Tuesday, Sep 27, 2011

MIRCON 2011

I’m honored that my friends (special nod to Richard Bejtlich) over at Mandiant have invited me to participate in their second annual Incident Response Conference (MIRcon).

I’ll be participating in a couple of different panel discussions on the “Management Track” at MIRcon. These include topics like career growth for Incident Responders and discussions around insourcing/outsourcing for a CIRT.

I’d highly encourage anyone in the area (Alexandria, VA) on Oct 11th and 12th to attend these sessions. Mandiant does a great job putting the right audience(s) together with engaging topics. Scheduled keynote sessions from Richard A. Clarke and Michael Chertoff should not be missed! Of course I’ll be sure to share my thoughts post-MIRcon in the visiblerisk blog, and I’ll tweet (@rockyd, @visiblerisk) and probably try out Google+ to relay thoughts and lessons learned during the conference.

Sunday, Sep 4, 2011

Plan "A" is never enough.

Recent events in my area have made me update my personal response plan(s) for emergency situations for my family. Since I was updating them I thought I’d share some tips I’ve learned over the years. Of course you can get a fuller list of ideas from http://www.ready.gov/, FEMA or your local emergency operations centers, but hopefully this will help a few of you to prepare more robustly.

Lessons Learned: Emergency notifications may or may not occur proactively. Once power goes out it’s even less likely notifications will occur. The primary mechanism is the emergency alert via radio/TV, which is great if you have a battery-powered radio on or available all the time. (Lesson Learned: alternative energy and/or batteries are your friend.)
  • I absolutely recommend the following Reading/Preparation Guide: FedHealth’s “It’s A Disaster and What are you going to do about it”. These folks have walked through situations like flood, fire, hurricane, earthquake, landslide, etc., and put together some great ideas on specific preparation and mitigation strategies for each situation. My specific advice: put the book in your main bathroom to guarantee everyone reads it on a periodic basis (seriously).
  • Local News Radio (AM or FM): This is one I overlooked, being an addict of Pandora/iTunes/Spotify, but thus far local radio has been very solid for updates, especially on traffic (and when you’re driving, watching TV/surfing the internet can be difficult). I didn’t even know what local stations existed here before tonight.
  • Local Red Cross locations/website/phone numbers: I didn’t have these programmed in our phones before today. Normally evacuation centers are local schools; most can accommodate pets (but not all). Know where they are, how to get there, and make sure your kids can do the same.
  • City/County Emergency Operations Center (EOC) website/phone: again, I should have had these pre-programmed in our phones. Less important because you can dial 911, but a good source of information if you’re trying to learn more about the situation and don’t want to overwhelm emergency staff.
  • Twitter/Facebook/Google+: As of tonight, in addition to #hashtags, I’ve started to create geographically localized Circles and Lists. Easier to communicate with those affected, plan for alternatives, etc. Potentially a very powerful tool.
  • Cell Phone: Since the 9/11 and DC Sniper events I’ve made sure my kids have them in their backpacks. Now there’s obviously a downside to that, but the kids know that their phone’s primary function is as an emergency device, not entertainment. Location tracking via cell phone: tonight a friend’s daughter was stranded away from her family due to a wildfire. Her family’s neighborhood was also put under evacuation orders and very quickly thereafter her house was without power. This made positive contact difficult. Having location tracking on the cell phone helped, but it was not perfect. Emergency crews are way too overwhelmed to search for a single separated person, but you can use your contacts (phone, email, FB, and trusted Twitter/G+ groups) to help you search. A closely related lesson learned here: every kid is getting an extended battery/case ASAP. I will not have a cell phone dying on them (or me) if I can avoid it.
General Tips:
  • Keep the fuel level in your cars above 1/2 tank. Always. I learned this lesson from spending many years in FL and through way too many hurricane seasons. In an emergency power goes out, fuel pumps stop working and incredible lines form for any remaining operable ones. Storms can be unpredictable and you may need to move out of harm’s way more than once; do you have enough gas?
  • Keep cash: power outages mean increased difficulty in processing credit/debit transactions. Usually I’d suggest an emergency reserve of 1 week to support your family (lodging, food, etc.). In some cases you’ll have time to grab clothes for a week; in others (fire) you won’t. Plan for the worst case.
  • Important papers: most can be replaced rather easily (birth certificates can be re-ordered, etc.). If you’re going to prioritize, passports are easily transported and relatively small. I keep mine in a zip lock bag in a safe for grab-and-go purposes.
  • Contact Information: make a password-encrypted doc with contact information, personal information, etc. available on a key ring USB device. It’s possible your cell phone will get lost/wet/broken in the shuffle, but generally people remember their keys for whatever reason. Make sure you have plans A through Z thought through: who could you stay with for a week if you were ejected from your home tonight? What if you could only drive north? Or west? Plan ahead.
  • Know your neighborhood: how wide are the streets? Are they wide enough to allow you to pass if there is a stalled car or accident blocking part of the road? If not, how many alternate exits exist to bring you to safety? How many alternatives exist that put you in harm’s way (a traffic jam or in the path of a wildfire/tornado)? This will obviously vary by scenario, so know them all.
  • Every time, after responding to real emergency events or after near misses, review what worked, what could have been better, and refine the plan.
  • Last Lesson Learned for tonight: in your emergency kit add a cell phone charger (it helps if your family standardizes on a single device, or at least devices that can use the same type of charger).

