Something interesting is happening right now in the Information Security community. I’m reading and hearing more and more discussions, papers and blog posts that refocus effort from preventing breaches to detecting and responding to them. This is a great thing, and quite frankly it’s about damn time.
Zane Lackey from Etsy posted a brilliant talk the other day on Slideshare, and since I follow Zane I got the alert in my inbox and immediately went to check the deck out. If you've not seen it, it’s right here, titled “Attack-driven defense”. I love the slides, I love the idea, but I was left wanting more. Zane’s ideas clearly work within Etsy – but how many environments like this are there out there? While it’s clear that many, many enterprises face a similar level of threat, what is unclear is how many of them can respond in the manner Zane’s presentation outlined.
The challenge, in my opinion, is adapting the Tripyarn framework (love the name of this…), which is clearly proprietary to Etsy, to the broader small-to-medium enterprise: enterprises that don't have a Zane and a multi-person team with the capability to write custom code; enterprises that rely on Windows systems and servers more than they rely on Linux; enterprises where the present threat far outweighs the ability to play defense. This is the problem space that I believe needs Zane’s framework and approach most urgently … right now.
The trouble with approaches so customized to the environment they’re developed for is that they can’t easily be adapted elsewhere – except in concept. The trouble with adapting a concept is that you need capability and skill, and those don't always exist plentifully in smaller organizations.
The challenge, then, is to build a “Tripyarn” framework that can be adapted to environments ranging from Fortune 100 massive enterprises to an enterprise with a handful of IT security resources working through keeping patches current and encrypting endpoint hard drives. What these types of organizations need is a set of pre-built blocks (like Legos) that they can put together as fits their business and operating capability, but that still provide some incremental benefit in detecting “interesting operational deviations” which may signal a compromise, or at the very least something interesting to go investigate.
I think tonight we may have seen the beginnings of this, and I suspect before long there will be a group working together from enterprises big and small to deliver a defensive framework that isn't pattern-based, so it can’t be “evaded”, but that is highly effective at detecting interesting things with a high likelihood of being important to security. I’m hopeful that Zane’s presentation and slides have started something, finally, and that we’ll get past the “break everything” over-focus on offensive breaking and get into a more offensively minded defense that actually is innovative.
If this sounds interesting to you, let me know; there is lots of room for ideas and collaboration here.