Contrast the status quo with the new vision – Design Monday

Archive for the ‘Security Information Management’ Category

Contrast the status quo with the new vision – Design Monday

Posted by

“I want to be Batman.” This is the greatest answer I’ve received to the interview question, “where do you see yourself in five years?” 

I hired him. Of course.

If only stopping criminals and villains was as simple as hiring superheroes. But we need equipment. We need partners and support. And before we get our batcave and police commissioner Gordon, we first need to reach people. 

Leaders excite and engage people to get things done. We use strong clear communication that cuts through debate and doubt, and provides a solution we can agree upon. It takes strong visual and verbal communication.


One more thing about superheroes, what happened to them visually? The Golden Age and Silver Age comic books were full of bright bursts of primary colors. These days, superheroes have been drained of color. DC’s Superman’s original bright blue and bright red are so muted, they look nearly black-and-grey. Marvel has taken a similar approach. Looking at you, WandaVision. The Scarlet Witch isn’t scarlet but a dark burgundy. Modern heroes are a study in dark contrast. 

Christopher Nolan’s Batman trilogy takes the blame. The films defined the noir look which has played out across all recent comic book movies. But who inspired Nolan?

Visual Contrast

The answer is Johannes Itten from the Bauhaus. That’s Bauhaus the design school, not Bauhaus the band. t’s final form was in Berlin, where Ludwig Mies van der Rohe was the director. Before that, the Bauhaus was in Dessau, getting its start in Weimar in 1919. Many great names, and many great designs, trace back to this time. But in Weimar? In the start? There was Johannes Itten. 

Johannes Itten taught art and color at the Bauhaus. Had a blast doing so, from what we can tell. “Play becomes joy, joy becomes work, work becomes play.”

While with the Bauhaus, Itten studied colors, establishing the fundamental categories for contrast: hue, light-dark, cold-warm, complementary, analogous, saturation, and extension. This work, specifically with contrasting seasonal color palettes, inspires painters and artists to this day. And nearly a century later, Christopher Nolan would turn to Itten’s desaturated and muted color palettes when establishing the mood of The Dark Knight Rises.

Contrast is what makes the visual beautiful.

Verbal Contrast

The communications expert Nancy Duarte studied storytelling and presentations. She looked at superhero movies, she looked at boardroom talks. “After all this study, it was a couple of years of study, I drew a shape,” Duarte recounted on the TED stage. “There is this commonplace of the status quo, and you need to contrast that with the loftiness of your idea.” 

Duarte details her contrast model and shape in her presentation, The secret structure of great talks, and in her Resonate book.

It was a pattern I followed when establishing the vision for my monitoring program. I explained the status quo of audits and manual efforts. I painted the picture of automation and visibility. I showed where we were weak, and pitched how my team could be stronger. I leaned into the contrast. In the end? I obtained the funding for the SIEM and equipped my team’s Batman.

Contrast is what makes the verbal actionable.

Sell the Vision

“The objective laws of form and color help strengthen a person’s powers and to expand his creative gifts,” Johannes Itten once said. Duarte’s research shows similar laws of form and content strengthen a person’s persuasive powers. 

Explain your vision by contrasting what is and what will be. Use this approach to gain buy-in, support, and budget. That’s how hire the Batman, and that’s how we get those wonderful toys.

A noir color study in contrast.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Hold a value, make a decision, change a life – Design Monday

Posted by

“Develop people, develop security.” That was our tagline for the SimWitty team. The order reflected our values and simplified decisions. What to prioritize, developing a skill in a teammate or getting a release out the door? When develop people comes first, the answer is clear.

“Make a loan, change a life.” That’s Kiva’s tagline. Kiva has significantly more impact on broader social issues than SimWitty ever had, and it’s barely a comparison. There is one thing both have in common: values reflected in slogans resulting in decisions.

Kiva had a challenge. While its goal was to change lives through loans to small businesses, most businesses weren’t completing the application. The conversion rate was less than 1 in 5. Kiva looked to make design changes to simplify the application process. Many suggestions were made. One suggestion was particularly counter-intuitive to the point of being controversial: give small businesses a deadline.

“The founder was appalled. By giving customers a deadline, the company would have to deny service to people who missed that deadline. Denying service, the founder argued, was not a part of their company values,” wrote Kristen Berman, founder of Common Cents and Irrational Labs, who championed the design work for Kiva.

Security leaders must bring a degree of clarity to their team. Our values must be clear. Our criteria must be clear. And how we’ll try things and evaluate decisions must be clear. For Kiva, that meant changing lives through access to capital, with the number of people who complete loan applications as one measure. What does it mean for a security team?

Berman’s team went to work and experimented with deadlines. The number of completed applications went up. They experimented with incentives for early completion. Application rates went up further. More small businesses than ever were completing applications, resulting in changing more lives than ever. The decision to move ahead with the approach was clear.

