23 Jun 2009 @ 1:59 AM 

Today I attended a local ISSA event, which featured a presentation by Marc Vael on Pandemic Continuity during Phase 6.

As you are all aware, the WHO has recently raised the pandemic alert for the Influenza A H1N1 strain to level six .

A pandemic can have an effect on your business, and it is worth looking at what you can do to mitigate that impact, but IMHO there are some caveats too.

While pandemic influenza is hot news, it is still an event that happens about every 50 years.  Let’s do some math, starting from the known pandemic casualty numbers. The Spanish flu (1918/19) killed 50 million people worldwide. There were 1,6 billion people alive at that time. That’s about a 3% mortality rate.  500.000.000 were actually infected, meaning 30%.  In our current day and time, about 2 billion people would be infected and an estimated 6.000.000 people would actually die from the disease.

Let’s see what impact this may have on our company … of 2000 employees.  600 may become ill, over a period of 2 years. Not everybody will get ill on the same day, not everybody will be absent for the same amount of time, but about 60 employees will not return to their desk after they became sick.  600 absentees for an average period of 2 weeks, that’s 6000 man-days lost. At $30 an hour, this results in $1,4 mio lost, gone, down the drain. Additional losses can occur, business will slow down eventually, so let’s double that number : $2,8 mio lost, gone, down the drain. But wait … the chance that it happens … was once every 50 years !! That would actually mean that you can spend about $56k/year on pandemic planning …

That’s NOT A LOT FOLKS !! OK, it’s a basic calculation … but still : What the FUD ? There are not a lot of working groups you can fund with that over a prolonged period of time, and it sure doesn’t buy a lot of Tamiflu doses, operational masks, gloves, soap, …

IMHO, if you have to start planning for a Pandemic now, you’re too late.  70 to 80% of what you can do in case of a pandemic should already be in your BCP Strategy. That is, if you have one :-)

BTW, Brian Honan of BHConsulting.ie has written a blogpost on what you can actually try to do during pandemic situations : http://bhconsulting.ie/securitywatch/?p=664

Posted By: admin
Last Edit: 23 Jun 2009 @ 01:59 AM

20 Jun 2009 @ 12:39 AM

Michael Jackson sang it best, but that is not what this blogpost is about.

In today’s IT environment, there’s an overwhelming load of challenges coming at you like an avalanche every single day.
Moreover, the challenges come from every possible direction you can look in.  Windows, Linux, Unix in your LAN, WAN, DMZ interconnected by highly available converged networks transporting data, voice and video which is generated and consumed by on-premise or hosted applications (say CLOUD !). It’s a tough job but someone’s got to do it. Right ?

As HR tried to put everyone into little boxes based on skill assessments, we grew apart.  We built high, enforced walls around our cubicles.  The *nix guys laugh at the Windows guys when there’s another virus outbreak.  They join forces when it’s time to curse at the network guys as the 24/7 network turns out to be, well, not so 24/7 anymore :-s The network guys (and girls…) pick up their voodoo dolls when the application people demand a ginormous amount of bandwidth or some unreasonable number of ports to open on the perimeter.  Everybody rolls their eyes when HR decides to use some new fancy app, cloudified of course, to try and manage their skills and at the same time make those little boxes even smaller.  The circle is oval.

Because we have compartmentalized our infrastructure management to a very high degree, securing it becomes mighty difficult. There is no Windows person who will accept authority from a Unix person, and vice versa.  This is bad, people. It’s time for change !!!

If you are responsible for Information Security, you have to be platform agnostic.  Incident handling does not depend on the platform it is executed against.  Sure, somebody is gonna be responsible for realizing the vision you have defined, but in the end, they are all part of a big team.  It’s better to start out with a fight, settle it once and for all, and move on together.  Appointing someone responsible for [platform of choice] security and letting them do their thang doesn’t cut it anymore.

Bring all those great minds together, make them realize that they are not alone, and put your joint energy into fighting this (unfair) fight together instead of against each other.

Now y’all go hug each other and have a mighty fine weekend !

Posted By: admin
Last Edit: 20 Jun 2009 @ 12:39 AM

16 Jun 2009 @ 12:25 AM

For those who don’t know about OSSEC :

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

It runs on

  • Linux
  • MS Windows
  • AIX
  • Solaris

OSSEC installs stand-alone on a single system, in server mode or in agent mode. For the sake of this blogpost, I will assume that at least one server is used.  I will also not touch on the Windows installation.

Log Analysis

On an agent system, in ossec.conf, you define which log files will be monitored.  Any new events in these logfiles will be transferred to the OSSEC server over a secured connection.  Note that there is no analysis of an event on the agent.

The server ‘decodes’ the event, pulling out the critical information (source IP, user name, program, …), and this information is compared to rules. Rules are extremely powerful in OSSEC.  You can define single rules, but you can also define rule trees. I will dedicate a separate blogpost to rule trees; imho this is where the power of OSSEC is.  Alerts are triggered on a level between 0 (ignored) and 16 (attack occurred).  Alerts can be logged and sent out by e-mail (or even SMS) to your incident handlers.
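To make the decode-then-match idea concrete, here is an added example of a small local rule tree, written for this page and not taken from the original post or from the OSSEC project’s shipped rule set. It hangs off OSSEC’s built-in rule 5716 (sshd authentication failure) and uses ids from the 100000+ range that OSSEC reserves for local rules; the jump-host address is a constructed documentation value.

```xml
<!-- Added example local_rules.xml fragment (not the blog author's).
     Rule ids 100000+ are the range OSSEC reserves for local rules. -->
<group name="local,syslog,sshd,">

  <!-- Child of the stock sshd "authentication failed" rule (5716).
       Level 0 means "ignore": a failed login from the constructed
       jump-host address 192.0.2.10 is expected and produces no alert. -->
  <rule id="100001" level="0">
    <if_sid>5716</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Ignore sshd auth failures from the known jump host.</description>
  </rule>

  <!-- Composite rule: 8 or more 5716 matches from the same source
       within 120 seconds escalate to level 10, which is high enough to
       be e-mailed to the incident handlers in a typical setup. -->
  <rule id="100002" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Many sshd authentication failures from one source.</description>
  </rule>

</group>
```

The tree is evaluated top-down: an event first has to match the parent (5716) before either child is considered, so the level-0 rule silences the noisy host without hiding the rest, and the frequency/timeframe rule only fires on repetition. Run `/var/ossec/bin/ossec-logtest` with a sample sshd line to see which rule id and level a given event ends up with before you restart the server.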

Oh, wait.  Your OSSEC server can be configured to be a syslog server too … and you can have all your appliances (firewall, switch, proxies, routers, mail security thingies, …) forward logging to there.  Now you can correlate end-to-end logging, FOR FREE !!

OSSEC, in its turn, can provide its syslog output to another SIEM if need be.  It’s open, remember ? Open works both ways for OSSEC :-)

System Integrity Checking

On the OSSEC client you define which directories need to be checked for file integrity. OSSEC will perform a scheduled analysis of the files in these directories and alert you when changes have been detected.  You have full granular control over the analysis schedule, low-risk directories can be checked on a daily basis, while high-risk directories can be checked every 20 minutes.  You can even exclude certain subdirectories (maybe because they contain files that change regularly and you’re ok with that …). I told you, OSSEC rocks !

Active Response

And it gets better !! You can trigger scripts based on the alerts OSSEC throws.  Now you can block access from a bad host entirely, remove execute permissions from a file that was changed, stop a service …

OSSEC just turned into a HIPS, and it is still free …
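The log analysis, syslog receiver, syslog forwarding to another SIEM, integrity checking and active response described above all live in one ossec.conf. The following server-side fragment is an added example written for this page, not the author’s configuration and not a file shipped by the OSSEC project; the addresses and the e-mail details are constructed, the log paths assume a Debian-style box, and the `realtime` attribute on a syscheck directory assumes an OSSEC release that supports inotify-based monitoring.

```xml
<!-- Added example ossec.conf for an OSSEC server (not from the original post).
     Addresses, mail settings and paths are constructed sample values. -->
<ossec_config>

  <global>
    <email_notification>yes</email_notification>
    <email_to>incident-handlers@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
    <!-- Never let active response block the admin workstation (constructed). -->
    <white_list>192.0.2.1</white_list>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>     <!-- everything from level 1 up is logged -->
    <email_alert_level>10</email_alert_level><!-- level 10+ is mailed to the handlers -->
  </alerts>

  <!-- Log analysis: files this host tails itself; agents carry the same block. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

  <!-- Encrypted agent traffic on udp/1514. -->
  <remote>
    <connection>secure</connection>
  </remote>
  <!-- Plain syslog from appliances (firewall, switches, proxies, ...),
       restricted to the constructed management subnet. -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

  <!-- Open works both ways: forward alerts of level 7 and up to another SIEM. -->
  <syslog_output>
    <server>198.51.100.20</server>
    <port>514</port>
    <level>7</level>
  </syslog_output>

  <!-- Integrity checking: full scan every 22 hours, plus real-time on
       a high-risk directory; files that legitimately change are ignored. -->
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <directories check_all="yes" realtime="yes">/etc/ssh</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>

  <!-- Rootkit detection using the signature lists shipped with OSSEC. -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Active response: drop the offending source IP at the local firewall
       for 10 minutes whenever an alert of level 10 or higher fires. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

Two design choices matter here. The `timeout` makes every block self-expiring, so a spoofed or mis-decoded source address cannot cut a host off permanently, and the `white_list` keeps the management station reachable no matter what fires. Start with active response disabled, watch the alert log for a few days to see which levels actually trigger, and only then lower the threshold.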

Unfortunately, a lot of businesses are still wary of introducing Open Source solutions into their infrastructure. After all, who’s gonna support them? ;-)   Third Brigade, the owners of OSSEC, have recently been acquired by TrendMicro, who has vouched that OSSEC will remain Open Source and that Third Brigade will continue to support the software.

If you are looking into HIDS/HIPS solutions, don’t forget to consider OSSEC. It’s a beautiful solution, and cross-platform to boot.  Don’t hesitate to ask questions if you get stuck !!

You can find more info about OSSEC here : http://www.ossec.net

If you are gonna try and learn OSSEC to the bone, consider buying this book.

Oh yeah, an OSSEC plugin was developed for Splunk too !!! read more here

I, for one, am an OSSEC aficionado.  Now you go download it … and tell me what you think.

Posted By: admin
Last Edit: 16 Jun 2009 @ 12:25 AM

