Securosis Blog on Securosis

AWS Destroyed the Value Proposition for Bedrock

Wed, 10 Jun 2026 00:00:00 +0000

When you ran inference on AWS Bedrock, the deal was explicit: prompts and completions stayed inside the AWS boundary, and model providers never saw your data. That guarantee is why regulated shops and European organizations route their AI workloads through Bedrock instead of going straight to the model vendor.

AI Will Accelerate Your Tech Debt

Sun, 22 Mar 2026 00:00:00 +0000

The Tech Debt Crisis Is Coming

Like the American middle class living paycheck to paycheck, organizations near or below the security poverty line are one big incident away from catastrophic bankruptcy. They got here through years of underinvesting in core capabilities and unified architecture, not stupidity, but a long series of decisions that prioritized shipping over sustainability. And now every smaller incident consumes the cycles that could have gone toward paying down that debt, making the hole deeper every time. Tech debt isn’t just a code quality problem. It’s an operational survival problem. The environment is too complex to reason about, too brittle to refactor, and too interconnected to safely improve. Every incident response leaves the org a little more exhausted and a little further behind. We’re rapidly approaching a security crisis that looks like the financial crisis of 2008. Thousands, maybe millions, of companies with business models that cannot afford proper security are about to get breached and go out of business. Like the families with mortgages they couldn’t afford, many of these companies were on borrowed time to begin with. The unsympathetic response will be “they shouldn’t have been in business at all,” but people will still be out of work, investors will still be out of money, and the ripple effects will be real. And AI is only going to make this worse.

AI Security Invariants

Sat, 21 Mar 2026 00:00:00 +0000

(Co-Authored with Ariel Septon of Native) Security invariants are a critical component of your cloud and IT governance strategy. However, how can we apply this same thinking to the non-deterministic world of Generative AI?

Going to RSAC 2026? Disaster Recovery Breakfast and MORE!

Mon, 16 Mar 2026 00:00:00 +0000

Someone asked me last week if I was going to RSAC. I replied that I’m pretty sure after I die they’ll prop my body up in a corner of Moscone, Irish wake style. Eventually I’ll retire or move on, but this year isn’t THAT year. I still get tremendous value out of RSAC. Personally I spend nearly no time on the show floor, a lot of time in meetings, and a bit of time in sessions. As a review committee member I see all the content for my track before I show up and I think most people who complain about the conference get blasted by the show floor and don’t go to sessions. The content has improved materially over the past decade, with more deep technical content than most people realize. This year I’m presenting in four sessions (unexpectedly). I’m co-presenting with Aaron Turner on some IANS content on MCP/agent architectures we collaborated on. I’m running a cloud incident analysis workshop with Ryan Bergsma, one of my Cloud Security Alliance co-workers. I’m giving a new presentation on K-12 and “below the security poverty line” orgs with a first-time collaborator, Michael Klein, and I’m facilitating a Fundamentals Forum. I’m also presenting at our CSA Summit on Monday (on the Governance hierarchy… and announcing a new CSA initiative), participating in a panel on OpenClaw, and… yeah, busy week. For the first time we are offering 1-on-1’s to CSA members at the Summit! Yes, I am voluntarily packing my schedule every 30 minutes like back in Gartner days. Just email me for more info on that. But I saved the best for last. The 16th annual Disaster Recovery Breakfast! And for the second time this is hosted by our friends over at 1Password (like, actual friends I’ve known for decades). My kids are on spring break this week and all my content is approved, so I’m off for some family time before my four day marathon, I hope to see you there, and email me at rmogull@securosis.com if you want to catch up or snag one of those 1-on-1 slots on Monday.

AI, have you been drinking?

Mon, 11 Aug 2025 00:00:00 +0000

For the last couple months I have been working with AI security. First with the general architecture and data flows for Generative and Agentic AI systems, and lately more with prompt & response security techniques. These later topics are where AI systems offer greenfield for attackers to apply all the old – and a select few new – attack techniques. I was researching how to coerce AI to misbehave, as part of my introduction to prompt engineering, I am stumbling across cases where we do not need attackers at all – the AI systems seem eager to misbehave all on their own.

The 15th Annual Disaster Recovery Breakfast

Mon, 31 Mar 2025 00:00:00 +0000

It has survived recessions, obsessions, parenthood, natural disasters, pandemics, unnatural disasters, and the rise and fall of eateries great and small. That’s right, it’s the Securosis RSAC Disaster Recovery Breakfast! This year we’ve changed things up thanks to our new partner, 1Password, who reached out and offered to host the DRB in their event space just up the street from the Moscone center. With all the changes in the restaurant scene in that particular area of town… you can understand how this… reduced our annual organizational stress. As always this is a quiet hangout of an event. Drop in and out as you please to catch up with friends, strangers, and… well, whoever wanders in. An RSVP is appreciated to make sure we have enough food, but as always is not required. We hope to see you there! Optional RSVP at https://events.1password.io/RSA2025#

Announcing the CloudSLAW Patreon!

Tue, 25 Feb 2025 00:00:00 +0000

TL;DR: Support CloudSLAW Here!

I know that as most of you lay your weary heads to rest every night (or morning, for you night shifters), the last thought that fires through your synapses is, “I really wish I could get more CloudSLAW!”

And then a not-a-miracle occurs...

Sun, 24 Nov 2024 00:00:00 +0000

It’s a perfect fall Sunday morning here in Phoenix. After a brutally hot summer the air is cool, the sky is clear, and the fresh air is drifting into the hotel ballroom while I wait for my daughter to take the stage in the Irish dance regionals competition.

Enterprise Governance Is Failing Cloud Security

Fri, 18 Oct 2024 00:00:00 +0000

We have a major problem. It isn’t really getting better, and soon a critical window of opportunity will close that we can’t afford to lose. I don’t say this lightly, and I think anyone who has read my prior work knows I am not prone to FUD. No one can possibly know the actual percentage of enterprise workloads and applications that have moved to cloud, but every statistic I could find estimates that, at most, it is somewhere in the range of 25% (here’s one Gartner take). I think under 25% is likely accurate, but I estimate that well over 90% of organizations have some production workloads in cloud, including SaaS and PaaS/IaaS. The lake is wide but only deep for a relatively small number of enterprises. This is natural and expected; it takes decades to transition existing workloads, especially when they are running happily in datacenters and there’s no major driver to move them out. This is our window. Most organizations are in the shallow end of the pool, staring wistfully at the adventurous kids jumping off the high dive and frolicking around in the deep end. We have a choice – wait, learn to swim, or strap on some floaties and hope for the best. Oh, and there’s no lifeguard and there are most definitely some sharks. With lasers. If organizations don’t improve their cloud governance, they have no chance of meaningfully improving their cloud security. That’s bad enough with today’s relatively limited cloud adoption, but as we gradually move more and more workloads to the cloud, without effective governance the problem will increase exponentially. Nearly every single cloud security issue and breach is the direct result of a governance failure, not a technology failure.

On TidBITS: My Take on Apple Intelligence and Private Cloud Compute

Mon, 01 Jul 2024 00:00:00 +0000

I just published a piece on Apple Intelligence at TidBITS that I’m pretty excited to release. I wrote it (literally sitting poolside on vacation) to try and explain why this matters to someone even if they don’t know anything about AI or security. For those of us in cloud security, some really interesting things are going on:

Old Dog, New Tricks [Final Incite: June 24, 2024]

Mon, 24 Jun 2024 00:00:00 +0000

TL;DR: Back in December, I took a job as head of strategy and technology for a candy-importing company called Dorval Trading. To explain the move I dusted off the confessor structure, and also performed a POPE evaluation of the opportunity below. I’ll be teaching at Black Hat this summer, so I hope to see many of you there. Otherwise you can always reach me at my Securosis email, at least until Rich cancels my account.

The Cloud Shared Irresponsibilities Model

Tue, 04 Jun 2024 00:00:00 +0000

The next phase of cloud security won’t be about shiny new products or services, although we’ll have those. It won’t be about stopping the next world-ending cloud 0-day, but we’ll continue trying to prevent them. It won’t be about AI, but we’ll still have to do something with AI to appease our machine overlords. It will be about making cloud deployments more inherently secure through better, smarter defaults, and better, smarter, and yes, cheaper, built-in capabilities. Here’s why: When I first started researching and working with public cloud about 15 years ago, I realized that cloud providers have massive economic incentives to be better at security than your organization. A major breach of a cloud provider that affects all (or most) tenants would be an existential event which would destroy trust in that provider and crater their business. We’ve arguably had moderate multi-tenant events, and are witnessing events in real time — wondering whether my theory will stand, and a major CSP will suffer from a direct breach (as a result of Microsoft’s recent incidents and the CISA CSRB report). This was the origin of the shared responsibilities model. There’s a waterline in the technology: below it the cloud provider is responsible for ensuring the services you consume are inherently secure. Above it you are responsible for how you secure and configure what you use. Security is transitive. When I build on a service, I am only as secure as the underlying service. It turns out this plays both ways. It’s a two-way door. Security impacts are also transitive. If a customer on a cloud platform suffers a major security breach, every headline includes the name of the cloud provider. Sure, you can blame the customer for misconfiguring your service, but that doesn’t mean everyone won’t still think you’re responsible.

AWS Cloud Incident Analysis Query Cheatsheet

Mon, 20 May 2024 00:00:00 +0000

I’ve been teaching cloud incident response with Will Bengtson at Black Hat for a few years now, and one of the cool side effects of running training classes is that we are forced to document our best practices and make them simple enough to explain. (BTW — you should definitely sign up for the 2024 version of our class before the price goes up!) One of the more amusing moments was the first year we taught the class, when I realized I was trying to hand-write all the required CloudTrail log queries in front of the students, because I had only prepared a subset of what we needed. As I wrote in my RECIPE PICKS post, you really only need a handful of queries to find 90% of what you need for most cloud security incidents.

Let Your Devs and Admins See the Vulns

Mon, 13 May 2024 00:00:00 +0000

A year or so ago I was on an application security program assessment project in one of those very large enterprises. We were working with the security team and they had all the scanners, from SAST/SCA to DAST to vulnerability assessment, but their process was really struggling. It took a long time for bugs to get fixed, things were slow to get approved and deployed, and remediating in-production vulnerabilities could also be slow and inefficient. At one point I asked how vulnerabilities (anything discovered after deployment) were being communicated back to the developers/admins? “Oh, that data is classified as security sensitive so they aren’t allowed access.” Uhh… okay, So you are not letting the people responsible for creating and fixing the problem know about the problem? How’s that going for you? This came up in a conversation today about providing cloud deployment administrators access to the CSPM/CNAPP. In my book this is often an even worse gap, since a large percentage of organizations I work with do not allow the security team change access to cloud deployments, yet issues there are often immediately exploitable over the Internet (or you have a public data exposure… just read the Universal Cloud Threat Model, okay?). Here are my recommendations:

New Accidental Research Release: The Universal Cloud Threat Model (UCTM)

Tue, 23 Apr 2024 00:00:00 +0000

The conversation went something like this: Me: “Hey Chris, want to co-present at RSA? I have this idea around how we fix things when we get dropped into a new org and they have a cloud security mess.” Chris: “Sure, you want to write up the description and submit it?” Me: “Yep, on it!” [A couple months later] Chris: “So what’s this Universal Cloud Threat Model you put in the description?” Me: “Oh, I just thought we’d make fun of all the edgy cloud security attack research since nearly every attack is just the same 3 things over and over.” Chris: “Yeah, sounds about right, want to hop on a quick call to map out the slides?” [A two hour spontaneous Zoom call later] Chris: “Crap, I think we need to write a paper.” Me: “Really?” Chris: “Yeah, this is good stuff.” Me: “Fine. But only if we can put my cat in as a threat actor. He just broke a bowl and is making a move on my bourbon .” Chris: “Sure, what’s his name?” Me: “Goose” Chris: “Well what did you expect?” You can download the UCTM here. And read Chris’ absolutely epic announcement post in the voice of Winston Churchill!

Sisense: Learning Lessons Before the Body Hits the Ground

Fri, 12 Apr 2024 00:00:00 +0000

Look, we don’t yet know what really happened at Sisense. Thanks to Brian Krebs and CISA, combined with the note sent out by the CISO (bottom of this post), it’s pretty obvious the attackers got a massive trove of secrets. Just look at that list of what you have to rotate. It’s every cred you ever had, every cred you ever thought of, and the creds of your unborn children and/or grandchildren. Brian’s article has basically one sentence that describes the breach:

You are infected with Epstein-Barr. You are also infected with the next XZ.

Fri, 05 Apr 2024 00:00:00 +0000

Nearly everyone in the United States (and probably elsewhere) is infected with the Epstein-Barr virus at some point in their life. Most people will never develop symptoms, although a few end up with mono. Even without symptoms you carry this invasive genetic material for life. There’s no cure, and EBV causes some people to develop cancers and possibly Multiple Sclerosis, Chronic Fatigue Syndrome, and other problems. Those later diseases are likely caused by some other precipitating even or infection that “triggers” a reaction with EBV. Look, I have most of a molecular biology degree and I’m a paramedic and I won’t pretend to fully understand it all. The tl;dr is EBV is genetic material floating around your body for life and at some point it activates or interacts with something else and causes badness. (Me write good! Use words!) As I’ve been reading about the XZ Initiative (I’m using initiative deliberately due to the planning and premeditation) the same week that the CISA CSRB released their scathing report on Microsoft, it’s damn clear that our software supply chain issues are as deep as the emptiness of my cat’s soul. (I mean I love him, and I’m excited he’s coming back from the hospital this afternoon, but I couldn’t come up with a more-amusing analogy). If you aren’t up to date on all things XZ I suggest reading Matt Johansen’s rollup in his Vulnerable U newsletter. Here’s how EBV and XZ relate, at least in my twisted mind. XZ was clearly premeditated, well planned, sophisticated, and designed to slowly spread itself under the radar for many years before being triggered. There is absolutely no chance this approach hasn’t already been used by multiple threat actors. As much as I hate FUD and hyperbole, I am 100% confident that there is code in tools and services I use that has been similarly compromised. We didn’t miraculously catch the first ever attempt, because a Microsoft dev is anal-retentive about performance. XZ is the first such exploit which got caught. If I were a cybercriminal or government operative, I would already have several of these long-term attacks underway. You are welcome to believe our record is 1 for 1. I think it’s 1 catch of N attacks, and N scares me. I also do not believe we can eliminate this threat vector. I don’t think the best SAST/SCA tools and a signed SBOM have any chance at making this go away. Ever. That doesn’t mean we give up and lose hope — we just change our perspective and focus more on resilience to these attacks than pure prevention. I don’t have all the answers — not even close — but there are three aspects I think we should explore more. First, let’s make it harder on threat actors. Let’s increase their costs. How? Well, aside from all the improved security scanning over the past few years, I like the idea Daniel Miessler recently mentioned in a conversation and noted in his newsletter: use AI to automatically perform open source intel (OSINT) on OSS contributors. Do they have a history outside that code repo? Any real human interactions? This will be far from perfect, but will likely increase the cost of attack to build a persona which looks sufficiently real. We also have compromises in commercial software (hello Solar Winds). Vendors need to explore better internal code controls, sourcing, and human processes. E.g. require YubiKeys from all devs, side channel notifications and approvals of commits, and I suspect there are some new and innovative scanning approaches we can take as AI evolves (until it evolves past humanity and enslaves us all). E.g. “this may not be a known security defect, but it looks weird compared to this developer’s history, so maybe ping another ~~future energy source~~ human to review it”. I’m also a fan of making critical devs work on dedicated machines separate from the ones they use for email and web browsing, to reduce phishing/malware as a vector. No, I haven’t ever had anyplace I’ve worked approve that, but I have heard of some shops which pulled it off. The final part is preparing for the next XZ that slips through and is eventually triggered. Early detection, rapid remediation, and all the other hard expensive things. SBOM/SCA/DevSecOps are key here: you MUST be able to figure out where you are using any particular software package, and be able to implement compensating defenses (e.g., firewalls) and patch quickly. This is NOT SIMPLE AT SCALE, but it’s your best bet as the downstream customer for these things. None of what I suggested is easy. I think this is the next phase of the Assume Breach mindset. You can’t cure EBV. You can’t prevent all possible negative outcomes. But you can reduce some risks, detect others earlier, and react aggressively when those first cancer cells show up.

It's Time for a Microsoft Trustworthy Cloud Initiative

Wed, 03 Apr 2024 00:00:00 +0000

“All cloud security failures are IAM failures, and all IAM failures are governance failures." — me on Twitter (too many years ago to find)

The 14th Annual RSAC Disaster Recovery Breakfast Is on!

Wed, 03 Apr 2024 00:00:00 +0000

Over 15 years ago (pre-Blip) I wanted to do something fun and casual for friends and Securosis readers at the annual RSA Conference… that I, as a budding entrepreneur, could actually afford. I started calling around and found a little place called Jillian’s right near the conference willing to open up early and serve breakfast for a reasonable rate. We ended up with around 50 people dropping in and out over those few hours, just mostly sitting around a table talking about whatever. Little did I know that our Disaster Recovery Breakfast would outlast Jillian’s, and, it seems, downtown San Francisco? I also never thought it would peak out at one point at around 300 people and inspire dozens of copycats. But one thing never changed — the casual atmosphere, the chance to talk without having to scream into someone’s ear, and the great conversations fueled by coffee (and the occasional Irish coffee). Once again, we’re back! Like last year we are hosting at the Pink Elephant which is just a few minutes walk and totally worth it if you want breakfast burritos or an omelette. This year we have two of our long-standing partners helping us out, plus a new (old) face. Here are the details:

Resolve 90% of Cloud Incidents with RECIPE PICKS

Thu, 07 Mar 2024 00:00:00 +0000

As any long-time readers know, I constantly abuse my past experiences and hobbies to try and make my current work sound WAY more interesting than it probably is. Or maybe it’s just an ego thing, I don’t want to think too hard about it. But, on occasion, lessons from my parallel lives actually inspire some original work. As a paramedic and a pilot I have had to memorize many dozens of mnemonics, and I’ve forgotten many more. Mnemonics are proven to be highly effective memory devices even in the midst of intense stress, like flying a plane or working a 9-1-1 call. For example, I learned “SAMPLE” for taking a patient’s history probably 30 years ago and I still use it today because in the insanity that is some calls it can be easy to lose track and forget a fundamental. This I always remember to ask about Signs and Symptoms, Allergies, Medications, Prior medical history, Last oral intake, and Event (why did they call us today?). Having issues ventilating an intubated patient? Use DOPE. Accidentally put your airplane into a spin? Use PARE (Power, Aileron, Rudder, Elevator). The more you drill these the better they work. I memorized RAKETS for my private pilot checkride but I definitely need to look that one up (it’s used to figure out if you can still fly a plane with a broken part). We don’t really use these in infosec, and I think it’s time to change that. Thus I present to you RECIPE PICKS for cloud incident response. This one hit me yesterday on an internal dev review call in one window while finishing my paramedic recertification in an open browser tab. For 4 years now here is how I’ve taught what to look for first in a cloud incident: I have the students leave that one up when we start the scenarios and live fire exercises. But standing in the shower I came up with a much better way to remember what to do. NOTE: the order doesn’t matter, as with SAMPLE it’s to make sure you don’t miss anything (the format breaks a little at the end due to this sites rendering, sorry): R esource (current config/state) E vents (api call(s) on that resource) C hanges (diff plus associated API calls) I dentity (who made the triggering change or API call) P ermissions (of the identity; informs the blast radius) E ntitlements (of the resource: e.g. it’s IAM role or managed identity) P ublic (is it public?) I P (all API calls from that IP address) C aller (all other API calls from the calling identity) tracK(look for indications of a pivot; e.g. role chaining) forenS ics (on a resource, or digging into resource logs) These steps shouldn’t be done in order, except the last two probably need to be the last two (especially the forensics). This is all based on the process I’ve figured out over the years and I estimate you can probably close 90% of incidents relatively quickly by pulling this data. I’m definitely going to start trying to build more of these into my trainings, and I’ll do some more blog posts in the coming weeks on how to use RECIPE PICKS. I’d also be remiss if I didn’t link over to a work blog post on how our platform does most of this automatically on every incident. Let me know what you think and if I missed anything. Just email rmogull@securosis.com since I have comments turned off due to all the ridiculous spam.

Check out the shiny new Cloud Security Maturity Model 2.0!

Tue, 27 Feb 2024 00:00:00 +0000

I’m pretty excited about this one. We are finally releasing version 2.0 of the Cloud Security Maturity Model. This is the culmination of nearly 9 months of research and analysis, a massive update from the original released in 2020. The tl;dr is that this version is not only updated to reflect current cloud security practices, but it includes around 100 cloud security control objectives to use as Key Performance Indicators — each matched 1:1 (where possible) with a technical control you can assess (AWS for now— we plan to expand to Azure and GCP next).

I Broke the 3-2-1 Rule and Almost Paid The Price!

Thu, 22 Feb 2024 00:00:00 +0000

This post isn’t about some fancy new research. Consider it a friendly nudge to floss. I’m pretty Type A about backing up and have data going back 20+ years at this point. I’m especially particular about my family photos. Until yesterday (this is called foreshadowing) my strategy was:

Regression to the Fundamentals

Tue, 06 Feb 2024 00:00:00 +0000

After 25 years in technology, mostly in security, I recently realized I’m regressing. No, not in terms of my mental acuity or health (although all of you would be better judges on my brain function), but more in terms of my career. And no, I don’t mean I’m going back to the Helpdesk… and according to my children and most of my family I never really left anyway. Not that I’m paid for it. Well, sometimes with some cookies. But never enough cookies. It’s just that the longer I do this the more I realize that it’s the fundamentals that really matter. That as much as I love all the fun advanced research, all that work really only addresses and helps a relatively small percentage of the world. The hard problems aren’t the hard problems; the hard problems are solving the easy problems consistently. We mostly suck at that. What’s fascinating is that this isn’t a problem limited to security. I really noticed it recently when I was working on my paramedic recertification. As a paramedic I can do all sorts of advanced things that involve drugs, electricity, and tubes. In some cases, especially cardiac arrest, the research now shows that you, the bystander, starting good quality CPR early is far more important than me injecting someone with epinephrine. In fact, studies seem to indicate that epi in cardiac arrest does not improve long term patient outcomes. CPR and electricity (AEDs) for the win. Advanced clinicians for myself? Useful and necessary, but useless without the fundamentals before we get there. Back to security. As a researcher (and a vendor) we are drawn to the hard problems. I’m not saying they don’t matter — they very much do. As much as AI is in the hype machine right now it’s there for a reason and we need experts engaged early, even if most of what they’ll do will fail because AI is a truly disruptive innovation. If you don’t believe me just re-read this sentence after the 2024 election. And some basic problems need new innovations instead of banging our heads against the wall. Passwordless is a great example of attacking an intractable problem with hard engineering that is invisible to users. As much as I’d like to be doing more leading-edge research, I keep finding myself focusing on the basics, and trying to help other people do the basics better. Let’s take cloud incident response, my current bread and butter. Will Bengtson and I keep coming up with all sorts of cool, advanced cloud attacks to include in our IR training at Black Hat. The reality is those are mostly there so people think we are smart and to keep the rare advanced students interested. Nearly all cloud attacks a student working on a real IR team will encounter are the same two or three “simple” things. Lost or stolen credentials used for crypto, ransomware, or data exfiltration, or hacking a vulnerable public-facing instance for… crypto, ransomware, or data exfiltration. Instead of spending my time on leading-edge research I’m building training for people with zero experience. I’m working on simple models which hopefully help people focus better. On the product side I’m focusing more on basic problems that seem to slip through the gaps. Chris Farris and I are working on a new talk and threat modeling approach to focus consistently on the fundamentals which really matter, not all the crazy advanced stuff in your inbox every day. Researchers and research teams mostly publish on the fun, interesting and advanced things because that’s more intellectually interesting and gets the headlines. There’s nothing wrong with that — we need it — but never forget that the basics matter more. I still get FOMO from time to time, but in the end I can do a lot more good at a much larger scale focusing on helping with fundamentals. Simple isn’t sexy, but without plumbers we’re all covered in shit pretty damn quickly. As a paramedic the one thing we are exceptional at is facing utter chaos, identifying what will kill you, and keeping things from getting worse. Maybe I biased my career from the start. Chris says he objects to being called a simple problem. Please humor him. Will just asked that I spell his name correctly.

Is This Thing Still On?

Thu, 01 Feb 2024 00:00:00 +0000

I started a blog in 2006. This blog, to be precise. I kinda just wanted a blog. Blogs were cool. Twitter wasn’t really a thing yet. YouTube was only like a year old. The iPhone was hiding in an engineering and design lab. I didn’t expect securosis.com to be around 18 years later. I certainly didn’t expect it would become my full time job for 15 of those years. I most definitely didn’t expect to take on partners, spin out a product startup, have kids, lose my hair, grow… other hair, lose a partner (to a bank, not the grave, if there’s a difference), and, as of last weekend, migrate the entire site to our fourth hosting provider and third new software stack without losing any significant content. And most embarrassing of all, I didn’t expect to not write on my own site for… 3 years. But that’s what happens when you build a startup that gets acquired (and I still work there full time), your consulting customers keep you super busy with hands-on technical projects, and you spend a chunk of the pandemic running around playing paramedic. Oh, and when your kids hit the age where you and your wife effectively become unpaid ride share drivers. Now it’s time to come home. I’m still working and writing at FireMon and other places, but thanks to the success of CloudSLAW (my lab a week newsletter/blog/YouTube channel) I have the itch to just start blogging about random non-day-job security stuff again. I also have some new research on the way, and maybe some friends will be dropping in. Securosis (the company) is just for side projects now, and weirdly I think that gives me a freedom in my writing I forgot about. We just moved the site and I’m slowly updating things. In the coming weeks I also plan to pull some old posts from the 18-year history of this site and rip them to shreds with my modern knowledge and sensibilities. I hope some of you stick around for the ride, but I plan to have fun no matter what.

The THIRTEENTH Annual Disaster Recovery Breakfast: Changing of the Guard

Wed, 29 Mar 2023 00:00:00 +0000

What a long, strange trip it’s been over the last 3 years. In fact, the last time I saw many of you was at the last Disaster Recovery Breakfast in 2020. Within two weeks of that event, the world shut down due to COVID. Well, a lot has changed since then. DisruptOps was acquired by Firemon in September 2021. In early 2022, Rich decided he wanted to see our cloud security vision through and dedicate his full-time efforts to the Cloud Defense product. In July of 2022, I decided to partner with Alan Shimel and Mitch Ashley and join Techstrong as head of the research business. We still do cloud security training and house our cloud security content in Securosis, but we’ve both moved on. Our long-time venue for the DRB, Jillian’s (then TableTop Tap House) in San Fransisco, didn’t survive the pandemic. They went out of business in early 2022 and took our deposit for the 2022 DRB with them. Ouch. But given the lack of venues and the rescheduling of the RSA Conference to June 2022, we couldn’t pull off the breakfast last year. But this year, we are back. But it’s different. We have a different venue, which is The Pink Elephant (142 Minna St). We have a different organizer, which is now Techstrong and our Security Boulevard site. We have mostly the same sponsors, so we need to thank our pals at IANS, LaunchTech, and AimPoint Group. Their support is critical. So yes, we’ve had a changing of the guard. But what isn’t different is breakfast. It’s still a place where you can grab some breakfast and see some friends without the pomp and circumstance of a major conference. We hope to see you there.

Heading to Techstrong

Tue, 12 Jul 2022 00:00:00 +0000

The phone rang. On the other end, I heard a booming voice many of you are familiar with. “Hey Mikey! What’s shaking? What’s your plan now that Rich is with Firemon?” It was Alan Shimel, my good friend and head of Techstrong Group. It was maybe 10 minutes after Rich’s announcement had hit Twitter. I told Alan I would stay the course, but he had other ideas. “We should do something together. Think about it.” So I did. We had a call a few days later and started sketching out what it would look like if I joined Alan and the team. I’d want to build a research team since that’s what I love to do. I’d also like to have a hand in developing the corporate strategy. Alan said that sounded great; when can I start? I wasn’t there yet. I needed to know more about the business. I needed to spend some more time with the team. So I made the pilgrimage down to Boca to do a working session with Alan and see what we could work out. I learned that Techstrong is at the center of some pretty disruptive technology shifts, like DevOps (yes, DevOps.com is ours), cloud-native computing, containers (containerjournal.com), microservices, and of course, security (securityboulevard.com). There is an excellent events business with tons of virtual events. I’ve been a guest on TechstrongTV more times than I could count, so I know about their video capabilities. And the company has a top-notch customer list. So there is an exciting platform to build on. But could I have an impact? Next, I dug into the research business that another old friend, Mitchell Ashley, created. There are some short reports and they did some speaking gigs, but Techstrong Research didn’t have a point of view about where the markets are heading. So it was “research,” but not the kind of research I do. So yeah, I can have an impact on Techstrong Research. The timing also felt right. My youngest kids are off to college in August, so it’s a good time to make some changes. It’s not like my partners at Securosis haven’t done a similar thing. Adrian headed off into corporate cloud land a couple of years ago. Rich made a move to Firemon earlier this year. As much as I loved the 12 years with Securosis, I’m ready to tilt at another windmill. Though it had to be the right situation, and I found that with Techstrong. I’m happy to say I’m taking my talents to ~~South Beach~~ Boca. I’ve taken the role of Chief Strategy Officer of Techstrong Group and General Manager of Techstrong Research. The intangibles made this an easy decision for me. It’s about working with my friends. It always has been. I have been fortunate to work with Rich and Adrian for the past 12 years. When we spun out DisruptOps, I was able to work with Jody Brazil, Brandy Peterson, and Matt Eberhart. And now I get to work with my good friends Alan, Mitch, and Parker. I have no illusions about how much work lies ahead. I’m back to building a research business, and it’s very exciting. Ultimately I’m a builder, and I’m lucky to have the opportunity to build with another set of good friends. Securosis is still a thing. Rich and I will continue to run our cloud security curriculum and training activities here. But Securosis will no longer function as an analyst firm. I’ll continue to support existing clients, but that work will transition to Techstrong Research when it makes sense. I’m not sure if this is good or bad, but you’ll see a lot more of me. I’ll be visible across the Techstrong network, writing, speaking, and interviewing exciting companies. I’ll be publishing trends and forward-looking research and ensuring that Techstrong has a strong point of view about where technology is going. I’ll be at Black Hat, so if you are there, let me know. It’ll be great to meet up, and I can fill you in on all the cool stuff we do at Techstrong.

SOC 2025: Operationalizing the SOC

Mon, 18 Apr 2022 00:00:00 +0000

So far in this series, we’ve discussed the challenges of security operations, making sense of security data, and refining detection/analytics, which are all critical components of building a modern, scalable SOC. Yet, there is an inconvenient fact that warrants discussion. Unless someone does something with the information, the best data and analytics don’t result in a positive security outcome. Security success depends on consistent and effective operational motions. Sadly, this remains a commonly overlooked aspect of building the SOC. As we wrap up the series, we’re going to go from alert to action and do it effectively and efficiently, every time (consistently), which we’ll call the 3 E’s. The goal is to automate everything that can be automated, enabling the carbon (you know, humans) to focus on the things that suit them best. Will we get there by 2025? That depends on you, as the technology is available, it’s a matter of whether you use it.

SOC 2025: Detection/Analytics

Thu, 10 Mar 2022 00:00:00 +0000

We spent the last post figuring out how to aggregate security data. Alas, a lake of security data doesn’t find attackers, so now we have to use it. Security analytics has been all the rage for the past ten years. In fact, many security analytics companies have emerged promising to make sense of all of this security data. It turns out analytics aren’t a separate thing; they are part of every security thing. That’s right, analytics drive endpoint security offerings. Cloud security products? Yup. Network security detection? Those too. It’s hard to envision a security company of scale without analytics playing a central role in providing value to their customers. As a security leader, what do you have to know about analytics and detection as you figure out how the SOC should evolve? First, it’s not about [analytics technique A] vs. [analytics technique B]. It’s about security outcomes, and to get there you’ll need to start thinking in terms of the SOC platform.

SOC 2025: Making Sense of Security Data

Tue, 08 Feb 2022 00:00:00 +0000

Intelligence comes from data. And there is no lack of security data, that’s for sure. Everything generates data. Servers, endpoints, networks, applications, databases, SaaS services, clouds, containers, and anything else that does anything in your technology environment. Just as there is no award for finding every vulnerability, there is no award for collecting all the security data. You want to collect the right data to make sure you can detect an attack before it becomes a breach. As we consider what the SOC will look like in 2025, given the changing attack surface and available skills base, we’ve got to face reality. The sad truth is that TBs of security data sit underutilized in various data stores throughout the enterprise. It’s not because security analysts don’t want to use the data. They don’t have a consistent process to evaluate ingested data and then analyze it constantly. But let’s not get the cart before the proverbial horse. First, let’s figure out what data will drive the SOC of the Future.

SOC 2025: The Coming SOC Evolution

Mon, 24 Jan 2022 00:00:00 +0000

It’s brutal running a security operations center (SOC) today. The attack surface continues to expand, in a lot of cases exponentially, as data moves to SaaS, applications move to containers, and the infrastructure moves to the cloud. The tools used by the SOC analysts are improving, but not fast enough. It seems adversaries remain one (or more) steps ahead. There aren’t enough people to get the job done. Those that you can hire typically need a lot of training, and retaining them continues to be problematic. As soon as they are decent, they head off to their next gig for a huge bump in pay. At the same time, security is under the spotlight like never before. Remember the old days when no one knew about security? Those days are long gone, and they aren’t coming back. Thus, many organizations embrace managed services for detection and response, mostly because they have to. Something has to change. Actually, a lot has to change. That’s what this series, entitled SOC 2025 is about. How can we evolve the SOC over the next few years to address the challenges of dealing with today’s security issues, across the expanded attack surface, with far fewer skilled people, while positioning for tomorrow? We want to thank Splunk(you may have heard of them) for agreeing to be the preliminary licensee for the research. That means when we finish up the research and assemble it as a paper, they will have an opportunity to license it. Or not. There are no commitments until the paper is done, in accordance with our Totally Transparent Research methodology.

New Age Network Detection: Use Cases

Wed, 18 Aug 2021 00:00:00 +0000

As we wrap up the New Age Network Detection (NAND) series, we’ve made the point that network analysis remains critical to finding malicious activity, even as you move to the cloud. But clearly, collection and analysis need to change as the underlying technology platforms evolve. But that does put the cart a bit ahead of the horse. We haven’t spent much time honing in on the specific use cases where NAND makes a difference. So that’s how we’ll bring the series to a close. To be clear, this is not an exhaustive list of use cases, but it hits the high points and helps you understand the value of NAND relative to other means of detection.

Papers Posted

Mon, 12 Jul 2021 00:00:00 +0000

It turns out that we are still writing papers and posting them in our research library, even though far less frequently than back in the day. Working with enterprises on their cloud security strategies consumes most of our cycles nowadays. When we’re not assessing clouds or training on clouds or getting into trouble, we’ve published 3 papers over the past year. I’ve finally posted them to the research library for you to check out.

New Age Network Detection: Collection and Analysis

Tue, 06 Jul 2021 00:00:00 +0000

As we return to our series on New Age Network Detection, let’s revisit our first post. We argued that we’re living through technology disruption on a scale, and at a velocity, we haven’t seen before. Unfortunately security has failed to keep pace with attackers. The industry’s response has been to move the goalposts, focusing on new shiny tech widgets every couple years. We summed it up in that first post:

New Age Network Detection: Introduction

Tue, 25 May 2021 00:00:00 +0000

Like the rest of the technology stack, the enterprise network is undergoing a huge transition. With data stores increasingly in the cloud and connectivity to SaaS providers and applications running in Infrastructure as a Service (IaaS) platforms, a likely permanently remote workforce has new networking requirements. Latency and performance continue to be important, but also being able to protect employee devices in all locations and providing access to only authorized resources. Bringing the secure network to the employee represents a better option to solve these requirements instead of forcing the employee onto the secure network. The network offers a secure connection; thus, you no longer backhaul traffic on-prem to run through the corporate web proxy or go through a centralized VPN server. And the operational challenges of running a global network forces the likely embrace of managed networking service to allow organizations to focus on what rides on top of the network and less on building and operating the pipes. Using capabilities like a software-defined perimeter (or Zero Trust Network Access, if you like that term better) and intelligent routing gets employees to the resources they need, quickly and efficiently. Pretty compelling, eh? But alas, it’ll be a long time before we fully move to this new model because installed base. Many companies still have a lot of enterprise networking gear, and the CFO said they couldn’t just toss it. Most sensitive corporate data remains on-prem, meaning we’ll still need to maintain interoperability with the data center networks for the foreseeable future. But to be clear, networks will look much different in 5 - 7 years. As exciting as these new networks may be, you can’t depend on the service provider to find adversaries in your environment. You can’t expect them to track a multi-faceted attack from the employee to the database they targeted as they pivot through various connections, compromised devices, and data stores. Even if you don’t manage the network, you need to detect and eradicate attackers, and if anything doing that across these different networks and cloud services makes it even harder. What’s the urgency? We’ve been in the security business for close to 30 years, and disruption happens slower than you expect. This Bill Gates quote sums it up nicely: “We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. Don’t let yourself be lulled into inaction.” There is a lot to unpack there. What kind of actions should you be taking?

Securing APIs: Empowering Security

Thu, 15 Apr 2021 00:00:00 +0000

As discussed in Application Architecture Disrupted, macro changes including the migration to cloud disrupting the tech stack, application design patterns bringing microservices to the forefront, and DevOps changing dev/release practices dramatically impact building and deploying applications. In this environment, the focus turns to APIs as the fabric that weaves together modern applications. Alas, the increasing importance of APIs also makes them a target. Historically, enterprises take baby steps to adopt new technologies, experimenting and finding practical boundaries to meet security, reliability, and resilience requirements before fully committing. Requiring a trade-off between security and speed, it may take years to achieve widespread usage of new technologies. But that isn’t fast enough with the expectation that today’s businesses will move fast and break stuff. As a result, DevOps organizations don’t play by the same rules governing IT adoption of new technologies. In fact, DevOps happened because corporate IT couldn’t move fast enough. These DevOps teams adopt these technologies first and ask for permission later. There needs to be a middle ground where the organization can implement security as part of the tech stack, ensuring adherence to security policies, including protecting critical data, while moving fast enough to deliver in each application sprint.

Securing APIs: Modern API Security

Mon, 29 Mar 2021 00:00:00 +0000

As we started the API Security series, we went through how application architecture evolves and how that’s changing the application attack surface. API Security requires more than traditional application security. Traditional application security tactics like SAST/DAST, WAF, API Gateway, and others are necessary but not sufficient. We need to build on top of the existing structures of application security to protect modern applications. So what does API Security look like? We wouldn’t be analysts if we didn’t think in terms of process and lifecycle. Having practiced security for decades, one of the only truisms which held up over time has been visibility, then control. There are a hundred ways to describe it, like “you can’t manage what you can’t see,” and they are right. Let’s use that prism to look at API security, and that means starting with visibility.

Securing APIs: Application Architecture Disrupted

Fri, 05 Mar 2021 00:00:00 +0000

When you think of disruption, the typical image is a tornado coming through and ripping things up, leaving towns leveled and nothing the same moving forward. But disruption can be slow and steady, incremental in the way everything you thought you knew has changed. Securing cloud environments was like that, initially trying to use existing security concepts and controls, which worked well enough. Until they didn’t and forced a re-evaluation of everything that we thought we knew about security. The changes were (and still are for many) challenging, but overall very positive. We see the same type of disruption in how applications are built, deployed, and maintained within most organizations. Macro changes include the migration to cloud disrupting the tech stack, application design patterns bringing microservices to the forefront, and DevOps changing dev/release practices. As we’ve been slowly navigating this sea change, the common thread between these changes is an increasing reliance on application programming interfaces (APIs). From a security standpoint, this new dependence on APIs changes the source of risk - it’s not just the front end under siege from traditional attacks and recon activities that map out backend processes. APIs have quickly emerged as the most attractive and least protected target within these new applications since they have access to critical data and services. Thus, we’ve decided to document this disruption and the impact on how you have to view application security moving forward. We’re happy to introduce our latest blog series called Securing APIs: The New Application Attack Surface. In the series, we’ll go through how application architecture and the attack surface is changing, how application security needs to evolve to deal with these disruptions, and how to empower security in an environment where DevOps rules the roost. Because that is the way. Let’s give thanks to Salt Security as the potential licensee of this blog series before we get started. As a refresher for those new around here, we don’t write sponsored papers. We publish research for practitioners that we may license to a vendor at the end of the process. That gives us the flexibility to go where our research takes us without undue influence. It’s a bit of a counter-intuitive model, but we’ve been doing it for 13 years at this point, and it works pretty well.

Infrastructure Hygiene: Success and Consistency

Mon, 01 Mar 2021 00:00:00 +0000

We went through the risks and challenges of infrastructure hygiene, and then various approaches for fixing the vulnerabilities. Let’s wrap up the series by seeing how this kind of approach works in practice and how we’ll organize to ensure the consistent and successful execution of an infrastructure patch. Before we dive in, we should reiterate that none of the approaches we’ve offered are mutually exclusive. A patch does eliminate the vulnerability on the component, but the most expedient path to reduce the risk might be a virtual patch. The best long-term solution may involve moving the data layer to a PaaS service. You figure out the best approach on a case-by-case basis, balancing risk, availability, and the willingness to consider refactoring the application.

Infrastructure Hygiene: Fixing Vulnerabilities

Fri, 26 Feb 2021 00:00:00 +0000

As discussed in the first post in the Infrastructure Hygiene series, the most basic advice we can give on security is to do the fundamentals well. That doesn’t insulate you from determined and well-funded adversaries or space alien cyber attacks, but it will eliminate the path of least resistance that most attackers take. The blurring of infrastructure as more tech stack components become a mix of on-prem, cloud-based, and managed services further complicate matters. How do you block and tackle well when you have to worry about three different fields and multiple teams playing on each field? Maybe that’s enough of the football analogies. As if that wasn’t enough, now you have no margin for error because attackers have automated the recon for many attacks. So if you leave something exposed, they will find it. They being the bots and scripts always searching the Intertubes for weak links. Although you aren’t reading this to keep hearing about the challenges of doing security, are you? So let’s focus on how to fix these issues.

Infrastructure Hygiene: Why It’s Critical for Protection

Mon, 22 Feb 2021 00:00:00 +0000

After many decades as security professionals, it is depressing to have the same issues repeatedly. It’s kind of like we’re stuck in this hacker groundhog day. Get up, clean up after stupid users, handle a new attack, fill out compliance report, and then do it all over again. Of course, we all live in an asymmetrical world when it comes to security. The attackers only have to be right once, and they are in your environment. The defenders only have to be wrong once, and the attackers also gain a foothold. It’s not fair, but then again, no one said life was fair. The most basic advice we give to anyone building a security program is to make sure you do the fundamentals well. You remember security fundamentals, right? Visibility for every asset. Maintain a strong security configuration and posture for those assets. Patch those devices efficiently and effectively when the vendor issues an update. Most practitioners nod their head about the fundamentals and then spend all day figuring out how the latest malware off the adversary assembly line works — or burning a couple of days threat hunting in their environment. You know, the fun stuff. The fundamentals are just… boring. The fact is, the fundamentals work, not for every attack but a lot of them. So we’re going to provide a reminder of that in this series we are calling Infrastructure Hygiene: The First Line of Security. We can’t eliminate all of the risks, but shame on us if we aren’t making it harder for the adversaries to gain a foothold in your environment. It’s about closing the paths of least resistance and making the adversaries work to compromise your environment. We want to thank our pals at Oracle for potentially licensing the paper. We appreciate a company that is willing to remind its folks about the importance of blocking and tackling instead of just focusing on the latest, shiniest widget.

Data Security in the SaaS Age: Quick Wins

Wed, 05 Aug 2020 00:00:00 +0000

As we wrap up our series on Data Security in the SaaS age, let’s work through a scenario to show how these concepts apply in a specific scenario. We’ll revisit the “small, but rapidly growing” pharmaceutical company we used as an example in our Data Guardrails and Behavioral Analytics paper. The CISO has seen the adoption of SaaS accelerate over the past two years. Given the increasing demand to work from anywhere at all organizations, the CTO and CEO have decided to minimize on-premise technology assets. A few years ago they shifted their approach to use data guardrails and behavioral analytics to protect the sensitive research and clinical trial data generated by the business. But they still need a structured program and appropriate tools to protect their SaaS applications. With hundreds of SaaS applications in use and many more coming, it can be a bit overwhelming to the team, who needs to both understand their extended attack surface and figure out how to protect it at scale. With guidance from their friends at Securosis, they start by looking at a combination of risk (primarily to high-profile data) and broad usage within the business, as they figure out which SaaS application to focus on protecting first. The senior team decides to start with CRM. Why? After file storage/office automation, CRM tends to be the most widespread application, representing the most sensitive information stored in a SaaS application: customer data. They also have many business partners and vendors accessing the data and the application, because they have multiple (larger) organizations bringing their drugs to market; they want to make sure all those constituencies have the proper entitlements within their CRM. Oh yeah, and their auditors were in a few months back, and suggested that assessing their SaaS applications needs to be a priority, given the sensitive data stored there. As we described in our last post, we’ll run through a process to determine who should use the data and how. For simplicity’s sake, we’ll generalize and answer these questions at a high level, but you should dig down much deeper to drive policy.

Data Security in the SaaS Age: Thinking Small

Mon, 22 Jun 2020 00:00:00 +0000

Our last post in Data Security in a SaaS World discussed how the use and sharing phases of the (frankly partially defunct) Data Security Lifecycle remain relevant. That approach hinges on a detailed understanding of each application to define appropriate policies for what is allowed and by whom. To be clear, these are not – and cannot be – generic policies. Each SaaS application is different and as such your policies must be different, so you (or a vendor or service provider) need to dig into it to understand what it does and who should do it. Now the fun part. The typical enterprise has hundreds, if not thousands, of SaaS services. So what’s the best approach to secure those applications? Any answer requires gratuitous use of many platitudes, including both “How do you eat an elephant? One bite at a time.” and that other old favorite, “You can’t boil the ocean.” Whichever pithy analogy you favor for providing data security for SaaS, you need to think small, by setting policies to protect one application or service at a time. We’re looking for baby steps, not big bangs. The big bang killed initiatives like DLP. (You remember DLP, right?) Not that folks don’t do DLP successfully today – they do – but if you try to classify all the data and build rules for every possible data loss… you’ll get overwhelmed, and then it’s hard to complete the project. We’ve been preaching this small and measured approach for massive, challenging projects like SIEM for years. You don’t set up all the SIEM rules and use cases at once – at least not if you want the project to succeed. The noise will bury you, and you’ll stop using the tool. People with successful SIEM implementations under their belts started small with a few use cases, then added more once they figured out how to make a few sets set work. The Pareto principle applies here, bigtime. You can eliminate the bulk of your risk by protecting 20% of your SaaS apps. But if you use 1,000 SaaS apps, you still need to analyze and set policies for 200 apps – a legitimately daunting task. We’re talking about a journey here, one that takes a while. So prioritization of your SaaS applications is essential for project success. We’ll also discuss opportunities to accelerate the process later on — you can jump the proverbial line with smart technology use.

Data Security in the SaaS Age: Focus on What You Control

Mon, 15 Jun 2020 00:00:00 +0000

As we launched our series on Data Security in the SaaS Age, we described the challenge of protecting data as it continues to spread across dozens (if not hundreds) of different cloud providers. We also focused attention on the Data Security Triangle, as the best tool we can think of to keep focused on addressing at least one of the underlying prerequisites for a data breach (data, exploit, and exfiltration). If you break any leg of the triangle you stop the breach. The objective of this research is to rethink data security, which requires us to revisit where we’ve been. That brings us back to the Data Security Lifecycle, which we last updated in 2011 in parts one, two and three).

Insight 6/2/2020: Walking Their Path

Thu, 04 Jun 2020 00:00:00 +0000

Between Mira and I, we have 5 teenagers. For better or worse, the teenage experience of the kids this year looks quite a bit different; thanks COVID! They haven’t really been able to go anywhere, and although things are loosening up a bit here in Atlanta, we’ve been trying to keep them pretty isolated. To the degree we can. In having the kids around a lot more, you can’t help but notice both the subtle and major differences. Not just in personality, but in interests and motivation. Last summer (2019) was a great example. Our oldest, Leah, was around after returning a trip to Europe with her Mom. (remember when you could travel abroad? Sigh.) She’s had different experiences each summer, including a bunch of travel and different camps. Our second oldest (Zach) also spent the summer in ATL. But he was content to work a little, watch a lot of YouTube, and hang out with us. Our third (Ella) and fifth (Sam) went to their camps, where each has been going for 7-8 years. It’s their home and their camp friends are family. And our fourth (Lindsay) explored Israel for a month. Many campers believe in “10 for 2.” They basically have to suffer through life for 10 months to enjoy the 2 months at camp each year. I think of it as 12 for 2 because we have to work hard for the entire year to pay for them to go away. Even if all of the kids need to spend the summer near ATL, they’ll do their own thing in their own way. But that way is constantly evolving. I’ve seen the huge difference 6 months at college made for Leah. I expect a similar change for Z when he (hopefully) goes to school in the fall. As the kids get older, they learn more and inevitably think they’ve figured it out. Just like 19-year-old Mike had all the answers, each of the kids will go through that invincibility stage. The teenage years are challenging because even though the kids think they know everything, we still have some control over them. If they want to stay in our home, they need to adhere to certain rules and there is (almost) daily supervision. Not so much when they leave the nest, and that means they need to figure things out – themselves. I have to get comfortable letting them be and learning lessons. After 50+ years of screwing things up, I’ve made a lot of those mistakes (A LOT!) and could help them avoid a bunch of heartburn and wasted time. But then I remember I’ve spent most of my life being pretty hard-headed and I that I didn’t listen to my parents trying to tell me things either. I guess I shouldn’t say didn’t, because I’m not sure if they tried to tell me anything. I wasn’t listening. The kids have to walk their own path(s). Even when it means inevitable failure, heartbreak, and angst. That’s how they learn. That’s how I learned. It’s an important part of the development process. Life can be unforgiving at times, and shielding the kids from disappointment doesn’t prepare them for much of anything. The key is to be there when they fall. To help them understand what went wrong and how they can improve the next time. If they aren’t making mistakes, they aren’t doing enough. There should be no stigma of failing. Only to quitting. If they are making the same mistakes over and over again, then I’m not doing my job as a parent and mentor. I guess one of the epiphanies I’ve had over the past few years is that my path was the right path. For me. I could have done so many things differently. But I’m very happy with where I am now and am grateful for the experiences, which have made me. That whole thing about being formed in the crucible of experience is exactly right. So that’s my plan. Embrace and celebrate each child’s differences and the different paths they will take. Understand that their experiences are not mine and they have to make and then own their choices, and deal with the consequences. Teach them they need to introspect and learn from everything they do. And to make sure they know that when they fall on their ass, we’ll be there to pick them up and dust them off. Photo credit: “Sakura Series” originally uploaded by Nick Kenrick

Data Security in the SaaS Age: Rethinking Data Security

Wed, 03 Jun 2020 00:00:00 +0000

Securosis has a long history of following and publishing on data security. Rich was the lead analyst on DLP about a zillion years ago during his time with Gartner. And when Securosis first got going (even before Mike joined), it was on the back of data security advisory and research. Then we got distracted by this cloud thing, and we haven’t gone back to refresh our research, given some minor shifts in how data is used and stored with SaaS driving the front office and IaaS/PaaS upending the data center (yes that was sarcasm). We described a lot of our thinking of the early stages of this transition in Tidal Forces 1 and Tidal Forces 3, and it seems (miraculously) a lot of what we expected 3 years ago has come to pass. But data security remains elusive. You can think of it as a holy grail of sorts. We’ve been espousing the idea of “data-centric security” for years, focusing on protecting the data, which then allows you to worry less about securing devices, networks, and associated infrastructure. As with most big ideas, it seemed like a good idea at the time. In practice, data-centric security has been underwhelming as having security policy and protection travel along with the data, as data spreads to every SaaS service you know about (and a bunch you don’t know about), was too much. How did Digital Rights Management work at scale? Right. The industry scaled back expectations and started to rely on techniques like tactical encryption, mostly using built-in capabilities (FDE for structured data, and embedded encryption for file systems). Providing a path of least resistance to both achieve compliance requirements, as well as “feel” the data was protected. Though to be clear, this was mostly security theater, as compromising the application still provided unfettered access to the data. Other techniques, like masking and tokenization, also provided at least a “means” to shield the sensitive data from interlopers. New tactics like test data generation tools also provide an option to ensure that developers don’t inadvertently expose production data. But even with all of these techniques , most organizations still struggle with protecting their data. And it’s not getting easier.

Insight 5/27/2020: Samson

Wed, 27 May 2020 00:00:00 +0000

Do you ever play those wacky question games with your friends? You know, where the questions try to embarrass you and make you say silly things? I was never much of a game player, but sometimes it’s fun. At some point in every game, a question about your favorite physical feature comes up. A lot of people say their eyes. Or their legs. Or maybe some other (less obvious) feature. It would also be interesting to ask your significant other or friends what they thought. I shudder to think about that. But if you ask me, the answer is pretty easy. It’s my hair. Yeah, that sounds a bit vain, but I do like my hair. Even though it turned gray when I was in my early 30s, that was never an impediment. It probably helped early in my career, as it made me seem a bit older and more experienced, even though I had no idea what I was doing (I still don’t). The only issue that ever materialized was when I first started dating Mira (who also has great hair). She showed my picture to her daughter (who was 12 at the time), and she asked, “why are you dating that old guy?” That still cracks me up. This COVID thing has created a big challenge for me. I usually wear my hair pretty short, trimmed with a clipper on the sides, and styled up top. But for a couple of months, seeing my stylist wasn’t an option. So my hair has grown. And grown. And grown. As it gets longer, it elevates. It’s like a bird’s nest elevation. You know, like losing your keys in there elevation. I could probably fit a Smart Car in there if I don’t get it cut at some point soon. If I’m going to grow my hair out, I want to have Michael Douglas’s hair. His hair is incredible, especially during his Black Rain period. The way his hair flowed as he was riding the motorcycle through Tokyo in that movie. It was awesome, but that is not to be. My destiny is to have big bird nest hair. Mira told me to shave it off. I have a bunch of friends that have done the home haircut, and it seems to work OK. I learned that a friend of mine has been doing his hair at home for years. And he looks impeccable even during the pandemic. I’m a bit jealous. I even bought a hair clipper to do it myself. I figured I’d let one of the kids have fun with it, and it would make for a fun activity. What else are we doing? The clipper is still in its packaging. I can’t bring myself to use it. Even if the self-cut turned out to be a total fiasco, my hair grows so fast it would only take a few weeks to grow out. So we aren’t talking about common sense here. There is something deeper in play, which took me a little while to figure out. I used to wear my hair very short in college during my meathead stage. So it’s not that I’m scared of really short hair. Then I remembered the one time I did a buzz cut as an adult. It was the mid-90s when I was 60 lbs heavier and into denim shirts. Yes, denim shirts were cool back then, trust me. So combine a big dude with a buzz cut in a denim shirt, and then one of my friends told me I looked like Grossberger from Stir Crazy, that was that. No more buzz cut. Clearly, I’m still scarred from that. I guess I have a bit of a Samson complex. It’s like I’ll lose my powers if I get a terrible haircut. I’m not sure what powers I have, but I’m not going to risk it. I’ll just let the nest keep growing. Mira says she likes it, especially when I gel my hair into submission and comb it straight back. I call it the poofy Gekko look. But I fear the gel strategy won’t last for much longer. By the end of the day, the top is still under control, but my sides start to go a little wacky, probably from me running my hands through my hair throughout the day. I kind of look like Doc Brown from Back to the Future around 6 PM. It’s pretty scary. What to do? It turns out hair salons were one of the first businesses to reopen in Georgia. So I made an appointment for mid-June to get a cut from my regular stylist. Is it a risk? Yes. And I’ve never checked her license, but I’m pretty sure her name isn’t Deliah. The salon is taking precautions. I’ll be wearing a mask and so will she. We have to wait outside, and she cleans and disinfects everything between customers. It’s a risk that I’m willing to take. Because at some point, we have to return to some sense of normalcy. And for me, getting my hair cut without risking a Grossberger is the kind of normalcy I need.

Insight 5/14/2020: Hugs

Thu, 14 May 2020 00:00:00 +0000

The pandemic is hard on everyone. (says the Master of the Obvious) It’s a combination of things. There are layers of fear — both from the standpoint of the health impact, as well as the financial challenges facing so many. We cannot underestimate the human toll, and unfortunately, the US has never prioritized mental health. As I mentioned last week in my inaugural new Insight, I’m not scared for myself, although too many people I care about are in vulnerable demographics. I’m lucky that (at least for now) the business is OK. I work in an industry that continues to be important and for a company that is holding its own. But it’s hard not to let the fear run rampant. The Eastern philosophies teach us to stay in the moment. To try to focus on what’s right in front of you. Do not fixate on decisions made or roads not taken. Do not think far ahead about all of the things that may or may not come to pass. Stay right here in the experience of the present. And I try. I really try to keep the things I control at the forefront. Yet there is so much I don’t control about this situation. And that creates a myriad of challenges. For example, I don’t control the behavior of others. I believe the courteous thing to do now is wear a mask when in public. There are certainly debates about whether the masks make a real difference in controlling the spread of the novel coronavirus. But when someone near me is wearing a mask, it’s a sign (to me anyway) that they care about other people. Maybe I’m immunocompromised (thankfully I’m not). Maybe I live with someone elderly. They don’t know. The fact is they likely don’t have the infection. But perhaps they do. It’s about consideration, not about personal freedoms. I have the right to approach someone sitting nearby and fart (from 6 feet away, of course). But I don’t do that because it’s rude. I put wearing a mask into the same category. But alas, I don’t control whether other people wear masks. I can only avoid those that don’t. NY Governor Andrew Cuomo said it pretty well. I don’t control who takes isolation seriously and who doesn’t. Many people have decided to organize small quarantine pods who isolate with each other because they don’t see anyone else. This arrangement requires discipline and trust and doesn’t scale much past 2 or 3 families. Being in a blended household means that I had my pod defined for me. There are my household and the households of both of our former spouses. It’s hard to keep everyone in sync. My kids were staying with their Mom in the early days of quarantine. But my son was seeing other kids in the neighborhood. Not a lot, but a few. And supposedly those kids were staying isolated – until they weren’t. One of the neighbors had a worker in the house and then had a visitor who was a healthcare professional in Canada. Sigh. So he goes into isolation for two weeks, and I can’t see my kids. Then my former spouse got religion about isolation and decided that she wasn’t comfortable with my pod, which includes Mira’s former spouse. She doesn’t know him, and in this situation, trust is challenging. Sigh. Another six weeks of not seeing my kids. Mira and I have done a few social distance walks with them, but it’s hard. You wonder if they are too close. So we adapted and set up chairs in a parking lot and hung out. It’s tough. All I wanted to do was hug my kids, but I couldn’t. To be clear, in the grand scheme of things, this is a minor problem. A point in time that will pass. Maybe in 6 months, or maybe in a year. But it will pass. And I’ve got it good, given my health and ability to still work. Many people don’t. They may be alone, or they may not have a job. Those are big problems. But I also don’t want to minimize my experience. It sucks not to be able to parent your kids. It’s getting more complicated by the day. Things in Georgia (where I live) are opening up. Many of the kid’s friends are getting together, and the reality is that we can’t keep them isolated forever. So their Mom and I decided we would keep things locked down through the end of May and then revisit our decision in June. My kids could stay with me for a little while. And that happened last week. When I went over to pick them up, I was overcome. It was only a hug, but it felt like a lot more than that. Over the past week, I got to wake them up, pester them to do online classes, eat with them, and sit next to them as we watched something on Netflix. We were going to figure out week by week where the kids would stay. I’m not going anywhere, so that would work great. But the best-laid plans… I found out that my oldest is seeing her friends. And isn’t socially distancing. Sigh. She’s an adult (if you call 19 an adult), and she made the decision. I’m unhappy but trying to be kind. I’m trying to understand her feelings as her freshman year in college abruptly ended. She went from the freedom of being independent (if you call college independent living) to being locked up in her Mom’s house. That when you are 19, you don’t really think about the impact of your actions on other people. That you can get depressed and forget about the rules and do anything to take a drive with a couple of friends. And now the other house where my kids live is no longer in my pod. One of the kids is with me, and she’ll stay for a couple of weeks. But after that, we have to go back to isolation. It’ll no more hugs for a while. And it makes me sad. Hug? originally uploaded by Simon Hayhurst

Insight 5/4/2020: Confessions

Mon, 04 May 2020 00:00:00 +0000

It’s a sunny late spring day. Mike steps into the dank building and can smell the must. It feels old but familiar. Strangely familiar. The building looks the same, but he knows it’s different. Too much time has passed. He steps into the confessional and starts to talk. Mike: Forgive me. It’s been almost 3 and a half years since I’ve been here. I’d say it was because I have been busy, which I have. But it’s not that. I spent close to 13 years here, and I had gone through a pretty significant personal transformation. As I was navigating the associated transitions, I guess I just wanted to live a bit and integrate a lot of the lessons I’ve learned behind the scenes for a while. Confessor: OK. That seems reasonable. How’s that been going? Mike: Pretty good, I’d say. I mentioned my new love (her name is Mira). We got married in mid-2017. I’ve packed my oldest daughter off to college last August and my step-son leaves for his college hopefully at the end of this summer. We’ve got a wonderful blended family and we’ve made some close friends as well. Physically I’m good as well. I’ve been able to maintain my fitness through intense workouts (thanks to OrangeTheory) and use the time in class as my mindfulness practice. And I just try to improve a little bit each day and live my life with kindness and grace. Confessor: How’s work going? You mentioned being busy, but what does that mean? Everyone is busy. Mike: That’s a good point. Culturally there is some kind of weird incentive to be busy. Or to look busy, anyway. Rich and I have been grinding away. Adrian decided to move on last December, so we’ve just kept pushing forward. Evidently cloud security is a thing, so we’ve benefited from being in the right place at the right time. But we spend a lot of time thinking about how work changes and the impact to security. We don’t quite know what it will look like, but we’re pretty sure it accelerates a lot of the trends we’ve been talking about for the past 5 years. I’m also happy to say DisruptOps is doing well (we closed a Series A back in late February). I guess I’m just grateful. I work with great people and I can still pay the bills, so no complaints. Confessor: Hmmm. So you are in a good spot personally and the business is doing well. It seems that you used the time away from here productively. Why come back now? Mike: I found that being here was a way of documenting my journey, for me. And that many of the people here enjoyed it and learned a thing or two. The fact is we are in the midst of a very uncertain time. Our society has undergone shocks to the system and we’re all trying to figure out what a “new normal” looks like. I don’t have any answers, to be clear, but I want to share my fears, my hopes, and my experiences and hope that we’ll all navigate these challenging and turbulent waters together. Confessor: Fear. That’s a good place to start. What are you scared of? Mike: Simply put, that COVID-19 impacts people that I love. We’ve been lucky so far, taking the quarantine seriously, but I am not taking that for granted and continuing to stay inside. Good thing I can come here virtually. Strangely enough, I have little fear regarding my own physical well-being. I made a deal with Mira that we’d be together for at least 44 years and I plan to make good on that deal. But our parents are old and in some cases, immunocompromised. We can’t control what other people do and whether they respect the threat or the science. So it’s definitely scary. Confessor: How are you holding up mentally? Mike: It’s tough. My head was spinning. I was consumed by the news and reacting to most every Tweet. It wasn’t productive. So I’ve started seated meditation again. I just needed to shut down my thoughts, even for a short time, and open up to possibility. To get into the habit of controlling my thoughts, my outlook, and my mood. Meditation helps me do that. And it’s hard to not be able to do the things we love and have no idea when things will return to some semblance of normal. You know, doing simple things that I took for granted, like travel. Mira and I love to travel and we’re very fortunate to go on very cool trips. We can’t see shows or live sports for the time being. That sucks. I also value the time I can spend with clients and at conferences. Who knew that the RSA Conference would be the last time many of us will travel for business for who knows how long? But you make the best of it. Confessor: We’ve changed a lot in the time that you were away. There are new people here. Some have moved on. Mike : It’s not like I’m the same person either. We’re all constantly changing. The goal is to navigate change in the most graceful way possible. I like to think my changes have been positive. I don’t need to act like a grump anymore, I was happy to leave that aspect of my persona behind. I think there is also something to be said about the wisdom of experience. I don’t claim to be wise, but I have a lot of experience. Mostly screwing things up. Hopefully, I’ll be able to continue sharing that experience here and we can learn together. We’re in uncharted territory and that can be pretty exciting if you are open to the inevitable changes ahead. Confessor: So when will you be back? And I suspect it won’t look the same, will it? Mike: You are pretty perceptive. I always enjoyed that about being here. I’m going to aim to visit twice a month. Maybe more often when I have a lot to say. Maybe a little less often at times too. And yes, it will look a bit different. First off, I’m changing the name. Kind of. When I retired a few years ago, it was because the term incite didn’t fit anymore. But the idea of providing insight does. It’s really what I want to do. So that’s what we’ll call my periodic visits. So welcome back to the Insight. Confessor: I have to say, I’m glad you’re back. It’s been way too long… Mike: Thanks. It’s nice to be home. Photo credit: “seeking confession” from Chris Booth

Understanding COVID, ARDS, and Mechanical Ventilation

Wed, 01 Apr 2020 00:00:00 +0000

April 7 Update: some research is emerging since I posted this that COVID related ARDS is not typical ARDS. Here’s the medical reference for providers but it’s very early evidence so far we should keep an eye on:COVID-19 Does Not Lead to a “Typical” ARDS. This was further validated by an article in MedScape that previews some emerging peer-reviewed research. Thus while my explanations of ARDS and ventilators is accurate, the ties to COVID-19 are not and new treatment protocols are emerging. Although this is a security blog, this post has absolutely nothing to do with security. No parallels from medicine, no mindset lessons, just some straight-up biology. As many readers know I am a licensed Paramedic. I first certified in the early 1990’s, dropped down to EMT for a while, and bumped back up to full medic two years ago. Recently I became interested in flight and critical care and completed an online critical care and flight medic course from the great team at FlightBridgeED. Paramedics don’t normally work with ventilators – it is an add-on skill specific for flight and critical care (ICU) transports. I’m a neophyte to ventilator management, with online and book training but no practice, but I understand the principles, and thanks to molecular biology back in college, have a decent understanding of cellular processes. COVID-19 dominates all our lives now, and rightfully so. Ventilators are now a national concern and one the technology community is racing to help with. Because of my background I’ve found myself answering a lot of questions on COVID-19, ARDS, and ventilators. While I’m a neophyte at running vents, I’m pretty decent at translating complex technical subjects for non-experts. Here’s my attempt to help everyone understand things a bit better. The TL;DR is that COVID-19 damages the lungs, which for some people triggers the body to overreact with too much inflammation. This extra fluid interferes with gas exchange in the lungs, and oxygen can’t as easily get into the bloodstream. You don’t actually stop breathing, so we use the ventilators to change pressure and oxygen levels, in an attempt to diffuse more oxygen through this barrier and into the lungs without, causing more damage by overinflating them.

Mastering the Journey—Building Network Manageability and Security for your Path

Thu, 27 Feb 2020 00:00:00 +0000

This is the third post in our series, “Network Operations and Security Professionals’ Guide to Managing Public Cloud Journeys”, which we will release as a white paper after we complete the draft and have some time for public feedback. You might want to start withour first and second posts. Special thanks to Gigamon for licensing. As always, the content is being developed completely independently using our Totally Transparent Research methodology. Learning cloud adoption patterns doesn’t just help us identify key problems and risks – we can use them to guide operational decisions to address the issues they consistently raise. This research focuses on managing networks and network security, but the patterns include broad security and operational implications which cover all facets of your cloud journey. Governance issues aside, we find that networking is typically one of the first areas of focus for organizations, so it’s a good target for our first focused research. (For the curious, IAM and compliance are two other top areas organizations focus on, and struggle with, early in the process).

Defining the Journey—the Four Cloud Adoption Patterns

Thu, 20 Feb 2020 00:00:00 +0000

This is the second post in our series, “Network Operations and Security Professionals’ Guide to Managing Public Cloud Journeys”, which we will release as a white paper after we complete the draft and have some time for public feedback. You might want to start withour first post. Special thanks to Gigamon for licensing. As always, the content is being developed completely independently using our Totally Transparent Research methodology.

Your Cloud Journeys is Unique, but Not Unknown

Mon, 17 Feb 2020 00:00:00 +0000

This is the first post in a new series, our “Network Operations and Security Professionals’ Guide to Managing Public Cloud Journeys”, which we will release as a white paper after we complete the draft and have some time for public feedback. Special thanks to Gigamon for licensing. As always, the content is being developed completely independently using ourTotally Transparent Research methodology.

The TWELFTH Annual Disaster Recovery Breakfast: (IM)MATURITY

Mon, 20 Jan 2020 00:00:00 +0000

For Rich and me, it seems like forever that we’ve been doing this cloud thing. We previewed the first CCSK class back at RSAC 2011, so we’re closing in on 10 years of hands-on, in the weeds cloud stuff. It’s fundamentally changed Securosis, and we ended up as founders of DisruptOps as well.

Saying Goodbye

Mon, 02 Dec 2019 00:00:00 +0000

I never thought I would say this, but I am leaving Securosis. By the time you read this I will have started a new position with Bank of America. I have been asked to help out with application and cloud security efforts. I have been giving a lot of thought to what I like to do, what makes me happy, and what I want to do with the rest of my career, and I came to the realization it is time for a change. There are aspects of the practice of security which I can never explore with Securosis or DisruptOps. The bank offers many challenges – and operates at a scale – which I have never experienced. That, and I will get to work with a highly talented team already in place. I could not really have written a better job description for myself, so I am jumping at this opportunity.

Understanding and Selecting RASP 2019: New Paper

Tue, 19 Nov 2019 00:00:00 +0000

Today we are launching our 2019 updated research paper from our recent series, Understanding and Selecting RASP (Runtime Application Self-Protection). RASP was part of the discussion on application security in just about every one of the hundreds of calls we have taken, and it’s clear that there is a lot of interest – and confusion – on the subject, so it was time to publish a new take on this category. And we would like to heartily thank you to Contrast Security for licensing this content. Without this type of support we could not bring this level of research to you, both free of charge and without requiring registration. We think this research paper will help developers and security professionals who are tackling application security from within understand what other security measures are at their disposal to protect application stacks from attack.

Enterprise DevSecOps: Security’s Role In DevOps

Wed, 16 Oct 2019 00:00:00 +0000

As we mentioned earlier, DevOps is not all about tools and technology – much of its success lies in how people work within the model. We have already gone into great detail about tools and process, and we approached much of this content from the perspective of security practitioners getting onboard with DevOps. This paper is geared toward helping security folks, so here we outline their role in a DevOps environment. We hope to help you work with other teams and reduce friction.

Enterprise DevSecOps: Security Test Integration and Tooling

Mon, 14 Oct 2019 00:00:00 +0000

In this section we show you how to weave security into the fabric of your DevOps automation framework. We are going to address the questions “We want to integrate security testing into the development pipeline, and are going to start with static analysis. How do we do this?”, “We understand “shift left”, but are the tools effective?” and “What tools do you recommend we start with, and how do we integrate them?”. As DevOps encourages testing in all phases of development and deployment, we will discuss what a build pipeline looks like, and the tooling appropriate for stage. The security tests typically sit side by side with functional and regression tests your quality assurance teams has likely already deployed. And beyond those typical post-build testing points, you can include testing on a developer’s desktop prior to check-in, in the code repositories before and after builds, and in pre-deployment staging areas.

Enterprise DevSecOps: Security Planning

Fri, 11 Oct 2019 00:00:00 +0000

This post is intended to help security folks create an outline or structure for an application security program. We are going to answer such common questions as “How do we start building out an application security strategy?”, “How do I start incorporating DevSecOps?” and “What application security standards should I follow?”. I will discuss the Software Development Lifecycle (SDLC), introduce security items to consider as you put your plan in place, and reference some application security standards for use as guideposts for what to protect against. This post will help your strategy; the next one will cover tactical tool selection.

Enterprise DevSecOps: How Security Works With Development

Thu, 10 Oct 2019 00:00:00 +0000

In our first paper on ‘Building Security Into DevOps’, given the ‘newness’ of DevOps for most of our readers, we included a discussion on the foundational principles and how DevOps is meant to help tackle numerous problems common to software delivery. Please refer to that paper is you want more detailed background information. For our purposes here we will discuss just a few principles that directly relate to the integration of security teams and testing with DevOps principles. These concepts lay the foundations for addressing the questions we raised in the first section, and readers will need to understand these as we discuss security tooling and approaches in a DevOps environment.

Enterprise DevSecOps: New Series

Thu, 03 Oct 2019 00:00:00 +0000

DevOps is an operational framework which promotes software consistency and standardization through automation. It helps address many nightmare development issues around integration, testing, patching, and deployment – both by breaking down barriers between different development teams, and also by prioritizing things which make software development faster and easier.

Understanding and Selecting RASP 2019: Selection Guide

Fri, 13 Sep 2019 00:00:00 +0000

We want to take a more formal look at the RASP selection process. For our 2016 version of this paper, the market was young enough that a simple list if features was enough to differentiate one platform from another. But the current level of platform maturity makes top-tier products more difficult to differentiate.

Understanding and Selecting RASP 2019: Integration

Wed, 11 Sep 2019 00:00:00 +0000

Editor’s note* We have been having VPN interruptions, so I apologize for the uneven cadence of delivery on these posts. We are working on the issue.

In this section we will outline how RASP fits into the technology stack, in both production deployment and application build processes. We will show what that looks like and why it’s important to fit into these steps for newer application security technologies. We will close with a discussion of how RASP differs from other security technologies, and discuss advantages and tradeoffs of differing approaches.

Understanding and Selecting RASP 2019: Technology

Mon, 09 Sep 2019 00:00:00 +0000

It is time to discuss technical facets of RASP products – including how the technology works, how it integrates into an application environment, and the advantages of different integration options. We will also outline important considerations such as platform support which impact the selection process. We will also consider a couple aspects of RASP technology which we expect to evolve over next couple years.

Understanding and Selecting RASP 2019: Use Cases

Fri, 30 Aug 2019 00:00:00 +0000

Updated 9-13 to include business requirements

The primary function of RASP is to protect web applications against known and emerging threats. In some cases it is deployed to block attacks at the application layer, before vulnerabilities can be exploited, but in many cases RASP tools process a request until it detects an attack and then blocks the action.

Understanding and Selecting RASP: 2019

Tue, 27 Aug 2019 00:00:00 +0000

During our 2015 DevOps research conversations, developers consistently turned the tables on us, asking dozens of questions about embedding security into their development process. We were surprised to discover how much developers and IT teams are taking larger roles in selecting security solutions, working to embed security products into tooling and build processes. Just like they use automation to build and test product functionality, they automate security too.

Firestarter: Multicloud Deployment Structures and Blast Radius

Wed, 07 Aug 2019 00:00:00 +0000

In this, our second Firestarter on multicloud deployments, we start digging into the technological differences between the cloud providers. We start with the concept of how to organize your account(s). Each provider uses different terminology but all support similar hierarchies. From the overlay of AWS organizations to the org-chart-from-the-start of an Azure tenant we dig into the details and make specific recommendations. We also discuss the inherent security barriers and cover a wee bit of IAM.

DisruptOps: Breaking Attacker Kill Chains in AWS: IAM Roles

Fri, 02 Aug 2019 00:00:00 +0000

Breaking Attacker Kill Chains in AWS: IAM Roles

Over the past year I’ve seen a huge uptick in interest for concrete advice on handling security incidents inside the cloud, with cloud native techniques. As organizations move their production workloads to the cloud, it doesn’t take long for the security professionals to realize that the fundamentals, while conceptually similar, are quite different in practice. One of those core concepts is that of the kill chain, a term first coined by Lockheed Martin to describe the attacker’s process. Break any link and you break the attack, so this maps well to combining defense in depth with the active components of incident response.

Firestarter: So you want to multicloud?

Thu, 01 Aug 2019 00:00:00 +0000

This is our first in a series of Firestarters covering multicloud. Using more than one IaaS cloud service provider is, well, a bit of a nightmare. Although this is widely recognized by anyone with hands-on cloud experience that doesn’t mean reality always matches our desires. From executives worried about lock in to M&A activity we are finding that most organizations are being pulled into multicloud deployments. In this first episode we lay out the top level problems and recommend some strategies for approaching them.

What We Know about the Capital One Data Breach

Mon, 29 Jul 2019 00:00:00 +0000

I’m not a fan of dissecting complex data breaches when we don’t have any information. In this case we do know more than usual due to the details in the complaint filed by the FBI.

DisruptOps: Build Your Own Multi-Cloud Security Monitoring in 30 Minutes or Less with StreamAlert

Fri, 19 Jul 2019 00:00:00 +0000

Build Your Own Multi-Cloud Security Monitoring in 30 Minutes or Less with StreamAlert

One of the most difficult problems in cloud security is building comprehensive multi-account/multi-cloud security monitoring and alerting. I’d say maybe 1 out of 10 organizations I assess or work with have something effective in place when I first show up. That’s why I added a major monitoring lab based on AirBnB’s StreamAlert project to the Securosis Advanced Cloud Security and Applied DevSecOps training class (we still have some spots available for our Black Hat 2019 class).

Apple Flexes Its Privacy Muscles

Wed, 12 Jun 2019 00:00:00 +0000

Apple events follow a very consistent pattern, which rarely changes beyond the details of the content. This consistency has gradually become its own language. Attend enough events and you start to pick up the deliberate undertones Apple wants to communicate, but not express directly. They are the facial and body expressions beneath the words of the slides, demos, and videos.

DisruptOps: The Security Pro’s Quick Comparison: AWS vs. Azure vs. GCP

Wed, 12 Jun 2019 00:00:00 +0000

I’ve seen a huge increase in the number of questions about cloud providers beyond AWS over the past year, especially in recent months. I decided to write up an overview comparison over at DisruptOps. This will be part of a slow-roll series going into the differences across the major security program domains – including monitoring, perimeter security, and security management. Here’s an excerpt:

Selecting Enterprise Email Security: the Buying Process

Tue, 28 May 2019 00:00:00 +0000

To wrap up this series we will bring you through a process of narrowing down the shortlist and then testing products and/or services in play. With email it’s less subjective because malicious email is… well, malicious. But given the challenges of policy management at scale (discussed in our last post), you’ll want to ensure a capable UX and sufficient reporting capabilities as well.

Selecting Enterprise Email Security: Scaling to the Enterprise

Mon, 20 May 2019 00:00:00 +0000

As we continue down the road of Selecting Enterprise Email Security, let’s hone in on the ‘E’ word: Enterprise. Email is a universal application, and scaling up protection to the enterprise level is all about managing email security in a consistent way. So this post will dig into selecting the security platform, integrating with other enterprise security controls, and finally some adjacent services which can improve the security of your email and so should be considered as part of broad protection.

Selecting Enterprise Email Security: Detection Matters

Thu, 09 May 2019 00:00:00 +0000

As we covered in the introduction to our Selecting Enterprise Email Security series, even after over a decade of trying to address the issue, email-borne attacks are still a scourge on pretty much every enterprise. That doesn’t mean the industry hasn’t made progress – it’s just that between new attacker tactics and the eternal fallibility of humans clicking on things, we’re arguably in about the same place we’ve been all along.

