Random Thoughts

Saturday, November 7, 2015 Posted by Corey Harrell
Things have been quiet on jIIr since I over committed myself. The short version is I had zero time for personal interests outside of my commitments, $dayjob, and family. Things are returning back to normal so it’s time to start working through my blog idea hopper. In the meantime, this post is sharing some of my recent random thoughts. Most of these thoughts came in response to reading an article/email, seeing a tweet, hearing a presentation, or conversing with others. 

~ We need to stop looking to others (peers, vendors, etc) to solve our problems. We need to stop complaining about a lack of resources, information, training, tools, or anything else. We need to start digging into our issues to solve them ourselves instead of looking for the easy answers.

~ As we work to better defend our organizations, we need to take to heart R. Buckminster Fuller's advice. "You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete." Our focus needs to be on building and improving the new reality while ignoring the haters who are stuck in the past.

~ We need to stop saying we don't have enough resources. We need to focus on our workflows and seek out ways to improve, automate, and become more efficient. Slight changes on existing workflows can free up resources for other areas.

~ We need to start using this new technology called Google. There is no such thing as a stupid question but there are questions that can be easily answered by doing a simple Google search.

~ Let's get our current generation tools working properly before talking about next generation. If we can't properly configure and use our current tools then getting a so called “next generation” tool won't solve anything.

~ We need to stop saying we need more training. We need to stop saying for me to do task X I need to be sent to training Y. We just need to realign our priorities to spend time on self-development. Turn off the TV, buy a book, build some virtual machines, conduct some tests, and analyze the results.

~ How about we talk more about detecting and responding to basic security threats. If we can't alert on commodity malware infections or web server compromises and have effective workflows triaging those alerts then hunting shouldn't even be in our vocabulary. Forget about hunting and focus on the basics.

~ Let's stop generalizing by saying if company X was monitoring their logs then they would had detected the compromise sooner. That is until there is more published practical information telling organizations how they can actually set up their security monitoring capability. If there is very little practical information or assistance about building a security monitoring program then we shouldn't be surprised when organizations struggle with the same complicated process.

~ On the same note and while we are at it. Let's also stop saying if company X looked into their alerts then they would had seen there was a security issue. We need to start providing more published information instructing others how to actually triage and build workflows to respond to those alerts. If we don’t share and publish practical information about triaging workflows then we shouldn’t be pointing out the failures of our peers.

~ Let's stop focusing our security strategy on the next new product instead of looking at how to better leverage our existing products. New products may address a need but we might be able to address the same need with existing products and use the money we save to address other needs.

~ Let's stop with the presentations and articles pretending to tell other defenders how to do something while the author says they are not saying how exactly they do it to prevent threats from knowing. This serves no purpose and is counterproductive since it’s actually not telling other defenders how to do something. What’s the point of saying anything in the first place?

~ Please let's stop adding noise to the intelligence sharing echo chamber. Whether if its products or conferences, most say we need more threat intelligence and we need to start sharing more. No other specifics are added; just that we need it and others need to share it. In the end we are just echoing noise without adding any value.

~ We need to stop saying how we have a shortage of talented security staff to hire. It is what it is. We need to start talking about how we can develop highly motivated people who want security as their career. We may not be able to hire talented security staff but we can definitely grow them to meet our needs.

~ We need to expand our focus on detecting and responding to threats from being primarily end point focused to server focused. A good percentage of articles, intelligence sources, and products talk about end point clients with very little mention about servers. How about detecting and responding to compromised web servers? How about database servers? How about CMS servers such as Joomla, WordPress, and Drupal? Our conversations are only talking about a part of our IT infrastructures and not the entire infrastructures.

~ We need to stop complaining that our management just doesn't get or take security seriously. The issue can be two things. Maybe we aren't communicating in a way for them to care. Maybe security really is not a high priority. Either way, we need to either: fix it, move on to another organization, or just accept it and stop complaining about it.
  1. You are now our Nietzsche: Testing network security with a hammer to see what rings true.

  2. At least one rang true; I had to Google the Nietzsche reference. I like the reference and thanks for making it.

  3. I'm with you on #11, Corey. That one in particular. Most of the others are what lead me to going on-site or deploying to perform an IR engagement, so I'm kinda okay with them. ;-)

    Numbers 12 and 13, as well.

    For number 7, a lot of what's discussed...no, wrong word...a lot of what is said about detected targeted threats can be extrapolated to be used to detect more general security threats. However, those things have to be read and understood, and then applied against an infrastructure. Many of the reactions I see indicate that folks want someone else to apply these processes to their infrastructure for them.

  4. As to #14, a great deal of what's discussed regarding endpoint detection also applies to servers...it's simply a matter of extrapolation. If those systems truly are a concern, we need to stop saying, "...but you didn't address servers or this application...", figure it out, and share it.

  5. Harlan,

    Thanks for the comment and it would had been easier to number the thoughts. I agree about people being able to extrapolate to a certain extent. In other situations it is not feasible; I didn't provide details behind the thoughts so as a reader it might be difficult to see this by the quote alone. For #7, one thing I was seeing were products being advertised to make you into a hunter and people talking about wanting to hunt even though they can't do the basics. In essence, the people and products is trying to convert a crawling baby into marathon runners. In this instance, it's better to focus on the basics. For those who know and are doing the basics then they can extrapolate information they see to apply to their situations.

  6. Corey,

    Unfortunately, I don't have your experience, so I'm not seeing the same things you are. What products are being advertised to turn IT staff into "hunters"?


  7. Another thought...it's unfortunate that posts such as yours get so little attention, and then subsequently input via social media...it's topics such as these that should be generating discussion, not just getting Likes....

  8. I'll hit you offline about the product but it was one of the driving things behind that comment. My hope is some of the comments make people self reflect about things. I've seen over the years the decline in discussions in DFIR community. Some lists that used to be really active are rarely used. A lot of blogs used to be maintained but now only a few are. Not sure why this has occurred though.

Post a Comment