Threat response hampered by information overload – but there is hope

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He recently visited Australia to speak at the Queensland Police Fraud and Cyber Crime Symposium.

Information sharing is critical in establishing a solid defence against adversaries. Wisniewski spoke at the symposium about what is being shared between the private sector, public sector and law enforcement, what is working and what can be done better.

“The classic approach to security is create a big, tall sandwich and keep adding layers,” says Wisniewski. “We’ve got our firewall, spam filter, web filter, antivirus. Then I get a next generation firewall with intrusion detection. We keep adding more things to the stack but the criminals have figured out that each one of these things being an independent entity can only judge something as good or bad based on a very narrow set of viewpoints”.

Citing the example of phishing emails, Wisniewski notes that email filters can only act on the information they have. However, it’s clear other tools might have additional information that could block more phishing attempts than the current email filters can on their own.

“The tools aren’t communicating with one another to make better decisions,” he says.

On the positive side, he notes that people and processes are improving to some degree.

One of the opportunities, says Wisniewski, is that organisations such as AusCERT are doing a good job of informing people of potential and emerging threats. That means people are becoming aware of the threat landscape, but there needs to be a way for that information to land in tools so that humans can focus on more complex threats.

“The first step in doing this is figuring out what do we need to share and how do we need to share it – rather than rushing into this headlong,” says Wisniewski.

Despite many agencies, such as the Department of Homeland Security in the USA and the Australian Signals Directorate locally, encouraging and even mandating information sharing, Wisniewski says that there’s a lack of understanding about what to share.

“We don’t know what to share – that’s really the problem. We have an MD5 checksum of a piece of malware and what is that? It’s not actually actionable because every time we see the malware it changes. But we need to make sure we’re seen to be doing something so let’s share it anyway”.

Wisniewski feels that industry will come up with what’s useful to share and start finding ways to share it.

“This mirrors what happened in the antivirus business 15 years ago. We had the same problem. We kind of stumbled through and created an organisation called CARO (Computer AntiVirus Researcher's Organization) where one representative from every AV company would visit and say what they were going to share and how they were going to do it. We defined an XML data format, determined what was useful to share – where the file was discovered, the date and time stamp using UTC and so on. Now, every time a malware sample comes into our lab it instantly gets shared with 130 other vendors in a defined format that they can automatically process and improve the protection in their products”.

Although today’s threats and challenges are more complex than those when CARO was established in 1990, there is a model for effective sharing that can be built upon.
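The two points above, that a bare MD5 is not actionable once the sample changes and that a defined format carrying context (where the file was discovered, a UTC timestamp) can be processed automatically, are shown together in the following added example. It is not code from the article, Sophos or CARO: the sample bytes, the element names and the XML layout are constructed for illustration and are not the real CARO format.

```python
# Added example (not from the article, Sophos or CARO): why sharing a bare
# MD5 is brittle, and what a small structured sharing record with the
# context the interview names as useful (where the file was discovered,
# a UTC timestamp) looks like. Sample bytes, element names and the XML
# layout are constructed for illustration; they are not the real CARO format.
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for two builds of one malicious file: the second
# differs from the first by a single byte (a build counter).
SAMPLE_A = b"MZ-constructed-sample-body-build=0001"
SAMPLE_B = b"MZ-constructed-sample-body-build=0002"


def md5_hex(data: bytes) -> str:
    """MD5 of the file content, as used in an exact-match indicator list."""
    return hashlib.md5(data).hexdigest()


def exact_hash_hits(blocklist: set, samples: list) -> list:
    """The 'share an MD5 and block on it' model: one True/False per sample.
    A single changed byte yields a different hash, so the variant is missed."""
    return [md5_hex(s) in blocklist for s in samples]


def build_share_record(sample: bytes, discovered_at: str,
                       discovered_on: datetime, family: str) -> str:
    """Producer side: emit one XML record carrying hash, size, where the file
    was seen, a UTC timestamp and a family label. Rejects non-UTC timestamps
    so every consumer reads the same clock."""
    if discovered_on.utcoffset() != timedelta(0):
        raise ValueError("shared timestamps must be timezone-aware UTC")
    root = ET.Element("sample")
    ET.SubElement(root, "md5").text = md5_hex(sample)
    ET.SubElement(root, "size").text = str(len(sample))
    ET.SubElement(root, "discovered_at").text = discovered_at
    ET.SubElement(root, "discovered_on").text = discovered_on.strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(root, "family").text = family
    return ET.tostring(root, encoding="unicode")


def parse_share_record(xml_text: str) -> dict:
    """Consumer side: turn the record back into fields that tooling can act
    on automatically, the way the interview describes vendors processing them."""
    root = ET.fromstring(xml_text)
    if root.tag != "sample":
        raise ValueError("unexpected record type: %s" % root.tag)
    return {child.tag: (child.text or "") for child in root}


def demo() -> dict:
    """Run both halves on the constructed samples and return the results."""
    hits = exact_hash_hits({md5_hex(SAMPLE_A)}, [SAMPLE_A, SAMPLE_B])
    record = build_share_record(
        SAMPLE_B, "constructed-mail-gateway",
        datetime(2015, 8, 1, 3, 4, 5, tzinfo=timezone.utc), "constructed-family")
    naive_rejected = False
    try:
        # A naive (timezone-less) timestamp must not make it into a shared record.
        build_share_record(SAMPLE_B, "x", datetime(2015, 8, 1, 3, 4, 5), "y")
    except ValueError:
        naive_rejected = True
    return {"hits": hits, "record": parse_share_record(record),
            "naive_timestamp_rejected": naive_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The first half reproduces the problem Wisniewski describes: the blocklist built from SAMPLE_A matches it and misses SAMPLE_B, even though only one byte differs. The second half shows the alternative he credits CARO with: a record whose fields are agreed in advance, with the timestamp forced to UTC at the producer so consumers never have to guess the clock, and a consumer that rejects anything that is not the agreed record type before acting on it.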

Initially, says Wisniewski, it will be vendors who determine what information is useful. Over time, vendors will share this information with each other, with private industry and governments joining as well, so that there is a complete picture of the threat landscape.

Despite the sophistication of the adversaries, Wisniewski suggested the “good guys” are still at a point of relative immaturity. We have access to huge volumes of data, such as web addresses associated with malware and libraries of malicious source code, but are overwhelmed by the volume. So there’s a need to develop better analytics tools so that both the responses and what is shared are refined.

But as things stand today, it’s almost impossible for corporates to manage the flow of information, says Wisniewski. With so many security appliances installed within companies, there’s no shortage of log data, but putting it all together before an attack is difficult.

However, over time Wisniewski believes tools will become widely available that collate and correlate threat data from a variety of sources, supporting action by those defending against adversaries.