Selecting Enterprise Email Security: Introduction

Tue, 23 Apr 2019 00:00:00 +0000

It’s 2019, and we’re revisiting email security. Wait; what? Did we step out of a time machine and end up in 2006? Don’t worry – you didn’t lose the past 13 years in a cloud of malware (see what we did there?). But before we discuss the current state of email security, we thought we should revisit what we wrote in our 2012 RSA Guide about email security.

DisruptOps: Cloud Security CoE Organizational Models

Tue, 09 Apr 2019 00:00:00 +0000

Cloud Security CoE Organizational Models

In the first post of our Cloud Security Center of Excellence series we covered the two critical aspects of being successful at cloud security: accountability and empowerment. Without accepting accountability to secure all the organization’s cloud assets, and being empowered to make changes to the environment in the name of improved security, it’s hard to enforce a consistent baseline of security practices that can dramatically reduce an organization’s attack surface.

DisruptOps: Forming the Cloud Security Center of Excellence

Tue, 19 Mar 2019 00:00:00 +0000

Forming the Cloud Security Center of Excellence

We spend a lot of time talking to cloud security professionals, basically trying to figure out the best ways to get their jobs done in largely uncharted territory. Cloud technology is evolving at an unprecedented rate, empowering line of business users to move fast and not ask permission from IT or Security. Of course this can result in an unmanaged environment, with many traditional governance models rendered useless by the accessibility and ease of using the cloud. This is what we call cloud chaos.

The ELEVENTH Annual Disaster Recovery Breakfast: Is that you Caesar?

Mon, 28 Jan 2019 00:00:00 +0000

Things have been good in security. Really good. For a really long time. We can remember when there were a couple hundred people that showed up for the RSA Conference. Then a couple thousand. Now over 40,000 people descend on San Francisco to check out this security thing. There are hundreds of companies talking cyber. VC money has flowed for years, funding pretty much anything cyber. Cyber cyber cyber.

Firestarter: 2019: Insert Winter is Coming Meme Here

Mon, 07 Jan 2019 00:00:00 +0000

In this year-end/start firestarter the gang jumps into our expectations for the coming year. Spoiler alert- the odds are some consolidation and contraction in security markets are impending… and not just because the Chinese are buying fewer iPhones.

Quick Wins with Data Guardrails and Behavioral Analytics

Wed, 26 Dec 2018 00:00:00 +0000

This is the third (and final) post in our series on Protecting What Matters: Introducing Data Guardrails and Behavioral Analytics. Our first post,Introducing Data Guardrails and Behavioral Analytics: Understand the Mission we introduced the concepts and outlined the major categories of insider risk. In the second post we delved into and defined the terms. And as we wrap up the series, we’ll bring it together via a scenario showing how these concepts would work in practice

Firestarter: re:Invent Security Review

Mon, 17 Dec 2018 00:00:00 +0000

It’s that time of year again. The time when Amazon takes over our lives. No, not the holiday shopping season but the annual re:Invent conference where Amazon Web Services takes over Las Vegas (really, all of it) and dumps a firehouse of updates on the world. Listen in to hear our take on new services like Transit Hub, Security Hub, and Control Tower.

DisruptOps: Something You Probably Should Include When Building Your Next Threat Models

Tue, 13 Nov 2018 00:00:00 +0000

Something You Probably Should Include When Building Your Next Threat Models

We are working on our threat modeling here at DisruptOps and I decided to refresh my knowledge of different approaches. One thing that quickly stood out is that nearly none of the threat modeling documentation or tools I’ve seen cover the CI/CD pipeline.

DisruptOps: Three of the Most Crucial Sections of the DevSecOps Roadmap

Thu, 08 Nov 2018 00:00:00 +0000

Three of the Most Crucial Sections of the DevSecOps Roadmap

As I mentioned in the (DevSec)Ops vs. Dev(SecOps) post, we’ve been traveling around to a couple of **DevOpsDays conferences **doing the Quick and Dirty DevSecOps talk. One of the things I tend to start with early in the talk is that like DevOps, DevSecOps is not a product. Or something you can deploy and forget. It’s a cultural change. It’s a process. It’s a journey.

Protecting What Matters: Defining Data Guardrails and Behavioral Analytics

Tue, 06 Nov 2018 00:00:00 +0000

This is the second post in our series on Protecting What Matters: Introducing Data Guardrails and Behavioral Analytics. Our first post,Introducing Data Guardrails and Behavioral Analytics: Understand the Mission, introduced the concepts and outlined the major categories of insider risk. This post defines the concepts.

Building a Multi-cloud Logging Strategy: Issues and Pitfalls

Tue, 30 Oct 2018 00:00:00 +0000

As we begin our series on Multi-cloud logging, we start with reasons some traditional logging approaches don’t work. I don’t like to start with a negative tone, but we need to point out some challenges and pitfalls which often beset firms on first migration to cloud. That, and it helps frame our other recommendations later in this series. Let’s take a look at some common issues by category.

DAM Not Moving to the Cloud

Mon, 29 Oct 2018 00:00:00 +0000

I have concluded that nobody is using Database Activity Monitoring (DAM) in public Infrastructure or Platform as a Service. I never see it in any of the cloud migrations we assist with. Clients don’t ask about how to deploy it or if they need to close this gap. I do not hear stories, good or bad, about its usage. Not that DAM cannot be used in the cloud, but it is not.

DisruptOps: The 4 Phases to Automating Cloud Management

Mon, 29 Oct 2018 00:00:00 +0000

A Security Pro’s Cloud Automation Journey

Catch me at a conference and the odds are you will overhear my saying “cloud security starts with architecture and ends with automation.” I quickly follow with how important it is to adopt a cloud native mindset, even when you’re bogged down with the realities of an ugly lift and shift before the data center contract ends and you turn the lights off. While that’s a nice quip, it doesn’t really capture anything about how I went from a meat and potatoes (firewall and patch management) kind of security pro to an architecture and automation and automation cloud native. Rather than preaching from the mount, I find it more useful to describe my personal journey and my technical realizations along the way. If you’re a security pro, or someone trying to up-skill a security pro for cloud, odds are you will end up on a very similar path.

DisruptOps: Consolidating Config Guardrails with Aggregators

Fri, 26 Oct 2018 00:00:00 +0000

Disrupt:Ops: Consolidating Config Guardrails with Aggregators

In Quick and Dirty: Building an S3 guardrail with Config we highlighted that one of the big problems with Config is you need to build it in all regions of all accounts separately. Now your best bet to make that manageable is to use infrastructure as code tools like CloudFormation to replicate your settings across environments. We have a lot more to say on scaling out baseline security and operations settings, but for this post I want to highlight how to aggregate Config into a unified dashboard.

Building a Multi-cloud Logging Strategy: Introduction

Thu, 25 Oct 2018 00:00:00 +0000

Logging and monitoring for cloud infrastructure has become the top topic we are asked about lately. Even general conversations about moving applications to the cloud always seem to end with clients asking how to ‘do’ logging and monitoring of cloud infrastructure. Logs are key to security and compliance, and moving into cloud services – where you do not actually control the infrastructure – makes logs even more important for operations, risk, and security teams. But these questions make perfect sense – logging in and across cloud infrastructure is complicated, offering technical challenges and huge potential cost overruns if implemented poorly.

Cloudera and Hortonworks Merge

Thu, 25 Oct 2018 00:00:00 +0000

I had been planning to post on the recent announcement of the planned merger between Hortonworks and Cloudera, as there are a number of trends I’ve been witnessing with the adoption of Hadoop clusters, and this merger reflects them in a nutshell. But catching up on my reading I ran across Mathew Lodge’s recent article in VentureBeat titled Cloudera and Hortonworks merger means Hadoop’s influence is declining. It’s a really good post. I can confirm we see the same lack of interest in deployment of Hadoop to the cloud, the same use of S3 as a storage medium when Hadoop is used atop Infrasrtucture as a Service (IaaS), and the same developer-driven selection of whatever platform is easiest to use and deploy on. All in all it’s an article I wish I’d written, as he did a great job capturing most of the areas I wanted to cover. And there are some humorous bits like “Ironically, there has been no Cloud Era for Cloudera.” Check it out – it’s worth your time.

DisruptOps: Quick and Dirty: Building an S3 Guardrail with Config

Wed, 24 Oct 2018 00:00:00 +0000

Disrupt:Ops: Quick and Dirty: Building an S3 Guardrail with Config

In How S3 Buckets Become Public, and the Fastest Way to Find Yours we reviewed the myriad ways S3 buckets become public and where to look for them. Today I’ll show the easiest way to continuously monitor for public buckets using AWS Config. The good news is this is pretty easy to set up; the bad news is you need to configure it separately in every region in every account.

Introducing Data Guardrails and Behavioral Analytics: Understand the Mission

Tue, 23 Oct 2018 00:00:00 +0000

After over 25 years of the modern IT security industry, breaches still happen at an alarming rate. Yes, that’s fairly obvious but still disappointing, given the billions spent every year in efforts to remedy the situation. Over the past decade the mainstays of security controls have undergone the next generation treatment – initially firewalls and more recently endpoint security. New analytical techniques have been mustered to examine infrastructure logs in more sophisticated fashion.

DisruptOps: How S3 Buckets Become Public, and the Fastest Way to Find Yours

Mon, 22 Oct 2018 00:00:00 +0000

How S3 Buckets Become Public, and the Fastest Way to Find Yours

In What Security Managers Need to Know About Amazon S3 Exposures we mentioned that one of the reasons finding public S3 buckets is so darn difficult is because there are multiple, overlapping mechanisms in place that determine the ultimate amount of S3 access. To be honest, there’s a chance I don’t even know all the edge cases but this list should cover the vast majority of situations.

DisruptOps: Why Everyone Automates in Cloud

Fri, 19 Oct 2018 00:00:00 +0000

Why Everyone Automates in Cloud

If you see me speaking about cloud it’s pretty much guaranteed I’ll eventually say:

Cloud security starts with architecture and ends with automation.

DisruptOps: (DevSec)Ops vs. Dev(SecOps)

Wed, 17 Oct 2018 00:00:00 +0000

(DevSec)Ops vs. Dev(SecOps)

I just got back from the Boston DevOps Days. I really enjoy hanging around DevOps and cloud people. The energy of these conferences is great, and they are genuinely excited about transforming how their organizations build and deploy applications. Many don’t have a negative perception of security folks, but they don’t really understand what security folks do either.

DisruptOps: What Security Managers Need to Know About Amazon S3 Exposures (2/2)

Mon, 15 Oct 2018 00:00:00 +0000

What Security Managers Need to Know About Amazon S3 Exposures (2/2)

Our first Disrupt:Ops post discussed how exposure of S3 data becomes such a problem, with some details on how buckets become public in the first place. This post goes a bit deeper, before laying a foundation for how to manage S3 to avoid these mistakes yourself.

DisruptOps: What Security Managers Need to Know About Amazon S3 Exposures (1/2)

Thu, 11 Oct 2018 00:00:00 +0000

As we spin up Disrupt:OPS we are beginning to post cloud-specific content over there, mixing theory with practical how-to guidance. Not to worry! We have plenty of content still planned for Securosis. But we haven’t added any staff at Securosis so there is only so much we can write. In the meantime, linking to non-product posts from Securosis should help ensure you don’t lose sleep over missing even a single cloud-related blog entry.

Firestarter: Hardware Hacks and Lift and Pray

Thu, 04 Oct 2018 00:00:00 +0000

Did China manage to hardware hack the Apple and Amazon data centers? Or did Bloomberg get it wrong? And what the heck can you do about it anyway? This week we start with a discussion of today’s blockbuster security news, before shifting gears back to cloud. It turns out most organizations are having to lift and shift to cloud, even when that is not ideal. We talk about some of your options, even in the face of ridiculous management timelines.

Making an Impact with Security Awareness Training: Quick Wins and Sustained Impact

Thu, 27 Sep 2018 00:00:00 +0000

Our last post explained Continuous Contextual Content as a means to optimize the effectiveness of a security awareness program. CCC acknowledges that users won’t get it, at least not initially. That means you need to reiterate your lessons over and over (and probably over) again. But when should you do that? Optimally when their receptivity is high – when they just made a mistake.

Making an Impact with Security Awareness Training: Continuous Contextual Content

Tue, 11 Sep 2018 00:00:00 +0000

As we discussed in the first post of our Making an Impact with Security Awareness Training series, organizations need to architect training programs around a clear definition of success, both to determine the most appropriate content to deliver, and also to manage management expectations. The definition of success for any security initiative is measurable risk reduction, and that applies just as much to security awareness training.

Firestarter: Advanced Persistent Tenacity

Mon, 03 Sep 2018 00:00:00 +0000

Mike and Rich discuss the latest Wired piece in Notpetya and how advanced attacks, despite the hype, are very much still alive and well. These days you might be a victim not because you are targeted, but because you are a pivot to a target or share some underlying technology. As a new Apache Struts vulnerability rolls out, we thought it a good time to re-address some fundamentals and evaluate the real risks of both widespread and targeted attacks.

Making an Impact with Security Awareness Training: Structuring the Program

Thu, 30 Aug 2018 00:00:00 +0000

We have long been fans of security awareness training. As explained in our 2013 paper Security Awareness Training Evolution, employees remain the last line of defense, and in all too many cases those defenses fail. We pointed out many challenges facing security awareness programs, and have since seen modest improvement in some of those areas. But few organizations rave about their security awareness training, which means we still have work to do.

Firestarter: Black Hat and AI… What Could Go Wrong?

Tue, 28 Aug 2018 00:00:00 +0000

In this episode we review the lessons of this year’s Black Hat and DEF CON. In particular, we talk about how things have changed with the students we have in class, now that we’ve racked up over 5 years of running trainings on cloud security. then we delve into one of the biggest, and most confusing, trends… the mysteries of Artificial Intelligence and Machine Learning. Considering our opinions of natural intelligence, you might guess where this heads…

Firestarter: It’s a GDPR Thing

Fri, 06 Jul 2018 00:00:00 +0000

Mike and Rich discuss the ugly reality that GDPR really is a thing. Not that privacy or even GDPR are bad (we’re all in favor), but they do require extra work on our part to ensure that policies are in place, audits are performed, and pesky data isn’t left lying around in log files unexpectedly.

Scaling Network Security: The Scaled Network Security Architecture

Sun, 01 Jul 2018 00:00:00 +0000

After considering the challenges of existing network security architectures (RIP Moat) we laid out a number of requirements for the new network security. This includes the needs for scale, intelligence, and flexibility. That’s all well and good, but how do you get there? We’ll wrap up this series by discussing a couple key architectural constructs which will influence how you build your future network security architecture.

Scaling Network Security: The New Network Security Requirements

Fri, 22 Jun 2018 00:00:00 +0000

In our last post we bid adieu to The Moat, given the encapsulation of almost everything into standard web protocols and the movement of critical data to an expanding set of cloud services. Additionally, the insatiable demand for bandwidth further complicates how network security scales. So it’s time to reframe the requirements of the new network security. Basically, as we rethink network security, what do we need it to do?

Scaling Network Security: RIP, the Moat

Tue, 05 Jun 2018 00:00:00 +0000

The young people today laugh at folks with a couple decades of experience when they rue about the good old days, when your network was snaked along the floors of your office (shout out for Thicknet!), and trusted users were on the corporate network, and untrusted users were not.

SecMon State of the Union: The Buying Process

Mon, 04 Jun 2018 00:00:00 +0000

Now that you’ve revisited your important use cases, and derived a set of security monitoring requirements, it’s time to find the right fit among the dozens of alternatives. To wrap up this series we will bring you through a reasonably structured process to narrow down your short list, and then testing the surviving products. Once you’ve chosen the technical winner, you need to make the business side of things work – and it turns out the technical winner is not always the solution you end up buying.

SecMon State of the Union: Refreshing Requirements

Tue, 29 May 2018 00:00:00 +0000

Now that you understand the use cases for security monitoring, our next step is to translate them into requirements for your strategic security monitoring platform. In other words, now that you have an idea of the problem(s) you need to solve, what capabilities do you need to address them? Part of that discussion is inevitably about what you don’t get from your existing security monitoring approach – this research wouldn’t be very interesting if your existing tools were all peachy.

SecMon State of the Union: Focus on Use Cases

Thu, 17 May 2018 00:00:00 +0000

When we revisited the Security Monitoring Team of Rivals it became obvious that the overlap between SIEM and security analytics has passed a point of no return. So with a Civil War brewing our key goal is to determine what will be your strategic platform for security monitoring. This requires you to shut out the noise of fancy analytics and colorful visualizations, and focus on the problem you are trying to solve now, with an eye to how it will evolve in the future. That means getting back to use cases. The cases for security monitoring tend to fall into three major buckets:

The Security Profession Needs to Adopt Just Culture

Fri, 04 May 2018 00:00:00 +0000

Yesterday Twitter revealed they had accidentally stored plain-text passwords in some log files. There was no indication the data was accessed and users were warned to update their passwords. There was no known breach, but Twitter went public anyway, and was excoriated in the press and… on Twitter.

SecMon State of the Union: Revisiting the Team of Rivals

Tue, 24 Apr 2018 00:00:00 +0000

Things change. That’s the only certainty in technology today, and certainly in security. Back when we wrote Security Analytics Team of Rivals, SIEM and Security Analytics offerings were different and did not really overlap. It was more about how can they coexist, instead of choosing one over the other. But nowadays the overlap is significant, so you need existing SIEM players basically bundling in security analytics capabilities and security analytics players positioning their products as next-generation SIEM.

Firestarter: The RSA 2018 Episode

Thu, 12 Apr 2018 00:00:00 +0000

This week Rich, Mike, and Adrian talk about what they expect to see at the RSA Security Conference, and if it really means anything. As we do in most of our RSA Conference related discussions the focus is less on what to see and more on what industry trends we can tease out, and the potential impact on the regular security practitioner. For example, what happens when blockchain and GDPR collide? Do security vendors finally understand cloud? What kind of impact does DevOps have on the security market? Plus we list where you can find us, and, as always, don’t forget to attend the Tenth Annual Disaster Recovery Breakfast!

Complete Guide to Enterprise Container Security New Paper

Mon, 02 Apr 2018 00:00:00 +0000

The explosive growth of containers is not surprising because the technology (most obviously Docker) alleviates several problems for deploying applications. Developers need simple packaging, rapid deployment, reduced environmental dependencies, support for micro-services, generalized management, and horizontal scalability – all of which containers help provide. When a single technology enables us to address several technical problems at once, it is very compelling. But this generic model of packaged services, where the environment is designed to treat each container as a “unit of service”, sharply reduces transparency and audit-ability (by design), and gives security pros nightmares. We run more code faster, but must in turn accept a loss of visibility inside the containers. It begs the question, “How can we introduce security without losing the benefits of containers?”

Firestarter: Auditors, Assessors, and Cloud.. Oh My!

Mon, 19 Mar 2018 00:00:00 +0000

This week the gang discusses Rich’s recent discussions with some clients struggling to deal with auditors and assessors who don’t really understand cloud computing.

Evolving to Security Decision Support: Laying the Foundation

Sun, 04 Mar 2018 00:00:00 +0000

As we resume our series on Evolving to Security Decision Support, let’s review where we’ve been so far. The first step in making better security decisions is ensuring you have full visibility of your enterprise assets, because if you don’t know assets exist, you cannot make intelligent decision about protecting them. Next we discussed how threat intelligence and security analytics can be brought to bear to get both internal and external views of your attack environment, again with the goal of turning data into information you can use to better prioritize efforts.

The TENTH Annual Disaster Recovery Breakfast: Are You F’ing Kidding Me?

Tue, 27 Feb 2018 00:00:00 +0000

What was the famous Bill Gates quote? “We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten.” Well, we at Securosis actually can gauge that accurately given this is the TENTH annual RSA Conference Disaster Recovery Breakfast.

Evolving to Security Decision Support: Data to Intelligence

Mon, 19 Feb 2018 00:00:00 +0000

As we kicked off our Evolving to Security Decision Support series, the point we needed to make was the importance of enterprise visibility to the success of your security program. Given all the moving pieces in your environment – including the usage of various clouds (SaaS and IaaS), mobile devices, containers, and eventually IoT devices – it’s increasingly hard to know where all your critical data is and how it’s being used.

Firestarter: Old School and False Analogies

Mon, 12 Feb 2018 00:00:00 +0000

Old School and False Analogies

This week we skip over our series on cloud fundamentals to go back to the Firestarter basics. We start with a discussion of the week’s big acquisition (like BIG considering the multiple). Then we talk about the hyperbole around the release of the iBoot code from an old version of iOS. We also discuss Apple, cyberinsurance, and the actuarial tables. Then we finish up with Rich blabbing about lessons learned as he works on his paramedic again and what parallels to bring to security. For more on that you can read these posts: https://securosis.com/blog/this-security-shits-hard-and-it-aint-gonna-get-any-easier and https://securosis.com/blog/best-practices-unintended-consequences-negative-outcomes

Best Practices, Unintended Consequences, and Negative Outcomes

Thu, 08 Feb 2018 00:00:00 +0000

Information Security is a profession. We have job titles, recognized positions in nearly every workplace, professional organizations, training, and even some fairly new degree programs. I mean none of that sarcastically, but I wouldn’t necessarily say we are a mature profession. We still have a lot to learn about ourselves. This isn’t unique to infosec – it’s part of any maturing profession, and we can learn the same lessons the others already have.

Firestarter: Best Practices for Root Account Security and… SQRRL!!!!

Mon, 05 Feb 2018 00:00:00 +0000

Just because we are focusing on cloud fundamentals doesn’t mean we are forgetting the rest of the world. This week we start with a discussion over the latest surprise acquisition of Sqrrl by Amazon Web Services and what it might indicate. Then we jump into our ongoing series of posts on cloud security by focusing on the best practices for root account security. From how to name the email accounts, to handling MFA, to your break glass procedures.

Evolving to Security Decision Support: Visibility is Job #1

Thu, 01 Feb 2018 00:00:00 +0000

To demonstrate our mastery of the obvious, it’s not getting easier to detect attacks. Not that it was ever really easy, but at least you used to know what tactics adversaries used, and you had a general idea of where they would end up, because you knew where your important data was, and which (single) type of device normally accessed it: the PC. It’s hard to believe we now long for the days of early PCs and centralized data repositories.

Firestarter: Architecting Your Cloud with Accounts

Wed, 31 Jan 2018 00:00:00 +0000

We are taking over our own Firestarter and kicking off a new series of discussions on cloud security… from soup to nuts (whatever that means). Each week for the next few months we will cover, in order, how to build out your cloud security program. We are taking our assessment framework and converting it into a series of discussions talking about what we find and how to avoid issues. This week we start with architecting your account structures, after a brief discussion of the impact of the Meltdown and Spectre vulnerabilities since they impact cloud (at least for now) more than your local computer.

This Security Shit’s Hard and It Ain’t Gonna Get Any Easier

Tue, 30 Jan 2018 00:00:00 +0000

In case you couldn’t tell from the title, this line is your official EXPLICIT tag. We writers sometimes need the full spectrum of language to make a point.

Wrangling Backoffice Security in the Cloud Age: Part 2

Fri, 26 Jan 2018 00:00:00 +0000

This is the second part in a two-part series (later paper) on managing increased use and reliance on SaaS for traditional back-office applications.See Part 1. This will also be included in a webcast with Box on March 6, and you can register here.

Container Security 2018: Logging and Monitoring

Wed, 24 Jan 2018 00:00:00 +0000

We close out this research paper with two key areas: Monitoring and Auditing. We want to draw attention to them because they are essential to security programs, but have received only sporadic coverage in security blogs and the press. When we go beyond network segregation and network policies for what we allow, the ability to detect misuse is extremely valuable, which is where monitoring and logging come in. Additionally, most Development and Security teams are not aware of the variety of monitoring options available, and we have seen a variety of misconceptions and outright fear of the volume of audit logs to capture, so we need to address these issues.

Wrangling Backoffice Security in the Cloud Age

Wed, 24 Jan 2018 00:00:00 +0000

Over a year ago we first published our series on Tidal Forces: The Trends Tearing Apart Security As We Know It. We called out three megatrends in technology with deep and lasting impact on security practice:

Container Security 2018: Runtime Security Controls

Mon, 22 Jan 2018 00:00:00 +0000

After the focus on tools and processes in previous sections, we can now focus on containers in production systems. This includes which images are moved into production repositories, selecting and running containers, and the security of underlying host systems.

Container Security 2018: Securing Container Contents

Mon, 15 Jan 2018 00:00:00 +0000

Testing the code and supplementary components which will execute within containers, and verifying that everything conforms to security and operational practices, is core to any container security effort. One of the major advances over the last year or so is the introduction of security features for the software supply chain, from container engine providers including Docker, Rocket, OpenShift and so on. We also see a number of third-party vendors helping to validate container content, both before and after deployment. Each solution focuses on slightly different threats to container construction – Docker, for example, offers tools to certify that a container has gone through your process without alteration, using digital signatures and container repositories. Third-party tools focus on security benefits outside what engine providers offer, such as examining libraries for known flaws. So while things like process controls, digital signing services to verify chain of custody, and creation of a bill of materials based on known trusted libraries are all important, you’ll need more than what is packaged with your base container management platform. You will want to consider third-party to help harden your container inputs, analyze resource usage, analyze static code, analyze library composition, and check for known malware signatures. In a nutshell, you need to look for risks which won’t be caught by your base platform.

The Future of Security Operations: Embracing the Machines

Fri, 12 Jan 2018 00:00:00 +0000

To state the obvious, traditional security operations is broken. Every organization faces more sophisticated attacks, the possibility of targeted adversaries, and far more complicated infrastructure; compounding the problem, we have fewer skilled resources to execute on security programs. Obviously it’s time to evolve security operations by leveraging technology to both accelerate human work and take care of rote, tedious tasks which don’t add value. So security orchestration and automation are terms you will hear pretty consistently from here on out.

Container Security 2018: Build Pipeline Security

Thu, 11 Jan 2018 00:00:00 +0000

Most people fail to consider the build environment when thinking about container security, but it is critical. The build environment is traditionally the domain of developers, who don’t share much detail with outsiders (meaning security teams). But with Continuous Integration (CI) or full Continuous Deployment (CD), we’re shooting new code into production… potentially several times a day. An easy way for an attacker to hack an application is get into its development or build environment – usually far less secure than production – and alter code or add new code to containers. The risk is aggravated by DevOps rapidly breaking down barriers between groups, and operations and security teams given access so they can contribute to the process. Collaboration demands a more complex and distributed working environment, with more stakeholders. Better controls are needed to restrict who can alter the build environment and update code, and an audit process to validate who did what.

Container Security 2018: Threats and Concerns

Tue, 09 Jan 2018 00:00:00 +0000

To better understand which container security areas you should focus on, and why we recommend particular controls, it helps to understand which threats need to be addressed and which areas containers affect most. Some threats and issues are well-known, some are purely lab proofs of concept, and others are threat vectors which attackers have yet to exploit – typically because there is so much low-hanging fruit elsewhere.

Building a Container Security Program 2018: Introduction

Sun, 07 Jan 2018 00:00:00 +0000

The explosive growth of containers is not surprising – these technologies, such as Docker, alleviate several problems for developers deploying applications. Developers need simple packaging, rapid deployment, reduced environmental dependencies, support for microservices, generalized management, and horizontal scalability – all of which containers help provide. When a single technology enables us to address several technical problems at once, it’s very compelling. But this generic model of packaged services, where the environment is designed to treat each container as a “unit of service”, sharply reduces transparency and auditability (by design), and gives security pros nightmares. We run more code and faster, but must accept a loss of visibility inside the container. It begs the question, “How can we introduce security without losing the benefits of containers?”

How Cloud Security Managers Should Respond to Meltdown and Spectre

Fri, 05 Jan 2018 00:00:00 +0000

I hope everyone enjoyed the holidays… just in time to return to work, catch up on email, and watch the entire Internet burn down thanks to a cluster of hardware vulnerabilities built into pretty much every computing platform available.

New Paper: Understanding Secrets Management

Tue, 02 Jan 2018 00:00:00 +0000

Traditional application security concerns are shifting, responding to disruptive technologies and development frameworks. Cloud services, containerization, orchestration platforms, and automated build pipelines – to name just a few – all change the way we build and deploy applications. Each effects security a different way. One of the new application security challenges is to provision machines, applications, and services with the credentials they need at runtime. When you remove humans from the process things move much faster – but knowing how and when to automatically provide passwords, authentication tokens, and certificates is not an easy problem. This secrets management problem is not new, but our need grows exponentially when we begin orchestrating the entire application build and deployment process. We need to automate distribution and management of secrets to ensure secure application delivery.

Firestarter: An Explicit End of Year Roundup

Thu, 21 Dec 2017 00:00:00 +0000

The gang almost makes it through half the episode before dropping some inappropriate language as they summarize 2017. Rather than focusing on the big news, we spend time reflecting on the big trends and how little has changed, other than the pace of change. How the biggest breaches of the year stemmed from the oldest of old issues, to the newest of new. And last we want to thank all of you for all your amazing support over the years. Securosis has been running as a company for a decade now, which likely scares all of you even more than us. We couldn’t have done it without you… seriously.

Firestarter: Breacheriffic EquiFail

Fri, 15 Dec 2017 00:00:00 +0000

This week Mike and Rich address the recent spate of operational fails leading to massive security breaches. This isn’t yet another blame the victim rant, but a frank discussion of why these issues are so persistent and so difficult to actually manage. We also discuss the rising role of automation and its potential to reduce these all-too-human errors.

The Future of Security Operations: Regaining Balance

Mon, 27 Nov 2017 00:00:00 +0000

The first post in this series, Behind the 8 Ball, raised a number of key challenges practicing security in our current environment. These include continual advancement and innovation by attackers seeking new ways to compromise devices and exfiltrate data, increasing complexity of technology infrastructure, frequent changes to said infrastructure, and finally the systemic skills shortage which limits our resources available to handle all the challenges created by the other issues. Basically, practitioners are behind the 8-ball in getting their job done and protecting corporate data.

Endpoint Advanced Protection Buyer’s Guide: Top 10 Questions for Detection and Response

Tue, 21 Nov 2017 00:00:00 +0000

There are plenty of obvious questions you could ask an endpoint security vendor. But most won’t really help you understand the nuances of their approach, so we decided to distill the selection criteria down to a couple of key points. We’ll provide not just the questions, but the rationale behind them.

Endpoint Advanced Protection Buyer’s Guide: Key Technologies for Detection and Response

Mon, 20 Nov 2017 00:00:00 +0000

Now let’s dig into some key EDR technologies which appear across all the use cases: detection, response, and hunting.

Agent

The agent is deployed to each monitored endpoint, so you be sensitive to its size and its performance hit on devices. A main complaint regarding older endpoint protection was performance impact on devices. The smaller the better, and the less performance impact the better (duh!), but just as important is agent deployability and maintainability.

Endpoint Advanced Protection Buyer’s Guide: Key Capabilities for Response and Hunting

Fri, 17 Nov 2017 00:00:00 +0000

As we resume posting Endpoint Detection and Response (D/R) selection criteria, let’s start with a focus on the Detection use case.

Endpoint Advanced Protection Buyer’s Guide: Key Capabilities for Detection

Thu, 16 Nov 2017 00:00:00 +0000

As we resume posting Endpoint Detection and Response (D/R) selection criteria, let’s start with a focus on the Detection use case.

Endpoint Advanced Protection Buyer’s Guide: Detection and Response Use Cases

Wed, 15 Nov 2017 00:00:00 +0000

As we continue documenting what you need to know to understand Endpoint Advanced Protection offerings, it’s time to delve into Detection and Response. Remember that before you are ready to pick anything, you need to understand the problem you are trying to solve. Detecting all endpoint attacks within microseconds and without false positives isn’t really achievable. You need to determine the key use cases most important to you, and make an honest assessment of your team and adversaries.

Endpoint Advanced Protection Buyer’s Guide: Top 10 Questions on Prevention

Fri, 10 Nov 2017 00:00:00 +0000

Endpoint Advanced Protection Buyer’s Guide: Key Prevention Technologies

Thu, 09 Nov 2017 00:00:00 +0000

After exploring prevention approaches, you should understand some common technologies which are foundational to endpoint advanced prevention offerings. Machine Learning Machine learning is a catch-all term to indicate that the endpoint protection vendor uses sophisticated mathematical analysis on a large set of data to generate models for detecting malicious files or activity on devices. There are a couple mathematical algorithms which can improve malware prevention. Static file analysis: With upwards of a billion malicious file samples in circulation, mathematical analysis of malware can pinpoint commonalities across malicious files. With a model of what malware looks like, advanced prevention products then

Face ID is the Future of Security (Authentication)

Thu, 09 Nov 2017 00:00:00 +0000

Every year, as I travel the security conference circuit, hallway conversations always turn to, “See anything interesting?”. To be honest, I can’t remember the last time I was excited about an honestly cool security technology (which I didn’t create myself, but let’s not go there today). I see plenty of cloud innovation, and plenty of security evolution, but not a lot of revolution.

The Future of Security Operations: Behind the 8 Ball

Thu, 09 Nov 2017 00:00:00 +0000

As the velocity of technology infrastructure change continues to increase, it is putting serious stress on Security Operations (SecOps). This has forced security folks to face the fact that operations has never really been our forte. That’s a bit harsh, but denial never helps address serious problems. The case is fairly strong that most organizations are pretty bad at security operations. How many high-profile breaches could have been avoided if one of many alerts was acted upon? How many attacks were made possible by not having properly patched servers or infrastructure? How many successful compromises resulted from human error?

Endpoint Advanced Protection Buyer’s Guide: Preventing the Attacks, Part 2

Wed, 08 Nov 2017 00:00:00 +0000

Let’s resume our discussion of endpoint attack prevention approaches with the options available once an attack actually begins to execute, or once it has already executed on a device.

Endpoint Advanced Protection Buyer’s Guide: Preventing the Attacks, Part 1

Tue, 07 Nov 2017 00:00:00 +0000

We discussed specific attacks in our last post, so it’s time to examine approaches which can prevent them. But first let’s look at the general life cycle of an attack.

Endpoint Advanced Protection Buyer’s Guide: The Attacks

Mon, 06 Nov 2017 00:00:00 +0000

As we previewed in the Introduction to our Endpoint Advanced Protection Buyer’s Guide, the first step to selecting an endpoint security product is figuring out what problem you are trying to solve. Then figure out which capabilities are most important to solve those problems. Only then can you start trying to find a vendor who meets those requirements. This is what we call establishing *selection criteria.

Minimum Viable Cloud is an Anti-Pattern

Mon, 06 Nov 2017 00:00:00 +0000

About a year ago I first heard the dreaded acronym “MVC”. It was during a call about a potential project, and this contact kept namedropping it like Kanye or something – not that I knew what it meant at the time. I kept wondering how Model/View/Controller was so important to their deployment. Eventually I learned it stands for “Minimum Viable Cloud”.

Firestarter: The team is back from the dead, and so are some really crappy cloud ideas.

Tue, 31 Oct 2017 00:00:00 +0000

The team is back from the dead, and so are some really crappy cloud ideas.

Watch or listen:

Bad vs. Less Bad Security Reporting: CoreML vs. Ships

Thu, 26 Oct 2017 00:00:00 +0000

As I was flying home from a meeting today I read two security stories that highlighted the differences between bad and less bad ways to report on security issues.

Secrets Management: Deployment Considerations

Fri, 29 Sep 2017 00:00:00 +0000

We will close out this series with a look at several operational considerations for selecting a secrets management platform. There are quite a few secrets management tools, both commercial and otherwise, on the market, and each does things a bit differently. Rather than a giant survey of every product and how it works, we will focus on the facets of these products which enable them to handle the use cases discussed earlier. Central questions include how these platforms deploy, how they provide scalability and resiliency, and how they integrate with the services they supply secrets to? To better distinguish between products you need to understand why they were created, because core functions and deployment models are heavily influenced by a platform’s intended use.

Secrets Management: Features and Functions (updated)

Fri, 22 Sep 2017 00:00:00 +0000

In this section we will discuss the core features of a secrets management platform. There are basic functions every secrets management platform needs to address the basic use cases. These include secure storage and disbursement of secrets, identity management, and API access, for starters. There are plenty of tools out there, many open source, and several bundled into other platforms. But when considering what you need from one of these platforms, the key thing to keep in mind is that most of them were originally developed to perform a single very specific task – such as injecting secrets into containers at runtime, or integrating tightly with a Jenkins build server, or supplementing a cloud identity service. Those do one thing well, but typically do not address multiple use cases.

Secrets Management: Use Cases

Thu, 21 Sep 2017 00:00:00 +0000

This post will discuss why secrets management is needed at all, along with the diverse use cases which teams need it to address. In every case there is some secret data which needs to be sent – hopefully not in plain text – to an application or service. And in every case we want the ability to provide secrets, both when an operator is present and automatically. The biggest single issue is that security around these secrets today is largely absent, and they are kept in cleartext within documents of various types. Let’s dive in.

Secrets Management: New Series

Tue, 19 Sep 2017 00:00:00 +0000

This week we are starting a new research series on Secrets Management. What is secrets management and why do you care? A good number of you in security will be asking these questions. Secrets Management platforms do exactly what the name implies; they store, manage and provide secrets. This technology addresses several problems most security folks don’t yet know they have. As development teams leverage automation and orchestration techniques, they are creating new security issues to be tackled. Let’s jump into some of the back story, and then outline what we will accomplish in this research effort.

The TLS 1.3 Controversy, and Why We Need to Choose Stronger Security

Thu, 24 Aug 2017 00:00:00 +0000

Transport Layer Security (TLS) is fundamental to the security of the Internet. Proposed changes to the protocol are generating extensive controversy within and outside the security industry. Rather than getting into cryptographic specifics, this post focuses on the root of the controversy, and why we believe TLS 1.3 should proceed with the full support of technical professionals.

Introducing the Endpoint Advanced Protection Buyer’s Guide

Tue, 22 Aug 2017 00:00:00 +0000

Endpoint security has undergone a renaissance recently. Similar to network security a decade ago, the technology had not seen significant innovation for years, and adversaries improved to a point where many organizations questioned why they kept renewing existing endpoint protection suites. It was an untenable situation.

How to Evaluate a Possible Apple Face ID

Thu, 03 Aug 2017 00:00:00 +0000

It’s usually more than a little risky to comment on hypothetical Apple products, but while I was out at Black Hat and DEF CON Apple accidentally released the firmware for their upcoming HomePod. Filled with references to other upcoming products and technologies, the firmware release makes it reasonably probable that Apple will release an updated iPhone without a Touch ID sensor, relying instead on facial recognition.

Upcoming Webcast on Dynamic Security Assessment

Mon, 05 Jun 2017 00:00:00 +0000

It’s been a while since I’ve done a webcast, so if you are going through the DTs like I am, you are in luck. On Wednesday at 1 PM ET (10 AM PT), I’m doing an event with my friends at SafeBreach on our Dynamic Security Assessment content. I even convinced them to use one of my favorite sayings in the title:

DLP in the Cloud

Tue, 30 May 2017 00:00:00 +0000

It’s been quite a while since we updated our Data Loss Prevention (DLP) research. It’s not that DLP hasn’t continued to be an area of focus (it has), but a bunch of other shiny things have been demanding our attention lately. Yeah, like the cloud. Well, it turns out a lot of organizations are using this cloud thing now, so they inevitably have questions about whether and how their existing controls (including DLP) map into the new world.

Multi-cloud Key Management Research Paper

Wed, 24 May 2017 00:00:00 +0000

Cloud computing is the single biggest change to computing we have seen, fundamentally changing how we use computing resources. We have reached a point where multi-cloud support is a reality for most firms; SaaS and private clouds are complimented by public PaaS and IaaS. With these changes we have received an increasing number of questions on how to protect data in the cloud, so in this research paper we discuss several approaches to both keeping data secure and maintaining control over access.

Multi-Cloud Key Management: Selection and Migration

Thu, 20 Apr 2017 00:00:00 +0000

Cloud services are typically described as sharing responsibility for security, but the reality is that you don’t working shoulder to shoulder with the vendor. Instead you implement security with the building blocks they provide you, possibly filling in gaps where they don’t provide solutions. One of the central goals of this research project was to show that it is possible to take control of data security, supplanting embedded encryption and key management services, even when you don’t control the environment. And with key management you can gain as much security as your on-premise solution provides – in some cases even continuing leverage familiar tools – with minimal disruption to existing management processes.

Multi-Cloud Key Management: Service and Deployment Options

Sun, 16 Apr 2017 00:00:00 +0000

This post will discuss how to deploy encryption keys into a third-party cloud service. We illustrate the deployment options, along with the components of a solution. We will then walk through the process of getting a key from your on-premise Hardware Security Module (HSM) into a cloud HSM. We will discuss variations on using cloud-based HSM for all encryption operations, as well as cases where you instead delegate encryption operations to the cloud-native encryption service. We’ll close out with a discussion of software-based (non-HSM) key management systems running on IaaS cloud services.

Multi-Cloud Key Management: Use Cases

Wed, 12 Apr 2017 00:00:00 +0000

This post will cover some issues and concerns customers cite when considering a move – or more carefully reassessing a move they have already made – to cloud services.

Identifying the biggest challenges in running security teams

Tue, 11 Apr 2017 00:00:00 +0000

It’s hard to believe, but it’s been 10 years since I published the Pragmatic CSO. Quite a bit has changed in terms of being a senior security professional. Adversaries continuously improve and technology infrastructure is undergoing the most significant disruption I’ve seen in 25 years in technology. It’s never been more exciting – or harder – to be a security professional.

Multi-Cloud Key Management (New Series)

Mon, 10 Apr 2017 00:00:00 +0000

Running IT systems on public cloud services is a reality for most companies. Just about every company uses Software as a Service to some degree; with many having already migrated back-office systems like email, collaboration, file storage, and customer relationship management software. But we are now also witnessing the core of the data center – financial systems, databases, supply chain, and enterprise resource planning software – moving to public Platform and Infrastructure “as a Service” (PaaS & IaaS) providers. It’s common for medium and large enterprises to run SaaS, PaaS, and IaaS at different providers, all in parallel with on-premise systems. Some small firms we speak with no longer have data centers, with all their applications hosted by third parties.

Introducing Threat Operations: TO in Action

Wed, 22 Mar 2017 00:00:00 +0000

As we wrap up our Introduction to Threat Operations series, let’s recap. We started by discussing why the way threats are handled hasn’t yielded the results the industry needs and how to think differently. Then we delved into what’s really required to keep pace with increasingly sophisticated adversaries: accelerating the human. To wrap up let’s use these concepts in a scenario to make them more tangible.

Introducing Threat Operations: Accelerating the Human

Tue, 14 Mar 2017 00:00:00 +0000

In the first post of our Introducing Threat Operations Series, we explored the need for much stronger operational discipline around handling threats. With all the internal and external security data available, and the increasing sophistication of analytics, organizations should be doing a better job of handling threats. If what you are doing isn’t working, it’s time to start thinking differently about the problem, and addressing the root causes underlying the inability to handle threats. It comes down to _accelerating the human: making your practitioners better through training, process, and technology.

Security Analytics Team of Rivals: A Glimpse into the Future

Tue, 21 Feb 2017 00:00:00 +0000

A lot of our research is conceptual, so we like to wrap up with a scenario. This helps make the ideas a bit more tangible, and provides context for you to apply it to your particular situation. To illuminate how the Security Analytics Team of Rivals can work, let’s consider a scenario involving a high-growth retailer who needs to maintain security while scaling operations which are stressed by that growth.

Introducing Threat Operations: Thinking Differently

Sun, 12 Feb 2017 00:00:00 +0000

Let’s start with a rhetorical question: Can you really “manage” threats? Is that even a worthy goal? And how do you even define a threat. We’ve seen a more accurate description of how adversaries operate by abstracting multiple attacks/threats into a campaign. That intimates a set of interrelated attacks all with a common mission. That seems like a better way to think about how you are being attacked, rather than the whack a mole approach of treating every attack as a separate thing and defaulting to the traditional threat management cycle: Prevent (good luck), Detect, Investigate, Remediate.

Security Analytics Team of Rivals: Coexistence Among Rivals

Fri, 10 Feb 2017 00:00:00 +0000

As we described in the introduction to this series, security monitoring has been around for a long time and is evolving quickly. But one size doesn’t fit all, so if you are deploying a Team of Rivals they will need to coexist for a while. Either the old guard evolves to meet modern needs, or the new guard will supplant them. But in the meantime you need to figure out how to solve a problem: detecting advanced attackers in your environment.

REMINDER: Register for the Disaster Recovery Breakfast

Wed, 08 Feb 2017 00:00:00 +0000

If you are going to be in San Francisco next week. Yes, next week. How the hell is the RSA Conference next week? Anyhow, don’t forget to swing by the Disaster Recovery Breakfast and say hello Thursday morning. Our friends from Kulesa Faul, CHEN PR, LaunchTech, and CyberEdge Group will be there. And hopefully Rich will remember his pants, this time.

Securing SAP Clouds [New Paper]

Wed, 08 Feb 2017 00:00:00 +0000

Use of cloud services is common in IT. Gmail, Twitter, and Dropbox are ubiquitous; as are business applications like Salesforce, ServiceNow, and QuickBooks. But along with the basic service, customers are outsourcing much of application security. As more firms move critical back-office components such as SAP Hana to public platform and infrastructure services, those vendors are taking on much more security responsibility. It is far from clear how to assemble a security strategy for complex a application such as SAP Hana, or how to adapt existing security controls to an unfamiliar environment with only partial control.

Security Analytics Team of Rivals: Introduction [New Series]

Wed, 01 Feb 2017 00:00:00 +0000

Security monitoring has been a foundational element of most every security program for over a decade. The initial driver for separate security monitoring infrastructure was the overwhelming amount of alerts flooding out of intrusion detection devices, which required some level of correlation to determine which mattered. Soon after, compliance mandates (primarily PCI-DSS) emerged as a forcing function, providing a clear requirement for log aggregation – which SIEM already did. As the primary security monitoring technology, SIEM became entrenched for alert reduction and compliance reporting.

Tidal Forces: Software as a Service Is the New Back Office

Tue, 31 Jan 2017 00:00:00 +0000

TL;DR: SaaS enables Zero Trust networks with pervasive encryption and access. Box vendors lose once again.

It no longer makes sense to run your own mail server in your data center. Or file servers. Or a very long list of enterprise applications. Unless you are on a very very short list of organizations. Running enterprise applications in an enterprise data center is simply an anachronism in progress. A quick peek at the balance sheets of the top tier Software as a Service providers shows the transition to SaaS continues unabated.

Dynamic Security Assessment: In Action

Mon, 30 Jan 2017 00:00:00 +0000

In the first two posts of this Dynamic Security Assessment series, we delved into the limitations of security testing and then presented the process and key functions you need to implement it.

Securing SAP Clouds: Application Security

Wed, 25 Jan 2017 00:00:00 +0000

This post will discuss the foundational elements of an application security program for SAP HCP deployments. Without direct responsibility for management of hardware and physical networks you lose the traditional security data capture points for traffic analysis and firewall technologies. The net result is that, whether on PaaS or IaaS, your application security program becomes more important than ever as what you have control over. Yes, SAP provides some network monitoring and DDoS services, but your options are are limited, they don’t share much data, and what they monitor is not tailored to your applications or requirements.

Securing SAP Clouds: Architecture and Operations

Tue, 24 Jan 2017 00:00:00 +0000

This post will discuss several keys differences in application architecture and operations – with a direct impact on security – which you need to reconsider when migrating to cloud services. These are the areas which make operations easier and security better.

Tidal Forces: Endpoints Are Different—More Secure, and Less Open

Wed, 18 Jan 2017 00:00:00 +0000

This is the second post in the Tidal Forces series.The introduction is available..

Computers aren’t computers any more.

Call it a personal computer. A laptop, desktop, workstation, PC, or Mac. Whatever configuration we’re dealing with, and whatever we call it, much of the practice of information security focuses on keeping the devices we place in our users’ hands safe. They are the boon and bane of information technology – forcing us to find a delicate balance between safety, security, compliance, and productivity. Lock them down too much and people can’t get things done – they will find an unmanaged alternative instead. Loosen up too much, and a single click on the wrong ad banner can take down a company. Vendors know it is possible to escalate a foothold on the enterprise endpoint, or the network, to reach hundreds of millions – perhaps even billions – in revenue. Extend this out to consumer computers at home, and even a small market footprint can sustain a decade of other failed products and corporate missteps.

Secure Networking in the Cloud Age: Use Cases

Thu, 12 Jan 2017 00:00:00 +0000

As we wrap up our series on secure networking in the cloud era, we have covered the requirements and migration considerations for this new network architecture – highlighting increased flexibility for configuration, scaling, and security services. In a technology environment which can change as quickly as a developer hitting ‘commit’ for a new feature, infrastructure needs to keep pace, and that is not something most enterprises can or should build themselves.

Network Security in the Cloud Age: Requirements and Migration

Tue, 10 Jan 2017 00:00:00 +0000

As we noted in our introductory post for this Network Security in the Cloud Age series, everything changes, and technology is undergoing the most radical change and disruption since… well, ever. We’re not kidding – check out our Tidal Forces post for the rundown. This disruption will have significant ramifications for how we build and manage networks. Let’s work through the requirements for this network of the future, and then provide some perspective on how you can and should migrate to the new network architecture.

Assembling A Container Security Program [New Paper]

Wed, 04 Jan 2017 00:00:00 +0000

We are pleased to launch our latest research paper, on Docker security: Assembling a Container Security Program. Containers are now such integral elements of software delivery that enterprises are demanding security in and around containers. And it’s no coincidence that Docker has recently added a variety of security capabilities to its offerings, but they are only a small subset of what customers need. During our research we learned many things, including that:

Network Security in the Cloud Age: Everything Changes

Tue, 03 Jan 2017 00:00:00 +0000

We have spent a lot of time discussing the disruptive impact of the cloud and mobility on… pretty much everything. If you need a reminder, check out our Inflection paper, which lays out how we (correctly, in hindsight) saw the coming tectonic shifts in the computing landscape. Rich is updating that research now, so you can check out his first post, where he discusses the trends which threaten promise to upend everything we know about security: Tidal Forces.

Tidal Forces: The Trends Tearing Apart Security As We Know It

Tue, 03 Jan 2017 00:00:00 +0000

Imagine a black hole suddenly appearing in the solar system – gravity instantly warping space and time in our celestial neighborhood, inexorably drawing in all matter. Closer objects are affected more strongly, with the closest whipping past the event horizon and disappearing from the observable universe. Farther objects are pulled in more slowly, but still inescapably. As they come closer to the disturbance, the gravitational field warping space exponentially, closer points are pulled away from trailing edges, potentially ripping entire planets apart.

Dynamic Security Assessment: Process and Functions

Thu, 29 Dec 2016 00:00:00 +0000

As we wind down the year it’s time to return to forward-looking research, specifically a concept we know will be more important in 2017. As described in the first post of our Dynamic Security Assessment series, there are clear limitations to current security testing mechanisms. But before we start talking about solutions we should lay out the requirements for our vision of dynamic security assessment.

Incite 12/21/2016: To Incite

Wed, 21 Dec 2016 00:00:00 +0000

In the process of wrapping up the year I realize the last Incite I wrote was in August. Damn. That’s a long respite. It’s in my todo list every Tuesday. And evidently I have dutifully rescheduled it for about 3 months now. I am one to analyze (and probably overanalyze) everything, so I need to figure out why I have resisted writing the Incite.

The NINTH Annual Disaster Recovery Breakfast: the More Things Change…

Mon, 19 Dec 2016 00:00:00 +0000

Big 9. Lucky 9. Or maybe not so lucky 9, because by the time you reach our annual respite from the wackiness of the RSA Conference, you may not be feeling very lucky. But if you flip your perspective, you’ll be in the home stretch, with only one more day of the conference before you can get the hell out of SF.

The NINTH Annual Disaster Recovery Breakfast: the More Things Change…

Mon, 19 Dec 2016 00:00:00 +0000

Amazon re:Invent Takeaways? Hang on to Your A**es…

Thu, 08 Dec 2016 00:00:00 +0000

I realized I promised to start writing more again to finish off the year and then promptly disappeared for over a week. Not to worry, it was for a good cause, since I spent all of last week at Amazon’s re:Invent conference. And, umm, might have been distracted this week by the release of the Rogue One expansion pack for Star Wars Battlefront. But enough about me…

Cloud Security Automation: Code vs. CloudFormation or Terraform Templates

Wed, 16 Nov 2016 00:00:00 +0000

Right now I’m working on updating many of my little command line tools into releasable versions. It’s a mixed bag of things I’ve written for demos, training classes, clients, or Trinity (our mothballed product). A few of these are security automation tools I’m working on for clients to give them a skeleton framework to build out their own automation programs. Basically, what we created Trinity for, that isn’t releasable.

Cloud Database Security: 2011 vs. Today

Mon, 14 Nov 2016 00:00:00 +0000

Adrian here.

I had a brief conversation today about security for cloud database deployments, and their two basic questions encapsulated many conversations I have had over the last few months. It is relevant to a wider audience, so I will discuss them here.

Dynamic Security Assessment: The Limitations of Security Testing [New Series]

Thu, 10 Nov 2016 00:00:00 +0000

We have been fans of testing the security of infrastructure and applications as long as we can remember doing research. We have always known attackers are testing your environment all the time, so if you aren’t also self-assessing, inevitably you will be surprised by a successful attack. And like most security folks, we are no fans of surprises.

Assembling a Container Security Program: Monitoring and Auditing

Wed, 09 Nov 2016 00:00:00 +0000

Our last post in this series covers two key areas: Monitoring and Auditing. We have more to say, in the first case because most development and security teams are not aware of these options, and in the latter because most teams hold many misconceptions and considerable fear on the topic. So we will dig into these two areas essential to container security programs.

Assembling a Container Security Program: Container Validation

Mon, 07 Nov 2016 00:00:00 +0000

This post is focused on security testing your code and container, and verifying that both conform to security and operational practices. One of the major advances over the last year or so is the introduction of security features for the software supply chain, from both Docker itself and a handful of third-party vendors. All the solutions focus on slightly different threats to container construction, with Docker providing tools to certify that containers have made it through your process, while third-party tools are focused on vetting the container contents. So Docker provides things like process controls, digital signing services to verify chain of custody, and creation of a Bill of Materials based on known trusted libraries. In contrast, third-party tools to harden container inputs, analyze resource usage, perform static code analysis, analyze the composition of libraries, and check against known malware signatures; they can then perform granular policy-based container delivery based on the results. You will need a combination of both, so we will go into a bit more detail:

Assembling a Container Security Program: Runtime Security

Mon, 07 Nov 2016 00:00:00 +0000

This post will focus on the ‘runtime’ aspects of container security. Unlike the tools and processes discussed in previous sections, here we will focus on containers in production systems. This includes which images are moved into production repositories, security around selecting and running containers, and the security of the underlying host systems.

Firestarter: How to Tell When Your Cloud Consultant Sucks

Mon, 07 Nov 2016 00:00:00 +0000

Mike and Rich had a call this week with another prospect who was given some pretty bad cloud advice. We spend a little time trying to figure out why we keep seeing so much bad advice out there (seriously, BIG B BAD not OOPSIE bad). Then we focus on the key things to look for to figure out w

More on Bastion Accounts and Blast Radius

Mon, 07 Nov 2016 00:00:00 +0000

I have received some great feedback on my post last week on bastion accounts and networks. Mostly that I left some gaps in my explanation which legitimately confused people. Plus, I forgot to include any pretty pictures. Let’s work through things a bit more.

Assembling a Container Security Program: Securing the Build

Sun, 06 Nov 2016 00:00:00 +0000

As we mentioned in our last post, most people don’t seem to consider the build environment when thinking about container security, but it’s important. Traditionally, the build environment is the domain of developers, and they don’t share a lot of details with outsiders (in this case, Operations folks). But this is beginning to change with Continuous Integration (CI) or full Continuous Deployment (CD), and more automated deployment. The build environment is more likely to go straight into production. This means that operations, quality assurance, release management, and other groups find themselves having to cooperate on building automation scripts and working together more closely. Collaboration means a more complex, distributed working environment, with more stakeholders having access. DevOps is rapidly breaking down barriers between groups, even getting some security teams to contribute test scripts and configuration updates. Better controls are needed to restrict who can alter the build environment and update code, and an audit process to validate who did what.

Bastion (Transit) Networks Are the DMZ to Protect Your Cloud from Your Datacenter

Fri, 04 Nov 2016 00:00:00 +0000

In an earlier post I mentioning bastion accounts or virtual networks. Amazon calls these “transit VPCs” and has a good description. Before I dive into details, the key difference is that I focus on using the concept as a security control, and Amazon for network connectivity and resiliency. That’s why I call these “bastion accounts/networks”.

Endpoint Advanced Protection: Remediation and Deployment

Fri, 04 Nov 2016 00:00:00 +0000

Now that we have gotten through 80% of the Endpoint Advanced Protection lifecycle we can focus on remediation, and then how to start getting value from these new alternatives.

Assembling a Container Security Program: Threats

Wed, 02 Nov 2016 00:00:00 +0000

After a somewhat lengthy hiatus – sorry about that – I will close out this series over the next couple days.

Seven Steps to Secure Your AWS Root Account

Wed, 02 Nov 2016 00:00:00 +0000

The following steps are very specific to AWS, but with minimal modification they will work for other cloud platforms which support multi factor authentication. And if your cloud provider doesn’t support MFA and the other features you need to follow these steps… find another provider.

Endpoint Advanced Protection: Detection and Response

Tue, 01 Nov 2016 00:00:00 +0000

As we discussed previously, despite all the cool innovation happening to effectively prevent compromises on endpoints, the fact remains that you cannot stop all attacks. That means detecting the compromise quickly and effectively, and then figuring out how far the attack has spread within your organization, continues to be critical.

How to Start Moving to the Cloud

Tue, 01 Nov 2016 00:00:00 +0000

Yesterday I warned against building a monolithic cloud infrastructure to move into cloud computing. It creates a large blast radius, is difficult to secure, costs more, and is far less agile than the alternative. But I, um… er… uh… didn’t really mention an alternative.

Ten Years of Securosis: Time for a Memory Dump

Mon, 31 Oct 2016 00:00:00 +0000

I started Securosis as a blog a little over 10 years ago. 9 years ago it became my job. Soon after that Adrian Lane and Mike Rothman joined me as partners. Over that time we have published well over 10,000 posts, around 100 research papers, and given countless presentations. When I laid down that first post I was 35, childless, a Research VP at Gartner still, and recently married. In other words I had a secure job and the kind of free time no one with a kid ever sees again. Every morning I woke up energized to tell the Internet important things!

Your Cloud Consultant Probably Sucks

Mon, 31 Oct 2016 00:00:00 +0000

There is a disturbing consistency in the kinds of project requests I see these days. Organizations call me because they are in the midst of their first transition to cloud, and they are spending many months planning out their exact AWS environment and all the security controls “before we move any workloads up”. More often than not some consulting firm advised them they need to spend 4-9 months building out 1-2 virtual networks in their cloud provider and implementing all the security controls before they can actually start in the cloud.

The Difference between SecDevOps and Rugged DevOps

Wed, 26 Oct 2016 00:00:00 +0000

Adrian here.

I wanted to do a quick post on a question I’ve been getting a lot: “Is there a difference between SecDevOps, Rugged DevOps, DevSecOps, and the rest of those various terms? Aren’t they all the same?”

SAP Cloud Security: Contracts

Mon, 24 Oct 2016 00:00:00 +0000

This post will discuss the division of responsibility between a cloud provider and you as a tenant, and how to define aspects of that relationship in your service contract. Renting a platform from a service provider does not mean you can afford to cede all security responsibility. Cloud services free you from many traditional IT jobs, but you must still address security. The cloud provider assumes some security responsibilities, but many still fall into your lap, while others are shared. The administration and security guides don’t spell out all the details of how security works behind the scenes, or what the provider really provides. Grey areas should be defined and clarified in your contract up fron. During an incident response is a terrible time to discover what SAP actually offers.

Endpoint Advanced Protection: The Evolution of Prevention

Mon, 17 Oct 2016 00:00:00 +0000

As we discussed in our last post, there is a logical lifecycle which you can implement to protect endpoints. Once you know what you need to protect and how vulnerable the devices are, you try to prevent attacks, right? Was that a snicker? You’ve been reading the trade press and security marketing telling you prevention is futile, so you’re a bit skeptical. You have every right to be – time and again you have had to clean up ransomware attacks (hopefully before they encrypt entire file servers), and you detect command and control traffic indicating popped devices frequently. A sense of futility regarding actually preventing compromise is all too common.

Assembling a Container Security Program [New Series]

Tue, 04 Oct 2016 00:00:00 +0000

The explosive growth of containers is not surprising – technologies such as Docker address several problems facing developers when they deploy applications. Developers need simple packaging, rapid deployment, reduced environmental dependancies, support for micro-services, and horizontal scalability – all of which containers provide, making them very compelling. Yet this generic model of packaged services, where the environment is designed to treat each container as a “unit of service” sharply reduces transparency and auditability (by design) and gives security pros nightmares. We run more code and run it faster, begging the question, “How can you introduce security without losing the benefits of containers?”

Securing SAP Clouds [New Series]

Mon, 03 Oct 2016 00:00:00 +0000

Every enterprise uses cloud computing services to some degree – tools such as Gmail, Twitter, and Dropbox are ubiquitous; as are business applications like Salesforce, ServiceNow, and Quickbooks. Cost savings, operational stability, and reduced management effort are all proven advantages. But when we consider moving back-office infrastructure – systems at the heart of business – there is significant angst and uncertainty among IT and security professionals. For big and complex applications like SAP, they wonder if cloud services are a viable option. The problem is that security is not optional, but actually critical. For folks operating in a traditional on-premise environment, it is often unclear how to adapt the security model to an unfamiliar environment where they only have partial control.

Endpoint Advanced Protection: The Endpoint Protection Lifecycle

Wed, 28 Sep 2016 00:00:00 +0000

As we return to our Endpoint Advanced Protection series, let’s dig into the lifecycle alluded to at the end of our introduction. We laid out a fairly straightforward set of activities required to protect endpoint devices. But we all know straightforward doesn’t mean easy.

Incite 8/31/2016: Meetings: No Thanks

Wed, 31 Aug 2016 00:00:00 +0000

It’s been a long time since I had an office job. I got fired from my last in November 2005. I had another job since then, but I commuted to Boston. So I was in the office maybe 2-3 days a week. But usually not. That means I rarely have a bad commute. I work from wherever I want, usually some coffee shop with headphones on, or in a quiet enough corner to take a call. I spend some time in the home office when I need to record a webcast or record a video with Rich and Adrian.

Nuke It from Orbit

Wed, 31 Aug 2016 00:00:00 +0000

I had a call today, that went pretty much like all my other calls.

An organization wants to move to the cloud. Scratch that – they are moving, quickly. The team on the phone was working hard to figure out their architectures and security requirements. These weren’t ostriches sticking their heads in the sand, they were very cognizant of many of the changes cloud computing forces, and were working hard to enable their organization to move as quickly and safely as possible. They were not blockers. The company was big.

New Paper: Understanding and Selecting RASP

Mon, 29 Aug 2016 00:00:00 +0000

We are pleased to announce the availability of our Understanding RASP (Runtime Application Self-Protection) research paper. We would like to heartily thank Immunio for licensing this content. Without this type of support we could not bring this level of research to you, both free of charge and without requiring registration. We think this research paper will help developers and security professionals who are tackling application security from within.

Endpoint Advanced Protection: The State of the Endpoint Security Union

Wed, 17 Aug 2016 00:00:00 +0000

Innovation comes and goes in security. Back in 2007 network security had been stagnant for more than a few years. It was the same old, same old. Firewall does this. IPS does that. Web proxy does a third thing. None of them did their jobs particularly well, struggling to keep up with attacks encapsulated in common protocols. Then the next generation firewall emerged, and it turned out that regardless of what it was called, it was more than a firewall. It was the evolution of the network security gateway.

Thoughts on Apple’s Bug Bounty Program

Thu, 04 Aug 2016 00:00:00 +0000

It should surprise no one that Apple is writing their own playbook for bug bounties. Both bigger, with the largest potential payout I’m aware of, and smaller, focusing on a specific set of vulnerabilities with, for now, a limited number of researchers. Many, including myself, are definitely free to be surprised that Apple is launching a program at all. I never considered it a certainty, nor even necessarily something Apple had to do.

Incident Response in the Cloud Age [new paper]

Thu, 28 Jul 2016 00:00:00 +0000

Incident response is always tough today. But when you need to deal with faster networks, an increasingly mobile workforce, and that thing called cloud computing, IR gets even harder. Sure, there are new technologies like threat intelligence, better network and endpoint telemetry, and analytics to help you investigate faster. But don’t think you’ll be able to do the same thing tomorrow as you did yesterday. You will need to evolve your incident response process and technology to handle the cloud age, just like you have had to adapt many of your other security functions to this new reality.

Our Incident Response in the Cloud Age paper digs into impacts of the cloud, faster and virtualized networks, and threat intelligence on your incident response process. Then we discuss how to streamline response in light of the lack of people to perform the heavy lifting of incident response. Finally we bring everything together with a scenario to illuminate the concepts.

Incite 7/27/2016: The 3 As

Tue, 26 Jul 2016 00:00:00 +0000

One of the hardest things for me to realize has been that I don’t control everything. I spent years railing against the machine, and getting upset when nothing changed. Active-minded people (as opposed to passive) believe they make their own opportunities and control their destiny, sometimes by force of will. Over the past few years, I needed a way to handle this reality and not make myself crazy. So I came up with 3 “A” words that make sense to me. The first ‘A’, Acceptance, is very difficult for me because it goes against most of what I believe. When you think about it, acceptance seems so defeatist. How can you push things forward and improve them if you accept the way they are now? I struggled with this for the first 5 years I practiced mindfulness.

Summary: News…. and pulling an AMI from Packer and Jenkins

Thu, 14 Jul 2016 00:00:00 +0000

Rich here.

Before I get into tech content, a quick personal note. I just signed up for my first charity athletic event, and will be riding 250 miles in 3 days to support challenged athletes. I’ve covered the event costs, so all donations go right to the cause. Click here if you are interested in supporting the Challenged Athletes Foundation (and my first attempt at fundraising since I sold lightbulbs for the Boy Scouts. Seriously. Lightbulbs. Really crappy ones which burned out in months, making it very embarrassing to ever hit that neighborhood again. Then again, that probably prepared me for a career in security sales).

Building a Threat Intelligence Program [New Paper]

Thu, 30 Jun 2016 00:00:00 +0000

Threat Intelligence has made a significant difference in how organizations focus resources on their most significant risks. Yet far too many organizations continue to focus on very tactical use cases for external threat data. These help, but they underutilizing the intelligence’s capabilities and potential. The time has come to advance threat intelligence into the broader and more structured TI program to ensure systematic, consistent, and repeatable value. A program must account for ongoing attack indicator changes and keep up with evolution in adversaries’ tactics.

Managed Security Monitoring: Selecting a Service Provider

Thu, 30 Jun 2016 00:00:00 +0000

Based on the discussion in our first post, you have decided to move toward a managed security monitoring service. Awesome! That was the easy part. Now you need to figure out what kind of deployment model makes sense, and then do the hard work of actually selecting the best service provider for you.

Incite 6/29/16: Gone Fishin’ (Proverbially)

Wed, 29 Jun 2016 00:00:00 +0000

It was a great Incite. I wrote it on the flight to Europe for the second leg of my summer vacation. I said magical stuff. Such depth and perspective, I even amazed myself. When I got to the hotel in Florence and went to post the Incite on the blog, it was gone. That’s right: G. O. N. E.

Managed Security Monitoring: Use Cases

Mon, 27 Jun 2016 00:00:00 +0000

Many security professionals feel the deck is stacked against them. Adversaries continue to improve their techniques, aided by plentiful malware kits and botnet infrastructures. Continued digitization at pretty much every enterprise means everything of interest in on some system somewhere. Don’t forget the double whammy of mobile and cloud, which democratizes access without geographic boundaries, and takes the one bastion of control, the traditional data center, out of your direct control. Are we having fun yet?

Summary: Modifying rsyslog to Add Cloud Instance Metadata

Thu, 23 Jun 2016 00:00:00 +0000

Rich here. Quick note: I basically wrote an entire technical post for Tool of the Week, so feel free to skip down if that’s why you’re reading. Ah, summer. As someone who works at home and has children, I’m learning the pains of summer break. Sure, it’s a wonderful time without homework fights and after-school activities, but it also means all 5 of us in the house nearly every day. It’s a bit distracting. I mean do you have any idea how to tell a 3-year-old you cannot ditch work to play Disney Infinity on the Xbox? Me neither, which explains my productivity slowdown. I’ve actually been pretty busy at ‘real work’, mostly building content for our new Advanced Cloud Security course (it’s sold out, but we still have room in our Hands-On class). Plus a bunch of recent cloud security assessments for various clients. I have been seeing some interesting consistencies, and will try to write those up after I get these other projects knocked off. People are definitely getting a better handle on the cloud, but they still tend to make similar mistakes. With that, let’s jump right in…

Shining a Light on Shadow Devices [New Paper]

Wed, 15 Jun 2016 00:00:00 +0000

Visible devices are only some of the network-connected devices in your environment. There are hundreds, quite possibly thousands, of other devices you don’t know about on your network. You don’t scan them periodically, and you have no idea of their security posture. Each one can be attacked, and might provide an adversary with opportunity to gain presence in your environment. Your attack surface is much larger than you thought. In our Shining a Light on Shadow Devices paper, we discuss the attacks on these devices which can become an issue on your network, along with some tactics to

Getting the SWIFT Boot

Mon, 13 Jun 2016 00:00:00 +0000

As long as I have been in security and following the markets, I have observed that no one says security is unimportant. Not out loud, anyway. But their actions usually show a different view. Maybe there is a little more funding. Maybe somewhat better visibility at the board level. But mostly security gets a lot of lip service.

Understanding and Selecting RASP: Buyers Guide

Mon, 13 Jun 2016 00:00:00 +0000

Before we jump into today’s post, we want to thank Immunio for expressing interest in licensing this content. This type of support enables us to bring quality research to you, free of charge. If you are interested in licensing this Securosis research as well, please let us know. And we want to thank all of you who have been commenting throughout this series – we have received many good comments and questions. We have in fact edited most of the posts to integrate your feedback, and added new sections to address your questions. This research is certainly better for it!

Building Resilient Cloud Network Architectures [New Paper]

Thu, 09 Jun 2016 00:00:00 +0000

Building Resilient Cloud Network Architectures builds on our Pragmatic Security Cloud and Hybrid Networks research, focusing on cloud-native network architectures that provide security and availability infeasible in a traditional data center. The key is that cloud computing provides architectural options which are either impossible or economically infeasible in traditional data centers, enabling greater protection and better availability.

Summary: June 10, 2016

Thu, 09 Jun 2016 00:00:00 +0000

Adrian here.

A phone call about Activity Monitoring administrative actions on mainframes, followed by a call on security architectures for new applications in AWS. A call on SAP vulnerability scans, followed by a call on Runtime Application Self-Protection. A call on protecting relational databases against SQL injection, followed by a discussion of relevant values to key security event data for a big data analytics project. Consulting with a firm which releases code every 12 months, and discussing release management with a firm that is moving to two-a-day in a continuous deployment model. This is what my call logs look like.

Evolving Encryption Key Management Best Practices: Use Cases

Wed, 08 Jun 2016 00:00:00 +0000

This is the third in a three-part series on evolving encryption key management best practices. The first post isavailable here. This research is also posted at GitHub for public review and feedback. My thanks to Hewlett Packard Enterprise for licensing this research, in accordance with our strict Totally Transparent Research policy, which enables us to release our independent and objective research for free.

Incite 6/7/2016: Nature

Wed, 08 Jun 2016 00:00:00 +0000

Like many of you, I spend a lot of time sitting on my butt banging away at my keyboard. I’m lucky that the nature of my work allows me to switch locations frequently, and I can choose to have a decent view of the world at any given time. Whether it’s looking at a wide assortment of people in the various Starbucks I frequent, my home office overlooking the courtyard, or pretty much any place I can open my computer on my frequent business travels. Others get to spend all day in their comfy (or not so comfy) cubicles, and maybe stroll to the cafeteria once a day.

Mr. Market Loves Ransomware

Tue, 07 Jun 2016 00:00:00 +0000

The old business rule is: when something works, do more of it. By that measure ransomware is clearly working. One indication is the number of new domains popping up which are associated with ransomware attacks. According to an Infoblox research report (and they provide DNS services, so they should know), there was a 35x increase in ransomware domains in Q1.

Building a Vendor (IT) Risk Management Program [New Paper]

Mon, 06 Jun 2016 00:00:00 +0000

In Building a Vendor (IT) Risk Management Program, we explain why you can no longer ignore the risk presented by third-party vendors and other business partners, including managing an expanded attack surface and new regulations demanding effective management of vendor risk. We then offer ideas for how to build a structured and systematic program to assess vendor (IT) risk, and take action when necessary.

Evolving Encryption Key Management Best Practices: Part 2

Fri, 03 Jun 2016 00:00:00 +0000

This is the second in a four-part series on evolving encryption key management best practices. The first post isavailable here. This research is also posted at GitHub for public review and feedback. My thanks to Hewlett Packard Enterprise for licensing this research, in accordance with our strict Totally Transparent Research policy, which enables us to release our independent and objective research for free.

Incident Response in the Cloud Age: In Action

Thu, 02 Jun 2016 00:00:00 +0000

When we do a process-centric research project, it works best to wrap up the series with a scenario that really illuminates the concepts we’ve discussed throughout the series and make things a bit more tangible.

Summary: June 3, 2016

Thu, 02 Jun 2016 00:00:00 +0000

Adrian here.

Unlike my business partners who have been logging thousands of air miles, speaking at conferences and with clients around the country, I have been at home. And with the mildest spring in Phoenix’s recored history, it’s been a blessing as we’re 45 days past the point we typically encounter 100 degree days. Bike rides. Hiking. Running. That is, when I get a chance to sneak outdoors and enjoy it. With our pivot there is even more writing and research going on than normal, if that’s even possible. You will begin to see the results of this work within the next couple of weeks, and we are looking forward to putting a fresh face on the business. That launch will coincide with us posting lots more hands on advice for cloud security and migrations.

Firestarter: Where to start?

Tue, 31 May 2016 00:00:00 +0000

It’s long past the day we need to convince you that cloud and DevOps is a thing. We all know it’s happening, but one of the biggest questions we get is “Where do I start?” In this episode we scratch the surface of how to start approaching the problem when you don’t get to join a hot unicorn startup and build everything from scratch with an infinite budget behind you.

Understanding and Selecting RASP: Integration

Tue, 31 May 2016 00:00:00 +0000

This post will offer examples for how to integrate RASP into a development pipeline. We’ll cover both how RASP fits into the technology stack, and development processes used to deliver applications. We will close this post with a detailed discussion of how RASP differs from other security technologies, and discuss advantages and tradeoffs compared to other security technologies.

Incident Response in the Cloud Age: Addressing the Skills Gap

Thu, 26 May 2016 00:00:00 +0000

As we described in our last post, incident response in the Cloud Age requires an evolved response process, in light of data sources you didn’t have before, including external threat intelligence, and the ability to analyze data in ways that weren’t possible just a few years ago. You also need to factor in the fact that access to specific telemetry, especially around the network, is limited because you don’t have control over networks anymore.

Incite 5/25/2016: Transitions

Wed, 25 May 2016 00:00:00 +0000

I have always been pretty transparent about my life in the Incite. I figured maybe readers could learn something that helps them in life through my trials and tribulations, and if not perhaps they’d be entertained a bit. I also write Incites as a journal of sorts for myself. A couple times a year I search through some old Incites and remember where I was at that point in my life. There really wasn’t much I wouldn’t share, but I wondered if at some point I’d find a line I wouldn’t cross in writing about my life publicly.

Incident Response in the Cloud Age: More Data, No Data, or Both?

Tue, 24 May 2016 00:00:00 +0000

As we discussed in the first post of this series, incident response needs to change, given disruptions such as cloud computing and the availability of new data sources, including external threat intelligence. We wrote a paper called Leveraging Threat Intelligence in Incident Response (TI+IR) back in 2014 to update our existing I/R process map. Here is what we came up with:

Understanding and Selecting RASP: Use Cases

Tue, 24 May 2016 00:00:00 +0000

As you might expect, the primary function of RASP is to protect web applications against known and emerging threats; it is typically deployed to block attacks at the application layer, before vulnerabilities can be exploited. There is no question that the industry needs application security platforms – major new vulnerabilities are disclosed just about every week. And there are good reasons companies look to outside security vendors to help protect their applications. Most often we hear that firms simply have too many critical vulnerabilities to fix in a timely manner, with many reporting their backlog would take years to fix. In many cases the issue is legacy applications – ones which probably should never have been put on the Internet. These applications are often unsupported, with the engineers who developed them no longer available, or the platforms so fragile that they become unstable if security fixes are applied. And in many cases it is simply economics: the cost of securing the application itself is financially unfeasible, so companies are willing to accept the risk, instead choosing to address threats externally as best they can.

Evolving Encryption Key Management Best Practices: Introduction

Mon, 23 May 2016 00:00:00 +0000

This is the first in a four-part series on evolving encryption key management best practices. This research is alsoposted at GitHub for public review and feedback. My thanks to Hewlett Packard Enterprise for licensing this research, in accordance with our strict Totally Transparent Research policy, which enables us to release our independent and objective research for free.

Incite 5/20/2016: Dance of Joy

Fri, 20 May 2016 00:00:00 +0000

Perception of time is a funny thing. As we wind down the school year in Atlanta, it’s hard to believe how quickly this year has flown by. It seems like yesterday XX1 was starting high school and the twins were starting middle school. I was talking to XX1 last week as she was driving herself to school (yes, that’s a surreal statement) and she mentioned that she couldn’t believe the school year was over. I tried to explain that as you get older, time seems to move more quickly.

Incident Response in the Cloud Age: Shifting Foundations

Thu, 19 May 2016 00:00:00 +0000

Since we published our React Faster and Better research and Incident Response Fundamentals, quite a bit has changed relative to responding to incidents. First and foremost, incident response is a thing now. Not that it wasn’t a discipline mature security organizations focused on before 2012, but since then a lot more resources and funding have shifted away from ineffective prevention towards detection and response. Which we think is awesome.

Summary: May 19, 2016

Thu, 19 May 2016 00:00:00 +0000

Rich here. Not a lot of news from us this week, because we’ve mostly been traveling, and for Mike and me the kids’ school year is coming to a close. Last week I was at the Rocky Mountain Information Security Conference in Denver. The Denver ISSA puts on a great show, but due to some family scheduling I didn’t get to see as many sessions as I hoped. I presented my usual pragmatic cloud pitch, a modification of my RSA session from this year. It seems one of the big issues organizations are still facing is a mixture of where to get started on cloud/DevOps, with switching over to understand and implement the fundamentals. For example, one person in my session mentioned his team thought they were doing DevOps, but actually mashed some tools together without understanding the philosophy or building a continuous integration pipeline. Needless to say, it didn’t go well. In other news, our advanced Black Hat class sold out, but there are still openings in our main class I highlighted the course differences in a post. You can subscribe to only the Friday Summary.

Understanding and Selecting RASP: Technology Overview

Tue, 17 May 2016 00:00:00 +0000

This post will discuss technical facets of RASP products, including how the technology works, how it integrates into an application environment, and the advantages or disadvantages of each. We will also spend some time on which application platforms supported are today, as this is one area where each provider is limited and working to expand, so it will impact your selection process. We will also consider a couple aspects of RASP technology which we expect to evolve over next couple years.

Shining a Light on Shadow Devices: Seeing into the Shadows

Mon, 16 May 2016 00:00:00 +0000

As we have posted this Shadow Devices series, we have discussed the millions (likely billions) of new devices which will be connecting to networks over the coming decade. Clearly many of them won’t be traditional computer devices, which can be scanned and assessed for security issues. We called these other devices shadow devices because this is about more than the “Internet of Things” – any networked device which can be used to steal information – whether directly or by providing a stepping stone to targeted information – needs to be considered.

