the collapse of Lehman Brothers and the resulting cascading effects on the financial industry. The impact on IT spending and the movement of more enterprises to grid/cloud computing because of that are still being assessed, but for some thoughts see: Wall Street Crisis
The second was the Presidential election of Barack Obama.
Adobe, AFCEA, Barak Obama, chief technology officer, Cloud, collaboration, Computer Security, CTO, CTO Principles, Current Affairs, Cyber Initiative, DHS, Disruptive IT, DOD, DoDIIS, Enterprise, Great CTOs, Hathaway, Identity Management, innovation, LinkedIn, microsoft, NIST, Open Source, opsware, Ray Kurzweil, SOA, Social Computing, Sun, Technology Leadership, The Future of Technology, Vision, Web 2.0 |
October 14, 2008
Below I'm going to post, in its entirety, the text of an e-mail I received from the ODNI notification service. The subject is an op-ed written by Melissa Hathaway, a senior leader who has been spearheading significant coordination action in the federal government (opinion: Melissa is perhaps the most effective SES-level leader in the US government today, IMHO).
I wanted to post this in its totality for a couple of reasons. One is that it is something all of us should read. Although I believe most readers of this blog will find no surprises in this op-ed, Melissa has a real talent for capturing information in easy-to-understand ways and I think we can all borrow lessons from the way she explains things.
AFCEA, CCSA, chief technology officer, CIA, Compliance, Computer Security, CTO, Cyber Initiative, Cyber War, CyberTrust, CyLab, DHS, Disruptive IT, DNI, DOD, Enterprise, Hathaway, Identity Management, Information Warfare, Network Security, NIST, standards, Sun, Technology Leadership, The Future of Technology, Thin Client, Triumfant, Web/Tech |