The Techno Security & Forensics Security Conference is held in conjunction with the Mobile Forensic Conference each year in Myrtle Beach, SC. Both conferences are primarily geared towards forensics types. Each of the main days (there are pre and post-con classes like most conferences) starts with a keynote speaker. Today's was Mandiant's CEO, Kevin Mandia. Some of the things I wrote down from the keynote:
State of the Hack Keynote:
Mandia comes from a military background (USAF officer). When he looked out at the private sector and thought about the types of attacks the military was fending off, he felt corporate America was really a bunch of "sitting ducks." Another analogy he used was as an "Ultimate Fighting Champion mugging your grandmother." That's part of what led to the creation of Mandiant. Based on how the rest of the talk played out, there's some credence to his position.
At this point, he feels that small and medium size firms don't have a chance. They either have little or no IT security budget and they have very vulnerable end users. Small and medium sized firms aren't off the radar for attacks by APTs, either. For instance, he kept citing that the Chinese were funneling some of their attacks through a florist business.
In other words, we're all potential targets. We're bigger targets if we're educational institutions due to the difficulty locking things down.
What is defined as victory has slipped from when I was primarily a security architect. We believed security should be with the view of when someone gets in, not if. However, we still tried to "gear up" to prevent the if. Nowadays, forget it. Victory is defined based on the time you can detect the threat and close it down. If you can do it in 4 hours, you're a superstar. If you can accomplish it in a couple of days, you might still be okay. The reason for his view of this was that the attackers typically take a little time before getting the breach and beginning active steps by a human. This isn't always the case, however. Mandiant has seen a Chinese response from break-in to a human operative actively attacking in as little as seven monites. The best he has seen is a particular defense contractor that is averaging 30 minutes.
This made me think about how many companies are postured to respond in such a way.
Another thing he pointed out is that most of the breaches they investigate the firms have pretty good IT security. Most are meeting compliance requirements. For instance, every time in recent memory they've gone and noted anti-virus has been up to date (how many of you have seen that on an audit). The takeaway from that is current endpoint protection is effectively useless.
The reason it's all useless is that the method of attacks have changed dramatically. It used to be that we went after technical exploits. I think about it like sappers tunneling under the castle wall. We were looking for a technical vulnerability to exploit. Nowadays it's almost all human. Attackers are researching who are in these companies and then sending targeted emails, spear phishing, which either contain malware or links to malware or sites which take advantage of browser vulnerabilities. All it takes is one. That's why the security posture has changed.
However, it's not all malware. They're grabbing passwords. They're making use of social engineering. There's a lot of "no tech" mechanisms being employed. For instance, at one technical company, 51 computers were compromised but only 12 had malware.
Once again this shows us that humans are the weakest link in security. Mandia didn't have good answers that would be acceptable to industry on how to solve this. No one does at this point. Yet another reason for the current security posture.
Convergence of Digital Forensics and eDiscovery:
This is the other talk that hit me as significant and not so overly technical that it's of value to data and standard IT professionals. This was a panel discussion.
Basically, digital forensics was built around the model of trying to examine thoroughly a desktop or a couple of laptops. If you want evidence of it, go look at the more recent computer forensics books. Basically, how to sniff out every detail on a particular Windows or Max OS X system. This isn't going to work. Just as the amount of data has exploded in industry, it has exploded everywhere. Case in point: one investigation by one of the panelists required the investigation of all the assets of 1,500 data custodians. You can imagine how much data that is. Another panelist cited a case that really rocked him and made him realize the shift was when he was asked to examine 11 TB and 65 mobile phones. If you go to the "bits and bytes" level typical of old school computer forensics, you'd spend a lifetime, literally, pulling out all the useful information.
The solution is to bring eDiscovery tools to bear. This allows us to filter and pare down the amount of data. It also means being able to bring in SMEs to view the data. For instance, a particular email may be meaningless to a forensics investigator. However, the key word or data profile triggered. Upon looking at it the forensics investigator realizes it's HR related and can bring in an HR resource to analyze the information. This leads to getting to the right information, but using different methods.
Using eDiscovery doesn't mean losing chain-of-evidence or anything else that would compromise the ability for evidence to be admissible in court. If proper procedures are followed, data shouldn't be altered. MD5 and SHA1 hashes should match up. However, when you're faced with hundreds of TBs of data, you now have a fighting chance to get at what you need in a timely manner. If we don't go down this road, nothing comes to trial, whether civil or criminal, and the costs are horrendous.
As a data professional, this got me to thinking that this is an area where our expertise, filtering and working with data, would be of great benefit. Unfortunately, I haven't run across many who have feet in both fields.
I'm definitely looking forward to tomorrow.
