Being FIRST in Information Security

Exclusive Interview

Peter Allor is the Lead Security Strategist in IBM's Critical Infrastructure Group. He works at the forefront of information security, working with researchers to look at events as they happen, to learn, from a protection perspective, about new techniques being adopted by attackers and how to deal with them across distributed computing in the cloud. He is also on the board of directors of FIRST - the Forum of Incident Response and Security Teams - and ICASI - the Industry Consortium for Advancement of Security on the Internet.

Now in its 25th year FIRST is a collective of major IT companies that has, since its inception, been aware that our systems are increasingly interconnected through the Internet and that incidents affecting one party have the capacity to spread quickly. That has fostered what Allor calls a "trusted forum" of first response teams where information exchange and cooperation on issues of mutual interest has flourished. There are now over 300 FIRST teams in almost 70 countries.

"FIRST doesn't try to be the operational response organisation", Allor told CSO in an exclusive Australian interview. "We try to be the introducer of groups from various backgrounds. We say here are the processes you need to understand. You need to understand how we communicate and that you do it in a secure manner".

This is FIRST's great strength. With a huge pool of expertise and trust, they are able to mobilise the best people so that response teams have access to the greatest possible breadth and depth of support during a significant incident. When responding to an incident, there may be dozens of experts available to support a member organisation that is under attack.

FIRST also encourages organisations that are in areas of the world that don’t have that experience to join FIRST. These companies can, in some cases, have their costs covered. There are also events including conferences, symposia and local forums hosted by members.

An important element of FIRST's work is education of incident response teams.

"We held a meeting with some national CERTs and we're talking about defining what some of those services are. We're having a meeting in London in February where we're talking to a number of national entities as well as non-profits. We'll invite members of the private sector who will join in an effort to make incident response training broader and deeper".

Allor said that the focus is not on training individuals involved in incident response but to train incident response teams as a collective entity.

"That's a matter of raising the security level of all of us. We need to depend on each other".

Over FIRST's 25-year history there has been a significant shift in the security landscape. When FIRST began viruses were the big threat. But today, the threats are far deeper in the fabric of our systems and infrastructure according to Allor.

"A lot of organisations haven't learned that. That's why we think incident response - getting that word out is very worthy", he added.

Security professionals would be well aware of research published by Mandiant last year that provided the very scary statistic: the average time between breach and detection was 243 days. However, this year's report saw that time shrink to 228 days. Although this is still a significant period of time, it is an improvement.

"We've gotten better because we've become more aware," Allor told us. "We're better about communicating indicators of compromise. So detection is, of course, getting better. But I really think that the protection part is what people don't understand. I mean, look at Shellshock. We had protection seven years prior. To say it's all about detection and not protection is a misnomer. We're not defending properly", he said.

In looking at threats today, we asked Allor about the recent spate of threats targeting open source software, such as Heartbleed and Shellshock.

"I go back into the mid 2000s to talk about how antiviruses were broken one after another. What was similar there? They were all written differently. But the architecture was the same".

The question then remains - is there a problem with open source?

"Open source deserves the same degree of focus on the security development lifecycle as does closed source. Is someone doing something with rigour? Are they doing dynamic testing? If so, how are they going through it? Then, how do you check your code in? There's an architectural review as you write. Then there's how you check it in. How do you review it again and then put it into production and test it one more time".

From that point, there also needs to be a process for disclosing issues when they're found, added Allor.

"There's a discussion we need to do in the [open source] community that we need to do disclosure because the last time some of the work was done was in 2004 for the National Advisory Infrastructure Council about full disclosure guidelines. FIRST is probably going to accept a proposal from ICASI to set up a special interest group to do that".

Many organisations see the cloud as a new threat surface and attack vector. However, Allor sees the cloud as an opportunity to deal with threats.

"Cloud is a wonderful opportunity. You can actually plan your way into it. So, from an organisational perspective you have a couple of layers that help make it work for you. The key is that I get to plan what I'm going to do with what data and what stakeholders and how I touch it. Then you're also doing your categorisation so now you say you need so much around it. That's part one. Part two is that you start seeing that as an industry we're looking at cloud and saying we need to provide an infrastructure and people are worried about it. So how do we provide a better way to set up and secure a cloud environment. The third part is how do we instantiate security."

So, given that we operate in an increasingly complex world, what should your security strategy look like?

"Know your hygiene. You really need to know what you have in your network and what level or status is it at. Second, you need to have your defensive infrastructure metricked. In other words, situational awareness. There, you're looking to make sure you actually know what's happening in your network."

Allor is not in the signature-detection camp. "That's like saying I'm waiting to see the bolts flying to see if they're coming my way".

He believes that good protection rests on anomaly detection - understanding good behaviour and bad behaviour and being able to forensically chase it down.

"You're going to be in a constant stream of this happening. And you have to be able to determine and prioritise the most risk events in your organisation".

This article is brought to you by Enex TestLab, content directors for CSO Australia.