Gene Schultz, CTO of High Tower
Stephen Northcutt - April 4th, 2008

The Security Laboratory is pleased to interview Dr. Gene Schultz, one of the most experienced security practitioners in the field, and we certainly thank him for his time.
Gene, my experience with audit and log collection begins with something you said in one of your security classes back in 1997. You said: at least turn on logging so that, if something ever happens, you have somewhere to start looking for answers. I still remember and live by that advice, and it has helped me more than once. If you were giving advice to the home user / small office user related to logs, what would that advice be today?
In today's Windows systems, security logging is enabled by default, so the situation is now somewhat different in that users simply need to leave security logging on. Those who feel they need more logging can enable more Event Categories, because only a few Event Categories are enabled by default. Additionally, if users deploy personal firewalls, which have become essential in achieving defense in depth for PCs, they will also be able to obtain additional log data, as well as alerts that can help them learn about attacks that have occurred against their systems.

OK, and what is your basic advice for the corporate world? I promise we will drill down into the details later!
In the corporate arena, some minimal level of logging also needs to be enabled, and additional log data from personal firewalls also needs to be collected. In this arena, however, automated log data aggregation and correlation, the kind of functions that Security Information and Event Management (SIEM) tools perform, are a necessity. Trying to manually access and analyze log data from a plethora of PCs (as well as other types of hosts) is too unwieldy and costly a task for technical staff--automation is necessary.

Thank you for that. I remember your classes; you were a great instructor. Are you still teaching today? What is your favorite venue?
I still teach quite a bit. I teach courses on intrusion detection and prevention, incident response and forensics, Windows security, and Unix and Linux security, as well as the Certified Information Security Manager (CISM) exam prep course.

Nice! And, I know you are a writing machine with over a hundred papers and multiple books; what is your main focus in writing at the present?
My blog site is my main current emphasis.[1] I write a minimum of two blog entries every week, covering a very wide range of issues. I also still periodically write papers for various journals, such as Computer Fraud and Security and the ISSA Journal.

I enjoy your blog, thanks for doing that. I particularly enjoyed http://www.high-tower.com/blogs/gschultz/wikileaks-pandoras-box-opened/ ; that was nicely balanced. I remember hearing that you are on the advisory board for Secure Defenses and you have a senior position at High Tower; will you share with our readers where else you are involved in governance?
Nowhere else. Just keeping up with the security issues at my company, High Tower, keeps me plenty busy with respect to governance issues. We eat our own home cooking; the things I talk about when I give lectures on governance are the things we do at High Tower.

Awesome, so you really do have a voice that should be listened to in our industry, so let's drill down, shall we? Question number one: is the log analysis space really a separate space from the SIEM space? A lot of confusion still floats over this question, and I get asked about this a lot; what is your take?
The answer is, it depends. In a SIEM tool with full functionality, log analysis and the analysis performed by the tool are essentially the same. Both utilize event correlation algorithms to maximize correct detections and minimize false alarms. But some SIEM tools are really nothing more than log aggregators; they perform little, if any, log analysis.

What do you think of the current state of the log collection and management industry from a detection point of view? I keep asking customers to give me examples of where these systems are successfully detecting security incidents, and the war stories are few and far between. On the other hand, finding operational problems seems to be a bit easier. What is your take, and what advice do you have for using these devices to collect actionable security information you might not otherwise receive?
It depends on the tool. I, of course, am biased toward the High Tower Cinxi SIEM appliance, in which log analysis is based on sophisticated attack models. The MetaRules in this appliance fire wherever a combination of time sequence-dependent events occurs, not simply when an intrusion detection system

(Whoa there Gene, what do you mean by MetaRules? Can you break that down for us?)

A MetaRule is a special term that

OK, thanks for doing that. Can you give me an example of a real world detection using Cinxi?
In one case, a High Tower Cinxi appliance was installed at a university and then the configuration of a number of hosts and devices was changed to send syslog and other data to this box. Within five minutes, the appliance reported that a number of Linux hosts in a particular subnet were giving indications that they had been compromised, on the basis that they had been launching subtle probes against other internal systems and these hosts were listening on a suspicious port. By going to log data available before the Cinxi appliance was installed, a system administrator found that one host had originally been compromised to allow the attacker to gain unprivileged remote access, and then, shortly afterwards, the attacker gained root access. An ssh agent was running on the compromised system; the attacker quickly used it to gain unauthorized root access to other hosts. Administrators had not previously noticed anything out of the ordinary. Once they understood the pattern of attacks, they found evidence that other hosts had been compromised by the same basic type of attack in parts of the network in which hosts did not send syslog output to the Cinxi appliance. Some other SIEM tools are capable of doing the same type of thing, but some of the tools are not really all that proficient in detecting attacks because their rules are based solely on intrusion detection signatures or, in some cases, rather esoteric attack taxonomies rather than models of how real-life attacks occur. In this case, these tools are much more likely to detect malfunctions such as misconfigured routers spraying packets across the network than bona fide attacks.

Thanks Gene, can we get another real world story?
This is very helpful Gene, and it does show the importance of event correlation; what if that was a rootkit that got installed? That makes event correlation even more important, yes?
If that was a rootkit, Stephen, antivirus would not have found the malware; it has control of the kernel. Event correlation may be all that you have, though there are some new technologies starting to show up.

What about the BMC or Service Host? They are connected to the network, but they are not the main CPU. If we do not have event correlation, will we know what happens?
One thing that can be done, Stephen, is a dedicated CPU to scan systems: it connects to them and scans them. This is the new technology I was talking about; for instance, Copilot is a PCI card with a CPU. You may have read the Usenix paper.[2] So you plug it in and it has its own CPU and its own memory and it can connect to the memory of the subverted machine. Right now they are pricey, but I think the cost will go down and the features will go up.

