Catalyst Conference 2008


February 2008

February 25, 2008

Prospects Brightening for a Common Event Standard

Blogger: Dan Blum

There are two groups actively working to create a common event standard that allows event logs and audit records to be shared and understood across many products, and the good news is that they’re talking to each other:

  • Common Event Expression (CEE) language, by Mitre 
  • X/Open Distributed Audit Standard (XDAS), by Open Group 

The business benefits of creating a common event standard would be considerable:

  • Reduced log management and security information event management (SIEM) system integration costs 
    • Reduced volume of event data and simplification of SIEM architecture 
    • Reduced need for (and increased effectiveness of) normalization 
  • Reduced cost of integrating new solutions with security management infrastructures and frameworks 
  • Lower cost of integrating event management and audit into cross-enterprise applications (such as federated identity management)
  • Faster and simpler data exchange between organizations, vendors and incident response services supporting real time response to threats and attacks 
  • Better forensics for a common defense 

Late last year, our Burton Group Security and Risk Management Strategies (SRMS) group decided to push the question of event standards with vendors, trade press, and standards groups. But we felt that we needed evidence of end user enterprise interest and involvement to start doing so. Happily, as we began researching the space, we found that Mitre’s CEE was being driven by the EU, NATO and DoD as well as log management and platform vendors. Burton Group held a conference call discussing common event standards and SIEM with members of the International Information Integrity Institute (I-4), and key stakeholders showed up. The Open Group reports that enterprises as well as vendors are getting involved with XDAS. Clearly, enterprises seem ready to focus on this topic.

Of course, there are challenges ahead. Not only is there no complete common event standard out in the field today, there are many partial standards or solutions, including Syslog; the IETF’s Intrusion Detection Message Exchange Format (IDMEF) and Incident Object Description and Exchange Format (IODEF); the Java Specification Request (JSR) 47 Logging API, WS-Management subscribe/publish APIs and so on. Any comprehensive standard released in the future should work with existing technologies like these as much as possible. Also, there are a number of complexities, including mapping event semantics between different systems, synchronizing time while managing clock drift, and maintaining dynamic event handling policies.

Fortunately, the Mitre and Open Group efforts are gaining traction. Mitre has put up a CEE web site and one can ask to subscribe to the CEE mailing list. Mitre has described its scope as covering standard event taxonomy/terminology, log syntax, log transport and recommendations on what types of events and data elements systems should log. Mitre’s specifications are in the draft stage, and publication for comment is “expected 2008” according to the website. That’s pretty indefinite. But we are told that while not complete, these draft documents will reflect a considerable amount of work that has already been done and can be built upon. It is positive that a CEE community representative says Mitre plans to begin by seeking comments on the underlying goals and requirements for event standards. But to establish a broadly accepted industry standard anytime soon, Mitre and the government/defense community it serves will have to accelerate overly lengthy document review cycles and possibly streamline handling procedures designed for classified information rather than open standards deliberation.

As my colleague Bob Blakley wrote in “An Auditing Standard: Has this rough beast's hour come round at last?” last July, Open Group revived prior work on a specification called “X/Open Distributed Audit Standard” (XDAS). XDAS addresses the concerns necessary to build a robust distributed security auditing system in a mature and complete way, but its 1990s-era C and UNIX interfaces need to be updated. Novell, whose Bandit Project incorporates XDAS, has contributed source code to a new open-source project called OpenXDAS (http://openxdas.sourceforge.net/) which makes an XDAS implementation widely available.

As these two standards efforts proceed, we hear mixed signals. There have been some indications of contention; for example, CEE representatives purport to have a strong emphasis on “simplicity,” while some observers have expressed concern that XDAS may be “too complex.” Of course, the other side of the argument could be that CEE will over-simplify issues, but it’s hard to have that discussion when specifications for CEE aren’t publicly available yet.

Fortunately, olive branches have been extended as well. During the Open Group meetings in January 2008, Burton Group observed the XDAS and CEE leadership discuss ways they could coordinate and avoid overlaps. For example, CEE and XDAS could make sure that XDAS APIs become a CEE-compatible logging transport and, if both organizations produce data dictionaries for events, they could perhaps be formulated to use a common taxonomy and to avoid schema conflicts and overlaps. We’re also hoping that vendors such as Arcsight, Oracle and CA – who have been proactive about proposing specifications or encouraging the industry to create a common event standard – will become part of the convergence on a common solution.

In the coming weeks and months, Burton Group will keep watching the event standards space and post more information on how matters develop. Please let us know by commenting on this blog if there are other standards efforts we should be watching, compatibility concerns to address, or other issues and questions you’re concerned about. We hope to continue being a voice for convergence and standardization that helps put the industry on the road to a common event standard by 2009.

February 19, 2008

Best Security Never

Blogger: Trent Henry

Last week, security.itworld.com ran a piece talking about attacks against encryption. Specifically, they raised the danger of attacks against data-at-rest (i.e., stored data) encryption.

This is something we pointed out in our VantagePoint TeleBriefing last year. (Score one for our prognostication.) We called it "Best Security Never" and warned our clients that increased use of encryption brings increased requirements for strong key management.

Personally, I think a greater risk is poor key archival. When an employee gets hit by a bus, you don't want to lose critical information encrypted on a local hard drive. However, attacks against key management infrastructure itself are also a legitimate concern. If bad guys are able to access individual keys (or, gasp, master keys), a company’s information confidentiality can be written off. If an adversary damages keys, information availability can be written off as well. These scenarios pose issues similar to today's stored keys in Kerberos servers or Active Directory instances. Enterprise-wide key management simply further exacerbates risk aggregation.