Saturday, Aug 6, 2011

B-Sides: Lean on Me

I thoroughly enjoy the focus on interaction with the audience at B-Sides events. It’s like a backyard barbecue without the annoying aunt or that family that only brings cole slaw and expects to enjoy a steak dinner. You get to interact on a personal level with everyone from those just entering the field to D-Listers through industry luminaries. Everyone that attends cares deeply about this industry.

The thought that still resonates with me after B-Sides is the personal nature of the conference. It’s the family atmosphere, the relationships that get built or strengthened. There was one talk in particular that echoed that sentiment very closely: Sec Burnout, a panel discussion with Jack Daniel, Josh Corman, Martin McKeay, Stacy Thayer, Gal Shpantzer and of course the audience.

Prior to the talk the team did a basic survey and received 400 responses, which indicates to me great interest in the topic. Perhaps it’s the stage of life I’m in or the struggles I’ve faced over the years, but for me personally the technical/numerical results of the survey weren’t all that exciting. Yes people are stressed, yes they take their job seriously, yes life could be better, but what got me hooked were the personal stories that followed. Certainly this isn’t a topic limited to our career field, but it may have been the first time people in our field were comfortable enough to talk about it openly. They aren’t my stories to share so I won’t do them an injustice, but I’ll just say it was powerful to watch and feel everyone react to these topics, specifically the downfall that can occur because of depression and how our coping mechanisms are broken at times.

In all honesty I would have changed this session from “Sec Burnout” to “Lean on Me” because in the end that is exactly what it came to. Build a community of friends and interact with them on a consistent basis (I fail at this miserably). Many of us are empathetic and it can help to share the burden with others, if only to discover you’re not alone or that there might be alternate perspectives to consider. For me this seems exactly like the transition I made when I left the military/intel fields. I spent years dealing with stuff I couldn’t share with anyone other than those that shared the mission with me. It took years to normalize and learn I could be even better with the help of others. How my wife puts up with me I’ll never know. Anyway… The point is the same: some of us are conditioned not to share, for various reasons, and over time that winds up hurting us and those around us. This was a stark reminder that many people share this or a similar personality trait and that a simple act of human interaction can serve as a catalyst for growth.

Our industry isn’t alone; I imagine many others suffer from this. I see it in the LE and medical fields and of course in the Military/Intel field. Any time you internalize the sense of ownership that we all take in our work, and the privacy or at times secrecy that is required in our work lives, things get hairy. Sharing intimate details goes against our very nature. We all have periods of time where we fail to recognize the value gained from sharing and we try to go it alone. You can have all the greatest coping mechanisms in the world, but there will be times when the challenge(s) you face is/are too much for you to handle by yourself. This talk was simply to state: there are others out there that feel the same way and we’re all willing to listen and help (and we might need you to do the same one day).

