Friday, December 7, 2007

IT security, determine your score of the game

I am not sure why I missed a really good post at Taosecurity, maybe it was the size of the post and me being tired when going over his blog. This post is very important when thinking about IT security, so once again I remind myself to keep reading Taosecurity, even if I am tired :-)

Anyway, some of the key viewpoints, some new to me, some not:

... don't think your security responsibilities end when the bottle is broken against the bow of the ship and it slides into the sea. You've got to keep watching to see if it sinks, if pirates attack, how the lifeboats handle rough seas, and so forth.

And there is an excellent list of suggestions for how to determine your enterprise "score of the game," and use that information to decide what you need to do differently.

Here are some headlines from the list:

  1. Standard client build client-side survival test. Create multiple sacrificial systems with your standard build. Deploy a client-side testing solution on them, like a honeyclient.
  2. Standard client build server-side survival test. Create multiple sacrificial systems with your standard build. Deploy them as a honeynet.
  3. Standard client build client-side penetration test. Conduct my recommended penetration testing activities and time the result.
  4. Standard client build server-side penetration test. Repeat number 3 with a server-side flavor.
  5. Standard server build server-side penetration test. Repeat number 3 against your server build with a server-side flavor.
  6. Deploy low-interactive honeynets and sinkhole routers in your (internal) network. These low-interaction systems provide a means to get some indications of what might be happening inside your network.
  7. Conduct automated, sampled client host integrity assessments. Select a statistically valid subset of your clients and check them using multiple automated tools (malware/rootkit/etc. checkers) for indications of compromise.
  8. Conduct automated, sampled server host integrity assessments. Self-explanatory.
  9. Conduct manual, sampled client host integrity assessments. These are deep-dives of individual systems. You can think of it as an incident response where you have not had indication of an incident yet.
  10. Conduct manual, sampled server host integrity assessments. Self-explanatory.
  11. Conduct automated, sampled network host activity assessments. ... The idea is to let your NSM system see if any of the traffic it sees is out of the ordinary based on algorithms you provide.
  12. Conduct manual, sampled network host activity assessments. This method is more likely to produce results. Here a skilled analyst performs deep individual analysis of traffic on a sample of machines (client and server, separately) to see if any indications of compromise appear.

In all of these cases, trend your measurements over time...

Don't slip into thinking of inputs. Don't measure how many hosts are running anti-virus. We want to measure outputs. We are not proposing new controls.
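As an added example (not from the Taosecurity post or this blog), here is how the sampled assessments in items 7 through 12 and the instruction to trend outputs over time could be scored in Python: pick a statistically valid sample size for the host population, turn each assessment round into a compromise rate with a confidence interval, and flag rounds whose rate moved outside the previous round's interval. The quarterly figures, the 5% margin and the 95% confidence level are constructed assumptions.

```python
"""Score sampled host integrity assessments and trend them across rounds.
Added example; the assessment results below are constructed, not real data."""
import math
from typing import List, Tuple

Z_95 = 1.96  # z-score for a 95% confidence level (assumption)


def sample_size(population: int, margin: float = 0.05, p: float = 0.5, z: float = Z_95) -> int:
    """Cochran's formula with finite-population correction: how many hosts to
    check so the observed compromise rate is within +/- margin of the truth.
    p = 0.5 is the conservative choice when the real rate is unknown."""
    n0 = (z * z * p * (1 - p)) / (margin * margin)
    return math.ceil(n0 / (1 + (n0 - 1) / population))


def wilson_interval(compromised: int, sampled: int, z: float = Z_95) -> Tuple[float, float]:
    """Wilson score interval for the true compromise rate. Unlike the naive
    interval it stays meaningful when zero sampled hosts show compromise."""
    if sampled <= 0:
        raise ValueError("no hosts sampled")
    phat = compromised / sampled
    denom = 1 + z * z / sampled
    centre = phat + z * z / (2 * sampled)
    half = z * math.sqrt(phat * (1 - phat) / sampled + z * z / (4 * sampled * sampled))
    return (centre - half) / denom, (centre + half) / denom


def trend(rounds: List[Tuple[str, int, int]]) -> List[dict]:
    """Score each round and mark it as a 'shift' when its rate falls outside
    the previous round's interval: a change to explain, not sampling noise."""
    out, prev = [], None
    for label, compromised, sampled in rounds:
        lo, hi = wilson_interval(compromised, sampled)
        rate = compromised / sampled
        shift = prev is not None and not (prev[0] <= rate <= prev[1])
        out.append({"round": label, "rate": rate, "ci": (lo, hi), "shift": shift})
        prev = (lo, hi)
    return out


# Constructed results of quarterly automated client assessments (item 7):
# (quarter, hosts with indications of compromise, hosts sampled).
CLIENT_ROUNDS = [("2007Q1", 9, 300), ("2007Q2", 7, 300), ("2007Q3", 21, 300), ("2007Q4", 6, 300)]

if __name__ == "__main__":
    print("clients to sample out of 5000:", sample_size(5000))
    for row in trend(CLIENT_ROUNDS):
        lo, hi = row["ci"]
        flag = "  <- outside previous interval" if row["shift"] else ""
        print(f"{row['round']}: {row['rate']:.1%} [{lo:.1%}, {hi:.1%}]{flag}")
```

The rate itself is the output being measured; the interval is what keeps a quarter-to-quarter wobble from being reported as a real change in the score.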

Key phrases: manual vs. automated and server vs. client, and proactive investigation.

Most of the info has been on his blog before, but all together yet another great post :-)
