Security Summer 2014

This summer is shaping up to be rather action packed.

Conferences:

  • BSides Pittsburgh is June 6th.  I’m organizing this one, so hopefully it is good.
  • BSides Cleveland is in July.  I had attended the last one in 2012.  I’m a little concerned about it being in a bar.  I’ve heard negative things about ThotCon primarily being a drinking event rather than a learning event.  In any case, I will be attending.
  • BSides Las Vegas is in August.
  • DEFCON is in August.

Local News:

Pittsburgh should be interesting this summer.  First was the report that Alcoa, ATI, U.S. Steel, USW, and Westinghouse were all breached in 2010.  Now there is a report that UPMC was breached.  The banks were poaching talent and buying technology last year during Operation Ababil.

Major Tech News:

I’m not convinced Heartbleed is as big of a deal as the rest of the community is making it.  Everything internet accessible that matters should have already been patched by this point.  There will be vulnerable internal systems, but that is just another easy pivot for attackers to use.  Most networks already have plenty of easy pivot points, adding some more doesn’t seem to significantly change the landscape.

I think Windows XP will be the big issue.  Sure, Microsoft has patched some vulnerabilities, but I predict more this summer.  Dropping malware on Windows XP systems this summer is going to be the big thing.  This gets you into the network.

Building Up Security

Why is it so hard to properly build a security team?  I’ve witnessed both ways of failing to build one.

First was a case of more people but no tools.  The team was extremely bored and created work to make themselves busy.  Very few people seem to want to spend all day viewing logs in security.  The group obsessed over Big Brother activities.  Instead of worrying about security, they worried about employee behavior.  I’m sure HR was happy, but the organization was by no means any more secure.

Second was more technology but no people.  Technology was acquired and placed on the network.  There weren’t people to properly implement or manage it.  Sure, there are more firewalls on the network, but are they protecting anything?  Not with any-any rules.  Placing network sensors but ignoring the alerts doesn’t make the network any more secure.

Why is it so hard to get approval for people and technology?  Every time I start hearing a company is amping up its security presence, I have concerns over what it is actually doing.

State Of My Splunking

I love Splunk.  I run it at work and I run it at home.  For the most part, Splunk just works.  This post will serve as a warning for others looking to deploy Splunk professionally.

I was initially running it at home prior to running it at work.  Offering 500 MB/day for home users is awesome.  Between free Splunk, free Nessus, Bro, and DD-WRT, I feel like I’ve got a pretty nice setup at home.  This blog post will continue to be updated as my Splunk instances are updated.

Issues / Observations

  • The Splunkbase Apps are mostly garbage.  I use the Technology-Addons a bunch, but most of the dashboards provide me little value.  I was warned that I’ll likely be building all my own Dashboards and Views, but I didn’t believe anyone.  I should have listened.
  • If you don’t already have logs going to a syslog server or some sort of log aggregation system, you are doomed.  No one seems to be able to estimate their log volume, myself included.
  • Some systems have really terrible logs.  Cisco’s logs are all over the place.  Each module in the ASA has a wildly different logging format.  You’d think Cisco would try to implement uniform logging across their platform.  Microsoft DNS logs are another example.
  • If you are integrating multiple instances of a system, but each owned by someone else, expect pain.  I’ve got some admins that prefer an agent while others prefer WMI.  I’ve got some Linux admins that would prefer to FTP me logs while others like syslog.  I’ve got some admins that prefer log format A while others prefer format B.
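The ASA complaint above is the one that bites hardest in practice: the connection-setup module, the ACL module and the NAT module each describe the same source/destination tuple in a different sentence shape, so a single field extraction never works.  The usual fix is to key the extraction on the six-digit message ID and normalize every message into one event shape, counting whatever you cannot parse so the gaps stay visible.  What follows is an added example written for this post (it is not the author's code and not a Splunk TA); the message IDs 302013, 106023 and 305011 are real ASA messages, but the sample lines are constructed by hand from their documented shapes, the syslog timestamp layout is an assumption, and only those three messages are covered.

```python
"""Normalize a few Cisco ASA syslog message types into one event shape.

Added example (not the blog author's code).  Sample lines are constructed
following the documented shapes of ASA messages 302013 (TCP connection
built), 106023 (ACL deny) and 305011 (NAT translation built); the hosts,
addresses, ports and timestamps are invented.
"""
import re

# Syslog header assumed to precede every ASA message: "Mon DD HH:MM:SS host %ASA-<sev>-<id>: body".
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# One body pattern per message ID: each ASA module phrases the same
# interface:ip/port tuple differently, so the ID selects the grammar.
BODIES = {
    # 302013: Built {inbound|outbound} TCP connection N for IF:ip/port (ip/port) to IF:ip/port (ip/port)
    "302013": re.compile(
        r"Built (?P<direction>inbound|outbound) (?P<proto>TCP) connection (?P<conn>\d+) "
        r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
        r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
    ),
    # 106023: Deny PROTO src IF:ip/port dst IF:ip/port by access-group "NAME" [0x.., 0x..]
    "106023": re.compile(
        r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
        r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
        r'by access-group "(?P<acl>[^"]+)"'
    ),
    # 305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from IF:ip/port to IF:ip/port
    "305011": re.compile(
        r"Built (?P<kind>dynamic|static) (?P<proto>TCP|UDP|ICMP) translation "
        r"from (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
        r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    ),
}

# Which kind of thing each message records, so searches can filter on one field.
EVENT_TYPE = {"302013": "connection", "106023": "deny", "305011": "nat"}


def parse_asa(line):
    """Return a normalized dict for a known ASA message, or None if unparsed."""
    m = HEADER.match(line)
    if not m:
        return None
    body_re = BODIES.get(m["msgid"])
    if body_re is None:
        return None  # module we have no grammar for yet
    b = body_re.match(m["body"])
    if not b:
        return None  # known ID but the body drifted from the expected shape
    g = b.groupdict()
    return {
        "ts": m["ts"],  # syslog timestamps carry no year; kept as text here
        "host": m["host"],
        "severity": int(m["sev"]),
        "msgid": m["msgid"],
        "event_type": EVENT_TYPE[m["msgid"]],
        "proto": g["proto"].lower(),
        "src_if": g["src_if"], "src_ip": g["src_ip"], "src_port": int(g["src_port"]),
        "dst_if": g["dst_if"], "dst_ip": g["dst_ip"], "dst_port": int(g["dst_port"]),
        "acl": g.get("acl"),  # only the ACL module names the rule that fired
    }


def normalize(lines):
    """Parse every line; return (events, unparsed) so coverage gaps are visible."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_asa(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


# Constructed sample input: three known messages and one unknown module.
SAMPLE_LINES = [
    "Jun  6 09:15:01 asa-edge %ASA-6-302013: Built inbound TCP connection 71834 "
    "for outside:203.0.113.5/51822 (203.0.113.5/51822) to inside:192.0.2.10/443 (192.0.2.10/443)",
    'Jun  6 09:15:02 asa-edge %ASA-4-106023: Deny tcp src outside:203.0.113.77/4455 '
    'dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "Jun  6 09:15:03 asa-edge %ASA-6-305011: Built dynamic TCP translation "
    "from inside:192.0.2.10/50123 to outside:198.51.100.1/50123",
    "Jun  6 09:15:04 asa-edge %ASA-6-999999: some module nobody has written a grammar for",
]

if __name__ == "__main__":
    evs, rest = normalize(SAMPLE_LINES)
    for ev in evs:
        print(ev["event_type"], ev["src_ip"], ev["src_port"], "->", ev["dst_ip"], ev["dst_port"])
    print("unparsed:", len(rest))
```

The point of returning the unparsed lines rather than silently dropping them is the same as the point about ignored sensor alerts earlier in the post: a parser that quietly skips the fourth line above would make the ASA look fully covered when it is not.  In a real deployment the `unparsed` count per message ID is the work queue for the next grammar to write.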