Recent Controversy

There has been a bit of a verbal flare up between the folks behind Snort and Suricata. Matt Jonkman, founder of Emerging Threats and OISF’s president, recent statement that “[Intrusion detection technology] has been stagnant for the last five years” [7] did not sit well with Martin Roesch, Snort’s creator. Roesch questioned Suricata’s stated benefits when he responded, “OISF has wrapped Suricata in some cool computer science concepts, but they have not delivered on their vision. [Suricata] offers a sub-set of Snort’s functionality at a fraction of its performance.” [8] Roesch went on to say, “They’ve produced a clone of Snort that performs worse at taxpayer’s expense.”

Matt Olney, a senior research engineer for the Sourcefire Vulnerability Research Team (VRT) addressed the multi-threaded benefit when he wrote, “Trust me, if multi-threading were the answer, the industry would have moved there in short order.” [10] Olney went on to quote results of an internal test pitting Snort against Suricata, “With rules loaded, Suricata runs up to about 200MB per second. Snort, with rules, hits 894MB per second with no drops.”

Jonkman questioned those finding when he wrote, “Those stats are ridiculous, and they refuse to publish details of the equipment and configuration used.” Jonkman goes on to explain, “We know that we’re not, right now, cycle for cycle, faster than Snort … but we’re getting six times the performance as Snort on the same hardware, with version 1.0.” Victor Julien, lead developer of Suricata, explain [14], “Is Suricata faster than Snort on a single core cycle for cycle, tick for tick? No. It’s pretty clear we aren’t, I didn’t expect us to be either. But we scale. We’ve had reports of running on a 32 core box and scaling to use all cores.” Russ McRee, a senior security analyst / researcher and founder of holisticinfosec.org, adds, “Consider that an unnamed military body has tested Suricata versus Snort on a large scale platform (24 processors and 128GB of RAM) and saw a very clear 6-fold speed increase over a tuned Snort implementation on the same platform.”

Features

Russ McRee article on Suricata in August’s ISSA Journal [18] contained a table comparing features, which we will add Bro information to:

Seth Hall, Information Security Detection-Response Architect at GE (and one of the top Bro developers), addressed the above table and pointed out some of the strong features of Bro. Seth writes:

• Multithreaded processing: Work is ongoing on this, but nothing releasable yet. Bro does have a fully functional cluster deployment model which helps users to scale support on a single box and/or across multiple boxes.
• IPv6 Support: Due to a bug, which hopefully will be addressed by the next release, IPv6 support is unusable in large scale production.
• IP reputation: You could say that Bro has IP reputation, it’s easy to utilize lists of addresses at least. I’m going to be working heavily on an intelligence sources framework for Bro soon too which will be able to consume a wide range of intelligence sources including IP addresses.
• Automated protocol detection: There’s even an academic paper about it [19] if you’d like to find out exactly how it works.
• Global variables/flowbits: Bro support for this sort of thing is far beyond what anything else has inherently because Bro has a complete programming language.
• GeoIP lookups: I added that myself several years ago. Bro supports IPv6 geoip lookups in addition to IPv4 and ASN lookups using another database for libGeoIP.
• Advanced HTTP Parsing: Bro has had it for years.
• HTTP Access Logging: Definitely. My script [20] will be included in the next release too.
• SMB Access Logging: This is something that I’m planning on tackling soon. I don’t know what the level of support for SMB is currently, but there is a parser already.
• HTTP Blocklist lookups: Yes, I consider this similar to the IP reputation and it’s going to be included in the intelligence sources framework. Some usage of URL lists is already included in a script that I distribute separately [21] but which will be in the next release of Bro.
• Free: Bro is under the BSD license, so in my opinion it’s actually more free than Snort or Suricata which are both under the GPL and much more difficult to share code with.

While Snort and Suricata have been a bit in the public spotlight recently, the developers of Bro have stayed clear of the recent verbal debate. Bro is the third open source IDS/IPS engine we will be working with. It is primarily funded by the National Science Foundation’s Strategic Technologies for the Internet program. Robin Sommer this week announced [26] that the International Computer Science Institute (ICSI) and the National Center for Supercomputing Applications (NCSA) have been awarded a grant of almost $3M for extensive Bro development. To quote Robin:

The funded project aims specifically at addressing much of the feedback that we have received from Bro users over the years. It will enable us to refine many of the rough edges that the system has accumulated over time[*], improve Bro’s performance significantly, and also make it much easier for the community to contribute to the project.

Expect some interesting work from the Bro camp. Some of Bro’s current stated features and benefits [15] include:

• Network Based: Bro is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific network location. A single Bro monitor, strategically placed at a key network junction, can be used to monitor all incoming and outgoing traffic for the entire site. Bro does not use or require installation of client software on each individual, networked computer.
• Rich Application-Layer Analysis: A primary feature of Bro is that it includes detailed, parser-driven analysis of many popular application protocols. The output of these analyzers is a stream of events that describe observed activity in semantically rich, high-level terms. These events themselves do not constitute security alerts, but rather provide the input for further, stateful processing using Bro’s custom scripting language.
• Custom Scripting Language: Bro policy scripts are programs written in the Bro language. They contain the “rules” that describe what sorts of activities are deemed troublesome. They analyze the network activity and initiate actions based on the analysis. Although the Bro language takes some time and effort to learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually any type of network activity.
• Pre-written Policy Scripts: Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the important attack activity. These supplied policy scripts will run “out of the box” and do not require knowledge of the Bro language or policy script mechanics.
• Powerful Signature Matching Facility: Bro policies incorporate a signature matching facility that looks for specific traffic content. For Bro, these signatures are expressed as regular expressions, rather than fixed strings. Bro adds a great deal of power to its signature-matching capability because of its rich language. This allows Bro to not only examine the network content, but to understand the context of the signature, greatly reducing the number of false positives. Bro comes with a set of high value signatures policies, selected for their high detection and low false positive characteristics.
• Network Traffic Analysis: Bro not only looks for signatures, but can also analyze network protocols, connections, transactions, data amounts, and many other network characteristics. It has powerful facilities for storing information about past activity and incorporating it into analyses of new activity.
• Detection Followed by Action: Bro policy scripts can generate output files recording the activity seen on the network (including normal, non-attack activity). They can also generate problem alerts to event logs, including the operating system syslog facility. In addition, scripts can execute programs, which can, in turn, send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with appropriate additional software, insert access control blocks into a router’s access control list. With Bro’s ability to execute programs at the operating system level, the actions that Bro can initiate are only limited by the computer and network capabilities that support Bro.

In my previous post, “Snort 3: The Next Generation” [4], Marty provided a roadmap of where Snort is heading. While changes have since been made as Snort develops, the philosophy remains the same. Sourcefire is moving forward on a solid security framework. See the recent work on the Sourcefire’s Razorback framework [24] and [25]. Olney described Razorback in this way [10], “It isn’t Snort, it isn’t ClamAV, and it isn’t Suricata. It’s a new approach to the detection problem, and was built from the ground up in close collaboration with groups that are facing APT-level threats. It may not be perfect, it may not even be the right answer (but we think it is), but it is truly innovative.”

More immediate, examine the the improved features Snort 2.9.0 Beta [16]:

• Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
• Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
• Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.

The new features include:

• Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor
  has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
• Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links to.
• A new rule option ‘byte_extract’ that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
• Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
• Added a new pattern matcher that supports Intel’s Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist.

Last, but not least, several characteristics OSIF report Suricata has to handle today’s threat are [12]:

• An open source engine. The power of the community works well
  within IT security defenses, as a community is more effective than a
  single organization at capturing characteristics of emerging threats.
• Multi-threaded. A multi-threaded architecture allows the engine
  to take advantage of the multiple core and multiple processor
  architectures of today’s systems.
• Supports IP reputation. By incorporating reputation and
  signatures into its engine, Suricata can flag traffic from known
  nefarious origins.
• Automated protocol detection. Preprocessors automatically
  identify the protocol used in a network stream and apply the
  appropriate rules, regardless of numerical port.

For additional background information, I have written several past posts on IDS/IPS (see “Suricata: A Next Generation IDS/IPS Engine” [2], “Installing Bro IDS 1.4″ [3], “Snort 3: The Next Generation” [4], “Blacklisting with Snort”, [17], “IDS/IPS: The Mark Twain of the Security World” [5], and “IDS” [6]). I will not repeat that information in this post.

Version

We will be setting these software packages up to be used on a development machine. The exchange between the Snort and Suricata was focused on timing and features. For that reason, I am interested in maximizing features verses stability. We will be using the latest software, which may mean beta or even CVS versions.

Supporting Software

The three IDS/IPS engines share most of the supporting software requirements, depending on configuration options. Below are a few required libraries and software packages:

Below are a few libraries and software packages that are not required, but you should consider installing. The packages, except GeoIP and Google Perftools, should have binaries available for your OS. Use these ports to install the packages and save yourself the trouble of having to keep the software updated. We will go through through the installation of GeoIP and Google Perftools from source code.

Installing Supporting Software

Which libraries and supporting software you install will be dependent on which options you use in configuring your IDS/IPS engines. If you can install packages (and not source), carefully consider this option. It will make maintenance easier. We will walk through the source installation for demonstration purposes.

Libcap-ng

For Linux users, the libcap-ng will be required for dropping privileges.

root# cd /usr/local/src
/usr/local/src root# wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz
/usr/local/src root# tar libcap-ng-0.6.4.tar.gz
/usr/local/src  root# cd libcap-ng-0.6.4
/usr/local/src/libcap-ng-0.6.4 root# ./configure
/usr/local/src/libcap-ng-0.6.4 root# make
/usr/local/src/libcap-ng-0.6.4 root# make install

Libdnet

Make sure Libdnet is in your library path:

 root# /sbin/ldconfig -p | grep -i libdnet
libdnet32.so.1 (libc6) => /usr/lib/libdnet32.so.1
libdnet32.so (libc6) => /usr/lib/libdnet32.so

If you do not get a path returned, you will need to install libdnet (use –prefix if it needs to be installed in a special location). We will pull down it down the CVS version, because we will need the sctp.h file to be installed.

root# cd /usr/local/src
/usr/local/src root# wget svn checkout http://libdnet.googlecode.com/svn/trunk/ libdnet-cvs
/usr/local/src root# cd libdnet-cvs
/usr/local/src/libdnet-cvs root# ./configure
/usr/local/src/libdnet-cvs root# make
/usr/local/src/libdnet-cvs root# make install
/usr/local/src/libdnet-cvs root# cp include/dnet/sctp.h /usr/local/include/dnet

If you have installed libdnet in a special location, make sure to include its path in /etc/ld.so.conf.

Libnet

The library libnet will be required for packet-injecting.

root# cd /usr/local/src
/usr/local/src root# wget http://github.com/sam-github/libnet/tarball/libnet-1.1.4 \
-O  libnet-1.1.4.tgz
/usr/local/src root# tar xzf libnet-1.1.4.tgz
/usr/local/src root# cd sam-github-libnet-d2bedb5
/usr/local/src/sam-github-libnet-d2bedb5 root# ./autogen.sh
/usr/local/src/sam-github-libnet-d2bedb5 root# ./configure
/usr/local/src/sam-github-libnet-d2bedb5 root# make
/usr/local/src/sam-github-libnet-d2bedb5 root# make install

Libnfnetlink and Libnetfilter

If you plan on using the IPS capabilities (inline support), you will need to install libnfnetlink and libnfnetlink-queue.

root# cd /usr/local/src
/usr/local/src root# wget \
ftp://ftp.netfilter.org/pub/libnfnetlink/snapshot/libnfnetlink-20100823.tar.bz2
/usr/local/src root# bunzip2 libnfnetlink-20100823.tar.bz2
/usr/local/src root# tar xf libnfnetlink-20100823.tar
/usr/local/src root# cd libnfnetlink-20100823
/usr/local/src/libnfnetlink-20100823 root# ./autogen.sh
/usr/local/src/libnfnetlink-20100823 root# ./configure
/usr/local/src/libnfnetlink-20100823 root# make
/usr/local/src/libnfnetlink-20100823 root# make check
/usr/local/src/libnfnetlink-20100823 root# make install
/usr/local/src/libnfnetlink-20100823 root# cd /usr/local/src
/usr/local/src root# wget \
ftp://ftp.netfilter.org/pub/libnetfilter_queue/snapshot/libnetfilter_queue-20100824.tar.bz2
/usr/local/src root# md5sum libnetfilter_queue-20100824.tar.bz2
69ce1eb24632bfed050cd936e0fe660c  libnetfilter_queue-20100824.tar.bz2
/usr/local/src root# bunzip2 libnetfilter_queue-20100824.tar.bz2
/usr/local/src root# tar xf libnetfilter_queue-20100824.tar
/usr/local/src root# cd libnetfilter_queue-20100824
/usr/local/src/libnetfilter_queue-20100824 root# ./autogen.sh
/usr/local/src/libnetfilter_queue-20100824 root# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/ ./configure
/usr/local/src/libnetfilter_queue-20100824 root# make
/usr/local/src/libnetfilter_queue-20100824 root# make check
/usr/local/src/libnetfilter_queue-20100824 root# make install

Libpcap and PF_RING

If you are running on a system with a Linux kernels 2.6.x or greater, you will want to install PF_RING on your system. PF_RING is a network socket that can greatly improve packet capture speed. PF_RING polls packets from NICs by means of Linux NAPI. NAPI (“New API”) is a modification to the device driver packet processing framework, which is designed to improve the performance of high-speed networking. NAPI copies packets from the NIC to PF_RING circular buffer. The application then reads packets from the ring. PF_RING can distribute incoming packets to multiple rings (hence multiple applications) simultaneously. Please see “Exploiting Commodity Multicore Systems for Network Traffic Analysis” [23] for additional information.

We are going to walk through a specific example with certain ethernet card drivers and a particular linux kernel. Please make sure not to copy the commands blindly. Adjust to your system. The below is for demonstration purposes. These steps are based on Gunjan Bansal blog [22]. Please see Gunjan’s blog for additional explanation.

First step, provide some basic information on the system.

root# /sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
root# /sbin/ethtool -i eth0
driver: e1000e
version: 1.0.2-k3.1
firmware-version: 1.3-1
bus-info: 0000:00:19.0
root# /bin/uname -r
2.6.18-194.8.1.el5PAE

In this example I will be working off the ethernet interface eth0 and the ethernet driver e1000e. The kernel release is 2.6.18-194.8.1.el5PAE.

Second step is to download the PF_RING software from ntop through the SVN repository, configure, compile, and install. The “/sbin” directory will need to be in your PATH or you will get a complaint about “ldconfig: Command not found.”

root# cd /usr/local/src
root# PATH=$PATH:/sbin
/usr/local/src root# mkdir pf_ring && cd pf_ring
/usr/local/src/pf_ring root# svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
/usr/local/src/pf_ring root# cd PF_RING/kernel
/usr/local/src/pf_ring/PF_RING/kernel root# make
/usr/local/src/pf_ring/PF_RING/kernel root# make install
/usr/local/src/pf_ring/PF_RING/kernel root# cd ../userland/lib
/usr/local/src/pf_ring/PF_RING/userland/lib root# make
/usr/local/src/pf_ring/PF_RING/userland/lib root# make install

Under some OSs, you need to compile libpcap to support large files (files large than 2G). We are going to install the resulting libpcap under /usr/local. Large file support is required if the following kind of error is produced:

root# ls -lh /data/ids/full2.pcap
-rw-r--r-- 1 root root 12G Oct 26 10:01 /data/ids/full2.pcap
root# /usr/local/snort/bin/snort -o -A none -c \
/usr/local/snort/conf/snort.conf -l /logs/snort/logs \
-r /data/ids/full2.pcap
Error getting stat on pcap file: /data/ids/full2.pcap:
Value too large for defined data type
ERROR: Error getting pcaps
Fatal Error, Quitting..