SIEM Kung Fu [New Paper]

Tue, 10 May 2016 00:00:00 +0000

In the SIEM Kung Fu paper, we tell you what you need to know to get the most out of your SIEM, and solve the problems you face today by increasing your capabilities (the promised Kung Fu).

Shining a Light on Shadow Devices: Attacks

Mon, 09 May 2016 00:00:00 +0000

What is the real risk of the Shadow Devices we described back in our first post? It is clear that more organizations don’t really take their risks seriously. They certainly don’t have workarounds in place, or proactively segment their environments to ensure that compromising these devices doesn’t provide opportunity for attackers to gain presence and a foothold in their environments. Let’s dig into three broad device categories to understand what attacks look like.

Understanding and Selecting RASP edited [New Series]

Mon, 09 May 2016 00:00:00 +0000

In 2015 we researched Putting Security Into DevOps, with a close look at how automated continuous deployment and DevOps impacted IT and application security. We found DevOps provided a very real path to improve application security using continuous automated testing, run each time new code was checked in. We were surprised to discover developers and IT teams taking a larger role in selecting security solutions, and bringing a new set of buying criteria to the table. Security products must do more than address application security issues; they need to mesh with continuous integration and deployment approaches, with automated capabilities and better integration with developer tools.

Updates to Our Black Hat Cloud Security Training Classes

Mon, 09 May 2016 00:00:00 +0000

We have been getting questions on our training classes this year, so I thought I should update everyone on major updates to our ‘old’ class, and what to expect from our ‘advanced’ class. The short version is that we are adding new material to our basic class, to align with upcoming Cloud Security Alliance changes and cover DevOps. It will still include some advanced material, but we are assuming the top 10% (in terms of technical skills) of students will move to our new advanced class instead, enabling us to focus the basic class on the meaty part of the bell curve.

Summary: May 5, 2016

Fri, 06 May 2016 00:00:00 +0000

Rich here.

It’s been a busy couple weeks, and the pace is only ramping up. This week I gave a presentation and a workshop at Interop. It seemed to go well, and the networking-focused audience was very receptive. Next week I’m out at the Rocky Mountain Infosec Conference, which is really just an excuse to spend a few more days back near my old home in Colorado. I get home just in time for my wife to take a trip, then even before she’s back I’m off to Atlanta to keynote an IBM Cybersecurity Seminar (free, if you are in the area). I’m kind of psyched for that one because it’s at the aquarium, and I’ve been begging Mike to take me for years.

Updating and Pruning our Mailing Lists

Wed, 04 May 2016 00:00:00 +0000

As part of updating All Things Securosis, the time has come to migrate our mailing lists to a new provider (MailChimp, for the curious). The CAPTCHA at our old provider wasn’t working properly, so people couldn’t sign up. I’m not sure if that’s technically irony for a security company, but it was certainly unfortunate. So…

Firestarter: What the hell is a cloud anyway?

Tue, 03 May 2016 00:00:00 +0000

In our wanderings we’ve noticed that when we pull our heads out of the bubble, not everyone necessarily understands what cloud is or where it’s going. Heck, many smart IT people are still framing it within the context of what they currently do. It’s only natural, especially when they get crappy advice from clueless consultants, but it certainly can lead you down some ugly paths. This week Mike, Adrian and Rich are also joined by Dave Lewis (who accidentally sat down next to Rich at a conference) to talk about how people see cloud, the gaps, and how to navigate the waters.

Summary: April 28, 2016

Thu, 28 Apr 2016 00:00:00 +0000

Rich here.

Okay, have I mentioned how impatient I’m getting about updating our site? Alas, there is only so fast you can push a good design and implementation. The foundation is all set and we hope to start transferring everything into our new AWS architecture within the next month.

Incite 4/27/2016: Tap the B.R.A.K.E.S.

Wed, 27 Apr 2016 00:00:00 +0000

I mentioned back in January that XX1 has gotten her driver’s permit and was in command of a two ton weapon on a regular basis. Driving with her has been, uh, interesting. I try to give her an opportunity to drive where possible, like when I have to get her to school in the morning. She can navigate the couple of miles through traffic on the way to her school. And she drives to/from her tutor as well, but that’s still largely local travel.

Building a Vendor IT Risk Management Program: Ongoing Monitoring and Communication

Mon, 25 Apr 2016 00:00:00 +0000

As we mentioned last post, after you figure out what risk means to your organization, and determine the best way to quantify and rank your vendors in terms that concept of risk, you’ll need to revisit your risk assessment; because security in general, and each vendor’s environment specifically, is dynamic and constantly changing. We also need to address how to deal with vendor issues (breaches and otherwise) – both within your organization, and potentially to customers as well.

Building a Vendor IT Risk Management Program: Evaluating Vendor Risk

Fri, 22 Apr 2016 00:00:00 +0000

As we discussed in the first post in this series, whether it’s thanks to increasingly tighter business processes/operations with vendors andtrading partners, or to regulation (especially in finance) you can no longer ignore vendor risk management. So we delved into the structure and mapped out a few key aspects of a VRM program. Of course we are focused on the IT aspects of vendor management, which should be a significant component of a broader risk management approach for your environment.

Friday Summary: April 21, 2016

Thu, 21 Apr 2016 00:00:00 +0000

Adrian here.

Starting with the 2008 RSA conference, Rich and Chris Hoff presented each year on the then-current state of cloud services, and predicted where they felt cloud computing was going. This year Mike helped Rich conclude the series with some new predictions, but more importantly they went back to assess the accuracy of previous prognostications. My takeaway is that their predictions for what cloud services would do, and the value they would provide, were pretty well spot on. And in most cases, when a specific tool or product was identified as being critical, they totally missed the mark. Wildly.

How iMessage distributes security to block “phantom devices”

Tue, 19 Apr 2016 00:00:00 +0000

Last Friday I spent some time in a discussion with senior members of Apple’s engineering and security teams. I knew most of the technical content but they really clarified Apple’s security approach, much of which they have never explicitly stated, even on background. Most of that is fodder for my next post, but I wanted to focus on one particular technical feature I have never seen clearly documented before; which both highlights Apple’s approach to security, and shows that iMessage is more secure than I thought.

Summary April 14, 2016

Thu, 14 Apr 2016 00:00:00 +0000

Rich here.

Mike, Adrian, and I are just back from a big planning session for what we are calling “Securosis 2.0”. Everything is lining up nicely, and now we mostly just need to get the website updated. We are fully gutting the current design and architecture, and moving everything into AWS. The prototyping is complete and next week I get to build out the deployment pipeline, because we are going with a completely immutable design.

Summary: The Great Vomit Apology

Fri, 08 Apr 2016 00:00:00 +0000

Rich here.

I started to write an apology for this week’s Summary, because I missed last week due to an unplanned stomach bug that hit at 4am Thursday, when I normally write these. It was nearly 5 days before I fully recovered. Then I realized I had fully drafted a Summary on March 11 – an abridged version due to my daughter waking up with a stomach infection. It turns out I left that one as a draft, and never even noticed… that’s what kids do to ya.

Maximizing WAF Value: Management

Thu, 07 Apr 2016 00:00:00 +0000

As described in last post, deploying a WAF requires knowledge of both application security and your specific application(s). Management it requires an ongoing effort to keep a WAF current with emerging attacks and frequent application changes. Your organization likely adds new applications and changes network architectures at least a couple times a year. We see more and more organizations embracing continuous deployment for their applications. This means application functions and usage are constantly changing as well. So you need to adjust your defenses regularly to keep pace.

Incite 4/6/2016—Hindsight

Wed, 06 Apr 2016 00:00:00 +0000

When things don’t go quite as you hoped, it’s human nature to look backwards and question your decisions. If you had done something different maybe the outcome would be better. If you didn’t do the other thing, maybe you’d be in a different spot. We all do it. Some more than others. It’s almost impossible to not wonder what would have been.

Maximizing WAF Value: Deployment

Wed, 06 Apr 2016 00:00:00 +0000

Now we will dig into the myriad ways to deploy a Web Application Firewall (WAF), including where to position it and the pros & cons of on-premise devices versus WAF services. A key part of the deployment process is training the WAF for specific applications and setting up the initial rulesets. We will also highlight effective practices for moving from visibility (getting alerts) to control (blocking attacks). Finally we will present a Quick Wins scenario because it’s critical for any security technology to get a ‘win’ early in deployment to prove its value.

Maximizing Value From Your WAF [New Series]

Thu, 31 Mar 2016 00:00:00 +0000

Web Application Firewalls (WAFs) have been in production use for well over a decade, maturing from point solutions primarily blocking SQL injection to mature application security tools. In most mature security product categories, such as anti-virus, there hasn’t been much to talk about, aside from complaining that not much has changed over the last decade. WAFs are different: they have continued to evolve in response to new threats, new deployment models, and a more demanding clientele’s need to solve more complicated problems. From SQL injection to cross-site scripting (XSS), from PCI compliance to DDoS protection, and from cross-site request forgeries (CSRF) to 0-day protection, WAFs have continued add capabilities to address emerging use cases. But WAF’s greatest evolution has taken place in areas undergoing heavy disruption, notably cloud computing and threat analytics.

Incite 3/30/2016: Rational People Disagree

Wed, 30 Mar 2016 00:00:00 +0000

It’s definitely a presidential election year here in the US. My Twitter and Facebook feeds are overwhelmed with links about what this politician said and who that one offended. We get to learn how a 70-year old politician got arrested in his 20s and why that matters now. You also get to understand that there are a lot of different perspectives, many of which make absolutely no sense to you. Confirmation bias kicks into high gear, because when you see something you don’t agree with, you instinctively ignore it, or have a million reasons why dead wrong. I know mine does.

Resilient Cloud Network Architectures: Design Patterns

Tue, 29 Mar 2016 00:00:00 +0000

We introduced resilient cloud networks in this series’ first post. We define them as networks using cloud-specific features to provide both stronger security and higher availability for your applications. This post will dig into two different design patterns, and show how cloud networking enables higher resilience.

Securing Hadoop: Security Recommendations for Hadoop [New Paper]

Tue, 29 Mar 2016 00:00:00 +0000

We are pleased to release our updated white paper on big data security: Securing Hadoop: Security Recommendations for Hadoop Environments. Just about everything has changed in the four years since we published the original. Hadoop has solidified its position as the dominant big data platform, by constantly advancing in function and scale. While the ability to customize a Hadoop cluster to suit diverse needs has been its main driver, the security advances make Hadoop viable for enterprises. Whether embedded directly into Hadoop or deployed as add-on modules, services like identity, encryption, log analysis, key management, cluster validation, and fine-grained authorization are all available. Our goal for this research paper is first to introduce these technologies to IT and security teams, and also to help them assemble these technologies into an coherent security strategy.

Resilient Cloud Network Architectures: Fundamentals

Fri, 25 Mar 2016 00:00:00 +0000

As much as we like to believe we have evolved as a species, people continue to be scared of things they don’t understand. Yes, many organizations have embraced the cloud whole hog and are rushing headlong into the cloud age. But it’s a big world, and millions of others remain paralyzed – not really understanding cloud computing, and taking the general approach that it can’t be secure because, well, it just can’t. Or it’s too new. Or some for other unfounded and incorrect reason. Kind of like when folks insisted that the Earth was the center of the universe.

Incite 3/23/2016: The Madness

Wed, 23 Mar 2016 00:00:00 +0000

I’m not sure why I do it, but every year I fill out brackets for the annual NCAA Men’s College basketball tournament. Over all the years I have been doing brackets, I won once. And it wasn’t a huge pool. It was a small pool in my office, when I used to work in an office, so the winnings probably didn’t even amount to a decent dinner at Fuddrucker’s. I won’t add up all my spending or compare against my winning, because I don’t need a PhD in Math to determine that I am way below the waterline.

Shadow Devices: The Exponentially Expanding Attack Surface [New Series]

Wed, 23 Mar 2016 00:00:00 +0000

One of the challenges of being security professionals for decades is that we actually remember the olden days. You remember, when Internet-connected devices were PCs; then we got fancy and started issuing laptops. That’s what was connected to our networks. If you recall, life was simpler then. But we don’t have much time for nostalgia. We are too busy getting a handle on the explosion of devices connected to our networks, accessing our data.

Summary: Who pays who?

Fri, 18 Mar 2016 00:00:00 +0000

Adrian here…

Apple buying space on Google’s cloud made news this week, as many people were surprised that Apple relies on others to provide cloud services, but they have been leveraging AWS and others for years. Our internal chat was alive with discussion about build vs. buy for different providers of cloud services. Perhaps a hundred or so companies have the scale to make a go at building from scratch at this point, and the odds of success for many of those are small. You need massive scale before the costs make it worth building your own. Especially the custom engineering required to get equivalent hardware margins. That leave a handful of firms who can make a go of this, and it’s still not always clear whether they should. Even Apple buys others’ services, and it usually makes good economic sense.

Building a Vendor IT Risk Management Program: Program Structure

Thu, 17 Mar 2016 00:00:00 +0000

As we started exploring when we began Building a Vendor IT Risk Management Program, modern integrated business processes have dramatically expanded the attack surface of pretty much every organization. You can no longer ignore the risk presented by vendors or other business partners, even without regulatory bodies pushing for formal risk management of vendors and third parties. As security program fanatics we figure it’s time to start documenting such a program.

Building a Vendor IT Risk Management Program: Understanding Vendor IT Risk

Tue, 15 Mar 2016 00:00:00 +0000

Outsourcing is nothing new. Industries have been embracing service providers for functions they either couldn’t or didn’t want to perform for years. This necessarily involved integrating business systems and providing these third-party vendors with access to corporate networks and computer systems. The risk was generally deemed manageable and rationalized by the business need for those integrated processes. Until it wasn’t.

Firestarter: The Rugged vs. SecDevOps Smackdown

Tue, 15 Mar 2016 00:00:00 +0000

After a short review of the RSA Security Conference, Rich, Mike, and Adrian debate the value of using labels like “Rugged DevOps” or “SecDevOps”. Rich sees them as different, Mike wonders if we really need them, and Adrian has been tracking their reception on the developer side of the house. Okay, it’s pathetic as smackdowns go, but you wouldn’t have read this far if we didn’t give it an interesting title.

SIEM Kung Fu: Getting Started and Sustaining Value

Thu, 10 Mar 2016 00:00:00 +0000

As we wrap up this series on SIEM Kung Fu, we have discussed SIEM Fundamentals and some advanced use cases to push your SIEM beyond its rather limited out-of-the-box capabilities. To make the technology more useful over time, you should revisit your SIEM operation process.

Incite 3/9/2016: Star Lord

Wed, 09 Mar 2016 00:00:00 +0000

Everything is a game nowadays. Not like Words with Friends (why yes, since you ask – I do enjoy getting my ass kicked by the women in my life) or even Madden Mobile (which the Boy plays constantly) – I’m talking about gamification. In our security world, the idea is that rank and file employees will actually pay attention to security stuff they don’t give a rat’s ass about… if you make it all into a game. So get departments to compete for who can do best in the phishing simulation. Or give a bounty to the team with the fewest device compromises due to surfing pr0n. Actually, though, it might be more fun to post the link that compromised the machine in the first place. The employee with the nastiest NSFW link would win. And get fired… But I digress.

SIEM Kung Fu: Advanced Use Cases

Tue, 08 Mar 2016 00:00:00 +0000

Given the advance of SIEM technology, the use cases described in the first post of our SIEM Kung Fu series are very achievable. But with the advent of more packaged attack kits leveraged by better organized (and funded) adversaries, and the insider threat, you need to go well beyond what comes out of the [SIEM] box, and what can be deployed during a one-week PoC, to detect real advanced attacks.

Incite 2/29/2016: Leap Day

Mon, 29 Feb 2016 00:00:00 +0000

Today is leap day, the last day of February in a leap year. That means the month of February has 29 days. It happens once every 4 years. I have one friend (who I know of) with a birthday on Leap Day. That must have been cool. You feel very special every four years. And you just jump on the Feb 28 bandwagon to celebrate your birthday in non-leap years. Win/win.

Presenting the RSA Conference Guide 2016

Thu, 25 Feb 2016 00:00:00 +0000

Apparently the RSA Conference folks failed to regain their senses after letting us have free reign last year to post our RSA Conference Guide to the conference blog. We changed the structure this year, and here is how we explained it in the introductory post of the Guide.

Summary: The Cloud Horizon

Thu, 25 Feb 2016 00:00:00 +0000

By Adrian

Two weeks ago Rich sketched out some changes to our Friday Summary, including how the content will change. But we haven’t spelled out our reasons. Our motivation is simple. In a decade, over half your systems will be in some cloud somewhere. The Summary will still be about security, but we’ll focus on security for cloud services, cloud applications, and how DevOps techniques intertwine with each. Rather than rehash on-premise security issues we have covered (ad nauseum) for 9 years, we believe it’s far more helpful to IT and security folks to discuss what is on the near horizon which they are not already familiar with. We can say with certainty that most of what you’ve learned about “the right way to do things” in security will be challenged by cloud deployments, so we are tuning the Summary to increase understanding the changes in store, and what to do about them. Trends, features, tools, and even some code. We know it’s not for everybody, but if you’re seriously interested, you can subscribe directly to the Friday Summary.

Building a Threat Intelligence Program: Gathering TI

Fri, 19 Feb 2016 00:00:00 +0000

[Note: We received some feedback on the series that prompted us to clarify what we meant by scale and context towards the end of the post. See? We do listen to feedback on the posts. - Mike]

Do We Have a Right to Security?

Fri, 19 Feb 2016 00:00:00 +0000

Don’t be distracted by the technical details. The model of phone, the method of encryption, the detailed description of the specific attack technique, and even feasibility are all irrelevant.

Summary: Law Enforcement and the Cloud

Fri, 19 Feb 2016 00:00:00 +0000

While the big story this week was the FBI vs. Apple, I’d like to highlight something a little more relevant to our focus on the cloud. You probably know about the DOJ vs. Microsoft. This is a critically important case where the US government wants to assert access on the foreign branch of a US company, putting it in conflict with local privacy laws. I highly recommend you take a look, and we will post updates here.

Firestarter: RSA Conference—the Good, Bad, and the Ugly

Wed, 17 Feb 2016 00:00:00 +0000

Every year we focus a lot on the RSA Conference. Love it or hate it, it is the biggest event in our industry. As we do every year, we break down some of the improvements and disappointments we expect to see. Plus, we spend a few minutes talking about some of the big changes coming here at Securosis. We cover a possibly-insulting keynote, the improvements in the sessions, and how we personally use the event to improve our knowledge.

Securing Hadoop: Technical Recommendations

Tue, 16 Feb 2016 00:00:00 +0000

Before we wrap up this series on securing Hadoop databases, I am happy to announce that Vormetric has asked to license this content, and Hortonworks is also evaluating a license as well. It’s community support that allows us to bring you this research free of charge. Also, I’ve received a couple email and twitter responses to the content; if you have more input to offer, now is the time to send it along to be evaluated with the rest of the feedback as we will assembled the final paper in the coming week. And with that, onto the recommendations.

Securing Hadoop: Enterprise Security For NoSQL

Mon, 15 Feb 2016 00:00:00 +0000

Hadoop is now enterprise software.

There, I said it. I know lots of readers in the IT space still look at Hadoop as an interloper, or worse, part of the rogue IT problem. But better than 50% of the enterprises we spoke with are running Hadoop somewhere within the organization. A small percentage are running Mongo, Cassandra or Riak in parallel with Hadoop, for specific projects. Discussions on what ‘big data’ is, if it is a viable technology, or even if open source can be considered ‘enterprise software’ are long past. What began as proof of concept projects have matured into critical application services. And with that change, IT teams are now tasked with getting a handle on Hadoop security, to which they response with questions like “How do I secure Hadoop?” and “How do I map existing data governance policies to NoSQL databases?”

The Summary is dead. Long live the Summary!

Fri, 12 Feb 2016 00:00:00 +0000

As part of our changes at Securosis this year, it’s time to say goodbye to the old Friday Summary, and hello to the new one. Adrian and I started the Summary way back before Mike joined the company, as our own version of his weekly Security Incite. Our objective was to review the highlights of the week, both our work and things we found on the Internet, typically with an introduction based on events in our personal lives.

Securing Hadoop: Operational Security Issues

Wed, 10 Feb 2016 00:00:00 +0000

Beyond the architectural security issues endemic to Hadoop and NoSQL platforms discussed in the last post, IT teams expect some common security processes and supporting tools familiar from other data management platforms. That includes “turning the dials” on configuration management, vulnerability assessment, and maintaining patch levels across a complex assembly of supporting modules. The day-to-day processes IT managers follow to ensure typical application platforms are properly configured have evolved over years – core platform capabilities, community contributions, and commercial third-party support to fill in gaps. Best practices, checklists, and validation tools to verify things like admin rights are sufficiently tight, and that nodes are patched against known and perhaps even unknown vulnerabilities. Hadoop security has come a long way in just a few years, but it still lacks the maturity in day to day operational security offerings, and it is here that we find most firms continue to struggle.

Summary: Die Blah, Die!!

Thu, 04 Feb 2016 00:00:00 +0000

Rich here.

I was a little burnt out when the start of this year rolled around. Not “security burnout” – just one of the regular downs that hit everyone in life from time to time. Some of it was due to our weird year with the company, a bunch of it was due to travel and impending deadlines, plus there was all the extra stress of trying to train for a marathon while injured (and working a ton).

Incite 2/3/2016: Courage

Wed, 03 Feb 2016 00:00:00 +0000

A few weeks ago I spoke about dealing with the inevitable changes of life and setting sail on the SS Uncertainty to whatever is next. It’s very easy to talk about changes and moving forward, but it’s actually pretty hard to do. When moving through a transformation, you not only have to accept the great unknown of the future, but you also need to grapple with what society expects you to do. We’ve all been programmed since a very early age to adhere to cultural norms or suffer the consequences. Those consequences may be minor, like having your friends and family think you’re an idiot. Or decisions could result in very major consequences, like being ostracized from your community, or even death in some areas of the world.

test

Wed, 03 Feb 2016 00:00:00 +0000

test

third test

Wed, 03 Feb 2016 00:00:00 +0000

third test using tomorrow’s date

test with taqs

Tue, 02 Feb 2016 00:00:00 +0000

test

Event-Driven AWS Security: A Practical Example

Mon, 01 Feb 2016 00:00:00 +0000

Would you like the ability to revert unapproved security group (firewall) changes in Amazon Web Services in 10 seconds, without external tools? That’s about 10-20 minutes faster than is typically possible with a SIEM or other external tools. If that got your attention, then read on…

Securing Hadoop: Architectural Security Issues

Mon, 01 Feb 2016 00:00:00 +0000

Now that we have sketched out the elements a Hadoop cluster, and what one looks like, let’s talk threats to the databases. We want to consider both the database infrastructure itself, as well as the data under management. Given the complexity of a Hadoop cluster, the task is closer to securing an entire data center than a typical relational database. All the features that provide flexibility, scalability, performance, and openness, create specific security challenges. The following are some specific threats to clustered databases.

Securing Hadoop: Architecture and Composition

Fri, 29 Jan 2016 00:00:00 +0000

Our goal for this post is to succinctly outline what Hadoop (and most NoSQL) clusters look like, how they are assembled, and how they are used. This provides better understanding of the security challenges, and what sort of protections need to be leveraged to secure them. Developers and data scientists continue to stretch system performance and scalability, using customized combinations of open source and commercial products, so there is really no such thing as a ‘standard’ Hadoop deployment. With these considerations in mind, it is time to map out threats to the cluster.

Securing Hadoop: Security Recommendations for NoSQL platforms [New Series]

Mon, 25 Jan 2016 00:00:00 +0000

It’s been three and a half years since we published our research paper on Securing Big Data. That research paper has been one of the more popular papers we’ve ever written. And it’s no wonder as NoSQL adoption was faster than we expected; we see hundreds of new projects popping up, leveraging the scale, analytics and low cost of these platforms. It’s not hyperbole to claim it has revolutionized the database market over the last 5 years, and community support behind these platforms – and especially Hadoop – is staggering.

Security is Changing. So is Securosis.

Mon, 25 Jan 2016 00:00:00 +0000

Last week Rich sent around Cockroaches Versus Unicorns: The Golden Age Of Cybersecurity Startups, by Mahendra Ramsinghani over at TechCrunch, for us to read. It isn’t an article every security professional needs to read, but it is certainly mandatory reading for anyone who makes buying decisions, tracks the security market, or is on the investment or startup side.

The EIGHTH Annual Disaster Recovery Breakfast: Clouds Ahead

Mon, 25 Jan 2016 00:00:00 +0000

Once again Securosis and friends are hosting our RSA Conference Disaster Recovery Breakfast. It’s really hard to believe this is the eighth year for this event. Regardless of San Francisco’s February weather, we expect to be seeing clouds all week. But we’re happy to help you cut through the fog to grab some grub, drinks, and bacon.

Incite 1/20/2016 — Ch-ch-ch-ch-changes

Wed, 20 Jan 2016 00:00:00 +0000

I have always gotten great meaning from music. I can point back to times in my life when certain songs totally resonate. Like when I was a geeky teen and Rush’s Signals spoke to me. I saw myself as the awkward kid in Subdivisions who had a hard time fitting in. Then I went through my Pink Floyd stage in college, where “The Wall” dredged up many emotions from a challenging childhood and the resulting distance I kept from people. Then Guns ‘n Roses spoke to me when I was partying and raging, and to this day I remain shocked I escaped largely unscathed (though my liver may not agree).

Summary: Impossible

Fri, 15 Jan 2016 00:00:00 +0000

Rich here.

When I hurt my knee running right before Thanksgiving everyone glanced at my brace and felt absolutely compelled to tell me how much “getting old sucks”. Hell, even my doctor commiserated as he discussed his recent soccer injury.

Incite 1/13/2016: Permitted

Wed, 13 Jan 2016 00:00:00 +0000

I’m not sure how it happened, but XX1 turned 15 in November and got her driver’s permit. Wait, what?!?! That little girl can now drive. Like, legally? WTF? Clearly it is now January, and I am still in shock that 15 years has passed by in the blink of an eye.

SIEM Kung Fu: Fundamentals [New Series]

Tue, 12 Jan 2016 00:00:00 +0000

Another SIEM blog series? Really? Why are we still talking about SIEM? Isn’t that old technology? Hasn’t it been subsumed by new and shiny security analytics products and services? Be honest – those thoughts crossed your mind, especially because we have published a lot of SIEM related research over the past few years. We previously worked through the basics of the technology and how to choose the right SIEM for your needs. A bit over a year ago we looked into how to monitor hybrid cloud environments.

Incite 1/6/2016 — Recharging

Wed, 06 Jan 2016 00:00:00 +0000

The last time I took 2 weeks off was probably 20 years ago. As I write that down, it makes me sad. I’ve been been running pretty hard for a long time. Even when I had some forced vacations (okay, when I got fired), I took maybe a couple days off before I started focusing on the next thing. Whether it was a new business or a job, I got consumed by what was next almost immediately. I didn’t give myself any time to recharge and heal from the road rash that accumulated from one crappy job after another.

Incite 12/15/2015: Looking Forward

Wed, 16 Dec 2015 00:00:00 +0000

In last week’s Incite I looked backwards at 2015. As we close out this year (this will be the last Incite in 2015), let me take a look forward at what’s in store for 2016.

Building a TI Program: Success and Sharing

Tue, 15 Dec 2015 00:00:00 +0000

To wrap up our series on Building a Threat Intelligence Program (Introduction; Gathering TI; Using TI), we need to jump back to the beginning for a bit. How do you define success of the program? More importantly, how can you kickstart the program with a fairly high-profile success to show the value of integrating external data into your defenses, and improve your security posture? That involves getting a quick win and then publicizing it.

Threat Detection Evolution [New Paper]

Mon, 14 Dec 2015 00:00:00 +0000

Most organizations have realized that threat prevention has limitations, so we have seen renewed focus on threat detection. But like most other security markets, the term threat detection has been distorted to cover almost everything. So we figure it’s time to clarify what threat detection is and how it is evolving to deal with advanced attacks, sophisticated adversaries, and limited resources.

Building Security Into DevOps [New Paper]

Thu, 10 Dec 2015 00:00:00 +0000

We are pleased to announce the launch of our latest research paper, on Building Security Into DevOps. We expect DevOps to fundamentally change the practice of software development over the next decade, and with it how we handle application security.

2015 Wrap Up and 2016 Non-Predictions

Wed, 09 Dec 2015 00:00:00 +0000

Rich, Mike, and Adrian highlight the big trends from the year and where our expectations were right and wrong. We teeter on the brink of predictions, but manage to pull ourselves back from falling into that chasm of idiocy. Mostly.

Incite 12/9/2015: Looking Backwards

Wed, 09 Dec 2015 00:00:00 +0000

As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort.

Summary: Surviving the Holidays

Thu, 03 Dec 2015 00:00:00 +0000

With the holidays upon us, and the weather in Phoenix at that optimal temperature of 50F warmer than wherever people come from, the migration has begun. The snowbirds are back in Phoenix. And all my relatives want to visit. All pretty much at the same time. As I write this I am recovering from 20 contiguous days of four different groups of friends and relatives staying at my home. Overlapping, I might add. And it was glorious – it was great to see each and every one of them – but I heaved a great sigh of relief when the last party got onto a plane and flew back home. I think I have baked, roasted, toasted, and barbecued every type of food I know how to cook. I’ve been a tour guide across the state – twice over – showing off every interesting place within a three-hour drive. Today’s summary is a toast to all of you who survived Thanksgiving – I am thankful for many things, and I am also thankful this holiday is only once a year.

Incite 12/2/2015: Grateful Habits

Wed, 02 Dec 2015 00:00:00 +0000

A week ago most folks in the US were in food comas from the Thanksgiving feast. Of course this is a great time of year to be grateful for what you have. Whether it’s family, health, work, or anything else. This morning I got a great reminder that expressing gratitude is a habit, which requires daily work – especially for security people.

Summary: Boy in the Bubble

Thu, 19 Nov 2015 00:00:00 +0000

I’m going to write a fairly innocuous opening to this week’s Friday Summary, despite the gravity of current events. Because some things are best dealt with… not now, and not here.

Cloud Security Best Practice: Limit Blast Radius with Multiple Accounts

Wed, 18 Nov 2015 00:00:00 +0000

This is one of those ideas that I’m pretty sure I picked up on while either at a presentation or working with a client, but I honestly can’t remember where I first heard it. That said, it’s become one of my absolutely essential cloud security recommendations for years now. It’s also a great example of using the cloud for security advantage, rather than getting hung up on the differences.

The Blame Game

Mon, 16 Nov 2015 00:00:00 +0000

Get hacked? Blame China. Miss a quarter? Blame China. Serve malware to everyone visiting your site? Don’t take responsibility, just blame your anti-ad-blocking vendor. Or China. Or both. Look, we really can’t keep track of these things, but in this episode Mike and Rich talk about the lack of accountability in our industry (and other industries). One warning… a particular analogy goes a little too far. Maybe we need the explicit tag on this one.

Critical Security Capabilities for Cloud Providers

Thu, 12 Nov 2015 00:00:00 +0000

Between teaching classes and working with clients, I spend a fair bit of time talking about particular cloud providers. The analyst in me never wants to be biased, but the reality is there are big differences in terms of capabilities, and some of them matter.

Summary: Refurbished

Thu, 12 Nov 2015 00:00:00 +0000

The grout in my shower isn’t merely cracking, it’s starting to flake out in chunks, backed by the mildew it spent years defending from my cleansing assaults. Our hallway walls downstairs are streaked like the protective concrete edges around a NASCAR track. Black, gray, and red marks left behind from hundreds of minor impacts with injection-molded plastic vehicles. The carpet in our family room, that little section between the sliding glass door to our patio and the kitchen, looks like it misses its cousins at the airport.

Massive, Very Bad Java 0-Day (and, Sigh, Oracle)

Wed, 11 Nov 2015 00:00:00 +0000

Last Friday my wife and I were out at a concert when, thanks to social media, I learned there is a major vulnerability in a common component of Java. I planned to write it up, but spent most of Monday dealing with a 6+ hour flight delay, and all day yesterday in a meeting. I’m glad I waited.

The Power of Immutable

Mon, 09 Nov 2015 00:00:00 +0000

I wrote up a post over at the RSA Conference blog this week introducing the idea of immutable infrastructure to security professionals. It is a concept that really highlights some of the massive security benefits when you combine cloud computing and DevOps principles. Here’s a snippet:

Summary: Distract and Deceive

Fri, 06 Nov 2015 00:00:00 +0000

Today I was sitting in my office, window open, enjoying the cold front that finally shoved the summer heat out of Phoenix. I had an ice pack on my leg because my achilles tendon has been a little twitchy as I go into the last 8 weeks of marathon training. My wife was going through the mail, walked in, and dropped a nice little form letter from the United States Office or Personnel Management onto my desk.

The Economist Hack: Good Intentions, Bad Execution

Fri, 06 Nov 2015 00:00:00 +0000

The Economist used a tool on their site to block collect stats and serve ads to visitors using ad blockers. I will avoid diving into the ad-blocking debate, but I will note that my quick check showed 16 ad trackers and beacons on the page. I don’t mind ads, but I do mind tracking.

CSA Guidance V4 Content on GitHub

Thu, 05 Nov 2015 00:00:00 +0000

A while back we announced that we were contracted by the Cloud Security Alliance to write the next version of the CSA Guidance. This is actually a community project, not us off writing by ourselves in a corner. The plan is to:

DevOpsed to Death

Wed, 04 Nov 2015 00:00:00 +0000

Alan Shimmel asks have we beat “What is DevOps” to death yet? Alan illustrates his point by using the more-than-beaten-to-death, we-wish-it-would-go-away-right-now of Chuck Norris meme. Those of us who have talked about DevOps for a while are certainly beginning to tire of explaining why it is more than automation. But Alan’s question is legit, and I have to say the answer is “No!” We are in the top of the second inning of a game that will be playing out for years.

Incite 11/4/2015: The Taper

Wed, 04 Nov 2015 00:00:00 +0000

As I mentioned, I’m running a half marathon for Team in Training to defeat blood cancers. I’ve raised a bunch of money and still appreciate any donations you can make. I’m very grateful to have made it through my training in one piece (mostly), and ready to go. The race is this coming Saturday and the final two weeks of training are referred to as the taper, when you recover from months of training and get ready to race.

Why I design for one cloud at a time

Wed, 04 Nov 2015 00:00:00 +0000

Putting all your eggs in one basket is always a little disconcerting. Anyone who works with risk is always wary of reducing options. So I am never surprised when clients ask about alternative cloud providers and try to design cloud-agnostic applications.

Million Dollar iOS Exploit? Maybe.

Tue, 03 Nov 2015 00:00:00 +0000

I wrote an article over at TidBITS today on the news that Zerodium paid $1M for an iOS exploit.

There are a few dynamics working in favor of us normal iOS users. While those that purchase the bug will have incentives to use it before Apple patches it, the odds are they will still restrict themselves to higher-value targets. The more something like this is used, the greater the chance of discovery. That also means there are reasonable odds that Apple can get their hands on the exploit, possibly through a partner company, or even by focusing their own internal security research efforts. And the same warped dynamics that allow a company like Zerodium to exist also pressure it to exercise a little caution. Selling to a criminal organization that profits via widespread crime is far noisier than selling quietly to government agencies out to use it for spying.

Get Your Marshmallows

Mon, 02 Nov 2015 00:00:00 +0000

Last week we learned that not only did Symantec mess up managing their root SSL certificates, but they also botched their audit so bad Google may remove them from Chrome and other products. This is just one example in a long history of security companies failing to practice what they preach. From poor code development practices to weak internal controls, the only new thing in this instance is the combination of getting caught, potential consequences, and a lack of wiggle room.

Summary: Edumacation

Thu, 29 Oct 2015 00:00:00 +0000

For those who skip the intro, the biggest security news this week was the passage of CISA, Oracle’s… interesting.. security claims, more discussion on encryption weirdness from the NSA, and security research getting a DMCA exemption. All these stories are linked down below.

The Economics of Cloud Security

Wed, 28 Oct 2015 00:00:00 +0000

I have talked a lot about this, but I don’t think I’ve ever posted it here on the blog.

I am consistently amused by people who fear moving to the cloud (and by people who take random potshots at the cloud) because they are worried about a lack of security.

Hybrid Clouds: An Ugly Reality

Mon, 26 Oct 2015 00:00:00 +0000

In my recent paper on cloud network security I came down pretty hard on hybrid networks. I have been saying similar things in many presentations, including my most recent RSA session. Enough that I got a request for clarification. Here is some additional detail I will add to the paper; feedback or criticism is appreciated.

How I got a CISSP and ended up nominated for the Board of Directors

Fri, 23 Oct 2015 00:00:00 +0000

About two years ago I was up in Toronto having dinner with James Arlen and Dave Lewis (@myrcurial and @gattaca). Since Dave was serving on the (ISC)2 Board of Directors, and James and I were not CISSPs, the conversation inevitably landed on our feelings as to the relative value of the organization and the certifications.

Chewie, We’re Home

Thu, 22 Oct 2015 00:00:00 +0000

Every week, we here at Securosis like to highlight the security industry’s most important news in our Friday Summary. Those events that not only made the press, but are likely to significantly impact your professional lives and, potentially, the well-being of the organization you work for.

Incite 10/21/2015: Appreciating the Classics

Wed, 21 Oct 2015 00:00:00 +0000

It has been a while since I’ve mentioned my gang of kids. XX1, XX2 and the Boy are alive and well, despite the best efforts of their Dad. All of them started new schools this year, with XX1 starting high school (holy crap!) and the twins starting middle school. So there has been a lot of adjustment. They are growing up and it’s great to see. It’s also fun because I can start to pollute them with the stuff that I find entertaining.

re:Invent Yourself (or else)

Tue, 20 Oct 2015 00:00:00 +0000

A bit over a week ago we were all out at Amazon’s big cloud conference, which is now up to 19,000 attendees. Once again it got us thinking as to how quickly the world is changing, and the impact it will have on our profession. Now that big companies are rapidly adopting public cloud (and they are), that change is going to hit even faster than ever before. In this episode the Securosis team lays out some of what that means, and how now is the time to get on board.

It’s a Developer’s World Now

Thu, 15 Oct 2015 00:00:00 +0000

Last week Mike, Adrian, and myself were out at the Amazon re:Invent conference. It’s the third year I’ve attended and it’s become one of the core events of the year for me; even more important than most of the security events. To put things in perspective, there were over 19,000 attendees and this is only the fourth year of the conference.

Building Security Into DevOps: The Role of Security in DevOps

Mon, 12 Oct 2015 00:00:00 +0000

In today’s post I am going to talk about the role of security folks in DevOps. A while back we provided a research paper on Putting Security Into Agile Development; the feedback we got was the most helpful part of that report was guiding security people on how best to work with development. How best to position security in a way to help development teams be more Agile was successful, so this portion of our research on DevOps we will strive to provide similar examples of the role of security in DevOps.

Building a Threat Intelligence Program: Using TI

Wed, 07 Oct 2015 00:00:00 +0000

As we dive back into the Threat Intelligence Program, we have summarized why a TI program is important and how to (gather intelligence. Now we need a programmatic approach for using TI to improve your security posture and accelerate your response & investigation functions.

Building Security Into DevOps: Tools and Testing in Detail

Tue, 06 Oct 2015 00:00:00 +0000

Thus far I’ve been making the claim that security can be woven into the very fabric of your DevOps framework; now it’s time to show exactly how. DevOps encourages testing at all phases in the process, and the earlier the better. From the developers desktop prior to check-in, to module testing, and against a full application stack, both pre and post deployment - it’s all available to you.

New Report: Pragmatic Security for Cloud and Hybrid Networks

Mon, 05 Oct 2015 00:00:00 +0000

This is one of those papers I’ve been wanting to write for a while. When I’m out working with clients, or teaching classes, we end up spending a ton of time on just how different networking is in the cloud, and how to manage it. On the surface we still see things like subnets and routing tables, but now everything is wired together in software, with layers of abstraction meant to look the same, but not really work the same.

Building Security Into DevOps: Security Integration Points

Sat, 03 Oct 2015 00:00:00 +0000

A couple housekeeping items before I begin today’s post - we’ve had a couple issues with the site so I apologize if you’ve tried to leave comments but could not. We think we have that fixed. Ping us if you have trouble.

Pragmatic Security for Cloud and Hybrid Networks: Design Patterns

Tue, 29 Sep 2015 00:00:00 +0000

This is the fourth post in a new series I’m posting for public feedback, licensed byAlgosec. Well, that is if they like it – we are sticking to our Totally Transparent Research policy. I’m also live-writing the content on GitHub if you want to provide any feedback or suggestions. Click here for the first post in the series, [here for post two](https://securosis.com/blog/pragmatic-security-for-cloud-and-hybrid-networks-cloud-networking-101, post 3, post 4.

Pragmatic Security for Cloud and Hybrid Networks: Building Your Cloud Network Security Program

Mon, 28 Sep 2015 00:00:00 +0000

Building Security Into DevOps: The Emergence of DevOps

Fri, 25 Sep 2015 00:00:00 +0000

In this post we will outline some of the key characteristics of DevOps. In fact, for those of you new to the concept, this is the most valuable post in this series. We believe that DevOps is one of the most disruptive trends to ever hit application development, and will be driving organizational changes for the next decade. But it’s equally disruptive for application security, and in a good way. It enables security testing, validation and monitoring to be interwoven with application development and deployment. To illustrate why we believe this is disruptive – both for application development and for application security, we are first going to delve into what Dev Ops is and talk about how it changes the entire development approach.

Incite 9/23/2015: Friday Night Lights

Thu, 24 Sep 2015 00:00:00 +0000

I didn’t get the whole idea of high school football. When I was in high school, I went to a grand total of zero point zero (0.0) games. It would have interfered with the Strat-o-Matic and D&D parties I did with my friends on Friday listening to Rush. Yeah, I’m not kidding about that.

Pragmatic Security for Cloud and Hybrid Networks: Network Security Controls

Thu, 24 Sep 2015 00:00:00 +0000

This is the second post in a new series I’m posting for public feedback, licensed byAlgosec. Well, that is if they like it – we are sticking to our Totally Transparent Research policy. I’m also live-writing the content on GitHub if you want to provide any feedback or suggestions. Click here for the first post in the series, and here for post two.

Pragmatic Security for Cloud and Hybrid Networks: Cloud Networking 101

Tue, 22 Sep 2015 00:00:00 +0000

Pragmatic Security for Cloud and Hybrid Networks: Introduction

Wed, 16 Sep 2015 00:00:00 +0000

This is the start in a new series I’m posting for public feedback, licensed byAlgosec. Well, that is if they like it – we are sticking to our Totally Transparent Research policy. I’m also live-writing the content on GitHub if you want to provide any feedback or suggestions. With that, here’s the content…

Building Security into DevOps [New Series]

Mon, 14 Sep 2015 00:00:00 +0000

I have been in and around software development my entire professional career. As a new engineer, as an architect, and later as the guy responsible for the whole show. And I have seen as many failed software deliveries – late, low quality, off-target, etc. – as successes. Human dysfunction and miscommunication seem to creep in everywhere, and Murphy’s Law is in full effect. Getting engineers to deliver code on time was just one dimension of the problem – the interaction between development and QA was another, and how they could both barely contain their contempt for IT was yet another. Low-quality software and badly managed deployments make productivity go backwards. Worse, repeat failures and lack of reliability create tension and distrust between all the groups in a company, to the point where they become rival factions. Groups of otherwise happy, well-educated, and well-paid people can squabble like a group of dysfunctional family members during a holiday get-together.

EMV Migration and the Changing Payments Landscape [New Paper]

Fri, 04 Sep 2015 00:00:00 +0000

With the upcoming EMV transition deadline for merchants fast approaching, we decided to take an in-depth look at what this migration is all about – and particularly whether it is really in merchants’ best interests to adopt EMV. We thought it would be a quick, straightforward set of conversations. We were wrong.

Incite 8/26/2015: Epic Weekend

Wed, 26 Aug 2015 00:00:00 +0000

Sometimes I have a weekend when I am just amazed. Amazed at the fun I had. Amazed at the connections I developed. And I’m aware enough to be overcome with gratitude for how fortunate I am. A few weekends ago I had one of those experiences. It was awesome.

Applied Threat Intelligence [New Paper]

Mon, 17 Aug 2015 00:00:00 +0000

Threat Intelligence remains one of the hottest areas in security. With its promise to help organizations take advantage of information sharing, early results have been encouraging. We have researched Threat Intelligence deeply; focusing on where to get TI and the differences between gathering data from networks, endpoints, and general Internet sources. But we come back to the fact that having data is not enough – not now and not in the future.

Friday Summary: Customer Service

Thu, 13 Aug 2015 00:00:00 +0000

Rich here.

A few things this week got me thinking about customer service. For whatever reason, I have always thought the best business decision is to put the needs of the customer first, then build your business model around that. I’m enough of a realist to know that isn’t always possible, but combine that with “don’t make it hard for people to give you money” and you sure tilt the odds in your favor.

Incite 8/12/2015: Transitions

Wed, 12 Aug 2015 00:00:00 +0000

The depths of summer heat in Atlanta can only mean one thing: the start of the school year. The first day of school is always the second Monday in August, so after a week of frenetic activity to get the kids ready, and a day’s diversion for some Six Flags roller coaster goodness, the kids started the next leg of their educational journey.

MAD Karma

Wed, 12 Aug 2015 00:00:00 +0000

Way back in 2004 Rich wrote an article over at Gartner on the serious issues plaguing Oracle product security. The original piece is long gone, but here is an article about it. It lead to a moderately serious political showdown, Rich flying out to meet with Oracle execs, and eventually their move to a quarterly patch update cycle (due more to the botched patch than Rich’s article). This week Oracle’s 25-year-veteran CISO Mary Ann Davidson published a blog post decrying customer security assessments of their products. Actually she threatened legal action for evaluation of Oracle products using tools that look at application code. Then she belittled security researchers (for crying wolf, not understanding what they are talking about, and wasting everybody’s time – especially her team’s), told everyone to trust Oracle because they find nearly all the bugs anyway (not that they seem to patch them in a timely fashion), and… you get it.

Incite 7/29/2015: Finding My Cause

Wed, 29 Jul 2015 00:00:00 +0000

When you have resources you are supposed to give back. That’s what they teach you as a kid, right? There are folks less fortunate than you, so you help them out. I learned those lessons. I dutifully gave to a variety of charities through the years. But I was never passionate about any cause. Not enough to get involved beyond writing a check.

EMV and the Changing Payment Space: Mobile Payment

Mon, 27 Jul 2015 00:00:00 +0000

As we close out this series on the EMV migration and changes in the payment industry, we are adding a section on mobile payments to clarify the big picture. Mobile usage is invalidating some long-held assumptions behind payment security, so we also offer tips to help merchants and issuing banks deal with the changing threat landscape.

EMV and the Changing Payment Space: Systemic Tokenization

Fri, 24 Jul 2015 00:00:00 +0000

This post covers why I think tokenization will radically change payment security.

EMV-compliant terminals offer several advantages over magnetic stripe readers – notably the abilities to communicate with mobile devices, validate chipped credit cards, and process payment requests with tokens rather than credit card numbers. Today’s post focuses on use of tokens in EMV-compliant payment systems. This is critically important, because when you read the EMV tokenization specification it becomes clear that its security model is to stop passing PAN around as much as possible, thereby limiting its exposure.

Building a Threat Intelligence Program [New Series]

Wed, 22 Jul 2015 00:00:00 +0000

Security practitioners have been falling behind their adversaries, who launch new attacks using new techniques daily. Furthermore, defenders remain hindered by the broken negative security model of looking for attacks they have never seen before (well done, compliance mandates), and so consistently missing these attacks. If your organization hasn’t seen the attack or updated your controls and monitors to look for these new patterns… oh, well.

EMV and the Changing Payment Space: The Liability Shift

Wed, 22 Jul 2015 00:00:00 +0000

So far we have discussed the EMV requirement, covered the players in the payment landscape, and considered merchant migration issues. It is time to get into the meat of this series. Our next two posts will discuss the liability shift in detail, and explain why it is not as straightforward as its marketing. Next I will talk about the EMV specification’s application of tokenization, and how it changes the payment security landscape.

EMV and the Changing Payment Space: Migration

Tue, 21 Jul 2015 00:00:00 +0000

Moving to EMV compliant terminals is not a plug-and-play endeavor. You can’t simply plug them in, turn them on and expect everything to work. Changes are needed to the software for supporting point-of-sale systems (cash registers). You will likely need to provision keys to devices; if you manage keys internally you will also need to make sure everything is safely stored in an HSM. There are often required changes to back-office software to sync up with the POS changes. IT staff typically need to be trained on the new equipment. Merchants who use payment processors or gateways that manage their terminals for them face less disruption, but it’s still a lot of work and rollouts can take months.

Summary: Community

Fri, 17 Jul 2015 00:00:00 +0000

Rich here.

I’m going to pull an Adrian this week, and cover a few unrelated things. Nope, no secret tie-in at the end, just some interesting things that have hit over the past couple weeks, since I wrote a Summary.

Living with the OPM Hack

Thu, 16 Jul 2015 00:00:00 +0000

And yep, thanks to his altruistic streak even Rich is affected. We don’t spend much time on blame or history, but more on the personal impact. How do you move on once you know much of your most personal information is now out there, you don’t know who has it, and you don’t know how they might want to use it?

Incite 7/15/15 — On Top of the Worlds

Wed, 15 Jul 2015 00:00:00 +0000

I discussed my love of exploring in the last Incite, and I have been fortunate to have time this summer to actually explore a bit. The first exploration was a family vacation to NYC. Well, kind of NYC. My Dad has a place on the Jersey shore, so we headed up there for a couple days and took day trips to New York City to do the tourist thing.

EMV and the Changing Payment Space: the Basics

Tue, 14 Jul 2015 00:00:00 +0000

This is the second post in our series on the “liability shift” proposed by EMVCo – the joint partnership of Visa, Mastercard, and Europay. Today we will cover the basics of what the shift is about, requirements for merchants, and what will happen to those who do not comply. But to help understand we will also go into a little detail about payment providers behind the scenes.

Threat Detection Evolution: Quick Wins

Tue, 14 Jul 2015 00:00:00 +0000

As we wrap up this series on Threat Detection Evolution, we’ll work through a quick scenario to illustrate how these concepts come together to impact on your ability to detect attacks. Let’s assume you work for a mid-sized super-regional retailer with 75 stores, 6 distribution centers, and an HQ. Your situation may be a bit different, especially if you work in a massive enterprise, but the general concepts are the same.

Incite 7/1/2015: Explorers

Wed, 01 Jul 2015 00:00:00 +0000

When I take a step back I see I am pretty lucky. I’ve seen a lot of very cool places. And experienced a lot of different cultures through my business travels. And now I’m at a point in life where I want to explore more. Not just do business hotels and see the sights from the front seat of a colleague’s car or taxi. I want to explore and see all the cool things this big world has to offer.

New Series: EMV, Tokenization, and the Changing Payment Space

Tue, 30 Jun 2015 00:00:00 +0000

October 1st, 2015, is the deadline for merchants to upgrade “Point of Sale” and “Point of Swipe” terminals to recommended EMV compliant systems. To quote Wikipedia, “EMV (Europay MasterCard Visa), is a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them.” These new terminals can validate an EMV specific chip in a customer’s credit card on swipe, or validate a secure element in a mobile device when it is scanned by a terminal. The press is calling this transition “The EMV Liability Shift” because merchants who do not adopt the new standard for payment terminals are being told that they – not banks – will be responsible for fraudulent transactions. There are many possible reasons for this push.

Threat Detection: Analysis

Mon, 29 Jun 2015 00:00:00 +0000

As discussed in our last post, evolved threat detection’s first step is gathering internal and external security data. Once you have the data aggregated you need to analyze it to look for indications that you have compromised devices and/or malicious activity within your organization.

Summary: I Am Now a Security Risk

Thu, 18 Jun 2015 00:00:00 +0000

Rich here,

Yep, it looks very likely my personal data is now in the hands of China, or someone pretending to be China, or someone who wants it to look like China. While I can’t go into details, as many of you know I’ve done things with the federal government related to my rescue work. It isn’t secret or anything, but I never feel comfortable talking specifics because it’s part-time and I’m not authorized to represent any agency.

Threat Detection Evolution: Data Collection

Thu, 18 Jun 2015 00:00:00 +0000

The first post in this series set the stage for the evolution of threat detection. Now that we’ve made the case for why detection must evolve, let’s work through the mechanics of what that actually means. It comes down to two functions: security data collection, and analytics of the collected data. First we’ll go through what data is helpful and where it should come from.

Incite 6/10/2015: Twenty Five

Thu, 11 Jun 2015 00:00:00 +0000

This past weekend I was at my college reunion. It’s been twenty five years since I graduated. TWENTY FIVE. It’s kind of stunning when you think about it. I joked after the last reunion in 2010 that the seniors then were in diapers when I was graduating. The parents of a lot of this year’s seniors hadn’t even met. Even scarier, I’m old enough to be their parent. It turns out a couple friends who I graduated with actually have kids in college now. Yeah, that’s disturbing.

My 2015 Personal Security Guiding Principles and the New Rand Report

Thu, 11 Jun 2015 00:00:00 +0000

In 2009, I published My Personal Security Guiding Principles. They hold up well, but my thinking has evolved over six years. Some due to personal maturing, and a lot due to massive changes in our industry.

Contribute to the Cloud Security Alliance Guidance: Community Drives, Securosis Writes

Wed, 10 Jun 2015 00:00:00 +0000

This week we start one of the cooler projects in the history of Securosis. The Cloud Security Alliance contracted Securosis to write the next version of the CSA Guidance.

Threat Detection Evolution: Why Evolve? [New Series]

Wed, 10 Jun 2015 00:00:00 +0000

As we discussed recently in Network-based Threat Detection, prevention isn’t good enough any more. Every day we see additional proof that adversaries cannot be reliably stopped. So we have started to see the long-awaited movement of focus and funding from prevention, to detection and investigation. That said, for years security practitioners have been trying to make sense of security data to shorten the window between compromise and detection – largely unsuccessfully.

Network Security Gateway Evolution [New Series]

Tue, 09 Jun 2015 00:00:00 +0000

(Note: We’re restarting this series over the next week, so we are reposting the intro to get things moving again. – Mike )

We Don’t Know Sh—. You Don’t Know Sh

Tue, 26 May 2015 00:00:00 +0000

Once again we have a major security story slumming in the headlines. This time it’s Hackers on a Plane, but without all that Samuel L goodness. But what’s the real story? It’s time to face the fact that the only people who know are the ones who aren’t talking, and everything you hear is most certainly wrong.

Summary: Ginger

Thu, 21 May 2015 00:00:00 +0000

Rich here.

As a redhead (what little is left) I have spent a large portion of my life answering questions about red hair. Sometimes it’s about pain tolerance/wound healing (yes, there are genetic differences), but most commonly I get asked if the attitude is genetic or environmental.

Incite 5/20/2015: Slow down [to speed up]

Wed, 20 May 2015 00:00:00 +0000

When things get very busy it’s hard to stay focused. There is so much flying at you, and so many things stacking up. Sometimes you just do the easy things because they are easy. You send the email, you put together the proposal, you provide feedback on the document. It can be done in 15 minutes, so you do it. Leaving the bigger stuff for later. At least I do.

Summary: DevOpsinator

Thu, 14 May 2015 00:00:00 +0000

It seems we messed up, and last week’s Summary never made it out of draft. So I doubled up and apologize for the spam, but since I already put in all the time, here you go…

Network-based Threat Detection: Operationalizing Detection

Wed, 13 May 2015 00:00:00 +0000

As we wrap up our Network-based Threat Detection series, we have already covered why prevention isn’t good enough and how to find indications that an attack is happening, based on what you see on the network. Our last post worked through adding context to collected data to allow some measure of prioritization for alerts. To finish things off we will discuss additional context and making alerts operationally useful.

Network-based Threat Detection: Prioritizing with Context

Mon, 11 May 2015 00:00:00 +0000

During speaking gigs we ask how many in the audience actually get through their to-do list every day. Usually we get one or two jokers in the crowd between jobs, or maybe just trying to troll us a bit. But nobody in a security operational role gets everything done every day. So the critical success factor is to make sure you are getting the right things done, and not burning time on activities that don’t reduce risk or contain attack damage.

Incite 5/6/2015: Just Be

Wed, 06 May 2015 00:00:00 +0000

I’m spent after the RSAC. By Friday I have been on for close to a week. It’s nonstop, from the break of dawn until the wee hours of the morning. But don’t feel too bad – it’s one of my favorite weeks of the year. I get to see my friends. I do a bunch of business. And I get a feel for how close our research is to reflecting the larger trends in the industry.

RSAC wrap-up. Same as it ever was.

Mon, 04 May 2015 00:00:00 +0000

The RSA conference is over and put up some massive numbers (for security). But what does it all mean? Can all those 450 vendors on the show floor possibly survive? Do any of them add value?

Network-based Threat Detection: Looking for Indicators

Wed, 29 Apr 2015 00:00:00 +0000

Now that RSAC is behind us, it’s time to get back to our research agenda. So we pick up Network-based Threat Detection where we left off. In that first post, we made the case that math and context are the keys to detecting attacks from network activity, given that we cannot totally prevent endpoint compromise. Attackers always leave a trail on the network.

RSA Conference Guide 2015 Deep Dives: Security Management

Thu, 23 Apr 2015 00:00:00 +0000

Last year Big Data was all the rage at the RSAC in terms of security monitoring and management. So the big theme this year will be…(drum roll, please)…Big Data. Yes, it’s more of the same, though we will see security big data called a bunch of different things—including insider threat detection, security analytics, situational awareness, and probably two or three more where we have no idea what they even mean.

RSA Conference Guide 2015 Deep Dives: Endpoint Security

Wed, 22 Apr 2015 00:00:00 +0000

What you’ll see at the RSAC in terms of endpoint security is really more of the same. Advanced attacks blah, mobile devices blah blah, AV-vendor hatred blah blah blah. Just a lot of blah… But we are still recovering from the advanced attacker hangover, which made painfully clear that existing approaches to preventing malware just don’t work. So a variety of alternatives have emerged to do it better. Check out our Advanced Endpoint and Server Protection paper to learn more about where the technology is going. None of these innovations has really hit the mainstream yet, so it looks like the status quo will prevail again in 2015. But the year of endpoint security disruption is coming—perhaps 2016 will be it…

RSA Conference Guide 2015 Deep Dives: Identity and Access Management

Wed, 22 Apr 2015 00:00:00 +0000

No Respect

Identity is one of the more difficult topics to cover in our yearly RSAC Guide, because identity issues and trends don’t grab headlines. Identity and Access Management vendors tend to be light-years ahead of most customers. You may be thinking “Passwords and Active Directory: What else do I need to know?” which is pretty typical. IAM responsibilities sit in a no-man’s land between security, development, and IT… and none of them wants ownership. Most big firms now have a CISO, CIO, and VP of Engineering, but when was the last time you heard of a VP of Identity? Director? No, we haven’t either. That means customers—and cloud providers, as we will discuss in a bit—are generally not cognizant of important advancements. But those identity systems are used by every employee and customer. Unfortunately, despite ongoing innovation, much of what gets attention is somewhat backwards.

RSA Conference Guide 2015 Deep Dives: Network Security

Tue, 21 Apr 2015 00:00:00 +0000

We had a little trouble coming up with a novel and pithy backdrop for what you will see in the Network Security space at RSAC 2015. We wonder if this year we will see the first IoT firewall, because hacking thermostats and refrigerators has made threat models go bonkers. The truth is that most customers are trying to figure out what to do with the new next-generation devices they already bought. We shouldn’t wonder why the new emperor looks a lot like the old emperor, when we dress our new ruler (NGFW) up in clothes (rules) that look so similar to our old-school port- and protocol-based rulesets.

RSA Conference Guide 2015 Deep Dives: Application Security

Mon, 20 Apr 2015 00:00:00 +0000

Coming Soon to an Application Near You: DevOps

For several years you have been hearing the wonders of Agile development, and how it has done wondrous things for software development companies. Agile development isn’t a product – it is a process change, a new way for developers to communicate and work together. It’s effective enough to attract almost every firm we speak with away from traditional waterfall development. Now there is another major change on the horizon, called DevOps. Like Agile it is mostly a process change. Unlike Agile it is more operationally focused, relying heavily on tools and automation for success. That means not just your developers will be Agile – your IT and security teams will be, too!

RSA Conference Guide 2015 Deep Dives: Data Security

Mon, 20 Apr 2015 00:00:00 +0000

Data security is the toughest coverage area to write up this year. It reminds us of those bad apocalypse films, where everyone runs around building DIY tanks and improvising explosives to “save the children,” before driving off to battle the undead hordes and—leaving the kids with a couple spoons, some dirt, and a can of corned beef hash.

RSA Conference Guide 2015 Deep Dives: Cloud Security

Sun, 19 Apr 2015 00:00:00 +0000

Before delving into the world of cloud security we’d like to remind you of a little basic physics. Today’s lesson is on velocity vs. acceleration. Velocity is how fast you are going, and acceleration is how fast velocity increases. They affect our perceptions differently. No one thinks much of driving at 60mph. Ride a motorcycle at 60mph, or plunge down a ski slope at 50mph (not that uncommon), and you get a thrill.

RSA Conference Guide 2015 Deep Dives: Overview

Sun, 19 Apr 2015 00:00:00 +0000

With lots of folks (including us) at the RSA Conference this week, we figured we’d post the deep dives we wrote for the RSAC Guide and give those of you not attending a taste of what your missing. Though we haven’t figured out how to relay the feel of the meat market at the W bar after 10 PM nor the ear deafening bass at any number of conference parties nor the sharp pain you feel in your gut after a night of being way too festive. Though we’re working on that for next year’s guide.

LAST CHANCE! Register for the Disaster Recovery Breakfast

Fri, 17 Apr 2015 00:00:00 +0000

Holy crap! The RSA Conference starts on Monday. Which means… you don’t have much time left to register for the 7th annual Disaster Recovery Breakfast.*

Presenting the 2015 RSA Conference Guide

Thu, 16 Apr 2015 00:00:00 +0000

As you’ve seen over the past week, we’ve been reposting our RSAC Guide here. That’s because the RSA Conference folks allowed us to post it on their blog first. Yes, they are nuts, but we aren’t going to complain.

Incite 4/15/2015: Boom

Wed, 15 Apr 2015 00:00:00 +0000

I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness.

RSAC Guide 2015: P.Compliance.90X

Fri, 10 Apr 2015 00:00:00 +0000

Compliance. It’s a principle driver for security spending, and vendors know this. That’s why each year compliance plays a major role in vendor messaging on the RSA show floor. A plethora of companies claiming to be “the leader in enterprise compliance products” all market the same basic message: “We protect you at all levels with a single, easy-to-use platform.” and “Our enterprise-class capabilities ensure complete data security and compliance.” Right.

RSAC Guide 2015: Go Pro or Go Home

Thu, 09 Apr 2015 00:00:00 +0000

In the United States there’s a clearly defined line between amateur and professional athletes. And in our wacky world of American sports we have drafts, statistics, hefty contracts, trophies, and rings to demonstrate an athlete’s success.

RSAC Guide 2015: IOWTF

Thu, 09 Apr 2015 00:00:00 +0000

Have you heard a vendor tell you about their old product, which now protects the Internet of Things? No, it isn’t a pull-up bar, it’s an Iron Bar Crossfit (TM) Dominator!

RSA Guide 2015: Get Bigger (Data) Now!!!

Wed, 08 Apr 2015 00:00:00 +0000

This year at RSA we will no doubt see the return of Big Data to the show floor. This comes along with all the muscle confusion that it generates – not unlike Crossfit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget.

RSAC Guide 2015: DevOpsX Games

Wed, 08 Apr 2015 00:00:00 +0000

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch).

RSAC Guide 2015: Key Theme: Security Bonk

Tue, 07 Apr 2015 00:00:00 +0000

The Security Bonk

For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our respective waistlines, than anything else. So we’re all too familiar with the concept of ‘bonking’: hitting the wall and capitulating. You may not give up, but you are just going through the motions.

RSA Guide 2015: Change

Mon, 06 Apr 2015 00:00:00 +0000

Every year we like to start the RSA Guide with review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise?

RSAC Guide 2015: Key Theme: Change

Mon, 06 Apr 2015 00:00:00 +0000

Friday Summary: April 3, 2013: Getting back in

Thu, 02 Apr 2015 00:00:00 +0000

Running. I started running when I was 9. I used to tag along to exercise class at the local community college with my mom, and they always finished the evening with a couple laps around the track. High school was track and cross country. College too. When my friends and I started to get really fast, there would be the occasional taunting of rent-a-cops, and much hilarity during the chase, usually ending in the pursuers crashing into a fence we had neatly hopped over. Through my work career, running was a staple, with fantastic benefits for both staying healthy and washing away workday stresses.

Incite 4/1/2015: Fooling Time

Wed, 01 Apr 2015 00:00:00 +0000

As we started recording the Firestarter Monday Rich announced the date. When he said “March 30”, it was kind of jarring. It’s March 30? How did that happen? Wasn’t it just yesterday we rang in the new year? I guess it was almost 90 yesterdays. Thankfully Rich cut me off as I went down the rabbit hole of wondering where the time went.

Firestarter: Using RSA

Tue, 31 Mar 2015 00:00:00 +0000

The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan.

New Paper! Endpoint Defense: Essential Practices

Mon, 30 Mar 2015 00:00:00 +0000

We’ve seen a renaissance of sorts regarding endpoint security. To be clear, most of solutions in the market aren’t good enough. Attackers don’t have to be advanced to make quick work of the endpoint protection suites in place. That realization has created a wave of innovation on the endpoint that promises to provide a better chance to prevent and detect attacks. But the reality is far too many organizations can’t even get the fundamentals of endpoint security.

Incite 3/25/2015: Playing it safe

Wed, 25 Mar 2015 00:00:00 +0000

A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable.

Network-based Threat Detection: Overcoming the Limitations of Prevention

Wed, 25 Mar 2015 00:00:00 +0000

Organizations continue to invest heavily to block advanced attacks , on both endpoints and networks. Despite all this investment devices continue to be compromised in increasing numbers, and high-profile breaches continue unabated. Something isn’t adding up. It comes down to psychology – security practitioners want to believe that the latest shiny geegaw for preventing compromise will finally work and stop the pain.

Endpoint Defense Essential Practices

Fri, 20 Mar 2015 00:00:00 +0000

The area of security has the most increased focus recently is protecting the endpoint. Once you stop snickering, it makes some sense. For years (or decades, depending on how cynical you want to be) endpoint security was the beneficiary of the compliance driver. Whether the technologies actually protected anything was beside the point. Assessors would show up, and you needed to have AV. Then advanced attackers happened and the industry started innovating, starting with network security, leaving the endpoint largely unprotected.

New! Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers, & Applications

Fri, 20 Mar 2015 00:00:00 +0000

Woo Hoo! It’s New Paper Friday!

Over the past month or so you have seen Adrian and myself put together our latest work on encryption. This one is a top-level overview designed to help people decide which approach should work best for datacenter projects (including servers, storage, applications, cloud infrastructure, and databases). Now we have pieced it together into a full paper.

Summary: Crunch Time

Thu, 19 Mar 2015 00:00:00 +0000

I’ve had one conversation about 8 times this week:

“Ready for RSA?”

“Not even close.”

“Yeah, figured it would be better since they pushed it out an extra month, but not so much.”

Incite 3/18/2015: Pause

Wed, 18 Mar 2015 00:00:00 +0000

It’s been over a month since I wrote an Incite. It’ is the longest period of downtime since I joined Securosis. I could talk about my workload, which is bonkers right now. But over the years I’ve written the Incite regardless of workload. I could talk about excessive travel, but I haven’t been traveling nearly as much as last year. I could come up with lots of excuses, but as I tell my kids all the time, “I’m not in the excuses business.”

Firestarter: Cyber Cash Cow

Mon, 16 Mar 2015 00:00:00 +0000

Last week we saw a security company hit the $2.4B valuation level. Yes, that’s a ‘B’, as in billion. This week we dig into the changing role of money and investment in our industry, and what it might mean. We like to pretend keeping our heads down and focusing on defense and tech is all that matters, but practically speaking we need to keep half an eye on the market around us. It not only affects the tools at our disposal, but influences the entire course of our profession.

Take Control of Security for Mac Users

Tue, 10 Mar 2015 00:00:00 +0000

I spend a lot of time on Apple security, more for personal reasons than anything else. They are the tools I use every day, and where I send most of my friends and family to manage their digital lives, so my investment runs deeper than anything financial. I have been the Security Editor over at TidBITS since about the time I founded Securosis, but I am not the only security expert over there. Joe Kissell has himself written books on the topic, and plenty of articles (mostly at TidBITS and Macworld).

Be Careful What You Wish For, It’s the SEVENTH Annual Disaster Recovery Breakfast

Mon, 09 Mar 2015 00:00:00 +0000

There seems to something missing for us Securosis folks now that it’s the beginning of March. After some reflection we realized it’s that dull ache in our livers from surviving yet another RSA Conference. The show organizers had to move the conference to April this year, to ensure a full takeover of San Francisco. Regardless of when the conference is, there is one thing you can definitely count on: the DRB!

SecDevOps Learning Lab at RSA

Mon, 09 Mar 2015 00:00:00 +0000

We were invited to run a two-hour learning lab on a topic of our choice this year at the RSA Conference. I suspect it will surprise… no one… that we chose Pragmatic SecDevOps as our topic.

Friday Summary: More Cowbell

Thu, 05 Mar 2015 00:00:00 +0000

Rich here.

Not to get too personal, but I had a dream about being back on ski patrol last night.

Firestarter: Cyber vs. Terror (yeah, we went there)

Mon, 02 Mar 2015 00:00:00 +0000

Last week the US Director of National Intelligence said cyberattacks are a greater risk than terrorism. This week we debate what that means, and whether terminology is getting so muddled that it becomes meaningless. Plus we rip into Rich’s post claiming security people need to stop thinking of themselves as warriors, and start thinking like spies.

Summary: You’re a Spy, not a Warrior

Thu, 26 Feb 2015 00:00:00 +0000

Rich here.

These days it is hard to swing a cyberstick without hearing a cybergasp of cyberstration at the inevitable cyberbuse of the word “cyber”.

Cracking the Confusion: Encryption Decision Tree

Wed, 25 Feb 2015 00:00:00 +0000

This is the final post in this series. If you want to track it through the entire editing process, you canfollow along and contribute on GitHub. You can read the first post, and find the other posts under “related posts” in full article view.

Ticker Symbol: Hack - Updated

Tue, 24 Feb 2015 00:00:00 +0000

There is a ticker symbol HACK that tracks a group of publicly traded “Cyber Security” firms. Given how hot everything ‘Cyber’ is, HACK may do just fine – who knows? But perhaps one for breached companies (BRCH?) would be better. For you security geeks out there who love to talk about the cost of breaches, let’s take a look at the stock prices of several big-named firms which have been breached:

Cracking the Confusion: Top Encryption Use Cases

Thu, 19 Feb 2015 00:00:00 +0000

This is the sixth post in a new series. If you want to track it through the entire editing process, you canfollow along and contribute on GitHub. You can read the first post and find the other posts under “related posts” in full article view.

Summary: Three Mini Gadget Reviews… and a Big Week for Security Fails

Thu, 19 Feb 2015 00:00:00 +0000

Rich here,

Before I get into the cold open for this week, the past few days have been pretty nasty for privacy, security, and the digital supply chain. I will have a post on that up soon, but you can skip to the Top News section to catch the main stories. They are essential reading this week, and we don’t say that often.

Cracking the Confusion: Additional Platform Features and Options

Wed, 18 Feb 2015 00:00:00 +0000

This is the fifth post in a new series. If you want to track it through the entire editing process, you canfollow along and contribute on GitHub. You can read the first post and find the other posts under “related posts” in full article view.

Cracking the Confusion: Key Management

Tue, 17 Feb 2015 00:00:00 +0000

This is the fourth post in a new series. If you want to track it through the entire editing process, you canfollow along and contribute on GitHub. You can read the first post and find the other posts under “related posts” in full article view.

Firestarter: Cyber!!!

Mon, 16 Feb 2015 00:00:00 +0000

Last week President Obama held a cybersecurity summit out in the Bay Area. He issued a new executive order and is standing up a new threat sharing center. This is in response to ongoing massive attacks such as the Anthem breach and (as we heard this weekend) hundreds of millions stolen in bank thefts. But what does it all mean to security pros and the industry? The truth is, not much in our day-to-day (yet), but you certainly had better pay attention.

Some days, I think we are screwed

Mon, 16 Feb 2015 00:00:00 +0000

I meant to write about this earlier and forgot. Last week I was listening to the Diane Rehm show on NPR while out for a long run (I am weird and prefer talk radio/podcasts on long workouts). The show was all about cybersecurity. To be honest, the panel was a bit weak (Ravi Pendse from Brown was decent).

Cracking the Confusion: Encryption Layers

Thu, 12 Feb 2015 00:00:00 +0000

Picture enterprise applications as a layer cake: applications sit on databases, databases on files, and files are mapped onto storage volumes. You can use encryption at each of these layers in your application stack: within the application, in the database, on files, or on storage volumes. Where you use an encryption engine dominates security and performance. Higher up the stack can offer more security, with higher complexity and performance cost.

Friday Summary: February 13, 2015

Thu, 12 Feb 2015 00:00:00 +0000

Welcome to the Friday the 13th edition of the Friday Summary! It has been a while since I wrote the summary so there is lots to cover …

Cracking the Confusion: Building an Encryption System

Wed, 11 Feb 2015 00:00:00 +0000

This is the second post in a new series. If you want to track it through the entire editing process, you canfollow along and contribute on GitHub. You can read the first post here

Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications

Wed, 11 Feb 2015 00:00:00 +0000

This is the first post in a new series. If you want to track it through the entire editing process, you canfollow it and contribute on GitHub.

Firestarter: It’s Not My Fault!

Mon, 09 Feb 2015 00:00:00 +0000

Rich, Mike, and Adrian each pick a trend they expect to hammer us in 2015. Then they talk about it, probably too much. From threat intel to tokenization to SaaS security.

Applied Threat Intelligence: Building a TI Program

Sun, 08 Feb 2015 00:00:00 +0000

As we wrap up our Applied Threat Intelligence series, we have already defined TI and worked our way through a number of the key use cases (security monitoring, incident response, and preventative controls) where TI can help improve your security program, processes, and posture. The last piece of the puzzle is building a repeatable process to collect, aggregate, and analyze the threat intelligence. This should include a number of different information sources, as well as various internal and external data analyses to provide context to clarify what the intel means to you.

Even if Anthem Had Encrypted, It Probably Wouldn’t Have Helped

Fri, 06 Feb 2015 00:00:00 +0000

Earlier today in the Friday Summary I vented frustrations at news articles blaming the victims of crimes, and often guessing at the facts. Having been on the inside of major incidents that made the international news (more physical than digital in my case), I know how little often leaks to the outside world.

Submit for the RSA Crowdsourced Track

Fri, 06 Feb 2015 00:00:00 +0000

Over the years the RSA Conference has racked up some (legitimate) criticism that its session selection process was too opaque, started too early for up-to-date content, and didn’t always reflect the community at large.

Summary: Analyze, Don’t Guess

Thu, 05 Feb 2015 00:00:00 +0000

Rich here,

Another week, another massive data breach.

This morning I woke up to a couple interview requests over this. I am always wary of speaking on incidents based on nothing more than press reports, so I try to make clear that all I can do is provide some analysis. Maybe I shouldn’t even do that, but I find I can often defuse hyperbole and inject context, even without speaking to the details of the incident.

Incite 2/4/2015: 30x32

Wed, 04 Feb 2015 00:00:00 +0000

It was a pretty typical day. I was settled into my seat at Starbucks writing something or other. Then I saw the AmEx notification pop up on my phone. $240.45, Ben Sherman, on the card I use for Securosis expenses. Huh? Who’s Ben Sherman? Pretty sure my bookie’s name isn’t Ben. So using my trusty Google fu I saw they are a highbrow mens clothier (nice stuff, BTW). But I didn’t buy anything from that store.

New Paper: Security and Privacy on the Encrypted Network

Wed, 04 Feb 2015 00:00:00 +0000

Our Security and Privacy on the Encrypted Network paper tackles setting security policies to ensure that data doesn’t leak out over encrypted tunnels, and that employees adhere to corporate acceptable use policies, by decrypting traffic as needed. It also addresses key use cases and strategies for decrypting network traffic, including security monitoring and forensics, to ensure you can properly alert on security events and investigate incidents. We include guidance on how to handle human resources and compliance issues because an increasing fraction of network traffic is encrypted.

Applied Threat Intelligence: Use Case #3, Preventative Controls

Tue, 03 Feb 2015 00:00:00 +0000

So far, as we have looked to apply threat intelligence to your security processes, we have focused on detection/security monitoring and investigation/incident response functions. Let’s jump backwards in the attack chain to take a look at how threat intelligence can be used in preventative controls within your environment.

Summary: Heads up

Thu, 29 Jan 2015 00:00:00 +0000

Rich here.

Last week I talked about learning to grind it out. Whether it’s a new race distance, or plowing through a paper or code that isn’t really flowing, sometimes you need to just put your head down, set a pace, and keep moving.

Incite 1/28/2015: Shedding Your Skin

Wed, 28 Jan 2015 00:00:00 +0000

You are constantly changing. We all are. You live, you learn, you adapt, you change. It seems that if you pay attention, every 7-9 years or so you realize you hardly recognize the person looking back at you from the mirror. Sometimes the changes are very positive. Other times a cycle is not as favorable. That’s part of the experience. Yet many people don’t think anything changes. They expect the same person year after year.

Applied Threat Intelligence: Use Case #2, Incident Response/Management

Tue, 27 Jan 2015 00:00:00 +0000

As we continue with our Applied Threat Intelligence series, let us now look at the next use case: incident response/management. Similar to the way threat intelligence helps with security monitoring, you can use TI to focus investigations on the devices most likely to be impacted, and help to identify adversaries and their tactics to streamline response.

Applied Threat Intelligence: Use Case #1, Security Monitoring

Mon, 26 Jan 2015 00:00:00 +0000

As we discussed in Defining TI, threat intelligence can help detect attacks earlier by benefiting from the misfortune of others and looking for attack patterns being used against higher profile targets. This is necessary because you simply cannot prevent everything. No way, no how. So you need to get better and faster at responding. The first step is improving detection to shorten the window between compromise and discovery of compromise.

Firestarter: 2015 Trends

Mon, 26 Jan 2015 00:00:00 +0000

Rich, Mike, and Adrian each pick a trend they expect to hammer us in 2015. Then we talk about it, probably too much. From threat intel to tokenization to SaaS security.

New Paper: Monitoring the Hybrid Cloud

Mon, 26 Jan 2015 00:00:00 +0000

We are pleased to announce the availability of our Monitoring the Hybrid Cloud: Evolving to the CloudSOC paper. As the megatrends of cloud computing and mobility continue to play out in technology infrastructure, your security monitoring approach must evolve to factor in the lack of both visibility and control over the infrastructure. But senior management isn’t in the excuses business so you still need to provide the same level of diligence in protecting critical data. This paper looks at why the cloud is different, emerging use cases for hybrid cloud security monitoring, and some architectural ideas with migration plans to get there.

Applied Threat Intelligence: Defining TI

Sun, 25 Jan 2015 00:00:00 +0000

As we looked back on our research output for the past 2 years it became clear that threat intelligence (TI) has been a topic of interest. We have written no less than 6 papers on this topic, and feel like we have only scratched the surface of how TI can impact your security program.

