[186672] in North American Network Operators' Group
Re: de-peering for security sake
daemon@ATHENA.MIT.EDU (Mike Hale)
Sun Dec 27 16:08:08 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <CAL9jLabbcWtgPap3FPnCkKoC6z7J8HUqJoxPw1eETexk2UfnwQ@mail.gmail.com>
Date: Sun, 27 Dec 2015 13:08:05 -0800
From: Mike Hale <eyeronic.design@gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
"please cite useful numbers"
For what?  IDS?  SIEM?  Log aggregation in general?  For companies
that have none of that, spinning up the best practice systems can
easily cost half a mil a year (QRadar is 200k for our sized
environment; a good netflow system is like 50 [100k+ for something
like Lancope], one FTE to support and manage this as an additional
workload on server and network guys in dealing with issues these tools
find).  And that's just the tip of the iceberg.  An additional 500k a
year is tough to justify (and costs way, way more than simply locking
the doors or hiring a team of security guards at 10 an hour).
Simplistic, of course, but one example of the cost difference.
"Sure it's a new expense (not really, since ... you've always had
security costs) but it's not 'massive'."
Depends on the organization.  For those who don't have a
security-specific team, it is new spend.
"ideally you need 2-3 people (for a larger operation, less for small
shops) with a bunch of automation to help things run along."
Absolutely agree.  So we're looking at 200-300k just in pure salary
cost, plus what, 40% extra for various benefits?
That automation piece too is incredibly pricey (either in time and
labor or software).
"though the parts aren't quite in place today :(
which is sad."
One hundred percent in agreement.  This is much, much harder for the
smaller organizations to take.  I wish there were services that made
this way easier.  I think this is where small system integrators could
partner with security services that provide tier one security response
(something like arctic wolf) and provide that needed coverage...but
that's not inexpensive either (though way cheaper than hiring your own
security dudes).
"the return is not having to fend off the WSJ reporters of the world,
and consequent lawsuits from your customers, subscribers, partners,
etc..."
True.  But how do you put that in money terms?
Obviously, I think the spend is absolutely important, and it's
something that is vitally important to the business.  But I've found
it very challenging in making that case in a way that works, precisely
because of that increased amount of spending.
"but that is changing as more and more get
pwned and the public and legal costs become greater and more apparent.
patience."
It is.  Sony and Target were really useful in that regard.
On Sun, Dec 27, 2015 at 12:51 PM, Christopher Morrow
<morrowc.lists@gmail.com> wrote:
> On Sun, Dec 27, 2015 at 3:32 PM, Mike Hale <eyeronic.design@gmail.com> wrote:
>> "done right the cost shouldn't be super much more."
>> I disagree.  Done wrong, it's not super much more.
>>
>> Done right, it's massively more.
>
> please cite useful numbers... It's not (I think) really all that much
> more. Sure it's a new expense (not really, since ... you've always had
> security costs) but it's not 'massive'.
>
>> Like Randy said, compare salaries alone.  A good security employee
>> will run you, what, 100k or more in the major job markets?  And how
>> many do you need, full time, to provide acceptable coverage for your
>> environment?
>>
>
> ideally you need 2-3 people (for a larger operation, less for small
> shops) with a bunch of automation to help things run along. Ideally
> your 2-3 experts aren't responding to the pager, almost all of that is
> offloaded to your noc/etc staff in a manner that they can actually
> deal with problems NOT as pager-spam which gets turned off. 'high
> quality alerts' with actionable playbooks.
>
> it'd be great if more of this was COTS-able for the smaller shops... I
> bet a bunch of it IS, though the parts aren't quite in place today :(
> which is sad.
>
>> The costs add up really fast without a corresponding return.
>
> the return is not having to fend off the WSJ reporters of the world,
> and consequent lawsuits from your customers, subscribers, partners,
> etc...
>
> -chris
>
>> On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow
>> <morrowc.lists@gmail.com> wrote:
>>> On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale <eyeronic.design@gmail.com> wrote:
>>>> "really isn't a whole lot different from 'lock your damned doors and
>>>> windows' brick/mortar security."
>>>>
>>>> Except it's *massively* more expensive.
>>>>
>>>
>>> is it? how much does a datacenter pay for people + locks + card-key +
>>> pin-pad + ...
>>>
>>> vs
>>>
>>>  the requisite bits for securing their customer portal/backoffice/etc ?
>>>
>>> done right the cost shouldn't be super much more.
>>>
>>> -chris
>>>
>>>> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
>>>> <morrowc.lists@gmail.com> wrote:
>>>>> On Sun, Dec 27, 2015 at 1:59 PM,  <Valdis.Kletnieks@vt.edu> wrote:
>>>>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>>>>
>>>>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>>>>> yes it is in fact two factor.
>>>>>>
>>>>>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>>>>>> of a money grab masquerading as security theater (not even real security).
>>>>>
>>>>> is it that? or is it that once you click the checkboxes on /pci audit/
>>>>> 'no one' ever does the daily due-diligence required to keep their
>>>>> security processes updated/running/current/etc ?
>>>>>
>>>>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>>>>> world where corporations are not people and such) is the equivalent of
>>>>> the little posterboard person 42" tall before the roller-coaster
>>>>> rides, right?
>>>>>
>>>>> "You really, REALLY should have at least these protections/systems/etc
>>>>> in place before you attempt to process credit-card transactions..."
>>>>>
>>>>> In the utopian world this list would be sane, useful and would include
>>>>> daily/etc processes to monitor the security controls for issues... I
>>>>> don't think there's a process bit in PCI about: "And joey the firewall
>>>>> admin looks at his logs daily/hourly/everly for evidence of
>>>>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>>>>> system that does the 'joey the firewall admin' step... but let's walk
>>>>> before running, eh?)
>>>>>
>>>>> so, it's not really a mystery why failures like this happen.
>>>>>
>>>>>> I remember seeing a story a while ago that stated that of companies hit
>>>>>> by a data breach on a system that was inside their PCI scope, something
>>>>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>>>>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>>>>>> are missing a lot of really crucial things for real security.  (And let's
>>>>>> not forget the competence level of the average PCI auditor, as the ones
>>>>>> I've encountered have all been very nice people, but more suited to checking
>>>>>> boxes based on buzzwords than actual in-depth security analysis).
>>>>>
>>>>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>>>>> guilty of this i'm sure as well, but really ... if you put systems on
>>>>> the tubes and you don't take the same care you would for your
>>>>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>>>>> really isn't a whole lot different from 'lock your damned doors and
>>>>> windows' brick/mortar security.
>>>>>
>>>>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>>>>> a claim of strong actual security.
>>>>
>>>>
>>>>
>>>> --
>>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0