To compile large file support into libpcap:

/usr/local/src/pf_ring/PF_RING/userland/lib root# cd ../libpcap-1.0.0-ring/
/usr/local/src/pf_ring/userland/libpcap-1.0.0-ring root# ./configure --prefix=/usr/local \
CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE \
-D_FILE_OFFSET_BITS=64"
/usr/local/src/pf_ring/userland/libpcap-1.0.0-ring root# make
/usr/local/src/pf_ring/userland/libpcap-1.0.0-ring root# make shared
/usr/local/src/pf_ring/userland/libpcap-1.0.0-ring root# make install
/usr/local/src/pf_ring/userland/libpcap-1.0.0-ring root# make install-shared

By configuring tcpdump with support for PF_RING, all applications (tcpdump and our IDS/IPS engines) will be able to access simultaneously the PF_RING circular buffer.

/usr/local/src/pf_ring/userland/libpcap-1.0.0-ring root# cd ../tcpdump-4.0.0
/usr/local/src/pf_ring/userland/tcpdump-4.0.0 root# CFLAGS="-D_LARGEFILE_SOURCE \
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" LDFLAGS="-lpfring -lpcap" LD_LIBRARY_PATH="/usr/lib:/usr/local/lib" ./configure
/usr/local/src/pf_ring/userland/tcpdump-4.0.0 root# make
/usr/local/src/pf_ring/userland/tcpdump-4.0.0 root# make install

Replace the ethernet driver.

/usr/local/src/pf_ring/userland/tcpdump-4.0.0 root# cd ../../drivers/intel/e1000e-1.0.15/src
/usr/local/src/pf_ring/PF_RING/drivers/intel/e1000e-1.0.15/src root# make
/usr/local/src/pf_ring/PF_RING/drivers/intel/e1000e-1.0.15/src root# make install

The third step is to activate PF_RING if its not already activated. Use lsmod to check if pf_ring is started or not.

/usr/local/src/pf_ring/PF_RING/drivers/intel/e1000e-1.0.15/src root# /sbin/lsmod | grep pf_ring
pf_ring                46680  0
/usr/local/src/pf_ring/PF_RING/drivers/intel/e1000e-1.0.15/src root# cd \
/lib/modules/2.6.18-194.8.1.el5PAE/kernel/net/pf_ring
/lib/modules/2.6.18-194.8.1.el5PAE/kernel/net/pf_ring root# /sbin/insmod \
pf_ring.ko transparent_mode=1
/lib/modules/2.6.18-194.8.1.el5PAE/kernel/net/pf_ring root# cd \
../../drivers/net/e1000e

Step four, you will unload the ethernet card driver (e1000e) and load the new driver. Keep in mind, unloading the driver means ethernet access will be lost. It is wise not to issue this command remotely.

/lib/modules/2.6.18-194.8.1.el5PAE/kernel/drivers/net/e1000e root# /sbin/rmmod \
e1000e ; /sbin/insmod e1000e.ko

You now are PF_RING enabled.

LibYAML

The yaml library will be required for parsing Suricata configuration file.

root# cd /usr/local/src
/usr/local/src root# wget http://pyyaml.org/download/libyaml/yaml-0.1.3.tar.gz
/usr/local/src root# tar xzf yaml-0.1.3.tar.gz
/usr/local/src root# cd yaml-0.1.3
/usr/local/src/yaml-0.1.3 root# ./configure
/usr/local/src/yaml-0.1.3 root# make
/usr/local/src/yaml-0.1.3 root# make check
/usr/local/src/yaml-0.1.3 root# make install

GeoIP Installation and Configuration

MaxMind GeoIP is a collection of APIs for looking up the location of an IP address. There is a collection of free GeoLite databases, which are not as accurate as the GeoIP databases, but will do for starting out and testing with Bro. To setup GeoIP for use with Bro, please follow the commands below.

root# cd /usr/local/src
/usr/local/src root# wget http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
/usr/local/src root# gunzip GeoLiteCity.dat.gz
/usr/local/src root# mkdir -p /usr/local/share/GeoIP
/usr/local/src root# mv GeoLiteCity.dat /usr/local/share/GeoIP/GeoIPCity.dat
/usr/local/src root# wget http://www.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
/usr/local/src root# tar xzf GeoIP.tar.gz
/usr/local/src root# cd  GeoIP-1.4.6
/usr/local/src/GeoIP-1.4.6 root# ./configure
/usr/local/src/GeoIP-1.4.6 root# make
/usr/local/src/GeoIP-1.4.6 root# make check
/usr/local/src/GeoIP-1.4.6 root# make install

Make sure /usr/local/lib is placed into your library path.

Google Perftools Installation and Configuration

Google’s perftools is a collection of a high-performance multi-threaded malloc() implementation and some performance analysis tools. Google’s perftools have replaced mpatrol for leak-checking and heap-profiling. We will compile Bro with –enable-perftools. By default, perftools will install under /usr/local directory. With perftools compiled into Bro, there are two command-line options made available:

To help with the installation of Google’s perftool, the ICSI Networking Group has written a post “Making Sure Your Bro Code Does Not Leak.” The post will provide additional information. The basic steps to install perftools are:

root# cd /usr/local/src
/usr/local/src root# wget http://google-perftools.googlecode.com/files/google-perftools-1.6.tar.gz
/usr/local/src root# tar xzf google-perftools-1.6.tar.gz
/usr/local/src root# cd google-perftools-1.6
/usr/local/src/google-perftools-1.6 root# ./configure
/usr/local/src/google-perftools-1.6 root# make
/usr/local/src/google-perftools-1.6 root# make check
/usr/local/src/google-perftools-1.6 root# make install

PCRE (pcre-8.10)

The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5. If you can install PCRE via a binary specific to your operating system, that is the best way to install in order to avoid having to keep the software up-to-date. Below are the instructions for installing the software from source.

root# cd /usr/local/src
/usr/local/src root# wget \
http://downloads.sourceforge.net/project/pcre/pcre/8.10/pcre-8.10.tar.gz
/usr/local/src root# wget \
http://sourceforge.net/projects/pcre/files/pcre/8.10/pcre-8.10.tar.gz.sig/download
/usr/local/src root# gpg --verify pcre-8.10.tar.gz.sig pcre-8.10.tar.gz
/usr/local/src root# tar xzf pcre-8.10.tar.gz
/usr/local/src root# cd pcre-8.10
/usr/local/src/pcre-8.10 root# ./configure --prefix=/usr/local/pcre
/usr/local/src/pcre-8.10 root# make
/usr/local/src/pcre-8.10 root# make test
/usr/local/src/pcre-8.10 root# make install

XML Analyzer

The XML analyzer is highly-experimental code written by Tobias Kiesling. Installation of Xerces-C++ and XQilla is required to use the XML analyzer. The code allows you to be able to easily adjust analysis capabilities to specific XML data formats. Xerces-C++ is a validating XML parser written in a portable subset of C++. XQilla is an XQuery and XPath 2 library and command line utility written in C++.

root# cd /usr/local/src
/usr/local/src root# wget http://downloads.sourceforge.net/xqilla/XQilla-2.2.4.tar.gz
/usr/local/src root# wget http://mirror.its.uidaho.edu/pub/apache/xerces/c/3/sources/xerces-c-3.1.1.tar.gz
/usr/local/src root#  md5sum xerces-c-3.1.1.tar.gz
6a8ec45d83c8cfb1584c5a5345cb51ae  xerces-c-3.1.1.tar.gz
/usr/local/src root# tar xzf xerces-c-3.1.1.tar.gz
/usr/local/src root# tar xzf XQilla-2.2.4.tar.gz
/usr/local/src root# ln -s XQilla-2.2.4 xqilla
/usr/local/src root# cd  xerces-c-3.1.1
/usr/local/src/xerces-c-3.1.1 root# ./configure
/usr/local/src/xerces-c-3.1.1 root# make
/usr/local/src/xerces-c-3.1.1 root# make check
/usr/local/src/xerces-c-3.1.1 root# make install

With Xerces-C++, configure and install XQilla.

root# cd /usr/local/src/xqilla/
/usr/local/src/xqilla root# ./configure --with-xerces=/usr/local/src/xerces-c-3.1.1/
/usr/local/src/xqilla root# make
/usr/local/src/xqilla root# make install

Bro Setup

We will be working off the instructions previously posted in “Installing Bro IDS 1.4″ [3], just updating the material to reflect the requirements of the current Bro software. There a few options when installing Bro. Bro was not developed for the PHB. Advance security software provides the power to the user, with all the options to adapt it to your environment. To quote the Bro site, “Bro has been developed primarily as a research platform for intrusion detection and traffic analysis. It is not intended for someone seeking an ‘out of the box’ solution. Bro is designed for use by Unix experts who place a premium on the ability to extend an intrusion detection system with new functionality as needed, which can greatly aid with tracking evolving attacker techniques as well as inevitable changes to a site’s environment and security policy requirements.” With the Unix experts in mind, we will go through the steps involved to install both the stable and the development versions of Bro.

Current Stable Version

The current version should be the most stable. To install, follow these commands:

root# cd /usr/local/src
/usr/local/src root# wget ftp://bro-ids.org/bro-1.5-release.tar.gz
/usr/local/src root# tar xzf bro-1.5-release.tar.gz
/usr/local/src root# cd bro-1.5.1

The configuration and installations appears below.

Subversion Trunk

Reading the posts on the Bro mailing list, reveals that modifications have already been made to the current release. Fixes are being made continuously. These changes, while fixing problems, might introduce new problems. You do have the option of getting the most up-to-date code possible through the subversion repository. The Bro development team has made available two subparts of the repository: the trunk and development branches. The trunk is the main development head from which releases are made on a regular basis. It should be fairly stable with changes passing a regression suite to ensure the code do not break existing functionality. It is still considered experimental and not suitable for critical deployment. Below is how to download code from the trunk.

root# cd /usr/local/src
/usr/local/src root# mkdir bro-cvs
/usr/local/src/bro-cvs root# cd bro-cvs
/usr/local/src/bro-cvs root# svn checkout http://svn.icir.org/bro/trunk/bro
/usr/local/src/bro-cvs root# mv bro bro-1.5.1.cvs
/usr/local/src/bro-cvs root# cd bro-1.5.1.cvs
/usr/local/src/bro-cvs/bro-1.5.1.cvs root# ./autogen.sh

Robin’s Development Branch

The developers merge their work into the the Bro subversion trunk. Robin Sommer has a separate branch which contains experimental code for:

• the Bro Cluster framework
• NetFlow support (by Bernhard Ager)
• a BitTorrent analyzer (by Nadi Sarrar and Bernhard Ager)
• an XML analyzer (by Tobias Kiesling)
• Python bindings for Broccoli
• restructured logic for taking drop decisions via Bro’s notice framework (by Brian Tierney and Robin Sommer)
• a test-suite for Bro’s communication & serialization subsystems
• various tweaks and bugfixes

If you want the latest work done by Robin and others mentioned above, you can get access to the code with the following commands.

root# cd /usr/local/src
/usr/local/src root# mkdir bro-cvs
/usr/local/src root# cd bro-cvs
/usr/local/src/bro-cvs root# svn checkout http://svn.icir.org/bro/branches/robin/work
/usr/local/src/bro-cvs root# mv work bro-1.5.1.robin
/usr/local/src/bro-cvs root# cd bro-1.5.1.robin
/usr/local/src/bro-cvs/bro-1.5.1.robin root# ./autogen.sh

Configure and Install

Because of the various bug fixes and the additional features which add interesting options, we are going to step through installation of Robin’s branch. Please use the version of Bro appropriate for your operation.

root# cd /usr/local/src/bro-cvs/bro-1.5.1.robin
/usr/local/src/bro-cvs/bro-1.5.1.robin root# CFLAGS="-D_LARGEFILE_SOURCE \
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" LDFLAGS="-lpfring -lpcap" \
LD_LIBRARY_PATH="/usr/lib:/usr/local/lib" ./configure --prefix=/usr/local/bro  \
--enable-debug --enable-perftools
/usr/local/src/bro-cvs/bro-1.5.1.robin root# make
/usr/local/src/bro-cvs/bro-1.5.1.robin root# make check
/usr/local/src/bro-cvs/bro-1.5.1.robin root# make install

If you run into any problems, go to back to the stable version of Bro and see if you can get it to compile. Then you may want to try the subversion trunk code.

Snort Setup

We will be following the direction posted previously in “Blacklisting with Snort″ [17]. Below we will get the software, verify, configure, and install the software under the /usr/local/snort area. Please adjust this to your environment. Reminder to Mac OS X and FreeBSD users, use the md5 command instead of md5sum.

 root# cd /usr/local/src
/usr/local/src root# wget wget http://www.snort.org/downloads/116 -O snort-2.8.6.1.tar.gz
/usr/local/src root# wget http://www.snort.org/downloads/116/show_md5
/usr/local/src root# cat show_md5
“b1119396a32e9df0d80404e4b6c49166”
/usr/local/src root# md5sum snort-2.8.6.1.tar.gz
b1119396a32e9df0d80404e4b6c49166  snort-2.8.6.1.tar.gz
/usr/local/src root# tar xzf snort-2.8.6.1.tar.gz
/usr/local/src root# cd snort-2.8.6.1

We are going to add in support to place alerts into a MySQL database. If MYSQL is installed on the system, you can use the “–with-mysql” configuration option to specify where. In a previous post, “Introduction to MySQL,” we went through the installation of MySQL into the /usr/local/mysql directory. For such an installation, the –with-mysql-includes=/usr/local/mysql/include and –with-mysql-libraries=/usr/local/mysql/lib command options must be used. In order to use the dynamic plugin libraries, Snort needs to be able to find libmysqlclient.so. On some operating systems, you may have problems. Adding LDFLAGS=”-L/usr/local/mysql/lib/mysql” should work.

You may want to consider configuring Snort to allow decoder and preprocessor rule eventing. This allows you to enable and disable decoder and preprocessor events on a rule by rule bases. It also allow you to specify the rule type or action of a decoder or preprocessor event on a rule by rule basis. Enable this configuration option with the configuration option using –enable-decoder-preprocessor-rules.

We will also be adding in large file support. If you had to install libdnet in a special location, you will need to specify that location with the “–with-dnet-includes=” and “–with-dnet-libraries=” configuration options.

We will configure Snort with the following command:

/usr/local/src/snort-2.8.6.1 root# CFLAGS="-D_LARGEFILE_SOURCE \
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" LDFLAGS="-lpfring -lpcap" \
 LD_LIBRARY_PATH="/usr/lib:/usr/local/lib" \
./configure --prefix=/usr/local/snort --with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib \
--with-libpcre-includes=/usr/local/pcre/include \
--with-libpcre-libraries=/usr/local/pcre/lib \
--with-mysql-includes=/usr/local/mysql/include \
--with-mysql-libraries=/usr/local/mysql/lib \
--enable-decoder-preprocessor-rules --enable-zlib

Check config.log if you had any problems or just want to make sure Snort configured everything correctly. After you configure Snort, you continue to make and install it.