Summary: Grind on

Thu, 22 Jan 2015 00:00:00 +0000

Rich here.

Last weekend I ran a local half-marathon. It wasn’t my first, but I managed to cut 11 minutes off my time and set PRs (Personal Record for you couch potatoes) for both the half and a 10K. I didn’t really expect either result, especially since I was out of running for nearly a month due to a random foot injury (although I kept biking).

Incite 1/21/2015: Making the Habit

Wed, 21 Jan 2015 00:00:00 +0000

Over halfway through January (already!), how are those New Year’s resolutions going? Did you want to lose some weight? Maybe exercise a bit more? Maybe drink less, or is that just me? Or have some more fun? Whatever you wanted to do, how is that going?

Firestarter: Full Toddler

Mon, 19 Jan 2015 00:00:00 +0000

Yes, people, the disclosure debate is still alive and kicking. But now it is basically a pissing match between two of the largest tech companies. With Google setting rigid deadlines, and Microsoft stuck on their rigid schedule, who will win? Grab the popcorn as we talk about egos, internal inconsistencies, and why putting the user first is so damn hard.

New Paper: Security Best Practices for Amazon Web Services

Mon, 19 Jan 2015 00:00:00 +0000

I could probably write a book on AWS security at this point, except I don’t have the time, and most of you don’t have time to read it. So I wrote a concise paper on the key essentials to get you started – including the top four things to do in the first five minutes with a new AWS account.

test post, do not publish - Testing Tagging system

Mon, 19 Jan 2015 00:00:00 +0000

Testing tags

Summary: No Surprises

Thu, 15 Jan 2015 00:00:00 +0000

Rich here,

First a quick note. I will be giving a webcast onmanaging SaaS security later this month. I am about to start writing more on the Cloud Security Gateway market and new techniques for dealing with SaaS.

Incite 1/14/2015: Facing the Fear

Wed, 14 Jan 2015 00:00:00 +0000

Some folks just naturally push outside their comfort zones as a matter of course. I am one of them. Others only do things that are comfortable, which is fine if it works for them. I believe that while you are basically born with a certain risk tolerance, you can be taught to get comfortable with pushing past your comfort zone.

Your Risk Isn't My Risk (Apple Thunderbolt Edition)

Tue, 13 Jan 2015 00:00:00 +0000

Last Friday I wrote an article on the Thunderstrike proof of concept attack against Macs. I won’t spend any more time analyzing it but I think it’s valuable as an example of risk assessment.

Friday Summary: Favorite Films of 2014 (Redux)

Sun, 11 Jan 2015 00:00:00 +0000

Rich here. Something went wonky so most of the Summary didn’t load properly on Friday. So I am reposting with the lost content…

Incite 1/7/2014: Savoring the Moment

Wed, 07 Jan 2015 00:00:00 +0000

Early December is a big deal in our house. It’s Nutcracker time, with both girls working all fall to get ready for their dance company’s annual production of the Xmas classic. They do 5 performances over a weekend, and neither girl wants it to end. We have to manage the letdown once that weekend is over. It has been really awesome to see all of the dancers grow up, via the Nutcracker. They start as little munchies playing party boys and girls in the first scene, and those who stick with it become Dew Drop or possibly even the Sugarplum Fairy.

Security and Privacy on the Encrypted Network: Selection Criteria and Deployment

Thu, 18 Dec 2014 00:00:00 +0000

Our Use Cases post ran through setting policies for decryption, and specific use cases driving decryption of network traffic. We also brought up human resources and compliance considerations when building policies. But that doesn’t address the technical nuances of actually figuring out where to decrypt, or how to select and deploy the technology, so here we go. First let’s talk a bit about whether you need a standalone device.

Summary: That's a Wrap!

Thu, 18 Dec 2014 00:00:00 +0000

Rich here,

Holy crap, what a year!

I have been in the security business for a while now. I wouldn’t say I am necessarily jaded, but… yeah. Wow.

Security Best Practices for Amazon Web Services: Third Party Tools

Wed, 17 Dec 2014 00:00:00 +0000

This is our third post on AWS security best practices, to be compiled into a short paper. See alsoour first post, on defending the management plane and our second post, on using built-in AWS tools.

Firestarter: Predicting the Past

Tue, 16 Dec 2014 00:00:00 +0000

In our last Firestarter for this year, Mike, Adrian, and I take on some of the latest security predictions for 2015. Needless to say, we aren’t impressed. We do, however, close out with some trends we are seeing which are likely to play out next year, and are MOST DEFINITELY NOT PREDICTIONS.

Security Best Practices for Amazon Web Services: Built-In Features

Fri, 12 Dec 2014 00:00:00 +0000

This is our second post on AWS security best practices, to be compiled into a short paper.The first post on defending the management plane is here.

Security and Privacy on the Encrypted Network: Use Cases

Thu, 11 Dec 2014 00:00:00 +0000

In the first post of this series on Security and Privacy on the Encrypted Network, we argued that organizations need to encrypt more traffic. Unfortunately the inability to see and inspect encrypted traffic impairs the ability to enforce security controls/policies and meet compliance mandates. So let’s dig into how to strategically decrypt traffic in order to address a few key use cases – including enforcing security policies and monitoring for security and compliance. We also need to factor in the HR and privacy issues associated with decrypting traffic – you don’t want to end up on the wrong side of a worker council protesting your network security approach.

Summary: Nantucket

Thu, 11 Dec 2014 00:00:00 +0000

Rich here.

There once was a boy from Securosis.

Who had an enormous… to do list.

With papers to write…

Incite 12/10/2014: Troll off the old block

Wed, 10 Dec 2014 00:00:00 +0000

Every so often the kids do something that makes me smile. Evidently the Boss and I are doing something right and they are learning from our examples. I am constantly amused by the huge personality XX2 has, especially when performing. She’s the drama queen, but in a good way… most of the time.

3 Envelopes

Mon, 08 Dec 2014 00:00:00 +0000

I really enjoyed Thom Langford’s recent post Three Envelopes, One CISO, on the old parable about preparing three envelopes to defer blame for bad things – until you cannot shift it, when you take the bullet.

Monitoring the Hybrid Cloud: Migration Planning

Mon, 08 Dec 2014 00:00:00 +0000

We will wrap up this series with a migration path to monitoring the hybrid cloud. Whether you choose to monitor the cloud services you consume, or go all the way and create your own SOC in the cloud, these steps will get you there. Let’s dive in.

Security Best Practices for Amazon Web Services

Thu, 04 Dec 2014 00:00:00 +0000

This is a short series on where to start with AWS security. We plan to release it as a concise white paper soon. It doesn’t cover everything but is designed to kickstart and prioritize your cloud security program on Amazon. We do plan to write a much deeper paper next year, but we received several requests for something covering the fundamentals, so here you go…

Summary: 88 Seconds

Thu, 04 Dec 2014 00:00:00 +0000

Rich here.

I don’t remember actually seeing Star Wars in the movie theater. I was six years old in 1977, and while I cannot remember the feelings of walking along the sticky theater floor, finding a seat I probably had to kneel on to see the screen from, and watching as the lights dimmed and John Williams assaulted my ears, I do remember standing with my father outside. In a line that stretched around the building. My lone image of this transformative day is of waiting near the back doors, my father beside me, wondering just what the big deal was.

Incite 12/3/2014: Winding Down

Wed, 03 Dec 2014 00:00:00 +0000

As I sit in yet another hotel, banging out yet another Incite, overlooking yet another city that isn’t home, this is a good time to look back on 2014 because this is my last scheduled trip for this year. It has been an interesting year. At this point the highs this year feel higher, and the lows lower. There were periods when I felt sick from the whiplash of ups and downs. That’s how life is sometimes. Of course my mindfulness practice helps me handle the turbulence with grace, and likely without much external indication of the inner gyrations.

Monitoring the Hybrid Cloud: Technical Considerations

Mon, 01 Dec 2014 00:00:00 +0000

New platforms for hybrid cloud monitoring bring both new capabilities and new challenges. We have already discussed some differences between monitoring the different cloud models, and some of the different deployment options available. This post will dive into some technical considerations for these new hybrid platforms, highlighting potential benefits and issues for data security, privacy, scalability, security analytics, and data governance.

Monitoring the Hybrid Cloud: Solution Architectures

Tue, 25 Nov 2014 00:00:00 +0000

The good old days: Monitoring employees on company-owned PCs, accessing the company data center across corporate networks. You knew where everything was, and who was using it. And the company owned it all, so you could pretty much dictate where and how you performed security monitoring. With cloud and mobile? Not so much.

Firestarter: Numbness

Mon, 24 Nov 2014 00:00:00 +0000

SLmageddon V12. Polar Vortices. Ebola. APT123. We live in an era when every week it seems some massive new vulnerability, exploit, or attack is going to take down society. This week Rich, Mike, and Adrian tackle the endless progression of bad news; and how to maintain focus when everyone wants you to save the children.

Friday Summary: November 21, 2014

Fri, 21 Nov 2014 00:00:00 +0000

Thus ends the busiest four weeks I have had since joining Securosis. A few conferences – AWS Re:Invent was awesome – a few client on-site days, meeting with some end customers, and about a half dozen webcasts, have together left me gasping for air. We all need a little R&R here and the holidays are approaching, so Firestarters and blog posts will be a bit sporadic. Technically it is still Friday, so here goes today’s (slightly late) summary.

Securing Enterprise Applications [New White Paper]

Fri, 21 Nov 2014 00:00:00 +0000

Securing enterprise applications is hard work. These are complex platforms, with lots of features and interfaces, reliant on database support, and often deployed across multiple machines. They leverage both code provided by the vendor, as well as hundreds – if not thousands – of supporting code modules produced specifically for the customer’s needs. This make every environment a bit different, and acceptable application behavior unique to every company. This is problematic because during our research we found that most organizations rely on security tools which work on the network fringes, around applications. These tools cannot see inside an application to fully understand its configuration and feature set, nor do they understand application-layer communication. This approach is efficient because a generic tool can see a wide variety of threats, but misses subtle misuse and most serious misconfigurations.

Incite 11/12/2014: Focus

Wed, 12 Nov 2014 00:00:00 +0000

Interruption is death for a writer. At least it is for me. I need to get into a flow state, where I’m locked in and banging words out. With my travel schedule and the number of calls I make even when not traveling, finding enough space to get into flow has been challenging. Very challenging. And it gets frustrating. Very frustrating.

Ticker Symbol: HACK

Wed, 12 Nov 2014 00:00:00 +0000

I think the financial equivalent of jumping shark is Wall Street creating an ETF based on your theme.

If so, cybersecurity has arrived.

Building an Enterprise Application Security Program: Recommendations

Mon, 10 Nov 2014 00:00:00 +0000

Our goal for this series is not to cover the breadth and depth of an entire enterprise application security program – most of you have that covered already. Instead it is to identify the critical gaps at most firms and offer recommendations for how to close them. We have covered use cases and pointed out gaps; now it’s time to offer recommendations for how to address the deficiencies. You will notice many of the gaps noted in the previous section are byproducts of either a) attackers exposing soft spots in security; or b) innovation with the cloud, mobile, and analytics changing the boundaries of what is possible.

Changing Pricing (for the first time ever)

Mon, 10 Nov 2014 00:00:00 +0000

This is a corporate news post, so skip it if all you want is our usual snarky security analysis.

For the first time since starting Securosis we are increasing our prices. Yes, it has been over seven years without any change in pricing for our services. The new prices are only a modest bump, and also streamlined to remove the uncertainty of travel expenses on engagements. Call it ego, but we think we are a heck of a bargain.

Monitoring the Hybrid Cloud: Emerging SOC Use Cases

Mon, 10 Nov 2014 00:00:00 +0000

In the introduction to our series on Monitoring the Hybrid Cloud we went through all the disruptive forces which are increasingly complicating security monitoring. These include the accelerating move to cloud computing and expanding access via mobile devices. Those new models require much greater automation, and significantly less visibility and control over the physical layer of the technology stack. So you need to think about monitoring a bit differently.

Leveraging Threat Intelligence in Incident Response/Management [Final Paper]

Sun, 09 Nov 2014 00:00:00 +0000

We continue to investigate the practical use of Threat Intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, we now turn our attention to Incident Response and Management. In this paper we go deep into how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources, to help narrow down the scope of your investigations.

New Research Paper: Secure Agile Development

Fri, 07 Nov 2014 00:00:00 +0000

Security teams are tightly focused on bringing security to applications, and meeting compliance requirements in the delivery of applications and services. On the other hand job #1 for software developers is to deliver code faster and more efficiently, with security a distant second. Security professionals and developers often share responsibility for security, but finding the best way to embed security into the software development lifecycle (SDLC) is not an easy challenge.

Summary: Comic Book Guy

Thu, 06 Nov 2014 00:00:00 +0000

Rich here.

I only consistently read comic books for a relatively short period of my life. I always enjoyed them as a kid but didn’t really collect them until sometime around high school. Before that I didn’t have the money to buy them month to month. I kept up a little in college, but I probably had less free capital as a freshman than in elementary school. Gas money and cheap dates add up crazy fast.

Building an Enterprise Application Security Program: Security Gaps

Wed, 05 Nov 2014 00:00:00 +0000

This post will discuss the common security domains with enterprise applications, areas where generalized security tools lack the depth to address application and database specific issues, and some advice on how to fill in the gaps. But first I want to announce that Onapsis has asked to license the content of this research series. As always, we are pleased when people like what we write well enough to get behind our work, and encourage our Totally Transparent Research style. With that, on with today’s post!

Incite 11/5/2014: Be Like Water

Wed, 05 Nov 2014 00:00:00 +0000

You want it and you want it now. So do I. Whatever it is. We live in an age of instant gratification. You don’t need to wait for the mailman to deliver letters – you get them via email. If you can’t wait the 2 days for Amazon Prime shipping, you order it online and pick it up at one of the few remaining brick and mortar stores. Record stores? Ha! Book stores? Double ha!! We live in the download age. You want it, you buy it (or not), and you download it. You have it within seconds.

Monitoring the Hybrid Cloud: Evolving to the CloudSOC [New Series]

Mon, 03 Nov 2014 00:00:00 +0000

As we wrote in The Future of Security, we believe the collision of cloud computing and mobility will disrupt and transform security. We started documenting the initial stages of the transformation, so we now turn our attention to how controls will be implemented as the technology space moves to an automated and abstracted reality. That may sound like science fiction, but these technologies are here now, and it is only beginning to become apparent how automation and abstraction will ripple outward, transforming the technology environment.

Apple Security and Privacy Updates

Thu, 30 Oct 2014 00:00:00 +0000

I realize I have been slacking off posting here at Securosis, but thanks to a string of big event thingies, I thought I should link to a bunch of recent Apple security and privacy articles I posted over at TidBITS (mostly) and Macworld.

Building an Enterprise Application Security Program: Use Cases

Thu, 30 Oct 2014 00:00:00 +0000

This post will discuss security and compliance use cases for an enterprise application security program. The following are the main issues enterprises need to address with enterprise application management, in no particular order. None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps.

Friday Summary; October 31, 2014

Thu, 30 Oct 2014 00:00:00 +0000

I was at Intel’s Focus conference earlier this week. Intel basically held a McAfee coming-out party, and announced that the security practices of both firms will henceforth be run under the single umbrella of Intel Security. Not much to report on that, but I spoke to more customers at this event than at any other vendor event. And they were chatty, which is nice. But something is troubling me. Do you know what they did not mention as a problem? Mobile. Nope. The biggest surprise of the week was hearing security practitioners and CISOs talk about the threat of the IoT (Internet of Things), without even mentioning mobile. I am still surprised, because a) mobile is really here, b) security of mobile data is a problem on most devices, c) mobile app controls and spotty authentication are still an issue, and d) the market has yet to embrace a good model for control. IoT does not even feel real yet, but the security practitioners I heard speak are currently dealing with threats to Point of Sale terminals, medical devices, cars, and a whole bunch of devices we have used for a long time, but where the current generation includes sophisticated processors and Internet connectivity. Still, IoT is your biggest concern? Really?

Incite 10/29/2014: Short Memory

Wed, 29 Oct 2014 00:00:00 +0000

Sometimes a short memory is very helpful. Of course as you get older, it may not be a choice. But old guy issues aside, there are times you need to forget what just happened and move on to the next thing. Maybe it’s a deal you lost, or a project you couldn’t get funded, or a bungled response to an incident. If you live to fight another day then you need to learn, put it in the past, and move forward.

New Research Paper: Trends in Data Centric Security

Tue, 28 Oct 2014 00:00:00 +0000

The concept of Data Centric Security is not new, but its advantages are only now becoming clear. As customers embrace disruptive technologies – cloud, mobile, NoSQL – where the availability and effectiveness of security controls are in question, Data Centric Security is an approach to securing data regardless of where it is moved. DCS is a way to leverage these new technologies without compromising data security, integrity, or compliance.

Building an Enterprise Application Security Program [New Series]

Mon, 27 Oct 2014 00:00:00 +0000

Over the last couple months I have had many similar conversations on enterprise application security: customers identify gaps in their security program, are unaware of the availability of certain types of solutions, or simply don’t believe that certain solutions deliver their advertised value. But I expect issues when speaking to a company who wants to implement advanced security on a Hadoop database, where technology simply may not exist to deliver the security and performance required. It is altogether different when talking about SAP or Oracle financials. These are mature platforms, often in place for more than a decade, so you would expect every aspect to be covered. Surprisingly that is often not the case.

Firestarter: It’s All in the Cloud

Mon, 27 Oct 2014 00:00:00 +0000

Adrian is out, so Rich and Mike cover the latest Amazon Web Services news as their big re:Invent conference closes in. We start with the new Frankfurt datacenter, and how a court case involving Microsoft could kill off the future of all US-based cloud companies (it’s always the little things). Then we discuss directory services in the cloud, and how this indicates increasing cloud adoption and maturity at a pace we really haven’t ever seen before.

Old School (Computer)

Sun, 26 Oct 2014 00:00:00 +0000

Lots of folks talk lovingly about their first computers. Mine was a Timex Sinclair I ran through my 10” black-and-white TV. But that wasn’t the first computer I played with. My Dad was pretty early into the word processing world as part of his law practice. So when we went to the computer show down in NYC and checked out all the new wares, I was like a kid in a candy store.

Summary: Roamin’

Thu, 23 Oct 2014 00:00:00 +0000

Rich here.

Last night I arrived home around 11pm from the totally awesome SecTor conference in Toronto. It took about 11 hours to wend my way home through the air system, which has a certain beauty.

Incite 10/21/2014: Running Man

Wed, 22 Oct 2014 00:00:00 +0000

There were always reasons I wasn’t a runner. I was too big and carried too much weight. I was prone to knee pain. I never had good endurance. I remember the struggle when I had to run 3 miles as a pledge back in college. I finished, but I was probably 10 minutes behind everyone else. Running just wasn’t for me. So I focused on other methods of exercise. I lifted weights until my joints let me know that wasn’t a very good idea. Then I spent a couple years doing too many 12-ounce curls and eating too many burritos. For the past few years I have been doing yoga and some other body weight training.

Hindsight is 20/20

Sun, 19 Oct 2014 00:00:00 +0000

It won’t happen to you, right? After every breach you see all sorts of former employees and others crawl out from under their various rocks to talk about how screwed-up their former employer was. And how the breach was inevitable. It is a bit comical at this point. The latest example is a bunch of former Home Depot employees talking about their old shop.

An Example of Gratitude

Wed, 15 Oct 2014 00:00:00 +0000

This is off topic, but this post from Daniel Miessler is a great example of how I want to reorient my world view.

Friday Summary: October 17, 2014

Wed, 15 Oct 2014 00:00:00 +0000

Ever tried to count to a billion? Don’t bother. The average human lifespan is about 2.5 billion seconds, so you’d waste half your life trying. But that may help put into perspective Databrick’s latest announcement that they were able to sort 10 trillion records in four hours with the Spark platform. That’s three times faster than the previous record, with one-tenth the number of server nodes. Or perhaps you noticed that Amazon added full JSON support to DynamoDB, so you can easily inject JSON directly into the cluster. Or maybe you saw that Data Torrent now supports analytics on the incoming data stream. Or perhaps you were pleased to see ParStream’s distributed approach specifically geared to the Internet of Things.

Incite 10/15/2014: Competing

Wed, 15 Oct 2014 00:00:00 +0000

A few years ago I had to stop competing. The constant need to win – whatever that even meant – was making me unhappy. Even when things were going well, I found some reason to feel like a loser. So I got off the hamster wheel and put myself in positions where I wasn’t really competing against others. I am always trying to improve, but I stopped doing that in terms of others. Set a goal. Work toward it. Adjust as needed.

Summary: Physicality

Thu, 09 Oct 2014 00:00:00 +0000

Writing is an oddly physical act.

Technically you are just sitting there, clanking away on the keyboard, while your bottom loses circulation and gets sore. (Maybe I need a new chair.) But keeping your brain running at the right tempo for effective writing involves a complicated dance of nutrition, sleep, physical movement, and environmental management.

The New Agile: Deployment Pipelines and DevOps

Tue, 07 Oct 2014 00:00:00 +0000

Our last post reviewed key tools to conduct security tests in the development process, and before that we discussed big picture process adjustments to accommodate security testing, but didn’t fully how to integrate. Agile itself is in the middle of a major disruptive evolution, transforming into a new variant called DevOps, bringing significant long-term implications which are beneficial to security. The evolution of development security and Agile are closely tied together, so we can start by specifying how to integrate into the deployment pipeline, then discuss the implications of DevOps.

Firestarter: Hulk bash

Mon, 06 Oct 2014 00:00:00 +0000

Mike, Adrian, and I start off a little rough around the edges, but eventually get to the point. Travel is taking its toll so we won’t be able to keep our usual weekly schedule, but we will stay as close as possible – until I run off to Amsterdam for a week, for Black Hat Europe. We catch up on the inane for a few minutes, before jumping into a discussion of the bash vulnerability and disclosure debacle. We agree it is often valuable to analyze an event after the initial shock waves (See what I did there? Shellshock? Shock waves?). Today we focus on the deeper implications and how the heck a disclosure could be so bungled. Plus a little advice on where to focus your patching efforts.

Friday Summary: October 3, 2014 cute puppy edition

Thu, 02 Oct 2014 00:00:00 +0000

I was going to write more this week on Apple Pay security and it use of tokenization because more details have come out, but I won’t bother because TUAW beat me to it. They did a good job explaining how tokenization is used by Apple, and went on to discuss one of the facets I have been trying to get details on: the CCV/CVV code. Apple is dynamically generating a new CVV for each transaction, which can be verified by the payment processor to ensure it is coming from an authorized device. In a nutshell: fingerprint scan to verify the user is present, a token that represents the card/device combination, and a unique CVV to verify the device in use. That is not just beyond magstripes – it is better than EMV-style smart cards. No wonder the banks were happy to work with Apple. Tip of the cap to Yoni Heisler for a well-written article.

Incite 10/1/2014: Stranger in my own town

Wed, 01 Oct 2014 00:00:00 +0000

I had a bit of a surreal experience earlier this week. Rich probably alluded to it a few times on the Twitter, but we are all as busy as we have been since we started the new Securosis 5 years ago. I m traveling like a mad man and it’s getting hard to squeeze in important meetings with long-time clients. But you do what you need to – we built this business on relationships, and that means we pay attention to the ones that matter.

Security and Privacy on the Encrypted Network: The Future is Encrypted

Mon, 29 Sep 2014 00:00:00 +0000

The cloud and mobility are disrupting how IT builds and delivers value to the organization. Whether you are moving computing workloads to the cloud with your data now on a network outside your corporate perimeter, or an increasingly large portion of your employees are now accessing data outside of your corporate network, you no longer have control over networks or devices. Security teams need to adapt their security models to protect data. For details see our recent Future of Security research.

Friday Summary: September 26, 2014

Thu, 25 Sep 2014 00:00:00 +0000

I have a great job. The combination of extended coverage areas, coupled with business to tech, and everything in between, makes it so. In this week alone I have talked to customers about Agile development and process adjustments, technical details of how to deploy masking for Hadoop, how to choose between two SIEM vendors, and talked to a couple vendors about Oracle and SAP security. The breadth of stuff I am exposed to is awesome. People often ask me if I want to go back to being a CTO or offer me VP of Engineering positions, but I cannot imagine going back to just focusing on one platform. I don’t get my hands as dirty, but in some ways it is far more difficult to learn nuances of half a dozen competitive product areas than jus one. And what a great time to be neck deep in security … so long as I don’t drown in data.

Why Amazon is Rebooting Your Instances (Updated)

Thu, 25 Sep 2014 00:00:00 +0000

Update:Amazon published some details. Less than 10% of AWS systems are affected, and the vulnerability will be disclosed October 1st. As suspected this is about Xen – not the bash vulnerability.

Why the bash vulnerability is such a big deal (updated)

Thu, 25 Sep 2014 00:00:00 +0000

Updated: I made a mistake and gave Akamai credit. Stephane doesn’t work for them – I misread the post. Fixed.

Hindsight FTW

Tue, 23 Sep 2014 00:00:00 +0000

[soapbox]

Within a week or two after every high profile data breach, we get naysayers and Tuesday Morning Quarterbacks playing the “If they only did X …” game. You know – the game where they are always right in hindsight. I am a bit surprised Pescatore jumped on that bandwagon in Simple Math: It Always Costs Less to Avoid a Breach Than to Suffer One, but he did.

Secure Agile Development: Building a Security Tool Chain

Mon, 22 Sep 2014 00:00:00 +0000

Now that we have laid out the Agile process it’s time to discuss where different types of security testing fits within it. Your challenge is not just to figure out what testing you need to identify code issues, but also to smoothly fit tests into the framework to help speed testing. You will incorporate multiple testing techniques into the the process, with each tool or technique focused on finding slightly different issues. Developers are clever, so development teams find ways to circumvent security testing if it interferes with efficient coding. And you will need to accept that some tests simply cannot be performed in certain parts of the process, while others can be incorporated in multiple places. To help you evaluate both which tools to consider and how to incorporate them, we offer several recommendations for designing a security “tool chain”.

Summary: Run Free

Thu, 18 Sep 2014 00:00:00 +0000

Last night I spent four hours without my iPhone. Four conscious hours, to be specific. It was wonderful.

I realize that may sound strange, but I bet the majority of you reading this nearly always have a phone within hearing range, if not actively grasped in your hand or stuffed in a pocket where you obsessively check it every now and then, when the slightest breeze triggers the vibration nerves in your upper thigh.

Incite 9/17/2014: Break the Cycle

Wed, 17 Sep 2014 00:00:00 +0000

The NFL has had a tough week. The Ray Rice stuff I mentioned last week. And uber-running-back Adrian Peterson deactivated on Sunday, due to a child abuse indictment. The stories are terrible, especially given that NFL players are explosive athletes and trained in violence. No kid or spouse has a chance in the face of an angry NFL player. And no, I’m not going to anywhere near Floyd Mayweather on this topic.

Secure Agile Development: Process Adjustments

Wed, 17 Sep 2014 00:00:00 +0000

This is the fourth installment of our Secure Agile Development research. Today’s post discusses one of the toughest parts of bringing security into an Agile program; process modification. The common waterfall development process has cleanly delineated phases, each of which provides an opportunity for security integration, and each security activity must be completed before moving on to the next phase. Agile includes whatever work gets done in the sprint – it does not bend to security so you need to bend security to fit Agile.

Firestarter: Apple Pay

Tue, 16 Sep 2014 00:00:00 +0000

After a short break, the boys are back and here to talk about Apple. No, not the new wrist-mounted toy, but the first mobile payment system you might actually use. Or so says Rich’s Macworld editor, based on his article title.

Fix Something

Mon, 15 Sep 2014 00:00:00 +0000

Once again Wendy kills it with How to Help, saying things many of us probably think. Daily. It can get frustrating when all you hear is one person after another bitching about what’s wrong with security. And as she correctly points out, there are tools aplenty to tell you exactly how much work you have to do. But that doesn’t really help.

New Paper! The Security Pro’s Guide to Cloud File Storage and Collaboration

Fri, 12 Sep 2014 00:00:00 +0000

You read the series, now it’s time to download the collected works.

Okay, maybe you read the series of blog posts. And by “collected works” I mean “white paper”, but you get the idea.

Friday Summary: September 12, 2014

Thu, 11 Sep 2014 00:00:00 +0000

One day will be a business school case study how NFC went from handset (started with Nokia) to telcos to banks (HCE) and then to platforms

Secure Agile Development: Working with Development

Thu, 11 Sep 2014 00:00:00 +0000

In the next couple posts we will break down our advice for adding security into Agile development. We will do this by considering the involved people, necessary processes, and technical integrations. Today’s post focuses on helping security professionals, first by outlining how Agile development works, and then by providing recommendation for how to work with development teams.

Incite 9/10/2014: Smile and Breathe

Wed, 10 Sep 2014 00:00:00 +0000

Last week I mentioned how excited I was for the NFL season to be starting. I took the Boy to the Falcons’ home opener and it was awesome. It was a great game, and coming away with a victory in overtime was icing on the cake. As predicted, my voice was a bit rough on Monday from screaming all day Sunday, but it was worth it. I don’t think my son will ever forget that game, and neither will I.

Secure Agile Development: Agile and Agile Trends

Wed, 10 Sep 2014 00:00:00 +0000

If you are a developer reading this series, you probably have a feel for what Agile development means. For those of you who don’t live it every day, or have read the exceedingly poor Wikipedia page on Agile software development, you are probably wondering what this is all about.

Secure Agile Development: New Series

Mon, 08 Sep 2014 00:00:00 +0000

Back in 2009 Rich and I wrote a series on Building a Web Application Security program. That monstrous research paper discussed the new security challenges of building web applications, outlining how to incorporate security testing for specific types of web development programs. That research remains relevant today but issues of how to incorporate security into software development organizations – and most acutely into Agile development – remains a constant problem for clients. Knowing what tool to use and where does not address the fundamental issues of culture, goals, and process that make secure code development such a challenge. We have discussed many of the pitfalls of integrating security into Agile processes in the past, but never gone so far as to help security practitioners and CISOs learn to work with development teams. And that is about to change.

Feeding at the Data Breach Trough

Thu, 04 Sep 2014 00:00:00 +0000

They say when industries go nutty with consolidation and high-dollar M&A deals, the only folks who really make money are the bankers and the lawyers. Shareholders end up holding the bag, but these folks have moved on to the next deal.

Summary: Seven Year Scratch

Thu, 04 Sep 2014 00:00:00 +0000

Sometimes life sneaks up on you.

Often when I am introduced to new clients and professional contacts, it is as “Analyst and CEO of Securosis; he used to be at Gartner”. I am fully cognizant of the fact that not only is Gartner where I started my analyst career, but also that my time and title there are the reason I was able to start Securosis. Not only did I learn how to be an analyst, but the Gartner name (as much as it pains some people) still carries a lot of weight. Leaving as a VP carries even more (a gift from my former boss, who knew he could never get my pay where it needed to be).

Incite 9/3/2014: Potential

Wed, 03 Sep 2014 00:00:00 +0000

It starts with a blank slate. Not entirely blank because some stuff has happened over the past few months, which offers hints to where things will go. But you largely ignore that data because you want to believe. Maybe this time will be different. Or maybe it will be the same. All you can see is potential. Yet soon enough the delusions of grandeur will be shown to be exactly that – delusions.

PR Fiascos for Dummies

Tue, 02 Sep 2014 00:00:00 +0000

If you are the head of communications for a big company and one of your executives goes off-script and says something … ill advised … and puts the foot in the mouth, what can you do? You curse the gods for putting you in that job and you long for the days when someone else was in the hot seat, when you have to go into damage control.

Friday Summary: August 29, 2014

Thu, 28 Aug 2014 00:00:00 +0000

As you are likely out of the office much of today, preparing for a long weekend, I will keep this week’s summary short and to the point. Another three-star set of nits to pick.

Respect the Hierarchy

Thu, 28 Aug 2014 00:00:00 +0000

Wendy (again) states things that we should already know in such an easy to understand way, that you smack yourself upside the head and wonder why you didn’t think of it. Her post on the 451 blog about The hierarchy of IT needs makes very very clear why you continue to have problems making the case for security in your organization.

Incite 8/27/2014: It takes a village

Wed, 27 Aug 2014 00:00:00 +0000

The first couple weeks when the kids are back in school can be a little rough. We don’t have the routine down so there is some inevitable confusion and miscommunication. There are just so many details. Who is picking up which kid, from where? We drive that carpool which night? What is the address of the 3rd kid to grab for LAX practice? You know, that kind of thing.

Shipping Decent Breach Notification

Mon, 25 Aug 2014 00:00:00 +0000

Many folks have strong opinions about the right way to perform breach notification. More to the point, many folks think they know what not to do. But that’s okay – the great thing about opinions is that everyone gets their own. Recently the UPS Store, a franchised chain of shipping stores, reported a breach.

Friday Summary: STEM

Thu, 21 Aug 2014 00:00:00 +0000

A few days after returning from DEF CON my family experienced an inevitable life-changing event you cannot really prepare for.

Incite 8/20/2014: Better get a Bucket

Wed, 20 Aug 2014 00:00:00 +0000

So I am finally home for a few weeks, coinciding with the kids starting school. As usual I grab my messenger bag first thing in the am and head out on my nomadic journey. With about 10 local Starbucks with Google WiFi, I am typically in one of those. I get faster Internet at Starbucks than I do at home (57mbps down FTW). It does make me a little more predictable, so that’s a bit alarming. But I’ll trade 50mb downloads for the anemic DSL speeds of AT&T WiFi every day of the week.

APT hits the ER

Tue, 19 Aug 2014 00:00:00 +0000

Everyone wants to be special. When I’m chatting with a company that doesn’t fit the typical profile for a state-sponsored attacker target, sometimes they seem disappointed. I certainly don’t mean to hurt their self-esteem, but the reality is that most businesses just don’t have anything of interest to a nation state.

CISO’s Head Asplode

Mon, 18 Aug 2014 00:00:00 +0000

Just in case you felt it was only you as the CISO who had an overwhelming amount of stuff to do, it’s not. This mind map on the Security Advisor Alliance site should bring that message home.

Firestarter: You Can’t Handle the Gartner

Mon, 18 Aug 2014 00:00:00 +0000

After our little Black Hat and DEF CON induced hiatus, the boys are back to talk about the latest vendor suing Gartner. Yes, there is a Gartner Tax. No, it isn’t what you think. No, there is no pay for play. Yes, there are better ways to handle this. Yes, end users love Magic Quadrants no matter how much you trash talk them. And yeah, somehow we know a bit about how all this works from all sides.

21st Century Shakedown

Fri, 15 Aug 2014 00:00:00 +0000

Over the past year or so we have done a bunch of research into denial of service attacks, at both the application and network levels. Tactics are one thing, but we usually start with adversary analysis. You know: who wants to pop your environment and steal your stuff. Or maybe just knock you down so you can’t get up.

Friday Summary: August 15, 2014

Thu, 14 Aug 2014 00:00:00 +0000

Oddly enough my big takeaway from the Black Hat security conference was not about security – it was about innovation. It seems many of the disruptive trends we have been talking about are finally taking hold, finding mainstream acceptance and recognition. We have been talking about cloud computing for a long time – Rich has been teaching cloud security for four years now – but people seem to be really ‘getting’ it. It takes time for the mainstream to fully embrace new technologies, and only then do we see disruption fully take effect. It is as if you need to step fully into the new environment before what’s really possible takes shape and starts to manifest itself. Fo example, when the Internet hit big in 1996 or so, we talked about how this would hurt “brick and mortar” retail, but it was a good 7 to 10 years before that reality fully manifested. Only then did the change take full effect, and few industries were left untouched. We are just now reaching that point with the cloud, mobile, and NoSQL databases, and getting here has been exciting!

It’s not a problem until someone dies…

Thu, 14 Aug 2014 00:00:00 +0000

One of the noteworthy activities coming out of BlackHat/DEF CON was the open letter to the auto industry from I am the Cavalry espousing 5 principles for making the computers in cars safer – before someone gets hurt. As our pal Josh Corman says in a CSO article on the initiative:

Incite 8/13/2014: Butterflies

Wed, 13 Aug 2014 00:00:00 +0000

A couple weeks ago we went to see the kids at camp on visiting day. They have so much fun, learn new skills, and grow as individuals at camp – despite being away from the watchful eyes of their parental units. Go figure – let your kids spread their wings, and they do. One of the new skills both XX2 and the Boy tried out was waterskiing. So during visiting day they get to show off for the folks.

Suing Gartner: a Pyrrhic Loss?

Tue, 12 Aug 2014 00:00:00 +0000

It happens every couple years. Some vendor is really pissed at their placement in the Magic Quadrant, and they decide to sue Gartner and make it right. Inevitably the suit involves the words pay to play, and the vendor thinks they will be the company to make things right in the world. They will get justice for all those companies relegated to the loser niche quadrant. They will unmask the evil analysts for the shakedown artists they are.

Security Trolling Mass Media

Mon, 11 Aug 2014 00:00:00 +0000

At Black Hat last week, it became apparent just how mainstream our little part of the world has become. And it’s not so little any more, either. When 2 of the top 5 articles on cnn.com are related to cyber we have hit the big time. But that also means promoters and other shysters will start showing up in even greater numbers to capitalize on the media hype machine looking for any kind of news to drive page views.

Cloud File Storage and Collaboration: Additional Security Features

Fri, 01 Aug 2014 00:00:00 +0000

This is part 4 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper isavailable on GitHub as we write it. See also part 1, part 2, and part 3.

Big Brother’s Price Tag

Thu, 31 Jul 2014 00:00:00 +0000

There is no free lunch. We need to be reminded of that over and over again. Apparently the Australian government wants to mandate telcos store customer data for 2 years. This is ostensibly to combat terrorism.

Friday Summary, August 1, 2014: Productivity Metrics edition

Thu, 31 Jul 2014 00:00:00 +0000

I read Jim Bird’s blog consistently because he talks about stuff that interests me. He has a ton of experience and his posts are thought-provoking. And every couple months I totally disagree with him, which makes reading his stuff all the more fun. This week is one of those times, with Devops isn’t killing developers – but it is killing development and developer productivity. I think Jim flat-out misses the mark on this one.

Incite 7/30/2014: Free Fall

Wed, 30 Jul 2014 00:00:00 +0000

If you caught my weekend rantings on Twitter, I had some free time this past weekend. The Boss was on a girl’s weekend. The kids are away at camp. And I had a meeting with a client first thing Monday morning. So I could have stayed in the ATL and taken an evening flight out. Or I could fly out first thing in the morning and find a way to get my blood pumping.

The DevOps-y Future of Security Engineering

Wed, 30 Jul 2014 00:00:00 +0000

We have talked a lot about how this cloud thing and the associated DevOps revolution will fundamentally reshape security. Probably not tomorrow, or even the day after that. But before you know it, everything you thought you knew about security will have changed. Rich documented a bunch of our thinking in his Future of Security paper, so you can start there.

Recruiting Across the Spectrum

Mon, 28 Jul 2014 00:00:00 +0000

I really like this story about ULTRA Testing, which hires folks on the autism spectrum to perform software testing. The CEO makes a great point here:

All Good Things

Fri, 25 Jul 2014 00:00:00 +0000

Side note: we are aware of the site issues and are working hard on them. There were major changes to the platform we use, and they conflict with our high-security setup. I think we should have it fixed soon, and we apologize. That’s what we get for having a non-DevOps-y legacy site.

Cloud File Storage and Collaboration: Core Security Features

Thu, 24 Jul 2014 00:00:00 +0000

This is part 3 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper isavailable on GitHub as we write it. See also part 1 and part 2 here.

The 2015 Endpoint and Mobile Security Buyer's Guide [Updated Paper]

Thu, 24 Jul 2014 00:00:00 +0000

In an uncommon occurrence we have updated one of our papers within a year of publication. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it became clear that we needed to dig a bit deeper into securing mobile endpoints.

The Identity Cheese Shop

Thu, 24 Jul 2014 00:00:00 +0000

Gunnar and I frequently comment on the fragmented nature off-premise identity solutions. For example there is no Active Directory for mobile. Cloud IAM solutions commonly use bulk replication to propagate identity, while more elegant options are seldom considered. We pointed out how fragmented the market was a few months back when I wrote about the Identity Mosaic. When discussing the problem we wondered what vendors must say to customers looking for cloud or mobile identity solutions. It struck us that we’ve seen this act before: Monty Python’s Cheese Shop!

TI+IR/M: Quick Wins

Thu, 24 Jul 2014 00:00:00 +0000

The best way to understand how threat intelligence impacts your incident response/management process is to actually run through an incident scenario with commentary to illustrate the concepts. For simplicity’s sake we assume you are familiar with our recommended model for an incident response organization and the responsibilities of the tier 1, 2, and 3 response levels. You can get a refresher back in our Incident Response Fundamentals series.

Cloud File Storage and Collaboration: Overview and Baseline Security

Wed, 23 Jul 2014 00:00:00 +0000

This is part 2 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper isavailable on GitHub as we write it. See also Part 1.

Incite 7/23/2014: Mystic Rhythms

Wed, 23 Jul 2014 00:00:00 +0000

One of the things I most enjoy when the kids are at camp is being able to follow my natural rhythms. During the school year things are pretty structured. Get up at 5, do my meditation, get the kids ready for school, do some yoga/exercise, clean up, and get to work. When I’m on the road things are built around the business day, when I’m running around from meeting to meeting.

Firestarter: Hacker Summer Camp

Tue, 22 Jul 2014 00:00:00 +0000

In the latest Firestarter, Rich, Mike, and Adrian discuss the latest controversial research to hit the news from HOPE and Black Hat. We start with a presentation by Jonathan Zdziarski on data recoverable using forensics on iOS. While technically accurate, we think the intent he ascribes intent to Apple shows a deeply flawed analysis. We then discuss a talk removed from Black Hat on de-anonymizing Tor. In this case it seems the researchers didn’t really understand the legal environment around them. Both cases are examples of great research gone a little awry.

TI+IR/M: The New Incident (Response) & Management Process Model

Tue, 22 Jul 2014 00:00:00 +0000

Now that we have the inputs (both internal and external) to our incident response/management process we are ready to go operational. So let’s map out the IR/M process in detail to show where threat intelligence and other security data allows you to respond faster and more effectively.

TI+IR/M: Threat Intelligence + Data Collection = Responding Better

Mon, 21 Jul 2014 00:00:00 +0000

Our last post defined what is needed to Really Respond Faster, so now let’s peel back the next layer of the onion to delve into collecting data that will be useful for investigation, both internally and externally. This starts with gathering threat intelligence to cover the external side. It also involves a systematic effort to gather forensic information from networks and endpoints while leveraging existing security information sources including events, logs, and configurations.

Leading Security ‘People’

Sun, 20 Jul 2014 00:00:00 +0000

In the July 2 Incite I highlighted Dave Elfering’s discussion of the need to sell as part of your security program. Going through my Instapaper links I came across Dave’s post again, and I wanted to dig a bit deeper. Here is what I wrote in my snippet:

Friday Summary: July 18, 2014, Rip Van Winkle edition

Thu, 17 Jul 2014 00:00:00 +0000

I have been talking about data centric security all week, so you might figure that’s what I will talk about in this week’s summary. Wrong.

Incite 7/16/2014: Surprises

Wed, 16 Jul 2014 00:00:00 +0000

Every time I took a new job, on my first day I would tell the team that I hate surprises. What I really meant was a warning, not to screw something up and not tell me. That’s not really a surprise, per se. More a failure to communicate. But now that I’m a bit older I realize the importance of surprises. When you are surprised it really means you had no expectations.

The Security Pro’s Guide to Cloud File Storage and Collaboration: Introduction

Wed, 16 Jul 2014 00:00:00 +0000

This is a new series on what security pros need to know about cloud file storage and collaboration (also called file sync and share). If you have feedback please leave a comment, or eventrack and edit the evolving paper over on GitHub.

Trends in Data Centric Security: Deployment Models

Wed, 16 Jul 2014 00:00:00 +0000

So far we have talked about the need for data centric security, what that means, and which tools fit the model. Now it is time to paint a more specific picture of how to implement and deploy data centric security, so here are some concrete examples of how the tools are deployed to support a data centric model.

Are CISOs finally ‘real’ executives?

Tue, 15 Jul 2014 00:00:00 +0000

Many CISOs I have worked with over the past 10 years have consistently complained that no one else in the executive suite understands them. They can’t get the right level of support. They face constant roadblocks. Basically, they’re perplexed that business people are actually more worried about business.

Firestarter: China and Career Advancement

Mon, 14 Jul 2014 00:00:00 +0000

Mike’s at the Jersey Shore, Rich is in Boulder, and Adrian is… baking in Phoenix in between tree-killing monsoons. This week we kept it simple with two topics. First up, China’s accusations that iOS and iDevices are a security risk. Which they should know, since they are all built there. Second is a discussion on security careers. How to break in, and what hiring managers should really look for.

Leverging TI in Incident Response/Management: Really Responding Faster

Mon, 14 Jul 2014 00:00:00 +0000

In the introduction to our Leveraging Threat Intelligence in Incident Response/Management series we described how the world has changed since we last documented our incident response process. Adversaries are getting better and using more advanced tactics. The difficulty is compounded by corporate data escaping our control into the cloud, and the proliferation of mobile devices.

It’s Just a Matter of Time

Sun, 13 Jul 2014 00:00:00 +0000

So a couple of weeks ago in the Incite (4th snippet) I gave Jamie Arlen huge kudos for being a soothsayer. At Black Hat 2011 Jamie presented an attack scenario attacking high frequency trading networks, and Bloomberg recently reported that attack actually hit a hedge fund.

Listen to Rich Talk, Win a ... Ducati?

Fri, 11 Jul 2014 00:00:00 +0000

I have to admit, this is a bit of a first.

I am participating in a cloud security webinar July 21st with Elastica, a cloud application security gateway firm (that’s the name I’m playing with for this category). It will be less slides and more discussion, and not about their product. This is a product category I have started getting a lot of questions on, even if there isn’t a standard name yet, and I will probably pop off a research paper on it this fall.

Summary: Boulder

Fri, 11 Jul 2014 00:00:00 +0000

Well, I did it. I survived over 6 months of weekly travel (the reason I haven’t been writing much). Even the one where the client was worried I was going to collapse due to flu in the conference room, and the two trips that started with me vomiting at home the morning I had to head to the airport.

Incite 7/9/2014: One dollar…

Wed, 09 Jul 2014 00:00:00 +0000

A few weeks ago I was complaining about travel and not being home – mostly because I’m on family vacations and doing work I enjoy. I acknowledged these are first world problems. I didn’t appreciate what that means. You lose touch with a lot of folks’ reality when you are in the maelstrom of your own crap. I’m too busy. The kids have too many activities. There are too many demands on my time.

Open Source Development and Application Security Survey Analysis [New Paper]

Wed, 09 Jul 2014 00:00:00 +0000

We love data – especially when it tells us what people are doing about security. Which is why we were thrilled at the opportunity to provide a – dare I say open? – analysis of the 2014 Open Source Development and Application Security survey. And today we launch the complete research paper with our analysis of the results. Here are a couple highlights:

Trends in Data Centric Security: Tools

Wed, 09 Jul 2014 00:00:00 +0000

The three basic data centric security tools are tokenization, masking, and data element encryption. Now we will discuss what they are, how they work, and which security challenges they best serve.

Leveraging Threat Intelligence in Incident Response/Management

Tue, 08 Jul 2014 00:00:00 +0000

It’s hard to be a defender today. Adversaries continue to innovate, attacking software which is not under your control. These attacks move downstream as low-cost attack kits put weaponized exploits in the hands of less sophisticated adversaries, making them far more effective. But frequently attackers don’t even need to use innovative attacks because a little reconnaissance and a reasonably crafted phishing message can effectively target and compromise your employees. The good news is that we find very few still clinging to the hope that all attacks can be stopped by deploying the latest shiny object coming from a VC-funded startup.

Increasing the Cost of Compromise

Mon, 07 Jul 2014 00:00:00 +0000

It seems to be all threat intelligence all the time in the tech media, so I might as well jump on the bandwagon. My pals Wendy Nather of 451 and Jamie Blasco of AlienVault recently did a webcast on the topic. Dan Raywood has a good overview of the content. Wendy does the analyst thing and categorizes the different types of threat intelligence. She points out that sharing is taking place, but more slowly than it should. Jamie then makes a compelling case for why everyone should share threat intel when possible. Shared intelligence increases the cost of compromise.

Trends In Data Centric Security: Use Cases

Mon, 07 Jul 2014 00:00:00 +0000

After a short hiatus we are back with the next installment of our Data Centric Security series. This post will discuss why customers are interested in this approach, and specific use cases they are looking to address. It should be no surprise that all these use cases are driven by security or compliance. What’s interesting is why other tools and technologies do not meet their needs. What prompts people to look for a different approach to data security? Those are the questions we will address with today’s post.

Incite 7/2/2014 — Relativity

Wed, 02 Jul 2014 00:00:00 +0000

As you get older time seems to move faster. There may be something to these theories of Einstein. It’s hard to believe that yesterday was July 1. That means half of 2014 is in the rear view mirror. HALF. That’s unbelievable to me. Time is flying at the speed of light. I look at the list of things I wanted to do and it’s still largely unfinished. I did a bunch of things I didn’t expect to be doing. Though I guess that’s always the case.

Firestarter: G Who Shall Not Be Named

Mon, 30 Jun 2014 00:00:00 +0000

As they fight to keep the Firestarter running through Google outages, vacations, and client travel, our dynamic trio return once again. This week they discuss some of the latest news from a particular conference held out in Washington DC last week which Mike stopped by (well, the lobby bar) and Rich used to help run.

Updating the Endpoint Security Buyer’s Guide: Mobile Endpoint Security Management

Mon, 30 Jun 2014 00:00:00 +0000

In a rather uncommon occurrence, we are updating one of our papers within a year of publication. As shown by our recent deep dive into Advanced Endpoint and Server Protection, endpoint security is evolving pretty quickly. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it has become clear that we need to dig a bit deeper into securing mobile endpoints, so we will.

Friday Summary: Legal wrangling edition

Fri, 27 Jun 2014 00:00:00 +0000

This week’s intro has nothing to do with security – just a warning in case that matters to you.

I’m betting most people spent their spare time this week watching the World Cup. Or perhaps “sick time”, given the apparent national epidemic that suddenly cleared up by Friday. I am not really a ‘football’ fan, but there were some amazing matches and I remain baffled at how a player thought he could get away with biting another player during a match. And then flop and cry that he hurt his mouth! Speechless!

Knucklehead-Employee.com

Thu, 26 Jun 2014 00:00:00 +0000

You have to love it when your employees take some initiative and aggressively take it to the competition who is cleaning your clock. They spend their time working the product, refining the messaging, and getting your mojo back in the market, right?

Incite 6/25/2014: June Daze

Wed, 25 Jun 2014 00:00:00 +0000

I’m not sure why I ever think I’ll get anything done in June. I do try. I convince myself this year will be different. I look at the calendar and figure I’ll be able to squeeze in some writing. I’m always optimistic that I will be able to crank through it because there is stuff to get done. And then at the end of June I just shrug and say to myself, “Yup, another June gone and not much got done.”

Trends in Data Centric Security [New Series]

Mon, 23 Jun 2014 00:00:00 +0000

It’s all about the data. The need of many different audiences to derive value from data is driving several disruptive trends in IT. The question that naturally follows is “How do you maintain control over data regardless of where it moves?” If you want to make data useful, by using it in as many places as you can, but you cannot guarantee those places are secure, what can you do?

Open Source Development Analysis: Development Trends

Fri, 20 Jun 2014 00:00:00 +0000

For the final installment of our analysis of the 2014 Open Source Development and Application Security Survey, we will focus on open source development trends. Our topic is less security per se, and more how developers use open source, how it is managed, and how it is perceived in the enterprise.

Open Source Development Analysis: Application Security

Wed, 18 Jun 2014 00:00:00 +0000

Continuing our analysis of the 2014 Open Source Development and Application Security Survey, we can now discuss results as the final version has just been released. Today’s post focuses on application security related facets of the data.

2014 Open Source Development Webcast this Wednesday

Tue, 17 Jun 2014 00:00:00 +0000

Reminder: 2014 Open Source Development Webcast this Wednesday

A quick reminder: Brian Fox and I will be doing a webcast this Wednesday (June 18th) on the results of the 2014 Open Source Development and Application Security Survey. We have decided to divide the survey into a half dozen or so focus areas and discuss the results. We have different backgrounds in software development so we feel an open discussion is the best way to offer perspective on the results. Brian has been a developer and worked with the open source community for well over a decade, and I have worked with open source since the late ’90s and managed secure code development for about as long. The downside is that we were both created with the verbose option enabled, but we will be sure to leave time for comments at the end.

Firestarter: Apple and Privacy

Tue, 17 Jun 2014 00:00:00 +0000

Mike is out on a beach this week sunning himself (don’t think to hard about that) so Rich and Adrian join up to talk about some interesting developments in Apple privacy, and how Apple may be using it to get some competitive advantage.

Mobile Malware Supply and Demand

Tue, 17 Jun 2014 00:00:00 +0000

Just in case you thought supply and demand don’t apply to our little area of the world, think again. It is interesting to read about a $5,000 malware kit targeting Android. Dan Goodin digs into the specifics of the iBanking malware kit, the breadth of its capabilities, and how it proliferates (typically against users already infected with financial malware on their PCs); and resists whitelists to evade detection and prevention.

Incid#*%$ Happen: Manage Them

Sun, 15 Jun 2014 00:00:00 +0000

We all fall into the trap of adopting industry lingo to describe various functions. But when you take a step back, and think about mental cues we need to perform our best, sometimes it makes sense to look at things a bit differently. We all call the function of dealing with an attack incident response now.

Friday Summary: June 13, 2014

Fri, 13 Jun 2014 00:00:00 +0000

As Rich said in last week’s Summary, the blog will be quiet this summer because we are busier than we have ever been before. The good news is that new research and Securosis offerings are usually the result. But that does not stop us from feeling guilty about our lack of blogging. With that, I leave you with a couple thoughts from my world this week on a Friday the 13th:

Take our IT practices survey and win cool stuff (and free data)

Thu, 12 Jun 2014 00:00:00 +0000

Thanks to the cloud, mobility, and emerging practices like DevOps, I don’t think anyone would argue we aren’t in one of the most rapidly evolving IT eras since the emergence of the World Wide Web. Like it, hate it, or anywhere in between, everyone I speak with knows the winds have changed. Personally I believe these disruptions are more impactful than our first tenuous connections to the Internet but that’s fodder for another post.

Incite 6/11/2014: Dizney

Wed, 11 Jun 2014 00:00:00 +0000

This week I will take a page from Adrian’s Friday Summary approach, and just offer a stream of consciousness about the recent trip the family and I took to DisneyWorld. We went down there to watch the girls dance in Downtown Disney. Their dance company does this every other year, which means we are down in Orlando doing the Disney thing every two years. Trying to be more present and aware in my daily life was interesting in a place like Disney. So let me start with a few observations.

Open Source Development and Application Security Analysis [New Series]

Wed, 11 Jun 2014 00:00:00 +0000

Earlier this year I participated in the 2014 Open Source Development and Application Security Survey, something I have participated in the last couple years. As a developer and former development manager – and let’s face it, an overtly opinionated one – I am always interested in adding my viewpoint to these inquiries, even if I’m just one developer voice among thousands. But I have also benefitted from these surveys – looking at the stuff my peers are using, and even selecting open source distributions based on these shared data points. Crazy, I know, but it’s another way to leverage the community.

Summary: Summer

Fri, 06 Jun 2014 00:00:00 +0000

Rich here,

When I grew up in New Jersey, summer didn’t really start until June 25th, the day we got out of school. It was weird to me when I moved to Colorado and school ended in May and started in August, but people also used the word “pop” to describe soda, so I figured it was a wacky cultural thing.

Cloudera acquires Gazzang

Tue, 03 Jun 2014 00:00:00 +0000

Today Cloudera announced that they have acquired Austin-based data encryption vendor Gazzang. From the press release:

While Cloudera customers will continue to have a choice of a broad range of cross-platform data protection methods available from Cloudera partners, Cloudera now offers encryption for all data-at-rest stored inside the Hadoop cluster – using an approach that is transparent to applications using the data, thereby minimizing the costs associated with enabling encryption. Cloudera plans to focus the efforts of the Gazzang team on additional security challenges in Hadoop. The team will become the heart of the Cloudera Center for Security Excellence focusing exclusively on Hadoop security.

Firestarter: Sputnik or Sputput

Mon, 02 Jun 2014 00:00:00 +0000

Mike is off giving a giant mouse all his money, so Rich and Adrian ran the Firestarter as a duo this week. The question of the day is: Are we in a Sputnik moment? Did the Target breach shake things up so much that security is moving up the chain? Or are these short-term reactions, which will fade with our memories of what happened?

Friday Summary: The Hammock Edition

Fri, 30 May 2014 00:00:00 +0000

I am a pretty upbeat person, and despite my tendency towards snark I am optimistic by nature. You might find that surprising, given my profession of computer and software security, but it’s not. I have gotten a daily barrage of negative news about hacks, breaches, and broken software for well over a decade now. Like rainwater off a duck’s back, I let the bad news wash over me, and continue to educate those interested in security. Sure, I have had days where I say “Crap, security on everything is broken – and worse, nobody seems to get it.” Which is pretty much what Quinn Norton said last week with Everything is Broken. But her article was so well-written that it got to me. It is a testament to the elegance and effectiveness of her arguments that someone as calloused as I could be dragged along with her storyline, right into mild depression. It didn’t help that my morning reading consisted of that and this presentation on how the Internet and always-on connectivity may be making our lives worse. Both offer a sober look at the state of security and privacy; both were well done, with provocative imagery and text. And I admit, for the first time in a long time, I allowed them to get to me. Powerful posts.

Incite 5/28/2014: Auditory Dissonance

Wed, 28 May 2014 00:00:00 +0000

I didn’t want to become that Dad. The one who says, “Turn that crap down.” Or “What is this music?” Or “Get off my lawn!” I didn’t want that to be me. I wanted to be the cool Dad, who would listen to the new music with my kids and appreciate it. Maybe even like it. For a while, I was able to do that.

What You Need to Know About Amazon’s New Volume Storage Encryption

Tue, 27 May 2014 00:00:00 +0000

Amazon Web Services dropped a security bomb this week when they announced the immediate availability of volume storage encryption. With one click, for free, you can encrypt any EBS (Elastic Block Storage) volume in AWS. For those who aren’t familiar with AWS, they are effectively virtual hard drives you attach to a running instance (virtual machine). I missed this one, but Contributing Analyst Gal Shpantzer picked it up and mailed it to us internally.

Summary: A Thousand Miles

Fri, 23 May 2014 00:00:00 +0000

The past week has been a bit of a whirlwind. Last Friday I flew out to Denver for a family thing, then transferred over to Boulder for a DevOps.com advisory board meeting, Camp DevOps (where I presented), and Gluecon.

Translation Machine: Responding to (Uninformed) Bloggers

Fri, 23 May 2014 00:00:00 +0000

One of the things I don’t miss about running a marketing team is worrying about responding to negative press. It’s a lot worse today, now that you not only have to spin less informed beat reporters who frequently troll for page views by misrepresenting competitive nonsense. But also bloggers and Tweeters who make things up say things about the product.

Incite 5/21/2014: Recitals

Wed, 21 May 2014 00:00:00 +0000

As we get into late May it is getting to be summer in the ATL. The kids finish up school this week, the pools open, and my standard work attire consists of shorts, a T-shirt, and flip flops. The Boss is frantically getting the kids ready for camp, and we have a few family trips planned before they leave.

Firestarter: Wanted Posters and SleepyCon

Tue, 20 May 2014 00:00:00 +0000

We apologize for the quality of this week’s show… but Rich is on the road and can’t seem to understand the word ‘bandwidth’. Assuming you are willing to put up with us, watch us amuse ourselves over FBI wanted posters with Chinese army members on them. Then we debate the sometimes-sorry state of 95% of the 863 security cons in the world.

When Security Services Attack

Tue, 20 May 2014 00:00:00 +0000

In the unintended consequences file, it’s awesome when big honking devices to stop attacks get owned and blast other sites. Yup, the folks at Incapsula found a huge DDoS that was leveraging equipment from two (not one, but two!) DDoS protection services.

CEO on Line 2

Mon, 19 May 2014 00:00:00 +0000

It has been a couple weeks since Target’s CEO was fired. Maybe not officially fired, but for all intents and purposes that’s what happened. The data breach was the most visible reason, though as George Hulme points out that was really a red herring.

Friday Summary: May 16, 2014

Fri, 16 May 2014 00:00:00 +0000

It’s odd, given the large number of security conferences I attend, how few sessions I get to see. I am always meeting with clients around events, but I rarely get to see the sessions. Secure360 is an exception, and that’s one of the reasons I like to go. I figured I’d share some of better ones – at least sessions where I not only learned something but got to laugh along the way:

Incite 5/14/2014: Solo Exploration

Wed, 14 May 2014 00:00:00 +0000

Is it possible to like interacting with people, yet need time alone? To really enjoy working in a team, yet cherish a night of solitude? I have always defined myself as an introvert. It provided a convenient excuse when I just didn’t want to deal with people. Though I do need my solo time to recharge, that’s for sure. But I also need to be social. Not all the time and not for extended periods of time, but a life of solitude doesn’t really appeal to me either. It’s an interesting contrast.

Firestarter: 3 for 5- McAfee, XP, and CEOs

Mon, 12 May 2014 00:00:00 +0000

A lot is going on in security land, so Rich, Mike, and Adrian return with another 3 for 5 episode. Three stories, five minutes each, all the sarcastic bite in a convenient package.

Summary: Thin Air

Fri, 09 May 2014 00:00:00 +0000

Rich here. A quick mention: I will run a security session at Camp DevOps in Boulder on May 20th. I am looking forward to learning some things myself.

Incite 5/7/2014: Accomplishments

Wed, 07 May 2014 00:00:00 +0000

Yesterday I was in Winnipeg. By choice! I was invited to speak at the Western Canada Information Security Conference, and there isn’t much I like better than giving talks in Canada. Folks are nice. They appreciate when you come up to their towns to talk. They don’t say much during the pitch, but they come up after the session or in the coffee line and make it clear that they were listening. Just like in the Northeast. OK, not so much.

New Paper: Advanced Endpoint and Server Protection

Tue, 06 May 2014 00:00:00 +0000

Anti-virus is basically dead, at least according to the biggest anti-virus vendor. The good news is that signature-based AV has actually been dead for a long time; even the big players have been broadening their capabilities to assess, prevent, detect, and investigate advanced malware on endpoints and servers. There has been a tremendous amount of activity and innovation in protecting endpoint and servers, driven by necessity:

Firestarter: There Is No SecDevOps

Mon, 05 May 2014 00:00:00 +0000

Adrian is off at the altar of Buffett (the other one – not the one I wear a coconut bra for), so Mike and I delved into SecDevOps, triggered by a post from Andrew Storms over at DevOps.com. This is where the world is heading folks – you might as well prepare yourselves now.

Friday Summary: Biased Analysis Edition

Fri, 02 May 2014 00:00:00 +0000

Glenn Fleishman (@GlennF) tweeted “Next month’s Wired: ‘We painstakingly reconstructed Steve Jobs’ wardrobe so you can wear it, too.’” A catty response to Wired Magazine’s recent reconstruction of Steve Jobs’ stereo system. Unlike Mr. Fleishman I was highly interested in this article, and found it relevant to current events. For people who love music and quality home music reproduction, iTunes’ disgustingly low-resolution MP3 files seem at odds with Jobs’ personal interest in HiFi. The equipment surrounding Jobs in the article’s lead picture was not just good stereo equipment, and not ‘name brand’ equipment either – but instead esoteric brands aimed at aficionados (indicating Jobs was very serious about music reproduction and listening). The irony is that someone who was heavily invested in HiFi would become the principal purveyor of what audiophiles deem unholy evil. Sure, MP3s are a great convenience – just not so great for music quality. This picture has made HiFi trade magazines over the years, and while Jobs was alive the vanishingly small population of audiophiles held out hope that we would someday get high-resolution music from iTunes. The rumor – of which confirmation would be a great surprise – is that we may finally get HiRes files from iTunes, which I suspect is why this picture was the subject of such scrutiny. The market for high-quality headphones has jumped 10-fold in the last 7 years, and vinyl record sales have gone up 6-fold in the same period, showing public interest in higher quality audio while CD sales plummet. Even piracy-paranoid anti-consumer vendors like Sony have begun to sell HiRes DSD files, so Apple has likely noticed these trends and we can hope they will follow suit.

Incite 4/30/2014: Sunscreen

Wed, 30 Apr 2014 00:00:00 +0000

After a mostly miserable winter, at least in terms of the weather, spring is here. And some days it feels like summer. This past weekend was awesome. A little hot, but nice. Sun shining. Watching the kids play LAX. Dinner/drinks to celebrate two of my best friends completing a trail marathon. Yes, they ran 26.2 miles through the woods. I didn’t say my friends were overly bright, did I?

XP Users Twisting in the Wind

Tue, 29 Apr 2014 00:00:00 +0000

Windows XP’s recent end of life has garnered a bit of industry recognition. Mostly from vendors pushing controls to lock down the ancient operating system. Folks who are stuck on XP are, well, stuck. And now there is a new exploit in the wild that takes advantage of IE, so what are XP users to do?

Firestarter: The Verizon DBIR

Mon, 28 Apr 2014 00:00:00 +0000

After missing a week, Rich, Mike, and Adrian return to talk about birthdays, the annual Verizon Data Breach Investigations Report, and child-induced alcohol consumption.

NoSQL Security: Understanding NoSQL Platforms

Mon, 28 Apr 2014 00:00:00 +0000

I started this series on recommendations for securing NoSQL clusters a couple weeks ago, so sorry for the delay posting the rest of the series. I had some difficulty contacting the people I spoke with during the first part of this “big data” research project, and some vendors were been slow to respond with current product capabilities. As I hoped, launching this series “shook the tree of knowledge”, and several people responded to my inquiries. It has taken a little more time than I thought to schedule calls and parse through the data, but I am finally restarting, and should be able to quickly post the rest of the research.

Defending Against Network-based Distributed Denial of Service Attacks [New Paper]

Sun, 27 Apr 2014 00:00:00 +0000

What’s a couple hundred gigabits per second of traffic between friends, right? Because that is the magnitude of recent volumetric denial of service attacks, which means regardless of who you are, you need a plan to deal with that kind of onslaught.

Summary: Time and Tourists

Fri, 25 Apr 2014 00:00:00 +0000

Rich here,

Travel is about as close as any of us get to a time machine.

Leave home, step into an airport, and you step out of your life, even in our hyper-connected world. Sure, you are still on email, still talking to your family over the phone or Skype/FaceTime, and still surrounded by screens spewing endless worthless updates on the tragedy du jour, but fundamentally you are cut off. From your normal life, daily patterns, and state of mind. It isn’t ‘bad’, but it is unavoidable – no matter how closely you hew to your familiar habits.

Pass the Hemlock

Thu, 24 Apr 2014 00:00:00 +0000

I can certainly empathize with folks who suffer from burnout, in any occupation. It is miserable and clinical and not to be minimized or swept under the rug. But if this whole mindfulness approach has shown me anything, it is that we control how we respond to situations. So yes, security is a tough job. Yes, you probably can’t win. Yes, your senior management has no idea what you do and can’t understand your value.

Incite 4/23/2014: New Coat of Paint

Wed, 23 Apr 2014 00:00:00 +0000

It is interesting to see the concept of mindfulness enter the vernacular. For folks who have read the Incite for a while, I haven’t been shy about my meditation practice. And next week I will present on Neuro-Hacking with Jen Minella at her company’s annual conference. I never really shied away from this discussion, but I didn’t go out of my way to discuss it either.

Understanding Role Based Access Control: Advanced Concepts

Tue, 22 Apr 2014 00:00:00 +0000

For some of you steeped in IAM concepts, our previous post on Role Lifecycles seems a bit basic. But many enterprises are still grappling with how to plan for, implement, and manage roles throughout the enterprise. There are many systems which contribute to roles and privileges, so what may seem basic in theory is often quite complex in practice. Today’s post will dig a bit deeper into more advanced RBAC concepts. Let’s roll up our sleeves to look at role engineering!

Verizon DBIR 2014: Incident Classification Patterns

Tue, 22 Apr 2014 00:00:00 +0000

[Note: Rich, Adrian, and Mike are all traveling today, so we asked Jamie Arlen to provide at least a little perspective on an aspect of the DBIR he found interesting. So thanks Jamie for this. We will also throw Gunnar under the bus a little because he has been very active on our email list, with all sorts of thoughts on the DBIR, but he doesn’t want to share them publicly. Maybe external shaming will work, but more likely he’ll retain his midwestern sensibilities and be too damn nice.]

DDoS-fuscation

Sun, 20 Apr 2014 00:00:00 +0000

Akamai’s research team has an interesting post on how attackers now use web proxies to shield their identities when launching DDoS attacks. Using fairly simple web-based tools they can launch attacks, and by routing the traffic through an exposed web proxy they can hide the bots or other devices performing the attacks.

Friday Summary: April 18, 2014, The IT Dysfunction Issue

Fri, 18 Apr 2014 00:00:00 +0000

I just finished reading The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford. And wow, what a great book! It really captures the organizational trends and individual behaviors that screw up software & IT projects. And, better yet, it offers some concrete examples for how to address these issues. The Phoenix Project is a bit like a time machine for me, because it so accurately captures the entire ecosystem of dysfunction at one of my former companies that it could have been based on that organization. I have worked with these people and witnessed those behaviors – but my Brent was a guy named Yudong who was very bright and well-intentioned, but without a clue how to operate. Those weekly emergency hair-on-fire sessions were typically caused by him. Low-quality software and badly managed deployments make productivity go backwards. Worse, repeat failures and lack of reliability create tension and distrust between all the groups in a company, to the point when they become rival factions. Not a pleasant work environment – everyone thinks everyone else is bad at their jobs! The Phoenix Project does a wonderful job of capturing these situations, and why companies fall into these behavioral patterns.

Incite 4/16/2014: Allergies

Wed, 16 Apr 2014 00:00:00 +0000

It was a crummy winter. Cold. Snowy. Whiplash temperature swings. Over the past few weeks, when ATL finally seemed to warm up for spring (and I was actually in town), I rejoiced. One of the advantages of living a bit south is the temperate weather from mid-February to late November.

Can’t Unsee (and the need for better social media controls)

Tue, 15 Apr 2014 00:00:00 +0000

I have to admit the USAirways porno tweet had me cracking up. Business Insider has good coverage (even including the NSFW link, if you are a glutton for well, whatever). It was funny not because of the picture, but as an illustration of how a huge corporation could have its brand and image impacted by the mistake of one person. Also because it didn’t happen to me. I assure you the executive suite at the company did not think this was funny, at all.

Understanding Role Based Access Control: Role Lifecycle

Tue, 15 Apr 2014 00:00:00 +0000

Roles-based access control (RBAC) has earned a place in the access control architectures at many organization. Companies have many questions about how to effectively use roles, including “How can I integrate role-based systems with my applications? How can I build a process around roles? How can I manage roles on a day-to-day basis? And by the way, how does this work?” It is difficult to distinguish between the different options on the market – they all claim equivalent functionality. Our goal for this post is to provide a simple view of how all the pieces fit together, what you do with them, and how each piece helps provide and/or support role-based access.

Responsibly (Heart)Bleeding

Mon, 14 Apr 2014 00:00:00 +0000

Yeah, we hit on the Heartbleed vulnerability in this week’s FireStarter, but I wanted to call attention to how Akamai handled the vulnerability. They first came out with an announcement that their networks (and their customers) were safe because their systems were already patched. Big network service providers tend to get an early heads-up when stuff like this happens, so they can get a head start on patching.

FFIEC’s Rear-View Mirror

Sun, 13 Apr 2014 00:00:00 +0000

You have to love compliance mandates, especially when they are anywhere from 18 months to 3 years behind the threat. Recently the FFIEC (the body that regulates financial institutions) published some guidance for financials to defend against DDoS attacks. Hat tip to Techworld.

Firestarter: Three for Five

Sun, 13 Apr 2014 00:00:00 +0000

In this week’s Firestarter the team makes up for last week and picks three different stories, each with a time limit. It’s like one of those ESPN shows, but with less content and personality.

Understanding Role Based Access Control [New Series]

Wed, 09 Apr 2014 00:00:00 +0000

Identity and Access Management (IAM) is a marathon rather than a sprint. Most enterprises begin their IAM journey by strengthening authentication, implementing single-sign on, and enabling automated provisioning. These are excellent starting points for an enterprise IAM foundation, but what happens next? Once users are provisioned, authenticated, and signed on to multiple systems, how are they authorized? Enterprises need to very quickly answer crucial questions: How is access managed for large groups of users? How will you map business roles to technology and applications? How is access reviewed for security and auditing? What level of access granularity is appropriate?

Defending Against DDoS: Mitigations

Mon, 07 Apr 2014 00:00:00 +0000

Our past two posts discussed network-based Distributed Denial of Device (DDoS) attacks and the tactics used to magnify those attacks to unprecedented scale and volume. Now it’s time to wrap up this series with a discussion of defenses. To understand what you’re up against let’s take a small excerpt from our Defending Against Denial of Service Attacks paper.

NoSQL Security 2.0 [New Series] updated

Fri, 04 Apr 2014 00:00:00 +0000

NoSQL, both the technology and the industry, have taken off. We are past the point where we can call big data a fad, and we recognize that we are staring straight into the face of the next generation of data storage platforms. About 2 years ago we started the first Securosis research project on big data security, and a lot has changed since then. At that point many people had heard of Hadoop, but could not describe what characteristics made big data different than relational databases – other than storing a lot of data. Now there is no question that NoSQL — as a data management platform — is here to stay; enterprises have jumped into large scale analysis projects with both feet and people understand the advantages of leveraging analytics for business, operations, and security use cases. But as with all types of databases – and make no mistake, big data systems are databases – high quality data produces better analysis results. Which is why in the majority of cases we have witnessed, a key ingredient is sensitive data. It may be customer data, transactional data, intellectual property, or financial information, but it is a critical ingredient. It is not really a question of whether sensitive data is stored within the cluster – more one of which sensitive data it contains. Given broad adoption, rapidly advancing platforms, and sensitive data, it is time to re-examine how to secure these systems and the data they store.

Booth Babes Be Gone

Thu, 03 Apr 2014 00:00:00 +0000

OK. I have changed my tune. I have always had a laissez-faire attitude toward booth babes. I come from the school of what works. And if booth babes generate leads, of which some statistically result in deals, I’m good. Mr. Market says that if something works, you keep doing it. And when it stops working you move on to the next tactic. Right?

Incite 4/2/2014: Disruption

Wed, 02 Apr 2014 00:00:00 +0000

The times they are a-changin’. Whether you like it or not. Rich has hit the road, and has been having a ton of conversations about his Future of Security content, and I have adapted it a bit to focus on the impact of the cloud and mobility on network security. We tend to get one of three reactions:

Breach Counters

Tue, 01 Apr 2014 00:00:00 +0000

The folks at the Economist (with some funding from Booz Allen Hamilton, clearly doing penance for bringing Snow into your Den) have introduced the CyberTab cyber crime cost calculator. And no, this isn’t an April Fool’s joke. The Economist is now chasing breaches and throwinging some cyber around. Maybe they will sponsor a drinking game at DEFCON or something.

Defending Against DDoS: Magnification

Mon, 31 Mar 2014 00:00:00 +0000

As mentioned in our last post, the predominant mechanism of network-based DDoS attacks involves flooding the pipes with standard protocols like SYN, ICMP, DNS, and NTP. But that’s not enough, so attackers now take advantage of weaknesses in the protocols to magnify the impact of their floods by an order of magnitude. This makes each compromised device far more efficient as an attack device and allows attackers to scale attacks over 400gbps (as recently reported by CloudFlare). Only a handful of organizations in the world can handle an attack of that magnitude, so DDoS + reflection + amplification is a potent combination.

Defending Against DDoS: Attacks

Sun, 30 Mar 2014 00:00:00 +0000

As we discussed in our Introduction to Defending Against Network-based Distributed Denial of Service Attacks, DDoS is a blunt force instrument for many adversaries. So organizations need to remain vigilant against these attacks. There is not much elegance in a volumetric attack – adversaries impact network availability by consuming all the bandwidth into a site and/or by knocking down network and security devices, overwhelming their ability to handle the traffic onslaught.

Analysis of Visa’s Proposed Tokenization Spec

Fri, 28 Mar 2014 00:00:00 +0000

Visa, Mastercard, and Europay – together known as EMVCo – published a new specification for Payment Tokenisation this month. Tokenization is a proven security technology, which has been adopted by a couple hundred thousand merchants to reduce PCI audit costs and the security exposure of storing credit card information. That said, there is really no tokenization standard, for payments or otherwise. Even the PCI-DSS standard does not address tokenization, so companies have employed everything from hashed credit card (PAN) values (craptastic!) to very elaborate and highly secure random value tokenization systems. This new specification is being provided to both raise the bar on shlock home-grown token solutions, but more importantly to address fraud with existing and emerging payment systems.

Friday Summary: March 28, 2014—Cloud Wars

Fri, 28 Mar 2014 00:00:00 +0000

Begun, the cloud war has.

We have been talking about cloud computing for a few years now on this blog, but in terms of market maturity it is still early days. We are really entering the equivalent of the second inning of a much longer game, it will be over for a long time, and things are just now getting really interesting. In case you missed it, the AWS Summit began this week in San Francisco, with Amazon announcing several new services and advances. But the headline of the week was Google’s announced price cuts for their cloud services:

Security Sharing

Fri, 28 Mar 2014 00:00:00 +0000

I really like that some organizations are getting more open about sharing information regarding their security successes and failures. Prezi comes clean about getting pwned as part of their bug bounty program. They described the bug, how they learned about it, and how they fixed it. We can all learn from this stuff.

Mike’s Upcoming Webcasts

Thu, 27 Mar 2014 00:00:00 +0000

After being on the road for what seems like a long time (mostly because it was), I will be doing two webcasts next week which you should check out.

Incite 3/26/2014: One Night Stand

Wed, 26 Mar 2014 00:00:00 +0000

There is no easy way to say this. I violated a vow I made years ago. It wasn’t a spur of the moment thing. I have been considering how to do it, without feeling too badly, for a few weeks. The facts are the facts. No use trying to obscure my transgression. I cheated. If I’m being honest, after it happened I didn’t feel bad. Not for long anyway.

Firestarter: The End of Full Disclosure

Mon, 24 Mar 2014 00:00:00 +0000

Last week we held a wake for Windows XP. This week we continue that trend, as we discuss the end of yet era – coincidentally linked to XP. Last week the venerable Thunderdome of security lists bid adieu, as the Full Disclosure list suddenly shut down. And yes, this discussion is about more than just one email list going bye-bye.

Friday Summary: March 21, 2014—IAM Mosaic Edition

Fri, 21 Mar 2014 00:00:00 +0000

Researching and writing about identity and access management over the last three years has made one thing clear: This is a horrifically fragmented market. Lots and lots of vendors who assemble a bunch of pieces together to form a ‘vision’ of how customers want to extend identity services outside the corporate perimeter – to the cloud, mobile, and whatever else they need. And for every possible thing you might want to do, there are three or more approaches. Very confusing.

Firestarter: An Irish Wake

Wed, 19 Mar 2014 00:00:00 +0000

We originally recorded this episode on St. Patty’s Day and thought it would be nice to send off Windows XP with a nice Irish wake, but Google had a hiccup and our video was stuck in Never Never Land for an extra day. To be honest, we thought we lost it, so no complaints.

