http://www.infoworld.com/articles/ct/xml/02/09/23/020923ctinsider.xml

[It's a little stale for ISN, but the mention of TruSecure's covert ops perked my ears. - WK]

September 20, 2002 1:01 pm PT

SECURITY IS ON every CTO's mind these days, but what's the best way to evaluate security threats? TruSecure, a Herndon, Va.-based company, has come up with a risk assessment philosophy that it says focuses on real-world threats. Using a subscription business model, TruSecure sells its services to some 700 corporate customers. InfoWorld spoke with TruSecure CTO Peter Tippett.

What is the overall mission of TruSecure?

We're really trying to change the way people do security. TruSecure is organized around defining risk in a way that's measurable. ... Instead of measuring [risk] in a company, we measure it in the world, an actuarial sort of thing. So we generally don't believe in things like doing a risk assessment at a company or doing vulnerability testing. ... What we've set out to do is figure out what percent of vulnerabilities represents real risk and how we could go about figuring [the risk] out.

We set up a pretty large organization that includes ICSA [International Computer Security Association] Labs, which is a certification and testing facility, like Underwriters Labs. All the firewalls, all the anti-virus products and all those things are there. ... We don't do any consulting; we don't sell any software or any hardware. Instead we sell a service that measures where a company is in relation to things we call "the essential practices." ... Most companies buy a three-year subscription, and during that time, we give them a very, very broad array of security services. ... They get testing, they get alerts, [and] they get decision support. They get what amounts to a help desk.

While everybody else is sitting at home fretting about the crime rate, you're out patrolling the neighborhood?

We are actually out fixing things. ...
[We test] every anti-virus product every day against every virus that's ever happened in the entire world. ... [We do this] by making market-driven mechanisms where people give us -- and want to give us -- the knowledge we need to figure out what's really going on in the world. [For example,] because Cisco hates Check Point, Cisco would be glad to give us an attack that they think Check Point will fail. If we run it and Check Point fails it (or any of the other firewall vendors), then [the vendors] have 10 days to fix it and ship it, or they lose the ICSA Lab certification. That same sort of dynamic model gives us all kinds of inroads to figure out what really is going on in the computer security space.

It sounds like you also have some covert operations going on.

That's true; we call it "IS Recon," and it very much is a covert operation. It's not a hacking group; it's a mole operation. And this group has been operating now for almost six years. And it's had dozens of team members come and go over the time. We don't believe in hiring hackers; we think that's a really bad idea. But we do believe in talking and engaging and figuring out what they're saying to each other.

So we have a really neat set of databases. One that we call "The Brain," and one that we call "The Trough," [and] one that we call "The Trench." And these [databases] are the results of our listening to or engaging people in what they're doing. For example, The Brain database tracks relationships between hacker groups. And currently we track 3,000 or 4,000 individuals in about 800 different groups. And of course, the names change and the groups change pretty constantly, but at any given point in time that's about the number of people whom we track. We track which attacks that they've attacked, [and] which sites they've hacked.

So when you find out who did what, do you then go work with law enforcement?

We have nothing to do with law enforcement.
We have no interest in prosecuting anybody, although it has happened many times that [law enforcement] comes to us. For example, the FBI came to us and asked us who wrote Melissa, and we told them. It took us a day and a half to gather 300 or 400 documents together and give [them] to the FBI to show [the agents] who wrote Melissa. They arrested the guy. We didn't know his real name -- we just knew his e-mail address and his Internet address and his IP and the service provider. ... We know his cat's name and his girlfriend's name, what city he lived in, in which time frames, and what his browser was and what other aliases he used.

To hear Intel and Microsoft tell it, very long instruction words and Palladium will solve all these problems in a couple of years.

I don't think so. Risk is based on people. Technology helps, but whatever the technology is, this is a complex world. And the more complex it gets, the more vulnerable it gets.

Profile: Peter Tippett, TruSecure
* Job title: CTO
* Biggest success: Creating a pragmatic, dynamic, and up-to-date corporate information risk model and tracking network
* Key challenge: Getting people to open up to the power and cost-savings of modeled, dynamic, outsourced risk management
* Favorite escape: Flying

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 02:38:51 PDT