/usr/local/src/snort-2.8.6.1 root# make
/usr/local/src/snort-2.8.6.1 root# make check
/usr/local/src/snort-2.8.6.1 root# make install
/usr/local/src/snort-2.8.6.1 root# mkdir -p /usr/local/snort/etc
/usr/local/src/snort-2.8.6.1 root# cp etc/* /usr/local/snort/etc
/usr/local/src/snort-2.8.6.1 root# mkdir -p /usr/local/snort/preproc_rules
/usr/local/src/snort-2.8.6.1 root# cp preproc_rules/*.rules /usr/local/snort/preproc_rules
/usr/local/src/snort-2.8.6.1 root# /usr/local/snort/bin/snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.8.6.1 (Build 39)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25

Rules

Now we need some rules. For this example we will get the rules from the Snort and the Emerging Threats site. You will need to register for the rules at the Snort site. Do consider subscribing for the latest up-to-date rules. Registered users can only access rules 30 days after their release.

 root# cd /usr/local/snort/rules
/usr/local/snort/rules root# wget http://www.emergingthreats.net/rules/emerging-all.rules
/usr/local/snort/rules root# cd /usr/local/src
/usr/local/src root# wget \
https://www.snort.org/downloads/83 \
-O snortrules-snapshot-CURRENT.tar.gz
/usr/local/src root# md5sum snortrules-snapshot-CURRENT.tar.gz
/usr/local/src root# mv snortrules-snapshot-CURRENT.tar.gz /usr/local/snort/
/usr/local/src root# cd /usr/local/snort/
/usr/local/snort root# tar xzf snortrules-snapshot-CURRENT.tar.gz
/usr/local/snort root# rm snortrules-snapshot-CURRENT.tar.gz
/usr/local/snort root# vi /usr/local/snort/etc/snort.conf

Modify /usr/local/snort/etc/snort.conf to your environment. Make sure the RULE_PATH is set to /usr/local/snort/rules. If you configured Snort to enable decoder and preprocessor rules, you will need to add a line specifying the location of those files. Define PREPROC_RULE_PATH with the line:

 var PREPROC_RULE_PATH ../preproc_rules

Later in the snort.conf file include the lines (before other rule lists are included):

 include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

If you wish to use the emerging threat rules, add:

 include $RULE_PATH/emerging-all.rules

in the /usr/local/snort/etc/snort.conf file. Do not forget to adjust dynamicpreprocessor file and dynamicengine path. Mac OS X users will need to use the dynamic libraries. Uncomment the Mac OS X lines in the Snort configuration file.

Dumbpig

Leon Ward has released a Perl program, Dumbpig, which will check Snort rules for badly formatted entries and incorrect usage. He has even added blacklist support (see posting “ET RBN Blacklists with Snort and DumbPig“). To pull down dumbpig.pl, the required Perl modules, and run it against the Emerging Threats rule set:

 root# cd /home/snort/perl
/home/snort/perl root# wget http://dumbpig.googlecode.com/files/dumbpig-0.9.tgz
/home/snort/perl root# tar xzf dumbpig-0.9.tgz
/home/snort/perl root# chmod u+x ./dumbpig.pl
/home/snort/perl root# cpan -e "Parse::Snort"
/home/snort/perl root# cpan -e "LWP::Simple"
/home/snort/perl root# ./dumbpig.pl -r /usr/local/snort/rules/emerging-all.rules
DumbPig version 0.9 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets

        __,,    ( Dumb-pig says     )
      ~(  oo ---( "ur rulz r not so )
        ''''    ( gud akshuly" *    )

Config
----------------------
* Sensivity level - 3/3
* Blacklist outputi : Disabled
* Processing File - /home/snort/rules//emerging-all.rules
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
Issue 1
1 Problem(s) found with rule on line 59 of /home/snort/rules//emerging-all.rules

alert tcp $HOME_NET any -> \
[75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS  ( \
  msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; \
  flow:to_server; \
  classtype:trojan-activity; \
  reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; \
  reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; \
  threshold:type both, count 5, seconds 60, track by_src; \
  reference:url,doc.emergingthreats.net/bin/view/Main/2008803; \
  reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; \
  sid:2008803; \
  rev:3; \
)
- TCP/UDP rule with no deep packet checks? This rule looks more suited to a firewall or blacklist
alert tcp $HOME_NET any ->
[75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_
EVENTS Possible Downadup/Conficker-A Infection Checking Geographical
Location"; flow:to_server; classtype:trojan-activity;
reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml;
threshold:type both, count 5, seconds 60, track by_src;
reference:url,doc.emergingthreats.net/bin/view/Main/2008803;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker;
sid:2008803; rev:3;)

Suricata Setup

The Open Information Security Foundation ( OISF) developed Suricata to be on the leading edge in IDS/IPS software. It is very much still in development. Is that not what makes it so interesting? Before you begin, be aware of some known issues. Check out the development roadmap for upcoming scheduled releases. If you run into problems, see if it is a known issue and share your experiences with the community of developers. That is the best way to make sure Suricata improves.

With required and options software on the system, installing Suricata is pretty straight forward. Pull down the source, configure, compile, and install.

 root# cd /usr/local/src
/usr/local/src root# wget  http://www.openinfosecfoundation.org/download/suricata-1.0.1.tar.gz
/usr/local/src root# wget http://www.openinfosecfoundation.org/download/suricata-1.0.1.tar.gz.sig
/usr/local/src root# wget http://www.openinfosecfoundation.org/download/OISF.asc
/usr/local/src root# gpg --import OISF.asc
/usr/local/src root# gpg --verify suricata-1.0.1.tar.gz.sig suricata-1.0.1.tar.gz
gpg: Signature made Thu 29 Jul 2010 02:34:58 PM EDT using RSA key ID 051CC261
gpg: Good signature from "OISF "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3332 6BF5 5751 35CC 24F5  D2AF A30C 431D 051C C261
/usr/local/src root#  tar xzf suricata-1.0.1.tar.gz
/usr/local/src root# cd suricata-1.0.1
/usr/local/src/suricata-1.0.1 root# mkdir /usr/local/suricata
/usr/local/src/suricata-1.0.1 root#  LD_RUN_PATH="/usr/lib:/usr/local/lib" \
./configure --enable-pfring --with-libpfring-libraries=/usr/local/lib \
--with-libpfring-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib \
--with-libpcap-includes=/usr/local/include --enable-nfqueue--enable-unittests \
--enable-unified-native-timeval  --enable-profiling  --prefix=/usr/local/suricata
/usr/local/src/suricata-1.0.1 root# make
/usr/local/src/suricata-1.0.1 root# make check
/usr/local/src/suricata-1.0.1 root# make install
/usr/local/src/suricata-1.0.1 root# mkdir /usr/local/suricata/log
/usr/local/src/suricata-1.0.1 root# mkdir /usr/locall/suricata/etc
/usr/local/src/suricata-1.0.1 root# cp classification.config suricata.yaml /usr/local/suricata/etc
/usr/local/src/suricata-1.0.1 root# mkdir /usr/local/suricata/rules
/usr/local/src/suricata-1.0.1 root# cd /usr/local/suricata/rules
/usr/local/suricata/rules root# wget http://www.emergingthreats.net/rules/emerging-attack_response.rules
/usr/local/suricata/rules root# wget http://www.emergingthreats.net/rules/emerging-scan.rules
/usr/local/suricata/rules root# wget http://www.emergingthreats.net/rules/emerging-exploit.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-current_events.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-voip.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-malware.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-dos.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-drop.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-compromised.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-dshield.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-botcc.rules
/usr/local/suricata/rules root#wget http://www.emergingthreats.net/rules/emerging-rbn.rules
/usr/local/suricata/rules root# wget http://www.emergingthreats.net/rules/emerging-virus.rules
/usr/local/suricata/rules root# vi /usr/loca/suricata/etc/suricata.yaml

Modify suricata.yaml to reflect your environment. At this point, you can run Suricata with the command:

root# /usr/local/suricata/bin/suricata -c /usr/local/suricata/etc/suricata.yaml \
-s /usr/local/suricata/etc/classification.config -i eth0

To Be Continued…

Henry J. Kaiser, the father of modern American shipbuilding, once said, “Live daringly, boldly, fearlessly. Taste the relish to be found in competition – in having put forth the best within you” [9] Hopefully Jonkman, Julien, Roesch, and Olney Roesch will relish their competition and the community will enjoy the fruits of their efforts. One powerful benefit of open source is that it allows organizations the flexibility to pull down the source and setup the software in their own environment. One can easily try the packages out and become familiar with the benefits of the different IDS/IPS engines. The more you know, the better you will be at defending your organization.

Setting up the three IDS/IPS engines is only the first step. In later posts, we will continue by examining the configuration and output from Bro, Snort, and Suricata. This should help the reader understand the features each might offer an organization. Bro, Snort, and Suricata are just tools. While they will have different features, it is the person who yields the tool that determines its effectiveness. Determine for yourself what works best. Even if you have a single development box, you can setup and test against small subsets of your own network traffic. Visit Wireshark’s Sample capture page for links to pcap files and additional sources. There is also the OpenPacket’s Capture Repository, which provides the security community the capability to comment and vote on submitted pcap files. Give the IDS/IPS engines a test ride and please feel free to share your experiences.

Links

[1] Marc Ambinder, August 13th 2010, “Pentagon Wants to Secure Dot-Com Domains of Contractors,” http://www.theatlantic.com/politics/archive/2010/08/pentagon-wants-to-secure-dot-com-domains-of-contractors/61456/.
[2] John Gerber, January 5th 2010, “Suricata: A Next Generation IDS/IPS Engine,” http://blog.securitymonks.com/2010/01/05/suricata-a-next-generation-idsips-engine/.
[3] John Gerber, October 29th 2008, “Installing Bro IDS 1.4,” http://blog.securitymonks.com/2008/10/28/installing-bro-ids-14/.
[4] John Gerber, October 20th 2008, “Snort 3: The Next Generation,” http://blog.securitymonks.com/2008/10/20/snort-3-the-next-generation/.
[5] John Gerber, August 9th, 2008, “IDS/IPS: The Mark Twain of the Security World,” http://blog.securitymonks.com/2008/08/09/idsips-the-mark-twain-of-the-security-world/.
[6] John Gerber, June 17th, 2007, “IDS,” http://blog.securitymonks.com/2007/06/17/ids/.
[7] Jaikumar Vijayan, July 20th 2010, “DHS, vendors unveil open source intrusion detection engine,” http://www.computerworld.com/s/article/9179436/DHS_vendors_unveil_open_source_intrusion_detection_engine.
[8] Ellen Messmer, July 20th 2010, “Is open source Snort dead? Depends who you ask ,” http://www.networkworld.com/news/2010/072010-is-snort-dead.html?page=1.
[9] “Wikiquote: Henry J. Kaiser,” http://wapedia.mobi/enwikiquote/Henry_J._Kaiser.
[10] Matt Olney, July 20th 2010, “Innovation — You Keep Using That Word…,” http://vrt-sourcefire.blogspot.com/2010/07/innovation-you-keep-using-that-word.html.
[11] “Razorback”, http://sourceforge.net/projects/razorbacktm/files/.
[12] “Next Generation Open-Source IDS to Address Issues Facing Network Security Industry,” July 19th 2010, http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20100719005970&newsLang=en.
[13] Russ McRee, August 3rd 2010, “Suricata in toolsmith: meet the meerkat,” http://holisticinfosec.blogspot.com/2010/08/suricata-in-toolsmith-meet-meerkat.html.
[14] Victor Julien, July 22nd 2010, “On Suricata performance,” http://www.inliniac.net/blog/2010/07/22/on-suricata-performance.html.
[15] “Bro Features and Benefits,” June 28th 2010, http://www.bro-ids.org/Features.html.
[16] “Snort 2.9.0 Beta,” June 6th 2010, https://s3.amazonaws.com/snort.org/snort-beta/20100727/release_notes_290_beta.txt?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1282246315&Signature=jchbdD6d3G0ncaqOkrQAps6ZV5M%3D.
[17] John Gerber, July 19th 2009, “Blacklisting with Snort,” http://blog.securitymonks.com/2009/07/19/blacklisting-with-snort/.
[18] Russ McRee, August 2010, “Suricata: An Introduction,” http://holisticinfosec.org/toolsmith/pdf/august2010.pdf
[19] “Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection,” Proceedings of the 15th conference on USENIX Security Symposium – Volume 15, 2006, http://www.icir.org/robin/papers/usenix06.pdf.
[20] Seth Hall, August 6th 2010, Github Social Coding, “http://github.com/sethhall/bro_scripts/blob/master/http-ext.bro.
[21] Seth Hall, August 6th 2010, Github Social Coding,http://github.com/sethhall/bro_scripts/blob/master/http-ext.bro#L64.
[22] Gunjan Bansal, June 16th 2010, “Installation Guide for PF_RING,” http://gunjan-bansal.blogspot.com/2010/06/installation-guide-for-pfring.html.
[23] Luca Deri and Francesco Fusco, January 30th 2010, “Exploiting Commodity Multi-core Systems for Network Traffic Analysis,” http://luca.ntop.org/MulticorePacketCapture.pdf.

[24] Mathew Olney and Matthew Watchinski, “Implementing Resource Intensive Detection Techniques With the Razorback Framework,” http://iweb.dl.sourceforge.net/project/razorbacktm/Whitepapers/razorback-whitepaper-0.1.pdf.
[25] Patrick Mullen and Ryan Pentney, Defcon Razorback Presentation, “https://www.defcon.org/images/defcon-18/dc-18-presentations/Mullen-Pentney/DEFCON-18-Mullen-Pentney-Razorback.pdf.
[26] Robin Sommer, August 24th 2010, The ICSI Networking Group Blog, “Major NSF Funding for Bro Development,” http://blog.icir.org/2010/08/major-nsf-funding-for-bro-development.html.

1. Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic. The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.
2. Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cybersecurity capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks. The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.
3. Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies practices of protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.
4. Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cybersecurity for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
5. Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
6. Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
7. Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
8. Requiring the Office of Personnel Management to reform the way cybersecurity personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cybersecurity effort and protect its own networks.

The Committee will hold a hearing on the legislation June 15, 2010.

Background

There has been a great deal of activity since I posted “FISMA: Paperwork Or Actual Security?” The House passed on a 229 to 186 roll call vote the 2011 Defense Authorization spending bill that includes measures to upgrade the Federal Information Security Management Act (FISMA). The authorization bill now faces reconciliation with the Senate version. The Senate version has yet to be considered on the Senate floor but did pass through the Senate Armed Services Committee. The House action put pressure on the Senate to act.

Action came from the US Senate Committee on Homeland Security and Governmental Affairs, who’s chairman is Senator Joe Lieberman (ID-Conn.), an original cosponsor of the bill. Lieberman had been talking about a comprehensive cybersecurity reform bill that would incorporate much of the language in the United States Information and Communications Act (S. 921) with the FISMA reform legislation introduced in April 2009 by Senator Thomas R. Carper (D.-Del). Many provisions of Carper’s bill mirror provisions in included in the House bill. Carper was pressing to include:

1. standardize Inspector Generals’ information security audits;
2. create a Chief Information Security Officer Council to establish information security best practices and guidelines, while strengthening the role of Chief Information Security Officers;
3. allow the Department of Homeland Security to conduct “red team” penetration tests against civilian agencies;
4. allow Congress to measure the effectiveness of agencies’ information security plans and procedures.

Lieberman wanted Senator Susan Collins (R-Maine), the ranking Republican on the Homeland Security panel, named on the bill. The problem was that Collins is on record opposing the top cybersecurity official in government being housed in the White House, believing the official should be quartered in the Department of Homeland Security. It looks like Lieberman and Collins were able to come to an agreement and move forward on the bill.

Thoughts

If you are interested in learning more and keeping up with FISMA, you will find Dan Philpott (twitter danphilpott) site FISMApedia interesting. It describes itself as “a collection of documents and discussions focused on Federal IT security. This site is a database of current guidance, laws and directives on how the Federal government secures its IT assets.” Philpott also posts to the Guerilla CISO.

Federal CIO Vivek Kundra, writing on the Chief Information Officers Council Blog concerning the new FISMA states “In the past, Federal agencies spent enormous time and money creating the old paper-based reports. The State Department alone, in the past six years, spent $133 million amassing 95,000 pages of security documentation for about 150 major IT systems. This works out to roughly $1,400 per page in reports that were often outdated days within being published.” Kundra goes on to state, “As we move away from the old-style reports and into a more real-time system of security data feeds, we are implementing solutions that actually help to protect the country rather than simply generate paperwork.”

For intelligent comments on FISMA, let us turn to a few folks who eat, sleep, and breathe FISMA. Michael Smith, aka rybolov, is the creator of the Guerilla CISO blog. Concerning the $1,400 per page cost, Smith in his post “A Funny Thing Happened Last Week on Capital Hill,” writes “If you buy into the State Department’s cost of $1400 per sheet, you’re absolutely daft.” Smith goes on to point out, “The cost of a security program divided by the total number of sheets of paper is probably right. In fact, if you do the security bits right, your cost per sheet will go up considerably because you’re doing much more security work while the volume of paperwork is reduced.”

