
Joe Gottlieb - Security Intelligence Solutions Blog

The Growing Trouble with Trust

Posted: November 4, 2011 at 5:25 am | by Joe Gottlieb

The recent news about Socialbot attacks confirms what most of us feared…that social networks are drunk with growth and not maintaining security practices commensurate with the attractiveness of their assets. At the heart of this threat, sadly, lies the human desire to trust – which has become “semi-automated” in social networks.

Social fabrics boil relationships down to simple transactions. By simply “liking” something, or “friending” someone, you create automated associations that lead to interactions – both good and bad. Social communities work on the notion of “automated trust”: the assumption that by taking those actions, you are prepared for all of the related consequences. What’s more: in your social environment, your guard is down (for the most part). You trust that the information you are receiving is relevant and safe (sent by a friend, or because you “liked” something).

These trust mechanisms will make it very easy for the new frontier: mass-customized cyber-crime.

Social media vendors have enjoyed the ability to serve very indulgent communities, and only recently have they become concerned with increased controls and security. It will be critical for these proprietors to take a continuous design improvement approach to their security practices. They will need to protect social networks with the same technology, people and process used by enterprises and government agencies, particularly large scale event collection, filtering and analysis.

It will also be their responsibility to educate users on the increasingly granular controls that are available, and enforce safe techniques in their community. I am speculating that the average participant does not fully understand or leverage the granular controls available in many online services. It’s important to determine what trust level users want to exhibit, and then recognize that, outside of the sphere they create, everything else they share is available to the public.

We will be hearing more about Socialbots in 2012…



SEC Order to Report Potential Data Breaches

Posted: October 14, 2011 at 11:23 am | by Joe Gottlieb

Is this realistic guidance or just the illusion of concern?

The US Securities and Exchange Commission just announced an order for organizations to disclose even “potential” data breaches.

We have always known that a large percentage of breaches are NOT disclosed. A letter sent to the US Securities and Exchange Commission by several US Senators in May 2011 cites a study by Hiscox showing 38% of Fortune 500 companies made a significant oversight - failing to report a breach of some sort.

We believe the number is much higher - and there are several reasons for this:

  • In many cases, an organization is not even aware of a breach until they are contacted by a 3rd party
  • In some cases, the organization impacted can’t track back how the information was placed at risk, or the events that took place which caused the breach
  • Overall, the language governing breach notification requirements is vague - so it leaves the decision to each organization to interpret/decipher

That’s what makes the SEC order to now require companies to disclose even “potential” breaches even more interesting. It intends to hold organizations accountable, not just when a breach occurs, but even in cases where one is suspected. This will be tricky. If a large percentage of organizations don’t disclose SUCCESSFUL breaches, does expanding the requirement to cover breaches that may have happened seem possible?

It requires the SEC to provide very specific guidance and stronger definition of breach reporting requirements, several layers deeper than it has been defined in the past. Here are just a few of the challenges they will need to address:

  • What is the definition of a breach? Is it when information is taken, or is it the nature of the information?
  • How does one recognize a potential loss? As we have seen in several recent cases, a server may have been accessed by unauthorized users, but no data was stolen. Does that still count?
  • What, if any, checks and balances can be put in place with external organizations to identify unreported risks? Will those external organizations perform solid diligence before raising a red flag? Will they report the potential breach to the impacted organization first or directly to a governing body?
  • What guidelines will be used to ensure companies are adequately assessing and mitigating these risks?
  • How will the increased reporting be resourced? Who takes the hit for false alarms?
  • What are the penalties if a “potential” risk is not reported, but discovered through other means?

Again, a very interesting move - and one that needs to be taken seriously by proactive security practitioners who don’t want to be whiplashed by false alarms and panic. Collecting, storing and analyzing massive amounts of data is one piece of the equation. The other is implementing a methodical approach to security event management. Here are just a few things to consider:

  • Implement a combination of real time and long-range security information and event management - neither of these alone will catch every potential risk
  • Collect data consistently - across the entire threat landscape. Focusing on just the network or endpoint will not be useful since breaches today impact multiple vectors
  • Correlate/analyze that data methodically. Stove-piped analysis will not catch clever insiders or external attackers. Set thresholds, then look for variances and outliers
  • Do all of the things you are already doing, in the way of security monitoring - just track it all so you can prove a non-event later

These are just a few of the points to think about…and again, I don’t think of this SEC guidance as game-changing. It just puts additional tension on already resource-constrained security teams to be more diligent in security event management. Read a few more best practices you should consider to make this easier…



Executive Order on Insider Threats

Posted: October 12, 2011 at 2:00 am | by Joe Gottlieb

Real Progress Being Made…With Big Data Challenges Ahead

President Obama issued an executive order which establishes an Insider Threat Task Force to prevent potentially damaging and embarrassing exposure of government secrets or classified information, such as those made public by WikiLeaks. In my opinion, this is a huge step in the right direction – providing both a framework for building out agency programs and specifics for cross-agency, centralized guidance and assessment of progress being made to address this threat.

