Over the past two months, there has been a tremendous amount of chatter in the security community about the term ‘cyberwar’ and whether or not the US is engaged in a cyberwar. Mike McConnell (former Director of National Intelligence) wrote a pointed op-ed for The Washington Post claiming that, “The United States is fighting a cyber-war today, and we are losing.” His opinions are consistent with the current Director of National Intelligence, Dennis Blair, whose February testimony to the US Senate stated, “Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication. While both the threats and technologies associated with cyberspace are dynamic, the existing balance in network technology favors malicious actors, and is likely to continue to do so for the foreseeable future.”

These statements spurred an excoriating response from the pages of Wired that, “The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.” At the annual RSA security conference Howard Schmidt, the newly appointed White House Cyber-Security Coordinator stated unequivocally that, “There is no cyberwar.” Nonetheless in a Washington Post article on March 19th 2010 Ellen Nakashima dramatically points out the need for clearer cyberwar policies by pointing to US cyber operations already executed and that cyber actions are underway.

Various cyberwar definitions are hotly contested, even more nuance-laden and have a very material impact on the dramatic claims one might make. Below are several observations about cyberspace upon which all well-informed parties agree:

Click here to read the full posting on The Firewall at Forbes.com

It’s a little known fact that NetWitness has been innovating in the security field for over 11 years, which was further validated by the announcement of our recently granted US Patent # 7,634,557. Clearly, when it comes to network analysis we do it better than anyone else, and it’s really the only way to get the results you need.

Reaching back over a decade (ca.1999) when our first patent was filed, ( US Patent # 7,016,951 ), and murmurs of network forensics were swirling from a few experts in the security community, our innovation in this field was in full swing.  The technology was chartered as an analytical application to make sense of network traffic for users with no networking experience.  This in itself was no small task, as I cannot emphasize how difficult it was explaining what an IP address was to an English major. See the snapshot of NetWitness v3.5 ca. 2002, ironically it looks like some our 2010 competition.

In retrospect, NetWitness was conceived in a reverse direction from how most security products end up being developed.  Our strategy was to understand the data FIRST, then figure out how to capture it and scale it reliably into an enterprise.  Honestly, we spent several years trying to determine the best way to present complex network data to our users, which at that time was simple HTTP and SMTP sessions.  We had no idea how the network application profile of an Enterprise would evolve to what it is today.   With that said, we made sure that the advanced methods we developed were flexible enough to evolve with the Internet and the needs of our users.  These methods found their way into these two patents.

The first and most important patent is a method for traffic capture, session reassembly, metadata extraction and recursive port-agnostic service identification. Did you get all that?  Back when Firewall and IDS were tinkering with port numbers for rule logic, NetWitness was beyond that approach over 10 years ago.  The assumption to classify network traffic by port alone is prone to mistakes for reliable security analysis. It was not until recently there was a prominent increase in products that are, or at least market port agnostic support, like application firewalls and some DLP products.

The second patent, the topic of this announcement, extends the core technology by defining a system and method for organizing and describing the traffic we collect.  Yet again an example of how we designed the technology to evolve as the Internet evolved.   The patent specifically focuses on the session data model and structures that fuel the Investigator interface and the user experience.  The result is the most visible difference between NetWitness and our competitors, as well as what provides the analytical value when responding to <INSERT NETWORK PROBLEM HERE>. Another example of the product evolution can be seen in the screenshot below of NetWitness v5 ca. 2004.

Its always been my assertion that to do true network forensics, or really any good network analysis, you need a few key ingredients:

1) Reliable, scalable, and forensically sound network capture.  Unfortunately the vast majority of “network forensic” vendors stop HERE!

2) As you would expect from any forensic science, the technical ability to piece the clues or segments of an event back together is the next logical step. For network forensics its assembling the packets back into full sessions, because without this step you have disparate puzzle pieces, without a complete picture.

3) Then finally the right tools to analyze, correlate, mine and report the findings to humans. Thankfully there is an NetWitness App for that and a free API/SDK too.

These elements combined are the foundation of what NetWitness NextGen is, and the basis of our technology that is truly becoming a game-changer in security.  NetWitness Corporation was founded in late 2006, but unknown to many, the innovation and pioneering environment that fuels the technology today started 10 years earlier.  Enjoy our innovation by using Investigator Freeware, and know that before the security challenges of today really materialized we were hard at work creating solutions for today. Network security products that simply work.

Cheers,

NetWitness v9, ca. 2010.

Chairman and CEO of NetWitness, Amit Yoran, gave testimony yesterday to the House Committee on Homeland Security regarding the Review of the Federal Cyberspace Mission.  The House Committee wanted Mr. Yoran’s input based on his leadership in cyber security in the private and Federal space and his experiences as the first Director of the National Cyber Security Division (NCSD) and standing up the United States Computer Emergency Readiness Team (US-CERT) and Einstein program at the Department of Homeland Security (DHS), and as founder and CEO of Riptech.

Below is his five-minute summary to the Committee.

Ms. Chairwoman and members of the committee, thank you for the opportunity to testify before the Homeland Security Committee on Reviewing the Federal Cybersecurity Mission and for your attention to this important topic.