Concerning allocating money towards red teams, Smith makes the point, “Do we really need penetration testing to prove that we have problems? In Mike Smith’s world, we’re just not there yet, and proving that we’re not there is just an excuse to throw the InfoSec practitioners under the bus when they’re not the people who created the situation in the first place.” Nicely put.

Smith’s recommendations to fix FISMA:

1. You have to start with workforce management. This has been addressed numerous times and has a couple of different manifestations: DoDI 8570.10, contract clauses for levels of experience, role-based training, etc. Until you have an adequate supply of clueful people to match the
   demand, you will continue to get subpar performance.
2. More testing will not help, it’s about execution. In the current culture, we believe that the more testing we do, the more likely the people being tested will be able to execute. This is highly wrong and I’ve commented on it before. I think that if it was really a fact of people being lazy or fraudulent then we would have fixed it by now. My theory is that the problem is that we have too many wonks who know the law but not the tech and not enough techs that know the law. In order to do the job, you need both. This is also where I deviate from the SANS/20 Critical Security Controls approach and the IGs that love it.
3. Fix Plans of Actions and Milestones. These are supposed to be long-term/strategic problems, not the short-term/tactical application of patches–the tactical stuff should be automated. The reasoning is that you use these plans for budget requests for the following years.
4. Fix the budget train. Right now the people with the budget (programs) are not the people running the IT and the security of it
   (CIO/CISO). I don’t know if the answer here is a larger dedicated budget for CISO’s staff or a larger “CISO Tax” on all program budgets. I could really policy-geek out on you here, just take my word for it that the people with the money are not the people protecting information and until you account for that, you will always have a problem.

More recently, Smith posted “How to Not Let FISMA Become a Paperwork Exercise” where he addresses and comments on the key criticisms of FISMA:

• Reduce paperwork requirements. Yes, some is needed.  Most is not.
• Reduce cost. There is much repetition in what we’re doing now, it borders on fraud, waste, and abuse.
• Increase technical effectiveness. IE, get from the procedural and managerial tasks and get down into the technical parts of security.

Smith offers advice on “how do you keep from letting FISMA cripple you or turn into death-by-compliance.” Go to the post and read his advice.

Off the same site Joe Faraone, aka Vlad, gives his take in the post “Machines Don’t Cause Risk, People Do!“. He disagrees with Alan Paller, director of research for SANS, when he writes, “At the risk of bashing Alan Paller yet again, I am often turned off by the approach of ‘being able to know the status of every machine at every minute,’ – as if machines by themselves cause bad security… It’s way too tactical (incorrect IMHO) and too easy to make that claim.” Faraone goes on to make the point, “Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view. Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration.”

Paller has been very vocal in his opinion against FISMA. He is frequently quoted (ex: “Sans founder slams ‘terribly damaging’ US cybersecurity law“). Paller has told the the House Committee on Oversight and Government Reform’s Subcommittee on Government Management, Organization and Procurement that FISMA, as it has been implemented and enforced until now has been more detrimental than helpful to government IT security.

FISMA was needed to get government moving in a security focus direction. Philpott in his post “The 10 CAG-egorically Wrong Ways to Introduce Standards” makes the point “Speaking as someone who scrambled to secure Federal systems before FISMA and NIST’s extensive guidance, having that documentation greatly improves my ability to efficiently and effectively secure systems.”

Statements painting FISMA as worthless, or detrimental, might grab headlines but are not real helpful. Nor are statements by Paller like, “US House of Representatives attaches new FISMA rewrite to Defense Authorization Bill. The press hasn’t picked it up yet, but NextGov.Com will have a story in a few minutes. This puts one more nail in the coffin of the Federal CISOs and security contractors who think they can go on ignoring OMB and go on wasting money on out of date report writing contracts.” Faraone calls Paller on this statement in the post, “When the News Breaks, We Fix It.”

Richard Bejtlich in this post “Thoughts on New OMB FISMA Memo” adds his opinion on FISMA reform when he writes “Long-time blog readers should know I’ve been writing about FISMA for five years, calling it a ‘joke,’ a ‘jobs program for so-called security companies without the technical skills to operationally defend systems,’ and other kind words. Any departure from the previous implementation is a welcome change.”

OMB issued “FY 2010 Reporting Instructions for the Federal Information Security” (M-10-15 ) on April 21, 2010. It identifies a three-tiered reporting approach which includes:

1. Data feeds directly from security management tools
2. Government-wide benchmarking on security posture
3. Agency-specific interviews

Bejtlich analyzes what is really changing for FISMA implementation and concludes, “It’s probably going to take .gov-savvy lawyer to really explain what these points mean, but private enterprise working with government data should probably take a close look at these new FISMA developments.”

Other Important Legislation

With more than 35 cybersecurity-related measures before Congress right now, take some time to review the presentation “Cybersecurity: The U.S. Legislative Agenda” by Melissa E. Hathaway, former acting senior director of cyberspace for the Obama administration who now runs Hathaway Global Strategies and has advisory roles at several IT companies. You might remember Hathaway from her work on the “Cyberspace Policy Review,” which was the result of a 60-day, comprehensive, “clean-slate” directed by the President to review and assess U.S. policies and structures for cybersecurity. To quote Hathaway concerning the nine key legislation to watch:

• Data Breach Legislation (S. 139): It will normalize the 46 State Data breach laws into one national umbrella. It may be expanded to include more than Personal Identifiable Information (PII). One issue with this bill is that it would consolidate all reporting to the US Secret Service, which is not helpful for broader information sharing with industry or across government.
• Data Accountability and Trust Act (H.R. 2221): It was voted out of the House of Representatives in early December 2009. It requires the ISPs to make victims aware of infection if seeing breach across network. I
  believe the Comcast Denver, CO pilot program could be anticipatory market movement associated with this bill (to better understand costs). It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone. As you may know, Germany just passed a law requiring their ISPs to inform their citizens/consumers if they have been infected.
• International Cybercrime Reporting and Cooperation Act (S. 1438 and H.R. 4692): This bill was introduced by Sen Gillibrand, and co-sponsored by Sen Hatch, which will give it strength in the Judiciary Committee. The bill requires the President to produce an annual report to Congress providing an assessment of every country’s level of ICT utilization and development; assesses how each country’s legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated 5 years of “bad behavior”. This Bill and any hearing around it will certainly draw attention to the recent Google/PRC debacle. It has a sister bill in the House of Representatives, H.R. 4692 mirrors the areas of focus. **Note Sen Kerry and Sen. Gillibrand have also introduced S. 3193 (International Cyberspace and Cybersecurity Coordination Act of 2010) to authorize the creation of a senior coordinator at the State Department, with the rank and status of Ambassador at Large.
• Cybersecurity Enhancement Act (H.R. 4061): It passed the House of Representatives in February (2/2/10). In addition to providing additional responsibility to NIST, it creates an office for a national coordinator for
  the networking and information technology research and development program to improve cybersecurity research and development and coordination between the federal government, academia and private sector. The NITRD office (within the Office of Science and Technology Policy) already coordinates all of the Cyber R&D which for this year is well over $4B. While this is non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, its not clear how the new office will interact with the current OSTP responsibilities.
• FISMA II (S. 921): It updates FISMA I from compliance driven (check-list) to measures that are performance based. It uses the State Department’s Risk Scoring tool which measures its systems on a continuous basis against known vulnerabilities and offers meaningful feedback in the form of actionable remediation techniques to the operators and high level feedback to senior managers to ensure accountability is one example that could serve as a model for the rest of government. It also affords the department and agency chief information security officer the focus and attention it need and deserve. Finally, it is possible that FISMA II will address procurement reform.
• Intelligence Authorization Act (H.R. 2071): It strengthens and enhances America’s intelligence capabilities, and improves congressional oversight of our intelligence agencies. It provides our intelligence community
  with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts, and more effectively prevent the spread of weapons of mass destruction. Contains multiple Congressionally Directed Actions for CNCI.
• Cybersecurity Act of 2009 (S. 773): The bill combines audits, industry-developed and government-backed standards, increased information-sharing, and other mechanisms to bolster private sector cybersecurity. It
  establishes a Cybersecurity Advisory Panel (Presidential Level) and a National Clearinghouse for information sharing. Additionally, it extends the Scholarship for Service program (increases to 1000 scholarships) and increases the National Science Foundation’s budget for R&D.
• The Grid Reliability and Infrastructure Defense Act (H.R. 5026): The bill amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to mandate measures to protect against system “vulnerabilities” if it finds that the North American Electricity Reliability Corp. (“NERC) standards are insufficient. If passed, the legislation will provide a security framework for the Smart Grid.
• Energy and Water Appropriations Act 2010 (Law): It appropriates additional funds for Cybersecurity: $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.

Final Thoughts

The Committee will hold a hearing on the legislation next week, starting on June 15, 2010. Watch for analysis from the folks listed above. I am sure they will have interesting analysis as more details are released. This is going to be interesting.

Related Posts:

• FedRAMP and Recent Changes Prepare Feds for Cloud Adoption
• FISMA: Paperwork Or Actual Security?

Changes to FISMA

Last month the Obama administration announced new standards for agency reporting under FISMA as part of an effort to get agencies to shift from paper-based reports to real-time monitoring of systems. Vivek Kundra, the Federal Chief Information Officer, was interviewed by Federal News Radio in the post "OMB outlines shift on FISMA." Vivek expressed the vision that "What we need to do, when it comes to information security, is shift to a model across the federal government, with a focus that is much more of a real-time basis. And you'll see forthcoming, in terms of the FISMA reporting guidance, more centered on continuous performance monitoring and Cyberscope."

Ben Bain is reporting in the article, "NASA's new FISMA approach and what it means for you" that NASA’s Deputy Chief Information Officer for IT Security Jerry Davis is developing a new program for the security authorization process based on continuous monitoring, automated tools and reducing paperwork. NASA hopes to have it in place for fiscal 2011. “Security is still going to be done. Certification and accreditation will still be done, but the way we do it is going to change significantly and the frequency of it will change,” he said. “Instead of every three years, you’re really going to be doing it, in a sense, on like a weekly or monthly basis, you’re always going to be looking at those controls and adjusting them for changes."

Alan Paller, director of research at the SANS Institute is quoted on how the new approach will help to correct flaws in the original FISMA legislation, "It's a move toward being able to know the status of every machine at every minute. So that when something bad is coming at you, you know where you can target and where you can't so you can act quickly. It's a complete change from what we've had before. This started during the Clinton Administration, and it was the Senate that created it in the bill called GISRA, and then it became FISMA. It was an error made by people who didn't understand the threat, and the error was that you can manage fast-moving attacks with slow moving paper."

Joe Faraone, aka Vlad the Impaler, in his post "Machines Don’t Cause Risk, People Do!" warns that "continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view." Joe writes "Desiring to know everything about everything may seem to some to be a worthy goal, but may be beyond many organization’s budgets. *Everything* is a point in time snapshot, no matter how many snapshots you take or how frequently you take them. Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view. Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration."

Open Government and the Cloud

Effective security approaches being beyond many organization's budget might just be at the heart of the matter. Recall that Vivek Kundra statement that he sees two overarching trends now happening in computing:

1. The increasing use of mobile devices and the app ecosystems they support.
2. There's cloud computing, which can cut IT costs and drastically improve access to information.

With that in mind, it is not surprising that Nick Eaton reports in his post, "Obama's CIO ready to bring government tech up to speed" that the first two major tech initiative launched by the Obama administration consist of:

1. Data.gov, which is a depository for open government datasets that people can access to create applications, do scientific research and more. It launched with 47 datasets and it now includes more than 169,000. Since its launch in May 2009, New York, San Fransisco, Seattle and other local governments have launched similar services. Vivek has stated, that a big difference between public-sector and private-sector technology is that the commercial world is focused on front-end customer needs, whereas government IT is usually focused on the back end. Kundra wants to change that by creating accessible user interfaces to online government services, and as a result make "government cool again."
2. Apps.gov, which is hosted by the U.S. General Services Administration. It's a clearinghouse for hundreds of cloud-computing applications, both free and not, from mostly private vendors.

Cloud computing can be a solution that allow for continuous monitoring and a unified risk based approach across government agencies, all while reducing costs. A major stumbling block is achieving agencies compliance issues in respect to cloud vendors.

GSA Reissues RFQ

The GSA released the RFQ on its E-Buy mid-May asking for bids from IaaS providers on cloud storage services, virtual machines and cloud web hosting. Fed Cloud Blog interviewed Dave McClure, GSA’s Associate Administrator of Citizen Services and Communications, concerning the RFQ and the new contract. Dave discussed several of the differences:

We’re raising the security level to the moderate level. I think that’s where the public sector in general is headed — greater security in these cloud provisioning agreements. So, we’ve raised this up to the moderate level. I think that’s a significant improvement and difference from the prior RFQ. We also are making it much easier and clearer to map the industry offerings to the contract line items in this BPA instrument that we’re using. There was some confusion about whether specific services and prices for some of the industry offerings — how they’ve mapped to the contract line items in this BPA. We’ve gone back and actually cleaned that up and had conversations with industry on how that mapping process can work very effectively. So I think that will also create a much better instrument than what we had before. The third big difference is that things that are awarded off of this instrument will be candidates that will go into the FedRAMP centralized CNA approval process. I think that will make a difference, as well — knowing that your product or service will actually go through one CNA and then be usable across the entire government.

FedRAMP

This month FedRAMP was officially announced. Peter Mell, FedRAMP Program Manager, discusses the program in his presentation from last month. Peter explains FedRAMP is a government-wide initiative to provide joint authorizations and continuous security monitoring services. It provides a unified government-wide risk management and it will allow agencies to leverage FedRAMP authorizations (when applicable).

FedRAMP’s initial focus is on cloud computing with the program working with cloud vendors (currently Microsoft and Google are in pilot mode) to evaluate their overall security environment in relation to government security controls. The controls will be based on the new NIST security framework. There still will be some gaps between civilian, DoD and Intel agencies, so moving to cloud will still require some security work. The goal of FedRAMP is to create a unified risk management process that:

• increases security through focus assessment.
• eliminates duplication of effort and associated cost savings.
• enables rapid acquisition by leveraging pre-authorized solutions.
• provide agency vetted transparent security requirements and authorization packages.
• facilitates multi-agency use of shared systems.
• ensure integration with government-wide security efforts.

Peter states, "An advantage of this program is that [vendors] primary work with one security assessment and authorization body, or one risk management program, and they don't have to independently meet all of the security requirements of the many, many different agencies." In an interview with Eric Chabrow, Mell goes on to state, "Agencies, by leveraging FedRAMP authorization, will save a lot of money and enable rapid acquisition, but they're still in control. They get to choose whether or not they leverage it. They can choose if they want to do additional work to assure systems meet the security needs of their agency."

Mell believes the primary hurdle in securing the government adaption of cloud computing is the lack of government-wide authorization capabilities. Mell states:

Currently, with each federal agency independently doing risk management with these large outsourced systems in cloud computing you have got duplication of effort, but you have got incompatible policies being levied because the Federal Information Security Management Act is all about a framework by which agencies communicate or enforce their policies on a system. So you get 40 agencies together, enforcing their policies on a single system and the interception of those policies is likely not draftable. Likely, they will disagree on the finer points of server configuration, for example, and it just won't be possible and that is a source of great frustration for cloud vendors. It also means that acquisition is very slow, the lengthy compliance processes and then there is inconsistent application of these government-wide security programs.

To solve that, and I think this is common sense, I don't think we are doing anything unexpected or unusual here, it's certainly new, that the proposed solution is found within FedRAMP – the Federal Risk and Authorization Management Program. The idea is to create a government-wide, risk management program that has to be optionally used by the agencies. It provides joint authorization services and continuous monitoring services and again, I will stress that it is optional.