Key takeaways:

1) Major responsibility lies with agencies, who will have to build and maintain a solid program for protecting against Insider threats…of course, within the boundaries of the usual data policies and privacy regulations. Two major requirements include:

  • The identification of a senior official who is accountable for the program and compliance
  • That agencies complete self-assessments to ensure compliance

2) An Insider Threat Task Force will be put in place to identify necessary and standard technologies required to achieve progress in detecting Insider Threats

3) A Steering Committee will be put in place for information sharing and safeguarding

4) The DOD and NSA are named as the key executive agents for the Executive Order – providing oversight, developing processes for auditing progress, and establishing policies for compliance

This is all encouraging – but let’s peel back the technology involved in situational awareness and the detection of an insider attack. In order to watch where people are going, what information they are accessing and what they are doing with it, you have to collect lots of data. For a single government agency, this is no small task: thousands of government personnel, with incredibly complex access rules/permissions based on the missions or programs they are on.

What makes matters even more complex is that typical insider attacks occur over extended periods of time: whether it is because the insider moves slowly to avoid detection all along, or because they stumble on an opportunity and gain confidence to capitalize on it over time. In order to effectively detect these long-lead attacks, data has to be collected and retained for longer periods of time.

How can security teams identify which user profiles and activities, buried in this vast landscape of event data, are worth noting, isolating and investigating?

Two things are clear:

  • A combination of both real-time incident alerting AND longer-range forensic technologies are required
  • An open approach to sharing security intelligence will accelerate learnings across the board

Both of these validate the Sensage architecture and approach. Our event data warehouse was built to deal with massive data collection and processing requirements, and our open access to the data allows for sophisticated and rapid analysis of suspicious events.

Sensage is already providing key technologies to government agencies and contractors, and this Executive Order should catalyze further focus on this critical problem. Be sure to check out SensageTV for my current perspective, and look for more as we watch this important new development!



Citibank’s Breach – Textbook Damage Control

Posted: June 9, 2011 at 9:54 am | by Joe Gottlieb

Full disclosure: I am still coming up to speed on this. As the news was breaking this morning I received a tweet from Dark Reading behind which was a great summary of what’s known so far. Based on what I know so far, I would say that Citibank demonstrated some great practices in dealing with this breach.

First – Citibank was aware of the problem and came forward with a proactive message before some other source could expose them and create an immediate cycle of reactive statements and backpedaling. When you come forward on your own, you set the tone for the entire story.

Second – Citibank had facts and disclosed them effectively. They were able to state that sensitive information was not breached (no social security numbers, dates of birth, card expiration dates or card security codes CVV were compromised). They put the size of the breach in perspective, taking the potentially high impact of a 200,000 account breach and minimizing it by declaring that it represents only 1% of their North American accounts. Translation: Citibank is huge, we serve lots of customers, and this breach impacted only a tiny portion of those customers.

Third – Citibank noted that routine monitoring of their systems identified the breach so that they could take immediate action. This is the sort of proactive monitoring that I’ve been talking about. Citibank is not a client of SenSage, but that won’t prevent me from recognizing their effective practices in this domain : ) But seriously, this “self discovery” and the way it was disclosed (with the credibility of detailed facts) is critical because it gives us consumers more confidence that Citibank really was using the time between breach and disclosure to understand what was going on, minimize the impact and shift to open communication when the time was right for all parties.

Fourth – Citibank supplied guidance on how to be on the alert for phishing attacks looking to exploit this event with or without actual compromised data. They also made it clear that they are contacting impacted customers and undoubtedly are supplying the usual post-breach benefits such as credit monitoring. This last part is the most mundane and easiest to get right, but it’s only appreciated if you’ve done the harder stuff beforehand as noted above.

Breaches are not good. But there’s a right way and wrong way to handle them. Citibank executed pretty textbook if you ask me. And in this day where breaches are raining down on us almost daily, Citibank could actually gain on this event over time.



Balancing digital lifestyles, necessary law enforcement and personal privacy

Posted: May 26, 2011 at 4:06 pm | by Joe Gottlieb

Around the world, we see increasing requirements for communications service providers to maintain and provide intelligence about their users. Yesterday, a bill was introduced in the U.S. House of Representatives that would require Internet service providers to retain subscriber IP address information for up to eighteen months. The stated goal of this legislation is to assist federal law enforcement in investigations into online child pornography and child exploitation cases. This is certainly a worthwhile endeavor, but the same effort could also be leveraged to assist in cyber-crime and cyber-terrorism cases.

The European Union has had this form of legislation in place since 2006 (Directive 2006/24/EC), and SenSage has helped more than twenty service providers comply with it by storing call detail record (CDR) data for up to two years as required by law. These systems have profoundly reduced the turnaround time for subpoenaed data pertinent to cyber-crime and cyber-terrorism investigations…in some cases from months to minutes or even seconds. What was a best-effort process with unpredictable results is now a proven process that law enforcement can anticipate and leverage in the context of its established checks and balances, such as the subpoena process.

For the largest service providers, this means collecting billions of CDRs per day, managing petabyte-level data stores and processing thousands of queries per month with specific response time requirements. This is no small feat and leverages patented technology from SenSage, but in most cases the companies were keeping this data anyway and are now better organized in the way that they manage it.

Meanwhile, society benefits as the digital age rockets forward and law enforcement keeps pace…without slowing it down.

The newly pending legislation in the U.S. is an encouraging step towards achieving a better balance between digital lifestyles, necessary law enforcement and personal privacy. The U.S. can learn from the example set by the EU…perhaps even leapfrog it!
