This document discusses the concept of symbiotic security, where multiple security tools work together in an integrated ecosystem. It provides an example of how ThreadFix acts as a symbiotic tool by consolidating vulnerability data from different scanners and allowing that data to be used by other tools. The document argues that security tools should provide open APIs and data standards to encourage symbiotic functionality rather than working in isolated "silos". It also demonstrates how ThreadFix allows vulnerability data to be mapped with operational data and prioritized based on actual attacks.

1. THE MAGIC OF SYMBIOTIC
SECURITY
Creating an Ecosystem of Security Systems

2. DAN CORNELL
¢ Founder and CTO of Denim Group
¢ Software developer by background (Java, .NET, etc)
¢ OWASPSan Antonio, Global Membership
Committee
2

3. JOSH SOKOL
¢ Information Security Program Owner at National
Instruments
¢ Chair of the OWASP Global Chapters Committee
¢ Co-Chairof OWASP AppSec USA 2012 (October
23-26 in Austin, TX)

4. BUSINESS REQUIREMENTS
¢ We need an Intrusion Prevention System (IPS).
¢ We’ve budgeted $50,000 for it.
¢ Get us the best tool for our money.
How would you evaluate for purchase?

5. 3 PARTY REVIEWS
RD
¢ Overall Ranking from SC Magazine Feb. 2011
1) McAfee – 5 stars
2) NitroGuard – 5 stars
3) Top Layer Security – 5 stars
4) Sourcefire – 4 stars
5) CounterSnipe – 4 stars

6. INDUSTRY RANKINGS
1) McAfee
2) Sourcefire
3) HP
4) Cisco
5) IBM

7. COST
¢ Lowest cost from SC Magazine Feb. 2011
1) CounterSnipe - $500/site
2) NitroGuard - $6,495
3) Sourcefire - $8,995
4) McAfee - $10,995
5) Top Layer Security - $12,495

8. FEATURES
ü Zero-day threat protection
ü Inline protecting
ü Passive monitoring
ü Support for custom policies
ü Real-time alerting
ü Central management
ü Compliance grade reporting
ü High availability

9. THE INHERENT PROBLEM
¢ 3rdParty Bias
¢ Incomplete Industry Rankings
¢ Cost is ALWAYS Negotiable
¢ Features are commodity

10. TOOLS ARE EVALUATED BASED ON CLASS
FEATURES; NOT ON ENTERPRISE VALUE.
ü Proprietary
Protocols
ü “Greedy”
Vulnerability Mgmt
Malware Analysis
Platforms
Firewall
NAC
IPS
ü Tools Working
in Silos
ü Duplication of
Functionality

11. GAUGING ENTERPRISE VALUE
Separating the Wheat from the Chaff

12. CONSUMER CAPABILITIES
ü Events
ü Alerts
ü SNMP
ü Syslog

13. CONSUMERS CAN BE “GREEDY”
Exploitation –
Parasitism. The
leech gains food
and nutrients,
but the host
gains nothing
from having a
leech suck its
blood.

14. PROVIDER CAPABILITIES
ü Open API
ü Open DB
ü Data Export

15. SYMBIOTIC SECURITY
You can
assemble an
arsenal of
best-in-breed
tools that
work together.
Even smaller
purchases can
have a large
impact.

16. SYMBIOTIC SECURITY IS NOT
¢ A
piece of hardware or software you can
purchase.
¢ A ranking system for vendors.
¢ A label you can slap on your new product.

17. SYMBIOTIC SECURITY IS
¢ A philosophy on how you evaluate purchases.
¢ A
concept for creating an ecosystem of security
systems.
¢ A
means of making the tools we invest in more
valuable to us.

18. BEWARE OF PSEUDO-SYMBIOSIS
¢ Single vendor with multiple product offerings
that work together.
¢ Gives symbiotic functionality, but only within
that vendors tool set.
¢ True Symbiotic Security is about being able to
hand-pick your toolset and have them work
together regardless of brand.

19. SECURITY TOOLS
And Their Classifications

20. DATA IN SILOS
¢ Reputation data: Do I trust the source?
¢ Attack data: How am I being attacked?
¢ Vulnerability data: What attacks are my systems
vulnerable to?
¢ Asset data: What versions of O/S and software
am I running?
¢ Identity data: Who is using my systems?
¢ Data classification: Who should have access to
what?

21. DATA IN SILOS (CONT)
¢ Trust hierarchy: Who do I trust and who trusts
me?
¢ Authentication data: Do I have access?
¢ Authorization data: What can I access?
¢ QA data: What has been tested?
¢ Trust boundaries: Is data crossing between two
trust levels?

