There really is an Advanced Persistent Threat in your organization - it's the fact that your infosec people don't understand the assets they are protecting. I will not know you are serious about dealing with APT when you go to conferences about it, institute processes, blog or buy more tools. I will know you are serious when your infosec organization is comprised of domain experts in the assets you are supposed to be protecting, not more gee whiz network security widgets. This APT is
Good APT analysis by Scott Crawford and Nick Selby on threatpost, but unfortunately their conclusions miss the main point: the APT is in your infosec org. First they rightly say - "One thing we believe will not help: more of the same."
For sure, but will a real change happen? Probably not. Infosec as an organization is not in any position to deal with the issue, because the secret of security is that it's not about security, it's about assets, to wit:
the adversary may have the resources to back not only expertise in tactics, but such things as fundamental research which can be called upon as the need arises
But all is not lost they continue:
This also helps shift the focus where it needs to be. We have been far too lax, for far too long, in the way we think about how to counter threats of any kind.
Very doubtful: the vast majority of infosec people come from a network ops background. When confronted with a problem they run back to their comfort zone - the network. But this is a big problem because
It's high time we began setting our security goals to align with defense of what we hold dearest.
What almost every company holds dearest is NOT its network (but that's where infosec spends all its time/money); what they hold dearest is customers, users, identity, transactions, apps and data. Those don't get any focus from infosec. It's a people problem: regardless of the threat, infosec has the wrong background, training, skills and focus to provide security to the enterprise. Expect more of the same until this changes.
If your infosec organization is aligned to your assets - meaning roughly similar percentages of experts in domains like customers, users, identity, transactions, apps and databases - then you can say you are working on protecting assets. Most companies have a large ERP system like SAP or Peoplesoft; this contains the crown jewels. How many people does your infosec org have dedicated to securing these systems? Does your infosec group align its budget to the assets the business invests in, or does it buy the things people talk about at conferences? Here's my advice: find a representative use case or transaction, one that keeps your company in business. Trace it from end to end, starting with the customers and ending with your back end systems. Does your infosec org have deep domain expertise in each and every one of the major areas that the use case transaction touches? If not, fix this organizational APT first.
So should we stick with DLP as the TLA of choice? :-)
Posted by: Jon | January 27, 2010 at 07:41 AM
Hi Gunnar -
Very insightful, and as Nick and I both responded under the Threatpost article, we fundamentally agree with you. However I fear our responses at Threatpost could be construed as being focused on broadening the scope & perception of IT/information security, when the points you make about the need for broader awareness and investment across the spectrum of all we hold dear - which means well beyond IT - are, I believe, entirely correct.
But as to whether this needed transformation will occur to the level of depth really required - I share your skepticism. As my comment under the Threatpost piece suggests, I think it will take more - perhaps far more - than the current focus on the advanced persistent adversary to precipitate something so fundamental. As I noted under our post, "I take little comfort from noting that throughout the history of risk management, transformational change has so often been motivated by transformational events (read: disasters), and we in IT have not yet had the equivalent of safety-of-life types of events that motivate building better systems in the aerospace industry, for example (and hopefully, I haven’t touched off a powder keg by alluding to the role of regulation in that example)."
But neither do I see this as a reason to despair or to sit on our hands. We do not do what we can do well enough yet, and we do not share what we can with each other enough to learn from actual incidents. I'm inclined to agree with the "New School" camp on this, and hope to see greater maturity in what we can do and share - before our adversaries force us to grow up faster than anyone would want.
Thanks for your interest, and for your insight,
Scott
Posted by: Scott Crawford | January 27, 2010 at 07:11 PM
FWIW - Mandiant has some informative presentations on APT.
http://blog.mandiant.com/
http://www.mandiant.com/index.php/news_events/presentation_archives
It's been a real eye-opener to understand a few of the compromise mechanisms. It certainly *does* convince you it's not "the network".
Posted by: Brian | January 31, 2010 at 07:42 PM