can’t help but be skeptical of mssp value

Rothman has a great post about why someone may choose a managed security services provider (MSSP), and the comments are excellent. I’d certainly read more about people’s experiences with an MSSP both from the vendor but also the customers.

I’m pretty skeptical of the value, but totally agree with Rothman’s bullet points on why you’d go with one. Really, I think there are good reasons, and the best might be offloading the lower hanging alerts and events to someone else, and then blending what’s left into internal staff (the hybrid approach). But I just have a lot of skepticism of the value that could be provided to anything but the smallest businesses and largest enterprises…or those that have an extremely big interest in being solid with security (e.g. banks).

My skepticism comes from the convergence of operations and security, where changes may influence security events and visibility. For instance, when IPS visibility is minimized because operations needed a SPAN port for a while. Or when the SOC team can’t investigate an incident properly because they’re an outside entity without any real access to the customer devices. Or when a network layout is changed, which creates gaps that the SOC team has no chance to anticipate.

Part of my skepticism also comes from my distance from the tasks at hand. I often imagine an MSSP SOC as little more than a smarter, more efficient, but less powerful automated alerting mechanism. Sure, my IPS and AV and SIEM can log and interpret and send me alerts on important issues, but what is my MSSP going to give me beyond that stuff in the first place? Are they going to decide that all that ARP crap on my network isn’t worth 10k false alarms a day? Are they going to know that all those UDP connections opening at 9pm every night are tied to a single automated SQL job? Are they going to know that a Slapper alert on my firewall is useless because I don’t run Apache, or vice versa?

It just seems tough to me to think an MSSP SOC is going to be very effective except against the most obvious stuff, and even then with lots of luck.
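As an added illustration (not code from the post), here is a small Python triage pass over constructed alerts that applies exactly the three pieces of local context the post says an outside SOC lacks: which hosts run which services, which scheduled jobs explain recurring traffic, and which signatures are pure noise. The inventory, job schedule, signature names and addresses are all hypothetical.

```python
from collections import Counter
from datetime import datetime

# Hypothetical local context an outside SOC would not have by default.
SERVICES = {"10.0.2.15": {"apache"}, "10.0.5.20": {"mssql"}, "10.0.1.1": {"firewall"}}
SIG_NEEDS_SERVICE = {"Slapper worm probe": "apache"}  # only meaningful if the target runs it
SCHEDULED_JOBS = [  # the nightly SQL job that opens a burst of UDP connections at 9pm
    {"src": "10.0.5.20", "sig": "UDP connection burst", "start": "21:00", "end": "21:30"},
]
NOISE_CAP = {"ARP spoof suspected": 2}  # beyond this many per day, roll into one daily summary

# Constructed sample alerts covering the three cases from the post.
ALERTS = [
    {"ts": "2011-05-10T21:05:00", "sig": "UDP connection burst", "src": "10.0.5.20", "dst": "10.0.5.30"},
    {"ts": "2011-05-10T03:10:00", "sig": "UDP connection burst", "src": "10.0.5.20", "dst": "10.0.5.30"},
    {"ts": "2011-05-10T10:00:00", "sig": "Slapper worm probe", "src": "203.0.113.9", "dst": "10.0.1.1"},
    {"ts": "2011-05-10T10:01:00", "sig": "Slapper worm probe", "src": "203.0.113.9", "dst": "10.0.2.15"},
] + [{"ts": f"2011-05-10T08:{m:02d}:00", "sig": "ARP spoof suspected", "src": "10.0.9.1", "dst": "10.0.9.2"}
     for m in range(4)]

def in_window(ts, job):
    """True if the alert time falls inside the job's daily HH:MM window."""
    return job["start"] <= ts.strftime("%H:%M") <= job["end"]

def triage(alerts):
    """Return (alert, decision, reason) per alert; decision is suppress, aggregate or escalate."""
    seen_today = Counter()
    out = []
    for a in alerts:
        ts, sig = datetime.fromisoformat(a["ts"]), a["sig"]
        needed = SIG_NEEDS_SERVICE.get(sig)
        if needed and needed not in SERVICES.get(a["dst"], set()):
            out.append((a, "suppress", f"{a['dst']} does not run {needed}"))
            continue
        if any(a["src"] == j["src"] and sig == j["sig"] and in_window(ts, j) for j in SCHEDULED_JOBS):
            out.append((a, "suppress", "matches a known scheduled job window"))
            continue
        key = (sig, ts.date())
        seen_today[key] += 1
        if sig in NOISE_CAP and seen_today[key] > NOISE_CAP[sig]:
            out.append((a, "aggregate", f"{seen_today[key]} {sig} alerts today; rolled into daily summary"))
            continue
        out.append((a, "escalate", "no local context explains it"))  # the 3am burst and the real Apache host
    return out

if __name__ == "__main__":
    for alert, decision, reason in triage(ALERTS):
        print(f"{alert['ts']} {alert['sig']:22} -> {decision:9} ({reason})")
```

The 3am UDP burst from the same database host and the Slapper probe against the host that actually runs Apache are the two that survive, which is the kind of distinction the post argues only someone with local knowledge can make.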

It sort of sounds like a DLP solution. 🙂

a quick case for layered defenses

Will a spam filter catch all malicious email sent to you? No.
Will a web filter block you from getting to all malicious sites? No.
Will a local antimalware tool prevent all malware from infecting your system? No.
Will your own diligence and paranoia weed out all email/web-borne issues? No.
Will reduced desktop rights protect your system? Not entirely.
Will your sandbox browser or script-blocking plugin stop everything? No (but close!).

Will any one of the above be the “right” answer for your business? No.
Will all of the above reduce your risk quite significantly? Yes, when done properly!
Will (broad) detection/monitoring of strange things catch the rest? No, but it should come close!

(This was prompted by some Starbucks spam email that made it through our filters today [despite a forged To address!], and a few users reported, but upon investigation I see our web filter is already blocking this domain. It simply illustrates that layered defense is paramount.)

It’s tempting to look at that sandbox/script-blocking as a best solution, but it’s also one that is entirely in the hands of the end user much of that time, specifically for script-blocking. For many people that I suggest use it, they end up getting sick of it and just allow everything or go back to using a poor browser choice. I’m not a big fan of security that users can turn off at will and without tracking or safety nets.

thoughts on online document mgmt services

Whenever I hear about “cloud storage” or “document management in the cloud” (both uses of the term “cloud” are marketing uses and synonymous with “Internet/web/server” and not actual cloud computing), my bigger kneejerk reactions run the gamut of, “You want to lose control of your sensitive documents?” and, “Don’t you dare mention backups; backups are a fundamental part of IT since it started and don’t need to be put online!”

But I read an article, “Online Document Management – Protecting Your Confidential Data”, by someone associated with a business that offers this service. Despite that, I found it well-written enough to pass on.

I liked the reasons posed for moving, and I agree with them, even if reluctantly. Traditional file servers based on popular OS versions are simply not adequate without lots of work, from a security perspective. The logs suck. Management sucks. And there’s always one or two admins who just don’t do things the way they should be done, and then you have to live with their shoddy solutions that you can’t change without impacting business process.

Here are some additional thoughts I’d add.

a) By consuming someone else’s online document management solution, you really are playing by their rules. No more “creative” solutions to strange problems and requests. You tailor your processes to the rules of the service, not the other way around. This is great for keeping things in line with what you want to do. If you manage the service, then you’ll have to deal with the political machinations of requests to change this and that and why they’re “possible” but bad ideas. If someone else manages it, you typically have a much easier ability to say, “Nice idea, but that’s not how it works.” This isn’t so great, however, if you rely on innovative, creative ideas to fix strange business processes that are unique to you.

b) I really want the business hosting the online document management to be very transparent and clear with their own processes, most importantly: their system change process and feature pipeline, the access their own people have to my documents, etc.

c) Mobile device support for document access is still a big challenge. Throwing it online often makes device compatibility someone else’s problem. However, it could also alienate some users whose devices aren’t supported. Though, to be fair, more than likely a current solution is already alienating them!

d) If there are any apps to help consume the service, are connections securely made and documents securely uploaded? If there is something like an SSL mismatch, will the user be warned?

e) When being consumed on the local device, can you determine whether someone downloaded the file to their device to use elsewhere or just viewed it online? (This is usually a bit of a “trap” question…)

At the end of the day, I’m still not sold on the practice of online document management for anyone but the smallest of shops that have smaller budgets, are more agile, and are likely less attacked or interesting. But they’re useful services to keep in mind.

warrantless gps tracking thoughts

Wired posted up an article that made the Twitter rounds yesterday, “Busted! Two New Fed GPS Trackers Found on SUV”. I have a few thoughts to share on why this is important in total, but this particular instance isn’t quite so important. As a quick recap, a California man found several GPS units on his car and even had a report of the Feds messing with his girlfriend’s car.

1. This guy may be innocent, but there are certainly reasons to track his whereabouts. His cousin is a wanted man. He drove his cousin’s wife to Mexico (where presumably his cousin is). Gosh, let’s see, I would imagine LEO is tracking him in case he goes to wherever his cousin is hiding. I bet this would qualify as a justified reason to track his vehicle. All I’m saying here is this wasn’t necessarily some completely innocent person who has no connections or ties to anything. He’s, at best, unfortunate collateral damage because of his family members.

2. He does have a point where people may see someone tampering with his car. If my neighbors see someone tampering with my car, they may formulate an opinion of me and how maybe I’m a bad person because it looks like someone is GPS-tracking my vehicle. They may also think someone planted a bomb or some other nefarious device and report it to LEO. And suddenly I’m “on the grid” and “in the system.” If that happens because of some mixup or random GPS-tracking on me (who is otherwise about as clean as anyone), that would really suck. I really don’t want to do anything to get my name circulating in a flawed system upon which many things depend, ya know?

Granted, proving damages to reputation due to witnessed LEO involvement with me is probably never going to actually work in court.

The point is: mistakes happen, and it would really suck to be on the receiving end of a LEO/Fed mistake.

3. Without transparency and controls to some effect, I’m a firm believer that eventually (especially as more human beings become involved) a process will be subverted for non-official or non-moral reasons. Maybe to track a husband, or a friend’s girlfriend, or political dissidents, or whathaveyou. If it can be done, I’ll pretty much bet it will be done.

4. I’m not really sure why it would be such a bad deal to require warrants for GPS-tracking a vehicle. Perhaps there are other insinuations about tracking someone’s movements in public places (streets) and a slippery slope of judicial precedence there. That’s certainly possible since I’ve not studied up on this issue (I believe there is a court case and even legislation involved that I’m not familiar with).

Lastly, this isn’t the last time we hear of this. We have issues already with in-car services doing tracking, cell phone tracking by private corps, and credit/debit histories. And it’s naive to think they *don’t* sell and/or give that information away in any way that will help their business. We also have an increasing number of traffic cameras being implemented and increasingly scary amounts of license plate scanning on the roads and even facial recognition scanning!

So, in a way, this is a losing battle, but a battle that really needs to be fought. This process is essentially the reason we have a country like we do in the first place.

play nice with the chaos monkey

Last week I mentioned the HBR article, “What Every CEO Needs to Know About the Cloud”. Today I saw Brandon Williams posted about a piece of the article I did not focus on and should have: the Chaos Monkey.

Brandon mentioned that the Chaos Monkey is probably revenue impacting. Yup! That makes people scared! But if you have a real event and can’t handle it properly, that will likely turn into an even more revenue impacting incident than it could have been. And when it comes to Operations: things *will* fail someday.

I agree there should be controlled incidents in operations and especially in security. But I would caution that there is a very fine line between doing these controlled incidents (or tests) in a positive way or in a way that people hate and will react badly to.

Learning from tests is paramount. Pointing fingers and slapping hands and smacking ears because something is missed is called Doing It Wrong. You’ll just end up with scared, sensitive, and not-happy people. No one likes to be tested and to fail and then have it shoved into their face or performance review. Yes, that gets results, but the point of so much testing and education is improvement and positive conditioning, not negative conditioning and fear.

checking in on the idea of a standing desk

I casually noticed McKeay talking about a standing desk via Twitter recently, and I see he has a detailed blog post about his new standing desk (this is itself an interesting compare/contrast for Twitter vs Blogs…). While I’ve never entertained the idea myself (though, yes, I’ve seen treadmill/walking desks for WoW players), I have to admit I’m intrigued (clearly, since I’m even bothering with this post).

Let’s get a few things out of the way. A standing desk won’t necessarily burn more calories, but it certainly eliminates the “barrier” of having to stand up and be in awkward positions in relation to the computer in order to do something else. If you’re already standing, I can certainly see how much easier it is to just walk over and do something else or be just slightly more active. But I won’t begin to think this activity comes close to actual cardio activity; it’s just a gateway. More importantly, though, is the posture, blood flow, and core balance that can be improved by not sitting all day. I totally acknowledge and would expect that.

So let’s look at my computer use cases. At work, we do have the option of swapping our desk chair with an exercise ball; and I may be tempted to try this. But standing, at 6′, I can just barely see over our typical cubes, which would be strange over time. In short, most of our cubes just aren’t ready for standing. So let’s disregard my day job for now, though I’d probably get by with a standing desk at work just fine.

At home, I typically am doing one of 4 things on my systems: movies/netflix, socializing/web browsing, tinkering with new technologies and such (research?), and video gaming. I can’t say I’ve ever watched a movie standing up and I’m not sure I’d dig that, but I bet I could mount my monitors on arms that could swivel and be positioned to accommodate a leisure position in a nearby chair. My socializing/tinkering activities are probably pretty posture-neutral for me; it would be weird at first of course, but I bet I could do them just fine standing or sitting. There are, of course, times where I’m probably thinking or mulling something over and want a change of position, but that can be dealt with by walking away and flopping onto a beanbag (Lovesac) or something. What would be less convenient would be reading-at-length or watching webinars/presos, most likely.

(Aside: I spend an inordinate amount of time at my computers, but I also don’t spend any time at all in front of a television. In fact, I don’t have one that brings in any television stations. I have a plasma, but only for movies I want to watch away from my computers or to play console games, which isn’t all that much. So, at least I’m not lounging on a couch or Lay-Z-Boy for hours of awful television. I’ve gone 6 years now without television use, and about twice that without actually ever *watching* it [prior roommates would watch, but I would usually not].)

And then we’re to video gaming, a relatively important hobby to me. I’m pretty sure my casual MMO/WoW playing would be compatible with standing, but I’d really expect I’d get sick of standing when it comes to FPS gaming or anything with a controller. With a controller held in both hands, that probably would eliminate my ability to support myself with my hands like I would with my forearms when typing or using a mouse. Who knows! Really, gaming is about being in a pretty uniform position with hands supported consistently and solidly to allow quick and precise movements. I’m pretty sure standing for that would be taxing.

So, I’m still unsure. One idea would be to augment my current desk with a nearby stand-up desk which could hold some of my extra boxes and servers and gear. But I’d be willing to bet I’d gravitate to one desk and ignore the other.

I could possibly rig something up where my main machines can be rolled to and hooked up to KVM setups between the desks as I see fit. But other than a real workshop-like area, I bet that’ll never look less than tacky and messy. And I’d probably still gravitate one way or another.

Still, this idea is interesting enough to keep in my thoughts for the present!