Incite 3/18/2014: Yo Mama!

Wed, 19 Mar 2014 00:00:00 +0000

It’s really funny and gratifying to see your kids growing up. Over the weekend XX1 took her first solo plane trip. I checked her in as an unaccompanied minor, and she miraculously got TSA Pre-check. Of course that didn’t mean I did with my gate pass. So the TSA folks did their darndest to maintain the security theater, and swabbed my hands and feet.

Jennifer Minella Is Now a Contributing Analyst

Wed, 19 Mar 2014 00:00:00 +0000

We are always pretty happy-go-lucky around here, but some days we are really happy.

Today is one of those days.

Webinar Tomorrow: What Security Pros Need to Know About Cloud

Tue, 18 Mar 2014 00:00:00 +0000

Hey everyone,

I mentioned it on Twitter but also wanted to post it here. Tomorrow I will be giving a webinar on What Security Pros Need to Know About Cloud, based on the white paper I recently released.

Defending Against Network Distributed Denial of Service Attacks [New Series]

Mon, 17 Mar 2014 00:00:00 +0000

Back in 2013, volumetric denial of service (DoS) attacks targeting networks were all the rage. Alleged hacktivists effectively used the tactic first against Fortune-class banks, largely knocking down major banking brands for days at a time. But these big companies adapted quickly and got proficient at defending themselves, so attackers then bifurcated their attacks. On one hand they went after softer targets like public entities (the UN, et al) and smaller financial institutions. They also used new tactics to take on content delivery networks like CloudFlare with multi-hundred-gigabyte attacks, just because they could.

Reminder: We all live in glass houses

Mon, 17 Mar 2014 00:00:00 +0000

Forrester’s Rick Holland makes a great point in the epic Target Breach: Vendors, You’re Not Wrestlers, And This Isn’t The WWE post. Epic mostly because he figured out how to work the WWE and a picture of The Rock into a security blog post.

New Paper: Reducing Attack Surface with Application Control

Sun, 16 Mar 2014 00:00:00 +0000

Attacks keep happening. Breaches keep happening. Senior management keeps wondering what the security team is doing.

The lack of demonstrable progress [in stopping malware] comes down to two intertwined causes. First, devices are built using software that has defects attackers can exploit. Nothing is perfect, especially not software, so every line of code presents an attack surface. Second, employees can be fooled into taking action (such as installing software or clicking a link) that enables attacks to succeed.

Summary: DevOps Trippin’

Fri, 14 Mar 2014 00:00:00 +0000

Rich here,

As technology professionals we always place bets with our careers. There is no way to really know, for certain, which sets of skills will be most in demand down the road. Yet, as with financial investments, we only have so many resources (time and brain cells) to allocate at any given time. Invest too much too early and your nifty new skills won’t be in demand. Too late and you miss the best opportunities, and are stuck playing catch-up if that’s even possible.

Incite 3/12/2014: Digging Out

Wed, 12 Mar 2014 00:00:00 +0000

The ritual is largely the same. I do my morning stuff (usually consisting of some meditation and some exercise), I grab a quick bite, and then I consult my list of things that need to get done. It is long, and seems to be getting longer. The more I work, the more I have to do. It’s a good problem to have, but it’s still a problem.

Firestarter: RSA Postmortem

Tue, 11 Mar 2014 00:00:00 +0000

We are all rested and recovered from RSA (yeah, right) and it’s time to review the week and what we think. Did we mention security is back, baby?! That’s right – it is clear budgets are now free, and the stink of desperation is fading.

Advanced Endpoint and Server Protection: Quick Wins

Mon, 10 Mar 2014 00:00:00 +0000

We have covered the main aspects of the threat management cycle, in terms of the endpoint and server contexts, in our last few posts. Now let’s apply these concepts to a scenario to see how it plays out. In this scenario you work for a high-tech company which provides classified technology to a number of governments, and has a lot of valuable intellectual property. You know you are targeted by state-sponsored adversaries for the classified information and intellectual property on your networks. So you have plenty of senior management support and significant resources to invest in dealing with advanced threats.

New Paper: Leveraging Threat Intelligence in Security Monitoring

Sun, 09 Mar 2014 00:00:00 +0000

As we continue our research into the practical uses of threat intelligence (TI), we have documented how TI should change existing security monitoring (SM) processes. In our Leveraging Threat Intelligence in Security Monitoring paper, we go into depth on how to update your security monitoring process to integrate malware analysis and threat intelligence. Updating our process maps demonstrates that we don’t consider TI a flash in the pan – it is a key aspect of detecting advanced adversaries as we move forward.

Advanced Endpoint and Server Protection: Detection/Investigation

Fri, 07 Mar 2014 00:00:00 +0000

Our last AESP post covered a number of approaches to preventing attacks on endpoints and servers. Of course prevention remains the shiny object most practitioners hope to achieve. If they can stop the attack before the device is compromised there need be no clean-up. We continue to remind everyone that hope is not a strategy, and counting on blocking every attack before it reaches your devices always ends badly.

Friday Summary: March 7, 2014

Thu, 06 Mar 2014 00:00:00 +0000

I don’t code much. In fact over the last 10 years or so I have been actively discouraged from coding, with at least one employer threatening to fire me if I was discovered. I have helped firms architect new products, I have done code reviews, I have done some threat modeling, and even a few small Java utilities to weave together a couple other apps. But there has been very, very little development in the last decade. Now I have a small project I want to do so I jumped in with both feet, and it feels like I was dumped into the deep end of the pool. I forgot how much bigger a problem space application development is, compared to simple coding.

Incite 3/5/2014: Reentry

Wed, 05 Mar 2014 00:00:00 +0000

After I got off the plane Friday night, picked my bag up off the carousel, took the train up to the northern Atlanta suburbs, got picked up by the Boss, said hello to the kids, and then finally took a breath – my first thought was that RSA isn’t real. But it is quite real, just not sustainable. That makes reentry into my day to day existence a challenge for a few days.

Research Revisited: FireStarter: Agile Development and Security

Fri, 28 Feb 2014 00:00:00 +0000

I have had many conversations over the last few months with firms about to take their first plunge into Agile development methodologies. Each time they ask how to map secure software development processes into an Agile framework. So I picked this Firestarter for today’s retrospective on Agile Development and Security (see the original post with comments).

Research Revisited: Off Topic: A Little Perspective

Thu, 27 Feb 2014 00:00:00 +0000

As I was crawling through the old archives for some posts, I found my very first reference to Mike here at Securosis. I timed this Revisited post to fire off when Mike’s post on joining Securosis goes live, and the title now seems to have more meaning.

Research Revisited: POPE analysis on the new Securosis

Thu, 27 Feb 2014 00:00:00 +0000

Since we’re getting all nostalgic and stuff, I figured I’d dust off the rationale I posted the day we announced that I was joining Securosis. That was over 4 years ago and it has been a great ride. Rich and Adrian haven’t seen fit to fire me for cause yet, and I think we’ve done some great work.

Research Revisited: Apple, Security, and Trust

Wed, 26 Feb 2014 00:00:00 +0000

Update:

After publishing this, I realized I should have taken more time editing, especially after Apple released their iOS Security paper this week. My intention was to refer to situations where, often due to attacks, vulnerabilities, or other events, Apple is pushed into responding. They can still struggle to balance the lines between what they want to say, and what outsiders want to hear. They have very much improved communications with researchers, the media, and the level of security information they publish in the open. It is the crisis situations that knock things off kilter at times.

Research Revisited: Hammers vs. Homomorphic Encryption

Wed, 26 Feb 2014 00:00:00 +0000

We are running a retrospective during RSA because we cannot blog at the show. We each picked a couple posts we like and still think relevant enough to share. I picked a 2011 post on Hammers and Homomorphic Encryption, because a couple times a year I hear about a new startup which is going to revolutionize security with a new take on homomorphic encryption. Over and over. And perhaps some day we will get there, but for now we have proven technologies that work to the same end. (Original post with comments)

New Paper: The Future of Security The Trends and Technologies Transforming Security

Tue, 25 Feb 2014 00:00:00 +0000

This paper originally started with a blog post called Inflection. Sure, many of our papers start as a series of posts, but this time the post came long before I thought of a paper. I started seeing a bunch of interrelated trends, and what appeared to be some likely unavoidable outcomes. Unlike most predictive pieces, I focused as much on inherent security trends as on disruptive forces. Less “new attacks” and more “new ways we are doing things”.

Research Revisited: RSA/NetWitness Deal Analysis

Tue, 25 Feb 2014 00:00:00 +0000

As we continue our journey down memory lane I want to take a look at what I said about the RSA/NetWitness deal back in April 2011, when it was announced. In hindsight the NetWitness technology has become the underlying foundation of RSA’s security management and security analytics offerings, so I underplayed that a bit. EnVision is pretty much dead. And we haven’t really seen a compelling alternative on the full packet capture and analytics front. Although a bunch of bigger SIEM players started introducing that technology this year.

Research Revisited: Security Snakeoil

Tue, 25 Feb 2014 00:00:00 +0000

Wow! Sometimes we find things in the archives that still really resonate. This is a short one but I’ll be damned if I don’t expect to see this exact phrase used on the show floor at RSA this week.

Research Revisited: The Data Breach Triangle

Mon, 24 Feb 2014 00:00:00 +0000

This has always been one of my favorite posts, and it is one I still use regularly. I even have a slide on it in my RSA presentation for this week.

Research Revisited: 2006 Incites

Sun, 23 Feb 2014 00:00:00 +0000

All of us Securosis folks will be at the RSA Conference this week, so we figured we’d pre-load some old stuff to get a feel for how our research positions turned out. Mine is really old, digging back into the archives from when I had just started Security Incite. Each year I put together a set of Incites that reflected what I expected to happen that year.

Research Revisited: The 3 Dirty Little Secrets of Disclosure No One Wants to Talk About

Sun, 23 Feb 2014 00:00:00 +0000

This post doesn’t hold up that well, but it goes back to 2006 and the first couple weeks the site was up. And I think it is interesting to reflect on how my thinking has evolved, as well as the landscape around the analysis.

Apple Bug Bad. Patch Now. Here Are Good Writeups

Sat, 22 Feb 2014 00:00:00 +0000

Yesterday Apple released iOS 7.06, an important security update you have probably seen blasted across many other sites. A couple points:

Firestarter Happy Hour- RSA 2014 (With an Audio Download Option)

Fri, 21 Feb 2014 00:00:00 +0000

We may have gone too far.

Okay, not really, but we hope you enjoy this beer-fueled extended episode of the Securosis Firestarter. Clocking in at a full hour, we prep and review the upcoming RSA show, which is really our way of covering how we think the year in the security industry will look.

Summary: A Little Tipsy, a Little Edgy

Thu, 20 Feb 2014 00:00:00 +0000

It is 6:44pm as I write this.

Adrian just left after we recorded our first extended Firestarter/Happy Hour.

The idea was that he would drive down, we would dial Mike in from Atlanta, talk about RSA stuff, Adrian would leave, and I would finish off work.

Incite 2/19/2014: Outwit, Outlast, OutRSA

Wed, 19 Feb 2014 00:00:00 +0000

No, we aren’t talking about Survivor, which evidently is still on the air. Who knew? This week the band of merry Securosis men are frantically preparing for next week’s RSA Conference. We’ll all descend on San Francisco Sunday afternoon to get ready for a week of, well, work and play.

Security Analytics with Big Data Research Paper

Wed, 19 Feb 2014 00:00:00 +0000

I am happy to announce the release of a research paper a long time in the making: Security Analytics with Big Data. This topic generates tons of questions from end users, and we get them from large and mid-sized enterprises alike. The goals of this research project were threefold:

The (Full) 2014 Securosis RSA Conference Guide

Wed, 19 Feb 2014 00:00:00 +0000

Yes, you have seen this content because we have been blogging it for 10 days. But you can’t really take our blog with you to the RSA Conference, can you? Oh, smartphone browsers. Never mind.

Join the Securosis Firestarter Happy Hour: RSA Edition

Tue, 18 Feb 2014 00:00:00 +0000

When we started the FireStarter we also decided to try a quarterly (or whenever convenient) extended edition that breaks out of our usual 15-minute time limit. We will be recording the very first of these this Thursday at 5pm ET.

Firestarter: Payment Madness

Mon, 17 Feb 2014 00:00:00 +0000

This is our last regular Firestarter before we record our pre-RSA Quarterly Happy Hour. This week, after a few non-sequiturs, we talk about the madness of payment systems. It seems the US is headed towards chip and signature, not chip and PIN like the rest of the world, because banks think American are too stupid to remember a second PIN.

RSA Conference Guide 2014 Deep Dive: Cloud Security

Mon, 17 Feb 2014 00:00:00 +0000

In our 2013 RSA Guide we wrote that 2012 was a tremendous year for cloud security. We probably should have kept our mouth shut and remembered all those hype cycles, adoption curves, and other wavy lines because 2013 blew it away. That said, cloud security is still quite nascent, and in many ways losing the race with the cloud market itself, expanding the gap between what’s happening in the cloud and what’s actually being secured in the cloud. The next few years are critical for security professionals and vendors as they risk being excluded from cloud transformation projects, and thus find themselves disengaged in enterprise markets as cloud vendors and DevOps take over security functions.

RSA Conference Guide 2014 Deep Dive: Data Security

Mon, 17 Feb 2014 00:00:00 +0000

It is possible that 2014 will be the death of data security. Not only because we analysts can’t go long without proclaiming a vibrant market dead, but also thanks to cloud and mobile devices. You see, data security is far from dead, but is is increasingly difficult to talk about outside the context of cloud, mobile, or… er… Snowden. Oh yeah, and the NSA – we cannot forget them.

RSA Conference Guide 2014 Deep Dive: Endpoint Security

Mon, 17 Feb 2014 00:00:00 +0000

We are in the home stretch, with only a few more deep dives to post.

EPP: Living on Borrowed Time?

Every year we take a step back and wonder if this is the year customers will finally revolt against endpoint protection suites and shift en masse to something free, or one of the new technologies focused on preventing advanced attacks. It is so easy to forget how important inertia is to security buying cycles. Combined with the continued (ridiculous) PCI mandate for ‘anti-malware’ (whatever that means), the AV vendors continue to print money.

RSA Conference Guide 2014 Deep Dive: Identity and Access Management

Sun, 16 Feb 2014 00:00:00 +0000

One of the biggest trends in security gets no respect at RSA. Maybe because identity folks still look at security folks cross-eyed. But this year things will be a bit different. Here’s why:

RSA Conference Guide 2014 Deep Dive: Application Security

Fri, 14 Feb 2014 00:00:00 +0000

With PoS malware, banking trojans, and persistent NSA threats the flavors of the month and geting all the headlines, application security seems to get overshadowed every year at the RSA Conference. Then again, who wants to talk about the hard, boring tasks of fixing the applications that run your business. We have to admit it’s fun to read about who the real hackers are, including selfies of the dorks people apparently selling credit card numbers on the black market. Dealing with a code vulnerability backlog? Not so much fun. But very real and important trends are going on in application security, most of which involve “calling in the cavalry” – or more precisely outsourcing to people who know more about this stuff, to jumpstart application security programs.

RSA Conference Guide 2014 Deep Dive: Security Management and Compliance

Fri, 14 Feb 2014 00:00:00 +0000

As we continue deep dives into our coverage areas, we now hit security management and compliance.

If you don’t like it, SECaaS!

We have taken a bunch of calls this year from folks looking to have someone else manage their SIEM. Why? Because after two or three failed attempts, they figure if they are going to fail again, they might as well have a service provider to blame. Though that has put some wind in the sails of the service providers who offer monitoring services, and provided an opening for those who can co-source and outsource the SIEM. Just make sure to poke and prod the providers about how you are supposed to respond to an incident when they have your data. And to be clear… they have your data.

Bit9 Bets on (Carbon) Black

Thu, 13 Feb 2014 00:00:00 +0000

In an advanced endpoint and server protection consolidation play, Bit9 and Carbon Black announced a merger this morning. Simultaneously, the combined company raised another $38 million in investment capital to fund the integration, pay the bankers, and accelerate their combined product evolution. Given all the excitement over anything either advanced or cyber, this deal makes a lot of sense as Bit9 looks to fill in some holes in its product line, and Carbon Black gains a much broader distribution engine.

Friday Summary: February 14, 2014

Thu, 13 Feb 2014 00:00:00 +0000

Bacon as a yardstick: This year will see the 6th annual Securoris Disaster Recovery Breakfast, and I am measuring attendance in required bacon reserves. Jillian’s at the Metreon has been a more than gracious host each year for the event. But when we order food we (now) do it in increments of 50 people. At the moment we are ordering bacon for 250, and we might need to bump that up! We have come a long way since 2009, when we had about 35 close friends show up, but we are overjoyed that so many friends and associates will turn out. Regardless, we expect a quiet, low-key affair. It has always been our favorite event of the week because of that. Bring your tired, your hungry, your hungover, or just plain conference-weary self over and say ‘Howdy’. There will be bacon, good company, and various OTC pharmaceuticals to cure what ills you.

RSA Conference Guide 2014 Deep Dive: Network Security

Thu, 13 Feb 2014 00:00:00 +0000

As we begin deeper dives into our respective coverage areas, we will start with network security. We have been tracking the next generation (NG) evolution for 5 years, during which time it has fundamentally changed the meaning of the perimeter – as we will discuss below. Those who moved quickly to embrace NG have established leadership positions, at the expense of those that didn’t. Players who were leaders 5 short years ago have become non-existent, and there is a new generation of folks with innovative network security approaches to handle advanced attacks. After many years of stagnation, network security has come back with a vengeance.

RSA Conference Guide 2014 Watch List: DevOps

Thu, 13 Feb 2014 00:00:00 +0000

We have covered the key themes we expect to see at the RSA Conference, so now we will cover a theme or two you probably won’t see at the show (or not enough of, at least), but really should. The first is this DevOps things guys like Gene Kim are pushing. It may not be obvious yet, but DevOps promises to upend everything you know about building and launching applications, and make a fundamental mark on security. Or something I like to call “SecOps”.

Security Management 2.5: Replacing Your SIEM Yet? [New Paper]

Thu, 13 Feb 2014 00:00:00 +0000

Security Information and Event Management (SIEM) systems create a lot of controversy among security folks – they are a pain but it is an instrumental technology for security, compliance, and operations management. The problem is – given the rapid evolution of SIEM/Log Management over the past 4-5 years – that product obsolescence is a genuine issue. The problems caused by products that have failed to keep pace with technical evolution and customer requirements cannot be trivialized. This pain becomes more acute when a SIEM fails to collect the essential information during an incident – and even worse when it completely fails to detect a threat. Customers spend significant resources (both time and money) on caring for and feeding their SIEM. If they don’t feel the value is commensurate with their investment they will move on – searching for better, easier, and faster products. It is only realistic for these customers to start questioning whether their incumbent offerings make sense moving forward.

Advanced Endpoint and Server Protection: Prevention

Wed, 12 Feb 2014 00:00:00 +0000

As we return to our Advanced Endpoint and Server Protection series, we are back working our way through the reimagined threat management process. After discussing assessment you know what you have and what risk those devices present to the organization. Now you can design a control set to prevent compromise from happening in the first place.

Incite 2/12/2014: Kindling

Wed, 12 Feb 2014 00:00:00 +0000

Sitting at my feet is the brand spanking new Kindle I ordered for XX1. It arrived before the snow and ice storm hits the ATL, so we got pretty lucky. She’s a voracious reader and it has become inefficient (and an ecological crime) to continue buying her paper books. She has probably read the Harry Potter series 5 or 6 times, and is constantly giving me new lists of books to buy. She has books everywhere. She reads on the bus. She gets in trouble because sometimes she reads in class. It’s pretty entertaining that the Boss and I need to try to discipline her, when her biggest transgression is reading in class. I kind of want to tell the teacher that if they didn’t suck at keeping the kid’s attention, it wouldn’t be a problem. But I don’t.

RSA Conference Guide 2014 Key Theme: Cloud Everything

Wed, 12 Feb 2014 00:00:00 +0000

There is no stopping the train now that it’s rolling. Here is the final key theme that we expect to see at the show, and yes it’s all about the cloud. And yes, I managed to work a Jimmy Buffett lyric into the piece. Rich 1, Internet 0.

RSA Conference Guide 2014 Key Theme: Crypto and Data Protection

Wed, 12 Feb 2014 00:00:00 +0000

You didn’t think you would need to wait long for a Snowden reference, did you? Well, you know we Securosis guys like to keep you in suspense. But without further ado, it’s time. Snowden time!

Firestarter: Mass Media Abuse

Tue, 11 Feb 2014 00:00:00 +0000

In this week’s Firestarter we talk about the Book of Mormon (the play, not the other thing), biking while intoxicated, and the ongoing predilection of mass media to abuse the truth about security for ratings. Because, NBC and Sochi.

RSA Conference Guide 2014 Key Theme: Retailer Hacking

Tue, 11 Feb 2014 00:00:00 +0000

As we continue posting the key themes we expect to see at this year’s RSA Conference, it’s time hit the source of all things FUD: recent retailer breaches. Security marketing is driven by catalysts, to create urgency, to buy products and services. There have been plenty so far this year, and we will hear all about them at the show.

New Paper: Defending Data on iOS 7

Mon, 10 Feb 2014 00:00:00 +0000

I have been working on this one quietly for a while. It is a massive update to my previous paper on iOS security.

RSA Conference Guide 2014 Key Theme: APT0

Mon, 10 Feb 2014 00:00:00 +0000

It’s that time of year. The security industry is gearing up for the annual pilgrimage to San Francisco for the RSA Conference. For the fifth year your pals at Securosis are putting together a conference guide to give you some perspective on what to look for and how to make the most of your RSA experience. We will start with a few key themes for the week, and then go into deep dives on all our coverage areas. The full guide will be available for download next Wednesday, and we will post an extended Firestarter video next Friday discussing the Guide. Without further ado, here is our first key theme.

RSA Conference Guide 2014 Key Theme: Big Data Security

Mon, 10 Feb 2014 00:00:00 +0000

As we continue posting our key themes for the 2014 RSA Conference, let’s dig a bit into big bata, because you won’t be hearing anything about it at the show…

We Need to Thank Target for Being Hacked

Mon, 10 Feb 2014 00:00:00 +0000

Normally we like to blame the victim, but in this case we need to thank them. From the WSJ, the swap to Chip and PIN will happen by October 2015. Here is the key point:

Friday Summary: Ink Stained Wretch

Thu, 06 Feb 2014 00:00:00 +0000

I love writing.

Except when I hate it.

When people ask what I do for a living, I almost never say ‘writer’. I’m an analyst, who occasionally dabbles as a tech journalist, but pumps out more words in typical a year than many professional writers.

Quick Wins with TISM

Thu, 06 Feb 2014 00:00:00 +0000

After making the case for threat intelligence (TI), and combining it with some ideas about how security monitoring (SM) is evolving – based both on customer needs and technology evolution – there is clear value in integrating TI into your SM efforts. But all that stuff is still conceptual. How can you actually apply this integrated process to shorten the window between compromise and detection? How can you get a quick win for the integration of TI and SM to build some momentum for your efforts? Finally, how do you ensure you can turn that quick win into sustainable leverage, producing increased accuracy and better prioritization of alerts from the SM platform?

Incite 2/5/2014: Super Dud

Wed, 05 Feb 2014 00:00:00 +0000

I’m sure long-time Incite readers know I am a huge football fan. I have infected the rest of my family, and we have an annual Super Bowl party with 90+ people to celebrate the end of each football season. I have laughed (when Baltimore almost blew a 20 point lead last year), cried (when the NY Giants won in 2011), and always managed to have a good time. Even after I stopped eating chicken wings cold turkey (no pun intended), I still figure out a way to pollute my body with pizza, chips, and Guinness. Of course, lots of Guinness. It’s not like I need to drive home or anything.

Security’s Future: Implications for Cloud Providers

Wed, 05 Feb 2014 00:00:00 +0000

This is the fifth post in a series on the future of information security, which will be the basis for a white paper. You can leave feedback here as a blog comment, or evensubmit edits directly over at GitHub, where we are running the entire editing process in public. This is the initial draft, and I expect to trim the content by about 20%. The entire outline is available. See the first post, second post, third post and fourth post.

Security’s Future: Implications for Security Vendors

Tue, 04 Feb 2014 00:00:00 +0000

This is the fourth post in a series on the future of information security, which will be the basis for a white paper. You can leave feedback here as a blog comment, or evensubmit edits directly over at GitHub, where we are running the entire editing process in public. This is the initial draft, and I expect to trim the content by about 20%. The entire outline is available. See the first post, second post, and third post.

TISM: The Threat Intelligence + Security Monitoring Process

Tue, 04 Feb 2014 00:00:00 +0000

As we discussed in Revisiting Security Monitoring, there has been significant change on the security monitoring (SM) side, including the need to analyze far more data sources at a much higher scale than before. One of the emerging data sources is threat intelligence (TI), as detailed in Benefiting from the Misfortune of Others. Now we need to put these two concepts together, to detail the process of integrating threat intelligence into your security monitoring process. This integration can yield far better and more actionable alerts from your security monitoring platform, because the alerts are based on what is actually happening in the wild.

Firestarter: Inevitable Doom

Mon, 03 Feb 2014 00:00:00 +0000

Okay, let’s just ignore the first part of this Firestarter where we talk about the Denver Broncos, okay? We recorded it on the Friday before the game and, well, enough said.

Security’s Future: What it Means (Part 3)

Mon, 03 Feb 2014 00:00:00 +0000

This is the third post in a series on the future of information security, which will be the basis for a white paper. You can leave feedback here as a blog comment, or evensubmit edits directly over at GitHub, where we are running the entire editing process in public. This is the initial draft, and I expect to trim the content by about 20%. The entire outline is available. See the first post and the second post.

Security’s Future: Six Trends Changing the Face of Security

Fri, 31 Jan 2014 00:00:00 +0000

This is the second post in a series on the future of information security, which will be the basis for a white paper. You can leave feedback here as a blog comment, or evendirectly submit edits over at GitHub, where we are running the entire editing process in public. This is the initial draft, and I expect to trim the content by about 20%. The entire outline is available. The first post is available.

Friday Summary: January 31, 2014

Thu, 30 Jan 2014 00:00:00 +0000

During my total and complete laptop fail for this week’s Firestarter, I was trying to make the point that large software projects have a considerably higher probability of failure. It is no surprise that many government IT projects are ‘failures’ – they are normally managed as ginormous projects with many competing requirements. It worked or the Apollo missions so governments doggedly cling to that validated model. But in the commercial environment Agile is having a huge and positive impact on software development. Coincidentally, this week Jim Bird discussed the findings of the 2013 Chaos Report. In a nutshell the topline was “More projects are succeeding (39% in 2012, up from 29% in 2004), mostly because projects are getting smaller”. But Jim points out that you cannot conjure up an Agile development program like the Wonder Twins activate their superhero powers – Agile development processes are one aspect, but program management across multiple Agile efforts is another thing entirely. A lot of thought and work has gone into this over the last few years, and things like the Scaled Agile Framework can help. Still, most government projects I have seen employ no Agile techniques. There is a huge body of knowledge out on how to get these things done, and industry leads the public sector by a wide margin.

Security’s Future: a Disruptive Collision

Thu, 30 Jan 2014 00:00:00 +0000

This is the first post in a series on the future of information security, which will be the basis for a white paper. You can leave feedback here as a blog comment, or evendirectly submit edits over at GitHub, where we run the entire editing process in public. This is the initial draft, and I expect to trim the content by about 20%. The entire outline is available.

TISM: Revisiting Security Monitoring

Thu, 30 Jan 2014 00:00:00 +0000

In our first post on Leveraging Threat Intelligence in Security Monitoring (TISM), Benefiting from the Misfortune of Others, we discussed threat intelligence as a key information source for shortening the window between compromise and detection. Now we need a look in terms of security monitoring – basically how monitoring processes need to adapt to the ability to leverage threat intelligence.

Incite 1/29/2014: Southern Snowpocalypse

Wed, 29 Jan 2014 00:00:00 +0000

I grew up in the northeast. My memories of snow weren’t really good. I didn’t ski, so all that I knew about snow was that I had to shovel it and it’s hard to drive in. It is not inherently hard to drive in snow, but too many folks have no idea what they are doing, which makes it hard.

Firestarter: Government Influence

Mon, 27 Jan 2014 00:00:00 +0000

In this week’s Firestarter Rich, Mike, and Adrian (until his computer died) discuss the importance (or lack thereof) of the security industry and community in influencing government.

New Series (and Paper): The Future of Information Security

Mon, 27 Jan 2014 00:00:00 +0000

Update: Here are links to the series as we post it:

Leveraging Threat Intelligence in Security Monitoring: Benefiting from the Misfortune of Others

Sun, 26 Jan 2014 00:00:00 +0000

Threat intelligence (TI) is hot because it promises to close the gap a bit between attackers and defenders. So we have done considerable research on TI over the past year. We started by talking about the Early Warning System, a monitoring concept that leverages threat intelligence feeds to look for emerging attacks. Then we dove into the kinds of TI you can extract from network traffic, the ability to identify malicious IPs and senders by gathering TI through email, and finally a view of the external world through EcoSystem TI.

Summary: Mmm. Beer.

Thu, 23 Jan 2014 00:00:00 +0000

I realize this will shock many of you, but I hated beer in high school and the first couple years of college.

The SIXTH Annual Disaster Recovery Breakfast (with 100% less boycott)

Thu, 23 Jan 2014 00:00:00 +0000

Holy crap, time flies! Especially when you mark years by making the annual pilgrimage to San Francisco for the RSA Conference. Once again we are hosting our RSA Conference Disaster Recovery Breakfast. It has been six frickin’ years! That’s hard to believe but reinforces that we are not spring chickens anymore.

Incite 1/22/2014: The Catalyst

Wed, 22 Jan 2014 00:00:00 +0000

I was on the phone last week with Jen Minella, preparing for a podcast on our Neuro-Hacking talk at this year’s RSA Conference, when she asked what my story is. We had never really discussed how we each came to start mindfulness practices. So we shared our stories, and then I realized that given everything else I share on the Incite, I should tell it here as well.

Firestarter: Target and Antivirus

Mon, 20 Jan 2014 00:00:00 +0000

In this week’s Firestarter Rich, Mike, and Adrian discuss the latest in the Target relevations and whether over-reliance on antivirus is to blame once again. We aren’t out to blame the victim. We also pick our top prevention strategies for this sort of attack. Ain’t hindsight great?

Mindfulness Works

Mon, 20 Jan 2014 00:00:00 +0000

Back in November I learned I will be giving a talk on Neuro-Hacking at RSA with Jennifer Minella. We will be discussing how mindfulness practices can favorably impact the way you view things, basically allowing you to hack your brain. But I am pretty sure you can’t sell my synapses on an Eastern European carder forum.

Eliminate Surprises with Security Assurance and Testing [New Paper]

Sun, 19 Jan 2014 00:00:00 +0000

We have always been fans of making sure applications and infrastructure are ready for prime time before letting them loose on the world. It’s important not to just use basic scanner functions either – your adversaries are unlikely to limit their tactics to things you find in an open source scanner. Security Assurance and Testing enables organizations to limit the unpleasant surprises that happen when launching new stuff or upgrading infrastructure.

A Very Telling Antivirus Metric

Thu, 16 Jan 2014 00:00:00 +0000

From Brian Krebs’ awesome reporting on the Target breach (emphasis added):

The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said.

Apple’s Very Different BYOD Philosophy

Thu, 16 Jan 2014 00:00:00 +0000

I am currently polishing off the first draft of my Data Security for iOS 7 paper, and reached one fascinating conclusion during the research which I want to push out early. Apple’ approach is implementing is very different from the way we normally view BYOD. Apple’s focus is on providing a consistent, non-degraded user experience while still allowing enterprise control. Apple enforces this by taking an active role in mediating mobile device management between the user and the enterprise, treating both as equals. We haven’t really seen this before – even when companies like Blackberry handle aspects of security and MDM, they don’t simultaneously treat the device as something theuser owns. Enough blather – here you go…

Friday Summary: January 17, 2014

Thu, 16 Jan 2014 00:00:00 +0000

Today I am going to write about tokenization. Four separate people have sent me a questions about tokenization in the last week. As a security paranoiac I figured there was some kind of conspiracy or social engineering going on – this whole NSA/Snowden/RSA thingy has me spooked. But after I calmed down and realized that these are ‘random’ events, I recognized that the questions are good and relevant to a wider audience, so I will answer a couple of them here on the blog. In no particular order:

Incite 1/15/2014: Declutter

Wed, 15 Jan 2014 00:00:00 +0000

As I discussed last week, the beginning of the year is a time for ReNewal and taking a look at what you will do over the next 12 months. Part of that renewal process should be clearing out the old so the new has room to grow. It’s kind of like forest fires. The old dead stuff needs to burn down so the new can emerge. I am happy to say the Boss is on board with this concept of renewal – she has been on a rampage, reducing the clutter around the house.

Reducing Attack Surface with Application Control: Use Cases and Selection Criteria

Wed, 15 Jan 2014 00:00:00 +0000

In the first post in our Application Control series we discussed why it is hard to protect endpoints, and some of the emerging alternative technologies that promise to help us do better. Mostly because it is probably impossible do a worse job of protecting endpoints, right? We described Application Control (also known as Application Whitelisting), one of these alternatives, while being candid about the perception and reality of this technology after years of use.

Security Management 2.5: Migration

Wed, 15 Jan 2014 00:00:00 +0000

If you made it this far we know your old platform is akin to an old junker automobile: every day you drive to work in a noisy, uncomfortable, costly vehicle that may or may not get you where you need to be, and every time you turn around you’re spending more money to fix something. With cars figuring out what you want, shopping, getting financing, and then dealing with car sales people is no picnic either, but in the end you do it to make you life a bit easier and yourself more comfortable. It is important to remember this because, at this stage of SIEM replacement, it feels like we have gone through a lot of work just so we can do more work to roll out the new platform. Let’s step back for a moment and focus on what’s important; getting stuff done as simply and easily as possible.

Advanced Endpoint and Server Protection: Assessment

Tue, 14 Jan 2014 00:00:00 +0000

As we described in the introduction to the Advanced Endpoint and Server Protection series, given the inability of most traditional security controls to defend against advanced attacks, it is time to reimagine how we do threat management. This new process has 5 phases; we call the first phase Assessment. We described it as:

Security Management 2.5: Negotiation

Tue, 14 Jan 2014 00:00:00 +0000

You made your decision and kicked it up the food chain – now the fun begins. Well, fun for some people, anyway. For the first half of this discussion we will assume you have decided to move to a new platform and offer tactics for negotiating for a replacement platform. But some people decide not to move, using the possible switch for negotiating leverage. It is no bad thing to stay with your existing platform, so long as you have done the work to know it can meet your requirements. We are writing this paper for the people who keep telling us about their unhappiness, and how their evolving requirements have not been met. So after asking all the right questions, if the best answer is to stay put, that’s a less disruptive path anyway.

Cloud Forensics 101

Mon, 13 Jan 2014 00:00:00 +0000

Last week I wrote up my near epic fail on Amazon Web Services where I ‘let’ someone launch a bunch of Litecoin mining instances in my account.

Firestarter: Crisis Communications

Mon, 13 Jan 2014 00:00:00 +0000

Okay, we have content in this thing. We promise. But we can’t stop staring at our new title video sequence. I mean, just look at it!

Reducing Attack Surface with Application Control: The Double-Edged Sword [New Series]

Mon, 13 Jan 2014 00:00:00 +0000

The problems of protecting endpoints are pretty well understood. As we described in The 2014 Guide to Endpoint Security, you have stuff (private data and/or intellectual property) that others want. On the other hand, you have employees who need to do their jobs and require access to said private data and/or intellectual property. Those employees have sensitive data on their devices, so you need to protect their endpoints. It’s not like this is anything new. Protecting endpoints has been a focus of security professionals since, well, always – with decidedly unimpressive results.

Security Management 2.5: Selection Process

Mon, 13 Jan 2014 00:00:00 +0000

With vendor evaluations in hand, you are ready to make your decision, right? The answer is both yes and no. We know the importance of this decision – you are here because your first attempt at this project wasn’t as successful as it needed to be. After the vendor evaluation process you are in a position to distinguish innovative technologies from pigs with fresh lipstick. But now you need to see which of the vendors is actually the best fit for you! Successful decision-making on SIEM replacement goes beyond vendor evaluation – it entails evaluating yourself too. It is important to differentiate between the two because you cannot make a decision without taking a long hard look at yourself, your team, and your company. This is an area where many projects fail, so let’s break the decision down to ensure you can make a good recommendation and feel comfortable with it – from both internal and external perspectives.

New Paper: What CISOs Need to Know About Cloud Computing

Fri, 10 Jan 2014 00:00:00 +0000

Over the past few years I have spent a lot of time traveling the world, talking and teaching about cloud security. To back that up I have probably spent more time researching the technologies than any other topic since I moved from being a developer and consultant into the analyst role. Something seemed different at such a fundamental level that I was driven to put my hands on a keyboard and see what it looked and felt like. To be honest, even after spending a couple years at this, I still feel I am barely scratching the surface.

Summary: Enlightening Embarrassment

Fri, 10 Jan 2014 00:00:00 +0000

Rich here.

A funny thing happened this week.

As I wrote on Tuesday, someone hacked my Amazon Web Services account when I accidentally left my keys in code I pushed up to GitHub. The first line of my code was,

Security Management 2.5: The Decision Process

Thu, 09 Jan 2014 00:00:00 +0000

By this point you appreciate the difference large gap between what you need and what you have, so it’s time to dip your toes in the water to see what other platform vendors offer. But how? You need to figure out which vendors are worth investigating for their advantages, despite any disadvantages. Much of defining evaluation criteria and potential candidates involves wading objectively through vendor hyperbole to see what each offering actually does vs. drug-induced optimism in the vendor’s marketing department. As technology markets mature (and SIEM is pretty mature), the base capabilities of the platforms converge, making them all look alike. Complicating the issue, vendors adopt similar messaging regardless of actual features, making it increasingly difficult to differentiate between the platforms.

Incite 1/8/2014: ReNew Year

Wed, 08 Jan 2014 00:00:00 +0000

Since I’m on the East Coast of the US, when the ball drops in Times Square that’s it. The old year is done. The new year begins. With some of Dublin’s finest coursing through my veins, I get a little nostalgic. I don’t think about years in terms of “good” or “bad” anymore – instead I realize that 2013 is now merely a memory that will inevitably fade away.

Mikko Hypponen Still Speaking at the RSA Conference Updated

Tue, 07 Jan 2014 00:00:00 +0000

This speaks for itself:

An Open Letter to the Chiefs of EMC and RSA

and

Securing Smart Machines: Where We Are, Where We Want to Be, and Challenges

My $500 Cloud Security Screwup—UPDATED

Tue, 07 Jan 2014 00:00:00 +0000

Update: Amazon reached out to me and reversed the charges, without me asking or complaining (or in any way contacting them). I accept full responsibility and didn’t post this to get a refund, but I’m sure not going to complain – neither is Mike. This is a bit embarrassing to write. I take security pretty seriously. Okay, that seems silly to say, but we all know a lot of people who speak publicly on security don’t practice what they preach. I know I’m not perfect – far from it – but I really try to ensure that when I’m hacked, whoever gets me will have earned it. That said, I’m also human, and sometimes make sacrifices for convenience. But when I do so, I try to make darn sure they are deliberate, if misguided, decisions. And there is the list of things I know I need to fix but haven’t had time to get to. Last night, I managed to screw both those up. It’s important to fess up, and I learned (the hard way) some interesting conclusions about a new attack trend that probably needs its own post. And, as is often the case, I made three moderately small errors that combined to an epic FAIL. I was on the couch, finishing up an episode of Marvel’s Agents of S.H.I.E.L.D. (no, it isn’t very good, but I can’t help myself; if they kill off 90% of the cast and replace them with Buffy vets it could totally rock, though). Anyway… after the show I checked my email before heading to bed. This is what I saw:

Security Management 2.5: Evaluating the Incumbent

Tue, 07 Jan 2014 00:00:00 +0000

To explain the importance of picking a platform, rather than a product, our last post compared Log Management to SIEM, like the difference between using kitchen appliances and running a machine shop. One is easy to use, but limited in applicability; the other requires more work on your part, but can accomplish much more. Our goal was to contrast use cases and levels of expectations between the two product classes; despite lower overall platform satisfaction and the greater amount of work required, SIEM is what many customers need to get their work done. Pushing the boundaries of what is possible involves some pain.

Firestarter: The NSA and RSA

Mon, 06 Jan 2014 00:00:00 +0000

Hey everyone. It’s a new year and time for new stuff from your pals here at Securosis.

We used to run a Monday-morning ‘Firestarter’ post to get people thinking for the week. We decided to revive it with a twist. We are restarting the Firestarter as a weekly short video (15 minutes or so is our target). As we work out the details we also plan to push it out as a podcast, and once every month or so we will run a longer episode to dig deeper into a topic.

Security Management 2.5: Revisiting Requirements

Mon, 06 Jan 2014 00:00:00 +0000

Given the evolution of SIEM technology and the security challenges facing organizations, it is time to revisit requirements and use cases. This is an essential part of the evaluation process. You need a fresh and critical look at your security management environment to understand what you need today, how that will change tomorrow, and what kinds of resources and expertise you can harness – unconstrained by your current state. While some requirements may not have changed all that much (such as ease of management and compliance reporting), as we described earlier in this series, the way we use these systems has changed dramatically.

Thank You

Tue, 31 Dec 2013 00:00:00 +0000

As you may have noticed, I haven’t been blogging much the past month or so. 2013 has been an… interesting … year, filled with personal and professional highs and lows. Our third child was born, and we were back in the thick of things with 3 kids aged four and under. Don’t even get me stared on the near nonstop string of minor illnesses. There’s nothing like stomach flu twice in a month. Once on a travel day – thus the last month of minimal blogging.

Security Management 2.5: Platform Evolution

Mon, 30 Dec 2013 00:00:00 +0000

This post discusses evolutionary changes in SIEM, focusing on how underlying platform capabilities have evolved to meet the requirements discussed in the last post. To give you a sneak peek, it is all about doing more with more data. The change we have seen in these platforms over the past few years has been mostly under the covers. It’s not sexy, but this architectural evolution was necessary to make sure the platforms scaled and could perform the needed analysis moving forward. The problem is that most folks cannot appreciate the boatload of R&D which has been required to enable many platforms to receive a proverbial brain transplant. We will start with the major advancements.

Security Management 2.5: Changing Needs

Fri, 27 Dec 2013 00:00:00 +0000

Today’s post discusses the changing needs and requirements organizations have for security management customers, which is just a fancy way of saying “Here’s why customers are unhappy.” The following items are the main discussion points when we speak with end users, and the big picture reasons motivating SIEM users to consider alternatives.

Advanced Endpoint and Server Protection [New Series]

Thu, 26 Dec 2013 00:00:00 +0000

Endpoint protection has become the punching bag of security. Every successful attack seems to be blamed on a failure of endpoint protection. Not that this is totally unjustified – most solutions for endpoint protection have failed to keep pace with attackers. In our 2014 Endpoint Security Buyers Guide, we discussed many of the issues around endpoint hygiene and mobility. We also explored the human element underlying many of attacks, and how to prepare your employees for social engineering attacks in Security Awareness Training Evolution.

New Paper: Defending Against Denial of Service Attacks

Tue, 24 Dec 2013 00:00:00 +0000

Just in case you had nothing else to do during the holiday season, you can check out our latest research on Application Denial of Service Attacks. This paper continues our research into Denial of Service attacks after last year’s Defending Against Denial of Service Attacks research. As we stated back then, DoS encompasses a number of different tactics, all aimed at impacting the availability of your applications or infrastructure. In this paper we dig much deeper into application DoS attacks. For good reason – as the paper says:

Security Management 2.5: Replacing Your SIEM Yet? [New Series]

Mon, 23 Dec 2013 00:00:00 +0000

Security Information and Event Management (SIEM) systems create a lot of controversy with security folks; they are one of the cornerstones on which the security program are built upon within every enterprise. Yet, simultaneously SIEM generates the most complaints and general angst. Two years ago Mike and I completed a research project on “SIEM 2.0: Time to Replace your SIEM?” based upon a series of conversations with organizations who wanted more from their investment. Specifically they wanted more scalability, easier deployment, and the ability to ‘monitor up the stack’ in context of business applications and better integration with enterprise systems (like identity).

Security Assurance & Testing: Quick Wins

Sun, 22 Dec 2013 00:00:00 +0000

We started this Security Assurance and Testing (SA&T) series with the need for testing and which tactics make sense within an SA&T program. But it is always helpful to see how the concepts apply to more tangible situations. So we will now show how the SA&T program can provide a quick win for the security team, with two (admittedly contrived) scenarios that show how SA&T can be used – both at the front end of a project, and on an ongoing basis, to ensure the organization is well aware of its security posture.

Security Assurance & Testing: Tactics and Programs

Fri, 20 Dec 2013 00:00:00 +0000

As we discussed in the introduction to this Security Assurance & Testing (SA&T) series, it is increasingly hard to adequately test infrastructure and applications before they go into production. But adversaries have the benefit of being able to target the weakest part of your environment – whatever it may be. So the key to SA&T is to ensure you are covering the entire stack. Does that make the process a lot more detailed and complex? Absolutely, but you can’t be sure what will happen when facing real attackers without a comprehensive test.

Friday Summary: December 20, 2013 year end edition

Thu, 19 Dec 2013 00:00:00 +0000

I have not done a Friday Summary in a couple weeks, which is a blog post we have rarely missed over the last 6 years, so bad on me for being a flake. Sorry about that, but that does not mean I don’t have a few things I to talk about before years end.

Datacard Acquires Entrust

Tue, 17 Dec 2013 00:00:00 +0000

Datacard Group, a firm that produces smart card printers and associated products, has announced its acquisition of Entrust. For those of you who are not familiar with Entrust, they were front and center in the PKI movement in the 1990s. Back then the idea was to issue a public/private key pair to uniquely identify every person and device in the universe. Ultimately that failed to scale and became unmanageable, with many firms complaining “I just spent millions of dollars so I can send encrypted email to the guy sitting next to me.” So for you old-time security people out there saying to yourself “Hey, wait, isn’t PKI dead?”, the answer is “Yeah, kinda.” Still others are saying “I thought Entrust was already acquired?”, to which the answer is “Yes”, by investment firm/holding company Thoma Bravo in 2009.

Incite 12/18/2013: Flow

Tue, 17 Dec 2013 00:00:00 +0000

As I sit down to write the last Incite of the year I cannot help but be retrospective. How will I remember 2013? It has been a year of ups and downs. Pretty much like every year. I set out to prove some hypotheses I had at the beginning of the year, and I did. I let some opportunities pass by and I didn’t execute on others. Pretty much like every year. I had low lows and very high highs. Pretty much like every year.

Incite 12/11/2013: Commuter Hell

Wed, 11 Dec 2013 00:00:00 +0000

I’m pretty lucky – my most recent memories of a long commute were back in 1988, when I worked in NYC during my engineering co-op in college. It was miserable. Car to bus to train, and then walk a couple blocks through midtown to the office. It made me old when I was young. I only did it for 6 months, and I can’t imagine the toll it takes on folks who do it every day for decades.

Poor Man’s Immortality

Fri, 06 Dec 2013 00:00:00 +0000

One of our esteemed colleagues to the North, Dave Lewis, summed up a danger in almost everything in his recent CSO post, We need to be uncomfortable. Dave talks about realizing he could check out of a job and no one would notice, and how he knew it was time to find the next challenge. He’s right.

Incite 12/4/2013: Aging Gracefully

Wed, 04 Dec 2013 00:00:00 +0000

My friend Shimmy must have taken his nostalgia pills over the long weekend – on Monday he tweeted:

Doesn’t it suck getting older I didn’t realize how truly carefree life was All is good here thinking about some new stuff

Security Assurance and Testing: No Surprises

Wed, 04 Dec 2013 00:00:00 +0000

The methods by which applications and supporting infrastructure are developed and deployed are undergoing fundamental change. Avoiding the predictable hyperbole, new methods including DevOps and Cloud Computing promise to disrupt most of IT over the next 5-10 years. But embedded infrastructure and legacy applications are not going away. IT professionals need to walk a fine line between delivering critical services at the lowest price for acceptable performance, and doing it quickly and reliably.

Scrub-a-dub-dub: Akamai and Prolexic in the tub

Mon, 02 Dec 2013 00:00:00 +0000

They say it is better to be lucky than good. I seem to test that theory on a daily basis. Just yesterday I ranted about the need for multi-layer DoS defenses, mostly by poking at a Prolexic white paper advocating the opposite. I alluded to the reality that most customers wouldn’t run all their traffic through a scrubbing center, so they need on-premise defenses as well (so a multi-layer system).

Multi-layer DoS Defense FTW

Sun, 01 Dec 2013 00:00:00 +0000

I guess I shouldn’t be surprised by highly biased marketing campaigns providing bad advice to customers. Normally I let it go (yes, Zen Mike is usually in the house), but not today. I saw Prolexic’s Why a Multi-Layered Security Strategy is Not Ideal for DDoS Mitigation campaign and was a bit perplexed, especially by one statement:

The more things change…

Mon, 25 Nov 2013 00:00:00 +0000

Actually, things mostly don’t change. We talk a lot about the dynamic threatscape, advanced attacks, and all sorts of other things that make us feel special. But most of the same tactics that have been owning people and technology for decades are still in play. The mass market doesn’t learn, so they repeat history – over and over and over again.

New Paper Available: The Executive Guide to Pragmatic Network Security Management

Fri, 22 Nov 2013 00:00:00 +0000

This should be no surprise because I just pounded through all the posts and put the paper up on GitHub for open review.

Digging into the Underground

Thu, 21 Nov 2013 00:00:00 +0000

Dell SecureWorks CTU published a cool research report published today. Joe Stewart and David Shear dug into the marketplace of attackers and found that the market for attack products, tools, and services is thriving. Here are a couple of their more interesting findings:

Summary: Stay away from the Light

Thu, 21 Nov 2013 00:00:00 +0000

Ah, the holidays. That wonderful time of year when I struggle to attempt to explain to my children why the Christmas decorations are up before Thanksgiving. They are very adamant that Thanksgiving is first, and there really shouldn’t be Xmas decorations yet. Because I agree, and struggle to keep “Burn their houses down!” in my head rather than out loud when I drive past certain neighbors, I really can’t explain.

Compliance for the Sake of Compliance

Wed, 20 Nov 2013 00:00:00 +0000

Adrian put up an insightful (as opposed to inciteful) column on Dark Reading, pointing out that that Simple Security Is A Better Bet. Though I quibble a bit with the subhead: “Complex security programs are little better than no security”. Of course any subhead taken out of context creates opportunity for misinterpretation. I would reword to say, “Complex security programs done poorly are little better than no security”. But that’s just me.

Incite 11/20/2013—Live Right Now

Wed, 20 Nov 2013 00:00:00 +0000

As I mentioned a few weeks ago, XX1 had her Bat Mitzvah recently. It was great to be surrounded for a weekend by almost all the people we care about. And XX1 really stepped up and made us very proud. There are few things more gratifying than seeing your child excel – especially on a big stage in front of a lot of people. Part of the ceremony is a blessing from the parents. Some parents provide an actual blessing. Others tell entertaining stories about the child. I chose to give her some life perspective by distilling what I have learned over the past four decades down into a fairly simple concept. I understand she probably won’t get it for a while, but I’m okay with that. So here goes:

The CISO’s Guide to the Cloud: Real World Examples and Where to Go from Here

Wed, 20 Nov 2013 00:00:00 +0000

This is part five of a series. You can readpart one, part two, part three, or part four; or track the project on GitHub.

The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing, Part 2

Tue, 19 Nov 2013 00:00:00 +0000

This is part four of a series. You can readpart one, part two, or part three; or track the project on GitHub.

As a reminder, this is the second half of our section on examples for adapting security to cloud computing. As before this isn’t an exhaustive list – just ideas to get you started.

Black Hat Cloud Security Training (Beta) in Seattle Next Month

Mon, 18 Nov 2013 00:00:00 +0000

I am teaching another cloud security class for Black Hat. There are two classes, one on December 9-10, and the other December 11-12.

The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing

Mon, 18 Nov 2013 00:00:00 +0000

This is part three of a series. You can readpart one or part two, or track the project on GitHub.

This part is split into two posts – here is the first half:

You Cannot Outsource Accountability

Mon, 18 Nov 2013 00:00:00 +0000

Given our severe skills gap in security, managed services and other security outsourcing tactics continue to be very interesting to end users. Either that, or non-security senior management gets frustrated by the inability of the internal team to get anything done, so they look at having someone else take a crack. As the NSS folks ask in their blog post, To Outsource or Not to Outsource, That is the Question!, but I don’t think that’s the right question.

Defending Against Application Denial of Service: Building Protections in

Fri, 15 Nov 2013 00:00:00 +0000

As we have discussed through this series, many types of attacks can impact the availability of your applications. To reiterate a number of points we made in Defending Against Denial of Service Attacks, your defenses need to be coordinated at multiple levels: at the network layer, in front of your application, within the application stack, and finally within the application.

Friday Summary: November 15, 2013

Thu, 14 Nov 2013 00:00:00 +0000

There is lots I want to talk about this week, so I decided to resort to some three-dot blogging. A few years ago at the security bloggers meet-up, Jeremiah Grossman, Rich Mogull and Robert Hansen were talking about browser security. After I rudely butted into the conversation they asked me if “the market” would be interested in a secure browser, one that was not compromised to allow marketing and advertising concerns to trump security. I felt no one would pay for it but the security community and financial services types would certainly be interested in such a browser. So I was totally jazzed when WhiteHat finally announced Aviator a couple weeks back. And work being what is has been, I finally got a chance to download it today and use it for a few hours. So far I miss nothing from Firefox, Safari, or Chrome. It’s fast, navigation is straightforward, it easily imported all my Firefox settings, and preferences are simple – somewhat the opposite of Chrome, IMO. And I like being able to switch users as I switch between different ISPs/locations (i.e., tunnels to different cloud providers ). I am not giving up my dedicated Fluid browsers dedicated to specific sites, but Fluid has been breaking for unknown reasons on some sites. But the Aviator and Little Snitch combinations is pretty powerful for filtering and blocking outbound traffic. I recommend WhiteHat’s post on key differences between Aviator and Chrome. If you are looking for a browser that does not hemorrhage personal information to any and every website, download a copy of Aviator and try it out.

Defending Against Application Denial of Service: Abusing Application Logic

Wed, 13 Nov 2013 00:00:00 +0000

We looked at application denial of service in terms of attacking the application server and the application stack, so now let’s turn our attention to attacking application itself. Clearly every application contains weaknesses that can be exploited, especially when the goal is simply to knock the application offline rather than something more complicated, such as stealing credentials or gaining access to the data. That lower bar of taking the application offline means more places to attack.

Incite 11/13/2013: Bully

Wed, 13 Nov 2013 00:00:00 +0000

When you really see the underbelly of something, it is rarely pretty. The NFL is no different. Grown men are paid millions of dollars a year to display unbridled aggression, toughness, and competitiveness. That sounds like a pretty Darwinian environment, where the strong prey on the weak. And it is given what we have seen over the last few weeks, as behavior in the Miami Dolphins locker room comes to light.

The CISO’s Guide to the Cloud: How the Cloud Is Different for Security

Wed, 13 Nov 2013 00:00:00 +0000

This is part two of a series. You canread part one here or track the project on GitHub.

How the Cloud Is Different for Security

In the early days of cloud computing, even some very well-respected security professionals claimed it was little more than a different kind of outsourcing, or equivalent to the multitenancy of a mainframe. But the differences run far deeper, and we will show how they require different cloud security controls. We know how to manage the risks of outsourcing or multi-user environments; cloud computing security builds on this foundation and adds new twists.

Defending Against Application Denial of Service: Attacking the Stack

Tue, 12 Nov 2013 00:00:00 +0000

In our last post, we started digging into ways attackers target standard web servers, protocols, and common pages to impact application availability. These kinds of attacks are at the surface level and low-hanging fruit because they can be executed via widely available tools wielded by unsophisticated attackers. If you think of a web application as an onion, there always seems to be another layer you can peel back to expose additional attack surface.

How to Detect Cloudwashing by Your Vendors

Tue, 12 Nov 2013 00:00:00 +0000

“There is nothing more deceptive than an obvious fact” – Sherlock Holmes

It’s cloud. It’s cloud-ready. It’s cloud insert-name-here. As analysts we have been running into a lot of vendors labeling traditional products as ‘cloud’. Two years ago we expected the practice to die out once customers understood cloud services. We were wrong – vendors are still doing it rather than actually building the technology. Call it cloudwashing, cloudification, or just plain BS. As an enterprise buyer, how can you tell whether the system you are thinking of purchasing is a cloud application or not? It should be easy – just look at the products branded ‘cloud’, right? But dig deeper and you see it’s not so simple. Sherlock Holmes made a science of detection, and being an enterprise buyer today can feel like a being detective in a complex investigation. Vendors have anticipated your questions and have answers ready. What to do?

New Series: What CISOs Need to Know about Cloud Computing

Tue, 12 Nov 2013 00:00:00 +0000

This is the first post in a new series detailing the key differences between cloud computing and traditional security. I feel pretty strongly that, although many people are talking about the cloud, nobody has yet done a good job of explaining why and how security needs to adapt at a fundamental level. It is more than outsourcing, more than multitenancy, and definitely more than simple virtualization. This is my best stab at it, and I hope you like it.

Defending Against Application Denial of Service: Attacking the Application Server

Mon, 11 Nov 2013 00:00:00 +0000

It has been a while, but it is time to jump back into the Application Denial of Service series with both feet. As we described in the introduction, application denial of service can be harder to deal with than volume-based network DDoS because it is not always obvious what’s an attack and what’s legitimate traffic. Unless you are running all your traffic through a scrubbing center, your applications will remain targets for attacks that exploit the architecture, application stacks, business logic, and even legitimate functionality of the application.

How to Edit Our Research on GitHub

Mon, 11 Nov 2013 00:00:00 +0000

I am still experimenting with posting research, from drafts through the editing process, on GitHub. No promises that we will keep doing this – it depends on the reaction we get. From a workflow standpoint it isn’t much more effort for us, but I like the radical transparency it enables.

Security Awareness Training Evolution [New Paper]

Mon, 11 Nov 2013 00:00:00 +0000

Everyone has an opinion about security awareness training, and most of them are negative. Waste of time! Ineffective! Boring! We have heard them all. And the criticism isn’t wrong – much of the content driving security awareness training is lame. Which is probably the kindest thing we can say about it. But it doesn’t need to be that way. Actually, it cannot remain this way – there is too much at stake. Users remain the lowest-hanging fruit for attackers, and as long as that is the case attackers will continue to target them. Educating users about security is not a panacea, but it can and does help.

Trustwave Acquires Application Security Inc.

Mon, 11 Nov 2013 00:00:00 +0000

It has been a while since we had an acquisition in the database security space, but today Trustwave announced it acquired Application Security Inc. – commonly called “AppSec” by many who know the company.

Blowing Your Mind(fulness) at RSA 2014

Fri, 08 Nov 2013 00:00:00 +0000

It was kind of a joke between two friends on a journey to become better people. Jen Minella (JJ) and I compared notes over way too many drinks at last year’s RSA, and we decided our experiences would make a good talk. I doubt either of us really thought it would be interesting to anyone but us. We were wrong.

Summary: Hands on

Thu, 07 Nov 2013 00:00:00 +0000

Before I dive into this week’s sermon, just a quick note that our posting will be a bit off through the end of the year. As happens from time to time, our collective workloads and travel are hitting insanity levels, which impedes our ability to push out more consistent updates. But, you know, gotta feed the kids and dogs.

Microsoft Upends the Bug Bounty Game

Sun, 03 Nov 2013 00:00:00 +0000

Microsoft is expanding its $100k bounty program to include incident responders who find and document Windows platform mitigation flaws.

Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.

Friday Summary: Halloween 2013 Edition

Fri, 01 Nov 2013 00:00:00 +0000

While you’re thinking about little kids in scary costumes, I’m here thinking about adults who write scary code. As I go through the results of a couple different companies’ code scans I am trying to contrast good vs. bad secure development programs. But I figure I should ask the community at large: What facet of your secure software development program has been most effective? Can you pinpoint one?

Don’t Mess with Pen Test(ers)

Wed, 30 Oct 2013 00:00:00 +0000

Almost everyone you know is blissfully unaware of the digital footprints we all leave, and how that information can be used against us. The problem is that you understand, and if you spent much time thinking about it you’d probably lose your mind. So as a coping mechanism you choose not to think of how you could be attacked or how your finances could be wrecked, if targeted by the wrong person.

Incite 10/30/2013: Managing the Details

Wed, 30 Oct 2013 00:00:00 +0000

As I wrote a few weeks ago, everyone has their strengths. I know that managing the details is not one of mine. In fact I can’t stand it, which is very clear as we prepare for our oldest daughter’s Bat Mitzvah this weekend. It’s a right of passage signaling the beginning of adulthood. I actually view it as the beginning of the transformation to adulthood, which is a good way to look at it because many folks never complete that transition – at least judging from the way they behave.

The Pragmatic Guide to Network Security Management: SecOps

Wed, 30 Oct 2013 00:00:00 +0000

This is part 3 in a series.Click here for part 1, or submit edits directly via GitHub.

Workflows: from Sec and Ops to SecOps

Even mature organizations occasionally struggle to keep security aligned with infrastructure. But low-friction processes that don’t overly burden other areas of the enterprise reduce both errors and deliberate circumvention.

The Pragmatic Guide to Network Security Management: The Process

Tue, 29 Oct 2013 00:00:00 +0000

This is part 2 in a series.Click here for part 1, or submit edits directly via GitHub.

The Pragmatic Process

As mentioned in the previous section, this process is designed primarily for more complex networks, and takes into account real-life organizational and technological complexities.

New Series: The Executive Guide to Pragmatic Network Security Management

Mon, 28 Oct 2013 00:00:00 +0000

This is the first post in a new paper I’m writing.The entire paper is also posted on GitHub for direct feedback and suggestions. As an experiment, I prefer feedback on GitHub, but will also take it here, as usual.

Thinking Small and Not Leading

Mon, 28 Oct 2013 00:00:00 +0000

Dave Elfering had a good post, making clear the difference between managing and leading.

I thought my job as a security leader was to produce detailed policies that might as well have been detailed pseudo code executed by robots.

Summary: Planned Coincidence

Fri, 25 Oct 2013 00:00:00 +0000

Every year Mike, Adrian, and I get together for a couple days to review our goals and financials, and to make plans for the next year. This year we scheduled it in Denver, and by an amazing coincidence Jimmy Buffett was in town playing.

Don’t Cry over Spilt Metrics

Thu, 24 Oct 2013 00:00:00 +0000

Our man Gunnar starts a recent post with:

Security Metrics crying need is for metrics that serve others, outside of info sec.

Incite 10/23/2013: What goes up…

Wed, 23 Oct 2013 00:00:00 +0000

Every so often I realize how spoiled I am. Sure, I am more aware of my good fortune than many, but I definitely take way too much stuff for granted. My health is good. I do what I like (most days). My family still seems to like me. I provide enough to live a pretty good lifestyle. It’s all good. I don’t have much to complain about.

Security Awareness Training Evolution: Quick Wins

Mon, 21 Oct 2013 00:00:00 +0000

In the first two posts of this series we suggested that any security awareness training program needs to be focused on the proper outcomes and driven by great content. Let’s not forget the unassailable truth that the success of any security initiative is based on building momentum and making demonstrable progress early in the deployment cycle. This is not only the case for projects that involve implementing shiny boxes to block things. With a program as visible as security awareness training, with success criteria not necessarily directly attributed to training efforts, the need for a Quick Win is more acute. Especially given the likely pushback from employees duped by attack simulations. But let’s not put the cart before the horse.

The Great Securosis GitHub Experiment

Mon, 21 Oct 2013 00:00:00 +0000

Hey everyone,

As you know, we try to make our research process as open and transparent as possible. We know any research that ends up with a vendor logo on it somewhere is viewed with justified skepticism, so our goal is to combat that perception of bias with radical transparency.

Friday Summary: October 18, 2013

Fri, 18 Oct 2013 00:00:00 +0000

I have been taking a lot of end-user calls on compliance lately. PCI, GLBA, Sarbanes-Oxley, state privacy laws, and the like. Today I was struck by how consistently these calls are more challenging than security discussions. With security users want to address a fairly well-defined problem. For example “How do we stop our IP from leaving the organization?” or “How can we protect users from phishing?” or “How do we verify administrator activity?” These discussions are far easier because of their much narrower scope, both in terms of technical approach and user perception of how they want to deal with the problem.

Security Awareness Training Evolution: Focus on Great Content

Thu, 17 Oct 2013 00:00:00 +0000

As we come back to the Security Awareness Training Evolution series after our two-week hiatus, let’s revisit some of the key issues described in the introduction. We made the case that for liability, compliance, and even security reasons you can’t really decide not to train your users about security. Of course you could, but it would be counterproductive – you need to be realistic, and accept that you cannot reach every employee and employees do stupid things. But you can reach some, if not most, and reaching those folks will minimize the number of issues you have to clean up.

Incite 10/16/2013: Building Strengths

Wed, 16 Oct 2013 00:00:00 +0000

Back when I managed people (and yes, it seems like a lifetime ago), I subscribed to the Gallup management concepts. Productivity is based on employee engagement, and employees are much more engaged when they are doing things they are good at. The book First, Break All the Rules was eye-opening – I have spent my entire career to date trying to make my weaknesses less weak, and not trying to improve my strengths.

Reality Check for Millennials Looking at Security

Wed, 16 Oct 2013 00:00:00 +0000

Evidently security as an industry does a crappy job at generating interest within kids today. How are we going to fill the massive skills gap we face, if we can’t get students interested in security from an early age. Right? RIGHT?

The Week in Webcasts

Mon, 14 Oct 2013 00:00:00 +0000

On Tuesday – that’s tomorrow for you working this Columbus day – Gunnar Peterson and I will be taking about API gateways with Intel’s Travis Broughton. We will run this webcast as an open discussion, and focus on the practical questions and issues of using API gateways. Our goal is to focus on end-user questions we have been getting, so bring your questions too – we plan to be very interactive. You can sign up here: API Gateways: Where Security Enables Innovation.

Why a vBulletin Exploit Matters to Enterprise Security

Mon, 14 Oct 2013 00:00:00 +0000

Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn.

Summary: Age is wasted on the… middle aged

Fri, 11 Oct 2013 00:00:00 +0000

You may have noticed our posting was down a bit this week.

Okay, pretty much non-existent. But take a look at the links in this Summary for what we have been reading and thinking about.

Firewall Management Essentials [New Paper]

Thu, 10 Oct 2013 00:00:00 +0000

We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. Then you get some religion about more effectively managing these devices.

Incite 10/9/2013: Youth is wasted on the young

Wed, 09 Oct 2013 00:00:00 +0000

A couple years ago, when I decided to lose weight and change my eating habits, I did it with a view to living until I was at least 90. That was the number I envisioned, and given my family history, it should be achievable. So as I celebrated my 45th birthday this week, it was strange to realize that I’m close to halfway done. WTF? How did that happen?

Friday Summary: October 4, 2013

Fri, 04 Oct 2013 00:00:00 +0000

I was never a big fan of the Rolling Stones. Heard them on the radio all the time growing up but never bought any of their stuff. It was good but not good enough to spend my hard-earned money. Recently a friend, a hardcore Stones addict, convinced me I needed some in my music collection. A couple clicks on Amazon, and three days later I had a big box of music waiting for me when I got back from the Splunk conference. In need of a little rest after a hectic few weeks, I cracked open the package and gave it a listen. And WTF? This is not what I heard on the radio. This song is hardcore blues. The next song is honky-tonk. Then rock and roll, followed by some delta blues. Singer, guitarist, and drummer all changing styles with each song like each one was a style they had played all their lives. This is amazing. Different, but (ahem) I liked it! The band as I heard it on the radio growing up is not the band on CDs and records. There is depth here. Versatility. Ingenuity. What I thought is not what they are. Their popularity suddenly makes sense. The songs played on radio and streaming services do a disservice to the band, and fail to capture special aspects of what they are (and were) about.

New Whitepaper: A Practical Example of Software Defined Security

Thu, 03 Oct 2013 00:00:00 +0000

A few months back I did a series of posts demonstrating a proof of concept for implementing some basic software defined security (using AWS, Chef, and Ruby). This ended up being the basis for my KickaaS Security with APIs and Cloud talk at Black Hat.

Details for the Matasano Crypto Class

Wed, 02 Oct 2013 00:00:00 +0000

I’m really looking forward to this, although my skills will keep me in the back of the room:

October 2013 Chicago Crypto-For-Developers Class

Exploit Disclosure

Wed, 02 Oct 2013 00:00:00 +0000

Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field.

Feds take down Silk Road

Wed, 02 Oct 2013 00:00:00 +0000

Brian Krebs breaks another story:

Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering.

Incite 10/2/2013: Shutdown

Wed, 02 Oct 2013 00:00:00 +0000

17 years. That’s a long time. The last time the US Government shut down was December 1995 through January 1996. I was working for META Group at the time, probably on an airplane heading to a meeting with some client. I wasn’t married yet. I could sleep in on a Saturday. Those were the days. Life was fundamentally different. Looking back I don’t remember the specifics of what happened during the last shutdown, as that group of politicians battled each other over funding this, that, or the other thing. In fact, until this latest shutdown because a possibility, I didn’t even remember it happened in the first place. 17 years later, in my mind that shutdown was an inconsequential footnote in history that I needed to look up on Wikipedia to even remember it happened.

Security Awareness Training Evolution: Why Bother Training Users?

Wed, 02 Oct 2013 00:00:00 +0000

It seems everyone has an opinion about security awareness training, and most of them are negative. Security luminaries have largely panned awareness training as ineffective and a waste of time and money. They use weird analogies, claiming things like we cannot train folks not to eat fast food, so training never works. Are they wrong? We have all sat through endless PowerPoint slides telling us what we can do and cannot do on the Internet. They threaten you with termination unless you follow the rules specified in the 15-page Acceptable Use Policy, without any context for why they matter. It is not much different than your parents telling you that you cannot do something “because we said so.”

IE Zero Day Getting Serious

Tue, 01 Oct 2013 00:00:00 +0000

A vulnerability in Internet Explorer has been known and unpatched for two weeks.

According to ThreatPost, an exploit module is now in Metasploit, and real attacks are growing.

The Gartner Tax and Magic Quadrants

Tue, 01 Oct 2013 00:00:00 +0000

I haven’t worked at Gartner for over six years now, so I’m not surprised that many people still think vendors can pay to move up the rankings in a Magic Quadrant. I mean, just look at them. Big vendors almost always show up in the top left or right, so they have to be paying for play.

The Goof Excuse

Tue, 01 Oct 2013 00:00:00 +0000

Another day, another breach – that’s not novel. A bunch of personal information (including driver’s license numbers) was stolen from Virginia Tech. But having the organization own up to the fact that the breach resulted from a human error is uncommon.

Not the Rut You Think

Mon, 30 Sep 2013 00:00:00 +0000

Over at Network World Anton Gondalves wrote Security industry in ‘rut,’ struggling to keep up with cybercriminals:

Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say.

Summary Haiku

Fri, 27 Sep 2013 00:00:00 +0000

Hurt back yesterday
Too much pain to write much now
Haiku easier

And don’t forget to sign up for our Black Hat cloud security training in December!

Continuous Security Monitoring [New Paper]

Thu, 26 Sep 2013 00:00:00 +0000

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there.

Cybercrime at the Speed of Light

Wed, 25 Sep 2013 00:00:00 +0000

A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading.

Today I read in The Verge:

Data brokers and background checks are a massive security vulnerability

Wed, 25 Sep 2013 00:00:00 +0000

Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell.

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

Incite 9/25/2013: Road Trip

Wed, 25 Sep 2013 00:00:00 +0000

Every so often my mind wanders and I flash back to scenes from classic movies. When I remember Animal House, I can’t help but spend perhaps 15 minutes thinking about all the great scenes in that movie. I don’t even know where to begin, but one scene that still cracks me up after all these years is:

Walled Garden Fail

Wed, 25 Sep 2013 00:00:00 +0000

Mailbox is a very popular replacement mail app for iOS that apparently auto-executes JavaScript in incoming emails, according to a post by Italian security researcher Michele Spanuolo (@MikiSpag)

Firewall Management Essentials: Quick Wins

Tue, 24 Sep 2013 00:00:00 +0000

As we put a little bow on our Firewall Management Essentials series, it’s time to focus on getting quick value from your investment. We are big fans of a Quick Wins approach, because far too many technologies sputter as deployment lags and value commensurate with the investment is never seen. The quick wins approach focuses on building momentum early in the deployment by balancing what can be done right now against longer-term goals for a technology investment. If a project team doesn’t prove value early and often, that typically dooms the implementation to failure. For firewall management, the lowest hanging fruit is optimization of existing rule sets before implementing a strong change management process. But let’s not put the cart before the horse – first you need to deploy the tool and integrate it with other enterprise systems.

API Gateways [New Research]

Mon, 23 Sep 2013 00:00:00 +0000

If you are thinking about skipping this post because you are not a developer, or think APIs are irrelevant to you, stop! You are missing the point of an important trend in both security and development. Today we launch our research paper on API gateways. It includes a ton of information about what these gateways are, how they work, and how best to take advantage of them. Additionally, we describe this industry trend and how it bakes security into the services. Even non-developers will be seeing these and working with one in the near future.

Investigating Touch ID and the Secure Enclave

Mon, 23 Sep 2013 00:00:00 +0000

As much as it pained me, Friday morning I slipped out of my house at 3:30am, drove to the nearest Apple Store, set up my folding chair, and waited patiently to acquire an iPhone 5s. I was about number 150 in line, and it was a good thing I didn’t want a gold or silver model. This wasn’t my first time in a release line, but it is most definitely the first time I have stood in line since having children and truly appreciated the value of sleep.

Keep Calm and Bust out the Tinfoil Hat

Mon, 23 Sep 2013 00:00:00 +0000

Dennis Fisher writes what many of us have been feeling for a while in The Sky is Not Falling–It’s Fallen. He argues that the fundamental underpinnings of security are being whittled away – slowly but surely. And the fact that it’s a cynical view doesn’t make it wrong.

A Quick Response on the Great Touch ID Spoof

Sun, 22 Sep 2013 00:00:00 +0000

Hackers at the Chaos Computer Club were the first to spoof Apple’s Touch ID sensor. They used existing techniques, but at higher resolution. A quick response:

Friday Summary: September 20, 2013

Fri, 20 Sep 2013 00:00:00 +0000

I have been so totally overwhelmed with projects that I have had very little time to read, research, or blog. So I was excited this morning to take a few minutes to download the new SDL research paper from Microsoft’s blog. It examines vendors using Microsoft’s SDL in both Microsoft and non-Microsoft environments. And what did I learn? Nothing. Apparently their research team has the same problem as the rest of us: no good metrics, and the best user stories get sanitized into oblivion. I am seriously disappointed – this type of research is sorely needed.

Defending Against Application Denial of Service Attacks [New Series]

Wed, 18 Sep 2013 00:00:00 +0000

As we discussed last year in Defending Against Denial of Service Attacks, attackers increasingly leverage availability-impacting attacks both to cause downtime (which costs site owners money) and to mask other kinds of attacks. These availability-impacting attacks are better known as Denial of Service (DoS) attacks. Our research identified a number of adversaries who increasingly use DoS attacks, including:

Firewall Management Essentials: Managing Access Risk

Wed, 18 Sep 2013 00:00:00 +0000

We have discussed two of the three legs of comprehensive firewall management: a change management process and optimizing the rules. Now let’s work through managing risk using the firewall.

Incite 9/18/2013: Got No Game

Wed, 18 Sep 2013 00:00:00 +0000

On Monday night I did a guest lecture for some students in Kennesaw State’s information security program. It is always a lot of fun to get in front of the “next generation” of practitioners (see what I did there?). I focused on innovation in endpoint protection and network security, discussing the research I have been doing into threat intelligence. The kids (a few looked as old as me) seemed to enjoy hearing about the latest and greatest in the security space.

Black Hat West Cloud Security Training

Tue, 17 Sep 2013 00:00:00 +0000

I am psyched to announce that our Black Hat Vegas class went well, and we have been invited to teach in Seattle December 9-10 and 11-12. As before, we will be bringing some advanced material, but you shouldn’t be scared off – advanced skillz are not required to make it through the class.

Firewall Management Essentials: Optimizing Rules

Tue, 17 Sep 2013 00:00:00 +0000

Now that you have a solid, repeatable, and automated firewall change management process, it’s time to delve into the next major aspect of managing your firewalls: optimizing rules. Back in our introduction we talked about how firewall rule sets tend to resemble a closet over time. You have a ton of crap in there, most of which you don’t use, and whatever you do use is typically hard to get to. So you need to occasionally clean up and reorganize – getting rid of stuff you don’t need, making sure the stuff that’s still in there should be, and arranging things so you can easily access the stuff you use the most. But let’s drop the closet analogy to talk firewall specifics. You need to optimize rules for a variety of reasons:

Threat Intelligence for Ecosystem Risk Management [New Paper]

Mon, 16 Sep 2013 00:00:00 +0000

Most folks think the move towards the extended enterprise is very cool. You know, get other organizations to do the stuff your organization isn’t great at. It’s a win/win, right? From a business standpoint, there are clear advantages to building a robust ecosystem that leverages the capabilities of all organizations. But from a security standpoint, the extended enterprise adds a tremendous amount of attack surface.

Firewall Management Essentials: Change Management

Fri, 13 Sep 2013 00:00:00 +0000

As we dive back into Firewall Management Essentials, let’s revisit some of the high points from our Introduction:

The firewalls run on a set of rules that basically define what ports, protocols, networks, users, and increasingly applications, can do on your network. And just like a closet in your house, if you don’t spend time sorting through old stuff it can become a disorganized mess, with a bunch of things you haven’t used in years and don’t need any more.

Friday Summary: No Sleep, Mishmash Edition

Fri, 13 Sep 2013 00:00:00 +0000

I had a really great Friday Summary planned. I was going to go all in-depth and metaphysical on something really important, with a full-on “and knowing is half the battle” conclusion at the end, tying it back to security and making you reevaluate your life.

Incite 9/11/2013: Brave New World

Wed, 11 Sep 2013 00:00:00 +0000

On a trip to the Bay Area recently, I drove past the first electronic billboard I ever saw. It’s right on the 101 around Palo Alto, and has been there at least 7 or 8 years.

Oracle Quietly Adds (Possibly Major) Java Security Update

Wed, 11 Sep 2013 00:00:00 +0000

We received an email tip today that Oracle added a new security feature to Java that might be pretty important (awaiting confirmation that I can publicly credit the person who sent it in):

Unprecedented and Shortsighted

Mon, 09 Sep 2013 00:00:00 +0000

I am still putting my personal thoughts together on the recent NSA revelations. The short version is that when you look at it in the context of developments in vulnerability disclosure and markets, we are deep into a period of time where our benign government has actively undermined the security of citizens, businesses, and even other arms of government, at scale, in order to develop and maintain offensive capabilities. (Yes, I’m a patriotic type who considers our government benign).

What to do when your Twitter account is hacked

Mon, 09 Sep 2013 00:00:00 +0000

PCWorld/TechHive has a very clear article on how to deal with a Twitter hack.

Print it out and keep it handy, especially if you manage a corporate account. If you are very big get a phone number for Twitter security, make contact, and add it to your IR plans.