This series has covered security programs reflecting strongly held corporate values. It’s equally important that a security leader have strong personal values, and that these values are reflected within the team. As Kiva’s example illustrates, there are times when options, on the surface, run contrary to our values. The path forward is to have a clear definition of success within those values.

Clarity enables experimentation and innovation while remaining true to what we believe in. Security leaders design capabilities and lead teams that reflect their personal values.

A case study in behavior design to reflect values. Read about the Kiva app redesign here.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Enterprisers Project: Expert advice on securing hybrid cloud environments

Posted by

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting.

Excerpt from: Hybrid cloud security: 8 key considerations

Ensure you have complete visibility. Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

Read the full article:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Monitoring attack paths

Posted by

SIEMs are used for establishing security controls and responding to attacks. From my SimWitty days to my new role managing VioPoint’s SOC, we draw a distinction between these two. For controls-based activities, we think in terms of use cases. A SIEM use case defines a particular way the SIEM gathers and reports on data. For threat-based activities, an abuse case that defines an attacker’s activity and how the organization would detect the activity. The use case drives value and the abuse case protects against value loss.

Abuse Cases Map Possible Paths

An abuse case begins by describing the attacker and their objectives. Who are they? What are they after? What tactics and techniques are these attackers likely to use? From there, the abuse case defines the path the attacker would take to achieve their objectives. For example, a typical abuse may include:

(1) External reconnaissance
(2) Initial breach
(3) Escalate privileges
(4) Persistence
(5) Internal reconnaissance
(6) Lateral breach
(7) Maintain presence
(8) Achieve objective

The modus operandi will thus be modeled for a particular threat.

The Final Step In Monitoring

The final step in using SIEM to respond to attacks is to overlay the abuse case with the technical controls. How would we detect and prevent a particular tactic used in persistence, for example? What about the lateral breach phase in an attack path? Thinking through these controls allows us to give ourselves credit for where we are doing well, and allows us to identify opportunities for enhancing the controls.

To get the most out of a SIEM, from a threat perspective, we create a set of high-level threat models and setup monitoring along the identified attack paths. A well-defined abuse case does just that.

Bypassing IDS/NSM detection

Posted by

There are a number of ways an attacker can circumvent the protection of network security monitoring. He can use evasion techniques to avoid detection, or use diversion techniques to distract the defender. Here are a couple methods.

Protocol misuse. NetFlow and layer 1/2/3 statistics track hardware addresses, IP addresses, and TCP/UDP ports. Application layer detail is generally not analyzed and tracked. Any packet sent over port 80 will be assumed an HTTP packet, anything over port 53 a DNS packet, and so on. An attacker can send information over alternate ports to mask their activities. Alternatively, some protocols can be directly misused to carry out an attacker’s aims. For example, see the OzymanDNS app that tunnels SSH and transfers files over the standard DNS protocol. When application layer tracking is not enabled, an attacker has a blind spot that they can use.

Kaminsky, D. (2004, July 29). Release!, from Dan Kaminsky’s Blog:

Payload obfuscation. An attacker can also create a blind spot by obfuscating (or disguising) their application layer traffic. If application layer analysis is enabled, it may be utilizing pattern matching for application layer analysis. The attacker has to modify the packet or its payload enough to no longer match the pattern. Perhaps the simplest method is fragmentation, where the IP packet is broken into fragments. Any one fragment will not match the pattern detection. When the fragments get to the host computer, the host re-assembles the packet. The attacker’s payload is then delivered undetected.

Schiffman, M. (2010, February 15). A Brief History of Malware Obfuscation, from Cisco:

Timm, K. (2002, May 05). IDS Evasion Techniques and Tactics, from Symantec:

Denial of Service. A solid NSM solution is one that performs application layer analysis, checks for fragmentation, and negates common obfuscation techniques. An attacker then has options. Think of the smash and grab crimes, where the criminal gets in, gets what they can, and gets out quickly. The equivalent is the attacker who triggers the NSM in one area to create a distraction while they attack in another area. For example, an attacker launches a Denial of Service attack on a network link unrelated to their real target. Alternatively, the DoS targets the NSM infrastructure itself. If the attack is a quick raid of the victim’s network, such methods may pay off.

In sum, attackers can hide in the blind spots, cover their tracks, or make diversions.

Pentetration testing lab

Posted by

Security Information Management systems are meant to catch and report anything suspicious, right? So how do we test them? Creating a vulnerable network and exploiting it. The following tools can be used to create a testing lab to validate network security and web application security controls

Attack systems:

Back|Track — The most widely used and well developed penetration distro. The main disadvantage is bloat and lack of Hyper-V support. (Live disc; Slax; netsec)

Matriux — The new kid on the block, with a faster and leaner distro than Back|Track and native Hyper-V support. (Live disc, Hyper-V; Kubuntu; netsec)

Neopwn — A penetration testing distro created for smart phones. (Debian; netsec)

Pentoo — Gentoo meets pentesting. (Live disc; Gentoo; netsec).