22. MAGIC HAPPENS
¢ Should I accept packets from random IP X?
— Reputation data
— Attack data
— Vulnerability data
— Asset data
— Trust boundaries

23. MORE MAGIC
¢ Should I allow random person X to download a file
Y?
— Data classification
— Reputation data
— Authentication data
— Authorization data
— Trust boundaries

24. EVEN MORE MAGIC
¢ WithSymbiotic Security the possibilities are
limited only by the security ecosystem you’ve put
in place.
— Creation of WAF rules based on attack data.
— Is a targeted exploit actually going to affect the
system?
— Should I allow a system on my network?

25. DEMAND SYMBIOTIC SECURITY
¢ Let
vendors know up front that you will be
evaluating the effectiveness of their tool based
on:
1. Other tools in your environment their tool can
consume data from.
2. Other tools in your environment their tool can
provide data to.
3. The net increase in security for your entire tool
ecosystem and not just their tools siloed
functionality.

26. THREADFIX
Symbiotic Security In Action

27. THREADFIX - OVERVIEW
¢ ThreadFixis a software vulnerability
aggregation and management system that helps
organizations aggregate vulnerability data,
generate virtual patches, and interact with
software defect tracking systems.
¢ Freely available under the Mozilla Public License
(MPL)
¢ Hosted at Google Code:
http://code.google.com/p/threadfix/
27

28. ThreadFix Consolidates reports so managers can speak intelligently about
the status and trends of security within their organization
28

29. Vulnerability Import • Pulls in static and dynamic results
• Eliminates duplicate results
• Allows for results to be grouped
29

30. Real-Time Protection Virtual patching helps protect
organizations during remediation
30

31. Defect Tracking • ThreadFix can connect to common defect trackers
• Defects can be created for developers
Integration • Work can continue uninterrupted
31

32. THREADFIX - SYMBIOTIC
¢ Vendor-independent
¢ Ability to consume multiple technologies (SAST,
DAST, IDS/IPS, WAF)
¢ Ability to produce output that can be consumed
by other tools (RESTful API)
¢ Mapping vulnerability data with operational data
in a bi-directional way
¢ Prioritization based on actual attack data rather
than suppositions

33. SUBSET OF SECURITY TOOL
INTERACTIONS

34. DEMO

35. VENDORS: PLEASE SUCK LESS
¢ ThreadFix was created to solve a problem that
security tool vendors have created.
— Proprietary protocols
— Lack of APIs
— Lack of standards
— Play nice!
¢ Some have been very
helpful
— File format info
— Beta testing
— And so on

36. YOU KNOW WHAT WOULD MAKE ALL THIS WAY
EASIER?
¢ Common data standards!
— Scanning tools
— Event logs
— And so on…
¢ Current efforts:
— MITRE Software Assurance Findings
Expression Schema (SAFES)
¢ http://www.mitre.org/work/tech_papers/
2012/11_3671/
— OWASP Data Exchange Format
Project
¢ https://www.owasp.org/index.php/
OWASP_Data_Exchange_Format_Project
36

37. SIMPLE SOFTWARE VULNERABILITY
LANGUAGE (SSVL)
¢ Common way to represent static and dynamic scanner
findings
¢ Based on our experience building importers for
ThreadFix
— It “works” for real-world applications because we are
essentially using it
¢ Love to hear feedback
— Send me a request and I can share the document for
editing/annotation
¢ Online:
— https://docs.google.com/document/d/
1H5hWUdj925TtoZ7ZvnfHdFABe7hBCGuZtLUas29yBGI/
edit?pli=1
— Or http://tinyurl.com/cslqv47
37

38. SIMPLE SOFTWARE VULNERABILITY
LANGUAGE (SSVL)
38

39. VENDORS WIN TOO
¢ Industry vetted standards for communication
¢ Niche products with enterprise functionality
¢ Maximize R&D time and money
¢ Vendors can excel where it matters the most

40. IDEAS TO FURTHER THE CAUSE
¢ Speak
with Gartner about adding symbiotic
characteristics to their evaluation criteria.
¢ Create
a list of tools with symbiotic
characteristics.

41. HELP US HELP THE COMMUNITY
¢ http://www.symbioticsecurity.com/

42. QUESTIONS
Josh Sokol Dan Cornell
josh.sokol@ni.com dan@denimgroup.com
Twitter: @joshsokol Twitter: @danielcornell
www.joshsokol.com www.denimgroup.com
www.webadminblog.com www.denimgroup.com/
threadfix
code.google.com/p/
threadfix
(210) 572-4400
42