Archive for : March, 2013

IOC’s changing format

In a webinar on Feb 21st 2013, Mandiant discussed the future of their OpenIOC framework.

OpenIOC is an extensible XML schema for describing the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise. OpenIOC was created by Mandiant, a security company located in Virginia. IOC stands for Indicators of Compromise. The term may be used to refer to specific artifacts left by an intrusion, or to larger sets of information that allow for the detection of other activities conducted by attackers. The term is also used as the name for a file in the OpenIOC format that contains a set of such data. The file extension for these files is .ioc. (From openioc.org)

The IOC format has been in use without changes for the last 5 years. That is a considerably long time to go without changes in an industry that changes every day. OpenIOC is limited in its functionality and is due to be revamped.

They put out a call for updating the format to be more flexible, because the standard has several limitations. One such limitation is that there is no real “is”: their “is” is equivalent to “contains”. The bottom line is that it can’t break up a string of words (for example, you couldn’t match “system” without also matching “system32”). This limitation means that you have to create complicated IOCs. Another example: the term “NOT” does not negate; it deselects an item from the list.

Things they want to change:

More than “is” and “contains”:
- greater-than
- less-than
- starts-with
- ends-with
- matches (regex)
- case sensitivity

Document indicator terms:
- FileItem/Md5sum
- FileItem/FileName
- FileItem/FilePath
- FileItem/FullPath
- FileItem/PEInfo/Sections/Section/DetectedCharacteristics
- ProcessItem/SectionList/MemorySection/PEInfo/DetectedEntryPointSignature/Type

Define operators:
- is (==)
- contains

Per indicator item:
- comments
- scoring
- special handling
- prioritize an investigation (securely)
- manage the intelligence
- share what we want more easily

Takeaways: needs more operators, needs more documentation, needs to be less tactical, needs community input, and needs a new logo.

The future of OpenIOC is looking bright as the OpenIOC team starts work on updating and building a new OpenIOC standard.
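As an added example (not code from the webinar or from Mandiant), here is a small Python evaluator for the operators on that wish list, run over a constructed indicator and constructed file records; the preserve-case and negate attribute names, the sample hash and the sample records are assumptions, not taken from a published OpenIOC schema.

```python
import re
import xml.etree.ElementTree as ET

# Condition names follow the webinar's wish list; the preserve-case and negate
# attribute names are assumptions, not taken from a published OpenIOC schema.
OPERATORS = {
    "is": lambda v, c: v == c,  # exact match, no longer a synonym for "contains"
    "contains": lambda v, c: c in v,
    "starts-with": lambda v, c: v.startswith(c),
    "ends-with": lambda v, c: v.endswith(c),
    "matches": lambda v, c: re.search(c, v) is not None,
    "greater-than": lambda v, c: float(v) > float(c),
    "less-than": lambda v, c: float(v) < float(c),
}

def item_matches(item, record):
    """Evaluate one <IndicatorItem> against a flat record keyed by indicator term."""
    cond = item.get("condition")
    value = record.get(item.find("Context").get("search"))
    content = item.find("Content").text or ""
    if value is None:
        return False
    value = str(value)
    if cond not in ("greater-than", "less-than") and item.get("preserve-case") != "true":
        value, content = value.lower(), content.lower()  # case-insensitive by default (pattern too)
    hit = OPERATORS[cond](value, content)
    return (not hit) if item.get("negate") == "true" else hit  # real negation, not deselection

def evaluate(node, record):
    """Recurse through nested <Indicator operator="AND|OR"> blocks."""
    hits = [item_matches(c, record) if c.tag == "IndicatorItem" else evaluate(c, record)
            for c in node]
    return all(hits) if node.get("operator") == "AND" else any(hits)

# Constructed indicator: an svchost look-alike in System32 whose hash is not the known-good one.
KNOWN_GOOD = "a" * 32  # constructed placeholder, not a real hash
SAMPLE_IOC = rf"""<Indicator operator="AND">
  <IndicatorItem condition="ends-with"><Context search="FileItem/FilePath"/><Content>\System32</Content></IndicatorItem>
  <IndicatorItem condition="matches"><Context search="FileItem/FileName"/><Content>^svch[o0]st\.exe$</Content></IndicatorItem>
  <IndicatorItem condition="is" negate="true"><Context search="FileItem/Md5sum"/><Content>{KNOWN_GOOD}</Content></IndicatorItem>
</Indicator>"""

# Constructed file records standing in for host-scan output.
SAMPLE_RECORDS = [
    {"FileItem/FilePath": r"C:\Windows\System32", "FileItem/FileName": "svchost.exe", "FileItem/Md5sum": KNOWN_GOOD},
    {"FileItem/FilePath": r"C:\Windows\System32", "FileItem/FileName": "svch0st.exe", "FileItem/Md5sum": "b" * 32},
    {"FileItem/FilePath": r"C:\Users\Public", "FileItem/FileName": "svch0st.exe", "FileItem/Md5sum": "b" * 32},
]

def scan(ioc_xml=SAMPLE_IOC, records=SAMPLE_RECORDS):
    """Return the file names of records that satisfy the whole indicator tree."""
    return [r["FileItem/FileName"] for r in records if evaluate(ET.fromstring(ioc_xml), r)]
```

Only the second record is returned: the first has the known-good hash and the third is outside System32, which the old contains-only “is” and deselect-style “NOT” could not express in one indicator.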

Big Data Intelligence for Security

What is big data? And how can my organization use it with Security?

There is an idea within theoretical computer science that the study of algorithms falls into two categories: complexity theory and computability. Complexity theory looks at several factors when calculating the total completion time of a given algorithm. It takes into account how many cycles the algorithm uses, then looks at it from a hardware stance: how much RAM, processing power and other system resources are available to compute the given problem. More often than not, you will be limited by the system resources available to you, because you are limited to running your algorithm on one workstation. It is this limit that has awakened a new sleeping giant: “Big Data”.

Big data changes the way we think about system resources. A Hadoop environment allows these resource-intensive algorithms to run in a matter of minutes or hours, compared to days and weeks on a single system. Depending on the build type of the Hadoop system, it could even reduce your query time to seconds. It is this revolution in data processing that has captured the attention of the professional world at large, and it is this attention and the ingenuity of individuals that are shaping the future of “Big Data”.

How can Security play a role within the Big Data space? 

Big data can offer an organization insight into problems through the work of a data science engineer. There has always been a need to process data, but it has never existed at the scale it does today. As we produce more and more data (logs, NetFlow data (network traffic), emails, IT asset inventories, vulnerability assessments, threat intelligence reports, application and system behaviors, structured data and unstructured data), we need a way to efficiently carve that data up. You can see that for big data to be successful you will need to have a variety of data available within the big data container.

In this way it will be highly automated, using advanced data aggregation, event correlation, statistical and heuristic analysis, and real-time monitoring. Computing power is not the only constraint; the supply of skilled professionals is also limited. As you anticipate a need for big data within your organization, you may want to research the cost of hiring a data scientist. Finding a good data scientist who is also security conscious can increase the value of your deliverables.

What type of information can you expect to get from your Big Data?

Again, this depends on the data sources available to you, and keep in mind that this is from a security standpoint. You should be deriving your deliverables from the data collected and also from company objectives, large risk factors and even audit findings. Examples of what you can find hidden in your terabytes of data include: persistent threats, insider threats, adware and Trojan activity, data leakage, and phishing attacks. It is also important to make sure that your data streams live into your Hadoop environment. This will ensure that you can create real-time alerts.

What skills do you need in house to accomplish Big Data for Security? 

Here is a list of in-house skills you will need to be successful in your big data mining.

  • Multivariate statistical analysis
  • Data mining
  • Predictive modeling
  • Natural language modeling
  • Content analysis
  • Text analysis
  • Social networking analysis

This list doesn’t include the technical skills needed to support the Hadoop environment.

Conclusion:

It is important not to introduce a more complex and unyielding system into your security environment, but to build your big data platform in several layers that offset the complexity of Hadoop and MapReduce. That being said, an investment in big data for security is a huge task, which few are able to accomplish.

I wait with anticipation for the future of Big Data for Security to unfold within the next few years. Now stating an opinion, I think that once the total cost of ownership comes down, big data will help shape a future that is more secure from hackers and insider threats. With this next version, Big Data 2.0, we will see a level of automation once thought impossible.


Giac 2700

Are you looking into getting the GIAC 2700 certification?

Have you asked yourself these questions:

Is it part of your degree program?

Are you considering the CISSP to the GIAC 2700?

Why are you looking to get this certificate?

Do you need to work with the 2700 standards?

I received my GIAC 2700 certificate while getting my master’s degree in Information Security and Assurance from WGU. While studying for the GIAC 2700, I studied material for the CISSP, which is similar to the GIAC 2700.

If you can answer the above questions, you are a step closer to choosing your certifications.