FedRAMP would perform assessment and authorization of these very large systems, these government-wide authorization then can be optionally leveraged by agencies so that they can adopt these services with a minimal of additional security effort required. FedRAMP would perform security, based on an agreed upon government-wide security baseline that agencies can leverage. That is what I mean by most of the work will be done because that baseline will have been assessed and authorized.

Agencies do have unique missions and risk tolerances and security needs, and so agencies are always welcome to do incremental additional security testing, require additional security controls to be implemented and so forth. But again, the idea is to complete the bulk of the work for the agencies; do it once and do it well and thereby reduce an enormous amount of duplication of effort and enable rapid acquisition by federal agencies, eliminate that concern of security requirements not being compatible when multiple agencies levied them on a particular resource pool cloud system. And lastly, ensure consistent application of federal government-wide security programs. The Trusted Internet Connection program or there is ITM, there is Einstein, and the list goes on

As to the question of authorization, Mell explains, "this fits perfectly within existing law, OMB policy, and even NIST security guidance. What we did do is in the new NIST risk management framework, in particular the NIST Special Publication 800-37, we added an Appendix s.6. That appendix talks about this notion of joint authorization being performed by the joint authorization board and then this concept of leveraged authorization where the agencies are leveraging the outcome of this joint authorization. We put the sort of foundational underpinnings of FedRAMP into the new NIST management framework. And by the way, FedRAMP is designed to follow that NIST risk management framework and focus a lot on that continuous monitoring aspect."

There are real issues that need to be worked out as FedRAMP develops. For example, Michael Smith in his post, “NIST Cloud Conference Recap” shares his personal experience with a certifier that said, “we don’t recognize common controls so even though you’re just a simple web application you have to justify every control even if it’s provided to you as infrastructure.” Michael goes on to list several pieces that he has not seen FedRAMP addressed yet (follow the link and read his blog). I will add two more:

1. Vendor Lock in: if a cloud provider is authorized at some point but later stops meeting the security controls causing authorization to be revoked, how do agencies switch cloud providers without cost and/or loss of service?
2. Contamination Containment: when classified material leaks into the cloud, how is that dealt with? It does happen. Current requirements are to have the drives pulled and destroyed. That is not possible under current cloud configuration where the data is spread over thousands of drives.

So, everything is not rainbows and unicorns. It never is in security. There are real challenges to be faced. It is great that a discussion is taking place and folks are working hard at addressing these issues.

Federal Cloud Adoption

This past week, a new Federal CIO Council report, "The State of Public Sector Cloud Computing" was released. The executive summary states, "As we move to the cloud, we must be vigilant in our efforts to ensure that the standards are in place for a cloud computing environment that provides for security of government information, protects the privacy of our citizens, and safeguards our national security interests. This report provides details regarding the National Institute of Standards and Technology’s efforts to facilitate and lead the development of standards for security, interoperability, and portability." Kevin Jackson in his post, "Vivek Kundra – State of Public Sector Cloud Computing" describes how the report "not only details Federal budget guidance issued to agencies to foster the adoption of cloud computing, but it also describes 30 illustrative case studies at the Federal, state and local government level."

Deniece Peterson in the post, "Security, Standards and Budget Initiatives to Spark Cloud Computing Adoption" discusses the NIST forum and workshop she attended (slides are available). Deniece describe the the morning session as including a panel of industry representatives from Intel, Microsoft, the Cloud Security Alliance, Amazon.com and the Center for Democracy and Technology. The panelists' wish list consisted of:

• Keep going with FedRAMP (security certification effort), but don't stop there.
• Develop standards in collaboration with both industry and international stakeholders
• Recognize that interoperability needs can vary case by case; no one size fits all
• Don't stifle innovation by setting standards too quickly; focus on building the framework
• ID management, access control and cryptographic key management are the main security issues surround cloud computing and can have a serious impact on scalability
• Push vendors to be more transparent about their security controls
• Traditional notions based on physical boundaries will need to change
• SLAs must include meaningful metrics for performance and security

"We want to be pragmatic, but aggressive," Kundra told the Washington crowd, noting that the government's consolidation of federal data centers and several other "game-changing approaches" will further fuel the move to the cloud. Andrew R Hickey in his article, "Federal CIO Says Cloud Standards Needed For Government Adoption" describes how NIST has also started the Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) initiative that will validate and communicate interim specifications to agencies in the areas of security, interoperability and data portability. "We're not trying to write cloud computing standards, but are trying to do some testing on reasonable system interfaces or specifications of systems and make the test results available so people can see something is absolutely possible because the the test results show it," NIST senior computing scientist Lee Badger said. NIST will also launch a publicly accessible Web portal to facilitate collaborative development of standards to support cloud computing requirements, Dawn Leaf, NIST senior executive for cloud computing, told attendees. Leaf expects the portal to be available sometime before the end of 2010. Currently, business use cases are now available on the CIO Web site.

Alex Howard reports that recovery.gov would be moving to Amazon's cloud. Earl Devaney, chairman of the recovery board, stated this move represents one of the "first bricks in the foundation that we're laying" throughout the federal government, in terms of cloud computing. Vivek would direct us to "look at the Department of Interior: The CIO is considering moving 80,000 emails to the cloud. Look at the investments made at GSA or a recent RFI [Request for Information] around email. Across federal government, you're seeing a number of agencies putting in a plan." J. Nicholas Hoover reports in his article "Gov 2.0: Google Readies Government Cloud" that customers Google already has for Google Apps are the city of Los Angeles and Lawrence Berkeley National Laboratory. In the federal sector, more than 100 federal agencies are already customers of Google's other products, including Google Earth, Google Maps, and Google Enterprise Search. Google Enterprise president, Dave Girouard reports "we have a lot of state and local interest, and, increasingly, with FISMA certification arriving soon, think we have an opportunity with the federal sector." Girouard said that in addressing the federal government's unique cybersecurity demands, the majority of Google's work thus far has centered around documenting, clarifying, and explaining Google's security rather than re-inventing or changing its security posture.

Final Thoughts

Mary Engelbreit, famous children's book illustrator, once wrote "If you don't like something change it; if you can't change it, change the way you think about it." Is the government making real challenges? If so, are these the kind of changes necessary to make cloud computing a reality in federal departments?

Lori MacVittie in her post, “Can the Cloud survive regulation?” points out that “we are just beginning to see the impact of what sharing and ‘international’ really means: an increasingly complex web of requirements and regulations. That may very well make the cloud a battle-zone unsuitable for any organizational use until the conflicts between security, regulations, reliability, and privacy are addressed.” Lori also considers that we might just “see the rise of regulated clouds; clouds within clouds specifically designed to meet the demanding needs of the myriad governmental and industry-specific privacy and data protection regulations. Regulated clouds set aside – at a premium of course – for those users and organizations who require a broader set of solutions to remain compliant even in the cloud.”

In the post “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)” Chris Hoff offers the opinion, “the only thing that will budge the needle on this issue is how agile those who craft the regulatory guidelines are or how you can clearly demonstrate why your compensating controls mitigate the risk of the provider of service if they cannot.” Chris goes on to state, “We need the regulators and examiners to keep pace with technology — as painful as that might be in the short term — to guarantee our success in the long term.” Chris also recommends organizations “manage compliance, don’t let it manage you.” Novell has done a very funny short video based on the blog (along with other entertaining short videos you will want to check out):

I do not agree with everything that is going on in government. I believe solutions will be found through trained security professionals. Security tools can be empowering but are not the end all solution. A monkey with a computer, even if it is a high performance computer, is no William Shakespeare. Adding more monkeys will not make any difference; it just creates a zoo. I do believe in the possibilities created with change, especially when you find yourself in a place where things are not working. You build upon the knowledge of your people utilizing what does work.

What gives me greatest hope is that the federal government seems to be listening to experts like Chris, Deniece, Joe, Lori, Michael, etc. and making a solid effort to create an environment where it can foster the adoption of cloud computing. These are not just cosmetic changes focused on how we think about computing, but real changes in how we will operate. For those who like the challenges brought on by change, it is an exciting time to be in security.

Related Posts:

• OMB Says Bring on the Clouds: Frightening or Funny?
• Standardization and Interoperability in Security
• Modeling Security into the Clouds
• Recent Cloud Postings
• Provenance and Trust

In today’s work environment there is a need to show changes, potential risks, improved performance, etc. in all areas of the company’s operations. Security professionals need to be prepared to answer the basic question, “why should the CIO or CEO care about security?” CSO Online has a great quote from the post, “From the CIO: Why You Didn’t Get the CISO Job” that challenges us to consider our views when it comes to security. The post states, “laser focus on your speciality is great in middle management. It’s what we want. One of the really hard things about jumping from management to executive is a focus on the whole of the business. It’s a rare person who manages it quickly or easily.” That is basically the problem with metrics. It is a battle between generalization to the point of uselessness and details to the point of not being understandable or collectible. At the end of the day, something needs to be done because the security industry is currently leaving upper management in the position of not understanding what is going on within their business. That is a risk that not acceptable.

Andrew’s article discusses what kind of security metrics should be used. Additional sources of information on security metrics can be found in a previous post entitled “Security Metrics.” The post provides links to wonderful sources on security metric information. You might also want to take a look at the CIS Consensus Security Metrics v1.0.0 guide, NIST Special Publication (SP) 800-55 Rev 1 “Security Metrics Guide for Information Technology Systems”, NIST IR-7564 “Directions in Security Metrics Research”, “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance,” and “Metrics, measures & Myths.” Once you have start gathering metrics, you will want to present them in an easy to understand format. This is where Google Visualization can help.

Today’s post walks through an example using the data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) database. The purpose is to provide a working example from which you can learn and apply to the various metrics gathered at your organization.

Data Source

A previous post, “Standardization and Interoperability in Security,” discussed how the Security Content Automation Protocol (SCAP) is an attempt to help defenders by providing a collection of XML schemas/standards that allow technical security information to be exchanged between tools. SCAP components consists of:

• Common Configuration Enumeration (CCE): provide unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
• Common Platform Enumeration (CPE): a structured naming scheme for information technology systems, platforms, and packages.
• Common Vulnerability Enumeration (CVE): a dictionary of publicly known information security vulnerabilities and exposures.
• Common Vulnerability Scoring System (CVSS): a vulnerability scoring system designed to provide an open and standardized method of rating IT vulnerabilities. NIST has even provided a calculator for creating CVSS vulnerability severity scores.
• eXtensible Checklist Configuration Description Format (XCCDF): a specification language for writing security checklists, benchmarks, and related kinds of documents. NIST has released the NIST Interagency Report 7275 Revision 3 “Specification for Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4.”
• Open Vulnerability Assessment Language (OVAL): an information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across security tools and services.

We are going to make use of the data from NVD/CVE XML feed with the Common Vulnerability Scoring System (CVSS) mappings (version 2.0). NIST documentation states:

CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one’s systems.

NVD provides CVSS ‘base scores‘ representing the innate characteristics of each vulnerability. ‘Temporal scores,’ which change over time due to events external to the vulnerability, are not provided though NVD does provide a CVSS score calculator. This allows an organization to add temporal data and even factor in ‘environmental scores‘ customized to reflect the impact of the vulnerability on the organization. Please refer to the CVSS standards guide and the OWASP Risk Rating Methodology concerning factors involved in estimating the severity of risks to your business.

NVD CVE XML Schema

For our example, we will be using the data feeds nvdcve-2.0-2010.xml and nvdcve-2.0-2009.xml. Examining the CVE XML 2.0 Schema, we are particularly interested in certain vulnerability and CVSS scoring information. For example, for CVE-2010-1228, we will parse and pull the following kind of information:

<entry id="CVE-2010-1228">
  <vuln:cve-id>CVE-2010-1228</vuln:cve-id>
  <vuln:published-datetime>2010-04-01T18:30:00.453-04:00
  </vuln:published-datetime>
  <vuln:last-modified-datetime>2010-04-05T00:00:00.000-04:00
  </vuln:last-modified-datetime>
  <vuln:cvss>
    <cvss:base_metrics>
      <cvss:score>10.0</cvss:score>
      <cvss:access-vector>NETWORK</cvss:access-vector>
      <cvss:access-complexity>LOW</cvss:access-complexity>
      <cvss:authentication>NONE</cvss:authentication>
      <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
      <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
      <cvss:availability-impact>COMPLETE</cvss:availability-impact>
      <cvss:source>http://nvd.nist.gov</cvss:source>
    </cvss:base_metrics>
  </vuln:cvss>
</entry>

Using Perl to Retrieve the CVE File

Initially we will read the nvdcve-2.0-2010.xml and nvdcve-2.0-2009.xml files. If we start retrieving the file regularly, we would want to change this to nvdcve-2.0-recent.xml. Of course, previous years can also be read in to provide a longer perspective on vulnerabilities. A simple example of a Perl subroutine to read the NVD CVE file and save it locally would be:

sub readpage {
   my($url,$nvd_file) = @_;
   my($proxy) = "http://your-proxy-server:proxy-port";
   my $ua = new LWP::UserAgent;
   $ua->proxy(http  => $proxy);
   $ua->proxy(ftp => $proxy);
   $ua->proxy(https => $proxy);
   # Go out and retrieve page
   my $req = new HTTP::Request('GET', $url);
   my $res = $ua->request($req);
   my $pjstatus = 1;
   # Check if the requested webpage is there and return results
   if ($res->is_success) { # Request successful
       open(OUTFILE,">$nvd_file") || ($pjstatus = 0);
       if ($pjstatus) {
          print OUTFILE $res->content;
       }
       close(OUTFILE);
   }
   else {
      $pjstatus = 0;
   }
   return($pjstatus);
}

Please substitute “http://your-proxy-server:proxy-port” with your site’s proxy server and port, if applicable.

Creating a MYSQL Table to Hold the Data

There is a great deal of information in the NVD CVE file. You will need to determine what information your organization will be interested in storing and graphing. For better or worse, folks have come to expect vulnerabilities to have a “Low,” “Medium,” or “High” score. NIST has stated concerning the NVD Vulnerability Severity Ratings:

NVD provides severity rankings of “Low,” “Medium,” and “High” in addition to the numeric CVSS scores but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
3. Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.