Friday Summary: September 6, 2013

Fri, 06 Sep 2013 00:00:00 +0000

When my wife an I were a young couple looking for a place in the hills of Berkeley, we came across an ad for an apartment with “Views of the Golden Gate Bridge”. The price was a bit over our budget and the neighborhood was less than thrilling, but we decided to check it out. We had both previously lived in places with bay views and we felt that the extra expense would be worth it. But after we got to the property the apartment was beyond shabby, and no place we wanted to live. What’s more, we could not find a view! We stayed for a while searching for the advertised view, and when neither of us could find it we asked the agent. She said the view was from the side of the house. As it turns out, if you either stood on the fence in the alley, or on the toilet seat of the second bathroom, and looked out the small window, you could see a sliver of the Golden Gate. The agent had not lied to us – technically there was a bridge view. But in a practical sense it did not matter. I would hardly invite company over for a glass of wine and have them stand on tiptoes atop the toilet lid for an obstructed view of the bridge.

[New Paper] Identity and Access Management for Cloud Services

Thu, 05 Sep 2013 00:00:00 +0000

We are happy to announce the release of our Identity and Access Management for Cloud Services research paper.

Identity, access management, and authorization are each reasonably complicated subjects, but they all reside at the center of most on-premise security projects. Cloud computing and cloud security are both very complex subjects. Mix them all together, in essence federating your on-premise identity systems into the cloud, and you have complexity soup! Gunnar and I agreed that in light of the importance of identity management to cloud computing, and the complexity of the subject matter, users need a guide to help understand what the heck is going on. Far too often people talk about the technologies (e.g.: SAML, OAuth, and OpenID) as the solution, while totally missing the bigger picture: the transformation of identity as we knew it into Cloud IAM. We are witnessing a major shift in how we both provide and consume identity, which is not obvious to a tools-centric view.

[New Paper] Dealing with Database Denial of Service

Wed, 04 Sep 2013 00:00:00 +0000

We are pleased to put the finishing touches on our Database Denial of Service (DB-DoS) research and distribute it to the security community. Unless you have had your head in the sand for the past year, you know DoS attacks are back with a vengeance. Less visible but no less damaging is the fact that attackers are “moving up the stack” to the application and database layers. Rather than “flooding the pipes” with millions of bogus packets, we now see cases where a single request topples a database – halting the web services it supported. Database DoS requires less effort for the attacker, and provides a stealthier approach to achieving their goals. Companies that have been victimized by DB-DoS are not eager to share details, but here at Securosis we think it’s time you know what we are hearing about so you can arm yourself with knowledge of how to defend against this sort of attack. Here is an except from the paper:

Incite 9/4/2013: Annual Reset

Wed, 04 Sep 2013 00:00:00 +0000

This week marks the end of one year and the beginning of the next. For a long time I took this opportunity around the holidays to revisit my goals and ensure I was still on track. I diligently wrote down my life goals and break those into 10, 5, and 1 year increments. Just to make sure I was making progress toward where I wanted to be. Then a funny thing happened. I realized that constantly trying to get somewhere else made me very unhappy. So I stopped doing that.

Friday Summary: Decisions, Decisions

Fri, 30 Aug 2013 00:00:00 +0000

I am in a bit of a pickle, and could use some advice.

Over the time I have been an analyst, I have learned that it is important to have the right distribution of research. My rule of thumb is 80-90% of it should be practical research to help people get their jobs done on a daily basis. Then you can spend 10-20% on future research that I promise not to call thought leadership.

Firewall Management Essentials: Introduction [New Series]

Thu, 29 Aug 2013 00:00:00 +0000

It starts right there in PCI-DSS Requirement 1. Install and maintain a firewall configuration to protect cardholder data. Since it’s the first requirement, firewalls must be important, right? Not that PCI is the be all, end all of security goodness, but it does represent the low bar of controls you should have in place to defend against attackers. As the line of first defense on a network, it’s the firewall’s job to enforce a set of access policies that dictate what traffic should be allowed to pass. It’s basically the traffic cop on your network, as well as acting as a segmentation point between separate networks.

Tracking the Syrian Electronic Army

Thu, 29 Aug 2013 00:00:00 +0000

Brian Krebs is digging into the SEA and trying to out individuals:

A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects.

Deming and the Strategic Nature of Security

Wed, 28 Aug 2013 00:00:00 +0000

FierceCIO’s Derek Slater offers an interesting perspective on why W. Edwards Deming hates your approach to IT security. I was educated as an industrial engineer, so we had to study Deming left, right, and center in school. Of course when I graduated and went into programming, nobody realized that Deming’s concepts also apply to software development. But that’s another story for another Six Sigma.

Incite 8/27/2013: You Can’t Teach Them Everything

Wed, 28 Aug 2013 00:00:00 +0000

It’s nice that my kids are still at a stage where they don’t want to disappoint me or the Boss. They need our approval and can be crushed if we show even the slightest measure of dissatisfaction in what they do. My ego-centric self likes that, but the rest of me wants them to learn to stop worrying about what everyone thinks and do what they think is right. Of course, that involves having enough life experience to understand the difference between right and wrong.

Security is Reactive. Learn to Love It.

Wed, 28 Aug 2013 00:00:00 +0000

Few things make me happier than getting to publicly disagree with one of my coworkers.

Earlier today Mike suggested that security is too reactive and tactical to succeed. Then we hear the usual platitudes about treating security as a risk management function, better metrics, blah blah blah. Not that there is anything wrong with all that, but it needs to be discussed in context of the fundamental nature of security.

The future of security is embedded

Wed, 28 Aug 2013 00:00:00 +0000

I do not think Mike’s and Rich’s points are at odds at all.

Mike’s post lays out what in my view is infosec’s Achilles heel: lack of strategic alignment with the business. There are very few things that basically everyone in infosec agrees on; but a near universal one is that you can, should, and will never show a Return on Security Investment. “The business” is just supposed to accept this, apparently, and keep increasing the budget year after year; the People’s Republic of Information Security shall remain unsullied by such things as profit and loss, and breeze merrily along.

Third Time is the Charm

Wed, 28 Aug 2013 00:00:00 +0000

Nothing makes my day like getting to argue with my colleagues here at Securosis. Sadly today isn’t that day. The only thing that I love almost as much is when Mike and Rich think they are arguing with each other, but I get to point out that they are actually saying the same things, but from different angles, and therefore with different words.

Ecosystem Threat Intelligence: Use Cases and Selection Criteria

Tue, 27 Aug 2013 00:00:00 +0000

We touched on the Risks of the Extended Enterprise and the specifics of Assessing Partner Risk, so now let’s apply these concepts to a few use cases to help make the concepts a little more tangible. We will follow a similar format for each use case, talking about the business needs for access, then the threat presented by that access, and finally how Ecosystem Threat Intelligence (EcoTI) helps you make better decisions about specific partners.

PCI 3.0 is coming. Hide the kids.

Tue, 27 Aug 2013 00:00:00 +0000

The Payment Card Industry Security Standards Council recently released a preview of potential changes in PCI 3.0 that will go into effect in 2014.

Random Thought: Meet Your New Database

Tue, 27 Aug 2013 00:00:00 +0000

Something has been bugging me. It’s big data. Not the industry but the term itself. Every time I am asked about big data I need to use the term in order to be understood, but the term itself steers the uninitiated in the wrong direction. It leaves a bad taste in my mouth. It’s wrong.

Reactionary Idiot Test

Tue, 27 Aug 2013 00:00:00 +0000

We generally avoid talking about the NSA, Snowden, and such, but this piece is actually illuminating, without any sort of political commentary.

China Suffers Large DNS DDoS Attack

Mon, 26 Aug 2013 00:00:00 +0000

From the Wall Street Journal (via The Verge):

The attack began at 2 a.m. Sunday morning and was followed by a more intense attack at 4 a.m., according to the China Internet Network Information Center, which apologized to affected users in its statement and said it is working to improve its “service capabilities.”

Ecosystem Threat Intelligence: Assessing Partner Risk

Mon, 26 Aug 2013 00:00:00 +0000

As we discussed in the introduction post of our Ecosystem Threat Intelligence series, today’s business environment features increasing use of an extended enterprise. Integrating systems and processes with trading partners can benefit the business, but dramatically expands the attack surface. A compromised trading partner, with trusted access to your network and systems, gives their attackers that same trusted access to you. To net out the situation, you need to assess the security of your partner ecosystem; and be in a position to make risk-based decisions about whether the connection (collaboration) with trading partners makes sense, and what types of controls are necessary for protection given the potential exposure. To quote our first post:

VMWare Doubles Down on SDN

Mon, 26 Aug 2013 00:00:00 +0000

VMWare is pushing hard on the virtual datacenter concept this week at VMWorld, with the first release of their new SDN networking approach based on the Nicira acquisition. Greg Ferro has a good take (hat tip to @beaker/Hoff for the link):

Friday Summary: August 23, 2013

Fri, 23 Aug 2013 00:00:00 +0000

With seven trips in the last eight weeks – and I would have been 8 for 8 had I not been sick one week – I’d have been out of the office the entire last two months. It almost feels weird blogging again but there is going to be a lot to write about in the coming weeks given the huge amount of research underway.

“Like” Facebook’s response to Disclosure Fail

Thu, 22 Aug 2013 00:00:00 +0000

Every company makes mistakes, especially when it comes to researchers disclosing security bugs and/or vulnerabilities. And when the frustrated researcher goes public and makes a scene, the company has a few choices.

Incite 8/21/2013: Hygienically Challenged

Wed, 21 Aug 2013 00:00:00 +0000

I spend a lot of time in public places. I basically work in coffee shops and spend more than my fair share of time in airports and restaurants. There is nothing worse than being in the groove, banging out a blog post, and then catching a whiff of someone – before I can see them. I start to wonder if the toilet backed up or something died in the wall.

New Paper: The 2014 Endpoint Security Buyer’s Guide

Wed, 21 Aug 2013 00:00:00 +0000

Our updated and revised 2014 Endpoint Security Buyer’s Guide updates our research on key endpoint management functions, including patch and confirmation management and device control. We have also added coverage of anti- … malware, mobility, and BYOD. All very timely and relevant topics. The bad news is that securing endpoints hasn’t gotten any easier. Employees still click things, and attackers have gotten better at evading perimeter defenses and obscuring attacks.

Research Scratchpad: Stateless Security

Wed, 21 Aug 2013 00:00:00 +0000

Here’s another idea I’ve been playing with.

As I spend more time playing with various cloud and infrastructure APIs, I’m starting to come around to the idea of Stateless Security. Here’s what I mean:

Two Apple Security Tidbits

Tue, 20 Aug 2013 00:00:00 +0000

Two interesting items.

First up, whatever actual vulnerability was used, the Apple Developer Center was exploited with a code execution flaw:

IBM/Trusteer: Shooting Across the Bow of the EPP Suites

Mon, 19 Aug 2013 00:00:00 +0000

Last week, IBM announced a deal to acquire Trusteer, an Israeli company focused on advance endpoint malware detection. The price tag was reported to be $800MM - $1B, so it was a pretty healthy 7-8x multiple of rumored 2013 bookings. Trusteer’s technology fills a huge gap in IBM’s advanced malware story. They do some stuff on their network (IPS) box, but without a real presence on the endpoint, their solution is limited. And for company pushing a total security solution story like IBM, you can’t really have holes. Not obvious one’s anyway.

Lockheed-Martin Trademarks “Cyber Kill Chain”. “Cyberdouche” Still Available

Mon, 19 Aug 2013 00:00:00 +0000

It appears that Lockheed Martin has trademarked the term “Cyber Kill Chain”.

This should be no surprise, and you can read my House of Cybercards post if you want to know why this isn’t merely humorous.

New Paper: The CISO’s Guide to Advanced Attackers

Sun, 18 Aug 2013 00:00:00 +0000

Much of the security industry spends significant time and effort focused on how hard it is to deal with today’s attacks. Adversaries continue to improve their tactics. Senior management doesn’t get it, until there is a breach… then your successor can educate them. And the compliance mandates hanging over your organization like albatross remain 3-4 years behind the attacks you see daily. The vendor community compounds the issues by positioning every product and/or service as a solution to the APT problem. Which means they don’t really understand advanced attackers at all. But complaining doesn’t solve problems, so we put together a CISO’s Guide to Advanced Attackers to help you structure a programmatic effort to deal with these adversaries.

Friday Summary: Career Highlight

Fri, 16 Aug 2013 00:00:00 +0000

I got my first computer back in the mid-80’s, a few years after I started playing and programming in the back half of elementary school. It was a shiny new Commodore 64 a friend of my Mom’s gave me – we weren’t financially lucky enough to afford one ourselves.

Ecosystem Threat Intelligence: The Risk of the Extended Enterprise [New Series]

Thu, 15 Aug 2013 00:00:00 +0000

A key aspect of business today is the extended enterprise. That’s a fancy way of saying no organization does it alone anymore. They have upstream suppliers who help produce whatever it is they produce. They have downstream distribution channels that help them sell whatever needs to be sold. They outsource business processes to third parties who can handle them better and more cheaply. With the advent of advanced communication and collaboration tools, teams work on projects even if they don’t work for the same company or reside on the same continent. Jack Welch coined the term “boundaryless organizations” back in 1990 to describe an organization that is not defined by, or limited to, horizontal, vertical, or external boundaries imposed by a predefined structure. They are common today.

Research Scratchpad: Outside Looking in

Thu, 15 Aug 2013 00:00:00 +0000

I have bunch of random research thoughts I am working on. I think they are building into a cohesive whole but cannot make any promises. I’m branding these forming ideas as my “research scratchpad”, and will appreciate any feedback.

Continuous Security Monitoring: Migrating to CSM

Wed, 14 Aug 2013 00:00:00 +0000

We spent a bulk of this series defining the major use cases for Continuous Security Monitoring, taking a journey through Attacks, Change Control, and Compliance. We know that many of you tend to be people of action, who want to just get going. But without a proper plan and definition for what you are trying to achieve with your security monitoring initiative, you will just end up with a lot of shiny expensive shelfware.

Incite 8/14/2013: Tracking the Trends

Wed, 14 Aug 2013 00:00:00 +0000

I remember back in my 20s, when I though my success and wealth were assured. I was a high-flying analyst during the Internet bubble and made a bunch of coin. Then I lost a bunch of coin as the bubble deflated. Then I started a software company, which was sold off for the cash on our balance sheet. Then I chased a few hot startups that got less hot once I got there. None had a happy ending.

Incomplete Thought: Is the Cloud the Secproasaurus Extinction Event? And Are DevOps the Mammals?

Tue, 13 Aug 2013 00:00:00 +0000

Okay, I’m just throwing this one out there because the research is far from complete but I really want to hear what other people think.

Continuous Security Monitoring: Compliance

Mon, 12 Aug 2013 00:00:00 +0000

Let’s wrap up our use case discussions for Continuous Security Monitoring by digging into how CSM can contribute to your compliance efforts. We know the way we staged these use cases (first attack, then change control) is bass-ackwards from how most folks implement monitoring. Compliance is typically the first use cases implemented, mostly because PCI-DSS mandates it. Regardless of how you adopt the technology, what you want to do is make sure whatever monitoring infrastructure you put in place will be extensible and relevant to all your use cases.

Credibility and the CISO

Sun, 11 Aug 2013 00:00:00 +0000

We see continuing confusion regarding the CISO duties in many organizations. When I saw this opinion piece in SC Mag by an experienced CISO (David Nathans) with both commercial and defense sector experience, I figured we might finally get some clarification. Yeah, I should have known better.

Continuous Security Monitoring: The Change Control Use Case

Fri, 09 Aug 2013 00:00:00 +0000

We now resume our series on Continuous Security Monitoring. We have dug into the Attack Use Case so it’s time to cover the next most popular use case for security monitoring: Change Control. We will keep the same format as before; digging into what you are trying to do, what data is required to do it, and then how this information can and should guide your prioritization of operational activities.

Is Privacy Now Illegal?

Fri, 09 Aug 2013 00:00:00 +0000

Silent Circle is shutting down their email service:

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

HP goes past the TippingPoint of blogging nonsense

Thu, 08 Aug 2013 00:00:00 +0000

After reading this inane blog post, “Cisco – Buying into the security game,” from an EMEA product manager for HP TippingPoint, the Security Twittersphere rose up together to call out this nonsense. I figured I would just let it lie, but I couldn’t. This is the worst type of competitive positioning – basically calling out a competitor for doing exactly what you have done. I think psychologists call this projection.

Incite 8/7/2013: Summer’s End

Wed, 07 Aug 2013 00:00:00 +0000

By the time most of you read this I will be on my way back down the east coast, shuttling all the kid’s stuff home after a summer of camp in the family truckster. 12+ hours in pleasant solitude as the Boss flies the kids home. They start school next Monday so we didn’t want them to sit in the car all day. So I’m taking one for the team, but it’s okay. I will spend the solitary time working over my world domination plans. Like I do on every long trip.

You Have Eight Months

Tue, 06 Aug 2013 00:00:00 +0000

I may be done with having children, but that doesn’t mean I’ve forgotten how quickly 8 months can stream by.

Sales/Marketing Spend, Cash Generation, and the FireEye-PO

Mon, 05 Aug 2013 00:00:00 +0000

It doesn’t happen very often so it’s highly scrutinized. No, it’s not me being nice to someone. It’s a security company IPO. Last week the folks at FireEye filed their Form S-1, which is the first step toward becoming a public company. The echo chamber blew up, mostly because of FireEye’s P&L.

We’re at Black Hat—Go Read a Book

Tue, 30 Jul 2013 00:00:00 +0000

Pretty much the entire team is out at the Black Hat conference.

Yes, we really are working. Heck, by the time you read this, Rich and James will have taught 2 separate cloud security classes.

Endpoint Security Buyer’s Guide: Buying Considerations

Fri, 26 Jul 2013 00:00:00 +0000

We have covered the reasons endpoint security is getting more challenging, and offered some perspective on what is important when buying anti-malware and endpoint hygiene products – or both in an integrated package. Then we addressed the issues BYOD and mobility present for protecting endpoints. To wrap up we just need to discuss the buying considerations driving you toward one solution over another, and develop a procurement process that can work for your organization.

Friday Summary: Dead Tree Edition

Fri, 26 Jul 2013 00:00:00 +0000

Phoenix can be a wild place for weather. We don’t get much rain, but when we do it often arrives with fearsome vengeance. When I first moved down here I thought “monsoon season” was just a local colloquialism to make Phoenicians think they were all tough or something. I mean, surely the weather here couldn’t rival what I was used to in Colorado, where occasional 100mph gusts are called ‘invigorating’ rather than ‘tornadoes’ – tornadoes go in circles.

API Gateways: Buyers Guide

Thu, 25 Jul 2013 00:00:00 +0000

We will close out this series by examining key decision criteria to help you select an API gateway. We offer a set of questions to determine which vendor solutions support your API technically, as well as the features your developers and administrators need. These criteria can be used to check solutions against your design goals and help you walk through the evaluation process.

Endpoint Security Buyer’s Guide: The Impact of BYOD and Mobility

Thu, 25 Jul 2013 00:00:00 +0000

When thinking about endpoint security it is important to decide what you consider an endpoint. We define an endpoint as any computing device that can access corporate data. This deliberately broad definition includes not just PCs, but also mobile devices (smartphones and tablets). We don’t think it is too broad – employees today expect to access the data they need, on the device they are using, from wherever they are, at any time. And regardless of the details, the data needs to be protected.

Gonzales’ Partners Indicted

Thu, 25 Jul 2013 00:00:00 +0000

This is all over the news, but Wired was the first I saw to put things in the right context:

Four Russians and one Ukrainian have been charged with masterminding a massive hacking spree that was responsible for stealing more than 160 million bank card numbers from companies in the U.S. over a seven-year period.

Database Denial of Service: Countermeasures

Wed, 24 Jul 2013 00:00:00 +0000

Before I delve into the meat of today’s post I want to say that the goal of this series is to aid IT security and database admins in protecting relational databases from DoS attacks. During the course of this research I have heard several rumors of database DoS but not found anyone willing to go on record or even provide details anonymously. Which is too bad – this type of information helps the community and helps reduce the number of companies affected. Another interesting note: we have been getting questions from network IT and application management teams rather than DBAs. In hindsight this is not so surprising – network security is the first line of defense and cloud database service providers (e.g., ISPs) don’t have database security specialists. Now let’s take a look at database DoS countermeasures.

Incite 7/23/2013: Sometimes You Miss

Wed, 24 Jul 2013 00:00:00 +0000

The point of sending the kids to sleepaway camp is that they experience things they normally wouldn’t. They expand their worldviews, meet new people, and do things they might not normally do when under the watchful (and at times draconian) eyes of their parents. As long as it’s legal and appropriate I’m cool.

Cisco FIREs up a Network Security Strategy

Tue, 23 Jul 2013 00:00:00 +0000

This morning Cisco made its first decisive move in the network security space in years, acquiring Sourcefire for $2.7 billion. That represents a 30% premium over Sourcefire’s closing price yesterday. But much more importantly it is a clear signal that Cisco hasn’t given up on security and intends to compete as organizations rebuild their network security around the poorly named next generation application awareness technology.

Continuous Security Monitoring: The Attack Use Case

Tue, 23 Jul 2013 00:00:00 +0000

We have discussed why continuous security monitoring is important, how we define CSM, and finally how you should be classifying your assets to figure out the most appropriate levels of monitoring. Now let’s dig into the problems you are trying to solve with CSM. At the highest level we generally see three discrete use cases:

Bastion Hosts for Cloud Computing

Mon, 22 Jul 2013 00:00:00 +0000

From the Amazon Web Services security blog:

A best practice in this area is to use a bastion. A bastion is a special purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances.

Exploit U

Mon, 22 Jul 2013 00:00:00 +0000

It seems Universities are the latest targets for targeted attackers, looking for a preview of the next set of technologies to come out of the major research universities. But protecting these networks is a herculean task, given the open nature of university operations, which are driven by collaboration and sharing. It makes it tough to protect things when they are fundamentally open.

If You Don’t Have Permission, Don’t ‘Test’

Mon, 22 Jul 2013 00:00:00 +0000

We don’t know much about last week’s Apple security incident, but a security researcher claims he is responsible, and was just doing research and reporting it to Apple.

New Paper: Defending Cloud Data with Infrastructure Encryption

Mon, 22 Jul 2013 00:00:00 +0000

As anyone reading this site knows, I have been spending a ton of time looking at practical approaches to cloud security. An area of particular interest is infrastructure encryption. The cloud is actually spurring a resurgence in interest in data encryption (well, that and the NSA, but I won’t go there).

Apple Developer Site Breached

Sun, 21 Jul 2013 00:00:00 +0000

From CNet (and my inbox, as a member of the developer program):

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

Endpoint Security Buyer’s Guide: Endpoint Hygiene and Reducing Attack Surface

Sun, 21 Jul 2013 00:00:00 +0000

As we mentioned in the last post, anti-malware tends to be the anchor in endpoint security control sets. Given the typical attacks that is justified, but too many organizations forget the importance of keeping devices up-to-date and configured securely. Even “advanced attackers” don’t like to burn 0-day attacks when they don’t need to. So leaving long-patched vulnerabilities exposed, or keeping unnecessary services active on endpoints, makes it easy for them to own your devices. The progression in almost every attack – regardless of the attacker’s sophistication – is to compromise a device, gain a foothold, and then systematically move towards the target.

Black Hat Preview 2: Software Defined Security with AWS, Ruby, and Chef

Fri, 19 Jul 2013 00:00:00 +0000

I recently wrote a series on automating cloud security configuration management by taking advantage of DevOps principles and properties of the cloud. Today I will build on that to show you how the management plane can make security easier than traditional infrastructure with a little ruby code. This is another example of material covered in our Black Hat cloud security training class.

Endpoint Security Buyer’s Guide: Anti-Malware, Protecting Endpoints from Attacks

Fri, 19 Jul 2013 00:00:00 +0000

After going over the challenges of protecting those pesky endpoints in the introductory post of the Endpoint Security Buyer’s Guide, it is now time to turn our attention to the anchor feature of any endpoint security offering: anti-malware. Anti-malware technologies have been much maligned. In light of the ongoing (and frequently successful) attacks on devices ‘protected’ by anti-malware tools, we need some perspective – not only on where anti-malware has been, but where the technology is going, and how that impacts endpoint security buying decisions.

Friday Summary: Cloud Identity Edition

Fri, 19 Jul 2013 00:00:00 +0000

One of my favorite industry events was last week, the 2013 Cloud Identity Summit. Last year’s was in Vail, Colorado, so I thought this year couldn’t top that. Wrong. This year was at the Mertiage in Napa – nice hotel, nice Italian restaurant, stunningly helpful staff, and perfect weather made for a great week. And while I was sorely tempted to tour the Napa Valley, I found the sessions too compelling to skip out. Here are a few of the highlights:

New Paper: Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment

Thu, 18 Jul 2013 00:00:00 +0000

Detecting malware feels like a losing battle. Between advanced attacks, innovative attackers, and well-funded state-sponsored and organized crime adversaries, organizations need every advantage they can get to stop the onslaught. We first identified and documented Network-Based Malware Detection (NBMD) devices as a promising technology back in early 2012, and they have made a difference in detecting malware at the perimeter. Of course nothing is perfect, but every little bit helps.

PCI Standards Flow Downhill

Thu, 18 Jul 2013 00:00:00 +0000

Payment gateways and payment processors have to pass PCI requirements just like merchants do. And they don’t like it any more than you do, as evidenced by recent post by Stephen Ames of Shift4. He is pissed about a new interpretation of PA-DSS, provided to his QSA outside the officially published guidance and standards, which places PA-DSS section 4.2.7 always in scope. From the post:

Google may offer client-side encryption for Google Drive

Wed, 17 Jul 2013 00:00:00 +0000

From Declan McCullagh at CNet:

Google has begun experimenting with encrypting Google Drive files, a privacy-protective move that could curb attempts by the U.S. and other governments to gain access to users’ stored files. Two sources told CNET that the Mountain View, Calif.-based company is actively testing encryption to armor files on its cloud-based file storage and synchronization service. One source who is familiar with the project said a small percentage of Google Drive files is currently encrypted.

Incite 7/17/2013: 80 años

Wed, 17 Jul 2013 00:00:00 +0000

If you want a feel for how long 80 years is, here are a few facts. In 1933, the President was Herbert Hoover until March, when FDR became President. The Great Depression was well underway in the US and spreading around the world. Hitler first rose to power in Germany. And Prohibition was repealed in the US. I’ll certainly drink to that.

The Temptation of the Developer

Tue, 16 Jul 2013 00:00:00 +0000

Threat modeling involves figuring out ways the system can be gamed and your [fill in the blank] can be compromised. Great modelers can take anything and come up with new ways to question the integrity of the system. When it comes to 0-day attacks, many tend to focus on increasingly sophisticated fuzzers and other techniques to find holes in code, like the tactics described in the Confessions of a Cyber Warrior interview.

Counterpoint: KNOX vs. AZA throwdown

Mon, 15 Jul 2013 00:00:00 +0000

Adrian makes a number of excellent points. Enterprises need better usability and management for mobile devices, but co-mingling these goals complicates solutions.

FireStarter: KNOX vs. AZA mobile throwdown

Mon, 15 Jul 2013 00:00:00 +0000

A group of us were talking about key takeaways for the 2013 Cloud Identity Summit last week in Napa. CIS 2012 focused on getting rid of passwords; but the conversation centered on infrastructure and identity standards such as OAuth, OpenID Connect, and SAML, which provide tool to authenticate users to cloud services. 2013 was still about minimizing usage of passwords, but focused on the client side where the “rubber meets the road” with mobile client apps.

Intel Software Guard Extensions (SGX) Is Mighty Interesting

Mon, 15 Jul 2013 00:00:00 +0000

I am in a bit over my head here, but take a look at the first two presentations at the Workshop on Hardware and Architectural Support for Security and Privacy. Intel is preparing to introduce a new capability in their processors to support use of secure encrypted memory spaces on commodity CPUs. Their objective is to provide applications with a secure ‘enclave’ (their term) with a protected memory and execution space. It’s called Intel Software Guard Extensions (SGX).

Summary: Here’s to the Defenders

Fri, 12 Jul 2013 00:00:00 +0000

I was reading Roger Grimes’ interview with an offensive cybersecurity operator, and one key quote really stood out:

I wish we spent as much time defensively as we do offensively. We have these thousands and thousands of people in coordinate teams trying to exploit stuff. But we don’t have any large teams that I know of for defending ourselves. In the real world, armies spend as much time defending as they do preparing for attacks. We are pretty one-sided in the battle right now.

API Gateways: Implementation

Thu, 11 Jul 2013 00:00:00 +0000

APIs go through a software lifecycle, just like any other application. The purchaser of the API develops, tests, and manages code as before, but when they publish new versions the API gateway comes into play. The gateway is what implements operational polices for APIs – serving as a proxy to enforce security, application throttling, event logging, and routing of API requests.

Continuous Security Monitoring: Classification

Thu, 11 Jul 2013 00:00:00 +0000

As we discussed in Defining CSM, identifying your critical assets and monitoring them continuously is a key success factor for your security program – at least if you are interested in figuring out what’s been compromised. But reality says you can’t watch everything all the time, even with these new security big data analytical thingies.

Living to fight another day…

Thu, 11 Jul 2013 00:00:00 +0000

Our man Dave Lewis has a great post on CSO Online, When Disaster Comes Calling, about the importance of making sure your disaster recovery plan actually can help you when you have, uh, a disaster. Folks don’t always remember that sometimes success is living to fight another day.

The Endpoint Security Buyer’s Guide [New Series]

Thu, 11 Jul 2013 00:00:00 +0000

Last year we documented our thoughts on buying Endpoint Security Management offerings, which basically include patch, configuration, device control, and file integrity monitoring – increasingly bundled in suites to simplify management. We planned to dig into the evolution of endpoint security suites earlier this year but the fates intervened and we got pulled into other research initiatives. Which is just as well because these endpoint security and management offerings have consolidated more quickly than we anticipated, so it makes sense to treat all these functions within a consistent model.

Tips on SQL Azure Security

Thu, 11 Jul 2013 00:00:00 +0000

@gepeto42 had a good post:

Windows Azure SQL Database, formely known as SQL Azure, is Microsoft’s managed database platform in Azure. While it is based on Microsoft SQL Server, it has various limitations that can impact how you secure and manage it. It also has some features that can help improve security.

Another Disclosure Debacle, with a Twist

Wed, 10 Jul 2013 00:00:00 +0000

I picked this one up from Slashdot (yes, I still read it sometimes):

Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled ‘More lies from Secunia.’ It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched.

Black Hat Preview: Automating Cloud Security Policy Compliance

Wed, 10 Jul 2013 00:00:00 +0000

Many people focus (often wrongly) on the new risks of cloud computing, but I am far more interested in leveraging cloud computing to improve security.

Incite 7/10/2013: Selfies

Wed, 10 Jul 2013 00:00:00 +0000

Before she left for camp XX1 asked me to download her iPhone photos to our computer, so she could free up some space. Evidently 16gb isn’t enough for these kids today. What would Ken Olson say about that? (Dog yummy for those catching the reference.) I happened to notice that a large portion of her pictures were these so-called selfies. Not in a creeper, micro-managing Dad way, but in a curious, so that’s what the kids are up to today way. A selfie is where you take a picture of yourself (and your friends) with your camera phone. Some were good, some were bad. But what struck me was the quantity. No wonder she needed to free up space – she had all these selfies on her phone.

Using Amazon IAM Roles to Distribute Security Credentials (for Chef)

Wed, 10 Jul 2013 00:00:00 +0000

As I discussed in Black Hat Preview: Automating Cloud Security Policy Compliance, you can combine Amazon S3 and IAM roles to securely provision configuration files (or any other files) and credentials to Amazon EC2 or VPC instances. Here are the details.

Using cloud-init and s3cmd to Automatically Download Chef Credentials

Wed, 10 Jul 2013 00:00:00 +0000

Our last post described how to use Amazon EC2, S3, and IAM as a framework to securely and automatically download security policies and credentials. That’s the infrastructure side of the problem, and this post will show what you need to do to the instance to connect to this infrastructure, grab the credentials, install and configure Chef, and connect to the Chef server. The advantage of this structure is that you don’t need to embed credentials into your machine image, and you can use stock (generic) operating systems are on public clouds. In private clouds it is also useful because it reduces the number of machine images to maintain. These instructions can be modified to work in other cloud platforms, but your mileage will vary. They also require an operating system that supports cloud-init (Windows uses ec2config, which I know very little about, but also appears to support user data scripts). I will walk through the details of how this works, but you won’t use any of these steps manually. They are just explanation, to give you what you need to adapt this for other circumstances.

How Not to Handle a Malware Outbreak

Tue, 09 Jul 2013 00:00:00 +0000

Malware is a pervasive problem in enterprises today. It can often be insidious as hell and difficult to ferret out. But sometimes the response to a malware outbreak defies basic common sense. The CIO for the Economic Development Administration (EDA) thought a scorched earth policy was the best approach…

Kudos: Microsoft’s App Store Security Policy

Tue, 09 Jul 2013 00:00:00 +0000

Today on the Microsoft Security Response Center Blog:

Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.

Multitenancy is the Least Interesting Security Property of Cloud Computing

Tue, 09 Jul 2013 00:00:00 +0000

Today I was mildly snarky on the Security Metrics email list when a few people suggested that instead of talking about cloud computing we should talk about shared infrastructure. In their minds, ‘shared’ = ‘cloud’. I fully acknowledge that I may be misinterpreting their point, but this is a common thread I hear. Worse yet, very frequently when I discuss security risks, other security professionals key in on multitenancy as their biggest concern in cloud computing.

RSA Acquires Aveksa

Tue, 09 Jul 2013 00:00:00 +0000

EMC has announced the acquisition of Aveksa, one of the burgeoning players in the identity management space. Aveksa will be moved into the RSA security division, and no doubt merged with existing authentication products. From the Aveksa blog:

Continuous Security Monitoring: Defining CSM

Mon, 08 Jul 2013 00:00:00 +0000

In our introduction to Continuous Security Monitoring we discussed the rapid advancement of attacks, and why that means you can never “get ahead of the threat”. That means you need to react faster to what’s happening, which requires shortening the window of exposure by embracing extensive security monitoring. We tipped our hats to both PCI Council and the US government for requiring monitoring as a key aspect of their mandates. The US government pushed it a step further by including continuous in its definition of monitoring. We love the term ‘continuous’, but this one word has caused a lot of confusion in folks responsible for monitoring their environments.

Calendar Bites Google Security in the Ass

Fri, 05 Jul 2013 00:00:00 +0000

Well, this is embarrassing:

Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference.

Proactive WebAppSec

Fri, 05 Jul 2013 00:00:00 +0000

Earlier this week rsnake blogged about the Top 10 Proactive Web Application Security Measures. He has a very good set of recommendations, a highly recommended read for web application developers and webmasters alike:

Database Denial of Service: Attacks

Wed, 03 Jul 2013 00:00:00 +0000

Today’s post will discuss database denial of service attacks so later we can consider how to stop them.

From the security researcher’s perspective I cannot help but be impressed by the diversity of database DoS attacks. Many such attacks are pretty dumb – they seem to be written by a person who does not understand SQL, writing horrible queries that are the opposite of efficient. Some exploits are so simple – yet clever – that we are amazed the targeted vulnerability was not found in quality assurance tests. But dumb or not, these attacks are effective. For example you could start a couple different searches on a website, choose a very broad list of values, and hit ‘search’. The backend relational system starts to look at every record in every table, chewing up memory and waiting for slow disk reads.

Incite 7/3/2013: Independence

Wed, 03 Jul 2013 00:00:00 +0000

During the week of July 4th in the US we cannot help but think about independence. First of all, it’s a great excuse for a party and BBQ, right? To celebrate our escape from the tyranny of rulers from a far-off land, we eat and drink beer until we want to puke, and blow up fireworks made in other far-off lands. Being serious for a moment (but only a moment, we promise), independence means a lot of things to a lot of people, and now is a good time to revisit what it means to you, and make sure your choices reflect your beliefs.

New Paper: Quick Wins with Website Protection Services

Wed, 03 Jul 2013 00:00:00 +0000

Simple website compromises can feel like crimes with no clear victims. Who cares if the Joey’s Bag of Donuts website gets popped? But that is not a defensible position any more. Attackers don’t just steal data from these websites – they also use them to host malware, command and control nodes, and proxies to defeat IP reputation systems.

Why. Continuous. Security. Monitoring? [New Series]

Wed, 03 Jul 2013 00:00:00 +0000

Remember the old marketing tagline, “Get Ahead of the Threat?” It seems pretty funny now, doesn’t it? Given the kinds of attacks we are facing and attackers’ increasing sophistication, we never see the threats coming and being even marginally reactive seems like a pipe dream. The bad news is that it will not get easier any time soon. Don’t shoot the messenger, but understand that is the reality of today’s information security landscape.

OpenStack Security Guide Released

Tue, 02 Jul 2013 00:00:00 +0000

An OpenStack Security Guide epub was released this week, and among the contributors was our friend Andrew Hay.

Trying to find this info before was like locating a piece of hay in a haystack (not an Andrew Hay – he would be considerably easier to find in a haystack). We use OpenStack for the Cloud Security Alliance training labs, and I had to figure out a lot of this myself through painful reading of barely-legible documentation.

API Gateways: Key Management

Mon, 01 Jul 2013 00:00:00 +0000

For developers one of the most visible API gateway operations is key management. But dear reader this is not your father’s key management – the kind laden with X.509, PKI, and baroque foofaraw that security teams had to beg developers to implement. This is 2013 and the keys are OAuth access keys! And developers are asking us for the keys too, so what should we do?

The Battle over Active Defense Continues

Mon, 01 Jul 2013 00:00:00 +0000

One of our favorite friends, Jack Daniels, has a new post on Active Defense:

If you make the claim that “active defense” is only a euphemism for “hacking back”, you are either hyping an agenda, or selling a (probably outdated) security model. Or perhaps you’ve just been misled by the previously mentioned shysters. By my count that’s three flavors of wrong, although one may be slightly less bitter.

Want Privacy? Have Your Kids Browse for You

Mon, 01 Jul 2013 00:00:00 +0000

The FTC has issued new rules on data collection for minors:

Now, the list of what counts as “personal information” has been expanded to include geolocation markers, IP addresses, pictures or audio of the child, and persistent cookies that can track users across sites. The rules also now apply to companies that make plug-ins or advertising networks, which often collect information but aren’t thought of as discrete sites that fall under the rules.

The doctor is in the house (and knocking your site down)

Sun, 30 Jun 2013 00:00:00 +0000

Andy Ellis (yes, @csoandy) had a good educational post on DNS Reflection attacks. The DrDos (no, Digital Research DOS isn’t making a comeback – dating myself FTW) has proven an effective way for attackers to scale Denial of Service (DoS) attacks to over 100gbps. Andy explains how DNS Reflection works, why it’s hard to deal with, and what targets can do to defend themselves.

Black Hat Schedule

Fri, 28 Jun 2013 00:00:00 +0000

Our schedules are already filling up for Black Hat this year, so if you want to meet please drop us a line.

Friday Summary: June 28, 2013—“Summer’s here” edition

Fri, 28 Jun 2013 00:00:00 +0000

Normally by this time of year things slow down, people go on vacation, and we get to relax a bit, but not this year. At least not for me. It has been seven days a week here for a while, playing catch-up with all the freakin’ research projects going on. And I have wanted to comment on a ton of news items, but have not had the time. So this week’s summary consists of comments on a few headlines I have not had any other the chance to comment on. Here we go:

Standards don't move fast enough

Fri, 28 Jun 2013 00:00:00 +0000

Branden Williams is exactly right: 2013 is a pivotal year for PCI DSS. A new version of the guidance will hit later this year.

Database Denial of Service [New Series]

Thu, 27 Jun 2013 00:00:00 +0000

We have begun to see a shift in Denial of Service (DoS) tactics by attackers, moving up the stack from networks to servers and from servers to the application layer. Over the last 18 months we have also witnessed a new wave of vulnerabilities and isolated attacks against databases, all related to denial of service. We have seen recent issues with Oracle with invalid object pointers, a serious vulnerability in the workload manager, the TNS listener barfing on malformed packets, a PostgreSQL issue with unrestricted networking access that was rumored to allow file corruption to crash the database, the IBM DB2 XML feature, and multiple vulnerabilities in MySQL including remote ability to crash the database. A vulnerability does not mean that exploitation has occurred but we hear more off-the-record accounts of database attacks. We cannot quantify the risk or likelihood of attack, but this seems like a good time to describe these attacks briefly and offer some mitigation suggestions.

API Gateways: Developer Tools

Wed, 26 Jun 2013 00:00:00 +0000

Our previous post discussed the first step in the development process: getting access to the API gateway through access provisioning. Now that you have access it’s time to discuss how the gateway supports your code development and deployment processes. An API gateway must accomplish two primary functions: help developers build, test, and deploy applications; and help companies control use of their API. They are part development environment and part operational security tool.

Casting out SQLi

Wed, 26 Jun 2013 00:00:00 +0000

Ericka Chickowski posted an interview with the creators of the open source library AntiSQLi at Dark Reading. She is discussing a very interesting development tool, but the value proposition gets somewhat lost in the creators’ poor terminology.

Incite 6/26/2013: Camp Rules

Wed, 26 Jun 2013 00:00:00 +0000

June is a special time for us. School is over and we take a couple weeks to chill before the kids head off to camp. Then we head up to the Delaware beach where the Boss and I met many moons ago, and then put the kids on the bus to sleepaway camp. This year they are all going for 6 1/2 weeks. Yes, it’s good to be our kids. We spend the rest of the summer living vicariously through the pictures we see on the camp’s website.

iOS 7 Adds Major Data Security Improvements

Wed, 26 Jun 2013 00:00:00 +0000

Apple posted a page with some short details on the new business features of iOS 7. These security enhancements actually change the game for iOS security and BYOD:

The Black Hole of DLP

Mon, 24 Jun 2013 00:00:00 +0000

I was talking to yet another contact today who reinforced that almost no one is sniffing SSL traffic when they deploy DLP.

Top 10 Stupid Sales/Press/Analyst Presentation Tricks

Mon, 24 Jun 2013 00:00:00 +0000

If you see any of these in a vendor sales/analyst presentation, run fast.

They open with, “this is under NDA” or “this is confidential” and you have never signed an NDA.

Automation Awesomeness and Your Friday Summary (June 21, 2013)

Fri, 21 Jun 2013 00:00:00 +0000

I am intensely lazy.

If you read anything by Tim Ferris (the “4 Hour X” guy), you have heard him talk about Minimum Effective Dose. What is the least you can do to achieve your objective? In some ways that’s how I define my life.

Full Disk Encryption (FDE) Advice from a Reader

Thu, 20 Jun 2013 00:00:00 +0000

I am doing some work on FDE (if you are using the Securosis Nexus, I just added a small section on it), and during my research one of our readers sent in some great advice.

How China Is Different

Wed, 19 Jun 2013 00:00:00 +0000

Richard Bejtlich, on President Obama’s interview on Charlie Rose:

This is an amazing development for someone aware of the history of this issue. President Obama is exactly right concerning the differences between espionage, practiced by all nations since the beginning of time, and massive industrial theft by China against the developed world, which the United States, at least, will not tolerate.

Microsoft Offers Six Figure Bounty for Bugs

Wed, 19 Jun 2013 00:00:00 +0000

From the BlueHat blog, Microsoft’s security community outreach:

In short, we are offering cash payouts for the following programs:

Mitigation Bypass Bounty – Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.

Scamables

Wed, 19 Jun 2013 00:00:00 +0000

A post at PCI Guru got my attention this week, talking about a type of rebate service called Linkables. They essentially provide coupon discounts without physical coupons: you get money off your purchases for promotional items after you pay, rather than at the register. All you have to do is hand over your credit card. Really.

Security Analytics with Big Data: Deployment Issues

Wed, 19 Jun 2013 00:00:00 +0000

This is the last post in our Security Analytics with Big Data series. We will end with a discussion of deployment issues and concerns for any big data deployment, and focus on issues specific to leveraging SIEM. Please remember to post comments or ask questions and I will answer in the comments.

Talking Head Alert: Adrian on Key Management

Wed, 19 Jun 2013 00:00:00 +0000

Tomorrow, June 20th, bright and early at 8:00am Pacific I will be talking about key management with the folks at Prime Factors. Actually, Prime Factors was kind enough to sponsor the educational webcast, but at this time I am flying solo on this one – no vendor presentation is on the agenda. I will look at key management a little differently that what we have presented in the past, more operationally than technically. Even if you know all about key management, dial in and let your boss think you’re getting continuing education while you space out. So grab a cup of coffee and listen in, and bring any questions you may have. You can register here.

Network-based Malware Detection 2.0: Deployment Considerations

Mon, 17 Jun 2013 00:00:00 +0000

As we wrap up Network-based Malware Detection 2.0, the areas of most rapid change have been scalability and accuracy. That said, getting the greatest impact on your security posture from NBMD requires a number of critical decisions. You need to determine how the cloud fits into your plans. Early NBMD devices evaluated malware within the device (on-box sandbox), but recent advances and new offerings have moved some or all the analysis to cloud compute farms. You also need to figure out whether to deploy the device inline, in order to block malware before it gets in. Blocking whatever you can may sound like an easy decision, but there are trade-offs to consider – as there always are.

Project Communications

Mon, 17 Jun 2013 00:00:00 +0000

A note on project management: One client was quite disappointed with me for not showing progress as I went along and said “Fast iteration is better than delayed perfection,” while another client was mad at me because “you’re trickling again,” – showing progress but not a finished product (a\k\a delayed perfection)…

API Gateways: Access Provisioning

Sun, 16 Jun 2013 00:00:00 +0000

What do we want? API Access!

When do we want it? Now!

I’s time to change your entire mindset. We’re talking about API security, but not for traditional APIs. API gateways are a response to the “open API” movement, and create a very different development environment.

Friday Summary: June 14, 2013

Fri, 14 Jun 2013 00:00:00 +0000

Are you aware of a theft of big data? I will ask in a slightly different way: Do you know of any instance where a commercial big data cluster was exposed to an attacker who mined the cluster for fun or profit? Hackers are unlikely to copy a big data set – why bother moving terabytes when they can use your cluster to store and process your data. I am unaware of any occurrences, public or private. And no, LexisNexis and ChoicePoint, where the attackers had valid user credentials, don’t count. Please comment if you know of an example.

Risk Management: Proto-Science

Thu, 13 Jun 2013 00:00:00 +0000

Alex Hutton has been on the leading edge of IT security risk management as long as I have known him. He has a new blog, and if you don’t think we can ever quantify risk, you need to read this post The next age of risk management, science, & craftsmanship:

We are all guilty of something

Thu, 13 Jun 2013 00:00:00 +0000

Moxie Marlinspike has a must-read editorial over at Wired:

For instance, did you know that it is a federal crime to be in possession of a lobster under a certain size? It doesn’t matter if you bought it at a grocery store, if someone else gave it to you, if it’s dead or alive, if you found it after it died of natural causes, or even if you killed it while acting in self defense. You can go to jail because of a lobster.

Incite 6/12/2013: The Wall of Worry

Wed, 12 Jun 2013 00:00:00 +0000

Anxiety is something we all deal with on a daily basis. It is a feature of the human operating system. Maybe it’s that mounting pile of bills, or an upcoming doctor’s appointment, or a visit from your in-laws, or a big deadline at work. It could be anything but the anxiety triggers our fight or flight mechanisms, causes stress, and takes a severe toll over time on our health and well being. Culturally I come from a long line of worriers. Neuroses are just something we get used to, because everyone I know has them (including me) – some are just more vocal about it than others.

Talking Head Alert: Mike on Phishing Webcast

Wed, 12 Jun 2013 00:00:00 +0000

If you have nothing better to do tomorrow at 2 pm EDT, and want to learn a bit about what’s new in phishing (there is a lot of it, but that’s not new) and how to use email-based threat intelligence to deal with it, join me and the folks from Malcovery Security on a webcast tomorrow. I will be covering the content in the Email-based Threat Intelligence paper, and the folks from Malcovery will be sharing a bunch of their research into phishing trends. It should be an interesting event, so don’t miss it…

DDoS: It’s FUD-eriffic!

Tue, 11 Jun 2013 00:00:00 +0000

FUD can be your friend when trying to get security projects funded. But it needs to be wisely used and you only have one bullet in the proverbial chamber. The folks at Prolexic just rolled out a new white paper on using FUD to make the case internally about DDoS. The paper requires registration, so I didn’t. I know all about the FUD involved in DDoS – I don’t need these guys educating me about that.

Network-based Malware Detection 2.0: The Network’s Place in the Malware Lifecycle

Tue, 11 Jun 2013 00:00:00 +0000

As we resume our Network-based Malware Detection (NBMD) 2.0 series, we need to dig into the malware detection/analysis lifecycle to provide some context on where network-based malware analysis fits in, and what an NBMD device needs to integrate with to protect against advanced threats. We have already exhaustively researched the malware analysis process. The process diagram below was built as part of Malware Analysis Quant.

Security Analytics with Big Data: Integration

Tue, 11 Jun 2013 00:00:00 +0000

Some of our first customer conversations about big data and SIEM centered on how to integrate the two platforms. Several customers wanted to know how they could pull data from different existing log management and analytics systems into a big data platform. Most were told by their vendors that big data was; and they wanted to know what that integration would look like and how it would affect operations. Likely you won’t be doing the integration, but you will need to live with the design choices of your vendor. The benefit depends on their implementation choices.

The Securosis Nexus Beta 2 Begins!

Tue, 11 Jun 2013 00:00:00 +0000

We realize it has been a while, but we are insanely excited to open up the next phase of the Securosis Nexus beta test. This is an open beta but we reserve the right to kick out anyone who annoys us.

Groupthink Kills Your Security Layers

Mon, 10 Jun 2013 00:00:00 +0000

As I continue working through my reading backlog I find interesting stuff that bears comment. When the folks over at NSS Labs attempted to poke holes in the concept of security layers I got curious. Only 3% of over 606 combinations of firewall, IPS, and Endpoint Protection (EPP) actually successfully blocked their full suite of attacks?

Quick thoughts on the iOS and OS X security updates

Mon, 10 Jun 2013 00:00:00 +0000

I am in the airport lounge after attending the WWDC keynote, and here are some quick thoughts on what we saw today:

A truism of security information sharing

Sun, 09 Jun 2013 00:00:00 +0000

From Share and share alike? Not Quite, by Mike Mimoso at Threatpost:

“With retail, the challenge is that most of the companies we share with are direct competitors,” Phillips said. “From a security perspective, you have to get over that and share because we’re all facing the same challenges. There’s no way any of us will win the war on our own.”

Getting to Know Your Adversary

Fri, 07 Jun 2013 00:00:00 +0000

After a week of travel I am finally working through my reading list, and got around to RSnake’s awesome “Talk with a Black Hat” series. Check out Part 1, Part 2 and Part 3. He takes us behind the curtain – but instead of discussing impact, which your fraud and loss group can tell you – he documents tactics being used against us all the time.

API Gateways: Security Enabling Innovation [New Series]

Thu, 06 Jun 2013 00:00:00 +0000

So why are we talking about this? Because APIs are becoming the de facto service interface – not only for cloud and mobile, but for just about every type of service. The need for security around these APIs is growing, which is why we have seen a rush of acquisitions to fill security product gaps. In what felt like a couple weeks Axway acquired Vordel, CA acquired Layer7, and Intel acquired Mashery. The acquirers all stated these steps were to accommodate security requirements stemming from steady adoption of APIs and associated web services. Our goal for this paper is to help you understand the challenges of securing APIs and to evaluate technology alternatives so you can make informed decisions about current trends in the market. We will start our discussion by mentioning what’s at stake, which should show why certain features are necessary.

Friday Summary: June 7, 2013

Thu, 06 Jun 2013 00:00:00 +0000

I haven’t been writing much over the past few weeks because I took a few weeks with the family back in Boulder. The plan was to work in the mornings, do fun mountain stuff in the afternoons with the kids, and catch up with friends in the evenings. But the trip ended up turning into a bit of medical tourism when a couple bugs nailed us on day one. For the record, I can officially state that microbrews do not seem to cure viruses. But the research continues…

Security Analytics with Big Data: New Events and New Approaches

Thu, 06 Jun 2013 00:00:00 +0000

So why are we looking at big data, and what problems can we expect it to solve that we couldn’t before? Most SIEM platforms struggle to keep up with emerging needs for two reasons. The first is that threat data does not come neatly packaged from traditional sources, such as syslog and netflow events. There are many different types of data, data feeds, documents, and communications protocols that contain diverse clues to a data breaches or ongoing attacks. We see clear demand to analyze a broader data set in order hopes of detecting advanced attacks. The second issue is that many types of analysis, correlation, and enrichment are computationally demanding. Much like traditional multi-dimensional data analysis platforms, crunching the data takes horsepower. More data is being generated; add more types of data we want, and multiply that by additional analysess – and you get a giant gap between what you need to do and what you can presently do.

Apple Expands Gatekeeper

Wed, 05 Jun 2013 00:00:00 +0000

I missed this when the update went out last night, but Gregg Keizer at Infoworld caught it:

“Starting with OS X 10.8.4, Java Web Start applications downloaded from the Internet need to be signed with a Developer ID certificate,” Apple said. “Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed.”

Incite 6/5/2013: Working in the House

Wed, 05 Jun 2013 00:00:00 +0000

Once, years ago, I made the mistake of saying the Boss didn’t work. I got that statement shoved deep into my gullet because she works harder than I do. She just works in the house. My job is relatively easy – I can work from anywhere, with clients I enjoy, doing stuff that enjoy doing. Often it doesn’t feel like work at all.

Matters Requiring Attention: 100 million or so

Wed, 05 Jun 2013 00:00:00 +0000

Brian Krebs posted a detailed investigative piece on the 2011 breach of Fidelity National Information Services (FIS) and subsequent ATM thefts. I warn you that it’s long but worth the read. At least if your prescription for anti-depressants is current. Each paragraph seems to include some jaw-dropping fact about FAIL. A couple choice quotes from the article:

Mobile Security Breaches

Wed, 05 Jun 2013 00:00:00 +0000

From an article based on ‘work’ by Check Point:

79% of businesses had a mobile security incident in the past year, in many cases incurring substantial costs, according to Check Point. The report found mobile security incidents cost over $100,000 for 42% of respondents, including 16% who put the cost at more than $500,000.

A CISO needs to be a business person? No kidding…

Tue, 04 Jun 2013 00:00:00 +0000

It amazes to me that articles like CISOs Must Engage the Board About Information Security and The Demise of the Player/Manager CISO even need to be written.

New Google disclosure policy is quite good

Tue, 04 Jun 2013 00:00:00 +0000

Google has stated they will now disclose vulnerability details in 7 days under certain circumstances:

Based on our experience, however, we believe that more urgent action – within 7 days – is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.

Oracle adopts Trustworthy Computing practices for Java

Tue, 04 Jun 2013 00:00:00 +0000

Okay, I had to troll a bit with that title.

From a piece in SC Magazine:

Oracle formally has announced improvements in Java that are expected to harden a software line with a checkered security past.

LinkedIn Rides the Two-Factor Train

Mon, 03 Jun 2013 00:00:00 +0000

Just last week we mentioned the addition of two-factor authentication at Evernote; then LinkedIn snuck a blog post on Friday, May 31st, telling the world about their new SMS authentication. We are glad to see these popular services upgrading their authentication from password-only to password and SMS. It’s not hacker-proof – there are ways to defeat two-factor – but this is much better than password-only.

Security Analytics with Big Data: Defining Big Data

Mon, 03 Jun 2013 00:00:00 +0000

Today we pick up our Security Analytics with Big Data series where we left off. But first it’s worth reiterating that this series was originally intended to describe how big data made security analytics better. But when we started to interview customers it became clear that they are just as concerned with how big data can make their existing infrastructure better. They want to know how big data can augment SIEM and the impact of this transition on their organization. It has taken some time to complete our interviews with end users and vendors to determine current needs and capabilities. And the market is moving fast – vendors are pushing to incorporate big data into their platforms and leverage the new capabilities. I think we have a good handle on the state of the market, but as always we welcome comments and input.

Security Surrender

Mon, 03 Jun 2013 00:00:00 +0000

Last week there was a #secchat on security burnout. Again. Yeah, it’s a bit like groundhog day – we keep having the same conversation over and over again. Nothing changes. And not much will change. Security is not going to become the belle of the ball. That is not our job. It’s not our lot in life.

Finally! Lack of Security = Loss of Business

Sun, 02 Jun 2013 00:00:00 +0000

For years security folks have been frustrated when trying to show real revenue impact for security. We used the TJX branding issue for years, but it didn’t really impact their stock or business much at all. Heartland Payment Systems is probably stronger now because of their breach. You can check out all the breach databases, and it’s hard to see how security has really impacted businesses. Is it a pain in the butt? Absolutely. Does cleanup cost money? That’s clear.

Friday Summary: May 31, 2013

Fri, 31 May 2013 00:00:00 +0000

It is starting to feel like summer. Both because the weather is getting warmer and because most of the Securosis team has been taking family time this week. I will keep the summary short – we have not been doing much writing and research this week.

Network-based Malware Detection 2.0: Scaling NBMD

Fri, 31 May 2013 00:00:00 +0000

It is time to return to our Network-based Malware Detection (NBMD) 2.0 series. We have already covered how the attack space has changed over the past 18 months and how you can detect malware on the network. Let’s turn our attention to another challenge for this quickly evolving technology: scalability.

Evernote Business Edition Doubles up on Authentication

Thu, 30 May 2013 00:00:00 +0000

Joining the strong(er) authentication craze (which we enthusiastically support), along with recent entrants Twitter and Amazon Web Services, Evernote is now including two-factor authentication and access logging for its business edition. Two steps in the right direction for security.

Quick Wins with Website Protection Services: Deployment and Ongoing Management

Tue, 28 May 2013 00:00:00 +0000

For this series focused on Quick Wins with Website Protection Services, the key is getting your sites protected quickly without breaking too much application functionality. Your public website is highly visible to both customers and staff. Most such public sites capture private information, so site integrity is important. Lastly, your organization spends a ton of money geting the latest and greatest functionality on the site, so they don’t take kindly to being told their shiny objects aren’t supported by security. All this adds up to a tightrope act to protect the website while maintaining performance, availability, and functionality. Navigating these tradeoffs is what makes security a tough job.

Friday Summary: May 24, 2013

Fri, 24 May 2013 00:00:00 +0000

This month Google announced a new five year plan for identity management, and update from 2008’s five year plan. Their look backward is as interesting as the revised roadmap. Google recognized their 2-factor auth was more like one-time 2-factor, and that the model has been largely abused in practice. They also concluded that risk-based authentication has worked. A risk-based approach means more sensitive or unusual operations, such as credential changes and connections from unusual locations, ratchet up security by activating additional authentication hurdles. This has been a recent trend, and Google’s success will convince other organizations to get on board.

Making Browsers Hard Targets

Thu, 23 May 2013 00:00:00 +0000

Check out this great secure browser guide from the folks at Stach and Liu. The blog post is OK, but the PDF guide is comprehensive and awesome. Here is the intro:

Quick Wins with Website Protection Services: Protecting the Website

Thu, 23 May 2013 00:00:00 +0000

In the introductory post in the Quick Wins with Website Protection Services series, we described the key attack vectors that usually result in pwnage of your site and possibly data theft, or an availability issue with your site falling down and not being able to get back up. Since this series is all about Quick Wins, we aren’t going to belabor the build-up, rather let’s jump right in and talk about how to address these issues.

Incite 5/22/2013: Picking Your Friends

Wed, 22 May 2013 00:00:00 +0000

This time of year neighborhoods are overrun with “Graduation 2013” signs. The banners hang at the entrance of every subdivision congratulating this year’s high school graduates. It’s a major milestone and they should celebrate. Three kids on our street are graduating, and two are youngests. So we will have a few empty nests on our street.

Network-based Malware Detection 2.0: Evolving NBMD

Wed, 22 May 2013 00:00:00 +0000

In the first post updating our research on Network-based Malware Detection, we talked about how attackers have evolved their tactics, even over the last 18 months, to defeat emerging controls like sandboxing and command & control (C&C;) network analysis. As attackers get more sophisticated defenses need to as well. So we are focusing this series on tracking the evolution of malware detection capabilities and addressing issues with early NBMD offerings – including scaling, accuracy, and deployment. But first we need to revisit how the technology works. For more detail on the technology you can always refer back to the original Network-based Malware Detection paper.
Looking for Bad Behavior

Solera puts on a Blue Coat

Wed, 22 May 2013 00:00:00 +0000

Even after being in this business 20 years I still get surprised from time to time. When I saw this morning that Blue Coat is acquiring Solera Networks I was surprised, and not with a childlike sense of wonder. It was a WTF? type surprise.

(Scape)goats travel under the bus

Tue, 21 May 2013 00:00:00 +0000

It’s funny how certain data points get manipulated to bolster the corporate message. At least how the trade press portrays they anyway. If you read infosecurity-magazine.com’s coverage of Veracode’s State of Software Security report, you will see the subhead that the CISO is really the Chief Information Scapegoat Officer.

Wendy Nather abandons the CISSP—good riddance

Tue, 21 May 2013 00:00:00 +0000

Mood music: Abandono by Amalia Rodrigues…

Wendy blogged about not renewing her CISSP. I never had one myself, but as Wendy said it is much less important if you’re not going through the cattle call HR process, which is majorly gebrochen in infosec… but that’s another post.

Quick Wins with Website Protection Services: Are Websites Still the Path of Least Resistance?

Mon, 20 May 2013 00:00:00 +0000

In the sad but true files, the industry has become focused on advanced malware, state-sponsored attackers, and 0-day attacks, to the exclusion of everything else. Any stroll around a trade show floor makes that obvious. Which is curious because these ‘advanced’ attackers are not a factor for the large majority of companies. It also masks the fact that many compromises start with attacks against poorly-coded brittle web sites.

Spying on the Spies

Mon, 20 May 2013 00:00:00 +0000

The Washington Post says US Officials claimed Chinese hackers breached Google to determine who the US wanted Google to spy on. In essence the 2010 Aurora attack was a counter-counter-espionage effort to determine who the US government was monitoring. From the Post’s post:

Websense Going Private

Mon, 20 May 2013 00:00:00 +0000

Websense announced today that they are being acquired by Vista Equity Partners and will be going private when the transaction closes. From the press release:

Awareness training extends to the top

Sun, 19 May 2013 00:00:00 +0000

Trustwave’s Nicolas Percoco wrote an interesting article at boardmember.com describing a targeted attack at a senior executive. Who’dathunk sites catering to board members (and other mahogany row folks) would publish stuff from security folks. Oh, how the times have changed, eh?

This botnet is no Pushdo-ver

Fri, 17 May 2013 00:00:00 +0000

In our recent little ditty on Network-based Threat Intelligence, we mentioned how resilience has become a major focus for command and control networks. The Pushdo botnet’s recent rise from the ashes (for the fourth time!) illustrates this perfectly.

A Friday Summary from Boulder: May 17, 2013

Thu, 16 May 2013 00:00:00 +0000

They say you can’t go home.

What a load of garbage.

You can totally go home (unless you’re from Fukushima or Chernobyl). In fact I am writing this week’s Summary in Boulder, Colorado – on a three-week trip to catch up with old friends, play hipster in coffee shops, and change my attitude with a little altitude. Better yet, I am writing this sitting in the Boulder Library while my kids enjoy musical story time.

Network-based Malware Detection 2.0: Advanced Attackers Take No Prisoners

Thu, 16 May 2013 00:00:00 +0000

It was simpler back then. You know, back in the olden days of 2003. Viruses were predictable, your AV vendor could provide virus signatures to catch malware, and severe outbreaks like Melissa and SQL*Slammer depended on brittle operating systems and poor patching practices. Those days are long gone, under an onslaught of innovative attacks which leverage professional software development tactics and take advantage of the path of least resistance – generally your employees.

The Perimeter Won’t Be Rebuilt Overnight

Thu, 16 May 2013 00:00:00 +0000

It’s easy to believe the hype. You know, that NGFW (Next Generation Firewall) devices will take over the perimeter tomorrow. Get on the bandwagon now before it’s too late. And the anecdotal evidence leads in this direction as well. You see lines around the corners at trade shows to glimpse an NGFW Godbox, and local seminars are standing room only to hear all about application-aware policies which can help you control those pesky users who want to Facebook all day in the office.

Boundaries won’t help GRC

Wed, 15 May 2013 00:00:00 +0000

Amen to our buddy Paul Proctor, who starts a post, Why I hate the term GRC, with “GRC is the most worthless term in the vendor lexicon.” I couldn’t agree more. 10 years later I still don’t know what it means. Besides everything, as Paul explains:

Incite 5/15/2013: Fraud Hits Close to Home

Wed, 15 May 2013 00:00:00 +0000

We are in the school year endgame right now. The kids will be done for the year in 10 days, and then summer officially begins. It is a frantic time in our house – the kids head off for camp in mid-June and we take family vacations before then. There is a lot of stuff to buy, a lot of packing to do, and a lot of quality time to squeeze in before The Boss and I become empty nesters for 7 weeks. One of those tasks is haircuts. It turns out the Boy has my hair. And that means he needs to get it cut. Frequently. I’m not complaining but it requires some planning.

The Onion hack brings tears to my eyes

Tue, 14 May 2013 00:00:00 +0000

OK, not really. But as Rich pointed out in last week’s Incite (Truth is stranger than satire), The Onion getting hacked, and then the hackers posting stuff that seemed very Onion -like, was one step short of crossing the streams.

$45M Heist Used a 5 Year Old (at least) Technique

Fri, 10 May 2013 00:00:00 +0000

Big news, big money – hackers stole $45M in a flash attack. They hacked into the bank system, focused on debit and pre-paid cards that lack the usual credit card anti-fraud detection, then made massive rapid withdrawals using mules scattered around the world.

Bloomberg Pulls a News Corp on Goldman

Fri, 10 May 2013 00:00:00 +0000

From the New York Post, of all places:

Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said.

Friday Summary: May 10, 2013

Fri, 10 May 2013 00:00:00 +0000

I have never been a fan of large gatherings of people. You would never find me at a giant convention center listening to some evangelist, motivational speaker, politician, or business ‘guru’ tell me how to improve my life. I don’t stalk celebrities; participate in “million man marches”, tea party gatherings, promise-keepers, or any something-a-palooza to support a cause. I don’t have a cult-like appreciation of ‘successful’ people. It has nothing to do with a political or religious bent and I don’t fear crowds – it is a personality trait. To me group-think is a danger signal. I’m a skeptic. A contrarian. If everyone’s doing it, it must be wrong.

Database Breach Results in $45M Theft

Thu, 09 May 2013 00:00:00 +0000

Today’s big news is the hack against banking systems to pre-authenticate thousands of ATM and pre-paid debit cards. The attackers essentially modified debit card databases in several Middle Eastern banks, then leveraged their virtual cards into cash. From AP Newswire:

IaaS Encryption: How to Choose

Thu, 09 May 2013 00:00:00 +0000

There is no single right way to pick the best encryption option. Which is ‘best’ depends on a ton of factors including the specifics of the cloud deployment, what you already have for key management or encryption, the nature of the data, and so on. That said, here are some guidelines that should work in most cases.

Security earnings season in full swing

Thu, 09 May 2013 00:00:00 +0000

Most folks think you need to be a day trading financial junkie to have any interest in quarterly earnings releases and/or conference call transcripts. But you can learn a lot from following the results of your strategic security vendors and companies you don’t do business with, but who would like to do business with you. You can glean stuff about overall market health, significant problem spaces, technology innovation, and business execution.

Incite 5/8/2013: One step at a time

Wed, 08 May 2013 00:00:00 +0000

Do you ever look at your To Do list and feel like you want to just run away and hide? Me too. I talk a lot about consistent effort and not trying to hit home runs, but working for a bunch of singles and doubles. That works great for run rate activities like writing the Incite and my blog series. But I am struggling to move forward on a couple very important projects that are bigger than a breadbox and critical to the business. It is annoying the crap out of me, and I figure publicly airing my issues might help me push through them.

McAfee Gets Some NGFW Stones

Wed, 08 May 2013 00:00:00 +0000

In hindsight we should have seen this coming. I mean it’s not like McAfee even showed up for the most recent NSS Labs next-generation firewall (NGFW) test. They made noise about evolving their IPS, I mean Network Security Platform, to offer integrated firewall capabilities. But evidently it was either too hard or would have taken too long (or both) to provide a competitive product. So McAfee solved the problem by writing a $389MM check for Stonesoft.

Finger-pointing is step 1 of the plan

Tue, 07 May 2013 00:00:00 +0000

Dennis Fisher writes in Finger-Pointing on Cyberespionage does little good without a plan:

The acknowledgement from the Pentagon, in truth, feels fairly anticlimactic. It’s the equivalent of Mark McGwire admitting to using steroids-10 years after every fan in the country had already accepted that fact. At some point it becomes sort of silly to even mention it. Water is wet, ice cream is delicious and China is attacking our networks. It just is.

IaaS Encryption: Object Storage

Tue, 07 May 2013 00:00:00 +0000

Sorry, but the title is a bit of a bait and switch. Before we get into object storage encryption we need to cover using proxies for volume encryption.

Some (re)assembly required

Tue, 07 May 2013 00:00:00 +0000

Japanese Coast Guard ship (indirectly) sold to North Korea:

“The vessel was sold in a state in which information regarding operational patterns of the patrol vessel could have been obtained by some party,” an official told the paper. “We were on low security alert at that time.” That is certainly not the case these days, with heightened tensions on the Korean peninsula and the Japanese coast guard regularly involved in patrols around the disputed Diaoyu (Senkaku) islands.

The CISO’s Guide to Advanced Attackers: Evolving the Security Program

Mon, 06 May 2013 00:00:00 +0000

The tactics we have described so far are very useful for detecting and disrupting advanced attackers – even if used only in one-off situations. But you can and should establish a more structured and repeatable process – especially if you expect to be an ongoing target of advanced attackers. So you need to evolve your existing security program, including incident response capabilities. But what exactly does that mean?

2FA isn’t a big enough gun

Sun, 05 May 2013 00:00:00 +0000

The arms race goes on and on. The folks at Trusteer recently found an evolved type of malware designed to game financial institutions’ two-factor authentication (2FA) mechanisms on compromised devices. This is Darwin at work, folks – why should attackers try to rob banks, when they can mug everyone who comes out with money? Whatever gun you have, they come back with a bigger one. This is fun, right?

Now China is stealing our porn

Fri, 03 May 2013 00:00:00 +0000

Okay, it is entirely possible he paid for it, but HOW DO WE KNOW?

U.S. Finds Porn Not Secrets on Suspected China Spy’s PC

The CISO’s Guide to Advanced Attackers: Breaking the Kill Chain

Fri, 03 May 2013 00:00:00 +0000

In our last post in the CISO’s Guide to Advanced Attacks, you verified the alert, so it’s time to spring into action. This is what you get paid for – and to be candid your longevity in the CISO role directly correlates to your ability to contain the damage and recover from the attacks as quickly and efficiently as possible. But no pressure, right? So let’s work through the steps involved in breaking the kill chain, disrupting the attackers, taking counter measures, and/or getting law enforcement involved.

Friday Summary: May 3, 2013

Thu, 02 May 2013 00:00:00 +0000

I was weirdly interested in Paul Miller’s year off the Internet. Paul is a writer for The Verge, and they actually paid him to keep writing (offline) through the year instead of kicking him to the curb like most publications would have.

Getting Logstalgic

Thu, 02 May 2013 00:00:00 +0000

Good tip here in a post from the Chief Monkey about a new open source log visualization tool called Logstalgia. It basically shows web access logs visualized as a pong game. So all of you folks in my age bracket will really appreciate it. Here is the description from the project page:

Malware string in iOS app interesting, but probably not a risk

Thu, 02 May 2013 00:00:00 +0000

From Macworld: iOS app contains potential malware:

The app Simply Find It, a $2 game from Simply Game, seems harmless enough. But if you run Bitdefender Virus Scanner–a free app in the Mac App Store–it will warn you about the presence of a Trojan horse within the app. A reader tipped Macworld off to the presence of the malware, and we confirmed it.

Off topic: Cycling is the new golf

Thu, 02 May 2013 00:00:00 +0000

From the Economist:

TRADITIONALLY, business associates would get to know each other over a round of golf. But road cycling is fast catching up as the preferred way of networking for the modern professional. A growing number of corporate-sponsored charity bike rides and city cycle clubs are providing an ideal opportunity to talk shop with like-minded colleagues and clients while discussing different bike frames and tricky headwinds. Many believe cycling is better than golf for building lasting working relationships, or landing a new job, because it is less competitive.

IaaS Encryption: External Key Manager Deployment and Feature Options

Wed, 01 May 2013 00:00:00 +0000

Deployment and topology options

The first thing to consider is how you want deploy external key management. There are four options:

Incite 5/1/2013: Trailblazing Equality

Wed, 01 May 2013 00:00:00 +0000

I recently took the Boy to see “42,” which I highly recommend for everyone. It’s truly a great (though presumably dramatized) story about Jackie Robinson and Branch Rickey as they tore down the color line in major league baseball. My stepfather knew Jackie Robinson pretty well and always says great things about him. It seems the movie downplayed the abuse he took, alone, as he worked to overcome stereotypes, bigotry, and intolerance to move toward the ideal of the US founding fathers that “all men are created equal”. But importantly the movie successfully conveyed the significance of his actions and the courage of the main players.

Security Analytics with Big Data: Use Cases

Wed, 01 May 2013 00:00:00 +0000

Why do we use big data for security analytics? Aside from big data hype in the press, what motivates customers to look for new solutions? On the other side of the coin, why are vendors altering their products to use – or at least integrate with – big data? In our discussions with customers they cite performance and scalability, particularly for security event analysis. In fact this research project was originally outlined as a broad examination of the potential for big data for security analytics. The customers we speak with don’t care about generalities – they need to solve existing problems, specifically around installed SIEM and log management systems. We refocused this research on a focused need to scale beyond what they have today and get more from existing investments, and big data is a means to that end.

IaaS Encryption: Encrypting Entire Volumes

Tue, 30 Apr 2013 00:00:00 +0000

As we mentioned in our last post, there are three options for encrypting entire storage volumes:

Instance-managed
Externally-managed
Proxy

We will start with the first two today, then cover proxy encryption and some deeper details on cloud key managers (including SaaS options) next.

Gaming the pirates—literally

Mon, 29 Apr 2013 00:00:00 +0000

This is too good not to share, albeit only tangentially related to our usual SMB and enterprise focus:

A software development company posted a cracked version of their new game to pirate sites, but with a twist:

Google Glass Has Already Been Hacked By Jailbreakers

Mon, 29 Apr 2013 00:00:00 +0000

Courtesy of Forbes:

Freeman, who goes by the hacker handle “Saurik” and created the widely-used app store for jailbroken iOS devices known as Cydia, told me in a phone interview that he discovered yesterday that Glass runs Android 4.0.4, and immediately began testing previously-known exploits that worked on that version of Google’s mobile operating system. Within hours, he found that he could use an exploit released by a hacker who goes by the name B1nary last year to gain full control of Glass’s operating system.

Security Funding via Tin Cup

Mon, 29 Apr 2013 00:00:00 +0000

Folks struggling to get funding to implement security programs are a hot button of mine. I know it’s hard. I know we are expected to protect stuff with tighter budgets and fewer resources. A cornerstone of our research is effective prioritization so you can focus on the things most important to your organization. I get all that. But most folks aren’t a lot more sophisticated than passing around a tin cup during the budgeting process and hoping they get sufficient funding.

Twitter security for media companies

Mon, 29 Apr 2013 00:00:00 +0000

Twitter is worried about all the media company accounts being hacked, and has released some guidance. These aren’t exploits of Twitter itself, but of media companies, typically through phishing.

Friday Summary, April 26, 2013: Birthday Edition

Fri, 26 Apr 2013 00:00:00 +0000

On March 13th I received a birthday card. It was from my Dad. It was a nice card, it was clear he had put some thought into the card selection, and I was genuinely swayed by his thoughtful memento. On the Ides of March I received a birthday card from my grandmother. Another nice card and it was thoughtful that she remembered my birthday. Two weeks later a birthday gift arrived from my mother. Not for me, mind you, but for my wife. It was a beautiful gift, obviously expensive, and again a superbly wonderful gesture. We don’t get to keep in close contact, so I was both surprised and appreciative. April 1st a gift card arrived, this time for me, again from my mom.

Socially engineering (trading) bots

Fri, 26 Apr 2013 00:00:00 +0000

It probably went unnoticed by most of the security community, but yet another Twitter hack this week exposed more flaws with high frequency trading systems. When someone took control of the Associated Press twitter account and injected a fake news announcement that bombs had exploded in the White House, many people (unsurprisingly) believed the tweet without attempting to verify. That a 140-character message sent the stock market down in a “flash crash” – 140 points in a matter of minutes.

Incite 4/24/2013: F Perfect

Wed, 24 Apr 2013 00:00:00 +0000

Perfect is my least favorite word in the English language. Nothing is perfect. There are always things that can be improved upon, no matter how good they are. And striving for perfection is an express train to disappointment and unhappiness. I’m a card-carrying disciple of “good enough”. It doesn’t need to be perfect to add value. So I don’t obsess about typos, misplaced pixels, or any other such nonsense. Which can irritate certain business partners [and editors] at times. But I’m not going to change it. If I do work (or anything else), I get it to a point where I’m happy with it and move on.

Question everything, including the data

Tue, 23 Apr 2013 00:00:00 +0000

The good news about being in security is that you don’t have to look too far for criticism of your work. Most of the time it’s constructive criticism, so overall interaction with the security community makes your work markedly better. Which is why we live by the Totally Transparent Research process. It makes our work better.

Teaching Updated Cloud Security Class at Black Hat USA

Tue, 23 Apr 2013 00:00:00 +0000

This summer James Arlen and I are teaching the recently updated cloud security class we developed for the Cloud Security Alliance (CCSK Plus). We are pretty excited to teach this at Black Hat, and will be bringing a few extra tricks to handle the more advanced audience we expect.

Big Data Security Jazz

Mon, 22 Apr 2013 00:00:00 +0000

I tend to avoid “security jazz” blog posts – esoteric arguments contrasting what we should be doing in security against what we do today. These rants don’t really help IT professionals get their jobs done so I skip them. But this is going to be such a post because I need to talk about big data security approaches. Many of you will to stop reading at this point. But for you data architects, CISOs, and security product development teams learning about how to plan for big data security (particularly those of you who have been asking me lately) and wanting to understand the arcane research that influences my recommendations, read on.

CipherCloud Loses Argument with Internet

Mon, 22 Apr 2013 00:00:00 +0000

There are two ways to respond to criticism of your security product, especially when encryption is involved.

Respond cautiously, openly, and positively as demonstrated last week by AgileBits, the folks behind 1Password.

How to Use the 2013 Verizon Data Breach Investigations Report

Mon, 22 Apr 2013 00:00:00 +0000

A few hours after this post goes live, the Verizon Enterprise risk team will release their 2013 Data Breach Investigations Report. This is a watershed year for the report, as they are now up to 19 contributing organizations including law enforcement agencies, multiple emergency response teams (CERTs), and even potential competitors. The report covers 47,000 incidents, among which there were 621 confirmed data disclosures. This is the best data set since the start of the report, so it provides the best insight into what is going on out there.

The CISO’s Guide to Advanced Attackers: Verify the Alert

Mon, 22 Apr 2013 00:00:00 +0000

All the discussion so far in our CISO’s Guide to Advanced Attackers has been of preparation for the main event. The bell rings when an alert fires and it’s time for your incident response process to kick in. But as we have seen through our adversary analysis and intelligence gathering, “advanced attackers” present some unique challenges. In particular, they significant resources and time, which makes them difficult to deter – even if you successfully block one attack or stop a specific exfiltration, there will be more. A lot more.

