
My friend and IT thought leader, Gene Kim, often refers to high-performing IT shops as “people with good IT kung fu.” What he means by that is that these organizations have good skills, agility, and effective practices.

Lately, the news has been full of reports of botnets and other attacks that have gone unnoticed for looong periods of time.  For example, consider the Kneber botnet.  As was reported in The Washington Post,

“The attack, which began in late 2008 and was discovered [in January 2010], targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries…”

To use one of Gene’s favorite phrases, “Holy crap!”  That means these companies were compromised for over a year before they even noticed!  Not good – in fact, totally unacceptable.

Why were these people surprised?

I’d be willing to bet many of these companies had deployed “state of the art” security tools, and the actions leading up to their breaches were still not noticed.  Why not?

I think there are several contributing factors:

  • More data isn’t better, it’s just more.
    • A lot of people decide to try to solve the problem by throwing yet another “sensor” into the mix, which just creates more alerts, more alarms, and more noise.  In essence this just creates a big landfill of events.
  • External threats and events are only part of the story.
    • Lots of security is focused on the baddies “out there.”  But lots of exploits happen when trusted insiders do something they shouldn’t – such as clicking on a nasty link, using a weak password, breaking a rule, sharing a password, or misconfiguring something.  In other words, “I have seen the enemy, and they are us.”
  • It’s about results, not just activity.
    • There is a lot of focus on suspicious events, traffic, etc.  But that’s only part of the story – you also need to keep an eye on the results of those activities:  what’s changed on your systems, how does that compare to your standards & policies, are things configured consistently, etc.

So what?

So what does this all mean?  I’ll go into that more in the future, but for now – think about these things:

  • Virtually all breaches leave evidence – changes in your IT infrastructure that you should be able to notice.
  • Many breaches take advantage of misconfigured, weakly configured, or inconsistently configured infrastructure.
  • The people you trust on your systems are highly likely to be a source or vector for any compromise you experience.
  • Many of the 2,500 companies affected by the Kneber botnet thought they were secure, and had plenty of data in their event landfills.  But they still got hit and didn’t find out for a very long time.
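As an added illustration of the points above (this is example code, not code from the original post or from Tripwire), a small baseline-and-policy check in Python: it records a hash and permission bits for every file, reports what changed against an earlier snapshot, flags files that break a simple permissions standard, and lists paths that differ between hosts that are supposed to be configured identically. The directory layout, file names and the “no group/world write” policy are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Record (sha256, permission bits) for every regular file under root."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = path.stat().st_mode & 0o777
            state[str(path.relative_to(root))] = (digest, mode)
    return state

def diff_snapshots(baseline, current):
    """What changed since the baseline: files added, removed, or altered in content or mode."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

def policy_violations(state, forbidden_bits=0o022):
    """Files whose permissions break the standard (constructed here: no group/world write)."""
    return sorted(p for p, (_, mode) in state.items() if mode & forbidden_bits)

def inconsistent_across_hosts(snapshots):
    """Paths whose content or mode differs between hosts that should be identical."""
    paths = set().union(*(s.keys() for s in snapshots.values()))
    return sorted(p for p in paths if len({s.get(p) for s in snapshots.values()}) > 1)

def demo():
    """Constructed scenario: take a baseline, then simulate the kind of drift a compromise leaves."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(etc / "sshd_config", 0o600)
        os.chmod(etc / "hosts", 0o644)
        baseline = snapshot(root)
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # existing config edited
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "update").write_text("# not in the baseline\n")  # new file appeared
        os.chmod(etc / "cron.d" / "update", 0o644)
        os.chmod(etc / "hosts", 0o666)  # now world-writable: breaks the policy
        return baseline, snapshot(root)
```

Run `demo()` and feed the two snapshots to `diff_snapshots` and `policy_violations`; the edited config, the new file and the loosened permission all surface as evidence, independent of any alert stream.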

So…how good is your IT security kung fu?  And how do you know it’s working?