What is the impact of virtualization on SIEMs and security in general?
I am not sure; I think that will be the next level of challenge for these products. Virtualization is a double-edged sword. Some people say we are doomed, the red pill - blue pill residing in the virtual environment, and all that. But, if you think about it, virtualization hasn't employed a lot of security. That needs to change and I think that will be a growth area for the industry. From a SIEM perspective, we simply need to learn the signs that a virtual environment has been compromised. Also, vendors can put markers in place, essentially tripwires, so that if code is running where it does not belong, that can be detected. Of course, the attackers will learn what the tripwires are, but it is a cat and mouse game. Right now, I would say the attackers that write rootkits for virtual environments have the advantage, but that will not always be so.

Very helpful! SIEMs are pricey beasts, I notice the Price to Earnings ratio of some of the
Where do you see this space in the next two years?
I'm not being very original here by saying that SIEM technology is already becoming mainstream in information security practices, and in two years it will be even more so. The Gartner Group, in fact, sees SIEM technology growing to a $10 billion industry in just two years. There are three main reasons: 1) substantial reduction of time and labor costs, 2) good SIEM technology makes compliance much easier and more efficient, and 3) it takes intrusion detection up to the next level by automating what outstanding intrusion detection analysts have done for years--performing pattern analysis on intrusion detection data based on knowledge of how real-life attacks work.

Gene, one of my concerns is that as a community we are losing the ability to detect attacks. My opinion is that part of this grew from when we all responded to Gartner's "Intrusion detection is dead" paper by implementing Intrusion Prevention Systems; we seemed to believe we could leave the detection to the system, not the human analyst. So it is great to see you mention intrusion detection several times; can you please expand, and be Cinxi specific, on how this helps us take intrusion detection to the next level? I know you touched on this with the first war story; can you take us into the technical weeds with an example of an attack that is hard to write a Snort rule for, and that you can help us detect?
The work of Dr. Matt Bishop and his colleagues at the University of California at Davis has shown that the ability to produce fused alerts, i.e., single alerts representing sets of highly interrelated actions by an attacker (something that is highly desirable from the perspective of an intrusion detection analyst), can be enhanced considerably by analyzing the capabilities of each attacker. Some attackers engage in only very elementary actions, whereas others are capable of very sophisticated ones. Knowing that actions are occurring and linking actions with the capabilities of attackers allow the creation of mathematical models that can identify multi-stage attacks that mainstream IDSs would be likely to overlook.
Thanks, I appreciate that! You mention reduction of time and labor costs. Is that really correct? Where do the savings come from? I am a bit gun shy; I still remember implementing HP Openview and thinking I could operate it with two FTEs, then it ended up needing four!
What are your thoughts about integrating SIEM with these passive sniffers: P0F, SourceFire RNA, Tenable Passive Sniffer? It seems like an economic way to keep the SIEM information up to date?
One of the things we like to do in the Security Laboratory Thought Leader series is give people a bully pulpit, a chance to express what is really burning on their heart. What would you like to share with our readers?
My number one passion right now is to evangelize the information security community and senior management concerning the need to embrace and apply the concept of information security governance. Governance is a number of activities that are exercised by high level management. These activities help ensure that strategic objectives of the organization are met. This is management oversight, planning, and evaluating, ensuring that whatever drives the business operations is always considered. You have to work out your own flavor of governance in an organization. What works in government may well not work in the insurance industry, and may well not work in a private company. But I will tell you, Stephen, I am the CSO at High Tower and this works great for us. The CEO loves the idea that we have a strategic plan and priority. This filters down to the technical folks, the admins, and they are very thankful to have priority. If we do not give the technical people guidance, they have a very hard time. This concept is the most revolutionary one to emerge from within information security in decades. If understood and applied properly, it results in huge dividends, including (but not limited to) far better risk management and delivery of business-related value.

I realize this is a similar question to when I asked about advice for the corporate world, but if a close friend was taking a job as CSO of a Fortune 500 company, and they already had a SIEM implementation, but it was partial and ongoing, what would be the most important advice you would give her?
Honestly, I'd look very hard at the SIEM tool that this person had purchased and, on the basis of the features, functionality and reliability (or lack thereof) of this tool, make a recommendation to either accelerate and complete the SIEM implementation (because of the many benefits of this technology), or to scrap it and start over. I don't pull punches--there are some SIEM tools to which I would not even allocate rack space if they were given to me because they don't at all deliver what SIEM products should (although they can be quite amusing to watch because of all the lights that go on and off and other display gimmickry). Some others are really excellent; if the friend had picked one of these, I would strongly recommend going full speed ahead with the implementation.

Thanks, this has been great and I have really enjoyed it and learned a lot. Just one last question - can you tell us a bit about Dr. Gene Schultz the person? What do you do when you are not in front of a computer?
Well, not flying, that's for sure. I am on an airplane going to some part of the world just about all the time. (Would you like my bonus miles so that you, not I, can fly somewhere else?) On a serious note, I like bicycling, fishing, hiking in the mountains (where my wife and I have a small second home), and fiddling with the two model railroad sets that I have built. Model railroading is probably my biggest after hours passion, but being on travel so much, I do not get nearly as much time to work on my layouts as I would like. Interestingly, I recently read an article about pop singer Rod Stewart, who is also an avid model railroader. He brings kits with him while he is on tour, but has the advantage of owning his own plane, so he can take anything he wants with him. Perhaps I should take a clue from him. *smile*

1. http://www.high-tower.com/blogs/gschultz/
2. http://www.cs.umd.edu/~waa/pubs/USENIX-copilot.pdf