Security Analytics with Big Data [New Series]

Sun, 21 Apr 2013 00:00:00 +0000

Big Data is being touted as a ‘transformative’ technology for security event analysis – promised to detect threats in the ever-increasing volume of event data generated from in-house, mobile, and cloud-based services. But a combination of PR hype, vendor positioning, and customer questions has pushed it to the top of my research agenda. Many customers are asking “Wait, don’t I already have SIEM for event analysis?” Yes, you do. And SIEM is designed and built solve the same problems – but 7-8 years ago – and it is failing to keep up with current problems. It’s not just that we’re trying to scale up to a much larger set of data, but we also need to react to events an order of magnitude faster than before. Still more troubling is that we are collecting multiple types of data, each requiring new and different analysis techniques to detect advanced attacks. Oh, and while all that slows down SIEM and log management systems, you are under the gun to identify attacks faster than before.

The CISO’s Guide to Advanced Attackers: Mining for Indicators

Sun, 21 Apr 2013 00:00:00 +0000

The key to dealing with advanced attackers is not closing off every window of vulnerability. As we have discussed throughout this series, advanced attackers will figure out a way to gain a foothold in your environment. Actually they will find multiple ways into your environment. So if you hope for any semblance of success, your goal cannot be to stop them – instead you need to work on shorteneing the window between compromise and detection. We have called that Reacting Faster and Better for years. 5 years to be exact, but who’s counting?

Token Vaults and Token Storage Tradeoffs

Fri, 19 Apr 2013 00:00:00 +0000

Use of tokenization continues to expand as customers look to simplify PCI-DSS compliance. With this increased adoption comes a lot of vendor positioning and puffery, as they attempt to differentiate their products in an increasingly competitive market. Unfortunately this competitive positioning often causes confusion among buyers, which is why I have spent the last couple mornings answering questions on FPE vs. Tokenization, and the difference between a token vault and a database. Lately most questions center on differentiating tokenization data vaults, with the expected confusion caused by vendor hyperbole. In this post I will define a token vault and shed some light on their pros and cons. My goal is to help you determine as a consumer whether vaults are something to consider when selecting a tokenization solution.

Intel Buys Mashery, or Why You Need to Pay Attention to API Security

Thu, 18 Apr 2013 00:00:00 +0000

Intel acquired API management firm Mashery today. readwrite enterprise posted a very nice write-up on how Mashery fits into the greater Intel strategy:

No news is just plain good: Friday Summary, April 18, 2013

Thu, 18 Apr 2013 00:00:00 +0000

I know the exact moment I stopped watching local news.

It was somewhere around 10-15 years ago. A toddler had died after being left locked in a car on a hot day. I wasn’t actually watching the news, but one of the screamers for the upcoming broadcast came on during a commercial break for whatever I was watching. A serious looking female reporter, in news voice, mentioned the death and how hot cars could get in the Colorado sun. Then she threw a big outdoor thermometer in a car, slammed the door, and reminded me to watch the news at 10 to see the results.

On password hashing and how to respond to security flaws

Thu, 18 Apr 2013 00:00:00 +0000

I have been learning a lot lately about password hashing since we realized our own site used an inadequate mechanism (SHA256). I am also a major fan of 1Password for password generation and management. So I held my breath while reading how to use Hashcat on 1Password data:

Run faster or you’ll catch privacy

Thu, 18 Apr 2013 00:00:00 +0000

One of the things that smacked me upside the head at a recent IANS Forum, where I run the CISO track, is the clear merging of the security and privacy functions under the purview of one executive. Of the 15 or so CISOs in the room, at least half also had responsibility for privacy. And many of them got this new responsibility as part of a recent reorganization.

Safari enables per-site Java blocking

Thu, 18 Apr 2013 00:00:00 +0000

I missed this during all my travels, but the team at Intego posted a great overview:

Meanwhile, Apple also released Safari 6.0.4 for Mountain Lion and Lion, as well as Safari 5.1.9 for Snow Leopard. The new versions of Safari give users more granular control over which sites may run Java applets. If Java is enabled, the next time a site containing a Java applet is visited, the user will be asked whether or not to allow the applet to load, with buttons labeled Block and Allow:

The CISO’s Guide to Advanced Attacks: Intelligence, the Crystal Ball of Security

Thu, 18 Apr 2013 00:00:00 +0000

As discussed in our first post in the CISO’s Guide to Advanced Attackers, the first step is to determine what kind of attack would have the greatest impact on your environment (most likely mission), so you can infer which kinds of adversaries you are likely to face. Armed with context on likely adversaries, we can move into the intelligence gathering phase. This involves learning everything we can about possible and likely adversaries, profiling probable behaviors, and determining which kinds of defenses and controls make sense to address the higher probabilities.

Incite 4/17/2013: Tipping the balance between good and evil

Wed, 17 Apr 2013 00:00:00 +0000

There are things you just can’t explain. No amount of dogma, perceived slights, or anything can excuse a senseless act of violence on unsuspecting, innocent people. Yes, I’m talking about the Boston Marathon attack, but it applies extends to any act of terrorism. I believe in karma, and the perpetrators will get their just rewards. Maybe out of the view of the public eye, but they will.

Sorry for Security Rocking

Tue, 16 Apr 2013 00:00:00 +0000

How cool would it be if LMFAO (or a reasonable proximity – Beaker, anyone?) did a security version of “Sorry for Party Rocking,” because evidently the security job market is rocking. But it offers a great perspective on the mind of the security professional. Check out the following quotes to get a feel for how things seem, which I can anecdotally validate based on the number of calls I get from CISO types looking to grow and retain their teams.

The CISO’s Guide to Advanced Attackers: Sizing up the Adversary [New Series]

Tue, 16 Apr 2013 00:00:00 +0000

Every year there seems to be a new shiny object that works security marketeers into a frenzy. The Advanced Persistent Threat hype continues to run amok 3 years in, and doesn’t seem to be abating at all. Of course there is still lot of confusion about what the APT is, and Rich’s post from early 2010 does a good job explaining our view.

Why you still need security groups with host firewalls

Tue, 16 Apr 2013 00:00:00 +0000

Security groups are the basic firewall rules associated with instances in various compute clouds. Different platforms may use different names but security group is the most common so that’s the term we will use. Basically, it is a way of defining hypervisor firewall rules. Of course this is a gross simplification – different cloud platforms enforce groups at other layers of the virtual or physical network, but you get the point. You assign instances to a security group and they inherit that rule set, which applies at a per instance level. This is key because you need to do some deeper thinking about what access rules should apply to an individual instance, which is distinctly not like a network segment with a firewall in front of it. For example you can set security group rules that restrict traffic between all instances assigned to the same security group. Thus it has traits of both a host firewall and network firewall, which is kinda cool.

Is it murder if the victim is already dead?

Sun, 14 Apr 2013 00:00:00 +0000

Sometimes seeing what you have known for years in print is helpful, even comforting. So Gartner’s Paul Proctor writing about killing compliance in cold blood is good. Paul has a bigger megaphone than the rest of us, so maybe folks will start getting on board with doing security (or risk, depending on your vernacular) and stop worrying so much about the checklists.

Friday Summary: April 12, 2013

Fri, 12 Apr 2013 00:00:00 +0000

Ever start a simple project – or perhaps ask for something simple to be done on your behalf – and get far more than you bargained for? Sometimes the seemingly simple things reach up and bite you. I was thinking about this two weeks ago, in the middle of some weekend gardening, expecting to tackle a small irrigation leak that popped up during the winter.

Unused security intelligence is, well… dumb

Fri, 12 Apr 2013 00:00:00 +0000

The hype cycle for Threat Intelligence is just getting going. It will soon join advanced malware, BYOD, and Big Data as terms that mean nothing because they have been poked, prodded, manipulated, and otherwise killed by vendor hyperbole. We have done a bunch of research into how to use threat intelligence (Early Warning, Network-based Threat Intelligence, and Email-based Threat Intelligence), so we get the value of benefiting from other folks’ misfortune and learning from how they were attacked. But I also know that our papers run 15-20 pages and usually fall into the category of tl;dr.

Gaming the Narcissist (to get what you want)

Thu, 11 Apr 2013 00:00:00 +0000

We have each probably worked for a CEO who we’d just as soon meet in a dark alley (without video surveillance), while carrying a nightstick and a taser. So when I saw Ed Moyle’s blog about Narcissistic CEOs, I was hoping it would end with “You’d better bring a mop. And a body bag.” Unfortunately Ed highlighted some research that these narcissistic douches adopt technology more aggressively (mostly due to their oversized egos) and are more likely to be successful. Humbug.

Incite 4/10/2013: 103

Wed, 10 Apr 2013 00:00:00 +0000

My paternal grandmother passed away last week at 103. No, that is not a typo. One hundred and three. Ciento tres for you Spanish speakers out there. She would have been 104 in June. That’s a long time. To give you some perspective, per the infoplease site, William Taft was president in 1909. Robert Peary and Matthew Henson reached the North Pole that year. And the big news in the medical community was finding a cure for syphilis. I’m sure that caused much rejoicing around the world. I guess before 1909 you could actually have gone blind, though my folks somehow forgot to tell me about the cure…

Should the Red (Team) be dead?

Tue, 09 Apr 2013 00:00:00 +0000

I like to see stuff that challenges common wisdom. The inimitable professor Gene Spafford of Purdue goes far against the grain in calling out the excitement of hacking competitions and red teams as counterproductive to training the next generation of security folks.

Security FUD hits investors

Mon, 08 Apr 2013 00:00:00 +0000

We ve talked a bit about the need to “be careful what we wish for,” in terms of making security a higher profile issue with senior management. Well, it’s no longer just vendors throwing FUD balloons that can splat at any time. I was perusing the Seeking Alpha investor site over the weekend when I found an article called Pandemic Cyber Security Failures Open An Historic Opportunity For Investors. Yes, I threw up a bit in my mouth when I read that headline.

Friday Summary, Gattaca Edition: April 5, 2012

Thu, 04 Apr 2013 00:00:00 +0000

Hi folks, Dave Lewis here, and it is my turn to pull the summary together this week. I’m glad for the opportunity. So, a random thought: I have made a lot of mistakes in my career and will more than likely make many more. I frequently refer to this as my well-honed ability to fall on spears.

IaaS Encryption: Protecting Volume Storage

Thu, 04 Apr 2013 00:00:00 +0000

Now that we have covered all the pesky background information, we can start delving into the best ways to actually protect data.

Appetite for Destruction

Wed, 03 Apr 2013 00:00:00 +0000

We (Rich and Gal) were chatting last week about the destructive malware attacks in South Korea. One popular theory is that patch management systems were compromised and used to spread malware to affected targets, which deleted Master Boot Records and started wiping drives (including network connected drives), even on Linux.

Brian Krebs outs possible Flashback malware author

Wed, 03 Apr 2013 00:00:00 +0000

Brian Krebs thinks he may have identified the author of the Flashback Mac malware that caused so much trouble last year. Brian is careful with accusations but displays his full investigative reporting chops as he lays out the case:

Cybersh** just got real

Wed, 03 Apr 2013 00:00:00 +0000

Huawei not expecting growth in US this year due to national security concerns (The Verge).

U.S. to scrutinize IT system purchases with ties to China (PC World):

Proposed California Data Law Will Affect Security

Wed, 03 Apr 2013 00:00:00 +0000

Threatpost reports that California is considering a law requiring companies to show consumers what data is collected on them.

Known as the “Right to Know Act of 2013,” AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. If passed, it would require any business that retains customer data to give a copy of that information, including who it has been shared with, for the past year upon request. It applies to companies that are both on – and offline.

Get Ready for Phone Security and Regulations

Tue, 02 Apr 2013 00:00:00 +0000

Emergency services providers and others are being hit with telephone-based denial of service attacks. Nasty stuff, powered by IP-based phone systems. This relates to SWATing (what hit Brian Krebs). It has become trivial to use computers to make and spoof phone calls.

An article so bad, I have to trash it

Mon, 01 Apr 2013 00:00:00 +0000

I almost didn’t write this post since it’s about iOS, and I about defending iOS security too much. Not that I think I’m biased, but I worry about being misinterpreted as an apologetic defender (I’m not – Apple still has security issues they need to work on, but iOS is in really good shape these days).

IaaS Encryption: Understanding Encryption Systems

Mon, 01 Apr 2013 00:00:00 +0000

Now that we have covered the basics of how IaaS platforms store data, we need to spend a moment reviewing the parts of an encryption system that are relevant for protecting cloud data. Encryption isn’t our only security tool, as we mentioned in our last post, but it is one of the only practical data-specific tools at our disposal in cloud computing.

1 in 6 Amazon Web Services Users Can’t Read

Fri, 29 Mar 2013 00:00:00 +0000

Rapid7 reported this week on finding a ton of sensitive information in Amazon S3. They scanned public buckets (Amazon S3 containers) by enumerating names, and concluded that 1 in 6 had sensitive information in them. People cried, “Amazon should do something about this!!”

Friday Summary: March 29, 2013

Fri, 29 Mar 2013 00:00:00 +0000

Our last nine months of research into identity and access management have yielded quite a few surprises – for me at least. Many of these new perspectives I have shared piecemeal in various blogs, and others not. But it occurred to me today, as we start getting feedback from the dozen or so IAM practitioners we have asked to critique our Cloud IAM research, that some key themes have been lost in the overall complexity of the content. I want to highlight a few points that really hit home with me, and which I think are critical for security professionals in general to understand.

DDoS Attack Overblown

Thu, 28 Mar 2013 00:00:00 +0000

Sam Biddle at Gizmodo says:

This guy, Prince said, could back up CloudFlare’s claims. This really was Web Dresden, or something. After an inquiry, I was ready to face vindication. Instead, I received this note from a spokesperson for NTT, one of the backbone operators of the Internet:

Defending Cloud Data: How IaaS Storage Works

Thu, 28 Mar 2013 00:00:00 +0000

Infrastructure as a Service storage can be insanely complex when you include operational and performance requirements. First you need to create a resource pool, which might itself be a pool of virtualized and abstracted storage, and then you need to tie it all together with orchestration to support the dynamic requirements of the cloud – such as moving running virtual machines between servers, instantly snapshotting multi-terabyte virtual drives, and other insanity.

Estimating Breach Impact

Thu, 28 Mar 2013 00:00:00 +0000

Russell Thomas and a bunch of his friends recently posted a research paper called How Bad Is It? – A Branching Activity Model to Estimate the Impact of Information Security Breaches, which attempts to provide a structure for estimating the impact of a breach. This work is necessary – we have no benchmarks, or even consensus, about what breached organizations should even be counting.

Defending Cloud Data: IaaS Encryption

Wed, 27 Mar 2013 00:00:00 +0000

Infrastructure as a Service (IaaS) is often thought of as merely as a more efficient (outsourced) version of our traditional infrastructure. On the surface you still manage things that look like simple virtualized networks, computers, and storage. You ‘boot’ computers (launch instances), assign IP addresses, and connect (virtual) hard drives. But while the presentation of IaaS resembles traditional infrastructure, the reality underneath is anything but business as usual.

Incite 3/27/2013: Office Space

Wed, 27 Mar 2013 00:00:00 +0000

A lot of folks ask me how I work from home. My answer is simple: I don’t. I have a home office, but I do the bulk of my work from a variety of coffee shops in my local area. So I give a few minutes’ thought at night to where I want to work the following day. Sometimes I have a craving for a Willy’s Burrito Bowl, which means I drive 20 minutes to one of their coffee shops in Sandy Springs. Other times I just have to have the salad bar’s chocolate mousse at Jason’s Deli, which means there are three different places that I could work that day. Lunch drives office location. For me, anyway.

Superior Security Economics

Wed, 27 Mar 2013 00:00:00 +0000

MailChimp is offering a 10% discount to customers who enable 2-factor authentication.

Impressive. Time to finish migrating our lists over to MailChimp (we only use them for the Friday Summary right now). We need to reward efforts like this.

Who’s Responsible for Cloud Security? (NetworkWorld Roundtable)

Wed, 27 Mar 2013 00:00:00 +0000

I recently participated in a roundtable for NetworkWorld, tackling the question of Who is responsible for cloud security?. First of all the picture is hilarious, especially because it shows my head photoshopped onto some dude with a tie. Like I’d wear a tie.

Developers and Buying Decisions

Tue, 26 Mar 2013 00:00:00 +0000

Matt Asay wrote a very though provoking piece on Oracle’s Big Miss: The End Of The Enterprise Era. While this blog does not deal with security directly, it does highlight a couple of important trends that effect both what customers are buying, and who is making the decisions.

Server Side JavaScript Injection on MongoDB

Tue, 26 Mar 2013 00:00:00 +0000

A couple years ago Brian Sullivan of Microsoft demonstrated blind SQLi and server-side JavaScript injection attacks on Mongo, Neo4j, and other big data engines, but this is the first time I have seen someone get a shell and bypass ASLR. From the SCRT Information Security Team Blog, they found an 0-day to do just that:

How Cloud Computing (Sometimes) Changes Disclosure

Mon, 25 Mar 2013 00:00:00 +0000

When writing about the flaw in Apple’s account recovery process last week, something set my spidey sense tingling. Something about it seemed different than other similar situations, even though exploitation was blocked quickly and the flaw fixed within about 8 hours.

Identifying vs. Understanding Your Adversaries

Mon, 25 Mar 2013 00:00:00 +0000

You read stories about badasses tracking down trolls and showing up at their houses, and you get fired up about attribution. The revenge gene is strong in humans and there is nothing like taking that Twitter gladiator out the woodshed for a little good old fashioned medieval treatment. Now, payback daydreams aside, Keith Gilbert asks a pretty important question about attribution. Do you really need to know exactly who the attacker is?

Apple Disables Account Resets in Response to Flaw

Fri, 22 Mar 2013 00:00:00 +0000

According to The Verge, someone discovered a way to take over Apple IDs using only the owner’s email address and date of birth.

Friday Summary: March 22, 2013, Rogue IT Edition

Fri, 22 Mar 2013 00:00:00 +0000

What happened to the guru? The magician? The computer expert at your company who knew everything. I have worked at firms that had several who knew IT systems inside and out. They knew every quirky little trick of how applications worked and what made them fail, and they could tell you which page of the user manual discussed the exact feature you were interested in. If something went wrong you needed a guru, and with a couple keystrokes they could fix just about anything. You knew a guru by their long hair, shabby dress, and the Star Trek paperback in their back pocket. And when you needed something technical done, you went to see them. That now seems like a distant memory. I have lately been hearing a steady stream of complaints from non-IT folks that IT does not respond to requests and does not seem to know how to get out of their own way.

New Paper: Email-based Threat Intelligence

Thu, 21 Mar 2013 00:00:00 +0000

The next chapter in our Threat Intelligence arc, which started with Building an Early Warning System and then delved down to the network in Network-based Threat Intelligence, now moves on to the content layer. Or at least one layer. Email continues to be the predominant initial attack mechanism. Whether it is to deliver a link to a malware site or a highly targeted spear phishing email, many attacks begin in the inbox.

Services are a startup’s friend

Thu, 21 Mar 2013 00:00:00 +0000

I try to read a variety of different non-security resources each week, to stay in touch with both technology and startup culture. Of course, we at Securosis are kind of a startup. We are small and we’re investing significantly in software (which is late and over budget, like all software projects). But we choose not to deal with outside investors and to have reasonable growth expectations, since ultimately we do this job because we love it. Not because we’re trying to retire any time soon.

DHS raises the deflector shields

Wed, 20 Mar 2013 00:00:00 +0000

All you IT professionals out there who want to divert attention, give your exec’s a warm and fuzzy feeling you’re saving money and making you’re users experience better, just do what the DHS did. Margaret Graves, DHS deputy CIO, pulled a page from Star Trek and flummoxed Congress with some Techno-Babble. From Network World:

Incite 3/20/2013: Falling down

Wed, 20 Mar 2013 00:00:00 +0000

I read a profile of Spanx’s Sara Blakely in Forbes Billionaires issue, and the tip that really resonated was that at dinner each night, her father would ask each child what they failed that day. Wait, what? He would be disappointed if the kids didn’t fail something because it meant they weren’t stretching far enough out of their comfort zone. Damn, I wish I thought of that.

The World’s Most Targeted Critical Infrastructure

Wed, 20 Mar 2013 00:00:00 +0000

Microsoft confirms ‘high-profile’ employee Xbox Live accounts hacked

Major vulnerability in EA’s Origin platform lets hackers overtake PCs

Anyone surprised? Games made an estimated $25.1B in 2010 in the US alone. This is an industry under constant attack – just ask Sony. I’d love to learn more security lessons from them.

Who comes up with this stuff?

Wed, 20 Mar 2013 00:00:00 +0000

Galaxy Note II security flaw lets intruders gain full device access.

Confirmed: iOS 6.1.3 Has Another Passcode Security Flaw

The iOS one in particular is very limited, but I am continuously astounded by the creativity of some of these passcode flaws. Give me SQL injection or heap sprays any day…

If you don’t know where you’re going…

Tue, 19 Mar 2013 00:00:00 +0000

How will you know when you get there? That’s the point our pal Kevin Riggins made during his first RSA Conference talk. He wrote up the talk and allowed it to be posted on the Symantec blog. Kevin uses the metaphor of the Winchester Mystery House as a clear (and rather painful) analogy for how far too many people operate their security environments.

When Bad Tech Journalism Gets Worse

Tue, 19 Mar 2013 00:00:00 +0000

Writing is hard – I get it. Tech writing is hard – I get it. Tech journalism is hard, especially when you need to translate complex technological issues into prose that the common reader (depending on your demographic) can understand. Writing about security for TidBITS and Macworld for the past 6 or so years has been an amazing educational experience as I have had to learn exactly how to walk this tightrope and explain things like memory parsing vulnerabilities and ASLR to consumers.

New Job Diligence

Mon, 18 Mar 2013 00:00:00 +0000

I am pretty upfront about my turbulent job history. Some of the issues were due to not doing enough homework up front before taking a job. But as I look back I am not sure I would have made different decisions about which jobs to take even if I had done more homework. A post at SCMagazine by Justin Somaini makes a couple good points about what questions to ask before taking a CISO job.

The Right Guy; the Wrong Crime

Mon, 18 Mar 2013 00:00:00 +0000

Internet troll “weev” sentenced to 41 months for AT&T/iPad hack

Weev is a total sociopath (not just a troll), and I have no sympathy for him. He wouldn’t know altruism if it kicked him in the nads, and I have little doubt his goal was to harm AT&T with his discovery. But, by all appearances, this is a weak case and a stretch of the Computer Fraud and Abuse Act with consequences not only for legitimate security research, but for Internet use in general.

Preparation Yields Results

Sun, 17 Mar 2013 00:00:00 +0000

As a huge NFL fan with the DTs without a game to obsess about each week, I am constantly looking for parallels between football and my daily existence. Adrian talked a bit in one of his Incite snippets last week about how Facebook uses red team exercises to make sure they are prepared for the real thing.

The Dangerous Dance of Product Reviews

Fri, 15 Mar 2013 00:00:00 +0000

One of the things I miss least about doing marketing on a daily basis is product reviews. Of course when you win it’s awesome. You can then puff up your chest and take a victory lap as the sales folks use the review to beat down the competition. But when you lose it totally sucks. And depending on the culture of the company, unless it was a clear and decisive victory, it may be taken as a loss. Which requires damage control, forcing you to spin why the test was flawed. Then you need to question the integrity of the reviewer. That makes you many friends in the media community. Basically you have to figure out a way to make manure smell like roses. And no, it doesn’t usually work.

Limit Yourself, Not Your Kids—Friday Summary: March 15, 2013

Thu, 14 Mar 2013 00:00:00 +0000

Raising children in the age of the Internet is both exhilarating and terrifying.

As a geek I am jealous of the technology my children will grow up with. You can make the argument that technology always advances, and my children will feel the same way about their offspring, but I think the genesis of the Internet is a clear demarcation line in human history.

Ramping up the ‘Cyber’ Rhetoric

Thu, 14 Mar 2013 00:00:00 +0000

The rhetoric about cyberattacks is nearly deafening. It seems like my Twitter timeline blows up every day about cyber-this or cyber-that. Makes me want to cyber-puke. Since Mandiant pointed the finger at China everyone seems to be jumping on the bandwagon of tough talk and posturing.

A Brief Privacy Breach History Lesson

Wed, 13 Mar 2013 00:00:00 +0000

The big ChoicePoint breach of 2004 was the result of criminals creating false business accounts and running credit reports on hundreds of thousands of customers (probably). Every major credit/background company has experienced this kind of breach of service going back decades – just look at the Dataloss DB.

Incite 3/13/13: Get Shorty

Wed, 13 Mar 2013 00:00:00 +0000

It’s hard to believe, but my family and I have been in Atlanta almost 9 years. The twins were babies; now they are people. Well, kind of. I grew up in the Northeast and spent many days shoveling our driveway during big snowstorms. Our 15 years in Northern Virginia provided a bit less shoveling time, but not much.

Compromising Cloud Managed Infrastructure

Tue, 12 Mar 2013 00:00:00 +0000

The Nibble security blog had a very good post on Subverting a Cloud-based Infrastructure with XSS and BEEF. They essentially constructed an XSS attack to issue network infrastructure management commands without user knowledge.

Could This Be the First Crack in the PCI Scam?

Tue, 12 Mar 2013 00:00:00 +0000

A sports clothing retailer is suing Visa to recover a $13M fine for a potential data breach.

The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based.

Email-based Threat Intelligence: Quick Wins

Tue, 12 Mar 2013 00:00:00 +0000

We are big on Quick Wins at Securosis. Mostly because we know how hard it is to justify new technology (or processes or people), and that if you can’t show value quickly on a new project, every subsequent request gets harder and harder to get through. Until you have a breach, that is. Then your successor gets carte blanche for a honeymoon period to do the stuff you were trying to do the whole time.

TripWire nCircles the Vulnerability Management Wagon

Tue, 12 Mar 2013 00:00:00 +0000

It’s funny how you suddenly remember random conversations from months ago at the strangest times. I recall having breakfast with some of my pals at TripWire at RSA 2012 (yes, 13 months ago), and them peppering me about the vulnerability management market. Obviously they were shopping for deals, but most of the big players then seemed economically out of reach for TripWire. And there was nothing economically feasible I could recommend for them in good conscience.

Email-based Threat Intelligence: Analyzing the Phish Food Chain

Mon, 11 Mar 2013 00:00:00 +0000

As we discussed in Industrial Phishing Tactics, phishing is a precursor to many attacks in the wild. Phishing attacks are designed to get victims to click something, then to share the victim’s account credentials and download malware; and of course they leave a trail like everything else. Following that trail can help you prioritize remediation activities, identify adversaries, and ultimately take action to protect both your environment and your customers. But first you must be able to analyze the email to identify the patterns to look for. And that requires a lot of email – a whole lot.

The BYOD problem is what?

Mon, 11 Mar 2013 00:00:00 +0000

In the immortal words of Jay-Z, you’ve got 99 problems but BYOD ain’t one of them. Colin Steele does a good job of putting the BYOD (and broader mobility) situation in proper context in You can’t solve BYOD because it’s not a problem

Untargeted Attack

Mon, 11 Mar 2013 00:00:00 +0000

I was perplexed by the wording of many initial reports on the recent attacks ‘against’ Apple, Facebook, Twitter, and Microsoft. Sure, maybe they were targeted, but it seems just as likely that the attackers just picked popular developer sites and harvested some big fish.

In Search of ... Data Scientists

Sun, 10 Mar 2013 00:00:00 +0000

Shiny technology objects make us happy. Admit it – you want to believe the buzzword du jour will make things better. Or less crappy. But if the capabilities and value of new technology are contingent on humans, eventually you run into the most debilitating of constraints: expertise limitations. It seems like everyone wants to talk about Big Data Analytics, but the inconvenient truth is that without the math folks Big Data doesn’t do much.

Email-based Threat Intelligence: Industrial Phishing Tactics (New Series)

Fri, 08 Mar 2013 00:00:00 +0000

Threat Intelligence comes in many shapes and sizes, all of which are helpful for Early Warning of imminent attack. After introducing the initial Early Warning concepts, we recently delved into how network telemetry and other information about your pipes can help to identify compromised devices in Network-based Threat Intelligence. We continue discussing all sorts of threat intel by focusing on phishing in our new series, Email-based Threat Intelligence. We stay true to our naming conventions.

Encryption Spending up in 2012

Fri, 08 Mar 2013 00:00:00 +0000

Thales released a 2012 survey on encryption spending trends today. In a nutshell, spending was up a modest amount for the first time in several years. From the Deep Dive post:

Security Education still an underused defense

Fri, 08 Mar 2013 00:00:00 +0000

One trend we see coming on like a freight train is the rebirth of security awareness training. Folks are working on content that doesn’t suck and enterprises are finally starting to gather data about how stupid mistakes (such as clicking phishing messages) are decreasing after training sessions. NetworkWorld recently ran an article (in their Insider section, which requires registration – boo!) providing some tips to deal with phishing.

Friday Summary: March 8, 2013.

Thu, 07 Mar 2013 00:00:00 +0000

I think I’m finally waking up. After a week at RSA where I basically don’t sleep – not all bad, mind you – it takes a while to recover. In fact Monday might as well not have happened – I certainly got nothing done. It was not for lack of trying, but I was simply part of the zombie apocalypse – but I don’t want brains, just some Captain Crunch and sleep. Today I had the ‘Oh crap!’ realization – I promised people things last week, and I need to deliver. As much as I’d like to shuffle this stuff onto Rich, he has got a new baby and won’t take my calls. Something about taking it easy and enjoying time with the family.

Understanding Cloud IAM: Buyers Guide

Thu, 07 Mar 2013 00:00:00 +0000

With our last post in this series on Understanding and Selecting Cloud Identity and Access Management, we want to help guide you through product selection. No two customer environments or lists of requirements are the same, but key decision criteria will help you narrow down the field to suitable platforms. We will provide questions to help determine which vendors offer solutions that fit your architecture, a set of criteria to measure the appropriateness of a vendor solution to your design goals, and help walk you through the evaluation process.

Use cases are your friends

Thu, 07 Mar 2013 00:00:00 +0000

As if the IBM Security Systems folks weren’t busy enough with the RSA Conference last week, they flew directly from San Francisco to Vegas for their annual Pulse Conference. Sure it’s a lot of back-patting and antennae rubbing, but there is usually a good nugget or two from their customer presentations.

Flash! And it’s gone…

Wed, 06 Mar 2013 00:00:00 +0000

We all knew the Flash was fast. But it seems Apple has made Flash so fast you can’t even use it on your Macs. Well, actually, they put some new protections in to ensure only the latest version of Flash runs on Mac OS X 10.6 and later.

Incite 3/6/2013: Karmic Balance

Wed, 06 Mar 2013 00:00:00 +0000

My career has been turbulent at times. I know that’s shocking to those of you who know me personally. When I was invited not to come to work at my last job in VA, I already had a good position at a hot start-up in Atlanta lined up. They were well aware of my situation, and once I was a free agent the deal got done quickly. I had one real estate agent selling a house in VA, and another looking for property in Atlanta. Full speed ahead.

Isolating the Security Skills Gap

Tue, 05 Mar 2013 00:00:00 +0000

It looks like Ray Umerley had a good time at the RSA Conference. Besides seeing pics on the Tweeter of him at the Ju Jitsu gathering, he took some time to document his thoughts about what he saw at the show (RSA Conference 2013: My Takeways). Ray covers security intelligence, and how as you collect more security data, it becomes more important that it be used within a security/risk management program.

Announcing the CCSK UK Train the Trainer Class in April

Mon, 04 Mar 2013 00:00:00 +0000

Clearly the world is not enough. So I’ll be getting my 007 on in the UK in early April to deliver our Cloud Security Training. We have recently updated the curriculum to the Cloud Security Alliance Guidance V3.0, and I have to say it kicks butt. Many of the hands-on exercises have been overhauled, and if you are looking to get familiar with cloud security you will want to check out this class.

Be Careful What You Wish for…Now You’re CISO

Mon, 04 Mar 2013 00:00:00 +0000

Hat tip to our pals at TripWire, who do a good job of leveraging the security community to generate interesting and entertaining content. They have a guy named David Spark who roams around the floor at trade shows like RSA and captures video. A recent video asked, What would you do if you became CISO?

New Paper: Network-based Threat Intelligence

Sun, 03 Mar 2013 00:00:00 +0000

Hot on the heels of our Building an Early Warning System paper, we have taken a much deeper look at the network aspect of threat intelligence in Network-based Threat Intelligence. We have always held to the belief that the network never lies (okay – almost never), and that provides a great basis on which to build an Early Warning System.

Friday Summary, RSA Edition: March 1, 2012

Fri, 01 Mar 2013 00:00:00 +0000

Rich here,

I need to apologize a bit for sending the Summary out a day late. As most of you know, this week is the big annual RSA Conference and we, Securosis, were busy as heck with conference activities. Between e10+, the Security Blogger’s Meetup, the Securosis Disaster Recovery Breakfast, and tons of conference meetings, it is the busiest week of our year.

Shattered Windows: the Impact of Attack Automation

Fri, 01 Mar 2013 00:00:00 +0000

In 2011, our friend Josh Corman codified “HD Moore’s Law”:

Casual Attacker power grows at the rate of Metasploit

For those who don’t know, Metasploit, created by HD Moore, is a free penetration testing framework (it is now owned by Rapid7, who also sells a commercial version). Metasploit allows an attacker to rapidly combine an exploit with a payload and initiate attacks, dramatically reducing the complexity compared to hand-coding an attack yourself. Unlike other commercial tools such as Immunity Canvas and Core Impact, Metasploit has a large community, and when new vulnerabilities or exploits become public they are typically converted into Metasploit modules extremely quickly (sometimes within hours). Once a module is published, anyone using Metasploit can leverage that attack.

About the Security Blogger’s Meetup

Wed, 27 Feb 2013 00:00:00 +0000

Seven years ago I had recently started blogging and emailed a few other bloggers to see if we should get together at the RSA Conference. Some of these people I knew, many I didn’t, and I thought it would be fun to have face to face arguments with a beer in hand, instead of behind a keyboard (with a beer in hand). Very very quickly we received offers to sponsor, and we turned it into an actual invite-only event organized by myself, Martin McKeay, and Alan Shimel, with Jennifer Leggio doing, literally, all the hard work.

Bit9 Details Breach

Wed, 27 Feb 2013 00:00:00 +0000

Bit9 released more details of how they were hacked.

The level of detail is excellent, and there seems to be minimal or no spin. There are a couple additional details it might be valuable to see (specifics of the SQL injection and how user accounts were compromised), but overall the post is clear, with a ton of specifics on some of what they are finding.

Go buy Take Control of Your Passwords

Wed, 27 Feb 2013 00:00:00 +0000

Joe Kissell, with whom I ‘work’ over at TidBITS, just published Take Control of Your Passwords.

Joe asked me to review the book ahead of time, and it should be mandatory reading (no, I don’t get a cut – that’s my honest opinion). Joe covers the range of password issues I have ranted on before, then includes specific strategies for managing them. Many of you who read this site might not need the book, but I guarantee nearly everyone you know will get something out of it, even if they only read some sections.

Looky here. Adaptive Authentication works…

Wed, 27 Feb 2013 00:00:00 +0000

It’s funny how some technologies fall out of the hype cycle and folks kind of forget about them. But that doesn’t mean these technologies don’t work any more. Au contraire, it usually means a technology works too well, and just isn’t exciting to talk about any more. Let’s take the case of adaptive authentication: using analytics to determine when to implement stronger authentication. It appears Google has started taking an adaptive approach to authentication for Gmail over the past 18 months:

Everything I need to know about security, I learned in kindergarten

Tue, 26 Feb 2013 00:00:00 +0000

Let’s just say I almost failed sharing back in kindergarten. Almost 40 years later I’m not a hell of a lot better at sharing (just ask my kids), but if you want to be good at security, you had better do better at sharing than me. Good points here by Don Srebnick (CISO of the City of NY) on using an ISAC to your advantage:

The Nexus Is Live with the Cloud Security Alliance!

Tue, 26 Feb 2013 00:00:00 +0000

After two years of development, yesterday we flipped the switch and our Nexus product is officially live with our first partner, the Cloud Security Alliance. After all the stress of a nearly-failed launch (one of our security controls decided to filter the payment system) it is incredibly exciting to have this out there for paying customers. Here are some details:

When is a Hack a Breach?

Tue, 26 Feb 2013 00:00:00 +0000

As the hubbub over Apple, Twitter, and Facebook being hacked with the Java flaw slowly ebbs, word hit late last week that Microsoft was also hit in the attack. Considering the nature of the watering hole attack, odds are that many many other companies have been affected.

The end of MDM (as we know it). Or not.

Mon, 25 Feb 2013 00:00:00 +0000

You know a technology is close to the top of the hype cycle when talking heads start calling for its demise. Zeus Kerravala goes medieval on MDM in this NetworkWorld column:

Attribution Meh. Indicators YEAH!

Fri, 22 Feb 2013 00:00:00 +0000

In addition to all the cycles we spent in our weekly research meeting trying to come up with cool t-shirt ideas featuring APT1, we also spent a bunch of time talking about the real impact of the Mandiant report, and how hacking for the Chinese is just different than what the US (and most other governments) do.

Everything is a feature (in time)

Thu, 21 Feb 2013 00:00:00 +0000

In the least surprising news of the day, the guy who sold his start-up, Zenprise, to Citrix, concluded that selling standalone MDM was a tough sell.

Friday Summary: February 22, 2013—Snow edition

Thu, 21 Feb 2013 00:00:00 +0000

I spent half an hour yesterday morning shoveling snow from the walkways around my house. Most of you reading this will think “so what”, as you see snow on an all-too-regular basis. For me, living in Phoenix, snow is something that happens once every 30 years or so. So for the first time in my life I got a snow day – and it was fun. Only 2 inches, but still, a totally alien experience here on the surface of the sun. Better still, the dogs loved it:

Why China’s Hacking is Different

Thu, 21 Feb 2013 00:00:00 +0000

One of the responses that keeps coming up as everyone discusses Mandiant’s report on APT1 is, “yeah, but China isn’t the only threat, and even the U.S. engages in offensive hacking”.

House of Cybercards

Wed, 20 Feb 2013 00:00:00 +0000

We are in the middle of what may be the single most disruptive transition in the practice of information security. Not one of technology, threats, or practices, but of politics. It is occurring in the hallways of capitals and the planning rooms of militaries, instead of in boardrooms of enterprises and startups in California and Massachusetts. This transition will define our priorities for the coming decades, as well as the winners and losers of the future.

Incite 2/20/2013: Tartar Wars

Wed, 20 Feb 2013 00:00:00 +0000

5 years. It doesn’t seem that long. It seems like yesterday I was on the phone screaming at the office manager of my (previous) dentist. He told the Boss something and then backtracked on it, and I had to write a check to fix the problem. I had just dropped my dental insurance and that little optional procedure wasn’t going to be covered as he had said it would. I told them to pound sand, which was a good move – I settled for perhaps 30% of the cost 18 months later, before it went to collection.

Twitter and OAuth Access Loophole

Wed, 20 Feb 2013 00:00:00 +0000

Brent Simmons brought up a great issue regarding the Twitter hack and the way OAuth works. Twitter’s notification to users:

Understanding Cloud IAM: Implementation Roadmap

Wed, 20 Feb 2013 00:00:00 +0000

IAM projects are complex, encompassing most IT infrastructure, and can take years to fully implement and roll out. So trying to do everything at once is a recipe for failure. So we turn our discussion to how to deploy IAM without biting off more than you can chew. We will discuss how to approach building an architectural schema for your particular organization, based on the cloud service and deployment models you have selected. Then we will create different implementation roadmaps depending your project goals and most critical business requirements.

Cars, Babes, and Money: It’s RSAC Time

Tue, 19 Feb 2013 00:00:00 +0000

Now that we have posted our RSA Conference Guide, we can get back to lampooning the annual ritual of trying to get folks to scan their badges on the show floor. Great perspective here from Ranum on the bad behavior you’ll see next week, all in the name of lead generation. I’m not sure if I should be howling or repulsed by this idea:

Mandiant Verifies, but Don’t Expect the Floodgates to Open

Tue, 19 Feb 2013 00:00:00 +0000

Unless you have been living in a cave, you know that earlier today Mandiant released a report with specific intelligence on the group they designate as APT1. No one has ever released this level of detail about state-sponsored Chinese hackers. Actually, “state-employed” is probably a better term. This is the kind of public report that could have political implications, and we will be discussing it for a long time.

The 2013 Securosis Guide to RSA

Tue, 19 Feb 2013 00:00:00 +0000

We have to admit, this year’s Securosis Guide to RSA is a little over the top.

A lot over the top.

AV’s False Sense of Security (and a possible Mac hack?)

Mon, 18 Feb 2013 00:00:00 +0000

Oh F-Secure, how you amuse me.

In a post about the hack of Facebook, F-Secure claims it is likely Macs were targeted, and that this could be related to the recent Twitter hack:

Network-Based Threat Intelligence: Quick Wins with NBTI

Mon, 18 Feb 2013 00:00:00 +0000

As we get back into Network-Based Threat Intelligence, let’s briefly revisit our first two posts. We started by highlighting the Kill Chain, which delved into the typical attack process used by advanced malware to achieve the attacker’s mission, which usually entails some kind of data exfiltration. Next we asked the 5 key questions (who, what, where, when, and how) to identify indicators of an advanced malware attack that can be captured by monitoring network traffic. With these indicators we can deploy sensors to monitor network traffic, and hopefully to identify devices exhibiting bad behavior, before real damage and exfiltration occur. That’s the concept behind the Early Warning System.

Facebook Hacked with Java Flaw

Fri, 15 Feb 2013 00:00:00 +0000

It’s Friday, so here is a quick link to The Verge’s latest. Developers infected via Java in the browser from a developer info site.

RSA Conference Guide 2013: Security Management and Compliance

Fri, 15 Feb 2013 00:00:00 +0000

Given RSA’s investment in security management technology (cough, NetWitness, cough) and the investments of the other big RSAC spenders (IBM, McAfee, HP), you will see a lot about the evolution of security management this year. We alluded to this a bit when talking about Security Big Data Analytics in our Key Themes piece, but let’s dig in a bit more…

Trust us, our CA is secure

Fri, 15 Feb 2013 00:00:00 +0000

Given the number of recent high profile CA compromises, it seems some of the folks who milk the SSL cash cow figured they should do something to sooth customer concerns about integrity. So what to do? What to do? Put a security council together to convince customers you take security seriously. From Dark Reading’s coverage of the announcement:

Big Data Holdup?

Thu, 14 Feb 2013 00:00:00 +0000

Computerworld UK ran an interesting article on how Deutsche Bank and HMRC are struggling to integrate Hadoop systems with legacy infrastructure. This is a very real problem for very large enterprises with significant investments in mainframes, Teradata, Grids, MPP, EDW, whatever. From the post:

Don’t Bring BS to a Data Fight

Thu, 14 Feb 2013 00:00:00 +0000

Thanks to a heads-up from our Frozen Tundra correspondent, Jamie Arlen, I got to read this really awesome response by Elon Musk of Tesla refuting the findings of a NYT car reviewer, A Most Peculiar Test Drive.

I’m losing track—is this ANOTHER Adobe 0-day?

Thu, 14 Feb 2013 00:00:00 +0000

As reported on Tom’s Guide, FireEye reports they have discovered a PDF 0-Day that is currently being exploited in the wild:

Quantify Me: Friday Summary: February 15, 2013

Thu, 14 Feb 2013 00:00:00 +0000

Rich here.

There are very few aspects of my life I don’t track, tag, analyze, and test. You could say I’m part of the “Quantified Self” movement if it weren’t for the fact that the only movement I like to participate in involves sitting down, usually with a magazine or newspaper.

RSA Conference Guide 2013: Application Security

Thu, 14 Feb 2013 00:00:00 +0000

So what hot trends in application security will you see at the RSA Conference? Mostly the same as last year’s trends, as lots of things are changing in security, but not much on the appsec front. Application security is a bit like security seasoning: Companies add a sprinkle of threat modeling here, a dash of static analysis there, marinate for a bit with some dynamic app testing (DAST), and serve it all up on a bed of WAF. The good news is that we see some growth in security adoption in every phase of application development (design, implementation, testing, deployment, developer education), with the biggest gains in WAF and DAST. Additionally, according to many studies – including the SANS application security practices survey – better than 2/3 of software development teams have an application security program in place.

ECC Certificates About More Than Speed

Wed, 13 Feb 2013 00:00:00 +0000

Major Update: I got a core fact incorrect, in a big way. Thanks to@ivanristic for catching it. It’s an obvious error and I wasn’t thinking things through. ECC is used at a different point than RC4 in establishing a connection, so this doesn’t necessarily affect the use of RC4. David Mortman seems to think it may be more about mobile support and speeding up SSL/TLS on smaller devices. My apologies, and I will leave the initial post up as a record of my error.

Incite 2/13/2013: Baby(sitter) on Board

Wed, 13 Feb 2013 00:00:00 +0000

The Boss and I don’t get out to see movies too often. At least for the last 12 years or so. It was hard to justify paying a babysitter for two extra hours so we could go see a movie. Quick dinner? Sure. Party with friends, absolutely. But a movie, not so much. We’d wait until Grandma came to visit, and then we’d do things like see movies and have date nights. But I’m happy to say that’s changing.

RSA Conference Guide 2013: Endpoint Security

Wed, 13 Feb 2013 00:00:00 +0000

The more things change, the more they stay the same. Endpoint security remains predominately focused on dealing with malware and the bundling continues unabated. Now we increasingly see endpoint systems management capabilities integrated with endpoint protection, since it finally became clear that an unpatched or poorly configured device may be more of a problem than fighting off a malware attack. And as we discuss below, mobile device management (MDM) is next on the bundling parade. But first things first: advanced malware remains the topic of every day, and vendors will have a lot to say about it at RSAC 2013.

Tuesday Patchapalooza

Wed, 13 Feb 2013 00:00:00 +0000

“Wait, didn’t I effing just patch that?” That was my initial reaction this morning, when I read about another Adobe Flash security update. Having just updated my systems Sunday, I was about to ignore the alerts until I saw the headline from Threatpost: Deja Vu: Another Adobe Flash Player Security Update Released:

Cycling, Baseball, and Known Unknowns

Tue, 12 Feb 2013 00:00:00 +0000

This morning, not even thinking about security, I popped off a tweet on cycling:

I have been annoyed lately, as I keep hearing people write off cycling while ignoring the fact that, despite all its flaws, cycling has a far more rigorous testing regimen than most other professional sports – especially American football and baseball. (Although baseball is taking some decent baby steps).

Directly Asking the Security Data

Tue, 12 Feb 2013 00:00:00 +0000

We have long been fans of network forensics tools to provide a deeper and more granular ability to analyze what’s happening on the network. But most of these network forensics tools are still beyond the reach (in terms of both resources and expertise) of mass markets at this point. Rocky D of Visible Risk tackles the question, “I’m collecting packets, so what now?” in his Getting Started with Network Forensics Tools post.

RSA Conference Guide 2013: Cloud Security

Tue, 12 Feb 2013 00:00:00 +0000

2012 was a tremendous year for cloud computing and cloud security, and we don’t expect anything slowdown in 2013. The best part is watching the discussion slowly march past the hype and into the operational realities of securing the cloud. It is still early days, but things are moving along steadily as adoption rates continue to chug along.

LinkedIn Endorsements Are Social Engineering

Mon, 11 Feb 2013 00:00:00 +0000

Today I popped off a quick tweet after yet another email from LinkedIn:

Please please please…

… stop endorsing me.

Seriously.

Macworld: The Everyday Agony of Passwords

Mon, 11 Feb 2013 00:00:00 +0000

My very first Macworld op-ed:

It’s hard to imagine an idea more inane than passwords. That we protect many of the most important aspects of our lives with little more than a short string of text is an extreme absurdity.

RSA Conference Guide 2013: Identity and Access Management

Mon, 11 Feb 2013 00:00:00 +0000

Usually at security events like the RSA Conference there isn’t much buzz about Identity and Access Management. Actually, identity is rarely thought of as a security technology; instead it is largely lumped in with general IT operational stuff. But 2013 feels different. Over the past year our not-so-friendly hacktivists (Anonymous) embarrassed dozens of companies by exposing private data, including account details and password information. Aside from this much more visible threat and consequence, the drive towards mobility and cloud computing/SaaS at best disrupts, and at worst totally breaks, traditional identity management concepts. These larger trends have forced companies to re-examine their IAM strategies. At the same time we see new technologies emerge, promising to turn IAM on its ear.

Saving Them from Themselves

Mon, 11 Feb 2013 00:00:00 +0000

The early stages of the Internet felt a bit like the free love era, in that people could pretty much do what they wanted, even if it was bad for them. I remember having many conversations with telecom carriers about the issues of consumers doing stupid things, getting their devices pwned, and then wreaking havoc on other consumers on the same network. For years the carriers stuck their heads in the sand, basically offering endpoint protection suites for free and throwing bandwidth at the problem.

Low Risk Doesn’t Mean It Won’t Kill You

Sun, 10 Feb 2013 00:00:00 +0000

Got an interesting link from my friend Don, who prefers to stay behind the scenes, pointing out an interesting perspective on Jared Diamond, an older guy evaluating the risks of his daily activities.

TidBITS: Isolate Flash Using Google Chrome

Sun, 10 Feb 2013 00:00:00 +0000

My latest TidBITS piece on Mac security:

Under normal circumstances, we recommend updating immediately whenever an important security patch is released, but in this case, we have a somewhat different recommendation. Instead of leaving Flash on your Mac, you can instead isolate it and thus reduce the attack surface available to the bad guys. This is both easier and require far less fuss going forward than you might think, and it is how I’ve been using my Mac for the past year or so.

Flash actively exploited on Windows and Mac; how to contain, not just patch

Fri, 08 Feb 2013 00:00:00 +0000

Adobe just released a Flash update due to active exploitation on both Macs (yes, Macs) and Windows:

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Karma is a Bit9h

Fri, 08 Feb 2013 00:00:00 +0000

First reported by Brian Krebs (as usual), security vendor Bit9 was compromised and used to infect their customers.

But earlier today, Bit9 told a source for KrebsOnSecurity that their corporate networks had been breached by a cyberattack. According to the source, Bit9 said they’d received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9’s own encryption keys.

Oracle takes another SIP of Hardware

Fri, 08 Feb 2013 00:00:00 +0000

Evidently there aren’t any interesting software companies to buy, so Oracle just dropped a cool $2B (as in Billion, sports fans) on Acme Packet. These guys build session border controllers (SBC), VoIP telecom gear. As Andy Abramson says:

PCI Guidance on Cloud Computing

Fri, 08 Feb 2013 00:00:00 +0000

The PCI Security Standards Council released a Cloud Guidance (PDF) paper yesterday. Network World calls this Security standards council cuts through PCI cloud confusion. In some ways that’s true, but in several important areas it does the opposite. Here are a couple examples:

Friday Summary, February 8, 2013: 3-dot Journalism Version

Thu, 07 Feb 2013 00:00:00 +0000

Every now and again I can’t decide what to discuss on the Friday summary, so this week I will mention all items on my mind.

Network-based Threat Intelligence: Following the Trail of Bits

Thu, 07 Feb 2013 00:00:00 +0000

Our first post in Network-based Threat Intelligence delved into the kill chain. We outlined the process attackers go through to compromise a device and steal its data. Attackers are very good at their jobs, so it’s best to assume any endpoint is compromised. But with recent advances in obscuring attacks (through tactics such as VM awareness) and the sad fact that many compromised devices lie in wait for instructions from their C&C network, you need to start thinking a bit differently about finding these compromised devices – even if they don’t act compromised.

RSA Conference Guide 2013: Network Security

Thu, 07 Feb 2013 00:00:00 +0000

After many years in the wilderness of non-innovation, there has been a lot of activity in the network security space over the past few years. Your grand-pappy’s firewall is dead and a lot of organizations are in the process of totally rebuilding their perimeter defenses. At the same time, the perimeter gradually becomes even more a mythical beast of yesteryear, forcing folks to ponder how to enforce network isolation and segmentation while the underlying cloud and virtualized technology architectures are built specifically to break isolation and segmentation.

The Increasing Irrelevance of Vulnerability Disclosure

Thu, 07 Feb 2013 00:00:00 +0000

Gunter Ollmann (now of IOActive) offers a very interesting analysis of why vulnerability disclosures don’t really matter any more.

But I digress. The crux of the matter as to why annual vulnerability statistics don’t matter and will continue to matter less in a practical sense as times goes by is because they only reflect ‘Disclosures’. In essence, for a vulnerability to be counted (and attribution applied) it must be publicly disclosed, and more people are finding it advantageous to not do that.

Bamital botnet shut down

Wed, 06 Feb 2013 00:00:00 +0000

Microsoft and Symantec today announced they have jointly taken down the command and control infrastructure of the Bamital botnet, which managed a massive click-fraud scheme. From Yahoo news:

Incite 2/6/2013: The Void

Wed, 06 Feb 2013 00:00:00 +0000

It’s over. Sunday night, when the confetti fell on the Ravens and we finished cleaning up the residual mess from the Super Bowl party, the reality set in. No NFL for months. Yeah, people will start getting fired up about spring training, but baseball just isn’t my thing. Not as a spectator sport. I can take some comfort that in the NFL being a 12-month enterprise now. In a few weeks the combine will give us a look at the next generation of football stars. Then we’ll start following free agency in early March to see who is going to be in and who is out. It’s like Project Runway, but with much higher stakes (and no Tim Gunn). I guess there are other sports to follow, like NCAA Basketball. The March Madness tournament is always fun. Until I’m blown out of all my brackets – then it’s not so fun anymore. But it’s not football.

Network-based Threat Intelligence: Understanding the Kill Chain

Wed, 06 Feb 2013 00:00:00 +0000

Our recently published Early Warning paper put forth the idea of leveraging external threat intelligence to better utilize internal data collection, further shortening the window between weaponized attack and ability to detect said attack. But of course, the Devil is in the details and taking this concept to reality means delving into actually putting these ideas into practice. There are number of different types of “threat intelligence” that can (and should) be utilized in an Early Warning context. We’ve already documented a detailed process map and metric model to undertaking malware analysis (check out our Malware Analysis Quant research). Being able to identify and search for those specific indicators of compromise on your devices can be invaluable to determine the extent of an outbreak.

RSA Conference Guide 2013: Data Security

Wed, 06 Feb 2013 00:00:00 +0000

Between WikiLeaks imploding, the LulzSec crew going to jail, and APT becoming business as usual, you might think data security was just so 2011, but the war isn’t over yet.

The Fifth Annual Securosis Disaster Recovery Breakfast

Wed, 06 Feb 2013 00:00:00 +0000

Game on!

It’s hard to imagine, but this year we are hosting the Fifth Annual RSA Conference Disaster Recovery Breakfast, in partnership with SchwartzMSL and Kulesa Faul (and possibly one more surprise guest).

The Problem with Android Patches

Wed, 06 Feb 2013 00:00:00 +0000

At the Kaspersky summit in San Juan, Puerto Rico, Chris Soghoian discussed the problem of Android user’s not updating their mobile devices to current software revisions. From Threatpost:

Great security analysis of the Evasi0n iOS jailbreak

Tue, 05 Feb 2013 00:00:00 +0000

Thanks to your friends at Accuvant labs.

Very worth reading for security pros. Peter Morgan, Ryan Smith, Braden Thomas, and Josh Thomas did an excellent job breaking it down. Here’s the security risk:

Latest to notice

Tue, 05 Feb 2013 00:00:00 +0000

In response to this SC Magazine article (thanks @pauljudge), I tweeted:

An important distinction to keep in mind when you read these articles.

New Paper: Understanding and Selecting a Key Management Solution

Tue, 05 Feb 2013 00:00:00 +0000

Yep – we are doing our very best to overload you with research this year. Here’s my latest. From the paper’s home page:

RSA Conference Guide 2013: Key Themes

Tue, 05 Feb 2013 00:00:00 +0000

It’s that time of year again. Time to get ready for a week of mayhem, debauchery, and the hunt for tchotchkes. OK, there isn’t a lot of debauchery at the RSA Conference besides the Barracuda party at the Gold Club, which we hear is an establishment of high repute. Realistically, you’ll spend most of your week fending off sales droids, gawking at booth babes (much to the chagrin of the security echo chamber), and maybe learning something about what’s new and exciting in security.

The Data Breach Triangle in Action

Tue, 05 Feb 2013 00:00:00 +0000

I refer back to Rich’s Data Breach Triangle over and over again. It’s such a clear and concise way to describe a data breach – past or potential. And we continue to see examples of how focusing on breaking one leg of the triangle works. From How the RSA Attackers Swung and Missed at Lockheed Martin on Threatpost:

If Not Java, What?

Mon, 04 Feb 2013 00:00:00 +0000

You have probably noticed some security issues with Java lately. Some vendors – including Apple – are blocking Java in order to close known and unforeseen security problems. And the claim that open source Java frameworks pose a business risk. But through this latest flame war, I have not seen an answer to the basic question:

Improving the Hype Cycle

Mon, 04 Feb 2013 00:00:00 +0000

Gartner’s Hype Cycle is one of my favorite market models. It very succinctly describes the ridiculous way PR and other external hype factors make more of a technology than it really is. When many of us show up at the RSA Conference at the end of the month, we will get our best view of the Hype Cycle in action. Most of the stuff very hyped at the show tends to be (roughly) 12 to 18 months from hitting, if it ever does.

Prepare for an iOS update in 5… 4… 3…

Mon, 04 Feb 2013 00:00:00 +0000

Evad3rs releases an iOS 6.1 jailbreak for all devices.

Update: According to @drscjmm this will not work when a passcode is set, which means we are still in pretty good shape from a security standpoint.

Understanding IAM for Cloud Services: Architecture and Design

Mon, 04 Feb 2013 00:00:00 +0000

This post will discuss the architecture and deployment models for identity and access management for cloud services. This is obviously complex – we are covering three different cloud service models (SaaS, PaaS, & IaaS); in three different deployment options (public, private, & hybrid); with a variety of communication protocols to address authentication, authorization, and provisioning. The Cloud Security Alliance has cataloged many different identity ‘standards’, but the fact that we have dozens of standards to choose from illustrates how unresolved this whole field is. Worse, each cloud provider’s standards support is likely to vary (incompatibly) from others in the field – so you will likely need custom code to connect and share identity information.

Getting Lost in the Urgent and Forgetting the Important

Sun, 03 Feb 2013 00:00:00 +0000

As usual, one of our friends has succinctly captured the heart of an issue far better than we can. Gunnar, while flattered to be considered for a Security Blogger Hall of Fame award, takes the opportunity to discuss the drop in real conversation as the Tweeter has taken time and attention from many folks who used to hold those real conversations in blogs.

A New Kind of Commodity Hardware

Fri, 01 Feb 2013 00:00:00 +0000

I was driving down the road the other day when I passed what I thought was a shipping container on the back of an 18-wheel truck. When I noticed data and power ports on the side, I realized it was a giant data center processing module. Supercomputing on wheels. Four trucks with two modules per truck, rolling down the highway. Inside reside thousands of stripped down motherboards stacked with tons of memory, packed side by side. Some of these are even designed to be filled with dielectric fluid to keep them cool. If you have not seen these things up close and personal, check out the latest article on Microsoft’s new data center

Apple blocks vulnerable Java plugin

Fri, 01 Feb 2013 00:00:00 +0000

Apple uses XProtect to block the Java browser plugin due to security concerns.

Draconian, but a good move, I think. Still, they should have notified users better for the ones who need Java in the browser (whoever that may be). You can still manually enable it to run if you need to. This doesn’t block Java itself, just the browser plugin. If complaint levels stay low, it indicates how few people use Java in the browser, and will empower Apple to make similar moves in the future.

Oracle Patches Java. Again.

Fri, 01 Feb 2013 00:00:00 +0000

What’s the over/under on this one working?

Mac users – this means XProtect won’t block it in your web browser, so if you don’t want it active be careful.

Pointing fingers is misleading (and stupid)

Fri, 01 Feb 2013 00:00:00 +0000

Everyone is all fired up that the APT is now targeting major media companies. Rich covered that in yesterday’s post, and now it seems the Wall Street Journal was also targeted by similar tactics

Twitter Hacked

Fri, 01 Feb 2013 00:00:00 +0000

Twitter announced this evening that some 250k user accounts were compromised.

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

Friday Summary: February 1, 2013

Thu, 31 Jan 2013 00:00:00 +0000

Plan. Build. Run.

It’s a pretty straightforward process. One of those things that is so simple we rarely need to even call it out. We tend to structure our research this way, even if we use different terms that are more consistent with the context at hand.

It it was easy, everyone would be doing it…

Thu, 31 Jan 2013 00:00:00 +0000

We talk a lot about Big Data Security, and over the next couple years we will talk about it a lot more. But I think articles like Big Goals for Big Data are a bit misleading.

No Limits—New York Times Hacked by China

Thu, 31 Jan 2013 00:00:00 +0000

A must-read reported by the Times itself:

For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.

Incite 1/30/2013: Email autoFAIL

Wed, 30 Jan 2013 00:00:00 +0000

It’s the end of January, which means my favorite day of the year is coming up. Yup, Super Bowl Sunday. It’s a huge bummer that the Falcons couldn’t close it out in the NFC Championship, but it was a great season nonetheless. But now on to the important stuff. We will be hosting our 8th Super Bowl party, and we get pretty festive. After this many years we have it down to a system. Pretty much.

Remember, every jailbreak is a security exploit

Wed, 30 Jan 2013 00:00:00 +0000

See update at the bottom

TechHive’s piece on the new iOS 6.1 jailbreak.

Only works on the pre-A5 processors, which means the iPhone 4S and iPad 2 and later are safe. The device must be connected to a computer for it to work.

Understanding IAM for Cloud Services: Use Cases

Wed, 30 Jan 2013 00:00:00 +0000

This post delves into why companies are looking at new Identity and Access Management technologies for cloud deployments. Cloud computing poses (sometimes subtly) different challenges and requires rethinking IAM deployments. The following use cases are the principal motivators listed by organizations moving existing applications to the cloud – both internal or external deployments – along with how they integrate with third party cloud services.

Universal Plug and Play Vulnerable to Remote Code Injection

Wed, 30 Jan 2013 00:00:00 +0000

Rapid7 has announced that the UPnP (Universal Plug and Play) service is vulnerable to remote code injection. Because this code is deployed in millions of devices – that’s the ‘Universal’ part – there are a freakishly large number of people vulnerable to this simple attack. From The H Security:

Gartner on Software Defined Security

Tue, 29 Jan 2013 00:00:00 +0000

Neil MacDonald on Software Defined Security:

Here’s what I propose: “Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on.

The Graduate: 2013 Style

Tue, 29 Jan 2013 00:00:00 +0000

When in doubt, throw money at the problem. From the Washington Post, Pentagon to boost cybersecurity force:

The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries, according to U.S. officials.

The Internet is for Pr0n

Tue, 29 Jan 2013 00:00:00 +0000

Apparently the folks at Twitter forgot the first rule of the Internet. As Avenue Q so elegantly stated, The Internet is for Porn. NetworkWorld points out a minor unintended consequence of Twitter’s new Vine video sharing application, Sex and NSFW clips flood new Vine app from Twitter. Will Apple respond?

Java Moving from Ridiculous to Surreal

Mon, 28 Jan 2013 00:00:00 +0000

Adam Gowdiak in [SE-2012-01] An issue with new Java SE 7 security features:

That said, recently made security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Marketers take the path of least resistance

Mon, 28 Jan 2013 00:00:00 +0000

Rich constantly reminds us that “correlation does not imply causation,” relevant when looking at a recent NetworkWorld article talking about the decrease in spam, which concludes that botnet takedowns and improved filtering have favorably impacted the amount of spam being sent out.

The Inside Story of SQL Slammer

Mon, 28 Jan 2013 00:00:00 +0000

A first person account at Threatpost by David Litchfield, who discovered the vulnerability which was later exploited.

Looking at my phone, I excused myself from the table and took the call; it was my brother.

Threatpost on Active Defense

Mon, 28 Jan 2013 00:00:00 +0000

Mike Mimoso has a very good article on active defense at Threatpost. (Yes, we are linking to them a lot today).

Mobile Commerce Numbers Don’t Lie

Sun, 27 Jan 2013 00:00:00 +0000

We all want security to be front and center in terms of decisions on new applications. We all follow the researchers who show time and again how mobile apps, or web apps, or pretty much anything, can and will be gamed. Yet all that doesn’t matter, as security cannot get in the way of business. Branden Williams did a great job digging into the economics of Starbucks’ stored value cards to make a pretty compelling case that this stuff will happen, whether security likes it or not.

In through the Barracuda Back Door

Fri, 25 Jan 2013 00:00:00 +0000

Given the angst, conspiracy theories, and tinfoil hats around any network/security products built in China, it’s curious to see Krebs’ story on the backdoors in Barracuda products found by Stefan Viehboeck of SEC Consult Vulnerability Lab.

Friday Summary: January 25, 2013

Thu, 24 Jan 2013 00:00:00 +0000

Will Hadoop be to NoSQL what Red Hat is to Linux? Will it become more known for commercial flavors than the open-source core? Lately I have been noticing similarities between the two life-cycles, with the embrace of packaged variants.

Symantec Realigns

Thu, 24 Jan 2013 00:00:00 +0000

Symantec released their quarterly earnings today, which is the sort of thing we usually ignore. Especially because it’s only the third quarter, and not even a playoff game (I really need to hang out with Mike less). However…

The Mid-market Security Squeeze

Thu, 24 Jan 2013 00:00:00 +0000

Most folks appreciate the challenges of securing a mid-sized company. They have important data and enough employees that someone is going to screw something up. They often don’t have the budget or infrastructure maturity to take security seriously. Many get by due more to obscurity (who is going to attack them?) than any active controls. And as automated tools make it easier to find chinks in any and every company’s armor, the seriousness of the problem is going to become much higher-profile.

Incite 1/23/2013: Sustainability

Wed, 23 Jan 2013 00:00:00 +0000

You know those overnight successes who toiled in the background for 10 years before they finally broke through? How did they get there? How did they work through the Dip to reach the other side? I am fascinated by organizations which have success year after year. They seem to take the long view, set up the foundation, and stay committed to the plan. Even when other folks push for (and get) faster results, opting for short-term fixes. These band-aids may provide a short-term pop, but rarely result in longer-term results.

HIPAA Omnibus, Meet Indifference

Tue, 22 Jan 2013 00:00:00 +0000

Do you want to know what you will be reading about in the coming weeks? HIPAA. The Department of Health and Human Services has updated the HIPAA requirements.

It’s just Dropbox. What’s the risk?

Tue, 22 Jan 2013 00:00:00 +0000

From Ben Kepes’ post: Sure Dropbox is Potentially Insecure, but Does it Matter?

First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and easily share some content.

Don’t respond to a breach like this

Mon, 21 Jan 2013 00:00:00 +0000

A student who legitimately reported a security breach was expelled from college for checking to see whether the hole was fixed.

New Paper: Building an Early Warning System

Mon, 21 Jan 2013 00:00:00 +0000

One topic that has resonated with the industry has been Early Warning. Clearly looking through the rearview mirror and trying to contain the damage from attacks already in process hasn’t been good enough, so figuring out a way to continue shortening the window between attack and detection continues to be a major objective for fairly mature security programs. Early Warning is all about turning security management on its head, using threat intelligence on attacks against others to improve your own defenses.

If the exception is the policy, you’re doing it wrong

Sun, 20 Jan 2013 00:00:00 +0000

From NATHER’S LAW OF POLICY MANAGEMENT on the Tufin blog:

That last one is of particular interest to me today, as I saw a client recently with a rule base for his firewall that was around 1000 rules long. When looking at his compliance results for policy and risk he was showing me hundreds of rules he wanted to mark as exceptions. I was puzzled – almost two thirds of his rule base consisted of exceptions to the compliance policies they were trying to enforce.

Actually, I really was a criminal…

Fri, 18 Jan 2013 00:00:00 +0000

When Mike wrote his review of Rob Graham’s post on what could define criminality on the Internet, he focused on the anonymization piece. Me? I was struck more by Rob’s “Witchcraft is not a crime” post in a very personal way:

Javapocolypse Part… Oh, I Give up Counting

Fri, 18 Jan 2013 00:00:00 +0000

It appears that Java is still vulnerable to exploit after the latest patch from Oracle.

Disabling Java completely probably isn’t possible for many of you, so I suggest you at least use a good web gateway/network IPS/NGFW that filters for malware, and something cloud or VPN based to protect mobile users. Events like this are why I’m so interested (and have been for a long time) in browser virtualization technologies (Bromium, Invincea, anyone else?).

We are all criminals

Fri, 18 Jan 2013 00:00:00 +0000

In the anger and sorrow following Aaron Swartz’s suicide, Rob Graham makes an excellent point in I conceal my identity the same way Aaron was indicted for

A different kind of APT

Thu, 17 Jan 2013 00:00:00 +0000

What happens when you work for a US critical infrastructure company and see strange connections coming into your network from China? Using the real credentials of your top programmer? You crap your pants, that’s what you do. And you figure you have been compromised by the APT and pull the alarms. But what happens when it’s actually something else. Security audit finds dev OUTSOURCED his JOB to China to goof off at work

CISO Rule #1: Don’t be a douche…

Thu, 17 Jan 2013 00:00:00 +0000

Let’s take a look at Adam Shostack’s recent post, “The Phoenix Project may be uncomfortable”.

First of all, I haven’t gotten a chance to read Gene Kim’s new book “The Phoenix Project,” but they were kind enough to send me an electronic copy and I will get to it soon. I love the idea of teaching important lessons via a fictional story, even for technology stuff. As much as I like technical books, I don’t read them. I consult them when I have a technical question. But I read stories, and learn by osmosis when plowing through a story I enjoy. In fact I wrote one a while ago using a similar tactic.

Friday Summary: January 18, 2013

Thu, 17 Jan 2013 00:00:00 +0000

I will not write about Manti Te’o.

I will not write about Manti… ah hell, who am I kidding.

My DHS Beats Your FDA

Thu, 17 Jan 2013 00:00:00 +0000

As someone who has been part of the medical field my entire life (family business before I became a paramedic) the intersection between medicine and technology is of high personal interest. I still remember the time I got in trouble at work for hacking my boss’s password so we could get into the reporting application he accidentally locked everyone out of.

Understanding IAM for Cloud Services: Integration

Thu, 17 Jan 2013 00:00:00 +0000

“The Cloud” is a term so overused and often misapplied that it has become meaningless without context. This series will discuss identity and access management as it pertains to the three major cloud service models (Infrastructure, Platform, and Software). Each of these models (SaaS, PaaS, and IaaS) presents its own unique challenge for IAM, because each model promotes different approaches and each vendor offers their own unique flavor. The cloud service model effectively acts as a set of constraints which the IAM architect must factor into their architecture.

Does Big Data Advance Security Analytics?

Wed, 16 Jan 2013 00:00:00 +0000

If you follow the security press, you know many predict that big data will transform information security. RSA recently released a security brief on security analytics with big data that mirrors the press. Depending on your perspective, security analytics with big data may be the concept that we’ll leverage big data clusters for actionable intel in coming years. Or if you talk to SIEM vendors who run on top of NoSQL repositories, the future has been here for 5 years. You may go with “none of the above”. To me it is simply a good idea that has yet to be fully implemented, which is currently just something we talk about in the security echo chamber.

Incite 1/16/2013: Emotional Whiplash

Wed, 16 Jan 2013 00:00:00 +0000

It started out great. Fantastic even. The Dome was fired up. The team started fast. Field goal. Forced punt. Matty Ice throws a pick. Then the Falcons force a fumble and get the ball back. Touchdown. Forced punt. Field goal. 13-0. Red zone stop on a huge 4th and 1. Touchdown on a bomb. Huge sack to end the half. The Falcons were up 20-0. This was it. The year they finally exorcise the playoff demons.

Beware of Self-Proclaimed Experts

Tue, 15 Jan 2013 00:00:00 +0000

“Experts” who tell you to do dumb things… are not experts

Dump anything you don’t use. Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it). That’s the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don’t need Java in your browser – disable the browser plugins.

Time to Play Nice with SCADA Kids

Tue, 15 Jan 2013 00:00:00 +0000

From the BBC:

The US government has told thousands of companies to beef up protection of computers which oversee power plants and other utilities.

Bolting on Security—at Scale

Mon, 14 Jan 2013 00:00:00 +0000

GigaOm offers a fascinating glimpse into Netflix’s EC2 architecture: Netflix shows off how it does Hadoop in the cloud:

“Hadoop is more than a platform on which data scientists and business analysts can do their work. Aside from their 500-plus-nod[sic] cluster of Elastic MapReduce instances, there’s another equally sized cluster for extract-transform-load (ETL) workloads – essentially, taking data from other sources and making it easy to analyze within Hadoop. Netflix also deploys various “development” clusters as needed, presumably for ad hoc experimental jobs.”

Happy Out of Cycle IE Patch Monday

Mon, 14 Jan 2013 00:00:00 +0000

Microsoft to release emergency Internet Explorer patch on Monday

The vulnerability, which is present in IE 6, 7 and 8, is a memory corruption issue. It can be exploited by an attacker via a drive-by download, a term for loading a website with attack code that delivers malware to a victim’s computer if the person merely visits the website.

Help Me Pick My Next Paper Topic

Mon, 14 Jan 2013 00:00:00 +0000

Hey folks,

Just a quick note that I am trying to decide between a few different topics for my next paper. If you have a moment, I could use your opinion.

Let’s Get Physical—Road Rules Edition

Mon, 14 Jan 2013 00:00:00 +0000

It’s a new year, so let’s get physical and personal. I wondered what people do about physical security specifically – how do you protect your laptop while on business travel? Hotels, airports, cars, etc. We have all seen that “road rules” can be pretty different, so what precautions do you take to ensure your laptop and devices return home safely?

Mobile Identity—WTF?

Mon, 14 Jan 2013 00:00:00 +0000

Identity management on mobile devices: How do we do it?

I have been taking a lot of calls on mobile identity issues and solutions over the last three months, and I am just as confused now as when I started looking into this subject. And I think the vendors I have spoken with are reaching, in their assessments of the right course of action and where the market is heading. If you want to implement identity on a mobile device, what do you do?

You Can’t Handle the Truth

Fri, 11 Jan 2013 00:00:00 +0000

The High Price of the Silence of Cyberwar:

In today’s debate about cyberwar, all information disclosed seems to come with an agenda. Everyone evaluating the information is forced to look not only at the information, but the motivation for revealing that information. Worse, they can question if the information not revealed is shaped differently from what is revealed. A defender who reveals information regularly and in accordance with a policy will gain credibility, and with it, the ability to better influence the debate.

$50K buys how much FDE?

Thu, 10 Jan 2013 00:00:00 +0000

Feds step up HIPAA enforcement with hospice settlement

The Hospice of North Idaho (HONI) in Hayden will pay $50,000 to avoid more costly penalties if it would have been found in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Friday Summary: January 11, 2013

Thu, 10 Jan 2013 00:00:00 +0000

Tina Slankas presented at the Phoenix ISSA chapter this week on use of patterns for building security programs – slides can be downloaded here (PDF). The thrust of her idea was to use patterns – think design patterns if you like – for putting together control frameworks to define security efforts. Tina stated she was using the definition of ‘pattern’ in a very broad way, but the essence was reusable constructs for managing different aspects of enterprise security. For example: how identity management will function at a high level, and how will it fit with other systems.

Integration vs. Segregation

Thu, 10 Jan 2013 00:00:00 +0000

But, he said, segregation of EHR data simply is not feasible or practical for integrated health systems such as Wellstar, …

Java Sucks. Again.

Thu, 10 Jan 2013 00:00:00 +0000

Zero-day in the wild, in a popular exploit kit.

From Brian Krebs:

The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java.

Most Consumers Don't Need Mac AV

Thu, 10 Jan 2013 00:00:00 +0000

I can’t believe I forgot to post here when I put the article up on TidBITS, but here you go:

DDoS: Distributed, but not evenly

Wed, 09 Jan 2013 00:00:00 +0000

It shouldn’t come as any surprise, but big financials are still suffering a wave of DDoS attacks.

DDoS is like an accidental amputation – there is no question whether it’s a problem. The trick is to know ahead of time if you are on the list, and the best thing to do is keep an eye on your peers. Not everyone needs to invest proactively in DDoS protection, but you sure as heck need a plan and a vendor contact just in case. Especially if you are big, handle money, work with (or piss off) governments located “East” (Europe, Asia, Middle, whatever), or like to poke Anonymous.

Incite 1/9/2013: Never Lost

Wed, 09 Jan 2013 00:00:00 +0000

I was in the car the other day with one of the kids, and they asked me if I ever get lost. I have a pretty good sense of direction and have been able to read maps as long as I remember. I was probably compensating for my Mom’s poor sense of direction and my general anxiety at a young age about feeling lost. But it’s different today. With the advent of ever-present GPS and decent navigation, I can say it has been a long while since I have really been lost. I get misdirected sometimes, but that lasts maybe a minute and then I figure out my way. But these gadgets are no silver bullet.

Detection vs. Protection and the Game of Words

Tue, 08 Jan 2013 00:00:00 +0000

Any time you go after an entrenched technology, there will be pushback. So it’s not surprising that some folks believe that imperva’s anti-virus study is garbage.

ENISA BYOD FTW

Mon, 07 Jan 2013 00:00:00 +0000

ENISA released a solid BYOD/Consumeriation of IT guide.

At first I was turned off by phrases in the executive summary like:

Prove It to Use It

Mon, 07 Jan 2013 00:00:00 +0000

“Last year, one billion dollars was stolen in the U.S. by Romanian hackers,” says American ambassador in Bucharest, Mark Gitenstein.

Pwn Ur Cisco Phone

Mon, 07 Jan 2013 00:00:00 +0000

what’s the deal with the cisco phone eavesdropping hack?

These phones are basically little computers. If an attacker can take control of it, they can do the same things from it that they could by using a rogue or compromised system on a network. The “eavesdropping mic” is just one of many ways the compromised phone could be used.

Understanding Identity Management for Cloud Service: The Solution Space

Mon, 07 Jan 2013 00:00:00 +0000

Adrian and Gunnar here: After spending a few weeks getting updates from Identity and Access Management (IAM) service vendors – as well as a couple weeks for winter break – we have gathered the research we need to delve into the meat of our series on Understanding and Selecting Identity Management for Cloud Services. Our introductory post outlined the topics we will cover. This series is intended as a market overview, taking a broad look at issues you need to consider when evaluating cloud-based identity support systems. The intro hinted at the reasons cloud computing models force change in our approaches to access control, but today’s post will flesh out the problems of cloud IAM.

Bored? Set up your own CA

Sun, 06 Jan 2013 00:00:00 +0000

How much does it cost to start your own CA?

The main thing you’re looking to do is to pass the WebTrust audit and associated practices that the platforms will require you to do. Microsoft has the most mature process. They have a set of rules and guidelines. If you follow them, you’re in. One of those, by the way, is that you have to be a retail CA, as opposed to an internal one or a government one. It’s best to work with Microsoft first, and once you’re in their root program move to the others. They are fair, disciplined, and helpful. Most of all, once you’ve gone through all that, it’s easier to get into the other important root stores.

Internet Explorer 8 0-Day Bypasses Patch

Fri, 04 Jan 2013 00:00:00 +0000

A good update at Threatpost:

Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.

Friday Summary: January 3, 2013

Thu, 03 Jan 2013 00:00:00 +0000

2013?!? WTF?!?!

I have this time dilation theory of aging. The older you get, the smaller a as a fraction of your existence each year is, so the shorter it feels.

Karmic Career Advancement

Thu, 03 Jan 2013 00:00:00 +0000

Levelling up in the real world.