While preferring quantitative over qualitative values, for this example I would like to create a stacked column chart. We will add a severity column which is based on the CVSS score. An example table follows:

CREATE DATABASE vulnerabilities;
USE vulnerabilities;
DROP TABLE IF EXISTS `nvdcve`;
CREATE TABLE `nvdcve` (
  `cve_id` varchar(13) NOT NULL,
  `published` datetime default NULL,
  `modified` datetime default NULL,
  `score` DECIMAL(5,2) default '0.0',
  `severity` varchar(6) default 'LOW',
  `vector` varchar(25) default NULL,
  `complexity` varchar(25) default NULL,
  `authentication` varchar(25) default NULL,
  `confidentiality` varchar(25) default 'NONE',
  `integrity` varchar(25) default 'NONE',
  `availability` varchar(25) default 'NONE',
  `summary` varchar(512) default NULL,
  PRIMARY KEY  (`cve_id`),
  INDEX (score),
  INDEX (vector)
)

Using Perl Populating the Database

Populating the database table is simply a matter of reading the file and adding the entries to the table. An example Perl subroutine follows:

sub readxml {
   my($nvd_file, $dbh) = @_;
   my $parser = XML::LibXML-> new();
   my $doc    = $parser-> parse_file($nvd_file);
   my $xc     = XML::LibXML::XPathContext-> new( $doc->documentElement() );
   $xc-> registerNs(
      def  => 'http://scap.nist.gov/schema/feed/vulnerability/2.0' );
   $xc-> registerNs(
     vuln => 'http://scap.nist.gov/schema/vulnerability/0.4' );
   $xc-> registerNs( cvss => 'http://scap.nist.gov/schema/cvss-v2/0.2' );
   for my $entry ($xc-> findnodes("/def:nvd/def:entry")) {
      my $cve = $xc-> find('vuln:cve-id',$entry);
      my $published = $xc-> find('vuln:published-datetime', $entry);
      my $modified = $xc-> find('vuln:last-modified-datetime', $entry);
      my $summary = $xc-> find('vuln:summary', $entry);
      my $skip = 0;
      my ($metrics) = $xc-> findnodes('vuln:cvss/cvss:base_metrics', $entry) or ($skip = 1);
      if (! $skip) {
         my $score = $xc-> find('cvss:score', $metrics);
         my $vector = $xc-> find('cvss:access-vector', $metrics);
         my $complexity = $xc-> find('cvss:access-complexity', $metrics);
         my $authentication = $xc-> find('cvss:authentication', $metrics);
         my $confidentiality =
            $xc-> find('cvss:confidentiality-impact', $metrics);
         my $integrity = $xc-> find('cvss:integrity-impact', $metrics);
         my $availability = $xc-> find('cvss:availability-impact', $metrics);
         my $severity = "LOW";
         if (int($score) >= 7) {
            $severity = "HIGH";
         }
         elsif (int($score) >= 4) {
            $severity = "MEDIUM";
         }
         my $sql = qq{ SELECT count(*) FROM nvdcve WHERE cve_id=? };
         my $sth = $dbh->prepare( $sql );
         my $rc = $sth->execute($cve);
         if ( $rc) {
            my($exist) = $sth->fetchrow_array();
            if (! $exist) {
                $sql = qq{ INSERT INTO nvdcve SET cve_id=?,
published=?, modified=?, score=?, severity=?, vector=?, complexity=?,
authentication=?, confidentiality=?, integrity=?,availability=?, summary=? };
               $sth = $dbh->prepare( $sql );
               $rc = $sth->execute($cve,$published,$modified,$score,
$severity,$vector,$complexity,$authentication,
$confidentiality,$integrity,$availability,$summary);
            }
         }
      }
   }
}

The Perl Program to Pull It All Together

The above subroutines use the Perl modules LWP::UserAgent, XML::LibXML, XML::LibXML::XPathContext, and DBI. A sample Perl program that calls the above subroutines to pull down the NVD CVE data and load it into a MySQL table would be:

#!/usr/local/bin/perl -w
use LWP::UserAgent;
use XML::LibXML;
use XML::LibXML::XPathContext;
use DBI;
BEGIN{push @INC, "/home/jgerber/projects/nvd/perl"}
use nvdsubs qw($db_host $db $mysql_user $mysql_passwd $mysql.sock
readpage readxml );
# Main
my $datadir = "/home/johngerber/projects/nvd/data";
my @timeData = localtime(time);
my $year = 1900 + $timeData[5];
my $prev_year = 1900 + $timeData[5] - 1;
my $url = "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-" .
    $year . ".xml";
my $prev_url = "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-" .
    $prev_year . ".xml";
my $nvd_file = $datadir  . "/nvdcve-". $year . ".xml";
my $prev_nvd_file = $datadir  . "/nvdcve-". $prev_year . ".xml";
$db = "vulnerabilities";
local($dbh) = DBI->connect("DBI:mysql:mysql_socket=$mysql.sock;$db:$db_host",
$mysql_user, $mysql_passwd) || die "ERROR: Connecting: $DBI::errstr\n";
my ($pjstatus) = &readpage($prev_url,$prev_nvd_file);
if ($pjstatus) {
   &readxml($prev_nvd_file,$dbh);
}
$pjstatus = &readpage($url,$nvd_file);
if ($pjstatus) {
   &readxml($nvd_file,$dbh);
}
exit;

The nvdsubs.pm file will not be included in this post. The subroutines are defined and the only pieces missing are the MySQL database username and password. You don’t need mine. Add your own. At this point, we have everything we need to finally use Google Visualization to create a graph.

Google Visualization

We are going to create a Perl program that will read our MySQL nvdcve table and generate the JavaScript that will render our charts on the client’s browser. First, we want to define the JavaScript we want to produce. Just to alleviate some concerns, with Google Visualization your data is only shared between your server and the client connecting. This is unlike Google Charts where your data is sent to Google where it is made into a chart and the result is sent back. Google states concerning the logging of chart data (via Google Charts), “The chart data included in the HTTP request is saved in temporary logs for no longer than two weeks for internal testing and debugging purposes.” Every example in the Google Visualization Gallery will state the data policy. For Google Charts, stated at the bottom of the page for each gadget description the data policy:

While Google Visualization gadgets will have the following stated data policy:

Loading Google Libraries

The first thing the JavaScript needs to do is load the required libraries. This is accomplished with the lines:

<script type="text/javascript" src="http://www.google.com/jsapi"></script>

Area Chart and Table

In this example we are going to create an column chart. In a later section, “Other Charting Options” (see below) we define different Google Visualization charting options.

JavaScript code for a sample column chart would be:

    <script type='text/javascript'>
      google.load('visualization', '1', {packages:['columnchart']});
      google.setOnLoadCallback(drawChart);
      function drawChart() {
        var data = new google.visualization.DataTable();
        data.addColumn('date', 'Date');
        data.addColumn('number', 'High');
        data.addColumn('number', 'Medium');
        data.addColumn('number', 'Low');
        data.addRows([
           [new Date(2009, 0, 30),92,97,3],
           [new Date(2009, 1, 27),168,142,25],
           [new Date(2009, 2, 31),141,165,9],
           [new Date(2009, 3, 30),132,203,12],
           [new Date(2009, 4, 29),158,153,8],
           [new Date(2009, 5, 30),200,199,22],
           [new Date(2009, 6, 31),190,195,11],
           [new Date(2009, 7, 31),127,139,14],
           [new Date(2009, 8, 30),233,208,14],
           [new Date(2009, 9, 30),163,167,18],
           [new Date(2009, 10, 30),129,172,8],
           [new Date(2009, 11, 31),200,211,19],
           [new Date(2010, 0, 29),157,139,14],
           [new Date(2010, 1, 26),137,143,12],
           [new Date(2010, 2, 31),252,242,18],
           [new Date(2010, 3, 13),92,118,17]
        ]);
        var chart = new google.visualization.ColumnChart(document.getElementById('s4graph'));
        chart.draw(data, {displayAnnotations:true, is3D: true, isStacked: true, min: 0,
          allowHtml: true, colors:[{color:'#E41B17', darker:'#C11B17'}, {color:'#FFA500', darker:'#E56717'}, {color:'#FFE87C', darker:'#C8B560'}]});
      }
    </script>

The resulting image would be the following column chart:

Rendering the Table

When providing qualitative results, I like to back them up with more accurate numeric values. Let us include a table with links to the CVSS scores for each vulnerability.

    <script type='text/javascript'>
      google.load('visualization', '1', {packages:['table']});
      google.setOnLoadCallback(drawChart);
      function drawChart() {
        var data2 = new google.visualization.DataTable();
        data2.addColumn('date', 'Date');
        data2.addColumn('number', 'High');
        data2.addColumn('number', 'Medium');
        data2.addColumn('number', 'Low');
        data2.addRows([
           [{v:new Date(2009, 0, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-01">2009-01-30</a>'}, 92,97,3],
           [{v:new Date(2009, 1, 27),
              f:'<a href="/nvd/cvealerts.php?date=2009-02">2009-02-27</a>'}, 168,142,25],
           [{v:new Date(2009, 2, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-03">2009-03-31</a>'}, 141,165,9],
           [{v:new Date(2009, 3, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-04">2009-04-30</a>'}, 132,203,12],
           [{v:new Date(2009, 4, 29),
              f:'<a href="/nvd/cvealerts.php?date=2009-05">2009-05-29</a>'}, 158,153,8],
           [{v:new Date(2009, 5, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-06">2009-06-30</a>'}, 200,199,22],
           [{v:new Date(2009, 6, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-07">2009-07-31</a>'}, 190,195,11],
           [{v:new Date(2009, 7, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-08">2009-08-31</a>'}, 127,139,14],
           [{v:new Date(2009, 8, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-09">2009-09-30</a>'}, 233,208,14],
           [{v:new Date(2009, 9, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-10">2009-10-30</a>'}, 163,167,18],
           [{v:new Date(2009, 10, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-11">2009-11-30</a>'}, 129,172,8],
           [{v:new Date(2009, 11, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-12">2009-12-31</a>'}, 200,211,19],
           [{v:new Date(2010, 0, 29),
              f:'<a href="/nvd/cvealerts.php?date=2010-01">2010-01-29</a>'}, 157,139,14],
           [{v:new Date(2010, 1, 26),
              f:'<a href="/nvd/cvealerts.php?date=2010-02">2010-02-26</a>'}, 137,143,12],
           [{v:new Date(2010, 2, 31),
              f:'<a href="/nvd/cvealerts.php?date=2010-03">2010-03-31</a>'}, 252,242,18],
           [{v:new Date(2010, 3, 13),
              f:'<a href="/nvd/cvealerts.php?date=2010-04">2010-04-13</a>'}, 92,118,17],
        ]);
        var table = new google.visualization.Table(document.getElementById('s4graph_tab'));
        table.draw(data2, {showRowNumber: true, sortAscending: false, sortColumn: 0, allowHtml: true});
      }
    </script>

The JavaScript code assumes there is a PHP program called cvealerts.php under the /nvd directory on your web server. Adjust to your environment. A sample PHP program that could be used for cvealerts.php is provided below. The resulting table chart would look like:

Handling Events: Interactions Between Graphs

We now have two different types of graphs representing the same data. We want to add interaction between the graphs so the viewer can see the relationship. With tables rows are selected when the user clicks, which correspond to the whole column of the stacked column chart. It is not a perfect fit, but it does demonstrate nicely use of adding interactions.

        // Set a 'select' event listener for the table.
        // When the table is selected,
        // we set the selection on the line graph.
        google.visualization.events.addListener(table, 'select', function() {
          chart.setSelection([{row: table.getSelection()[0].row, column: 1}]);
         });
        // Set a 'select' event listener for the graph.
        // When the graph is selected,
        // we set the selection on the table.
        google.visualization.events.addListener(chart, 'select', function() {
           table.setSelection([{row: chart.getSelection()[0].row}]);
        });

Providing Detailed Information

When the table chart link is clicked, we would like to provide some detailed information about the vulnerability. For this example, we will do this with a simple PHP program placed in the /nvd directory on the web server. The program is called cvealerts.php.

<?
session_start();
function db_connect($table) {
   $result = mysql_pconnect("<dbhost>:<dbport>", "<username>", "<password>");
   if (!$result) return false;
   if (!mysql_select_db($table)) return false;
   return $result;
}
function do_html_header($title,$checkuser,$logpage) {
?>
  <html> <head> <title><?=$title?></title></head>
  <body bgcolor="#FFFFFF">
<?
}
function do_html_footer() {
?>
<table>
<tr><td ALIGN=CENTER NOWRAP WIDTH="590"></font>
<font face="Verdana, Arial, Helvetica" size=-2>Notice to Users: Use
of this system constitutes consent to security monitoring and testing.
<br>All activity is logged with your host name and IP address.</font>
</td></tr>
</table>
</body>
 </html>
<?
}
// Main
$dates= array();
$stringlist = "";
if (isset($_GET['date'])) {
    $passdates = explode(",",$_GET['date']);
    for ($index=0; $index<count($passdates); $index++) {
       array_push($dates, $passdates[$index]);
       $stringlist .= $passdates[$index] . " ";
    }
}
else {
  print("Confusion over how you arrived at this page.<P>\n");
  exit;
}
$stringlist = preg_replace("/ $/", "",$stringlist);
do_html_header("Review NVD CVE Announcements for Month Ending $stringlist",1,1);
$nvd_host = "http://web.nvd.nist.gov/view/vuln/detail?vulnId=";
$conn = db_connect("vulnerabilities");
if (!$conn)
   logit("Could not connect to database vulnerabilities - please try later.\n",1);
for ($index=0; $index<count($dates); $index++) {
   $rule = $dates[$index];
   $sql = "SELECT cve_id,score,published,vector,severity,complexity,left(summary,50)
    FROM vulnerabilities.nvdcve
      WHERE date_format(published,'%Y-%m')='$rule'
       ORDER BY (score+0)";
   $result = mysql_query($sql,$conn);
   if (!$result)
       logit("Problem with $sql\n",1);
   print("<table border=1><tr><td><table border=0><tr><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Bulletin</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Impact</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Date</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Vector</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Severity</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Complexity</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Short Summary</font></th></tr>\n");
   for ($count = 1; list($cve_id, $score, $date, $vector, $severity,$complexity,$shortsum) =
     mysql_fetch_array ($result, MYSQL_NUM); ++$count) {
?>
      <tr><td CLASS="plfieldhdrleft" WIDTH="20%" BGCOLOR='#F0F5FF'>
      <?  print("<a href=\"$nvd_host$cve_id\">$cve_id</a>"); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F9FCFF'>
      <?  print($score); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F0F5FF'>
      <?  print($date); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F9FCFF'>
      <?  print($vector); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F0F5FF'>
      <?  print($severity); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F9FCFF'>
      <?  print($complexity); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F0F5FF'>
      <?  print($shortsum); ?>
      </td>
      </tr>
<?
   }
}
print("</table></td></tr></table>");
do_html_footer();

The PHP program would generate a HTML table displaying the NVD CVE alerts for that month. The table would look like:

When the CVE link is clicked on, the user is taken to the NIST NVD site where additional information is available.

Using Perl to Create the JavaScript

The Perl code is rather simple now that we have the MySQL tables defined and the JavaScript we want to generate. Much of the code consists of the JavaScript listed above.