This session is what made B-Sides for me. Technical details are nice and learning is good, but what makes us great is supporting each other and pushing each other to be better, as people.

Thursday, Aug 4, 2011

Blackhat: Contact High

Motivation is an intriguing thing. For some it’s primarily intrinsic and for others it can be any number of extrinsic rewards; neither is right or wrong, everyone has their “drivers” and certainly they evolve as you grow and are influenced over time. For me I’ve always felt the tug on my heart to do the right thing, or at least what felt like the right thing at the time. That meant finding a mission I can believe in and care about and putting myself “all in”. Whether that meant serving in the AF or later supporting .mil, .gov and .com, it’s always nearly the same.

When I serve on the vendor side I always attribute my contribution to helping people protect (or at least have better awareness so they can protect themselves). I’ve been able to easily identify my larger motivators. That’s not to say they are enough. This field can be frustrating as hell and can effectively deepen into depression when you see the same mistakes being made decade after decade. It weighs on you, and you have questions like: what impact am I really having? Left alone those thoughts eat at your core and weaken you, and therefore weaken everyone around you.

I’ve never been any more intelligent or gifted than anyone else around me, but if I’m “all in” no one will ever outwork me, and I pride myself on that. There’s a downside to that though: what happens if I’m not “all in”? I’m still very good at whatever I’m doing, but if I’m weakened by depression perhaps I’m not nearly as effective as I could be, or perhaps I don’t recognize the value that I’m adding. All in all it can turn into a vicious downward spiral.

What does this have to do with attending Blackhat, DefCon, B-Sides, Source, RSAC, Schmoo, etc.? In a word: everything.

One of the things about being driven by mission is that you quickly learn you can’t do it alone, ever. You need a team to cover you and to push you, or drag you forward at times. Coming to these events is a mental contact high if you engage at the right level. The technical briefings are good and I get value from them, but for me they’re not the type of “engagement” I’m talking about.

For me it’s seeing execs of security companies or industry luminaries interact at a human level with everyone who walks up to them. The smallest acknowledgement of an idea, or a counterpoint not previously considered, delivered by a respected person can cause an interesting butterfly effect. It may spark that person to go back and redouble their efforts, change course direction, or sometimes just bring things into focus more clearly, and that small nudge can change the balance of an entire program. And it works both ways. We all gain from conversations. Just the simple act of human empathy, that we’re all fighting the same battle, and knowing that we all care about the outcome more than the short term rewards, is reinvigorating.

For me the InfoSec world is very much like being back in the Military. We’re all fighting towards the same goals, albeit probably unorganized and inefficient, but we’re putting our best efforts forward to try to make a difference. My mission when I served was the “war on drugs”; you want to talk about futile efforts?! I look at those days not with contempt or frustration but with reverence for the team of professionals I went to battle with. I think about the leadership, motivation and trust our leaders gave us to find ways to win in the smaller areas we could win.

In many ways this industry is very similar in that regard; we just don’t always acknowledge the wins we do have: dedicated and supremely talented professionals willing to engage and push us towards better things. We tend to get caught up in the ideals of perfection or in the losses that we sustain, and forget to relish the small wins that surround us every day and to use the opportunities that our adversaries provide us as a catalyst for learning and advancing our mission. We need to learn not to give our adversaries any more “mental” power over us by giving up or letting these battles deflate us. There is a much larger war being waged and I’m confident we’ll continue to innovate and power through until we equalize the playing field.

I’ve lost sight of that (several times over the years); maybe some others will resonate with my struggle, maybe not. In any case, I appreciate all of you, your efforts, your skills and of course the sense of humor you maintain along the way. This fight will never end and I’m ok with that, at least I am when I step back and realize how many people are alongside me pushing forward.

Wednesday, Aug 3, 2011

NetWitness Panorama: Even more context for Security Analysts.

