Don’t let Brian Krebs be your IDS

Red Canary


If you are of a certain age – back when people got their visual electronic entertainment via broadcast TV – you remember watching a show called 60 Minutes. One of the most well-known TV journalists in the country at the time, Dan Rather, worked for 60 Minutes (among other duties at CBS), where he exposed wrongdoing or shady practices of a variety of organizations. Mr. Rather became the punch line of a not-so-funny joke: If you were the CEO of a company and your secretary informed you that Dan Rather was in the lobby, you should run out the back door.

In these early days of the information age we have a new “Dan Rather” and his name is Brian Krebs. Mr. Krebs is the go-to journalist on data breaches, and a great reporter on computer security issues in general. Today, if your PR rep texts you to say that Brian Krebs wants you to comment on indications that your enterprise has been breached, you should run to your IT department.

If you are familiar with the annual Verizon Data Breach Report you know that most victims of cyber crime have no idea they are victims. If they do find out, the overwhelming majority learn this because someone else told them. If Brian Krebs is your third-party warning of a breach you have a couple of very serious problems:

  1. You’re owned and everyone in the world knows it
  2. None of the defensive measures you took to prevent something like this from happening worked
  3. None of the alerting mechanisms you have in place worked

With regards to the first issue, don’t feel bad about being owned. Like any other company in the security space we can say with some authority that everyone is owned to some degree or another, all the time. The “assumption of breach” is the new normal. The days of people thinking that being owned is a failure on their part are long gone, if they ever existed. There is no shame in being owned unless it is because of gross negligence.

With regards to the second issue, this is not an indictment of your past decision-making on security technology. You need firewalls and anti-virus and intrusion-related tech to filter out the noise in the hopes your security team can hear a meaningful signal.

But the fact of the matter is that even with all that filtering it is still difficult to “hear” malicious activity happening. In some cases the signal is like the noise made by a dog whistle: inaudible to humans; in other cases you may hear it loud and clear but you get jaded. As recent events have shown, no warning is unimportant; it’s just a matter of scale.

“Detection” and “prevention” technology has been around for several decades, but even the so-called next generation of these technologies has yet to demonstrate that it is going to make a dent in compromises that lead to breaches. The future of defense is not how well you keep intruders outside the wall (because that’s not possible), but how you deal with things once the intruders have breached the wall (which is where they are). The faster and more effective your response, the less likely those behind a breach will achieve their ultimate goals (data acquisition and exfiltration). It’s like the difference between being hit by someone on a bicycle and being hit by someone driving a dump truck; they’re both going to hurt, but you can walk away from the former largely unscathed.