Recently I responded to a well-thought-out blog entry at British Telecom’s Secure Thinking blog. BT bought both INS (consulting) and CounterPane (Bruce Schneier’s MSSP company) to create a strong presence in the US. They employ, along with my friends Ben Rothke and Jim Tiller, some of the best minds in the information security industry today.
In that blog entry, they discussed something they call CMAL, which is a nice tool. They are creating sort of a blacklist that keeps customers informed of malicious actions, or, as they state,
Correlated Malware Detection (CMAL) module provides our customers with a global security perspective on every session that is logged by any monitored firewall.
There is no need for me to further extol the virtues of Bruce. While we don’t always agree, he is amongst the brightest lights in information security today, worldwide. Bruce can see things coming "around the bend" ahead of their time.
This was a well-thought-out article, and I see the value of CMAL. And knowledge-sharing within the infosec community, be it regarding 201 CMR 17 or, as the case is in this article, malware blacklists, is a boon and benefit to would-be affected users.
That said, we need something even better. At the very least, we need a coordinated approach between all (not just major) players to create a blacklist-like database that deployed IPSes can query and cache in real time. We need a mesh approach to such sharing, and we need a US-CERT-like ability to cross industries and geographical boundaries.
Even better? It is time for the entire infosec community to stop using blacklists and start using either whitelists or… more robust technologies (such as an inherently secure computing base). Blacklists no longer work.
What do you think?