Meet the Bloggers

Vaune Carr, Principal Consultant, BT Global Services

Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Jill Knesek, Chief Security Officer, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

Ben Rothke, Senior Security Consultant, BT Global Services

Pete Russo, Senior Marketing Manager, BT Global Services

Bruce Schneier, Chief Security Technology Officer, BT Global Services

Ray Stanton, Global Head of BT’s Business Continuity, Security & Governance Customer Capability Unit

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


Posts tagged Microsoft

Monday, March 15, 2010

Bruce Schneier’s Take on Security at RSA 2010

By Pete Russo, Senior Marketing Manager, BT Global Services

It seems that everyone was shooting videos at RSA this year! While BT's Ben Rothke was interviewing Warren Axelrod, Ira Winkler and Peter Lindstrom, Kevin McLaughlin of Channel Web was interviewing BT's Chief Security Technology Officer and security luminary, Bruce Schneier.

Find out what Bruce has to say about cloud computing, outsourcing, and why, if you’re purchasing security products and services, you shouldn’t believe anyone with a magic bullet.

Friday, February 5, 2010

Operation Aurora: The Dawn of a New Era of Network Attacks

By Toby Weir-Jones, Vice President – Product Development, Managed Security Solutions Group, BT Global Services

Over the past few weeks there has been a great deal of coverage of Google's announcement that it was the target of sophisticated network attacks originating in China. Many have long suspected that Western companies and government agencies were being attacked from China; Operation Aurora was confirmation that online espionage, if not cyber war, is prevalent.

It is interesting to note that the purpose of the attacks was not to gain information for immediate profit, as is typically the case, but to keep tabs on the movement of information between individuals, groups, corporations and government agencies, without needing to filter the content itself.

As has been well documented, Operation Aurora took advantage of a vulnerability in Microsoft's Internet Explorer. This continues a pattern of attacks attributed to China against US networks, the most notable of which, until now, was Titan Rain, first reported in 2003. The specific mode of attack is not new and is not really the story here; sadly, we are all familiar with the proliferation of attacks against browsers and their plugins, the malware they deliver, and the ceaseless buffer overflow attacks against thoroughly vetted products.

But what can companies do to combat these attacks and secure their operations? After all, not doing business in China isn't really an option for most companies recovering from the economic downturn. Nor should we single out China as the only source of suspicious firewall logs, or assume that addresses in the US and Europe are benign.

What can the CSO do, then, to protect the company and customers?

Product vendors will universally claim they could have detected the attacks, either in the raw network traffic (for NIDS products) or in the application data in memory (for AV and HIDS products). However, that level of detection relies on buffer overflow alerts so generic that you will never know where the threat is coming from. In their defense, host products such as AV and HIDS can potentially identify the source of an attack because they are application-aware. But to use them effectively, the advanced application protections need to be enabled, and in practice many are turned off to avoid a flood of false positives.

On the front end, we advise our customers to make sure they are monitoring the right devices and that logging is configured correctly. They also need a well-documented and rehearsed incident response plan in place for when a breach occurs.

In the SOC, what we do is much more time-consuming. Our analysts and engineers relentlessly scour every log and every security and non-security event, collect every piece of contextual evidence and send it back to the lab for analysis, comparing the results from a single customer network against our global customer base so that we can document quickly and accurately that one host in a thousand within a monitored subnet is actually compromised.

Whether the motivation is fraud, spam or espionage is technically immaterial: it has no bearing on finding infected hosts or revealing the methods of attack. What we rely on instead is dozens of combined years of experience in monitoring network security activity; we are not limited to expertise on one or two technologies but have extensive knowledge across numerous vendor platforms. Our CMAL and CBOT modules (first released in 2008) are good examples of advanced technology that solves real business problems, rather than simply offering pretty reports about knee-jerk reactions performed by other devices.

We want to know where an attack is coming from first, and then worry about the details of what it is doing. Security policies don't distinguish between the mechanics of a buffer overflow and a brute-force attempt; they focus on intent, so focusing detection efforts purely on signatures can dangerously restrict your view.
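The "one host in a thousand" hunt described above is, in practice, a prevalence question: which external destination is touched by only one machine on a monitored subnet, and does that machine keep going back on a schedule? The script below is an added example for this post, not BT code and not CMAL or CBOT. It assumes iptables-style outbound ACCEPT lines with an ISO timestamp, uses RFC 5737 test addresses in a constructed sample, and flags a (source, destination) pair only when the destination is rare across the subnet and the inter-arrival gaps are regular. Where the destination geolocates is deliberately not an input, in line with the point above about not singling out one country. The thresholds are assumptions to be tuned against your own baseline.

```python
"""Low-prevalence destination and beaconing analysis over outbound firewall logs.

Added example, not BT code or any BT product: it scores each external
destination by how few internal hosts contact it, then checks whether the
lone host's connections to it are periodic. Geolocation of the destination
is deliberately not an input.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed log shape: iptables-style outbound ACCEPT lines with an ISO timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival gaps.

    Near 0 means the connections are evenly spaced (machine-driven check-ins);
    human browsing produces large, irregular gaps. Returns None for too few hits.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_rare_beacons(lines, max_hosts=1, min_hits=4, max_cv=0.15):
    """Flag (src, dst, dport) pairs where dst is contacted by at most max_hosts
    internal hosts AND the lone host's contacts are periodic. Thresholds are
    assumptions for this example; tune them against your own baseline.
    """
    events = list(parse(lines))
    internal_hosts = {src for _, src, _, _ in events}
    hosts_per_dst = defaultdict(set)   # (dst, dport) -> internal hosts seen
    hits = defaultdict(list)           # (src, dst, dport) -> timestamps
    for ts, src, dst, dport in events:
        hosts_per_dst[(dst, dport)].add(src)
        hits[(src, dst, dport)].append(ts)

    findings = []
    for (dst, dport), hosts in hosts_per_dst.items():
        if len(hosts) > max_hosts:
            continue                      # popular destination: prevalence is normal
        for src in hosts:
            stamps = hits[(src, dst, dport)]
            if len(stamps) < min_hits:
                continue                  # a one-off rare connection is not a beacon
            cv = beacon_score(stamps)
            if cv is not None and cv <= max_cv:
                findings.append({
                    "src": src, "dst": dst, "dport": dport, "hits": len(stamps),
                    "prevalence": f"{len(hosts)}/{len(internal_hosts)}",
                    "interval_cv": round(cv, 3),
                })
    return findings


def constructed_logs():
    """Synthetic sample (constructed for this example; RFC 5737 test addresses)."""
    lines = []
    # 24 hosts in a monitored /24 browse one popular site at irregular times.
    for i in range(24):
        host = f"10.0.5.{10 + i}"
        for k, minute in enumerate((1, 7, 18, 26, 44)):
            mm, ss = minute + (i * 3 + k) % 10, (i * 7) % 60
            lines.append(f"2010-02-01T09:{mm:02d}:{ss:02d} ACCEPT SRC={host} "
                         f"DST=198.51.100.20 DPT=80 LEN=1420")
    # One of them also checks in with a host nobody else touches, every ~10 min.
    for t in ("09:00:00", "09:10:02", "09:19:58", "09:30:01", "09:40:00", "09:50:03"):
        lines.append(f"2010-02-01T{t} ACCEPT SRC=10.0.5.17 DST=203.0.113.9 "
                     f"DPT=443 LEN=612")
    return lines


if __name__ == "__main__":
    for finding in find_rare_beacons(constructed_logs()):
        print(finding)
```

Run stand-alone it reports the single host that phones home on a ten-minute cadence and ignores the 24 hosts sharing a popular web destination, including the same host's ordinary browsing. The two checks are deliberately independent: rarity alone fires on every one-off lookup, periodicity alone fires on NTP and update checks that everyone performs, and only the combination points at the kind of host the post is describing. Feeding the same script logs from several networks, as the post's cross-customer comparison does, turns the prevalence denominator from one subnet into the whole monitored base.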

This is the first post in a series about Aurora that we’re working on.  Next up, Rob Jamison, our Manager of Network Intelligence, will offer up more insights into Aurora’s methods of propagation and detection.

Tuesday, December 22, 2009

Howard A. Schmidt – the right man for the job

By Vaune M. Carr, Principal Consultant, BT Global Services

I would like to send my sincere congratulations to Howard A. Schmidt on his appointment as White House Cybersecurity Coordinator under President Obama. This is an important time in our country's history, as public and private organizations seek the leadership of someone who, like Schmidt, has experience of the challenges of both sectors.

As I stated in a previous post, the job of cybersecurity czar is a daunting one, and no one knows that better than Schmidt, who previously served as cyber-security advisor under George W. Bush.

The one significant change to the position is his direct line of communication with the U.S. President. The job will be one of collaboration and will take on far-reaching aspects, including those related to international law.

Today the security industry as a whole should be hopeful. Schmidt undoubtedly has the business and leadership qualities the position demands. Having also served in the private sector, he can combine commercial savvy with solid government experience to address the unprecedented, global-scale challenges that are unique to cybersecurity.