#!/usr/local/bin/perl -w
use DBI;
use Time::Local;
use POSIX qw(strftime);
use LWP::UserAgent;
BEGIN{push @INC, "/home/jgerber/projects/nvd/perl"}
use ornl_feds qw($db_host $db $mysql_user $mysql_passwd );
sub slide_nvd_alerts {
  my($min_date,$graph_name,$web_link,$dbh) = @_;
  my $slide = "";
  my $slide_head = qq!
    <script type='text/javascript'>
      google.load('visualization', '1', {packages:['columnchart,table']});
      google.setOnLoadCallback(drawChart);
      function drawChart() {
        var data = new google.visualization.DataTable();
        data.addColumn('date', 'Date');
        data.addColumn('number', 'High');
        data.addColumn('number', 'Medium');
        data.addColumn('number', 'Low');
        data.addRows([
!;
   my $slide_head_table = qq!
        var data2 = new google.visualization.DataTable();
        data2.addColumn('date', 'Date');
        data2.addColumn('number', 'High');
        data2.addColumn('number', 'Medium');
        data2.addColumn('number', 'Low');
        data2.addRows([
!;
   my $table_div = $graph_name . "_tab";
   my $slide_tail = qq!
        var chart = new google.visualization.ColumnChart(document.getElementById('$graph_name'));
        chart.draw(data, {displayAnnotations:true, is3D: true, isStacked: true, min: 0, allowHtml: true,
 colors:[{color:'#E41B17', darker:'#C11B17'}, {color:'#FFA500', darker:'#E56717'},
{color:'#FFE87C', darker:'#C8B560'}]});
        var table = new google.visualization.Table(document.getElementById('$table_div'));
        table.draw(data2, {showRowNumber: true, sortAscending: false, sortColumn: 0, allowHtml: true});
            // Set a 'select' event listener for the table.
        // When the table is selected,
        // we set the selection on the line graph.
        google.visualization.events.addListener(table, 'select', function() {
          chart.setSelection([{row: table.getSelection()[0].row, column: 1}]);
         });
      // Set a 'select' event listener for the graph.
        // When the graph is selected,
        // we set the selection on the table.
        google.visualization.events.addListener(chart, 'select', function() {
           table.setSelection([{row: chart.getSelection()[0].row}]);
        });
      }
    </script>
!;
   if ($min_date eq "") {
      my $sql2 = qq{ SELECT min(published) FROM vulnerabilities.nvdcve };
      my $sth2 = $dbh->prepare( $sql2 );
      my $rc2 = $sth2->execute();
      if ($rc2) {
         $min_date = $sth2->fetchrow_array();
      }
   }
   my $table_data = "";
   my $graph_data = "";
   my $sql2 = qq{ select date_format(published,'%Y-%m'),severity,count(severity)
      FROM vulnerabilities.nvdcve where published >= ? group by date_format(published,'%Y-%m'),severity };
   my $sth2 = $dbh->prepare( $sql2 );
   my $rc2 = $sth2->execute($min_date);
   if ($rc2) {
      my ($change,$virgin,$ht,$mt,$lt,$mmax_date) = ("",1,0,0,0,"");
      while (my($snapshot_date, $severity, $pcount) = $sth2->fetchrow_array()) {
         my $sql3 = qq{ SELECT max(published) FROM vulnerabilities.nvdcve where
date_format(published,'%Y-%m')=? };
         my $sth3 = $dbh->prepare( $sql3 );
         my $rc3 = $sth3->execute($snapshot_date);
         $max_date =  $sth3->fetchrow_array();
         $max_date =~ s/ \S+$//;
         if ($change ne $snapshot_date) {
            if (! $virgin) {
                my($year,$month,$day) = split("-",$mmax_date);
                my $mmonth = $month;
                $month--;
                $graph_data .= qq!           [new Date($year, $month, $day),$ht,$mt,$lt],
!;
                $table_data .= qq!           [{v:new Date($year, $month, $day),
              f:'<a href="$web_link/cvealerts.php?date=$year-$mmonth">$mmax_date</a>'}, $ht,$mt,$lt],
!;
                ($ht,$mt,$lt) = (0,0,0);
             }
             $change = $snapshot_date;
          }
          if ($severity eq "HIGH") { $ht = $pcount; }
          elsif ($severity eq "MEDIUM") { $mt = $pcount; }
          elsif ($severity eq "LOW") { $lt = $pcount; }
          if ($mmax_date eq "") { $mmax_date = $max_date; }
          if ($mmax_date lt $max_date) { $mmax_date = $max_date; }
          $virgin = 0;
      }
      my($year,$month,$day) = split("-",$mmax_date);
      my $mmonth = $month;
      $month--;
      $graph_data .= qq!           [new Date($year, $month, $day),$ht,$mt,$lt]
!;
     $table_data .= qq!           [{v:new Date($year, $month, $day),
              f:'<a href="$web_link/cvealerts.php?date=$year-$mmonth">$mmax_date</a>'}, $ht,$mt,$lt],
!;
   }
   $table_data .= "        ]);\n";
   $graph_data .= "        ]);\n";
   $slide = $slide_head .  $graph_data . $slide_head_table . $table_data . $slide_tail;
   return($slide);
}
sub slide_body {
  my($graph_name,$title,$style) = @_;
  my $table_name = $graph_name . "_tab";
  my $table_text = "div id=\"$table_name\"";
  if ($style ne "") {
     $table_text .= " style=\'$style\'";
  }
  my $slide2 = "<h3>$title</h3>\n";
  my $itext = "div id=\"$graph_name\"";
  if ($style ne "") {
     $itext .= " style=\'$style\'";
  }
  $slide2 .= qq{
    <table><tr>
    <td valign="top"><$itext></div></td>
    <td valign="top"><$table_text></div></td>
    <td valign="top">   </td>
    <td valign="top"><div id="labels"></div></td>
    </tr></table>
  };
  return($slide2);
}
# Main
my $web_link = "/nvd";
my $results_dir = "/data/html" . $web_link;
my $result_file = $results_dir . "/nvdcve_stats.html";
my $debug = 1;
my $db = "vulnerabilities";
local($dbh) = DBI->connect("DBI:mysql:$db:$db_host", $mysql_user, $mysql_passwd) ||
   die "ERROR: Connecting: $DBI::errstr\n";
$slides_data .= &slide_body("s4graph","NVD CVE Alerts","width:700px; height:400px;");
$slides_head .= &slide_nvd_alerts("","s4graph",$web_link,$dbh);
open(OUTFILE,">$result_file");
print OUTFILE "<HTML>\n<HEAD><TITLE>NVD CVE Statistics</TITLE>\n";
print OUTFILE "<script type=\"text/javascript\" src=\"http://www.google.com/jsapi\"></script>\n";
print OUTFILE $slides_head;
print OUTFILE "</HEAD>\n<BODY>\n";
print OUTFILE $slides_data;
print OUTFILE "</BODY>\n";
close(OUTFILE);
exit;

Other Charting Options

Google, Google users, and other companies have shared some JavaScript visualizations built on the Google Visualization API to help you get started. Below are some example:

	Annotated Time Line (GWT Integrated) An animated time series chart. By: Google
	Area Chart (GWT Integrated) Interactive area chart. By: Google
	Bar Chart (GWT Integrated) Interactive bar chart. By: Google
	Bars of Stuff Fun bar charts using images of trains, chocolate, worms, and more. By: The visapi project
	Bio Heat Map Heatmaps are a useful way to visualize matricies of data. Scientists often use green-black-red heatmaps to visualize gene expression data from microarrays. This visualization supports both three color heatmaps (ex: green to black to red) and two color heatmaps (ex: white to yellow). By: Institute for Systems Biology
	Column Chart (GWT Integrated) Interactive column chart. By: Google
	Drastic Treemap A dynamic treemap in Flash. By: DrasticData
	Dygraphs The dygraphs JavaScript library produces interactive, zoomable charts of time series. By: Dan Vanderkam
	Filters A Visualization that acts as a control over other visualizations. It is rendered within the browser using HTML. This visualization offers the ability to select some criteria to filter the DataTable used by the controlled visualizations. By: Institute for Systems Biology
	Gauge (GWT Integrated) Each numeric value is displayed as a gauge. By: Google
	Geo Map (GWT Integrated) A map of a country, continent, or region map, with colors and values assigned to specific regions. Values are displayed as a color scale, and you can specify optional hovertext for regions. By: Google
	Intensity Map (GWT Integrated) An intensity map that highlights regions or countries based on relative values. By: Google
	Line Chart (GWT Integrated) Interactive line chart. By: Google
	Magic-Table The Magic Table is a JavaScript library that allows you to see more in your data by applying some simple visual techniques to transform a table. The table is displayed in the browser by the canvas element. Internet Explorer is not supported. By: Greg Ross
	Map (GWT Integrated) An interactive map that uses the Google Maps API. By: Google
	Motion Chart (GWT Integrated) Motion Chart: A dynamic flash based chart to explore several indicators over time. Required columns: bubble name, time and 2 columns of numeric values. Optional columns: Numeric values or categories. By: Google
	Organizational Chart A GWT Integrated simple organizational chart. By: Google
	Parallel Coordinates Chart Parallel Coordinates is a method of visualizing multivariate data. An n-dimensional space is represented as n parallel lines. Works for browsers based on Gecko or Presto (does not work in IE). This is written in Javascript, no Flash required. By: Sri Harsha Allamraju
	Pie Chart (GWT Integrated) Interactive pie chart. By: Google
	Piles of Money Column chart made of of money bills. By: The visapi project
	Scatter Chart (GWT Integrated) Interactive scatter chart. By: Google
	Table (GWT Integrated) A highly customizable table with sorting, paging and selection capabilities. By: Google
	TermCloud A list of terms, where the size and color of each word is determined by a specified frequency value (typically the number of times it appears in some text). By: The visapi project
	Thematic Mapping API Enables visualization of data in Google Earth or other geobrowsers through the use of the Google Visualization API and KML. By: Thematicmapping.org
	WordCloud Displays all words in text with size and color based on the number of time each word appears. By: The visapi project

Additional Information

Below is the talk that Itai Raz, the lead engineer for the Visualization API product at Google, gave at Google I/O 2009 titled “Using the Visualization API with GWT:”

Additional Possibilities

The work above is meant only to serve as a starting point. There is a great deal more information to expand upon. For example, we began this post pulling some information from the XML schema for CVE-2010-1228. One field we did not pull out from the XML file is:

    <vuln:cwe id="CWE-362" />

The Common Weakness Enumeration (CWE) represents vulnerability types and NIST provides a CWE Cross Section Mapped into by NVD table. In the above example, we see an entry:

Clicking on the link will take us to the MITRE site that provides a great deal more information on CWE entries. It is easy enough to expand on the above program to harvest this information for a richer information database.

Another possibility is to expand the above program to pull additional information on the CVE entry. In additional to the data in the NVD CVE XML file, we could pull information from the NVD site. Using CVE-2010-1228 as an example, we could have the program pull down the page:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1228

Notice the line:

CVSS v2 Base Score:10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)

The (AV:N/AC:L/Au:N/C:C/I:C/A:C) provides values that were used in determining the base score. If you follow the link, you will see the values used in the calculations:

• CVSS Base Score: 10
  • Impact Subscore: 10
  • Exploitability Subscore: 10
• CVSS Temporal Score: Undefined
• CVSS Environmental Score: Undefined
• Overall CVSS Score: 10

NVD has made available the equations used in calculating the CVSS base score, temporal score, and environmental score.

Three other pieces of information that might provide interesting groupings are:

• Access Complexity: Low **NOTE: Access Complexity scored Low due to insufficient information
• Authentication: Not required to exploit
• Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

What information is of interest and how it is used will be dependent on your organization. There is a great deal of information available and many directions you start examining.

Final Thoughts

I am often reminded of the old phrase, “Trust us, we are from the government.” No one really trusts anyone, especially when it comes to matters they do not understand. Just because you are from the security group at your organization, is that reason enough for the CEO to give you unlimited money and authority to do what you see fit? Of course not. While management might trust you, they may not believe that you are capable of seeing the big picture. That is after all their job.

Another great old saying is that “the devil is in the details.” Those details will likely fall in the security domain. In organization across the planet there is a tug of war between the details and the big picture with multiple groups adding in their opinions and views. You need to make the details understandable to your higher management to effectively argue your view. Finding effective metrics and finding clear representation is essential in today’s business. Google Visualization can be a useful tool in accomplishing this task.

ISACA does a great job of mapping COBIT to other standards. It will be interesting to see how much alignment there is between COBIT 5 and the recent work being done by the National Institute of Standards and Technology (NIST). Just last month, NIST released Special Publication 800-37 Rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” To quote Dan Phillpott over on the Guerilla CISO site, “This document describes the central processes involved in the authorization of information systems that support the federal government. Notice I didn’t say Certification and Accreditation? That’s because C&A is deader than a sheep at a wolf convention. Want to know what replaces it?” Dan suggest picking up a copy of NIST SP 800-37 Rev 1.

Much of the recent focus on risk management is fueled by the need to deal with changing technologies. NIST SP 800-37 rev 1 is not the first NIST document concerning risk management and it certainly will not be the last. Later this year NIST will release SP 800-39 Rev. 1, “Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View” and NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments.” Dr. Ron Ross presented NIST’s view of the next generation of risk management in his talk, “Next Generation Risk Management Information Security Transformation for the Federal Governmen” at the 5th Annual Security Automation Conference.

Quoting from the “Changing Technologies and the Effects on Information System Boundaries” section of NIST SP 800-37 Rev 1.:

Changes to current information technologies and computing paradigms add complications to the traditional tasks of establishing information system boundaries and protecting the missions and business processes supported by organizational information systems. In particular, net-centric architectures (e.g., service-oriented architectures [SOAs], cloud computing) introduce two important concepts: (i) dynamic subsystems; and (ii) external subsystems. While the concepts of dynamic subsystems and external subsystems (described in the following sections) are not new, the pervasiveness and frequency of their invocation in net-centric architectures can present organizations with significant new challenges.

Focusing back to COBIT 5, the planned primary improvements will consist of:

• Aligning COBIT 5 with ISACA’s TGF initiative as well as recent global governmental and market-driven enterprise and IT governance initiatives, such as sustainability and green IT.
• Consolidating COBIT 5 into a single overarching framework and knowledge base, providing one consistent and integrated source of guidance.
• COBIT 5 will be described in a high-level framework publication, providing an explanation of the objectives, scope, format and usage of COBIT 5 and enabling enterprises to strategically plan adoption of COBIT 5 and how to migrate to the new framework.
• COBIT 5 will consist of a set of publications providing:
  • The content of COBIT 5 required for enterprise implementation and assurance activities
  • Focussed guidance publications on functional, responsibility and organisational views to help
    COBIT users with a specific area of interest to better understand how COBIT can support their role.
• Clarifying the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other, and with processes integrating both business and IT responsibilities.
• Aligning with the latest management practices as well as strengthening areas such as decision making, organisational structures, skill requirements, human factors, culture and change enablement. The new structure will be flexible, allowing future ISACA and non-ISACA standards, frameworks, regulations, etc., to be factored in.

If you want to learn more about risk management, a previous post “Risk Assessment: A Starting Point” provides a good starting point with links to some great information sources. Luke O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths“):

ISACA is looking for feedback by the close 12 April 2010. There is also a LinkedIn Group setup by Grzegorz Albinowski where you can discuss and stay informed on COBIT 5 developments.

Miller goes on to report that OMB will require “agencies launch a series of cloud computing pilots across the government in 2010 using the E-Government Fund.” In 2013, Miller reports, agencies must provide OMB “a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for how they could move to cloud computing.”

Miller quotes a former government official as saying, “They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs. They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.”

How well does your organization understand cloud computing? How will security be handled? What can you do to prepare? During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events. Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges. For example, the ZISC Workshop on Security in Virtualized Environments and Cloud Computing, held September 10-11th in Zurich, recently posted all their presentations:

Following NIST’s involvement in an area like cloud computing can help you judge the direction the government is heading. Tim Grance presented at the 5th Annual IT Security Automation Conference and Expo Presentations and the presentations have been made available. Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post “Standardization and Interoperability in Security” for additional information on SCAP). A cloud computing track consisting only of slides (no video) was also posted. If lack of video does not concern you, the following conferences have posted slides on cloud security:

• CCSW 2009: The ACM Cloud Computing Security Workshop, held November 13th, 2009 in Chicago.
• Digital Government Institute’s Cloud Computing 2010: Focus on Operational Efficiency and Security, held December 9, 2009.
• Cloud Interoperability Roadmaps Session held in Long Beach, CA on December 10, 2009.

If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner’s BriefingsDirect podcast, “Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?.” The discussion includes a panel of all stars from the cloud security community, including Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Christofer Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and Dr. Richard Reiner, CEO of Enomaly. The podcast was recorded at the Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto on July 20-22, 1009, along with:

• Jericho Forum Aims to Guide Enterprises Through Risk Mitigation Landscape for Cloud Adoption where Dana interviews Steve Whitlock, a member of the Jericho Board of Management.
• Cloud and Security Join Boundaryless Information as Top-of-Mind Issues for The Open Group where Dana talked with Allen Brown, president and CEO of The Open Group.
• XDAS Standard Aims to Empower IT Audit Trails from Across Complex Events where Dana talks with Ian Dobson, director of the Security Forum for The Open Group, as well as Joël Winteregg, CEO and co-founder of NetGuardians. XDAS is an open-source standard that is hopefully going to help in compliance and regulatory issues and in the automation of heterogeneous environments.
• New Era Enterprise Architects Need Sweeping Skills to Straddle the IT-Business Alignment Chasm where Dana is joined by James de Raeve, vice president of certification at The Open Group; Len Fehskens, vice president, Skills and Capabilities at The Open Group; David Foote, CEO and co-founder, as well as chief research officer, at Foote Partners, and Jason Uppal, chief architect at QRS.
• Cloud Pushes Enterprise Architects’ Scope Beyond IT into Business Process Optimization Role where Dana is joined by Tim Westbrock, managing director of EAdirections; Sandy Kemsley, an independent IT analyst and architect; and John Gotze, international president for the Association of Enterprise Architects.

