<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Exceptional Security</title>
	<atom:link href="http://blog.triumfant.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.triumfant.com</link>
	<description>A Blog About Cyber Security and All Things Triumfant</description>
	<lastBuildDate>Fri, 27 Jan 2012 13:47:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.triumfant.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/37f395d2ea712a95a83ee12d3bfd7c00?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Exceptional Security</title>
		<link>http://blog.triumfant.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.triumfant.com/osd.xml" title="Exceptional Security" />
	<atom:link rel='hub' href='http://blog.triumfant.com/?pushpress=hub'/>
		<item>
		<title>Proposed EU Data Protection Fines Push the Lack of Breach Detection Capabilities into the Light</title>
		<link>http://blog.triumfant.com/2012/01/26/proposed-eu-data-protection-fines-push-the-lack-of-breach-detection-capabilities-into-the-light/</link>
		<comments>http://blog.triumfant.com/2012/01/26/proposed-eu-data-protection-fines-push-the-lack-of-breach-detection-capabilities-into-the-light/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 13:41:17 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[EU Data Protection Fines]]></category>
		<category><![CDATA[Rapid Detection and response]]></category>

		<guid isPermaLink="false">http://triumfant.wordpress.com/?p=1166</guid>
		<description><![CDATA[Recently proposed updates to the European Union's data protection may force companies in the U.S. and abroad to take a hard look at solutions that tell them when they have been breached.  According to a WSJ article, the proposed updates will affect U.S. companies that “are active in the EU and offer their services to [...]]]></description>
			<content:encoded><![CDATA[<p>Recently proposed updates to the European Union's data protection may force companies in the U.S. and abroad to take a hard look at solutions that tell them when they have been breached.  According to a <a title="EU Data Protection Reform May See Large Fines For Companies" href="http://online.wsj.com/article/BT-CO-20120125-710332.html" target="_blank">WSJ article</a>, the proposed updates will affect U.S. companies that “are active in the EU and offer their services to EU citizens”.</p>
<p>Of specific note is the requirement to notify authorities and customers of data breaches within 24 hours.  Breach notification laws are not new and there are notification statutes in the U.S. at the <a href="http://www.darkreading.com/blog/232500253/breach-notification-know-the-rules.html" target="_blank">state level</a>.  But the breadth of the EU provisions, the 24-hour requirement, and the fines for noncompliance have seriously amplified the debate.</p>
<p>In particular, the 24-hour requirement has companies really nervous.  This is justified when you consider that the Verizon Business 2011 Data Breach Investigations Report showed that less than 5% of data breaches were discovered in the first 24 hours.   An article on the EU updates in <a title="Firms Will Struggle to Report Data Breaches Within 24 Hours, Industry Warns" href="http://www.csoonline.com/article/698801/firms-will-struggle-to-report-data-breaches-within-24-hours-industry-warns?source=rss_data_protection" target="_blank">CSO Online</a> leads with the subheading “Many companies don&#8217;t have the sophisticated systems for identifying breaches in the first place”.</p>
<p>I have no sympathy here.  There are solutions that can detect an intrusion to corporate systems within minutes of the infiltration, so the lack of capability is not from a lack of technology.  Companies have long settled for shielding the perimeter with traditional approaches to defense from the usual suspects of IT security.  Forgive my lack of compassion, but the EU requirements are the bill coming due for stubbornly sticking with old approaches to new problems and blindly relying on the large IT security vendors rather than considering innovative solutions.</p>
<p>In the interest of disclosure, Triumfant does provide a solution that will detect a breach within minutes of the infiltration.  Triumfant is not a DLP tool, but what Triumfant will do is quickly detect an attack that gets past the company’s shields and provide a very detailed analysis of the attack within minutes.  Triumfant uses change detection and contextual analytics to detect the attacks that evade other security software, making Triumfant able to <a title="Detect New Malware Attacks" href="http://www.triumfant.com/malware_detection_remediation.asp" target="_blank">detect new malware attacks</a>, <a title="Story on Targeted Attacks Dispels the Presumption of Complexity" href="http://triumfant.wordpress.com/2012/01/12/story-on-targeted-attacks-dispels-the-presumption-of-complexity/" target="_blank">detect targeted attacks</a>, and detect the <a title="Advanced Persistent Threat Detection" href="http://www.triumfant.com/advanced_persistent_threat.asp" target="_blank">advanced persistent threat</a>.  Security professionals tell me that the analysis Triumfant returns would take a seasoned security professional hours or days to produce.  We call this <a title="Making the Case for Rapid Detection and Response" href="http://triumfant.wordpress.com/2011/10/04/making-the-case-for-rapid-detection-and-response/" target="_blank">Rapid Detection and Response</a>: the ability to detect the problem, provide actionable analysis, and remediate the attack within minutes of the infection.  Once the point of entry is identified, the company can then determine if data has been compromised, and if so, the extent of that compromise.</p>
<p>Companies continue to ignore the realities in front of them (such as the 5% statistic) and continue to pour their resources into shields.  Plugging another appliance into the network or installing another solution that requires prior knowledge to detect attacks won’t fix the problem.  Nor will blindly trusting the large IT security companies.</p>
<p>The time to look beyond traditional approaches and the usual suspects has not only come, it has passed.  Companies have resisted change for reasons only they know, but I suspect they are not willing to look past traditional approaches and embrace technologies that re-write their perceptions of how IT security tools work.</p>
<p>The EU requirements are not causing the problem; they are pushing the problem into the light.  And in doing so, they are also dragging into the light the companies that have too long ignored the changing realities of security.  Companies that were unwilling or unable to step into the light themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2012/01/26/proposed-eu-data-protection-fines-push-the-lack-of-breach-detection-capabilities-into-the-light/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Hearing the Sound of Inevitability &#8211; Rapid Detection and Response</title>
		<link>http://blog.triumfant.com/2012/01/20/hearing_the_sound-_of_inevitability/</link>
		<comments>http://blog.triumfant.com/2012/01/20/hearing_the_sound-_of_inevitability/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 13:56:08 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[Rapid Detection and response]]></category>
		<category><![CDATA[Sound of Inevitability]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=1158</guid>
		<description><![CDATA[It appears that the IT security market may be finally hearing the sound of inevitability. In an InformationWeek article by Matthew J. Schwartz called “10 Security Trends To Watch In 2012”, Schwartz puts “Breaches now inevitable, say businesses” as number 1.  Number 1! Finally the message seems to be permeating the years of flat earth thinking [...]]]></description>
			<content:encoded><![CDATA[<p>It appears that the IT security market <a href="http://triumfant.files.wordpress.com/2012/01/matrix_subway.jpeg"><img class="alignright size-full wp-image-1160" title="Matrix_subway" src="http://triumfant.files.wordpress.com/2012/01/matrix_subway.jpeg?w=630" alt="" /></a>may be finally hearing the sound of inevitability.</p>
<p>In an InformationWeek article by Matthew J. Schwartz called “10 Security Trends To Watch In 2012”, Schwartz puts “Breaches now inevitable, say businesses” as number 1.  Number 1! Finally the message seems to be permeating the years of flat earth thinking in the IT industry and the broader market!</p>
<p>Quoting Schwartz:  &#8220;<em>The new mandate, then, is not just to maintain killer defenses, but also to have the right technology and practices in place to <a href="http://www.informationweek.com/news/security/229000160">quickly detect when the business has been breached</a>, and then to block the attack and ideally identify how the breach occurred and what might have been stolen.</em>&#8221;</p>
<p>Well said.</p>
<p>This is the exact concept behind what Triumfant calls <a title="Embracing the “Presumption of Breach” Doctrine With Rapid Detection and Response" href="http://blog.triumfant.com/2011/10/19/embracing-the-presumption-of-breach-doctrine-with-rapid-detection-and-response/">Rapid Detection and Response</a>.  Understanding that shields are not, and will never be, 100% effective and your organization will get breached.  It is, as Schwartz says, inevitable.  Therefore, Rapid Detection and Response is about detecting attacks that infiltrate machines as close to the moment of infiltration as possible, providing the analysis to make an informed response, and stopping the attack and repairing the infiltrated machine. It is about understanding that this is not a DoD or NSA problem about <a title="Detect Advanced Persistent Threat" href="http://www.triumfant.com/advanced_persistent_threat.asp">detecting the Advanced Persistent Threat</a> but the very hard reality that targeted attacks are getting through your shields.</p>
<p>What remains to be seen is how quickly this grasp of the inevitable will be followed by action.  The problem with the inevitable is that it does not wait for us to grasp it – it is happening all around us regardless.</p>
<p>(BTW, some of you Matrix fans may be surprised by my choice of picture. I searched relentlessly and could not find a single picture of the exact scene moment when Agent Smith delivers his &#8220;sound of inevitability&#8221; line.  I was disappointed. The Internet, it seems, is not yet 100% &#8211; much like the shields people trust too much to protect their endpoints and servers.)</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2012/01/20/hearing_the_sound-_of_inevitability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>

		<media:content url="http://triumfant.files.wordpress.com/2012/01/matrix_subway.jpeg" medium="image">
			<media:title type="html">Matrix_subway</media:title>
		</media:content>
	</item>
		<item>
		<title>SOPA, PIPA, and Wikipedia May Have Been an Important Wake-up Call</title>
		<link>http://blog.triumfant.com/2012/01/19/sopa-pipa-and-wikipedia-may-have-been-an-important-wake-up-call/</link>
		<comments>http://blog.triumfant.com/2012/01/19/sopa-pipa-and-wikipedia-may-have-been-an-important-wake-up-call/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 14:43:35 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
		
		<guid isPermaLink="false">http://triumfant.wordpress.com/?p=1151</guid>
		<description><![CDATA[The wailing and gnashing of teeth you heard yesterday was the audible and digital screams of marginal students who could not complete their homework by copying and pasting from Wikipedia.  To call attention to the opposition to the SOPA and PIPA legislation, Wikipedia and other sites either went black or had visible displays of opposition.  [...]]]></description>
			<content:encoded><![CDATA[<p>The wailing and gnashing of teeth you heard yesterday was the audible and digital screams of marginal students who could not complete their homework by copying and pasting from Wikipedia.  To call attention to the opposition to the SOPA and PIPA legislation, Wikipedia and other sites either went black or had visible displays of opposition.  Beyond inconveniencing students, I wonder if we will look back on SOPA and PIPA as a marker in history in regards to the fight to keep the Internet free from censorship.</p>
<p>First for the disclaimers.  It is not the intention of this blog to express political views, and those views expressed are my own and do not represent Triumfant as a corporate entity.  My specific political persuasions are not important, but I am by no means a political animal or an activist.  I do fall squarely on the side of less government intervention.</p>
<p>First, SOPA and PIPA may have awakened some social and political awareness in the younger generations.  Jokes about Wikipedia aside, the fact that it went dark on a school night likely spiked awareness of the legislation like no other event could have managed.  PIPA was suddenly something to look up (but not on Wikipedia), instead of the cute sister of Kate Middleton.  Darkening the web sites that these generations rely so heavily on for their everyday life made some impression, and likely opened their eyes to a life where the Internet is not free.</p>
<p>Second, SOPA and PIPA woke up the general populace to the potential for censorship within our own country.  There were reports yesterday that several of the websites of key members of Congress were slowed to a crawl by the traffic to their sites.  The groundswell of opposition sent several senators and representatives backpedaling at a rate that only politicians can.  Because of SOPA and PIPA, people now know that Congress is capable of trying to regulate that which they do not understand, and that which few if any of us want them to be regulating.</p>
<p>The World Wide Web is obviously a two-edged sword.  It has opened a world of information to our fingertips, created interesting new paths for communication, and created a new platform for commerce.  It also is a huge void full of cat videos, Lee Dewyze, and the Kardashians.  At its worst it is riddled with spam, malware, pornography of the vilest kind, and hate.   The dark side is a function of the unfiltered nature of the Internet, but censorship won’t make that go away – the bad will survive but the good will suffer.  We in the IT security business fight against the dark side of the Internet daily, but I dare say that most think it is a fair price to pay for the absence of censorship.</p>
<p>Lastly, SOPA and PIPA are a useful discussion point for the evolution of national and world economies to the realities of online commerce.  Debates about the demise of bricks and mortar businesses, digital rights management, and other related topics are not new.  But the businesses that don’t bother to evolve with the digital economy continue to look toward Washington to retain their old ways through bad legislation in the face of the natural forces of a changing market.  David Meerman Scott had a <a href="http://www.webinknow.com/2012/01/stop-sopa-silliness.html" target="_blank">great blog post</a> about this very idea on his <a href="http://www.webinknow.com/" target="_blank">WebInkNow</a> blog yesterday.  Scott cites the music industry’s attempts to protect their long-standing business model as music moved into the digital age.  I also found this <a href="http://www.forbes.com/sites/larrydownes/2012/01/02/why-best-buy-is-going-out-of-business-gradually/" target="_blank">interesting article</a> that contrasts Best Buy and Amazon.</p>
<p>It is my opinion that is not in the best interest of all of us to start down the path of censorship to protect the archaic business models of those who cannot evolve in an online world.  I think thanks to SOPA, PIPA, and Wikipedia, there are more of us who understand that principle, or were at least introduced to that principle, than there were before yesterday.  I don’t think we have seen the last of bills like these in the Senate, but I am confident that the citizens are better informed of the potential ramifications of such legislation and will once again take a stand.</p>
<p>Now if you will excuse me, I have a white paper to write now that Wikipedia is back online.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2012/01/19/sopa-pipa-and-wikipedia-may-have-been-an-important-wake-up-call/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Story on Targeted Attacks Dispels the Presumption of Complexity</title>
		<link>http://blog.triumfant.com/2012/01/12/story-on-targeted-attacks-dispels-the-presumption-of-complexity/</link>
		<comments>http://blog.triumfant.com/2012/01/12/story-on-targeted-attacks-dispels-the-presumption-of-complexity/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 14:49:51 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Continuous Monitoring]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[Rapid Detection and response]]></category>
		<category><![CDATA[Targeted Attacks]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=1143</guid>
		<description><![CDATA[I came across a story today that really speaks to the mythology of targeted attacks and their much-hyped subset, the Advanced Persistent Threat.  In a story on the Threatpost Blog by Paul Roberts (@paulroberts) called &#8220;Attackers Reused Adobe Reader Exploit Code From 2009 In Extremely Targeted Hacks&#8221;, Roberts provides insightful details on a targeted attack that used [...]]]></description>
			<content:encoded><![CDATA[<p>I came across a story today that really speaks to the mythology of targeted attacks and their much-hyped subset, the Advanced Persistent Threat.  In a story on the Threatpost Blog by Paul Roberts (@paulroberts) called &#8220;<a href="https://threatpost.com/en_us/blogs/adobe-reader-zero-day-attacks-reused-code-2009-extremely-targeted-attacks-011112">Attackers Reused Adobe Reader Exploit Code From 2009 In Extremely Targeted Hacks</a>&#8221;, Roberts provides insightful details on a targeted attack that used an Adobe exploit to go after system integrators that specialize in working with the DoD.</p>
<p>The story nicely shows how targeted attacks don’t have to use a cutting-edge zero-day exploit or some new DeathRay-level malware to succeed.  In this attack, the attackers went after an Adobe vulnerability (since patched) called CVE-2011-2642 (first reported December 9, 2011) and leveraged exploit code that dated back to 2009.  The malware planted was the Sykipot Trojan, malicious code already known to the IT security industry.</p>
<p>Too often I think that business people hear “Targeted <a href="http://triumfant.files.wordpress.com/2012/01/cluttered_workbench1.jpg"><img class="alignright size-medium wp-image-1147" title="Cluttered_Workbench" src="http://triumfant.files.wordpress.com/2012/01/cluttered_workbench1.jpg?w=300&#038;h=225" alt="" width="300" height="225" /></a>Attack” or “Advanced Persistent Threat” and get a visual image of super smart adversaries in white lab coats creating exceedingly complex and sophisticated attacks.  They assume that targeted means specialty-built attacks that take enormous effort to conceive, construct and deploy.  They see it as rocket science.  And in some ways, I think that they use these misconceptions to talk themselves into thinking that no one would expend such effort to target their systems, creating a false sense of security.  They apply the business concept of “barriers to entry” to presume they are safe.</p>
<p>As this analysis shows, a targeted attack can be cobbled together from spare parts on their workbench. The barriers to entry in regards to the technical side of targeted attacks are nominal and easily scaled. All it takes is a motivated and intentional adversary that believes that your systems have something of value, and you can be the victim of a targeted attack.</p>
<p>As Roberts’ story shows, companies cannot hide behind false presumptions that there is inherent complexity that reduces the odds that they will be the victim of a targeted attack or APT.  Companies need to step up to a <a title="Making the Case for Rapid Detection and Response" href="http://blog.triumfant.com/2011/10/04/making-the-case-for-rapid-detection-and-response/">rapid detection and response</a> strategy as part of their IT security thinking.  Triumfant excels at <a title="Detect Targeted Attacks" href="http://www.triumfant.com/advanced_persistent_threat.asp" target="_blank">detecting targeted attacks</a> and <a title="The Case for Triumfant as a Detection Tool for the Advanced Persistent Threat" href="http://blog.triumfant.com/2010/02/09/the-case-for-triumfant-as-a-detection-tool-for-the-advanced-persistent-threat/">detecting the advanced persistent threat</a>, and is an example of solutions that can close the security gaps that leave companies open to such attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2012/01/12/story-on-targeted-attacks-dispels-the-presumption-of-complexity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>

		<media:content url="http://triumfant.files.wordpress.com/2012/01/cluttered_workbench1.jpg?w=300" medium="image">
			<media:title type="html">Cluttered_Workbench</media:title>
		</media:content>
	</item>
		<item>
		<title>RFIs &#8211; You Don&#8217;t Know What You Don&#8217;t Know</title>
		<link>http://blog.triumfant.com/2012/01/10/rfis-you-dont-know-what-you-dont-know/</link>
		<comments>http://blog.triumfant.com/2012/01/10/rfis-you-dont-know-what-you-dont-know/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 14:21:34 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[Rapid Detection and response]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=1137</guid>
		<description><![CDATA[RFIs drive me crazy. First, I think the concept is a Gordian knot.  I need to learn about something I do not know.  I will learn by asking questions in a static, rigid format.  Okay, but if you don’t know about something, how can you hope to ask the right questions to get the information [...]]]></description>
			<content:encoded><![CDATA[<p>RFIs drive me crazy.</p>
<p>First, I think the concept is a Gordian knot.  I need <a href="http://triumfant.files.wordpress.com/2012/01/gordian_knot.jpeg"><img class="alignright size-full wp-image-1139" title="gordian_knot" src="http://triumfant.files.wordpress.com/2012/01/gordian_knot.jpeg?w=630" alt="" /></a>to learn about something I do not know.  I will learn by asking questions in a static, rigid format.  Okay, but if you don’t know about something, how can you hope to ask the right questions to get the information you need, or hope that your questions don’t inhibit receiving the real information you need, which you don’t know you need because you don’t know?  You don’t know what you don’t know, so how do you expect to ask questions so you will know?  See – Gordian knot.</p>
<p>Second, the amount of bias is staggering.  I will ask people who have a vested interest in swaying my thinking for the answers I need.  I will ask the vendors.  The vendors that are in a daily dogfight in a crowded and often confusing market where every vendor tells much the same story.  Vendors that hold Maslow’s proverbial hammer and will therefore put every answer in the context of the nail for which their hammer best drives.  Vendors that know before you ask that the answer to every RFI or RFP question is – surprise! – yes.  Vendors that are on commission for heaven’s sake!</p>
<p>Well, Jim, why wouldn’t I ask the vendors?  They are most helpful.  Some offered to actually write the RFI for me.  I see your point and that seems perfectly reasonable.  It frees you up to interview foxes to watch your hen house.</p>
<p>What really frustrates me about RFIs is the lost opportunity to get exposed to truly innovative solutions that the organization could actually use to fill very real gaps in their IT security.  Why?  Because most RFI writers don&#8217;t know what they don&#8217;t know and therefore ask questions about what they do know: the same tired technologies that are at the heart of the very gaps that need to be filled.  RFIs are written from the sound bites of analysts, vendor web sites and industry pundits.  So what comes back is the same tired answers and nothing new is discovered.</p>
<p>You don’t know what you don’t know.  But what you do know is your problem, and that is where you should start.  You may not be ready to admit it publicly, but you know what gaps your organization has.  You know malware is getting past your shields, and you know that you are not equipped to know when and where. RFIs should not use vendor terminology or be bound by the solution du jour.</p>
<p>Write your RFIs to real, unfiltered gaps and problems, and provide a framework for vendors to provide solutions, but stay away from predispositions.  Doing so will quickly sort marketing speak from real, innovative technology that is not more of the same.  Questions should be heavy on detail about the problem, but not have artificial fences or filters as to how the problem can be solved.  Old assumptions should be abandoned, because those assumptions were largely forged about attacks and attack techniques that have since evolved exponentially and shattered them.</p>
<p>Tell me your problem and open your mind to the answer.  Am I biased about my product?  You bet I am.  But give me the opportunity to honestly (yes, there are more honest vendors out there than you may think or have been led to believe) provide you alternatives that you may not have even heard about, much less considered when writing the RFI.  You may be surprised what is out there.  After all, isn&#8217;t that the point?</p>
<p>That is all for now, as I have some RFIs to complete.  Let’s see. Question 1&#8230;(thoughtfully pondering)&#8230;&#8221;Yes&#8221;.</p>
<br />Filed under: <a href='http://blog.triumfant.com/category/endpoint-security/'>Endpoint Security</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/triumfant.wordpress.com/1137/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/triumfant.wordpress.com/1137/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/triumfant.wordpress.com/1137/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/triumfant.wordpress.com/1137/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/triumfant.wordpress.com/1137/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/triumfant.wordpress.com/1137/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/triumfant.wordpress.com/1137/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/triumfant.wordpress.com/1137/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/triumfant.wordpress.com/1137/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/triumfant.wordpress.com/1137/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/triumfant.wordpress.com/1137/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/triumfant.wordpress.com/1137/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/triumfant.wordpress.com/1137/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/triumfant.wordpress.com/1137/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1137&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2012/01/10/rfis-you-dont-know-what-you-dont-know/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>

		<media:content url="http://triumfant.files.wordpress.com/2012/01/gordian_knot.jpeg" medium="image">
			<media:title type="html">gordian_knot</media:title>
		</media:content>
	</item>
		<item>
		<title>The American Airlines Phishing Attack &#8211; Front Row Seat to the Psychology of an Attack</title>
		<link>http://blog.triumfant.com/2012/01/06/the-american-airlines-phishing-attack-front-row-seat-to-the-psychology-of-an-attack/</link>
		<comments>http://blog.triumfant.com/2012/01/06/the-american-airlines-phishing-attack-front-row-seat-to-the-psychology-of-an-attack/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 15:18:07 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Configuration and Compliance Management]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Rapid Detection and response]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://triumfant.wordpress.com/?p=1129</guid>
		<description><![CDATA[Today I came face to face with a phishing attack and was able to watch firsthand as the attack worked on the human element of IT security.  This morning I was contacted by a friend who had received an email that confirmed the purchase of a flight on American Airlines.   The friend was now convinced that [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1129&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>Today I came face to face with a phishing attack <a href="http://triumfant.files.wordpress.com/2012/01/phishing.png"><img class="alignright size-medium wp-image-1131" title="phishing" src="http://triumfant.files.wordpress.com/2012/01/phishing.png?w=300&#038;h=216" alt="" width="300" height="216" /></a>and was able to watch firsthand as the attack worked on the human element of IT security.  This morning I was contacted by a friend who had received an email that confirmed the purchase of a flight on American Airlines.   The friend was now convinced that a credit card had been compromised and that immediate steps were necessary.</p>
<p>Savvy IT security guy that I am, I immediately smelled a rat and asked that my friend (who lives close by) bring the PC with the email to me.  After all, I did not want potentially malicious stuff on my machine.</p>
<p>Sure enough, everything about the email spoke of fraud.  The appearance and format of the email was not even close to looking like a professional email from a large company that does lots of business online.  The email address was suspect, and having been on an airplane or two (or a thousand), I noted that the flight number was not even close to the American Airlines flight numbering system.  Lastly, there was the ubiquitous .zip file attached, just waiting to be clicked.  An example of the email can be found on the American Web site <a href="http://www.aa.com/i18n/disclaimers/phishingEmailExample10.jsp">here</a>.</p>
<p>What was an interesting study was the reaction of my friend to all of this.  I have had a credit card stolen so I knew it was not the end of the world.  I also knew that the credit card companies actually handle fraud pretty well, so every second did not really count.  My friend was very nervous about the credit card being used to buy all manner of unseemly things all the while laying waste to credit ratings.</p>
<p>But most of all, I noted that the .zip file hung like a ball of yarn in front of an over-caffeinated kitten.  My friend so wanted to click on that file.  The psychological pull was palpable.</p>
<p>I walked my friend through the process of recognizing such an attack, and went to the American Airlines web page to demonstrate that the flight number on the email did not exist.  In fact, it was a digit longer than the field on the site for the flight number status.  Next I listened as my friend called American, and then the credit card company.  Both verified that no transaction had occurred and that this was part of a wide reaching scheme.  The American agent actually spent a lot of time walking my friend through the phishing concept at a high level and provided steps on how to dispose of the email without releasing the malware.  I was impressed.</p>
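<p>The three tells described above (a sender address that is not the carrier's, a flight number that does not fit the carrier's numbering, and an archive attachment) are easy to turn into an automated triage check. The following Python is an added example, not code from this post or from Triumfant: the sample message is constructed, <code>aa.com</code> as the only legitimate sender domain and a four-digit maximum for flight numbers are assumptions for illustration, and a real deployment would also look at Received headers and authentication results (SPF, DKIM) rather than the From line alone.</p>

```python
"""Triage a 'flight confirmation' lure for the three indicators the post calls out:
a sender domain that is not the carrier's, a flight number that does not fit the
carrier's numbering, and an archive (.zip) attachment waiting to be clicked.
Added example; SAMPLE_EML, LEGIT_DOMAINS and MAX_FLIGHT_DIGITS are assumptions."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

LEGIT_DOMAINS = ("aa.com",)   # assumption: the domain the real carrier mails from
MAX_FLIGHT_DIGITS = 4         # assumption: airline flight numbers carry at most 4 digits
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")

# "Flight number: 12345", "Flight: 12345", "Flight AA1234" -> the digits land in group 2
FLIGHT_RE = re.compile(
    r"flight\s*(?:number|no\.?|#)?\s*:?\s*([A-Z]{2})?\s*(\d+)", re.IGNORECASE)

# Constructed sample lure (not a real message): brand in the display name,
# unrelated sender domain, five-digit flight number, empty zip attached.
SAMPLE_EML = b"""From: American Airlines <confirm@aa-tickets-online.example>
To: victim@example.org
Subject: Your flight ticket order confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Your order has been completed. Flight number: 12345
Your electronic ticket is attached.

--XYZ
Content-Type: application/zip; name="ticket.zip"
Content-Disposition: attachment; filename="ticket.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XYZ--
"""


def parse(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage (policy.default enables get_body etc.)."""
    return message_from_bytes(raw, policy=policy.default)


def sender_domain(msg):
    """Domain of the From address, ignoring whatever brand the display name claims."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def sender_is_spoofed(msg, legit_domains=LEGIT_DOMAINS):
    """True unless the From domain is, or is a subdomain of, a legitimate carrier domain."""
    dom = sender_domain(msg)
    return not any(dom == d or dom.endswith("." + d) for d in legit_domains)


def bogus_flight_numbers(text, max_digits=MAX_FLIGHT_DIGITS):
    """Flight numbers in the text with more digits than the carrier's numbering allows."""
    return [m.group(2) for m in FLIGHT_RE.finditer(text)
            if len(m.group(2)) > max_digits]


def archive_attachments(msg):
    """Names (or content types) of attachments that are archives."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_SUFFIXES) or part.get_content_type() == "application/zip":
            found.append(name or part.get_content_type())
    return found


def triage(raw):
    """Run all three checks and return a list of human-readable findings."""
    msg = parse(raw)
    findings = []
    if sender_is_spoofed(msg):
        findings.append("sender domain %r is not one of %s"
                        % (sender_domain(msg), ", ".join(LEGIT_DOMAINS)))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for num in bogus_flight_numbers(text):
        findings.append("flight number %s has more than %d digits" % (num, MAX_FLIGHT_DIGITS))
    for name in archive_attachments(msg):
        findings.append("archive attachment %r" % name)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("INDICATOR:", finding)
```

<p>Run against the constructed sample, all three indicators fire. None of them alone is proof of fraud (a partner domain may legitimately send on the carrier's behalf), which is why the checks return findings for a human to weigh rather than a verdict.</p>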
<p>I had several takeaways from the experience.  First, while the attack seemed amateurish and hackneyed to me, I was taken by how quickly my friend swallowed the hook and was quickly prepared to react.  The simple psychology involved was brutally effective, and I saw why such attacks succeed.  If a wide enough net is cast, someone will react the way the bad guys want.</p>
<p>Second, it reinforced the critical nature of the human element in IT security.  My friend is bright, educated, and computer savvy.  Yet that same person immediately and kinetically reacted to what was a cut-rate phishing attack.  People will always be the X-factor in IT security whether it be opening .zip files, shutting off their AV software, or gleefully inserting USB devices from any and every source.</p>
<p>Lastly, the experience screamed for the need for <a title="Making the Case for Rapid Detection and Response" href="http://blog.triumfant.com/2011/10/04/making-the-case-for-rapid-detection-and-response/">Rapid Detection and Response</a>, because in spite of shields and protections the human factor can be leveraged to bypass or evade those protections.  Stuff gets through, and in front of me was a simple example of how.</p>
<p>I have to go, I just received another email from another friend who says he just got a confirmation for a flight to Atlanta he did not buy.  Seriously.</p>
<br />Filed under: <a href='http://blog.triumfant.com/category/configuration-and-compliance-management/'>Configuration and Compliance Management</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/triumfant.wordpress.com/1129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/triumfant.wordpress.com/1129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/triumfant.wordpress.com/1129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/triumfant.wordpress.com/1129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/triumfant.wordpress.com/1129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/triumfant.wordpress.com/1129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/triumfant.wordpress.com/1129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/triumfant.wordpress.com/1129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/triumfant.wordpress.com/1129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/triumfant.wordpress.com/1129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/triumfant.wordpress.com/1129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/triumfant.wordpress.com/1129/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/triumfant.wordpress.com/1129/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/triumfant.wordpress.com/1129/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1129&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2012/01/06/the-american-airlines-phishing-attack-front-row-seat-to-the-psychology-of-an-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>

		<media:content url="http://triumfant.files.wordpress.com/2012/01/phishing.png?w=300" medium="image">
			<media:title type="html">phishing</media:title>
		</media:content>
	</item>
		<item>
		<title>The Readers Speak &#8211; the Top Ten Posts of 2011</title>
		<link>http://blog.triumfant.com/2011/12/19/top_ten_posts_of_2011/</link>
		<comments>http://blog.triumfant.com/2011/12/19/top_ten_posts_of_2011/#comments</comments>
		<pubDate>Mon, 19 Dec 2011 16:08:08 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[antivirus detection rates]]></category>
		<category><![CDATA[Rapid Detection and response]]></category>
		<category><![CDATA[zero day malware]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=1123</guid>
		<description><![CDATA[The year is rolling to its inexorable end and it is time to look back fondly on the top blog posts from Exceptional Security in 2011.  The selection process is generally scientific, using the site stats to gauge reader interest.  But personal bias and self-indulgence are also a factor.  At least I am honest, and [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1123&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>The year is rolling to its inexorable end and it is time to look back fondly on the top blog posts from Exceptional Security in 2011.  The selection process is generally scientific, using the site stats to gauge reader interest.  But personal bias and self-indulgence are also a factor.  At least I am honest, and I refrain from clichéd predictions.</p>
<p><a title="Advanced Persistent Threat: Solution – No, Effective Detection – Yes" href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat: Solution – No, Effective Detection – Yes</a>.  This post was actually written in January of 2010 but has been the most-read post on the blog.  The post addresses the qualifications of Triumfant as a viable and effective tool for detecting targeted attacks, including APT.</p>
<p><a title="The UC Berkeley Breach – You Don’t Know What You Don’t Know" href="http://blog.triumfant.com/2009/05/11/the-uc-berkeley-breach-you-dont-know-what-you-dont-know/">The UC Berkeley Breach – You Don’t Know What You Don’t Know</a>. Another post written before 2011 that continues to resonate.  In fact, this post is a very early expression of what I now call Rapid Detection and Response – the ability to quickly detect the attacks that evade preventative software and quickly respond to the breach.</p>
<p><a title="Trojan Horses, Payloads and Flamethrowers" href="http://blog.triumfant.com/2011/09/27/trojan-horses-payloads-and-flamethrowers/">Trojan Horses, Payloads and Flamethrowers</a>.  This post turns the most overused cliché in IT security – the Trojan Horse – on its ear to illustrate rapid detection and response and the folly of relying solely on perimeter defenses.  Not to mention gross misuse of literary license as I insert flamethrowers into classical mythology.</p>
<p><a title="Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean" href="http://blog.triumfant.com/2011/10/28/sayano-shushenskaya_accident_a_model_for_duqu-stuxnet_combo/">Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean</a>.  This post uses the incident at a Russian hydroelectric facility to illustrate what kind of terrorism could be performed with a Stuxnet style attack.  The images from a 900 ton turbine unit tearing free of its moorings seemed to provide readers a visual reference point for the potential of such attacks.</p>
<p><a title="Purely Commercial Espionage – The Advanced Persistent Threat Targets Businesses" href="http://blog.triumfant.com/2011/10/11/purely-commercial-espionage-the-advanced-persistent-threat-targets-businesses/">Purely Commercial Espionage – The Advanced Persistent Threat Targets Businesses</a>.  The exact definition of APT is hotly debated, but most see it as cyber warfare at the nation state level and not an issue of commerce.  Regardless of definitions, this post explores the burden that commercial organizations are bearing from targeted attacks that extract intellectual property from U.S. companies, negatively affecting the economy.</p>
<p><a title="Certificate Authorities Hacked – So Who Can You Trust?" href="http://blog.triumfant.com/2011/09/12/certificate-authorities-hacked-so-who-can-you-trust/">Certificate Authorities Hacked – So Who Can You Trust?</a> This post speaks to the corruption of the chain of trust caused by the hacking of several certificate authorities.  The important takeaway is that prevention mechanisms can fail along a variety of vectors, so adding rapid detection and response is necessary and prudent.</p>
<p><a title="The Emotional Barriers to Embracing the Presumption of Breach Doctrine" href="http://blog.triumfant.com/2011/11/01/emotional_barriers_to_embracing_the_presumption_of_breach_doctrine/">The Emotional Barriers to Embracing the Presumption of Breach Doctrine</a>.  Why, in the face of all statistics and other forms of evidence to the contrary, do people cling to the notion of the 100% effective preventative shield?  This post looks at the emotional component that prevents highly rational people from admitting that they are getting breached and taking the appropriate action. I think it is a concept worth exploring more broadly.</p>
<p><a title="Finding a Needle in a Haystack – Child’s Play!" href="http://blog.triumfant.com/2011/03/17/finding-a-needle-in-a-haystack-childs-play/">Finding a Needle in a Haystack – Child’s Play!</a> Another alternate take on a treasured IT security cliché – the needle in the haystack.  Specifically that finding a known thing – the needle – in a homogeneous population – the haystack – is a far easier proposition than locating malware without a signature in the vast IT world. Too big to do in one post, it turned into a series of posts.</p>
<p><a title="Virus Attacks U.S. Drone Fleet and the Need for Rapid Detection and Response" href="http://blog.triumfant.com/2011/10/12/virus-attacks-u-s-drone-fleet-and-the-need-for-rapid-detection-and-response/">Virus Attacks U.S. Drone Fleet and the Need for Rapid Detection and Response</a>.  Sometimes when you are trying to get some traction around a concept or term, the world throws you a bone.  As I was introducing the concept of Rapid Detection and Response, the story broke about the attacks on the C&amp;C center for the U.S. drone fleet and how that was a perfect scenario for the concept.</p>
<p><a title="Time to Put Your Antivirus Software on a Diet" href="http://blog.triumfant.com/2010/11/04/time-to-put-your-antivirus-software-on-a-diet/">Time to Put Your Antivirus Software on a Diet</a>.  This was posted in late 2010 but got a lot of reader momentum in 2011.  The post is an answer to the question frequently asked when we present Triumfant: “Are you saying you replace antivirus tools?”.   As a bonus, it contains my favorite phrase of 2011: fusillade of FUD.</p>
<p>Well, that wraps 2011 for Exceptional Security unless something big happens that requires comment.  Otherwise, thank you for reading – it is always humbling to know that someone takes the time to read.</p>
<p>See you in 2012.</p>
<br />Filed under: <a href='http://blog.triumfant.com/category/endpoint-security/'>Endpoint Security</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/triumfant.wordpress.com/1123/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/triumfant.wordpress.com/1123/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/triumfant.wordpress.com/1123/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/triumfant.wordpress.com/1123/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/triumfant.wordpress.com/1123/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/triumfant.wordpress.com/1123/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/triumfant.wordpress.com/1123/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/triumfant.wordpress.com/1123/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/triumfant.wordpress.com/1123/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/triumfant.wordpress.com/1123/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/triumfant.wordpress.com/1123/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/triumfant.wordpress.com/1123/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/triumfant.wordpress.com/1123/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/triumfant.wordpress.com/1123/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1123&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2011/12/19/top_ten_posts_of_2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>iPads, Angry Birds, and an IT Security Christmas Shopping Recommendation</title>
		<link>http://blog.triumfant.com/2011/12/14/ipads-angry-birds-and-an-it-security-christmas-shopping-recommendation/</link>
		<comments>http://blog.triumfant.com/2011/12/14/ipads-angry-birds-and-an-it-security-christmas-shopping-recommendation/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 14:29:09 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=1116</guid>
		<description><![CDATA[One of the interesting phenomena of working in the computer industry is that people will ask your guidance when considering purchasing anything computer related, including smart phones and tablets.  It of course matters not to them that your job responsibilities are not related to that part of the computer industry.  They are buying a piece [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1116&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>One of the interesting phenomena of working in the computer industry is that people will ask your guidance when considering purchasing anything computer related, including smart phones and tablets.  It of course matters not to them that your job responsibilities are not related to that part of the computer industry.  They are buying a piece of technology they do not understand and you are the closest thing to a lifeline that they have, especially during the Christmas season.</p>
<p>I find on such occasions that people ask about devices <a href="http://triumfant.files.wordpress.com/2011/12/download-angry-birds-rio-hd-update-for-ipad-3-with-walkthrough.jpg"><img class="alignright size-medium wp-image-1119" title="Download-Angry-Birds-Rio-HD-Update-For-iPad-3-with-Walkthrough" src="http://triumfant.files.wordpress.com/2011/12/download-angry-birds-rio-hd-update-for-ipad-3-with-walkthrough.jpg?w=300&#038;h=225" alt="" width="300" height="225" /></a>rather than about purpose &#8211; Nook, iPad, Kindle Fire.  I respond by asking them what they want the device to help them do – what is the third level of why behind considering the device.  More times than not, that question is met with a confused gaze and a shrug.  My best guess is that this person has fallen for the marketing hype behind the device rather than fitting function to need.  The iPad is a great tool, but I know plenty of people who have theirs up for sale because they found it to be either less than they expected or a very expensive platform for Angry Birds.</p>
<p>The funny thing is that when I try to help people think their question through they sometimes become a bit put off at me because they have emotionally sold themselves on the device, often irrespective of that device’s real ability to perform useful tasks that would justify the purchase.</p>
<p>I see the same thing in the security market as new “it” (silver bullet) technologies come and go.  Executives read the magazine in the airplane seatback, see some well-turned advertising, or get swept into the analyst hype cycle.  They conclude that they need the new bright shiny object to (choose one or more)</p>
<ul>
<li>Make them “more secure”</li>
<li>Protect them from the advanced persistent threat</li>
<li>Shield them from the Cybergeddon (actually taken from a Web Site)</li>
<li>Lower cholesterol, cure male pattern baldness, and end the common cold</li>
</ul>
<p>My advice is to decide what it is you need from a security product, and then evaluate products against that need.  Whitelisting has been getting a lot of hype these days.  I have been at organizations where whitelisting is a perfect fit for their culture, their security philosophies, their staff, and their relative threat profile.  And I have been to organizations where it is easy to predict that whitelisting will not be a success for many reasons unrelated to the product itself.  I will also tell you that at many organizations, even a fabulously successful implementation of a perfectly good whitelisting tool will not ultimately fill the real needs of that organization.  And no, this is not a whitelist bashing as I could have chosen any number of technologies.</p>
<p>This is not, as they say, rocket surgery.  Step back from product hype and ask yourself what you need.  Determine your areas of risk – the gaps in your security.  Examine broader approaches to filling that need.  Only then should you begin to look at products within those broader approaches.  Steel yourself against the marketing hype of the latest bright shiny object and focus on what you want the tool to do. Don’t buy the latest bright shiny object and try to bend your problems to that product – the results will be predictable.</p>
<p>Don’t get me wrong &#8211; I am sure Angry Birds on an iPad is a great experience.  But budgets are tight, the adversary is relentless, and resources thin.  Shop wisely.</p>
<br />Filed under: <a href='http://blog.triumfant.com/category/endpoint-security/'>Endpoint Security</a>  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/triumfant.wordpress.com/1116/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/triumfant.wordpress.com/1116/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/triumfant.wordpress.com/1116/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/triumfant.wordpress.com/1116/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/triumfant.wordpress.com/1116/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/triumfant.wordpress.com/1116/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/triumfant.wordpress.com/1116/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/triumfant.wordpress.com/1116/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/triumfant.wordpress.com/1116/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/triumfant.wordpress.com/1116/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/triumfant.wordpress.com/1116/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/triumfant.wordpress.com/1116/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/triumfant.wordpress.com/1116/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/triumfant.wordpress.com/1116/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1116&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2011/12/14/ipads-angry-birds-and-an-it-security-christmas-shopping-recommendation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>

		<media:content url="http://triumfant.files.wordpress.com/2011/12/download-angry-birds-rio-hd-update-for-ipad-3-with-walkthrough.jpg?w=300" medium="image">
			<media:title type="html">Download-Angry-Birds-Rio-HD-Update-For-iPad-3-with-Walkthrough</media:title>
		</media:content>
	</item>
		<item>
		<title>Exhibit Hall Hard Truth &#8211; Buy One of Everything and You Will Still Be Breached</title>
		<link>http://blog.triumfant.com/2011/12/01/exhibit-hall-hard-truth-buy-one-of-everything-and-you-will-still-be-breached/</link>
		<comments>http://blog.triumfant.com/2011/12/01/exhibit-hall-hard-truth-buy-one-of-everything-and-you-will-still-be-breached/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 13:39:27 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[detect advanced persistent threat]]></category>
		<category><![CDATA[detect zero day attacks]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[malware detection rates]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=1107</guid>
		<description><![CDATA[This week I spent the day at a table at an exhibit hall at a conference.  Traffic was light in the exhibit area and it gave me a lot of time to think, which is often dangerous.  The show was one of those egalitarian exhibits where everyone gets the same six foot table, so there [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.triumfant.com&amp;blog=6915550&amp;post=1107&amp;subd=triumfant&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>This week I spent the day at a table at an exhibit hall at a conference.  Traffic was light in the exhibit area and it gave me a lot of time to think, which is often dangerous.  The show was one of those egalitarian exhibits where everyone gets the same six foot table, so there were no little vendors being dwarfed by massive booths with overwhelming A/V systems and elaborate staging.  Mostly pop-up banners and table covers.  The somewhat equal playing field allowed for some interesting observations and one important epiphany.</p>
<p>First, IT security is the land of really bad company names.  I won’t call out any here.  But, <em>really</em>?</p>
<p>Second, if it were your first time in an exhibit hall how could you possibly come to any rational conclusions?  Every booth seemed to promise the same thing and share the same set of bulleted claims to the point that I think you could have randomly redistributed banners and most booths would have not missed a beat.</p>
<p>Finally, I was struck by the fact that the emphasis on prevention and the pursuit of the perfect shield is really sending a very loud message, if the attendees were willing to see the forest for the trees. Of the 50 tables at the show, 47 were about preventing attacks, 2 were consulting shops, and one, Triumfant, was about detecting breaches.</p>
<p>Notice I said breaches.  I realize that everyone talks about detecting attacks as the recognition step needed to prevent attacks.  Triumfant is distinguished in that we detect successful attacks – the ones that get through the defenses.  Therefore, we detect breaches.</p>
<p>And now for the epiphany: shouldn’t the vast number of prevention solutions and all of the noise really tell you something about prevention?  If shields are working so darn well, then why do we have hundreds of shield solutions in the market?  Why does your endpoint solution (AV vendor) continuously have to add layer upon layer of new technology?  Why are you neck deep in the spent shell casings of silver bullet technologies that will finally provide you with the 100% of myth and legend?</p>
<p>Repeat after me: <strong>Attacks get through your shields. </strong> Attacks get through everyone&#8217;s shields.  You have been breached.  You can buy every prevention product on the market and you will continue to be breached. And no, this is not all about exotic targeted attacks and the <a title="Advanced Persistent Threat" href="http://www.triumfant.com/advanced_persistent_threat.asp" target="_blank">advanced persistent threat</a>.  Sometimes it is just basic, opportunistic malware that gets through.</p>
<p>It gets worse.  <strong>You are not prepared.</strong>  You do not have the tools in place to detect a breach.  The <a title="Verizon Business 2011 Data Breach Investigations Report" href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf" target="_blank">Verizon Business Data Breach Investigations Report</a> showed that you will only find it yourself 6% of the time.  You are unprepared to detect successful attacks, yet you continue to shop for silver bullets instead of facing the hard truth.</p>
<p>I am talking about the ability to detect a breach within minutes of infection, alert the proper personnel, and return detailed actionable information. If you choose wisely, you may even get a solution so sophisticated that it can build a remediation for the breach, stop the malicious software, and repair the machine (including collateral damage) also within minutes of the infection.</p>
<p>My big takeaway from my time at the shows was really quite simple: the noise and confusion of the security shows and the broad infosec market is actually telling you something if you step back and listen.</p>
<br />Filed under: <a href='http://blog.triumfant.com/category/endpoint-security/'>Endpoint Security</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2011/12/01/exhibit-hall-hard-truth-buy-one-of-everything-and-you-will-still-be-breached/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Water Utility Attacked, Compromised &#8211; the Era of SCADA Attacks Arrives</title>
		<link>http://blog.triumfant.com/2011/11/21/water-utility-attacked-scada-attacks/</link>
		<comments>http://blog.triumfant.com/2011/11/21/water-utility-attacked-scada-attacks/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 14:31:39 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[Nitro Attacks]]></category>
		<category><![CDATA[SCADA attacks]]></category>
		<category><![CDATA[Water Plant Attack]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=1104</guid>
		<description><![CDATA[On October 28 I posted a blog entry about the Sayano-Shushenskaya hydroelectric power plant accident being a model for attacks aimed at industrial controllers and SCADA devices.  Last week the model became reality as an attack damaged a pump at a water plant in Illinois (from Krebs on Security). To recap my post, I told the [...]]]></description>
			<content:encoded><![CDATA[<p>On October 28 I posted a blog entry about the <a title="Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean" href="http://blog.triumfant.com/2011/10/28/sayano-shushenskaya_accident_a_model_for_duqu-stuxnet_combo/">Sayano-Shushenskaya hydroelectric power plant</a> accident being a model for attacks aimed at industrial controllers and SCADA devices.  Last week the model became reality as <a title="Cyber Intrusion Blamed for Hardware Failure at Water Utility" href="http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/">an attack damaged a pump at a water plant in Illinois</a> (from Krebs on Security).</p>
<p>To recap my post, I told the story of the 2009 Sayano-Shushenskaya plant where a 900-ton turbine unit lifted 50+ feet into the air due in part to the failure of an anti-vibration program.  Tragically, 75 people lost their lives in the accident.  The region lost a 6,500 MW power station through at least 2014, and power outages affected industrial production on a broad scale.  My point was that a hack of industrial control programs and SCADA devices could disrupt critical infrastructure or be used for industrial blackmail.</p>
<p>The post makes the point that hacks need not be complicated – shutting off a vibration control program being a good example.  The post also ties in the recent <a href="http://blog.triumfant.com/2011/11/07/nitro-duqu-poison-ivy-video-proof-and-the-advanced-persistent-threat-as-industrial-espionage/">Duqu and Nitro attacks</a> as a great example of tools being used by adversaries to gather the data needed to pull off such hacks.</p>
<p>Suddenly this dumb country boy looks prophetic.  Stories began to break last week that an Illinois water plant was hacked and a water pump was rendered inoperable (destroyed feels a bit extreme here) through a hack on industrial control systems on November 8.  The sophisticated method used by the hackers to cripple the pump?  They turned the SCADA system on and off repeatedly until the pump burnt itself out.</p>
<p>Those shifty hackers! They managed to subvert the oldest, most tried and true technique for fixing almost anything electronic – turning it off and turning it back on.</p>
<p>Seriously, this is the first attack (that we know about, at least) on a SCADA/industrial control system since the story broke about Stuxnet.  Given how quickly DHS stepped in to deny it was a hack, I think it is safe to assume there have been others.  Not quite as dramatic as a 900-ton turbine unit destroying a hydroelectric plant, but no less effective in disrupting infrastructure.  Regardless, I think we are seeing the adversary try new tradecraft on smaller utilities that are less heavily protected than their brethren serving large populations.  The proverbial velociraptors systematically testing the fences.</p>
<p>My next prediction? You will see more such stories in the near term as the exploration process continues and the tradecraft is refined.  Some industry analysts, pundits and experts will call concerns about such attacks marketing FUD and overreaction.  As the stories grow more frequent, people will get numb to the warnings.</p>
<p>Until something happens that is truly disruptive.  My last prediction: it is not “if” but “when”.</p>
<p><strong>Update 12/1/2011:</strong></p>
<p>Wired Magazine has confirmed that there was actually no hack per the official stance of the FBI and DHS.  <a href="http://www.wired.com/threatlevel/2011/11/water-pump-hack-mystery-solved/">This article</a> contains a summary of the circumstances behind the reported hack. I stand corrected.</p>
<p>It should be noted that an <a title="Hackers accessed city infrastructure via SCADA – FBI" href="http://www.information-age.com/channels/security-and-continuity/news/1676243/hackers-accessed-city-infrastructure-via-scada-fbi.thtml">article in Information Age</a> actually used an FBI source to report that SCADA systems had been compromised elsewhere.</p>
<br />Filed under: <a href='http://blog.triumfant.com/category/endpoint-security/'>Endpoint Security</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2011/11/21/water-utility-attacked-scada-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
	</channel>
</rss>
