THE MAGIC OF SYMBIOTIC SECURITY Creating an Ecosystem of Security Systems

DAN CORNELL

¢ Founder and CTO of Denim Group

¢ Software developer by background (Java, .NET, etc)

¢ OWASP San Antonio, Global Membership Committee

2

JOSH SOKOL

¢  Information Security Program Owner at National Instruments

¢ Chair of the OWASP Global Chapters Committee

¢ Co-Chair of OWASP AppSec USA 2012 (October 23-26 in Austin, TX)

BUSINESS REQUIREMENTS

¢ We need an Intrusion Prevention System (IPS). ¢ We’ve budgeted $50,000 for it. ¢ Get us the best tool for our money.

How would you evaluate for purchase?

3RD PARTY REVIEWS

¢ Overall Ranking from SC Magazine Feb. 2011

1)  McAfee – 5 stars 2)  NitroGuard – 5 stars 3)  Top Layer Security – 5 stars 4)  Sourcefire – 4 stars 5)  CounterSnipe – 4 stars

INDUSTRY RANKINGS

1) McAfee 2) Sourcefire 3) HP 4) Cisco 5) IBM

COST

¢ Lowest cost from SC Magazine Feb. 2011

1)  CounterSnipe - $500/site 2)  NitroGuard - $6,495 3)  Sourcefire - $8,995 4)  McAfee - $10,995 5)  Top Layer Security - $12,495

FEATURES

ü  Zero-day threat protection ü  Inline protecting ü  Passive monitoring ü  Support for custom policies ü  Real-time alerting ü  Central management ü  Compliance grade reporting ü  High availability

THE INHERENT PROBLEM

¢  3rd Party Bias ¢  Incomplete Industry Rankings ¢ Cost is ALWAYS Negotiable ¢ Features are commodity

TOOLS ARE EVALUATED BASED ON CLASS FEATURES; NOT ON ENTERPRISE VALUE.

Fir

ewal

l

IPS

NA

C

Mal

war

e A

nal

ysis

Vu

lner

abil

ity

Mgm

t

ü Proprietary Protocols

ü “Greedy” Platforms

ü Tools Working in Silos

ü Duplication of Functionality

GAUGING ENTERPRISE VALUE Separating the Wheat from the Chaff

CONSUMER CAPABILITIES ü Events ü Alerts ü SNMP ü Syslog

CONSUMERS CAN BE “GREEDY”

Exploitation – Parasitism. The leech gains food and nutrients, but the host gains nothing from having a leech suck its blood.

PROVIDER CAPABILITIES ü Open API ü Open DB ü Data Export

SYMBIOTIC SECURITY

You can assemble an arsenal of best-in-breed tools that work together. Even smaller purchases can have a large impact.

SYMBIOTIC SECURITY IS NOT

¢ A piece of hardware or software you can purchase.

¢ A ranking system for vendors.

¢ A label you can slap on your new product.

SYMBIOTIC SECURITY IS

¢ A philosophy on how you evaluate purchases.

¢ A concept for creating an ecosystem of security systems.

¢ A means of making the tools we invest in more valuable to us.

BEWARE OF PSEUDO-SYMBIOSIS

¢ Single vendor with multiple product offerings that work together.

¢ Gives symbiotic functionality, but only within that vendors tool set.

¢ True Symbiotic Security is about being able to hand-pick your toolset and have them work together regardless of brand.

SECURITY TOOLS And Their Classifications

DATA IN SILOS

¢ Reputation data: Do I trust the source? ¢ Attack data: How am I being attacked? ¢ Vulnerability data: What attacks are my systems

vulnerable to? ¢ Asset data: What versions of O/S and software

am I running? ¢  Identity data: Who is using my systems? ¢ Data classification: Who should have access to

what?

DATA IN SILOS (CONT)

¢ Trust hierarchy: Who do I trust and who trusts me?

¢ Authentication data: Do I have access? ¢ Authorization data: What can I access? ¢ QA data: What has been tested? ¢ Trust boundaries: Is data crossing between two

trust levels?

MAGIC HAPPENS

¢ Should I accept packets from random IP X?

