In many of my talks about the Internet Storm Center (ISC), I put forward the conjecture that one of the main reasons malware development is accelerating is efficient and open collaboration. In my talks, I use this fact to explain what the ISC is trying to accomplish: We have to "out-share" in order to compete with new malware developments. This is somewhat counterintuitive for many security professionals. After all, we would never post our firewall rules (or passwords) on our web site. But why not a method you use to pick good passwords? Or better: How do you avoid using passwords?
McAfee posted a research report with the title: "Paying the Price for the Open Source Advantage". The paper very nicely puts forward a number of examples where open source hurts security. Open source enables attackers to examine source code for flaws, and a lot of malware writers use open source concepts to collaborate. The report leaves out how the lack of collaboration in the defensive community left us chasing sophisticated and well developed threats with outdated signature based tools and software whose security is largely based on an easily pierced veil of obfuscated proprietary code.
One of the founders of western military strategy, Clausewitz, postulated in his book "On War" that "Defense is the stronger form of waging war". But why are we losing the network security war? We are spending larger and larger amounts on security tools. Much of this money is spent on outdated technologies like signature-based anti-virus systems, point solutions that protect against the "threat of the day", and patch management systems to help us keep the leaky software we purchased (for a lot of money) afloat. We forget that some of the best security comes free, or for the price of a good pint at a local pub while hanging out with like-minded friends chatting about security. If we don't learn and if we don't start collaborating openly, we are doomed.
Let's pull out one very successful example of open source collaboration at work: Snort. Snort is not only a great Intrusion Detection System (IDS), but even better: It set a lot of the standards showing commercial vendors what a good IDS should look like. Yes, we want to see packets. Yes, we want to see the rules, and yes, we want to tune it for our networks. Without full packets, we can't share what we learned from attacks with others. If we can't see the rules, then we can't share them to help others defend themselves. If we can't tune the rules, then we can't implement the lessons others learned to protect our network.
Now another Clausewitz quote: "Theory becomes infinitely more difficult as soon as it touches the realm of moral values." So let's put the theory of collaboration into practice. The ISC and DShield have been created to do just that. In response to July's "Browser Bug of the Day", I would like to make August "Security Tip of the Day" month. I will post a particularly nice/insightful security tip here each day. Let the sharing begin! If you would like to share firewall logs, see how to do so here. (And yes, your home cable/DSL/dialup logs are great!)
Let's out-share and survive!
(Before I get a lot of "use large password" style tips: I am looking for novel, neat, nice, easy to implement ideas that are not widely known.)
Johannes B. Ullrich, CTO SANS Internet Storm Center.
Jul 31st 2006