For more video presentations on the cloud security, awhile back I posted “CERT, CERIAS, the Academy, and Google Video: Training Online.” Two other sources include the SecurityTube and O’Reilly Webcasts. Below are a few examples of the presentations available:

• The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about “cloud” is akin to walking into a Belgian bar and asking for “beer”; the common cloud architectures and their implications for you – the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response & forensics.
• Evolution of Security (Fsecure) Tutorial by F-Secure: an animated series on the various threats out there on the Internet and also talks about their state of the art AV (self promotion) They also talk about “cloud security” and how the next generation AV will be in the cloud and not isolated.
• Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing’s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.
• Architecting Applications for the Cloud by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.
• Cloud Computing: The Next Frontier for Open Source by Bernard Golden: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.
• Getting Started with Amazon Web Services by Cloud Security Deep Dive by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&A with the audience.
• Cloudburst (Hacking 3D and Breaking Out of VMware) Blackhat 2009 by Kostya Kortchinsky: VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
• Virtualization: Resource Coupling and Security across the Stack by Dennis Moreau, Configuresoft: The session briefly addressed extension to the cloud and utility computing infrastructures to address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.

Other BruCON Security Conference (held September 18-19, 2009) videos are available at their vimeo channel. O’Reilly maintains on YouTube an O’Reilly Media Channel along with an area to sign up for future webcasts. Blackhat DC 2009 video, audio, whitepapers, and slides are also available. Content is ever changing, so keep checking the sites.

Remember that Vivek Kundra, Chief Information Officer (CIO) of the United States of America, outlined as his team’s priorities:

1. Innovation
2. Lowering the cost of Government
3. Transparency
4. Engaging Citizens
5. Ensuring a safe computing environment

In response, FedScoop! started hosting one event each quarter around these pillars. On October 14 at the Newseum, they did their first event bringing together executives in the White House and federal CIO’s, CTO’s, and decision-makers to talk about lowering the cost of government with technology. Check out the video of the Cyber Security Panel. Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event. On December 9th, 2009, they hosted and posted the “Cloud Computing Shoot Out.”

FederalNewsRadio has posted a three part video series on secure cloud computing. The panelists include Jim Flyzik, President of the Flyzik Group; Henry Sienkiewicz, Technical Program Director, Computer Services, Defense Information Systems Agency; Ronald Bechtold, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; Curt Aubley, Chief Technology Officer CTO Operations & Next Generation Solutions, Lockheed Martin Information Systems & Global Services; Dale Wickizer, Chief Technology Officer-Public Sector, NetApp, Inc.; and Aileen Black, Vice President of Public Sector VMware Inc.

CNET’s editor of Webware, Rafe Needleman and senir writer Stephen Shankland talked with Christofer Hoff on the Reporters’ Roundtable podcast about the “Dangers of Cloud Computing.” Chris also presented at Microsoft’s BlueHat, “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure.” Any presentation with such a great title must be watched. There is a short interview with Chris from Bluehat.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855 where Lincoln was one of Manny’s lawyers. Lincoln basically was pushed aside and humiliated. After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

Change is coming. If you try just to get along, the future will overwhelm you. While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information. Take advantage of it and get ready for whatever might be heading your way.

The Suricata Engine and the HTP Library are available to use under the GPLv2. The new engine supports “Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards”. GPU integration allows the use of graphic cards to accelerate operations. Mike Cloppert in his post, “Detection, Bandwidth, and Moore’s Law” pointed out:

It appears the authors well understand the point in this post, and the corresponding state of the art in solving parallel computing problems. GPU’s are emerging as a good commodity solution to parallel processing. This is covered in depth by a number of recent publications discussing parallelism, and I am by no means an expert in this field, so I will simply leave follow-up on this point as an exercise for the reader.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic, creator of Mod Security and author of the soon to be released book “ModSecurity Handbook“. This integrates and provides very advanced processing of HTTP streams. The HTP library is required by the engine, but may also be used independently in a range of applications and tools. Additional details have been provided by Ivan in his post, “HTTP parser for intrusion detection and web application firewalls.” Ivan writes concerning the development, “For the first release of the parser the goal is to be able to parse HTTP streams reliably. In the subsequent versions I will work in the parser’s security properties (such as the ability to see through evasion attacks).”

New Ideas and Concepts

Quoting from the OISF announcement, some of the next generation capabilities include:

• Multi-Threading: so very necessary.
• Automatic Protocol Detection: the engine has keywords for IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB. Users can write rules to detect a match within a stream regardless of the port the stream occurs on. This is important for malware detection and control. Detections for more layer 7 protocols are being developed.
• Gzip Decompression: the HTP Parser will decode Gzip compressed streams.
• Independent HTP Library: the HTP Parser will be usable by other applications such as proxies, filters, etc. The parser is available as a library under GPLv2 for easy integration ito other tools.
• Standard Input Methods: support for NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support will be available soon.
• Unified2 Output: support for standard output tools and methods.
• Flow Variables: it is possible to capture information out of a stream and save that in a variable which can then be matched against later.
• Fast IP Matching: the engine will automatically use a special fast matching preprocessor on rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats).
• HTTP Log Module : HTTP requests can be automatically output into an apache-style log format file for monitoring and logging activity completely independent of rulesets and matching.

A few features to look forward to in a few weeks:

• Global Flow Variables: the ability to store more information from a stream or match (actual data, not just setting a bit) over a period of time allowing comparing values across many streams and time.
• Graphics Card Acceleration: using CUDA and OpenCL to make use of the processing power of even old graphics cards to accelerate the IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
• IP Reputation: will allow sensors and organizations to share intelligence and eliminate many false positives.
• Windows Binaries: will be released once there is a reasonably stable body of code.

Folks Behind It

The team is listed on the OISF site. It is an all star cast including Matt Jonkman, Victor Julien, Will Metcalf, Nathan Jimerson, Margaret Skinner, Josh Smith, Brian Rectanus, Breno Silva Pinto, Anoop Saldanha, Gurvinder Singh Dahiya, Jason MacLulich, Jason Ish, Kirby Kuehl, Dennis Henderson, Martin Solum, Ivan Ristic, Pablo Rincon, and Gerardo Iglesias Galvan.

I also wanted to point out some of the heavy hitting organizations involved. The initial funding for OISF comes from the US Department of Homeland Security (DHS), the US Navy’s Space and Warfare Command (SPAWAR), and a number of private companies that participate in the OISF Consortium. The OISF is a part of the DHS Homeland Open Security Technology (HOST) program. OISF works with Open Source Software Institute and has received legal guidance from the Software Freedom Law Center.

OISF is a US nonprofit, a 501c(3) and will not commercialize, sell, patent, copyright, or profit from the engine. OISF Consortium members are donating coders, equipment, and financial support in exchange for the ability to commercialize the engine. The important take away is that OISF has long term support for future development of Suricata.

Final Thoughts

Suricata is a very exciting and promising IDS/IPS engine. It has a great group of people behind it and future development appears secured. It is a project that is in the early stages. Do not expect to download it and simply install on a production environment. For testing the software and providing feedback, the engine and the HTP Library are available for download. To keep apprised of the latest developments join the oisf mailing lists where you discuss and share feedback. The blog of Victor Julien, Suricata’s lead developer, is another great source for the latest news and information.

To finally answer the burning question: why the name Suricata? According to the OISF site, Suricata comes from the Latin genus name for the meerkat and “the Meerkat takes security and vigilance as a life or death responsibility. There is always at least one individual on guard, watching, ready to alert the entire organization. Very much like an IDS sensor. It is always watching, always ready to alert you to danger. Or something like that…”

For a little perspective, remember back in August 2008, the Air Force suspended all efforts to the establishment of the Cyber Command. This was after the Air Force was hyping the Cyber Command capabilities on TV, in Web video advertisement, and in presentations. In September, the Pentagon decided that the US Strategic Command in Omaha, NE should create and run a version of the joint Cyber Command. Deputy Secretary of Defense Gordon England wrote in a memo, “Because all the combatant commands, military departments and other defense components need the ability to work unhindered in cyberspace, the domain does not fall within the purview of any particular department or component.”

In October, top Air Force leadership decided to continue efforts to stand up the Cyber Command. At the time, Air Force Secretary Michael Donley made the statement, “The conduct of cyber operations is a complex issue, as [Defense] and other interagency partners have substantial equity in the cyber arena. We will continue to do our part to increase Air Force cyber capabilities and institutionalize our cyber mission.”

Top military officials in May 2009 argued for a single joint command and went on to tell the media that a “Cyber attack could bring U.S. military response.” In June 2009, Defense Secretary Robert M. Gates in a memo Stated, “Our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

The Defense Department failed to meet an Oct. 1 target launch date. There have been no confirmation hearing for the command’s first director. Nakashima is reporting that the project was delayed by “congressional questions about its mission and possible privacy concerns.”

NSA Deputy Director John (Chris) Inglis said “90 percent” of the command’s focus will be on defensive measures because “that’s where we are way behind.” The offensive measure lead to many policy and doctrinal questions involving cyber warfare. Nakashima goes on to report one official familiar with the Pentagon’s plans, who was not authorized to speak for the record, stated “The rules can vary dramatically depending upon under what authority you’re doing something. An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries.”

Offensive computing is a difficult topic to tackle. Remember Col. Charles W. Williamson III? He ran into a bit of controversy back in May 2008 when he posted “Carpet bombing in cyberspace: Why America needs a military botnet.” He stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post, “Mutually Assured DDoS” points out several of the problems with a af.mil robot network. Sean Sullivan from F-Secure also did a thoughtful response titled “US Air Force Colonel Proposes Skynet.” The problem will always be in cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identifying the enemy. The intelligent attacker makes all effort to blend into the population.

Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations stated, “I don’t think there’s any dispute about the need for Cyber Command. We need to do better defending DOD networks and more clearly think through what we’re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.”

Nakashima reports officials stated:

“The initial operating plan for a cyber command is straightforward: to merge the Pentagon’s defensive unit, Joint Task Force-Global Network Operations, with its offensive outfit, the Joint Functional Command Component-Network Warfare, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA’s technical capabilities but fall under the Pentagon’s Strategic Command.

Lt. Gen. Keith B. Alexander, director of the NSA, has been nominated by President Obama to be the director of the Cyber Command. Congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month. Once the staff are satisfied the understand the command’s purpose and operating place, the Senate Armed Service Committee can hold the confirmation hearing for a new director.

Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” Of course, Saint Bernard of Clairvaux would have cautioned, “Hell is full of good intentions or desires.” While there are many issues involved with the development of a US Cyber Command, steps are continuing to occur. Issues are being considered. Is it progress? I believe so. Stay tuned and we will all see what happens.

Thanks to Angry Alien Productions for providing links to 30-Second Bunnies Theatre. If you have never watched these collection of movies re-enacted by animated bunnies in 30 seconds, more or less, follow the links. If you enjoy the episodes, support the creative effort by buying the recently released DVD through Amazon.

For geeks, and those who love them, Kreg Steppe and Douglas E. Welch have written a story that you are going to love, “A Geek Christmas Story.” To quote the site, it is the story of “Mattie Stevens, a young boy of the early 80’s, dreams of owning a Commodore 64. He sets out to convince everyone this is the perfect gift. But, along the way runs into opposition from his parents and everyone around him including old Santa Claus”

Take a look at the all star cast of players from the podcasting community:
Narrator: Kreg Steppe – Technorama
Harvey Stevens: Dad – Kevin Devin
Mandy Stevens: Mom – Susie Murph – How to Grow your Geek Podcast
Mattie Stevens: Son – Daniel Devin
Sandy Stevens: Little Brother – Spencer Holden
Curtz Eisenberg: Friend to Mattie – Harrison Steppe
General Beringer: General – Douglas E. Welch
Lieutenant: Steve Holden – Tech News Radio
Mrs. Little: Katie Floyd – Mac Power Users Podcast
Santa’s Helper: Chuck Tomasi – Chuckchat.com
Santa: Larry Pesce – Pauldotcom.com Podcast
Judge: Victor Cajiao – Typical Mac User Podcast – Typical Shutterbug Podcast
Andrew Carnagie: Andy Helsby – Absoblogginlutely!
J.P. Morgan: Grant Bichocco – Mr.Grant.com
UPS Guy: Paul Asadoorian- Pauldotcom.com Podcast
Skipper: Rylie Starcher

Not to leave anyone out, because they have all done such a great job, the show was produced by:

George Starcher – Typical Mac User Podcast
Victor Cajiao – Typical Mac User Podcast - – Typical Shutterbug Podcast
Steve Holden – Tech News Radio - Jersey Boys Podcast – AztecMedia.net

The folks at FiT do fantastic, creative, stories around Halloween and Christmas (Server Room of Horrors – Halloween 2005; A Geek Christmas Carol – Christmas 2005; Server Room of Horrors – Halloween 2006; Lucky the Reindeer and the Island of Misfit Geeks – Christmas 2006; It’s the Great Server Chuck and Kreg! – Halloween 2007). Take the time to listen to this year’s Christmas story. You won’t be disappointed.

On a mission to reveal the truth behind Pere Noel, Mone took time for an interview on NPR’s Morning Edition and did an one hour lecture at MIT. Shaula Clark reporting for the Boston Phoenix on the MIT lecture, exposed some of Babbo Natale’s trade secrets:

• Kanakaloka is not immortal, but retains his jolly vigor with the help of organ printers.
• Swiety Mikolaj does not, in fact, leave toys under the tree; instead, he comes bearing complex chemical reactions — toys assemble themselves in their packaging.
• Ded Moroz’s Christmas Eve rounds are actually accomplished via several teams of Santa-recruited lieutenants, a series of short-distance wormholes, and time travel.
• Papai Noel’s base of operations (actually in Greenland, not the North Pole) is greatly threatened by global warming — to keep his unfathomably large server farm cool, he needs the Arctic chill. Papai Noel’s own green initiatives include planting trees and cloning his elves (“because he wouldn’t want [them] breeding on their own”).

According to Mone, Sinter Klaas uses tools that are hundreds of years beyond what we have at our disposal. For example, “Santa’s suit is laden with what are called metamaterials, which have the effect of bending light around a person so that they turn invisible” — which can come in handy if there are curious children peeking during his Christmas deliveries.

Questions on the Internet have been raised as to where Mone may have obtained his information. At the beginning of the month, Mone traveled to Google allegedly to take part in the Authors@Google series. During the talk Mone discussed how implanted listening devices in the ornaments help Hoteiosho keep the naughty and nice kids straight. Also discussed was the use of cloning and wormhole technology to help Baba Chaghaloo get to every household. A few posts on the Internet question whether Google could be providing information to Shengdan Laoren through advance data mining in exchange for some of the advance technologies.

Could the US government also be involved? Those Internet posts point to the partnership between Google and NORAD (the North American Aerospace Defense Command), a bi-national United States and Canadian organization. NORAD and Google are helping children track the journey of Jolasveinar around the world using Google Maps and Google Earth. In a possible attempt to gain patents and disrupt Google market shares, there are even rumors that Gaghant Baba’s workshop has been purchased by Bill Gates. Could a secret message exist behind the Microsoft Bing commercial about Daidi na Nollag?

Google maintains that they take user privacy very seriously. In this case, I believe them. If there is trickery, Tomten would likely be behind it. How can one trust a person who goes by so many names? And what exactly is his past? Every country provides a different story. If he is a jolly old elf, there are reports that elves have used trickery as a means to an end. Local and federal governments across the world have gift policies limiting the the value and number of gifts that can be given to government employees. Gifts can be used as bribes. One could begin to wonder if the gift bearing holiday might be a cover for a massive yearly bribery event. More troubling, attempts to trace those questioning Internet posts lead back to ISPs in Greenland. Maybe Jack Bauer is needed to get at the truth.

I am not saying Chimney John is not a jolly nice fellow. I am just not a great believer in security through obscurity. There is a great deal we don’t know about Samichlaus. As security minded people, we need to be always questioning. Video of Mone’s Google talk has been made available. View it below and judge for yourself:

Wishing you a great holiday, wherever you may be and whatever you may believe.