�  Reputation data �  Attack data �  Vulnerability data �  Asset data �  Trust boundaries

MORE MAGIC

¢ Should I allow random person X to download a file Y?

�  Data classification �  Reputation data �  Authentication data �  Authorization data �  Trust boundaries

EVEN MORE MAGIC

¢ With Symbiotic Security the possibilities are limited only by the security ecosystem you’ve put in place.

�  Creation of WAF rules based on attack data. �  Is a targeted exploit actually going to affect the

system? �  Should I allow a system on my network?

DEMAND SYMBIOTIC SECURITY

¢ Let vendors know up front that you will be evaluating the effectiveness of their tool based on: 1.  Other tools in your environment their tool can

consume data from. 2.  Other tools in your environment their tool can

provide data to. 3.  The net increase in security for your entire tool

ecosystem and not just their tools siloed functionality.

THREADFIX Symbiotic Security In Action

THREADFIX - OVERVIEW

¢ ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.

¢ Freely available under the Mozilla Public License (MPL)

¢ Hosted at Google Code: http://code.google.com/p/threadfix/

27

28

ThreadFix Consolidates reports so managers can speak intelligently about the status and trends of security within their organization

29

Vulnerability Import • Pulls in static and dynamic results • Eliminates duplicate results • Allows for results to be grouped

30

Real-Time Protection Virtual patching helps protect organizations during remediation

31

Defect Tracking Integration

• ThreadFix can connect to common defect trackers • Defects can be created for developers • Work can continue uninterrupted

THREADFIX - SYMBIOTIC

¢ Vendor-independent ¢ Ability to consume multiple technologies (SAST,

DAST, IDS/IPS, WAF) ¢ Ability to produce output that can be consumed

by other tools (RESTful API) ¢ Mapping vulnerability data with operational data

in a bi-directional way ¢ Prioritization based on actual attack data rather

than suppositions

SUBSET OF SECURITY TOOL INTERACTIONS

DEMO

VENDORS: PLEASE SUCK LESS

¢ ThreadFix was created to solve a problem that security tool vendors have created. �  Proprietary protocols �  Lack of APIs �  Lack of standards �  Play nice!

¢ Some have been very helpful

�  File format info �  Beta testing �  And so on

YOU KNOW WHAT WOULD MAKE ALL THIS WAY EASIER? ¢  Common data standards!

�  Scanning tools �  Event logs �  And so on…

¢  Current efforts: �  MITRE Software Assurance Findings

Expression Schema (SAFES) ¢  http://www.mitre.org/work/tech_papers/

2012/11_3671/

�  OWASP Data Exchange Format Project ¢  https://www.owasp.org/index.php/

OWASP_Data_Exchange_Format_Project

36

SIMPLE SOFTWARE VULNERABILITY LANGUAGE (SSVL) ¢  Common way to represent static and dynamic scanner

findings ¢  Based on our experience building importers for

ThreadFix �  It “works” for real-world applications because we are

essentially using it

¢  Love to hear feedback �  Send me a request and I can share the document for

editing/annotation

¢  Online: �  https://docs.google.com/document/d/

1H5hWUdj925TtoZ7ZvnfHdFABe7hBCGuZtLUas29yBGI/edit?pli=1

�  Or http://tinyurl.com/cslqv47

37

SIMPLE SOFTWARE VULNERABILITY LANGUAGE (SSVL)

38

VENDORS WIN TOO

¢  Industry vetted standards for communication ¢ Niche products with enterprise functionality ¢ Maximize R&D time and money ¢ Vendors can excel where it matters the most

IDEAS TO FURTHER THE CAUSE

¢ Speak with Gartner about adding symbiotic characteristics to their evaluation criteria.

¢ Create a list of tools with symbiotic characteristics.

HELP US HELP THE COMMUNITY

¢ http://www.symbioticsecurity.com/

QUESTIONS

42

Josh Sokol josh.sokol@ni.com Twitter: @joshsokol www.joshsokol.com www.webadminblog.com

Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com www.denimgroup.com/

threadfix code.google.com/p/

threadfix (210) 572-4400