16 Mar 2009 @ 10:05 AM 

On the last Risky Business podcast it was mentioned that companies could reduce costs by enabling little-known or previously unused features in their infrastructure, mostly IDS/IPS, AV, web filtering and other features already built into perimeter appliances.

This is an interesting idea but let’s take a step back.

From a business POV, I’d love to sell additional features, but chances are that my customers do not have the manpower to manage them. The features mentioned are not fire-and-forget. First off, they will change the end-user experience, possibly hindering people in doing their jobs: an IPS in blocking mode that trips on legitimate traffic costs the business more than it saves. They will also generate tons of logs, which need to be analyzed and acted upon; an alert console nobody watches only buys a false sense of security. You see, it’s not as easy as “enable the feature and be more secure”.

For me, there is one thing you can focus on right now which can improve the security of your company, and it won’t cost you a dime to kickstart it. Once you are clear about what you want (and need) to see and how you want to see it, you will also know which vendors to talk to in order to build a cost-effective system.

Logging !

There are thousands of log messages to be captured every day.
All your appliances, switches, servers, even clients are generating messages every second. If you haven’t done anything to listen to what they are saying, START NOW !
Build a system that centralizes logging for your infrastructure. Maybe you won’t be looking at it all day, every day, but make sure that it is there, because the patterns that matter (one source touching many hosts, a firewall drop followed by a login attempt on the server behind it) are invisible as long as every box only keeps its own share of the story. Consider tools like Splunk: it’s free for the first 500MB of daily logging and it supports a lot of formats. It also allows you to drill down, correlate and report on events.
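To make the “centralize, then correlate” point concrete, here is a small added example (my own illustration, not code from the post, from Splunk or from any vendor). It parses BSD-style syslog lines as they would arrive at a central collector from a firewall, a switch and three servers, normalizes them into records, and flags a source IP that fails SSH logins across several hosts, something no single host would notice on its own. The log lines, host names and addresses are constructed for the example, and the year is an assumption the collector has to supply because the classic syslog timestamp carries none.

```python
"""Added example: a tiny central log collector and cross-host correlator.

The sample lines below are constructed for this example; they are not
real device output. Host names, PIDs and IP addresses are made up.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOGS = """\
Mar 16 09:58:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 16 09:58:03 srv01 sshd[2112]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 16 09:58:05 srv01 sshd[2112]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 16 09:58:07 srv02 sshd[8871]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Mar 16 09:58:09 srv03 sshd[1402]: Failed password for oracle from 203.0.113.7 port 51041 ssh2
Mar 16 09:58:30 srv02 sshd[8902]: Accepted password for jdoe from 198.51.100.22 port 40110 ssh2
Mar 16 09:59:00 sw01 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to down
Mar 16 09:59:12 srv01 sshd[2150]: Failed password for jdoe from 198.51.100.22 port 40115 ssh2
"""

# Classic BSD syslog: "Mon dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_line(line, year=2009):
    """Normalize one syslog line into a dict, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # BSD syslog timestamps carry no year; the collector supplies it (assumed 2009 here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "prog": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def parse_logs(text, year=2009):
    """Parse every line that matches the syslog shape; silently skip the rest."""
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def events_per_host(records):
    """Volume report: how chatty is each (host, program) pair? Useful for sizing."""
    return Counter((r["host"], r["prog"]) for r in records)


def ssh_failures(records):
    """Group failed SSH logins by source IP: src -> list of (ts, host, user)."""
    by_src = defaultdict(list)
    for r in records:
        if r["prog"] != "sshd":
            continue
        m = FAILED_RE.search(r["msg"])
        if m:
            by_src[m["src"]].append((r["ts"], r["host"], m["user"]))
    return by_src


def correlate_password_spray(records, min_attempts=3, min_hosts=2):
    """Flag sources that fail logins across several hosts.

    Each host only sees its own share of the attempts; the pattern only
    appears once the logs of all hosts sit in one place.
    """
    alerts = []
    for src, attempts in ssh_failures(records).items():
        hosts = {h for _, h, _ in attempts}
        if len(attempts) >= min_attempts and len(hosts) >= min_hosts:
            # Enrich with every other device that mentioned the same IP
            # (here the firewall DROP line), so the analyst sees the whole trail.
            seen_on = sorted({(r["host"], r["prog"]) for r in records
                              if src in IPV4_RE.findall(r["msg"])})
            alerts.append({
                "src": src,
                "attempts": len(attempts),
                "hosts": sorted(hosts),
                "users": sorted({u for _, _, u in attempts}),
                "first_seen": min(t for t, _, _ in attempts),
                "last_seen": max(t for t, _, _ in attempts),
                "seen_on": seen_on,
            })
    return sorted(alerts, key=lambda a: a["attempts"], reverse=True)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for (host, prog), n in sorted(events_per_host(recs).items()):
        print(f"{host:6} {prog:16} {n}")
    for a in correlate_password_spray(recs):
        print(f"ALERT {a['src']}: {a['attempts']} failures on {a['hosts']} "
              f"users={a['users']} seen_on={a['seen_on']}")
```

Run it as a script and the only alert is for 203.0.113.7: four failures, three hosts, three different user names, and the firewall already dropped the same source a few seconds earlier. The second source (198.51.100.22) fails once and then logs in, which is what a typo looks like, and stays below the threshold. The thresholds are assumptions you tune against your own volume; the point is that the decision needs data from more than one box.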

Reports require good metrics; consider buying ‘Security Metrics’ by Andrew Jaquith. Choosing the right metrics is paramount to effective systems management, and Andrew does a fantastic job of teaching us how to choose them.

A last resource that I want to suggest regarding this subject is the wonderful site www.secviz.org, and another wonderful book by Raffael Marty called ‘Applied Security Visualization’.
It is one thing to collect logs and go through them manually; visualizing them using one of the dozens of methods Raffy explains in this book might prove invaluable for your company ! Remember that a large share of people are visual, understanding things better and more easily through graphics than through plain text.

Another thing you might want to focus on is your security policy. You know, the thick stack of paper that gathers dust or keeps your desk level. Review it, rip it apart, reconstruct it. Make it a flexible framework of documents that supports your security programme, instead of leaving it in the two-by-four function it serves right now. Make security work for the people and the business.

Posted By: admin
Last Edit: 16 Mar 2009 @ 10:09 AM

 09 Feb 2009 @ 8:59 PM 

On Saturday and Sunday, FOSDEM was happening in Brussels (Belgium) and since I didn’t make it to Shmoocon, it was a nice alternative. FOSDEM is a yearly gathering focusing on Free and Open Source (FOS, ha) development, but they also feature a systems and security track. I first learned about FOSDEM two years ago when HD Moore came over to present Metasploit 3.

This year there were 3 security talks scheduled, the first by the OWASP people, but I missed that talk because Sunday morning is supposed to be family time. I have to keep the balance somehow.

The second talk was about FreeIPA, an open source alternative for Identity, Policy and Audit management. The talk wasn’t bad; it laid out how they approached the first build of the solution, based on the Fedora Directory Server and MIT Kerberos 5 as the main components. It also includes a CA (self-signed for the moment, ugh), an Apache server to deliver a web-based admin interface, a command line, etc … etc … (it also includes a DNS server).

All in all, FreeIPA seems like a nice hobby project to learn the concepts of IdM, Policy and Audit, but I don’t feel the project has a real future. What amazed me is that while it toots the Open Source horn loudly, it sees itself as the solution that all IdM in a corporation revolves around. From what I understand, to use FreeIPA I have to make all the components in my infrastructure talk Kerberos. It may work in a greenfield approach, but I personally haven’t seen any greenfield IdM projects. For me, personally, IdM revolves around a) workflow and b) provisioning.
The solution does neither :(

The contradiction in the solution is also that, while it pretends to be ‘Open’, it doesn’t feel that way. It tries to do everything by itself. A good example is the DNS server. I can’t think of an environment that doesn’t have a DNS server these days. Why would I want a new DNS infrastructure just to support FreeIPA ? The same goes for the directory server. I may have one (or more) LDAP directories in my environment; why not be open to what I have and deliver additional building blocks for a complete solution ? That, to me, is what Open is about.

From what I read on their website (rather than going by what the presenter said) it seems like it’s meant to be a SIEM solution for Identity, Policy and Audit information. I’m a little bit lost now.

The third security talk was about Fusil, the fuzzer, by Victor Stinner, a French hacker. Fusil is a Python library, mainly focused on fuzzing command line programs. Victor gave a great talk, with good momentum (I could see he was nervous, but he didn’t have to be) and great slides. I loved this talk, and the tool might be something to look at for all you security researchers out there who want to put programs to the test.

In the end, FOSDEM was nice. I had the chance to chat with @security4all and of course I’m looking forward to FOSDEM 2010. See you there !

Posted By: admin
Last Edit: 10 Feb 2009 @ 12:10 AM