My name is Amit Yoran and I have a lot to say, so I’ll skip reading you my bio and jump into it.

Any effective national cyber effort must leverage the intelligence community’s superior technical acumen and scalability.  However, it is in grave peril if this effort is dominated by the intelligence community.  Simply put, the intelligence community has always and will always prioritize its own collection efforts over the defense and protection of our government’s and nation’s digital systems.  Where intelligence operations discover a compromise, the decision to inform system defenders or not, lacks transparency.  Mission conflict exists between those defending systems and those attempting to collect intelligence or counter intelligence insights.

The current series of cyber programs call for billions of dollars in funding for intelligence and centralized security efforts but are designed with very little emphasis on helping defenders better protect the systems housing our valuable data and business processes.  For instance the Center for Disease Control, which houses sensitive research and information about biological threats such as Anthrax, has ongoing cyber incidents which it lacks the personnel and technologies to adequately investigate,  In the face of spending billions more on centralized cyber intelligence activities, the CDC’s cyber budget is being cut by 37%.

Intelligence focused, our national cyber efforts are over-classified to the point where catastrophic consequences are highly probable.  High levels of classification prevent the sharing of information necessary to adequately defend systems.  For instance, IP addresses, when classified cannot be loaded into defensive monitoring systems.  It also creates insurmountable hurdles when working with a broad range of government IT staffs that do not have appropriate clearances, let alone when trying to communicate or partner with the private sector.

Classification cannot be used effectively as a cyber defensive technique, only one for avoiding responsibility and accountability. Over-classification leads to a narrowly limited review of any program.  One of the hard learned lessons from the Terrorist Surveillance Program (TSP) is that such limited review can lead to ineffective legal vetting of a program.  The cyber mission cannot be plagued by the same flaws as the TSP.

An immediate, thorough and transparent legal analysis of the governance, authorities, and privacy requirements should be performed on both the efforts used to protect IT systems as well as all cyber collection activities.  Given the broad concerns of over-classification and its cascading consequences, conducting these reviews must be a high priority task.

Cyber research investments are practically nonexistent at a time when bold new visions need to be explored.

The Department of Homeland Security (DHS) has demonstrated inefficiency and leadership failure in its cyber efforts.  While pockets of progress have been made, administrative incompetence and political infighting have squandered meaningful advancement and for years now, while our adversaries continue to aggressively press their advantage. DHS has repeated failed to either attract or retain the leadership and technical acumen required to successfully lead the cyber mission.  While the tendency would be to move the cyber mission to the NSA, it is ill advised for all of the reasons provided in my much longer written testimony.  We must enable civil government to succeed at its defensive mission or also concede that the private sector must be subjugated to intelligence support.

DHS is the natural and appropriate placement for public private partnership and cooperative activities, including those in cyber.  The current set of public private partnerships is at best ill defined.  They categorically suffer from meaningful value creation or private sector incentive.

Such incentives might include tax credits, fines, liability levers, public recognition, or even occur at an operational level, through mechanisms such as the sharing of threat intelligence, technical knowledge or incident response support to name just a few.

Trust relationships when dealing in cyber security matters are critical.  In discussions among privacy and civil liberties groups the role of the NSA in monitoring or defending US networks is debated.  Should such intelligence programs exist, DHS should be very careful before participation in, supporting  or engagement in these activities.   The department’s ability to fulfill its primary mission and responsibilities may be permanently damaged by a loss of public confidence and trust.

At a bare minimum, in order to preserve public trust, any interaction with domestic intelligence collection efforts should be explicitly and clearly articulated.  Such transparency will increase public trust and confidence and offset concerns raised by uncertainty and the uninformed.

DHS must be formally charged with and enabled to build an effective cyber capability in support of securing federal civilian systems.

Special provisions should be made in the hiring, contracting, human resources and political issues within the cyber mission of DHS to prevent it from remaining a victim of the department’s broader administrative failures.

DHS should also be given specific emergency authorities to address security concerns in civil systems, to include the ability to measure compliance with security standards, protocols and practices and take decisive action where organizations are not applying reasonable standards of care.

At present the operations cybersecurity arm of DHS, the US-CERT, remains politically torn apart into three components and completely subjugated to a cadre of detailees from the intelligence community.  In order to regain efficiency, the department’s operational security role activites must be reconsolidated in the US-CERT.  This operational mission is not resourced to succeed with less than 20 government FTEs, and a budget of only $67 million.  Additionally, the US-CERT must be led by a single federal civil executive.

The US-CERT must be provided appropriate staffing levels to move forward and given adequate funding.  Not doing so cannot help but send the strongest message to the cyber community, the rest of government, the intelligence community and the critical infrastructure in the private sector that cybersecurity does not matter to DHS leadership and should not matter to them.

A newly focused US-CERT should report directly to the Secretary of DHS, just as NTOC reports to the Director of the NSA.  The cyber responsibilities of the department must not remain buried in the bureaucracy of DHS or, alternatively, they must be removed and placed in an independent agency where they can succeed.

Amit Yoran’s full written testimony is available for download from the Committee website here.

Video archival footage of this Committee proceeding is available here.