Samurai Web Testing Framework — Specifically targeted towards web application security testing. (Live disc, Ubuntu, appsec)


Target systems:

Damn Vulnerable Linux (DVL) — The classic vulnerable Linux environment. (Live disc; netsec)

De-ICE — A series of systems to provide real-world security challenges, used in training sessions. (Live disc; netsec)

Metasploitable — Metasploit’s answer to the question: now that I have Metasploit installed, what can I attack? (VMware; Ubuntu; netsec)

Damn Vulnerable Web App (DVWA) — A preconfigured web server hosting a LAMP stack (Linux, Apache, MySQL, PHP) with a series of common vulnerabilities. (Live disc; Ubuntu; appsec;)

Moth — From the people that brought you w3af, Moth is a preconfigured web server with vulnerable PHP scripts and PHP-IDS. (VMware; Ubuntu; appsec)

Mutillidae — An insecure PHP web app that implements the OWASP Top 10. (Installer; appsec)

WebGoat — An insecure J2EE web app that OWASP uses for security training. (Installer; appsec)

Nessus Tip: auditing services on non-standard ports

Posted by

One security trick is to host network services on different ports. For example, a web server may be on 8080 or a database server may be on 3333; instead of TCP 80 and 3306 respectively. This is also an operations trick for scenarios that may have port conflicts, like clustering and nat’ing.

Non-standard TCP ports can cause vulnerabilities to be missed when scanning with Nessus. Nessus, by default, only checks known ports.

The workaround is to preload the plugins (for example, Apache and MySQL) and to set Nessus to check all ports. Under the scan policy preferences section, check “Probe services on every port” and “Thorough tests”. That will give you a more complete picture of the target’s security posture.

For more information, see:

Using Nessus Thorough Checks for In-depth Audits

Risk Management is prevention and Security Information Management is detection

Posted by

Risk Management (RM) is comprised of asset management, threat management, and vulnerability management. Asset management includes tying IT equipment to business processes. Asset management also includes performing an impact analysis to determine the relative value of the equipment based upon what the business would pay if the equipment was unavailable, and what the business would earn if the equipment was available. Threat management includes determining threat agents (the who) and threats (the what). For example, a disgruntled employee (threat agent) performs unauthorized physical access (threat 1) to sabotage equipment (threat 2). Vulnerability management is auditing, identifying, and re-mediating vulnerabilities in the IT hardware, software, and architecture. Risk management is tracking assets, threats, and vulnerabilities at a high level by scoring on priority (Risk = Asset * Threat * Vulnerability) and scoring on exposure (Risk = Likelihood * Impact).

Once prioritized, we can then move onto determining controls to reduce the risk. Controls can be divided into three broad methods: administrative or management, operational, and technical. Preventative and detective are the two main forms of controls. Preventative controls stop the threat agent from taking advantage of the threat. In the above example, a preventative control would be a locked door. Detective controls track violations and provide a warning system. For the disgruntled employee entering an unauthorized area, a detective control would be things like motion detectors. The resulting control matrix includes management preventative controls, management detective controls, operational preventative and detective controls, and so on for technical controls.

Security Information Management (SIM) is a technical detective control that is comprised of event monitoring and pattern detection. Event monitoring shows what happened when and where, from both the network and the computer perspectives. Pattern detection is then applied to look for known attacks or unknown anomalies. The challenge an InfoSec guy faces is that there is just too many events and too many attacks to perform this analysis manually. The purpose of a Sim is to aggregate all the detective controls from various parts of the network, automate the analysis, and roll it up into one single console.

My approach to managing security for a business networks is to use Risk Management for a top down approach. This allows me to prioritize my efforts for preventative controls. My team and I can then dig deep into the security options and system parameters offered by the IT equipment that is driving the business. For all other systems, I rely on detective controls summarized by a Security Information Management tool.

In my network architecture, RM drives preventative controls and SIM drives detective controls.

Nmap output to XML and SQL

Posted by

The Nmap port scanner has a handful of output options. It has its own proprietary format (-oN). If you want to play with the data, you can use XML output (-oX) or grep text files (-oG). The -oA will export in all three formats.

Why export to XML or grepable text? Typically, because you want to audit several IP hosts and store the results in a database.

A quicker method is to use the Nmap::Parser module with a Perl script. This method comes courtesy of Anthony Persaud. His Nmap-Parser automates reading the XML output and writing to SQL tables. MySQL and SQLite are both supported. Nmap-Parser is now up to version 1.19.

Use case: nightly IP scans of a subnet along with TCP scans of select hosts, as part of a security information management process.

LinkedIn Security Information Management Group

Posted by

I have been working on a Security Information Management (Sim) system for some many years, off and on. It started as a collection of WMI scripts that gathered information into a flat file structure. Initially these were only for system logs. More recently, I have moved to a SQL back-end and added network traffic captures and analysis. A few people have joined in my efforts and we hope to have software release within a year.

The SimWitty project has a website and a LinkedIn group. I hope you will come join us. We could use the help, particularly in C# development and SQL Server 2005 optimizations.