Thoughts from Several Conferences

Over the last several months I've accumulated several pages of notes after attending a variety of conferences. I thought I would present a few cogent points here. As with most of my posts, I record thoughts for future reference. If you'd rather not read a collection of ideas, please tune in later.

I attended the 28 Nov 07 meeting of the Infragard Nation's Capital chapter. I found the talk by Waters Edge Consulting CEO Jeffrey Ritter to be interesting. Mr. Writter is a lawyer and self-proclaimed "pirate" who works for the defendant by attacking every aspect of the adversary's case. As more lawyers become "cyber-savvy" I expect to encounter more of his type. Mr. Ritter offered three rules of defense.

1. That which is unrecorded did not occur.


2. That which is undocumented does not exist.


3. That which is unaudited is vulnerable.

He also said "Litigation isn't about the truth... it's about getting money." He offered three questions to be asked of any evidence.

1. Is it relevant?


2. Is it real?


3. Is it admissible?

Mr. Ritter mentioned three ediscovery-related sites, namely the Electronic Discovery Reference Model, the International Research on Permanent Authentic Records in Electronic Systems (InterPARES) project, and the Sedona Conference.

On 10-11 Dec 08 I attended several sessions of the Intelligence Support Systems for Lawful Interception, Criminal Investigations, Intelligence Gathering and Information Sharing Conference and Expo. I spoke at the May 07 event and attended an earlier conference in 2006. There is really nothing else like ISS World as far as I'm concerned. It's basically all about lawful intercept (LI). ISS World is heavily attended by police and vendors used to tapping phone lines, now confused by tapping IP traffic.

I thought comments by Alessandro Guida of ATIS Systems and Klaus Mochalski of IPOQUE were helpful. They noted that "traffic decoding," or representing traffic in as close a representation to what the user manipulated as possible, in a form friendly to investigators, is the big problem with LI today. They noted the difference between protocols and applications, since HTTP can be used for Web traffic, file transfers, mobile multimedia (all their terms), and so on. They said the four steps for traffic decoding are 1) classifying traffic; 2) correlating sessions; 3) extracting information; and 4) presenting content. They believe that "LI is becoming a data retention issue," because the volume of IP traffic manipulated by any end user is vastly increasing.

Dana Sugarman from Verint either stated the following or caused me to react with the following observations. "Security" typically focuses defense against a number of threats attacking a number of assets. LE, in contrast, focuses surveillance against a specific target, or perhaps several targets (a target being a potential criminal). Intelligence operations can focus on large numbers of threats or specific parties.

A few other themes arose at ISS World. "Application-specific lawful intercept" is the Holy Grail, meaning recording only the data necessary to render content useful to the investigator. Some judges are rejecting the idea that it is necessary or proper to monitor a suspect wherever he goes, rather than focusing on a method of communication (like a home telephone). Finally, most of the LI guys I met are former telecom people who seem to be reinventing the wheel. They are facing all of the issues we encountered with intrusion detection systems in the late 1990s. It would be amusing if it weren't sad too.

Finally on 25 Feb 08 I attended one day of the Institute for Applied Network Security 7th Annual Mid-Atlantic Information Security Forum. I went to the event to see specific people, including Angela Orebaugh, Ron Ritchey, Rocky DeStefano, Aaron Turner, Nick Selby, and Marty Roesch. I thought Phil Gardner's six themes were thought-provoking:

1. Businesses will be, or already are, eliminating corporate computing assets in favor of personal computing assets. This is the "university model" I've blogged previously, meaning universities have been coping with student-provided endpoints on "corporate" networks for years.


2. Information and physical security continues to converge.


3. Risk of all forms is converging.


4. NAC is a failure; "what does it even mean?" asks Phil.


5. Data Leakage Protection is "stopping stupid, period." (I heard this repeatedly. Leakage is accidental and can possibly be stopped. Loss is intentional and cannot be reliably stopped.)


6. Middle management who exist to manage techies are losing their jobs. In the end only executives and the techies themselves will be left.

At the talk on NIST by Orebaugh and Richey I pitched in vain my desire to see greater use of red teaming and time-based security. I think they thought I spoke in Greek, or was crazy. They would like to see NIST documents used to create a common security vocabulary. For the sake of the community I may try to adopt the definitions in NIST's Glossary of Key Information Security Terms (.pdf).

Rocky DeStefano and Brandon Dunlap talked about SIM. Their three recommendations were:

1. After deploying the SIM, disable all built-in rules.


2. Write rules specific to your organization, using the built-in rules as samples.


3. Have experts review the resulting output.

Corrolaries of these rules are:

• Deploying a SIM requires understanding your network to begin with. You can't deploy a SIM and expect to use it to learn how your network works.


• You can't use a SIM to reduce security staffing. Your staffing requirements will definitely increase once you begin to discover suspicious and malicious activity.


• You can't expect tier one analysts to be sufficient once a SIM is deployed. They still need to escalate to tier two and three analysts.

I liked John Schlichting's case study. It made me wonder why we bother blocking anything but specific IPs outbound. All we've done by restricting outbound protocols is force everything to be SSL-encrypted HTTPS traffic. Wonderful!