This means security teams need to take oh-so-careful measures to protect their central key stores. But this protection is by no means the whole story. When Burton Group talks about encryption, we discuss the entire "supporting cast" of requirements: proper user authentication, cipher implementation, administrator controls, etc. So although key management--and potential attacks against keys--is an important consideration, it's just one of many things that a well-architected enterprise encryption solution should address.


February 14, 2008

Security and Risk Management at Catalyst

Blogger: Trent Henry

Time flies when you're having fun.

(Or perhaps it's just flying because of my age...)

Either way, Burton Group's Catalyst Conference isn't too far away, and it's time to line up speakers.

Our guiding theme for 2008 is “security vital signs,” which includes assessing the vital signs and trends in the security market and measuring vital signs for security success within enterprise security programs. These themes are organized to push forward the areas of:

  • Metrics: what should enterprises be counting and measuring, and communicating upstream?
  • Host admission and network controls: what are the business drivers, trends, and architecture for layered network protection and endpoint assessment?
  • Data protection and encryption: amid the trend toward information-centric security, how can enterprises properly manage encryption, keys, and related controls?
  • “GRC”: what is the market messaging (and confusion) around governance, risk management, compliance, and how should the enterprise get value from the processes, even when tools are lacking?
  • Going global: what are the appropriate management models and solutions in increasingly geographically diverse and multi-jurisdiction large organizations?

We'd love to have people put together some abstracts for these or related topics. Check out the submission form linked from www.catalyst.burtongroup.com/na08/SpeakersAbout.html.

Hope to see you in San Diego!

February 06, 2008

The National Cyber Exercise

Blogger: Trent Henry

It sounds so august: "CYBER STORM" (ok, officially it's just plain ol' "Cyber Storm," but a title like that begs for caps).

What is it? Or rather, what was it? The "National Cyber Exercise" was a 2006 Homeland Security (and other federal agencies) sponsored simulation of computer and network attacks. Here's the specific detail from a DHS slide deck:

  • Provided a controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance
  • Large scale exercise through simulated incident reporting only – no actual impact or attacks on live networks
  • Specifically directed by Congress ... and coordinated with DHS National Exercise Program

In short, the exercise objective was to pretend that a faux "Worldwide Anti-Globalization Alliance (WAGA)" was attacking U.S. and international interests, and determine how public and private sector targets responded.

Cyber Storm is of interest now for two reasons. First, late last month the Associated Press received a redacted summary report of the exercise results (two years after its Freedom of Information Act request). They found a number of interesting things, many detailed here: news.wired.com. One delicious fact--which supports Burton Group's perspective that insiders are a significant danger--is that someone attacked the off-limits exercise control computers, most likely a participant. When exercises have embarrassingly bad outcomes because people don’t follow the rules, it frequently turns out that the rules have been designed to produce an unrealistically rosy picture of reality. The fact that this happened should be taken as a sign that the exercise conditions were unrealistic, and that in a real incident the results would be even worse than those shown by the exercise. There are many historical precedents for this.

Another important fact, reported by the AP, is that "key players didn’t understand the role of the premier U.S. organization responsible for fending off major cyber attacks, called the National Cyber Response Coordination Group, and it didn’t have enough technical experts." This suggests that there's confusion in the public-private partnership for attack response, and we need better escalation procedures and fuller participation of private companies (who, by some accounts, own 85% of U.S. critical infrastructure).

This brings us to the second reason for interest in this story: Cyber Storm II. That's right, a repeat of the exercise is taking place in March 2008. DHS spells out the mission here: www.us-cert.gov/reading_room/infosheet_CyberStormII.pdf. In addition to expected public-sector agencies, "private sector players from the Information Technology (IT), Transportation (Rail and Pipe), and Chemical sectors along with multiple Information Sharing and Analysis Centers (ISACs) are scheduled to participate."

Here's what's weird: no one's discussing the exercise. Actually, I'm guessing that's not strictly true. Who's not discussing it is Burton Group clients; and they represent hundreds of the largest organizations in the world and own/operate important global infrastructure. These organizations routinely ask us probing questions about information protection, incident response, security program management, and the like. I'm pretty surprised that Cyber Storm hasn't come up. Not even once.

Now, there are some possible reasons for this. First, DHS might be asking people to keep quiet for national security reasons. I could possibly buy that argument. Outside the exercise participants, too much knowledge could be a dangerous thing (and even among participants, could taint the exercise results). On the other hand, if the exercise results show that there is a problem to be fixed and that there’s a shortage of technical experts, thought-leading third parties (such as, I might add humbly, Burton Group) should be among the first people both our customers and DHS turn to – us and security consulting firms. If they’re not looking for such help, then I'm concerned they’re sweeping the problem under the rug. Second, enterprises might not feel that industry analysts are important pieces of this particular puzzle. Again, that's something I could buy--but it's at odds with the other intimate advice we offer to security planners, including security architecture for major systems. Third, our client list simply might not intersect with the invited participants, which, while plausible, means that some really important players are being ignored.

Here's what makes me nervous: the possibility that DHS isn't really involving the private sector. That is, amid the massive list of prospective Federal, State, local, and international government participants, individual companies are but a minuscule component. Given the importance of financial services, energy, and other private sectors, this prospect gives me pause. We've heard anecdotes from clients that FBI Infragard and other public-private security contact points aren't fulfilling their promise. Although there's talk of partnership, in the end most organizations don't have clear lines of escalation or incident response to federal authorities. It's my hope that Cyber Storm and its progeny begin to close this gap. But so far, no one's talking.

So help me understand: Is the National Cyber Exercise adequately exercising all stakeholders? If so, please speak up! If you can, let me know...