SHIMEL: OK. That brings up another thing that I'd like to throw at Richard. I've heard this discussed as the positive security model versus the reactive model. But to me it boils down to this nugget: the realization that we may not be able to stop everything that gets in. Part of the security practitioner's role is to understand when something happens, figure out how it happened and prevent it from causing any more harm. Richard, what do you think about that?
STIENNON: A lot of people who have been under the sorts of attacks Kevin describes are saying you can't stop everything, so our only hope is to detect and get them before they exfiltrate the data. And I've come around to that. It flies in the face of traditional "stop everything, be preventive and not reactive," but it's a new level of reactive. This isn't coming in Monday morning and looking at your IDS logs and going, "Oh, no." This is eyes-on-the-screen-100%-of-the-time going, "Whoops, somebody just opened an attachment and infected his machine and a remote-access Trojan has been downloaded and it's starting to scan my network." Or, "Oops, the guy already jumped to the Active Directory server and is consuming all of my identities, we have to do something now."
And if you haven't caught it by then -- by then it might be all over the place -- it's either shut off the network and cut yourself off or find every little bit and segment of the code left behind. You've got to be able to find them all, shut them down and clean them up before you turn your network back on.
KERR: Let me build on that. With us, once they got in and got some credentials they moved from that box to a server, and then across to another, and as they did they kept gathering credentials, and eventually they got our domain credentials, which at that point is pretty much game over. And because they were moving across our network, they were touching quite a few boxes -- somewhere in the low hundreds -- and they created so many back doors that every time we closed one they opened another. And that's when we realized we couldn't stop this from happening and couldn't stop the data from moving off.
Unfortunately, we didn't have enough IDS, IPS and other monitoring tools to see what they had touched, so it was a risky decision to disconnect from the network. Some of my sister labs were attacked at a later date by similar entities and they decided not to disconnect because they were able to see more of what happened and where they were, and I guess had also learned some lessons from us.
So what you do is obviously dependent on the risk. Today we have a better picture of what's going on in our network. We've re-architected to provide better monitoring, to see better what's going on, so we can disconnect 20-30 machines versus 20,000.
SHIMEL: The kind of assets you guys are talking about at Oak Ridge are national and strategic and you can't afford to risk them getting out. So disconnecting as a means of stopping the information from being exfiltrated is certainly viable, not a long-term solution, but faced with what you were faced with, what else could you do? But Kevin, it's not just about having more IDS and IPS, is it? It's having the plan in place about what to do when this happens, and I'm sure part of re-architecting is putting in place procedures and processes in case this sort of thing happens again, right?
KERR: Correct. Just to give it some context, as a CISO I had started at Oak Ridge about two months before this happened. So I was still learning the lab and when this happened I asked for our Incident Response Plan and someone reached up on the shelf, blew all the dust off of it and gave it to me and basically it was how to address a Trojan or a virus on a system. It had nothing to do with how to deal with an advanced persistent threat, and it had nothing to do with how and where to disconnect or anything like that. So there were a lot of lessons learned really quickly about how to react, and unfortunately it was a lot of ad hoc, fly by the seat of the pants stuff.
SHIMEL: Adam, what are companies like Sourcefire doing to help Kevin and those like him in these frontline situations?
O'DONNELL: Sourcefire is very much behind the "See it, Control it" idea. And that means giving visibility into any kind of connection or threat that comes into the network, as well as giving the user the ability to control the threat. We have structured all of our products and technologies along those lines. So if you have an attack that comes in through the network, you would see it on your IDS/IPS. If it gets over to the host side, you would use our host technologies to see what files were introduced, what files those files introduced, and what systems those files talked to.
To address Kevin's issue, we believe that the threats are somewhat unique to each network, so we want to come up with tools that allow specific network operators to address their specific threats. So we make these things configurable and adaptable and definable by each product owner, and we give customers full access so they can generate their own rules and signatures, because we believe that waiting on a vendor to address a specific threat inside of a network, especially one that's seen by a government entity or a private organization that does not want to share that threat, is essential to allowing our customers to control threats.
SHIMEL: Richard, would it help if companies like Sourcefire, Symantec, McAfee and the others shared information about attacks so there would be a global threat response in the cloud? Is the security industry mature enough for that?
STIENNON: It's not nearly mature enough to share that information, and the attacks are so targeted it wouldn't be completely effective anyway. I know one defense contractor that, for every attack they shut down, tries to tie that back to indicators they either detected themselves or had pre-knowledge of from the Defense Industrial Base Information Sharing Network, which is easily the most mature. And information from that network only helped them stop about 20% of the attacks, so there's always going to be this need for internal situational awareness.
SHIMEL: OK. Let me throw a question out to all three of you. Are whales -- and I don't mean that in a derogatory way -- are whales like the Department of Defense, like an Oak Ridge National Lab, an exception to the rule that demands customized solutions, or do smaller shops need the same kinds of solutions?
O'DONNELL: I believe that the magnitude of threat is going to be a function of the value of the resources targeted. If it is all the credentials for a popular cloud provider or blueprints for the next F-35 modification or something else that has a monetary value that's hard to quantify, the attackers are going to throw everything they have into it. They are going to come up with custom exploits, they're going to use highly trained individuals and they're going to spend a good bit of time and be patient until they get that data.