Back in April I suggested the following to EMC/RSA in response to the acquisition of NetWitness:

“My advice to EMC is very simple. Let NetWitness run wild. It’s a family that can deliver you to greatness if you allow them to lead the way. Amit Yoran, Tim Belcher and the entire team at NetWitness deserve your complete attention and support. NetWitness has accomplished amazing things because from day one they understood the simple fact that the data is important but being able to understand and interact with the data is crucial.”

Fast forward to today, just 4 months after the deal was announced, and NetWitness is already introducing an entirely new product, interestingly named (at least to me)* NetWitness Panorama. Wow. If I were the acquiring organization I can’t begin to imagine a better scenario than the team we brought in to solve a particular market segment continuing to kill their core market and then getting comfortable enough to branch out and address an even broader market in a very meaningful manner.

NetWitness develops products based on the core belief that the analyst needs to interact with the data: not just have it and/or search it, but truly be able to use the information in a manner they choose. This has always set them apart from their competition. Using that framework they were able to quickly innovate and execute. This is exactly how this sort of thing should occur and I applaud RSA for allowing this to happen!

The most important by-product of this announcement is that NetWitness is showing the world that they have RSA’s full attention and support. Whether that support within RSA was “given freely” or “aggressively taken” doesn’t matter; it is externally obvious that Amit, Tim and the team are serious about making RSA a better security company. I don’t think this point can be overstated: by allowing NetWitness to simply do its thing, RSA is a better company in terms of market trust, product functionality and applicability, and ultimately in future earnings.

About Panorama: Very few companies get a “flyer” from me about code not in GA yet, but I think we can all agree NetWitness lives up to its promises, so I’m more than willing to take them at their word for now (I’ll verify it later). Here is what I understand so far about the product.

Analytics: Pivot through logs just like NW Investigator. Imagine that: an analytical technique that uses the context of the data at the core of the process instead of as an afterthought to having logs and figuring out what you want to do with them.

Context: View log information and NetWitness meta in the same window and pivot amongst them? Pretty sweet.

Reporting: Nothing of note in the PR, but I’m sure extensive reporting won’t be far behind; instead of the 1000+ reports that are possible, I’m hoping they’ll focus on the “n” that might actually matter to someone.

Integration: As the very carefully worded* press release notes, this new product will have to play nice with EnVision for some time period. It seems the EnVision 4.1 release includes code that allows the products to work in conjunction with one another, with EnVision pulling the various data sources into Panorama for instant and detailed analysis. There is probably an entire suite of RSA technologies that can benefit from output of, or provide input into, this product. I don’t think technology is a hurdle there. Should be quite interesting to watch this product evolve over time.

Speeds and feeds: From what I’ve come to understand from the team, the speed of ingest/interaction will be very concerning to the competition. When I can get my hands on it I’ll be happy to confirm those details with more specifics.

The press release indicates 10X search responsiveness over EnVision alone. I never like multiplying by 0, but in this case I’ll take it to mean that with the information available in NW you’ll be able to use it immediately and extensively without having to wait hours.

I don’t yet have confirmation as to whether or not there will be a Freeware / Personal Use version made available (hint, hint), but I’m hopeful that they’ll follow what both Splunk and ArcSight did in that regard and continue to support the vast freeware community NetWitness has cultivated over the years.

Availability:  Q4 (after Beta period in Q3).  I’ll revisit this once it hits GA and give more feedback on likes/feature requests.

All in all, I’m surprised and very happy for both teams. Sounds to me like the stars aligned fairly well thus far and I’m hopeful that trend will continue to gain momentum!

*Quirky Note: The name Panorama should get a nice rise out of the ArcSight/HP team, at least those that took the time to comprehend what the ArcSight name/logo represent. It is a direct shot across the bow, so to speak.

*The PR is overflowing with concepts I’d love to dig into: words like “module” versus product, and then fully describing vastly different deployment scenarios ranging from “augmenting” EnVision to working independent of SIEM altogether. It will be interesting to watch where this heads over time.