OpenFlow

Very good summary of what OpenFlow means to security by my friend Fernando.

The interesting part in his post is this one:

“Well, for all the power that OpenFlow offers, it can still only visualize flows in the context of L2-L4 attributes: what port is connected, what the IP address is, what protocol, etc... In the meantime, it comes as no surprise to anyone that the threat profile has long since changed to the application layers, exploiting Adobe PDF, Flash, SQL Injections, Cross-Site Scriptings, ... To me, what this will mean is that these higher-layer security controls - be they Web Application Firewalls (WAFs), Data Loss Prevention (DLP), Network Forensics, Host Security Agents ... - still need to intercept and inspect traffic.” 

That’s true, but the real value from OpenFlow is how it allows us to perform security interventions dynamically; you’ll still need to inspect traffic at higher layers to find trouble, but once  you’ve found reasons to believe there’s malicious activity going on OpenFlow can be used to selectively add more inspection capabilities and apply damage control measures.

It’s always good to get some new tools to our arsenal. The bad guys are far ahead in that aspect, so better start thinking about improving our instrumentation capabilities too.

1 Raindrop: Assurance of Assessments

An assessment is supposed to go up to the dart board and check to see if you got a bulls eye or how close you got. Having people throw darts and then going up to the board and drawing a bullseye around where the dart lands isn't helpful.

This kind of assessment is worse than useless, its harmful, its like giving people umbrellas and taking them back when it rains. being insecure is not the biggest problem, you can be insecure, know you are insecure and act accordingly. As Brian Snow said, the most dangerous stance is to assume you are secure when in fact you are not secure.

via 1raindrop.typepad.com

This is really an awesome post from Gunnar Peterson. I work with PCI everyday and I can tell you that poor assessments, either the official QSA ones or the internal ones performed by organizations trying to achieve PCI DSS compliance, are the main reason why PCI does not bring as much security as we expect. It's the land of cognitive dissonance where everybody thinks they are doing a great job just because the assessor said so.

Old stuff, always good to keep in mind

I'm happy to see how the security community is realizing the importance of detection and monitoring. I'm reading a lot of good stuff recently, but as there's a lot of "re-discovering" happening it's important to know the results of research done in the past to avoid falling into the same mistakes. That's why it's so important to whoever is thinking about security monitoring to consider the "base-rate fallacy". This paper written by Axelsson dates back to 1999, but the basic idea is still valid and must be always considered when we are designing a detection system. 

I won't write here about it, you can read it directly from Axelsson's paper. The basic lesson is to not spend too much time on being able to find every possible attack, the must important thing is to reduce false positives as much as possible. Otherwise, you'll end up with a huge team looking for needles in montains of hay. 

Automation and security

There is another great post by Brian Krebs at his blog Today, about APT. However, the best part of it is a quote from Cisco's Gavin Reid:

“One of the areas where we’ve failed as a security community is that we’ve got an over-reliance on automation,” Reid said. “We’ve sold this idea that we can automate it, in a way that will not only help your security staff identify threats, but that you can cut your staff down because these technologies are going to do the work of a lot of people. That has failed. We’re still stuck with [the reality that] you need smart people who understand computer, applications and networks, and a logging solution becomes a tool they can use to identify some of these things. Hopefully this has been a little bit of a wake-up call, and we can start looking at things a little differently and start putting people back into the equation.”

When you see organizations believing that their simplistic set of IDS or SIEM rules is enough for security, it's a sure sign that there's too much trust on automation.