When you are looking out for the welfare of your organization instead of focusing on what you can get for yourself, that’s when you’ll be given the chance to do more and own more.

Responses to AV articles

Thu, 03 Jan 2013 00:00:00 +0000

Technewsdaily has an interesting follow up to yesterday’s NYT article on AV effectiveness, as we covered.

I agree that using VirusTotal isn’t the best approach – far from it. But I have also heard AV-Test doesn’t use good criteria. I like the NSS Labs methodology myself, which shows higher numbers than Imperva, but much lower than most other tests. Their consumer report is free. and they also offer a companion report. But consumer products are often more different from enterprise versions than you might expect, and the tests weren’t against 0-day like the Imperva ones. These reports by NSS tested effectiveness against exploits using known vulnerabilities, rather than Imperva’s test of signature recognition of new virus variants.

SSLpocalypse, part XXII

Thu, 03 Jan 2013 00:00:00 +0000

For the short version, read Rob Graham at Errata Security.

Google detected someone attempting a man in the middle attack using a certificate issued in Turkey. TURKTRUST issued two subsidiary Certificate Authority certs which allowed whoever had them to sign any certificate they wanted, for any domain they wanted. Yes, this is how SSL works and it’s a big mess (I talked about it a little in 2011).

Yes, honeypots are new again

Thu, 03 Jan 2013 00:00:00 +0000

The Washington Post sort-of covers honeypots, but mixes in national security issues. But one paragraph is out of place, because the article doesn’t really cover strike-back:

Incite 1/2/13: Consistent Variety

Wed, 02 Jan 2013 00:00:00 +0000

Happy 2013 everybody! At the dawn of a new year, most folks think more proactively about what they want to change – and what they don’t. I have spoken many times about the need to embrace change and even to learn to love change. Change is good. Stagnation is bad. But the trouble lies in how you achieve that change – and how you react when change is forced upon you.

The New York Times on Antivirus

Wed, 02 Jan 2013 00:00:00 +0000

Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt

The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses.

Threatpost: What Have We Learned in 2012

Wed, 02 Jan 2013 00:00:00 +0000

2012: What Have We Learned

The biggest shift in 2012 was the emergence of state-sponsored malware and targeted attacks as major factors. The idea of governments developing and deploying highly sophisticated malware is far from new. Such attacks have been going on for years, but they’ve mainly stayed out of the limelight. Security researchers and intelligence analysts have seen many of these attacks, targeting both enterprises and government agencies, but they were almost never discussed openly and were not something that showed up on the front page of a national newspaper.

Friday Summary: 2012 Year End Wrap

Thu, 20 Dec 2012 00:00:00 +0000

It’s the holiday season, people are leaving for vacation, and most people have things other than security on their minds – including me – so I’ll keep today’s Friday Summary short.

Incite 12/19/2012: Celebration

Wed, 19 Dec 2012 00:00:00 +0000

As we say goodbye to Old Man 2012 and get ready to welcome Baby New Year 2013, it is time for some downtime and reflection. This will be the last Incite of the year. My focus over the next two weeks will be enjoying the accomplishments of the past 12 months. Which, by the way, is very hard for me. I came into the world with the unsatisfied gene. No matter how good it is, it can be better. No matter how much got done, I could have done more. With every accomplishment, I have already started looking towards the next goal because there are always more things to do, different windmills to tilt at, and another mountain to climb.

Friday Summary: December 13, 2012—You, Me, and Twitter

Thu, 13 Dec 2012 00:00:00 +0000

I have an on again / off again, love/hate relationship with Twitter.

Those of you who follow me might have noticed I suddenly went from barely posting to fully re-engaging with the community. Sometimes I find myself getting fed up with the navel gazing of the echo chamber, as we seem to rehash the same issues over and over again, looking for grammatical and logical gotchas in 140 characters. Twitter lacks context and nuance, and so all too easily degrades into little more than a political talk show. When I’m in a bad mood, or am drowning at work, it’s one of the first things to go.

The CloudSec Chicken or the DevOps Egg?

Thu, 13 Dec 2012 00:00:00 +0000

I am on a plane headed home after a couple days of business development meetings in Northern California, and I am starting to notice a bit of a chasm in the cloud security world.

Incite 12/12/2012: Love the Grind

Wed, 12 Dec 2012 00:00:00 +0000

As I boarded the bus, which would take me to the train, which would take me into NYC to work my engineering co-op job at Mobil Oil, I had plenty of time to think. I mostly thought about how I never wanted to be one of those folks who do a 75-90 minute commute for 25 years. Day in, day out. Take the bus to the train to the job. Leave the job, get on the train and get home at 7 or 8 pm. I was 19 at the time. I would do cool and exciting things. I’d jet around the world as a Captain of Industry. Commuting in my suit and tie was not interesting. No thanks.

Selecting an Enterprise Key Manager

Wed, 12 Dec 2012 00:00:00 +0000

Now that you have a better understanding of major key manager features and options we can spend some time outlining the selection process. This largely comes down to understanding your current technical and business requirements (including any pesky compliance requirements), and trying to plan ahead for future needs.

Building an Early Warning System: Deploying the EWS

Tue, 11 Dec 2012 00:00:00 +0000

Now that we have covered the concepts behind the Early Warning System, it’s time to put them into practice. We start by integrating a number of disparate technology and information sources as the basis of the system – building the technology platform. We need the EWS to aggregate third-party intelligence feeds and scan for those indicators within your environment to highlight attack conditions. When we consider important capabilities of the EWS, a few major capabilities become apparent:

Building an Early Warning System: Determining Urgency

Sun, 09 Dec 2012 00:00:00 +0000

The Early Warning series has leveraged your existing internal data and integrated external threat feeds, in an effort to get out ahead of the inevitable attacks on your critical systems. This is all well and good, but you still have lots of data without enough usable information. So we now focus on the analysis aspect of the Early Warning System (EWS). You may think this is just rehashing a lot of the work done through our SIEM, Incident Response, and Network Forensics research – all those functions also leverage data in an effort to identify attacks. The biggest difference is that in an early warning context you don’t know what you’re looking for. Years ago, US Defense Secretary Donald Rumsfeld described this as looking for “unknown unknowns”.

Can we effectively monitor big data?

Fri, 07 Dec 2012 00:00:00 +0000

During the big data research project I found myself thinking about how I would secure a NoSQL database if I was responsible for a cluster. One area I can’t help thinking about is Database Activity Monitoring ; how I would implement a solution for big databases? The only currently available solution I am aware of is very limited in what it provides. And I think the situation to stay that way for a long time. The ways to collect data with big data clusters, and to deploy monitoring, are straightforward. But analyzing queries will remain a significant engineering challenge. NoSQL tasks are processed very differently than on relational platforms, and the information at your disposal is significantly less.

Incite 12/5/2012: Travel Tribulations

Wed, 05 Dec 2012 00:00:00 +0000

Travel is an occupational hazard for industry analysts. There are benefits to meeting face to face with clients, and part of the gig is speaking at events and attending conferences. That means planes, trains, and automobiles. I know there are plenty of folks who fly more than I do, but that was never a contest I wanted to win. As long as I make Platinum on Delta, I’m good. I get my upgrades and priority boarding, and it works.

Enterprise Key Manager: Management Features

Mon, 03 Dec 2012 00:00:00 +0000

It’s one thing to collect, secure, and track a wide range of keys; but doing so in a useful, manageable manner demonstrates the differences between key management products.

Friday Summary: November 29, 2012

Thu, 29 Nov 2012 00:00:00 +0000

When I visit the homes of friends who are Formula One fans on race day, I am amazed. At how fanatical they are – worse than NFL and college football fans. They have the TV on for pre-race action hours before it starts. And this year’s finale was at least in a friendly time zone – otherwise they would have been up all night. But what really amazes me is not the dedication – it’s how they watch.

New Paper: Implementing and Managing Patch and Configuration Management

Thu, 29 Nov 2012 00:00:00 +0000

If you recall the Endpoint Security Management Buyer’s Guide, we identified 4 specific controls typically used to manage the security of endpoints, and divided them into periodic and ongoing controls. That paper is designed to help identify what is important, and guide you through the buying process. At the end of that process you face a key question: What now? It is time to implement and manage your new toys, so this paper provides a series of processes and practices for successfully implementing and managing patch and configuration management tools.

Incite 11/28/2012: Meet the Masters

Wed, 28 Nov 2012 00:00:00 +0000

I am not a car guy. Nor do I need an ostentatious house with all sorts of fancy things in it. Give me a comfortable place to sleep, a big TV, and fast Internet and I’m pretty content. That said, I enjoy art. The Boss and I have collected a few pieces over the years, but that has slowed down as other expenses (like, uh, the kids) have ramped up. But if someone were to drop a bag of money in our laps, we would hit an art gallery first – not a Ferrari dealer.

Enterprise Key Managers: Technical Features, Part 2

Tue, 27 Nov 2012 00:00:00 +0000

Our last post covered two of the main technical features of an enterprise key manager: deployment and client access options. Today we will finish up with the rest of the technical features – including physical security, standards support, and a discussion of Hardware Security Modules (HSMs).

Enterprise Key Manager Features: Deployment and Client Access Options

Mon, 26 Nov 2012 00:00:00 +0000

Key Manager Technical Features

Due to the different paths and use cases for encryption tools, key management solutions have likewise developed along varied paths, reflecting their respective origins. Many evolved from Hardware Security Managers (HSMs), some were built from the ground up, and others are offshoots from key managers developed for a single purpose, such as full disk or email encryption.

Building an Early Warning System: External Threat Feeds

Fri, 16 Nov 2012 00:00:00 +0000

So far we have talked about the need for Early Warning and the Early Warning Process to set the stage for the details. We started with the internal side of the equation, gaining awareness of your environment via internal data collection and baselining. This is a great beginning, but still puts you in a reactive mode. Even if you can detect an anomaly in your environment – it’s already happened and you may be too late to prevent data loss.

Friday Summary: November 16, 2012

Thu, 15 Nov 2012 00:00:00 +0000

A few weeks ago I was out in California, transferring large sums of my personal financial worth to a large rodent. This was the third time in about as many years I engaged in this activity – spending a chunk of my young children’s college fund on churros, overpriced hotel rooms, and tickets for the privilege of walking in large crowds to stand in endless lines.

Implementing and Managing Patch and Configuration Management: Leveraging the Platform

Thu, 15 Nov 2012 00:00:00 +0000

This series has highlighted the intertwined nature of patch and configuration management. So we will wrap up by talking about leverage from using a common technology base (platform) for patching and configuration. Capabilities that can be used across both functions include:

Incite 11/14/2012: 24 Hours

Wed, 14 Nov 2012 00:00:00 +0000

Sometimes things don’t go your way. Maybe it’s a promotion you don’t get. Or a deal you don’t close. Or a part in the Nutcracker that goes to someone else. Whatever the situation, of course you’re disappointed. One of the Buddhist sayings I really appreciate is “suffering results from not getting what you want. Or from getting what you don’t want.” Substitute disappointment for suffering, and there you are. We have all been there. The real question is what you do next.

Building an Early Warning System: Internal Data Collection and Baselining

Thu, 08 Nov 2012 00:00:00 +0000

Now that we have provided the reasons you need to start thinking about an Early Warning System, and a high-level idea of the process involved, it’s time to dig into the different parts of the process. Third-party intelligence, which we’ll discuss in the next post, will tell you what kinds of attacks you are more likely to see, based on what else is happening in the world. But monitoring your own environment and looking for variation from normal activity tell you whether those attacks actually ARE hitting you.

Implementing and Managing Patch and Configuration Management: Configuration Management Operations

Thu, 08 Nov 2012 00:00:00 +0000

The key high-level difference between configuration and patch management is that configuration management offers more opportunity for automation than patch management. Unless you are changing standard builds and/or reevaluating benchmarks – then operations are more of a high-profile monitoring function. You will be alerted to a configuration change, and like any other potential incident you need to investigate and determine the proper remediation as part of a structured response process.

Defending Against DoS Attacks [New Paper] and Index of Posts

Wed, 07 Nov 2012 00:00:00 +0000

We are pleased to put the finishing touches on our Denial of Service (DoS) research and distribute the paper. Unless you have had your head in the sand for the last year, you know DoS attacks are back with a vengeance, knocking down sites both big and small. It is no longer viable to ignore the threat, so we all need to think about what to do when we inevitably become a target.

Implementing and Managing Patch and Configuration Management: Patch Management Operations

Wed, 07 Nov 2012 00:00:00 +0000

Now that we have gone through all the preparation, deployed the technology, and set up policies, we need to operate our patch management environment. That will be our focus in this post. As we discussed in the Policy Definition post, there isn’t a huge amount of monthly leverage to be gained for patch management. You need to do the work of monitoring for new patches, assessing each new patch for deployment, testing the patches prior to deployment, bundling installation packages, and then installing the patches on affected devices. You will be performing each of those activities each month whether you like them or not. We have already delved into those monthy activities within the context of defining policies, so let’s take things a step deeper.

Incite 11/7/2012: And the winner is… Math

Wed, 07 Nov 2012 00:00:00 +0000

Yesterday was Election Day in the US. That means hundreds of millions of citizens braved the elements, long lines, voter suppression attempts, flaky voting machines, and other challenges to exercise our Constitutional right to choose our leaders. After waiting for about 3 hours in 2008, I got smart and voted early this year. It took me about 45 minutes and it was done.

Building an Early Warning System: The Early Warning Process

Mon, 05 Nov 2012 00:00:00 +0000

In the Introduction to the Early Warning System series, we talked about the increasing importance of threat intelligence for combating advanced attackers by understanding the tactics they are using right now against our defenses. With this intelligence, combined with information about what’s happening in your environment, you can more effectively prioritize your efforts and make better, more efficient use of your limited security resources.

Securing Big Data: Security Recommendations for Hadoop and NoSQL [New Paper]

Mon, 05 Nov 2012 00:00:00 +0000

We are pleased to announce the release of our white paper on securing big data environments. This research project provides a high-level overview of security challenges for big data environments. We cover the ways big data differs from traditional relational databases, both architecturally and operationally. We look at some of the built-in and third-party security solutions for big data clusters, and how they work with – and against – big data installations. Finally, we make a base set of recommendations for securing big data installations – we recommend several technologies to address specific threats to the data and the big data cluster itself, preferring options which can scale with the cluster. After all, security should support big data clusters, not break or hamper them.

Implementing and Managing Patch and Configuration Management: Defining Policies

Thu, 01 Nov 2012 00:00:00 +0000

So far we have focused on all the preparatory work and technology deployment that needs to happen before you can finally flip the switch and start using an endpoint security management tool in production. With the pieces in place it is now time to configure and deploy policies to prepare for the inevitable patch cycles, and to start monitoring configurations on your key devices. The first major choice is between the Quick Wins and Full Deployment processes – Quick Wins is focused on information gathering and refining priorities & policies – proving the tool’s value and making sure your results from initial testing weren’t misleading. Full Deployment is all about full coverage for all endpoint devices and users. We generally recommend you start with Quick Wins, which produces much more information and treads a bit more lightly, before jumping into Full Deployment. Who knows – you might even realign your priorities. But even after a few Quick Wins, a structured and (somewhat) patient path to Full Deployment makes the most sense.

Incite 10/31/2012: The Eye of the Goblin

Wed, 31 Oct 2012 00:00:00 +0000

My kids love Halloween. They obsess about their costumes for weeks ahead of the big day. They go back and forth with their friends to coordinate their looks. Sometimes it works (XX2 will be a candy corn with all her friends), sometimes it doesn’t (XX1 couldn’t gain consensus amongst her friends). They love to collect all sorts of candy they won’t eat and await the sugar rush when we let them partake in a few after trick or treating. They like to swing by the awesome haunted house in the neighborhood. It’s a day when they can forget about their issues, challenges, homework, and hormone drama, and just be kids.

Building an Early Warning System: Introduction [New Series]

Tue, 30 Oct 2012 00:00:00 +0000

Getting ahead of the attackers is the holy grail to security folks. A few years back some vendors sold their customers a bill of goods, claiming they could “get ahead of the threat.” That didn’t work out so well, and most of the world appreciates that security is a reactive situation. The realistic objective is to reduce the time it takes to react. We call this React Faster and Better. The foundation of the philosophy is an effective incident response process. But you can shrink the window of exploitation by leveraging cutting-edge research to help focus your efforts more effectively. You need an early warning system for perspective on what’s coming at you.

Implementing and Managing Patch and Configuration Management: Integrate and Deploy Technologies

Mon, 29 Oct 2012 00:00:00 +0000

By this point planning should be complete. You have designed your patch and configuration management processes, defined priorities to manage the devices in your environment, figured out which high-level implementation process to start with, discovered the devices in your environment, and performed initial testing to make sure the new technology doesn’t break anything. Now it’s time to integrate the patch and configuration management tools into your environment. Enough of this planning stuff, let’s get down to business! But you won’t actually remediate anything yet – the initial focus is on integrating technical components, installing agents as necessary, and preparing to flip the switch.

Implementing and Managing Patch and Configuration Management: Preparation

Fri, 26 Oct 2012 00:00:00 +0000

As we described in the Introduction to Implementing and Managing Patch and Configuration Management, endpoint hygiene is key to endpoint security management. WIth the product (or service) in hand, it’s time to get the technology implemented and providing value as quickly as possible. You know the old saying, “if you fail to prepare, you prepare to fail.” It’s actually true, and the preparation in this situation involves ensuring your processes are solid, defining device coverage and roll-out priorities, figuring out what’s already out there, and finally going through a testing phase to make sure you are ready to deploy widely. So, let’s revisit the patch and configuration management processes.

Incite 2/24/2012: Fruit Salad

Wed, 24 Oct 2012 00:00:00 +0000

Some days I miss when the kids were little. It’s not that I don’t appreciate being able to talk in full sentences, pick apart their arguments and have them understand what I’m talking about, or apply a heavy bit of sarcasm when I respond to some silly request. I don’t think I’d go back to the days of changing diapers, but there was a simplicity to child rearing back then. We don’t really appreciate how quickly time flies – at least I don’t. I blinked and the toddlers are little people. We were too busy making sure all the trains ran on time to appreciate those days.

White Paper: Tokenization vs. Encryption

Wed, 24 Oct 2012 00:00:00 +0000

We are relaunching one of our more popular white papers, Tokenization vs. Encryption: Options for Compliance. The paper was originally written to close some gaps in our existing tokenization research coverage and address common user questions. Specifically, how does tokenization differ from encryption, and how can I decide which to use? We believe tokenization is particularly important, for several reasons. First, in an evolving regulatory landscape, we need a critical examination of tokenization’s suitability for compliance. There are many possible applications of tokenization, and it’s simpler and easier to use than many other security tools. Second, we wanted to dispel the myth that tokenization is a replacement technology for encryption, when in fact it’s a complimentary solution that – in some cases – makes regulatory compliance easier. Finally, not all of the claimed use cases for tokenization are practical at this time.

Implementing and Managing Patch and Configuration Management: Introduction [New Series]

Tue, 23 Oct 2012 00:00:00 +0000

Endpoint devices have been the bane of security practitioners for as long as we can remember. Whether it’s unknowing users who click anything, folks who don’t think the rules apply to them, or the forgetful sorts who just leave their devices anywhere and everywhere, keeping control over endpoints causes heartburn at many organizations. To address these concerns, Securosis recently published our Endpoint Security Management Buyer’s Guide, which began with a list of the key issues complicating endpoint security management, including:

Friday Summary: October 19, 2012

Fri, 19 Oct 2012 00:00:00 +0000

Research. It’s what I do. And long before I started work at Securosis I had a natural inclination toward it. Researching platforms, software toolkits, hardware, whatever. I want to know all the facts, and most of the rumors and anecdotes as well. I research things furiously. I’m obsessive about it. I will spend hour upon hour trying to answer every question I come up with, looking at all aspects of a product. This job lets me really indulge that facet of my personality – it makes the job enjoyable, and is the reason some research projects go a tad longer that I originally expected. And in an odd way it’s one of the reasons I really like the name Securosis – the name Rich chose for the company before I joined in. My research habits border a bit on neurosis, so it fits.

New Paper: Pragmatic Key Management for Data Encryption

Fri, 19 Oct 2012 00:00:00 +0000

Hey everyone,

I am pleased to finally announce the release of Pragmatic Key Management for Data Encryption.

If you didn’t follow the posts that lead to this paper, the focus is on key management strategies for data encryption – rather than on certificate management, signing, or other crypto operations. I was able to narrow things down to four key strategies, and I also spend a little time talking about data encryption systems, as opposed to crypto operations (hashing, algorithms, etc.).

Defending Against DoS Attacks: the Process

Wed, 17 Oct 2012 00:00:00 +0000

As we have mentioned throughout this series, a strong underlying process is your best defense against a Denial of Service (DoS) attack. Tactics change and the attack volumes increase, but if you don’t know what to do when your site goes down it will be down for a while.

Incite 10/17/2012: Passion

Wed, 17 Oct 2012 00:00:00 +0000

One of the things about celebrating a birthday is the inevitable reflection. You can’t help but ask yourself: “Another year has gone by – am I where I’m supposed to be? Am I doing what I like to do? Am I moving in the right direction?” But what is that direction? How do you know?

New Series: Understanding and Selecting a Key Manager

Wed, 17 Oct 2012 00:00:00 +0000

Between new initiatives like cloud computing, and new mandates due to the continuous onslaught of compliance, managing encryption keys is moving from something only big banks worried about to something popping up among organizations of all sizes and shapes. Whether it is to protect customer data in a new web application or to ensure that a lost backup tape doesn’t force you to file a breach report, more and more organizations are encrypting more data in more places than ever before. And tying all of this together is the ever-present shadow of managing all those keys.

Defending Against DoS Attacks: Defense, Part 2: Applications

Thu, 11 Oct 2012 00:00:00 +0000

Whereas defending against volumetric DoS attacks requires resilient network architectures and service providers, dealing with application-targeted DoS puts the impetus for defense back squarely on your shoulders. As discussed in Attacks, overwhelming an application entails messing with its ability to manage session state and targeting weaknesses in the application stack. These attacks don’t require massive bandwidth, bot armies or even more than a well crafted series of GET or POST requests.

Friday Summary: October 12, 2012

Thu, 11 Oct 2012 00:00:00 +0000

Rich here.

If memory serves, I completed my first First Aid/CPR certification when I was around 10. I followed up with lifeguard at 16, ensuring myself a few years of employment as a seasonal professional volleyball player. I completed my EMT and 19 after being dumped by my first girlfriend, when I needed a way to occupy my free time. For some reason it’s hard to get insurance for 19 year-old-males driving things with lights and sirens, so I didn’t get onto my first fire department or ambulance company until I was nearly 21. I followed that up with paramedic at 22, and since then have been trained, worked as, and/or certified in everything from dive rescue, mountain rescue, and ski patrol to WMD and national disaster medical response.

Incite 10/10/2012: A Perfect Day

Wed, 10 Oct 2012 00:00:00 +0000

It’s just another day. So what that, many years ago, you happened to be born on that day. Yes, I am talking about birthdays. Evidently when it’s your birthday it means people should treat you nicely, let you do what you want, write you cards, and shower you with gifts. We’d probably all like that treatment the other 364 days too, right? But on your birthday I guess everyone deserves a little special treatment. Well, my birthday was this past weekend, and it was pretty much perfect.

US Returns Fire in Huawei/ZTE Report

Wed, 10 Oct 2012 00:00:00 +0000

I had a call today with a Reuters reporter about the Huawei/ZTE deal being spiked by the US government. To be honest, there’s an aspect of this story I assumed someone else would mention first, but I haven’t noticed it being explicitly stated anywhere yet.

Defending Against DoS Attacks: Defense Part 1, the Network

Tue, 09 Oct 2012 00:00:00 +0000

In Attacks, we discussed both network-based and application-targeting Denial of Service (DoS) attacks. Given the radically different techniques between the types, it’s only logical that we use different defense strategies for each type. But be aware that aspects of both network-based and application-targeting DoS attacks are typically combined for maximum effect. So your DoS defenses need to be comprehensive, protecting against (aspects of) both types. Anti-DoS products and services you will consider defend against both. This post will focus on defending against network-based volumetric attacks.

Friday Summary: October 5, 2012

Fri, 05 Oct 2012 00:00:00 +0000

Gunnar Peterson posted a presentation a while back on how being an investor makes him better at security, and conversely how being in security makes him better at investing. It’s a great concept, and my recent research on different investment techniques has made me realize how amazing his concept is. Gunnar’s presentation gets a handful of the big ideas (including defensive mindset, using data rather than anecdotes to make decisions, and understanding the difference between what is and what should be) right, but actually under-serves his concept – there are many other comparisons that make his point. That crossed my mind when reading An Investor’s Guide to Famous Last Words.

New Series: Understanding and Selecting Identity Management for Cloud Services

Thu, 04 Oct 2012 00:00:00 +0000

Adrian and Gunnar here, kicking off a new series on Identity Management for Cloud Services.

We have been hearing about Federated Identity and Single Sign-On services for the last decade, but demand for these features has only fully blossomed in the last few years, as companies have needed to integrate their internal identity management systems. The meanings of these terms has been actively evolving, under the influence of cloud computing. The ability to manage what resources your users can access outside your corporate network – on third party systems outside your control – is not just a simple change in deployment models; but a fundamental shift in how we handle authentication, authorization, and provisioning. Enterprises want to extend capabilities to their users of low-cost cloud service providers – while maintaining security, policy management, and compliance functions. We want to illuminate these changes in approach and technology. And if you have not been keeping up to date with these changes in the IAM market, you will likely need to unlearn what you know. We are not talking about making your old Active Directory accessible to internal and external users, or running LDAP in your Amazon EC2 constellation. We are talking about the fusion of multiple identity and access management capabilities – possibly across multiple cloud services. We are gaining the ability to authorize users across multiple services, without distributing credentials to each and every service provider.

Incite 10/3/2012: Cash is King

Wed, 03 Oct 2012 00:00:00 +0000

Last Friday was the end of the third calendar quarter. For you math majors out there, that’s the 3-month period ending September 30. Inevitably I had meetings and calls canceled at the last minute to deal with “end of quarter” issues. This happens every quarter, so it wasn’t surprising. Just funny.

Securing Big Data: Recommendations and Open Issues

Mon, 01 Oct 2012 00:00:00 +0000

Our previous two posts outlined several security issues inherent to big data architecture, and operational security issues common to big data clusters. With those in mind, how can one go about securing a big data cluster? What tools and techniques should you employ?

Endpoint Security Management Buyer’s Guide Published (with the Index of Posts)

Sun, 30 Sep 2012 00:00:00 +0000

We have published the Endpoint Security Management Buyer’s Guide paper, which provides a strategic view of Endpoint Security Management, addressing the complexities caused by malware’s continuing evolution, device sprawl, and mobility/BYOD. The paper focuses on periodic controls that fall under good endpoint hygiene (such as patch and configuration management) and ongoing controls (such as device control and file integrity monitoring) to detect unauthorized activity and prevent it from completing. The crux of our findings involve use of an endpoint security management platform to aggregate the capabilities of these individual controls, providing policy and enforcement leverage to decrease cost of ownership, and increasing the value of endpoint security management.

Securing Big Data: Operational Security Issues

Fri, 28 Sep 2012 00:00:00 +0000

Before I dig into today’s post I want to share a couple observations. First, my new copy of the Harvard Business Review just arrived. The cover story is “Getting Control of Big Data”. It’s telling that HBR thinks big data is a trend important enough to warrant a full spread, and feel business managers need to understand big data and the benefits and risks it poses to business. As soon as I finish this post I intend to dive into these articles. Now that I have just about finished this research effort, I look forward to contrasting what I have discovered with their perspective.

Defending Against DoS Attacks: Attacks

Thu, 27 Sep 2012 00:00:00 +0000

Our first post built a case for considering availability as an aspect of security context, rather than only confidentiality and integrity. This has been driven by Denial of Service (DoS) attacks, which are used by attackers in many different ways, including extortion (using the threat of an attack), obfuscation (to hide exfiltration), hacktivism (to draw attention to a particular cause), or even friendly fire (when a promotion goes a little too well).

Friday Summary: September 28, 2012 (A weird security week)

Thu, 27 Sep 2012 00:00:00 +0000

There was a lot of big news this week in the security world, most of it bad. Even if you skip the intro, make sure you read the Top News section.

Incite 9/27/2012: They Own the Night

Thu, 27 Sep 2012 00:00:00 +0000

Our days just keep getting longer and longer. When the kids were younger afternoons and early evenings were a blur of activities, homework, hygiene, meals, reading, and then bed. Most nights the kids were in bed by 8:30 and the Boss and I could eat in peace, watch a little TV, catch up, and basically take a breath. But since XX1 entered middle school, things have changed. The kids have adapted fine. The Boss and me, not so much.

New Research Paper: Pragmatic WAF Management

Wed, 26 Sep 2012 00:00:00 +0000

We are proud to announce a new research paper on Pragmatic Web Application Firewall Management. This paper has been a long time coming – we have been researching this topic for three years, looking for the right time to discuss WAF’s issues.

My Security Fail (and Recovery) for the Week

Tue, 25 Sep 2012 00:00:00 +0000

I remember sitting at lunch with a friend and well-respected member of our security community as I described the architecture we used to protect our mail server. I’m not saying it’s perfect, but this person responded with, “that’s insane – I know people selling 0-days to governments that don’t go that far”. On another occasion I was talking with someone with vastly more network security knowledge and experience than me; someone who once protected a site attacked daily by very knowledgeable predators, and he was… confused as to why I architected the systems like I did.

Securing Big Data: Architectural Issues

Tue, 25 Sep 2012 00:00:00 +0000

In the previous post we went to some length to define what big data is – because the architectural model is critical to understanding how it poses different security challenges than traditional databases, data warehouses, and massively parallel processing environments.

Another Inflection Point

Mon, 24 Sep 2012 00:00:00 +0000

Rich Mogull recently posted a great stream of consciousness piece about how we are at an inflection point in information security. He covers how cloud and mobility are having, and will continue to have, a huge impact on how we practice security. Rich mentions four main areas of impact:

Friday Summary: September 21, 2012

Fri, 21 Sep 2012 00:00:00 +0000

Adrian here …

I had a few surgical procedures over the past few weeks. They corrected some vascular defects that were causing several problems, some of which had been coming on for such a long time I was unaware that there was an issue. The whole boiling frog in a beaker concept. And with the slow progression I was ignorant of the extent of the damage it was causing. The good news is that procedures were successful and their positive benefit was far greater than I anticipated.

Incite 9/20/2012: Scabs

Thu, 20 Sep 2012 00:00:00 +0000

You will probably read this on Thursday or even Friday, and that’s late. This week got all screwed up. It’s a little matter of a bunch of things happening at the same time, mostly personal, all good. So Monday was a holiday for me and starts the fall renewal process where I don’t set goals and don’t worry about what I’m striving for any more. It also turns out Monday night was the Falcons home opener. Many of my ATL buddies consider me a sinner for going to a football game on the High Holy Days. As I told the Boss, “Football is my other religion,” so there was never a question whether I would go.

Inflection

Wed, 19 Sep 2012 00:00:00 +0000

Hang with me as I channel my inner Kerouac (minus the drugs, plus the page breaks) and go all stream of consciousness. To call this post an “incomplete thought” would be more than a little generous.

Securing Big Data: Security Issues with Hadoop Environments

Wed, 19 Sep 2012 00:00:00 +0000

How do I secure “big data”? A simple and common question. But one without a direct answer – simple or otherwise.

Attend Gunnar’s Kick-A Mobile Security and Development Class

Tue, 18 Sep 2012 00:00:00 +0000

Our very own Gunnar Peterson is co-presenting what looks like an insanely awesome mobile application security class.

And with a name like The Mobile App Sec Triathlon you know I am interested.

It’s Time for Enterprises to Support a “Backup” Browser

Tue, 18 Sep 2012 00:00:00 +0000

In today’s news we see yet another zero-day Internet Explorer exploit being used in the wild.

And once again, soon after becoming public, an exploit was added to Metasploit. Well, sort of. While the in-the-wild attack only works against Windows XP, the Metasploit version works against Windows 7 and Vista. (Note that IE 10 isn’t affected).

Defending Against Denial of Service (DoS) Attacks—New Series

Thu, 13 Sep 2012 00:00:00 +0000

For years security folks have grumbled about the role compliance has assumed in driving investment and resource allocation in security. It has all been about mandates and regulatory oversight, which drive a focus on protection, ostensibly to prevent data breaches. We have spent years in the proverbial wilderness focused entirely on the “C” (Confidentiality) and “I” (Integrity) aspects of the CIA triad, mostly neglecting the “A” (Availability). But that hasn’t worked out too well.

Friday Summary: September 14, 2012

Thu, 13 Sep 2012 00:00:00 +0000

Rich here.

Way way back in my earliest Gartner days one of my first speaking engagements was a series of three-city tours where I was paired up with an extremely experienced telecom analyst. I was still in my twenties, and probably wasn’t qualified to wash my privates – never mind advise anyone on their security strategy.

Incite 9/12/2012: Individuality

Wed, 12 Sep 2012 00:00:00 +0000

It seems like so long ago that I read the Opposites board books to the kids when they were toddlers. And it was. Today XX2 and the Boy turn 9. It’s hard to believe how quickly the time has flown. Just yesterday I was emailing with an old colleague and I figured his youngest daughter must be in college by now. Turns out she graduated last year and is now in a PhD program. I’m no spring chicken anymore, that’s for sure.

Friday Summary: September 7, 2012

Fri, 07 Sep 2012 00:00:00 +0000

I thought 35 years later, Voyager 1 is heading for the stars was very cool. It brought back many memories of starting my career at Jet Propulsion Laboratories. Voyager had been in space for a decade when I started there, but these satellites were just starting to send the stunning images back from Saturn and Jupiter. Every morning people got into work early just to see what data was sent back from the night before. Friends were processing the images, doing error and color corrections, and we were seeing other planets up close and personal for the first time. We used to get copies provided to us as employees, many with color enhancement to highlight certain features of the planets and moons. It added an element of excitement to my early career that almost made us forget we were at work.

Incite 9/4/2012: Dealing with Dealers

Wed, 05 Sep 2012 00:00:00 +0000

Back in March I mentioned it was about time for a new set of wheels. Of course nothing happens quickly in my world, so it wasn’t until mid-June that I got serious about a new car. You’d figure a guy like me would relish the opportunity to sit across from a car salesperson and beat them into submission to get the best deal. I’m not the kind of guy to blink, and I’d just as soon walk out if I don’t get what I want. Turns out I’ve been there and done that, and despite living to tell the tale, I have learned there is a better way to skin this specific cat.

Friday Summary: August 31, 2012

Thu, 30 Aug 2012 00:00:00 +0000

Rich here.

Yesterday I published an article over at Macworld on the New Java exploits, and why Mac users likely aren’t at risk. As with many previous articles on Mac security, I’m getting really positive feedback. Heck, I have even had people tell me that I’m currently writing the best stuff out there on Apple security overall.

Incite 8/29/2012: Always on the Run

Wed, 29 Aug 2012 00:00:00 +0000

Wake up. Get the kids ready for school. Exercise (maybe). Drink some coffee. Write. Make calls. Eat (sometimes too much). Write some more. Make more calls. Drink more coffee. Think some big thoughts. Pick up the kids from some activity. Have dinner. Get the kids to bed. Maybe get back to writing. Maybe watch a little TV. Go to bed much too late. Wake up and do it again. That’s an oversimplified view of my life, but it’s not far off.

Friday Summary: August 24, 2012.

Fri, 24 Aug 2012 00:00:00 +0000

This will probably sound weird, but for the first time in many years I am bummed that summer is ending. This is odd because I’m not really into vacations. I have only taken a real vacation – which I define as my wife and myself leaving the house together for more than 24 hours – twice in the last twelve years. And one of those vacations was a disaster I would not care to relive – drunken friends and crashing houseboats onto rocks is something I can do without. Anyway, vacations are just not something we really do. And when you have as many critters as we do – each needing regular attention – going anywhere gets a bit difficult. I travel a lot as part of this job, so I have no need to “get away” for its own sake. I’m happy to putter around the house, and I have made my home a great place to take time off.

Pragmatic WAF Management: Securing the WAF

Fri, 24 Aug 2012 00:00:00 +0000

WAFs themselves are an application, and as such they provide additional attack surface for your adversaries. Their goal isn’t necessarily to compromise the WAF itself (though that’s sometimes a bonus) – the short-term need is evasion. If attackers can figure out how to get around your WAF, many of its protections become moot. Your WAF needs to be secured, just like any other device sitting out there and accessible to attackers. So let’s start by discussing device security, including deployment and provisioning entitlements. Then we can get into some evasion tactics you are likely to see, before wrapping up with a discussion of the importance of testing your WAFs on an ongoing basis.

Incite 8/22/2012: Cassette Legends

Wed, 22 Aug 2012 00:00:00 +0000

The impact of technology cannot be overstated. Not compared to when I was a kid. So we were having dinner over the weekend and XX2 started changing the lyrics to Michael Jackson’s Beat It, by crooning out “Eat It.” Of course, I mentioned that she was creative but hardly original and that Weird Al Yankovic recorded that exact song some 20 years ago. Then the Boy piped in with the chorus to Weird Al’s other Michael Jackson parody, “Fat.” Wait, what?

Endpoint Security Management Buyer’s Guide: 10 Questions

Tue, 21 Aug 2012 00:00:00 +0000

Normally we wrap up each blog series with a nice summary that goes through the high points of our research and summarizes what you need to know. But this is a Buyer’s Guide, so we figured it would be more useful to summarize with 10 questions. With apologies to Alex Trebek, here are the 10 key questions we would ask if we were buying an endpoint security management product or service.

Endpoint Security Management Buyer’s Guide: Platform Buying Considerations

Mon, 20 Aug 2012 00:00:00 +0000

As we wrap up the Endpoint Security Management Buyer’s Guide, we have already looked at the business impact of managing endpoint security and the endpoint security management lifecycle, and dug into the periodic controls (patch and configuration management) and ongoing controls (device control and file integrity monitoring). We have alluded to the platform throughout the posts, but what exactly does that mean? What do you need the platform to do?

[New White Paper] Understanding and Selecting Data Masking Solutions

Thu, 16 Aug 2012 00:00:00 +0000

Today we are launching a new research paper on Understanding and Selecting Data Masking Solutions.

As we spoke with vendors, customers, and data security professionals over the last 18 months, we felt big changes occurring with masking products. We received many new customer inquires regarding masking, often for use cases outside the classic normal test data creation. We wanted to discuss these changes and share what we see with the community. Our goal has been to ensure the research addresses common questions from both technical and non-technical audiences. We did our best to cover the business applications of masking in a non-technical, jargon-free way. Not everyone who is interested in data security has a degree in data management or security, so we geared the first third of the paper to problems you can reasonably expect to solve with masking technologies. Those of you interested in the nut and bolts need not fear – we drill into the myriad of technical variables later in the paper.

Endpoint Security Management Buyer’s Guide: Ongoing Controls—File Integrity Monitoring

Thu, 16 Aug 2012 00:00:00 +0000

After hitting on the first of the ongoing controls, device control, we now turn to File Integrity Monitoring (FIM). Also called change monitoring, this entails monitoring files to see if and when files change. This capability is important for endpoint security management. Here are a few scenarios where FIM is particularly useful:

Friday Summary: August 17, 2012

Thu, 16 Aug 2012 00:00:00 +0000

Rich here…

Some weeks I can’t decide if I should write something personal, professional, or technical in the Summary intro. Especially when I’m absolutely slammed and haven’t been blogging. This week I’ll err on the side of personal, and I’m sure you all will give me a little feedback if you prefer the geeky.

Pragmatic WAF Management: Application Lifecycle Integration

Thu, 16 Aug 2012 00:00:00 +0000

As we have mentioned throughout this series, the purpose of a WAF is to protect web facing applications from attacks. We can debate build-security-in versus bolt-security-on ad infinitum, but ultimately the answer is both. In the last post we discussed how to build and maintain WAF policies to protect applications, but you also need to adapt your development process to incorporate knowledge of typical attack tactics into code development practices to address application vulnerabilities over time. This involves a two-way discussion between WAF administrators and developers. Developers do their part helping security folks understand applications, what input values should look like, and what changes are expected in upcoming releases. This ensures the WAF rules remain in sync with the application.

Incite 8/15/2012: Fear (of the Unknown)

Wed, 15 Aug 2012 00:00:00 +0000

FDR was right. We have nothing to fear, but fear itself. Of course, that doesn’t help much when you face the unknown and are scared. XX1 started middle school on Monday, so as you can imagine she was a bit anxious on Sunday night. The good news is that she made it through the first day. She even had a good attitude when her bus was over an hour late because of some issue at the high school. She could have walked the 3 miles home in a lot less time.

Endpoint Security Management Buyer’s Guide: Ongoing Controls—Device Control

Tue, 14 Aug 2012 00:00:00 +0000

As we discussed in the Endpoint Security Management Lifecycle, there are controls you run periodically and others you need to use on an ongoing basis. We tackled the periodic controls in the previous post, so now let’s turn to ongoing controls, which include device control and file integrity monitoring. The periodic controls post was pretty long, so we decided to break ongoing controls into two pieces. We will tackle device control in this post.

Pragmatic WAF Management: Policy Management

Mon, 13 Aug 2012 00:00:00 +0000

To get value out of your WAF investment – which means blocking threats, keeping unwanted requests and malware from hitting applications, and virtually patching known vulnerabilities in the application stack – the WAF must be tuned regularly. As we mentioned in our introduction, WAF is not a “set and forget” tool – it’s a security platform which requires adjustment for new and evolving threats.

Friday Summary: August 10, 2012

Fri, 10 Aug 2012 00:00:00 +0000

This Summary is a short rant on how most firms appear baffled about how to handle mobile and cloud computing. Companies tend to view the cloud and mobile computing as wonderful new advancements, but unfortunately without thinking critically about how customers want to use these technologies – instead they tend to project their own desires onto the technology. Just as I imagine early automobiles were saddled with legacy holdovers from horse-drawn carriages, when they were in fact something new. We are in that rough transition period, where people are still adjusting to these new technologies, and thinking of them in old and outmoded terms.

Tech media has fallen down, and it can’t get up

Thu, 09 Aug 2012 00:00:00 +0000

I’m going to rant a bit this morning. I’m due. Overdue, in fact. I have been far too well behaved lately. But as I mentioned in this week’s Incite, summer is over and it’s time to stir the pot a bit.

Endpoint Security Management Buyer’s Guide: Periodic Controls

Wed, 08 Aug 2012 00:00:00 +0000

As we discussed in the Endpoint Security Management Lifecycle, there are controls you use periodically and controls you need to run on an ongoing basis. This post will dig into the periodic controls, including patch and configuration management.

Incite 8/8/2012: The Other 10 Months

Wed, 08 Aug 2012 00:00:00 +0000

It’s hard to believe, but the summer is over. Not the brutally hot weather – that’s still around and will be for a couple more months in the ATL. But for my kids, it’s over. We picked the girls up at camp over the weekend and made the trek back home. They settled in pretty nicely, much better than the Boy.

Pragmatic WAF Management: the WAF Management Process

Fri, 03 Aug 2012 00:00:00 +0000

As we discussed previously in The Trouble with WAFs, there are many reasons WAFs frustrate both security and application developers. But thanks to the ‘gift’ of PCI, many organizations have a WAF in-house, and now they want to use it (more) effectively. Which is a good thing, by the way. We also pointed out that many of the WAF issues our research has discovered were not problems with technology. There is entirely too much failure to effectively manage WAF.

Endpoint Security Management Buyer’s Guide: the ESM Lifecycle

Thu, 02 Aug 2012 00:00:00 +0000

As we described in The Business Impact of Managing Endpoint Security, the world is complex and only getting more so. You need to deal with more devices, mobility, emerging attack vectors, and virtualization, among other things. So you need to graduate from the tactical view of endpoint security.

Friday Summary, TdF Edition: August 3, 2012

Thu, 02 Aug 2012 00:00:00 +0000

Rich here.

Two weeks ago I got to experience something that wasn’t on the bucket list because it was so over the top I lacked the creativity to even think of putting it on the bucket list.

Incite 8/1/2012: Media Angst

Wed, 01 Aug 2012 00:00:00 +0000

Obviously bad news sells. If you have any doubt about that, watch your local news. Wherever you are. The first three stories are inevitably bad news. Fires, murders, stupid political fiascos. Then maybe you’ll see a human interest story. Maybe. Then some sports and the weather and that’s it. Let’s just say I haven’t watched any newscast in a long time. But this focus on negativity has permeated every aspect of the media, and it’s nauseating.

Pragmatic WAF Management: The Trouble with WAF

Wed, 01 Aug 2012 00:00:00 +0000

We kicked off the Pragmatic WAF series by setting the stage in the last post, highlighting the quandary WAFs represent to most enterprises. On one hand, compliance mandates have made WAF the path of least resistance for application security. Plenty of folks have devoted a ton of effort to making WAF work, and they are now looking for even more value, above and beyond the compliance checkbox.

New Series: Pragmatic WAF Management

Tue, 31 Jul 2012 00:00:00 +0000

Outside our posts on ROI and ALE, nothing has prompted as much impassioned debate as Web Application Firewalls (WAFs). Every time someone on the Securosis team writes about Web App Firewalls, we create a mini firestorm. The catcalls come from all sides: “WAFs Suck”, “WAFs are useless”, and “WAFs are just a compliance checkbox product.” Usually this feedback comes from pen testers who easily navigate around the WAF during their engagements. The people we poll who manage WAFs – both employees and third party service providers – acknowledge the difficulty of managing WAF rules and the challenges of working closely with application developers. But at the same time, we constantly engage with dozens of companies dedicated to leveraging WAFs to protect applications. These folks get how WAFs impact their overall application security approach, and are looking for more value from their investment by optimizing their WAFs to reduce application compromises and risks to their systems.

Endpoint Security Management Buyer’s Guide: The Business Impact of Managing Endpoints

Mon, 30 Jul 2012 00:00:00 +0000

Keeping track of 10,000+ of anything is a management nightmare. With ongoing compliance oversight, and evolving security attacks taking advantage of vulnerable devices, getting a handle on what’s involved in managing endpoints becomes more important every day. Complicating matters is the fact that endpoints now include all sorts of devices – including a variety of PCs, mobiles, and even kiosks and other fixed function devices. We detailed our thoughts on endpoint security fundamentals a few years back, and much of that is still very relevant. But we didn’t continue to the next logical step: a deeper look at how to buy these technologies.

Incite 7/25/2012: Detox

Wed, 25 Jul 2012 00:00:00 +0000

What is normal? It changes most every day, especially when you are 8. We picked up the Boy from a month away at camp last weekend and we weren’t sure how he’d respond to, uh, real life. After seeing him on Visiting Day the week before, we knew he was having a great time. Maybe too great a time, as the downside is the inevitable adjustment period when times aren’t as fun or active or exciting or anything besides 16 hours of non-stop playtime.

Proxies—Meet the ‘Agents’ of Cloud Computing

Tue, 24 Jul 2012 00:00:00 +0000

You remember agents, right? Those ‘lightweight’ pieces of code vendors provided to install on all your servers? The code you pushed out to endpoints? The stuff that gathered all sorts of data and provided analysis without any impact on server performance? Agents monitored activity, enforced policies, killed viruses, and foiled botnets, all from a central location, while making you a steaming espresso? Yeah, marketing hyperbole aside, agents are the ubiquitous pieces of code that got installed on every server to perform any and all security tasks on the local hosts. For tasks where network-based intelligence and protection were inappropriate – which are more common than not – agents do much of the heavy lifting. They’re installed on endpoints and servers. And they are a pain in the ass – many enterprises instituted “no more agents” moratoria when they were multiplying like rabbits, and once you get to say 20 or so agents on a machine, things get out of hand…

FireStarter: We Need a New Definition of Dead

Mon, 23 Jul 2012 00:00:00 +0000

At the Cloud Identity Summit last week, Craig Burton stated the SAML – the security assertion language that helps thousands of enterprises address single sign-on – is unequivocably dead. Kaput. He presented the following data points to support his argument (I will link to his presentation when available):

Heading out to Black Hat 2012!

Mon, 23 Jul 2012 00:00:00 +0000

It probably does not need to be said, but just about the entire Securosis team will be at Black Hat this week. And no, not just for the parties, but there will be some of that as well. I want to see a boatload of sessions this year – and I am betting Moss, Schneier, Shostack, Ranum, and Granick on stage together will be entertaining.

Takeaways from Cloud Identity Summit

Mon, 23 Jul 2012 00:00:00 +0000

“WTF? There are no security people here! I’m at a security conference without security folk. How weird is that?”

I just got back from the Cloud Identity Summit in Vail, Colorado. Great conference, by the way. But as I walked around during the opening night festivities, I quickly realized I did not know anyone until Gunnar Peterson showed up. 400 people in attendance, and I did not know anyone. I’ve been in security for something like 16 years. When I go to a security conference – say RSA or Black Hat – I see dozens of people I know. Hundreds I have met and spoken with. And hundreds more I’ve met over the years, whose names I can’t remember, but I know we have crossed paths.

Incite 7/18/2012: 21 Days

Wed, 18 Jul 2012 00:00:00 +0000

21 days. It doesn’t seem like a long time. In the day to day grind of my routine, 3 weeks is nothing. I basically blink and that much time passes. But when your kids are away at camp it is a long time. For us day 21 is a lifesaver because it’s the first visiting day. So last weekend we packed up the car and made the trek to Pennsylvania to see the kids.

Earning Quadrant Leadership

Tue, 17 Jul 2012 00:00:00 +0000

Our friend Richard Stiennon put his promotional engine in gear this week to push his new book, UP and to the RIGHT. So my Twitter stream has been blown up by all sorts of folks praising Richard’s work. Which is great for Richard. I know what kind of commitment is required to write a book and what’s involved in self-publishing one. Including the Herculean task of getting your buddies to write glowing reviews and generating buzz in the echo chamber.

Heading out to the Cloud Identity Summit

Mon, 16 Jul 2012 00:00:00 +0000

The summer conference season has begun, and for those of us living in Phoenix, going to conferences is a great way to get out July’s blast furnace heat. I’m heading out tomorrow to the Cloud Identity Summit in Vail, Colorado. I’m not speaking – just going to hang out and learn. And there is a lot to lean about with new developments in identity management. Many of the basic tools are not actually new – SAML has been around for about a decade – but the rate of product evolution in this field is frankly staggering. How products are being deployed for cloud and mobile – and how authentication, authorization, and provisioning work together in these environments – are new. I expect to see wholesale changes in how we use and consume identity in the coming years – be it cloud, mobile, or whatever. So we have decided we need to increase coverage in this area, to aid IT in understanding how to approach identity management projects, and to dig into some of the technical details of how developers should approach implementation. Rich and I will be doing a lot of blogging on this topic in the coming months, and Gunnar Peterson and I plan to publish research on the ins and outs of cloud identity late this summer, so stay tuned.

Friday Summary: July 13, 2012

Fri, 13 Jul 2012 00:00:00 +0000

Adrian here, and happy Friday the 13th! It’s been a week since Independence day, and it feels like it’s been a month. Mike wanted us to comment on our feelings about Independence Day and what freedom means to us. For me that was easy. As as I usually do, I worked on Independence Day. Always. It’s not a day off. To me, taking time off is anathema to independence. I celebrate independence by working, because working is what earns me the right to be free. I’m long past the age of military service to my country, so I serve it by trying to build and contribute. And at this moment I feel very lucky to have the opportunity to work and make a living, and great business partners to work with. There is always a boatload of stuff to do here at Securosis, so I have been quietly ‘celebrating’ my independence by finishing up a bunch of writing. It may sound weird, but that’s just me.

[New White Paper] Evolving Endpoint Malware Detection (and Index of Posts)

Thu, 12 Jul 2012 00:00:00 +0000

As long last (OK, maybe not that long), we have assembled the Evolving Endpoint Malware Detection series and packaged it as a paper. You can check out the landing page to find out more, but this description sum it up:

Incite 7/10/2012: Freedom

Wed, 11 Jul 2012 00:00:00 +0000

Last week we celebrated Independence Day in the US. It’s a day when we reflect on the struggles of our forefathers establishing the country, the sacrifices of the Revolutionary War, and what Freedom means to us all. Actually, most folks gorge on BBQ, drink a ton of beer, and light fireworks imported from China. Which I guess is another interpretation of freedom.

Q1 Vendor Newsletter

Tue, 10 Jul 2012 00:00:00 +0000

We send a quarterly newsletter out to vendor clients as part of our retainer program. Here’s the introduction, which describes how we view the newsletter:

Friday Summary: June 29, 2012

Thu, 28 Jun 2012 00:00:00 +0000

Rich here.

I’m starting to think I might be dealing with a bit of burnout. No, not the “security burnout” that keeps cropping up on Twitter and in blog posts, but a bit of a personal burnout. I just find myself lacking a bit of general enthusiasm and creativity that usually keeps me plowing away at a productive rate.

Can You Stop a Targeted Attack?

Wed, 27 Jun 2012 00:00:00 +0000

The question of stopping targeted attacks has been on my mind for a while. Of course my partners and I have to suffer through far too many vendor briefings where they claim to stop an APT with fairy dust and assorted other black magic. But honestly, it is a legitimate and necessary question.

Incite 6/27/2012: Empty Nest

Wed, 27 Jun 2012 00:00:00 +0000

Be quiet. Be vewy vewy quiet. Now listen. What do you hear? Listen very closely. Do you hear anything? No? That’s exactly the point. The Boss and I woke up yesterday morning to the sound of nothing. No grumbling about having to get ready for school. No kvetching about ill-fitting bathing suits, and no asking for this play date or that activity. No crappy Disney Tween shows blaring from the TV. No nothing. The house is quiet.

Understanding and Selecting Data Masking: Buyer’s Guide

Mon, 25 Jun 2012 00:00:00 +0000

The final installment in our masking series closes with a simplified buyer’s guide for product selection. As with most security product buyer’s guides, we offer a fairly involved process to help customers identify their needs and evaluate solutions against each other. These guides address the difficulty of getting all stakeholders to agree on a set of use cases and priorities, which is harder than it sounds. We also offer guidance on avoiding pitfalls and vendor BS. Of course you still need to ensure that your requirements are identified and prioritized before you start testing, but the process with masking technologies is a bit less complicated than with other technologies.

Friday Summary: June 22, 2012

Fri, 22 Jun 2012 00:00:00 +0000

I have been wanting to write a bunch of blog posts for the last few weeks. No, not the heavy research work we have been in up to our eyeballs, but about some of the strange and interesting stuff currently been reported. We used to do a lot more commentary and I miss it. I have a little time this Friday, so I though I would comment on a few of the past week’s articles I think warrant discussion – in many ways as interesting for what was not discussed. Here we go:

Thoughts on Active Defense, Intrusion Deception, and Counterstrikes

Fri, 22 Jun 2012 00:00:00 +0000

Earlier this week Joseph Menn published a confusing article over at Reuters that conflated “active defense” with “strike back” technologies. As Chris Hoff said on Twitter:

Choosing Your Key Management Strategy

Wed, 20 Jun 2012 00:00:00 +0000

In our last post we covered the four enterprise key management strategies. Today we will finish off Pragmatic Key Management with recommendations on how to pick the right strategy for your project or organization.

Incite 6/20/2012: That Smell

Wed, 20 Jun 2012 00:00:00 +0000

Most folks have sights, sounds, and smells that remind them of positive experiences. Maybe from happy childhood days or a great time of life. For me, it’s the smell of the ocean. My Dad always had a boat and I remember some great times sailing on his catamaran as I was growing up. I didn’t spend a lot of time with my Dad growing up, so I loved being out on the water. And we’d bring a bucket of KFC with us, which was also a highlight. Strange, the things you remember 35 years later, eh?

Evolving Endpoint Malware Detection: Controls, Trade-offs and Compromises

Tue, 19 Jun 2012 00:00:00 +0000

As we wrap up our Evolving Endpoint Malware Detection series, it’s time to take it to the next level. We spent the first three posts on why detection is challenging, the types of behavioral indicators you should look for, and some additional data sources for added context to improve effectiveness and reduce false positives. Now we need to do something with the information we have gathered – basically to provide a verdict on whether something is malware or not, and if it is to block it. Alas, this is where you need to understand the trade-offs between different controls and decide what is best for your environment.

New Paper: Implementing and Managing a DLP Solution

Tue, 19 Jun 2012 00:00:00 +0000

Yes, folks, at long last, here is my follow-up to Understanding and Selecting a DLP Solution.

As you might guess from the title, this one is focused on implementation and management. After you have picked a tool, this will help you get up and running, and then keep it running, with as little overhead as possible.

The Four Enterprise Key Management Strategies

Mon, 18 Jun 2012 00:00:00 +0000

In our last post we covered the components of data encryption systems and ran through some common examples. Now it’s time to move on to key management itself, and dig into the four different key management strategies.

Friday Summary: June 15, 2012

Fri, 15 Jun 2012 00:00:00 +0000

Ah, summer. That time of year where our brains naturally start checking out, even if it’s inconvenient.

You have probably noticed a bit of a slowdown on the blog as we succumb to the sweet call of adventure. And by ‘adventure’ I mean the delicate balance of being way freaking behind while trying to squeeze in family vacations and a few conferences.

Understanding and Selecting Data Masking: Use Cases

Fri, 15 Jun 2012 00:00:00 +0000

As we approach the end of this series, it has become clear that I should really have started with use cases. Not only because they are the primary driver of interest in masking products, but also because many advanced features and deployment models really only make sense in terms of particular use cases. The critical importance of clustered servers, and the necessity for post-masking validation for some applications, are really only clear in light of particular usage scenarios. I will sort this out in the final paper, putting use cases first, which will help with the more complex later discussions. But here they are.

Evolving Endpoint Malware Detection: Providing Context

Thu, 14 Jun 2012 00:00:00 +0000

As we discussed in the last post, detecting today’s advanced malware requires more than just looking at the file (the classic AV technique) – we now also need to leverage behavioral indicators. To make things more interesting, even suspiciuous behavior can be legitimate in certain circumstances. So for accurate and effective detection you need better context on what the code does, where it came from, and who it came from, in order to reach a reasonable verdict on whether to allow or block execution.

Market Share Nonsense

Thu, 14 Jun 2012 00:00:00 +0000

It was bound to become blindingly obvious sometime. The ruse of anyone accurately tracking market share in any market has been a running joke for as long as I can remember. I guess some folks do argue with the so-called market share numbers, like McAfee recently did, but it is usually attributed to sour grapes for those with crappy numbers. I’d say that market share doesn’t matter for end users, but in reality it’s safer to go with a vendor with a large market share. And in today’s tough business environment, very few are willing to be unsafe.

New Paper: Defending Data on iOS

Thu, 14 Jun 2012 00:00:00 +0000

A while back we ran a show-of-hands survey at a conference of senior IT security pros. Nearly none of them wanted to support iOS, but nearly all of them needed to support iOS.

Incite 6/13/2012: Tweeting Idiocy

Wed, 13 Jun 2012 00:00:00 +0000

It’s easy to think that the main contribution of social media tools like Twitter and Facebook is to connect you more tightly to your friends, colleagues, and family. Which is true. But don’t underestimate the immediacy of using networks like Twitter to interact directly with the companies you do business with. I have two recent examples which highlight this trend.

Malware Analysis Quant [Final Paper]

Tue, 12 Jun 2012 00:00:00 +0000

Those of you who have followed Securosis for a while know that our Quant research is the big daddy of all our projects. We build a very granular process map for a certain function, build a metrics model, and in some cases survey our community to figure out what they do and what they don’t. We have already tackled Patch Management, Network Security Operations, and Database Security Options. Our latest Quant study tackled Malware Analysis. Here’s an excerpt from the Introduction to provide some context:

Understanding and Selecting Data Masking: Management and Advanced Features

Tue, 12 Jun 2012 00:00:00 +0000

In this post we will examine many of the features and functions of masking that go beyond the basics of data collection and transformation. The first, and most important, is the management interface for the masking product. Central management is the core addition that transforms masking from a simple tool into an enterprise data security platform. Central management is not new; but capabilities, and maturity, and integration are evolving rapidly. In the second part of today’s post we will discuss advanced masking functions we are beginning to see, to give you an idea of where these products are heading. Sure, all these products provide management of the basic functions, but the basics don’t fully encompass today’s principal use cases – the advanced feature set and management interfaces differentiate the various products, and are likely to drive your choice of product.

Evolving Endpoint Malware Detection: Behavioral Indicators

Mon, 11 Jun 2012 00:00:00 +0000

As we mentioned in the first post of the Evolving Endpoint Malware Detection series, Control Lost, attackers have gotten rather advanced. They don’t use the same file or malware delivery vehicle twice, constantly morph attacks, and make it very hard to use the fundamental file-based detection which underpins traditional anti-malware tools. So efforts to detect malware can no longer focus exclusively on what the malware looks like (basically a file hash or some other identifying factor) and must incorporate a number of new data sources for identification.

Upcoming: Tokenization Webcast This Week

Mon, 11 Jun 2012 00:00:00 +0000

If you are interested in discussing use cases and deployment models for Tokenization, you’re in luck! This Thursday (June 14th) at 1pm Eastern, I will be offering a webcast on Tokenization with Intel & McAfee. While many people are looking for scope reduction, reduced audit costs, and simplified security controls for PCI, that does not mean there is only one way to roll out a Tokenization system. There are several options, each with its own advantages, and the best fit depends entirely on your particular goals and how you manage your IT systems. In this webcast I will provide an overview of the three main deployment models and delve into the reasons customers choose each of them. If you are interested you can join us for free by registering: 3 Core Tokenization Models - Choosing the Right PCI DSS Strategy.

Friday Summary: June 8th, 2012

Fri, 08 Jun 2012 00:00:00 +0000

For whatever reason, I picked up a copy of a magazine my wife received as part of her interior design study work. I was absent-mindedly thumbing through it, waiting for the microwave to heat my coffee, when suddenly one of the the pictures made me stop and pay attention. It was a picture of a woman in a red leather catsuit, posed seductively by a stove. WTF? What is this ad trying to tell me? I must really not be part of their target market – but who is their target market? And another picture, this time a woman on top of a Mercedes, wearing a showgirl costume with lots of makeup. And then a woman with several ‘handymen’ fixing stuff around the house. And so on. Now, I bought a fancy Miele dishwasher, but I didn’t notice my wife responding with a racy outfit. In fact I’m pretty sure “sexy” and “kitchen appliance” are at opposite ends of her universe. I dug a bit deeper, and saw that the articles were on with topics such as: how to keep your junk drawer organized, and the best way to store linen napkins and flatware. I dove into the pile of magazines: Architectural Digest. Cote Sud. English Country Living. They are filled with the same type of content, regardless of country. All I could think was, “Who are they selling this stuff to, exactly?”

Incite 6/6/2012: Universally Awesome

Wed, 06 Jun 2012 00:00:00 +0000

With all the vacation I have planned this summer, finding time for work may be a challenge. We had 4 days at home after the Barcelona trip and then headed down to Orlando where the girls’ dance troupe did a performance at Downtown Disney. Yup, a 7-hour drive, a pair of 3-day Park Hopper tickets (which we didn’t use), costumes, hotel, and meals, so we could see the girls dance for less than 30 minutes – melting in 90+ degree weather.

Friday Summary: June 1, 2012

Fri, 01 Jun 2012 00:00:00 +0000

It’s the first of June, and I’m sure most of you are thinking about vacation, if not actually on vacation at this point. I’m here holding down the fort while the rest of Securosis is visiting places cooler and more fun. I’m taking time to reflect on security topics and my research agenda.

Understanding and Selecting Data Masking: Technical Architecture

Fri, 01 Jun 2012 00:00:00 +0000

Today we will discuss platform architectures and deployment models. Before I jump into the architectural models, it’s worth mentioning that these architectures are designed in response to how enterprises use data. Data is valuable because we use it to support business functions. Data has value in use. The more places we can leverage data to make decisions, the more valuable it is. However, as we have seen over the last decade, data propagation carries many risks. Masking architectures are designed to fit within existing data management frameworks and mitigate risks to information without sacrificing usefulness. In essence we are inserting controls into existing processes, using masking as a guardian, to identify risks and protect data as it migrates through the enterprise applications that automate business processes.

Pragmatic Key Management: Understanding Data Encryption Systems

Thu, 31 May 2012 00:00:00 +0000

One of the common problems in working with encryption is getting caught up with the intimate details of things like encryption algorithms, key lengths, cipher modes, and other minutiae. Not that these details aren’t important – depending on what you’re doing they might be critical – but in the larger scheme of things these aren’t the aspects most likely to trip up your implementation. Before we get into different key management strategies, let’s take a moment to look at crypto systems at the macro level. We will stick to data encryption for this paper, but these principles apply to other types of cryptosystems as well.

Incite 5/30/2012: Low Hanging Fruit

Wed, 30 May 2012 00:00:00 +0000

As you might have noticed, there was no Incite last week. Turns out the Boss and I were in Barcelona to celebrate 15 years of wedded bliss. We usually run about 6 months late on everything, so the timing was perfect. We had 3 days to ourselves and then two other couples from ATL joined us for the rest of the week. We got to indulge our appreciation for art – hitting the Dali, Miro, and Picasso museums. We also saw some Gaudi structures that are just mind-boggling. Then we joked about how Americans are not patient enough to ever build anything like the Sagrada Familia.

Pragmatic Key Management: Introduction

Wed, 30 May 2012 00:00:00 +0000

Few terms strike as much dread in the hearts of security professionals as key management. Those two simple words evoke painful memories of massive PKI failures, with millions spent to send encrypted email to the person in the adjacent cube. Or perhaps it recalls the head-splitting migraine you got when assigned to reconcile incompatible proprietary implementations of a single encryption standard. Or memories of half-baked product implementations that worked fine on in isolation on a single system, but were effectively impossible to manage at scale. And by scale, I mean “more than one”.

White Paper: Understanding and Selecting a Database Security Platform

Wed, 30 May 2012 00:00:00 +0000

We are pleased to announce the availability of a new research paper, Understanding and Selecting Database Security Platforms. And this paper covers most of the facets for database security today. We started to refresh our original Database Activity Monitoring paper in October 2011, but stopped short when our research showed that platform evolution has stopped converging – and has instead diverged again to embrace independent visions of database security, and splintering customer requirements. We decided our original DAM research was becoming obsolete. Use cases have evolved and vendors have added dozens of new capabilities – they have covered the majority of database security requirements, and expanded out into other areas.

Understanding and Selecting Data Masking: How It Works

Tue, 29 May 2012 00:00:00 +0000

In this post I want to show how masking works, focusing on how masking platforms move and manipulate data. I originally intended to start with architectures and mechanics of masking systems; but it should be more helpful to start by describing the different masking models, how data flows through different systems, and the advantages and disadvantages of each. I will comment on common data sources and destinations, and the issues to consider when considering masking technology. There are many different types of data repositories and services which can be masked, so I will go into detail on these choices. For now we will stick to relational databases, to keep things simple. Let’s jump right in and discuss how the technology works.

Security, Metrics, Martial Arts, and Triathlon: a Meandering Friday Summary

Thu, 24 May 2012 00:00:00 +0000

Rich here.

One of the more fascinating – and unexpected – aspects of migrating from martial arts to triathlon as my primary sport has been importance role of metrics, and how they have changed my views on security.

Understanding and Selecting Data Masking: Defining Data Masking

Wed, 23 May 2012 00:00:00 +0000

Before I start today’s post, thank you for all the letters saying that people are looking forward to this series. We have put a lot of work into this research to ensure we capture the state of currently available technology, and we are eager to address this under-served market. As always, we encourage blog comments because they help readers understand other viewpoints that we may not reflect in the posts proper. And for the record, I’m not knocking Twitter debates – they are useful as well, but they’re more ephemeral and less accessible to folks outside the Twitter cliques – not everybody wants to follow security geeks like me. And I also apologize for our slow start since initial launch – between meeting with vendors, some medical issues, and client off-site meetings, I’m a bit behind. But I have collected all the data I think is needed to do justice to this subject, so let’s get rolling!

Evolving Endpoint Malware Detection: Control Lost

Tue, 22 May 2012 00:00:00 +0000

Today we start our latest blog series, which we are calling Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks – a logical next step from much of the research we have already done around the evolution of malware and emerging controls to deal with it. We started a few years back by documenting Endpoint Security Fundamentals, and more recently looked at network-based approaches to detect malware at the perimeter. Finally we undertook the Herculean task of decomposing the processes involved in confirming an infection, analyzing the malware, and tracking its proliferation with our Malware Analysis Quant research.

Continuous Learning

Fri, 18 May 2012 00:00:00 +0000

I referred back to the Pragmatic CSO tips when I started the Vulnerability Management Evolution series (the paper hit yesterday, by the way) and there was some good stuff in there, so let me once again dust off those old concepts and highlight another one. This one dealt with the reality that you are a business person, not a security person.

Friday Summary: May 18, 2012

Fri, 18 May 2012 00:00:00 +0000

A friend told me this week they were on Pinterest. I responded, “I’m sorry! How long does your employer allow you to take off?” I was seriously thinking this was something like paternity leave or one of those approved medical absence programs. I really wondered when he got sick, and what his prognosis was. He told me, “No, I’m on Pinterest to market my new idea.” WTF? Turns out it’s not a medical sabbatical, but another social media ‘tool’ for sharing photos and stuff.

[New White Paper] Vulnerability Management Evolution

Thu, 17 May 2012 00:00:00 +0000

Organizations have traditionally viewed vulnerability scanners as tactical products, largely commoditized and only valuable around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Although those 100-page reports make auditors smile, as they offer a nice listing of audit deficiencies to address in the findings of fact. But the tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. We document this evolution to a vulnerability/threat management platform in our new Vulnerability Management Evolution paper.

Incite 5/16/2012: Moving up Day

Wed, 16 May 2012 00:00:00 +0000

Wasn’t it just yesterday that we put XX1 on the bus for her first day of kindergarten? I guess if yesterday was August of 2006, that would be correct. Man, six years have gone by fast! On Friday she moves up to Middle School. As we watched the annual Field Day festivities with all the kids dressed up in their countries’ garb yesterday, the kindergartners seemed so small. And they are. Six years doesn’t seem so long, but against the growth of such a child it’s a lifetime.

Write Third

Tue, 15 May 2012 00:00:00 +0000

One of the things I truly love about writing for Securosis and TidBITS is that I am rarely put in a position where I need to be first to write about something. As a writer, and occasionally a journalist, I consider time the ultimate luxury. Unfortunately, few journalists have this liberty, and even fewer appreciate it.

Understanding and Selecting Data Masking: Series Introduction

Mon, 14 May 2012 00:00:00 +0000

Data masking has been around a long time. I have been masking since the early ’90s to create test data from production copies of customer insurance records, as well as to alter database columns before sending database exports out for “data cleansing”. At the time masking was little more than UNIX shell scripts or home grown Perl scripts to alter particular columns in .csv files. A few years later I was giddy with excitement to have my first masking ‘program’, running on a paleolithic version of Windows, which actually had a ‘wizard’ for walking through the process. No, it did not help with extraction of information from a database, but it identified the columns to be altered, provided a list of masks to apply, and dumped an error file when it ran into trouble. That saved a lot of tweaking scripts and manually reviewing dump files. And all this was several years before I heard anyone mention ‘ETL’ (Extract, Transform, Load) because ODBC and JDBC drivers to connect to databases were just arriving on the scene, and nobody had automated bulk loads back into another database. That was still science fiction.

Understanding and Selecting a Database Security Platform: Comments and Series Index

Fri, 11 May 2012 00:00:00 +0000

Rich and I – with help from Chris Pepper – compiled the Understanding and Selecting a Database Security Platform series into a research paper, and provided it to a number of people for initial review. We got a lot of valuable feedback and observations back. Commenters felt several topics were under-served, they believe others were over-emphasized, and more we failed to mention. We’re not too proud to admit when we’re wrong, or when we failed to capture the essence of customer buying decisions, so we are happy to revisit these topics. We believe their feedback improves the paper quite a bit. In keeping with our Totally Transparent Research process we want all discussions that affect the paper out in the open, so we are posting those comments here for review. If you have additional comments, or responses to anything here, we encourage you to chime in.

Friday Summary: May 10, 2012

Thu, 10 May 2012 00:00:00 +0000

Rich here. It amazes me how something completely mundane can be utterly fascinating the first time you experience it.

This morning I woke up about 5:45 as I heard my younger daughter waking up herself. If history held, she had been up for a little while and was ready to get out of her crib. Now!!! Nothing new there, and I started the painful process of getting out of bed (I d hammered my bad shoulder a little too much during my swim workout yesterday, leading to a painful night).

Incite 2/9/2012: Swimming with Sharks

Wed, 09 May 2012 00:00:00 +0000

What ever happened to the sit-down family dinner? Maybe it’s just me, but growing up, the only time I really experienced it was watching TV. My Mom worked retail pharmacy, so normally I was pulling something out of the freezer to warm up for my kid brother and myself. And nowadays the only time we sit down for dinner is when we go out to a restaurant.

FireStarter: Policy Wonks and Pests

Thu, 03 May 2012 00:00:00 +0000

I’ve spent more hours than I can count studying compliance and governance. Reading and re-reading PCI requirements, Sarbanes-Oxley law, theory, and applied theory. Spent mind-numbing hours combing through BASEL and BASEL II docs. I’ve spent many long weeks with external auditors, internal auditors, assessors, risk management personnel, corporate governance officers, and government officials – trying to understand their jobs, their roles, and how the world functions from their perspectives. I’ve spent months mapping those ideas and processes into policy implementations, process modifications, and the rules that actually enforce policies. I’ve written audit reports for these various compliance and policy management frameworks to demonstrate policy compliance and efficacy. When you sell security and risk management software these efforts are necessary, because compliance drives your company’s revenue. So I feel I understand policy and compliance pretty darn well, but I am bothered by the trend toward policy being the focus – at the expense of the task it was originally designed to govern.

Friday Summary: May 4, 2012

Thu, 03 May 2012 00:00:00 +0000

My conversation started like this:

“Do you know where the recorder is?” she asked.

“The what?” I replied.

“The tape recorder we bought you!”

Incite 5/2/2012: Refi Madness

Wed, 02 May 2012 00:00:00 +0000

It all started with an innocent call from my mortgage broker. He started with, “What if I could shave 75 basis points off your note, with no cost to you?” As you might have noticed, I’m a skeptical type of fellow. I asked, “What’s the catch?” He laughed and said, “No catch, I can get you from 4.25% to 3.5% and I’ll pay the costs.” I responded again, “There must be a catch. What am I missing?” He maked some wise remark about Groundhog Day and then told me there really is no catch. I can save a couple hundred bucks a month I’m currently paying the bank.

Vulnerability Management Evolution: Evolution or Revolution?

Fri, 27 Apr 2012 00:00:00 +0000

We have discussed the evolution of vulnerability management from a tactical tool to a much more strategic platform providing decision support for folks to more effectively prioritize security operations and resource allocation. But some vendors may not manage to effectively broaden their platforms sufficiently to remain competitive and fully satisfy their customer requirements. So at some point you may face a replacement decision, or to put it more kindly, a decision of evolution or revolution for your vulnerability/threat management platform.

[New White Paper] Watching the Watchers: Guarding the Keys to the Kingdom

Thu, 26 Apr 2012 00:00:00 +0000

Given the general focus on most organizations on the attackers out there , they may miss the attackers that actually have the credentials and knowledge to do some real damage. These are your so-call privileged users and far too many organizations don’t do much to protect themselves from an attack from that community. By the way, this doesn’t necessarily require a malicious insider. Rather it’s very possible (if not plausible) that a privileged user’s device gets compromised, therefore giving the attacker access to the administrator’s credentials. Right, that’s a bad day. Thus we’ve written a paper called Watching the Watchers: Guarding the Keys to the Kingdom to describe the problem and offer some ideas on solutions.

Friday Summary, TSA Edition: April 26, 2012

Thu, 26 Apr 2012 00:00:00 +0000

Rich here. I’m writing thi from an airport, so I will eschew my normal ‘personal’ intro and spend a little time on our favorite security show: Airport Screening Follies.

Incite 4/25/2012: Drafty Draft

Wed, 25 Apr 2012 00:00:00 +0000

It feels like Bizarro World to me. I woke up this morning freezing my backside off. We turned off the heat a few weeks ago and it was something like 65 this morning. Outside it was in the 40s, at the end of April. WTF? And the Northeast has snow. WTF? I had to bust out my sweatshirts, which I had hoped to shelve for the season. Again, WTF?

Vulnerability Management Evolution: Enterprise Features and Integration

Tue, 24 Apr 2012 00:00:00 +0000

We’re in the home stretch of the Vulnerability Management Evolution research project. After talking mostly about the transition from an audit-centric tactical tool to a much more strategic platform providing security decision support, it is now time to look critically at what’s required to make the platform work in your enterprise. That means providing both built-in tools to help manage your vulnerability management program, as well as supporting integration with existing security and IT management tools.

Vulnerability Management Evolution: Value-Add Technologies

Mon, 23 Apr 2012 00:00:00 +0000

So far we have talked about scanning infrastructure and the application layer, before jumping into some technology decisions you face, such as how to deal with cloud delivery and agents. But as much as these capabilities increase the value of the vulnerability management system, it’s still not enough to really help focus security efforts and prioritize the hundreds (if not thousands) of vulnerabilities or configuration problems you’ll find. So let’s look at a few emerging capabilities that really help make the information gleaned from scans and assessment more impactful to the operational decisions you make every day.

Watching the Watchers: Integration

Fri, 20 Apr 2012 00:00:00 +0000

As we wrap up Watching the Watchers it’s worth reminding ourselves of the reality of enterprise security today. Nothing stands alone – not in the enterprise management stack anyway – so privileged user management functions need to play nicely with the other management tools. There are levels of integration required, as some functions need to be attached at the hip, while others can be mere acquaintances.

Vulnerability Management Evolution: Core Technologies

Thu, 19 Apr 2012 00:00:00 +0000

As we discussed in the last couple posts, any VM platform must be able to scan infrastructure and scan the application layer. But that’s still mostly tactical stuff. Run the scan, get a report, fix stuff (or not), and move on. When we talk about a strategic and evolved vulnerability management platform, the core technology needs to evolve to serve more than merely tactical goals – it must provide a foundation for a number of additional capabilities. Before we jump into the details we will reiterate the key requirements. You need to be able to scan/assess:

Incite 4/18/2012: Camión de Calor

Wed, 18 Apr 2012 00:00:00 +0000

It was a Mr. Mom weekend, so I particularly appreciated settling in at the coffee shop on Monday morning and getting some stuff done. And it wasn’t just trucking the kids around to their various activities. It was a big weekend for all of us to catch up on work. XX1 has the CRCT standardized test this week, which is a big deal in GA, so there was much prep for that. Both XX2 and Boy have How to presentations in class this week. So they each had to write and practice a presentation. And I had to finish up our taxes and update the Securosis financials. With the Boss in absentia, I was juggling knives trying to get everything done.

Understanding and Selecting DSP: Use Cases

Mon, 16 Apr 2012 00:00:00 +0000

Database Security Platforms are incredibly versatile – offering benefits for security, compliance, and even operations. The following are some classic use cases and ways we often see them used:

Watching the Watchers: Clouds Rolling in

Mon, 16 Apr 2012 00:00:00 +0000

As much as we enjoy being the masters of the obvious, we don’t really need to discuss the move to cloud computing. It’s happening. It’s disruptive. Blah blah blah. People love to quibble about the details but it’s obvious to everyone. And of course, when the computation and storage behind your essential IT services might not reside in a facility under your control, things change a bit. The idea of a privileged user morphs in the cloud context, by adding another layer of abstraction via the cloud management environment. So regardless of your current level of cloud computing adoption, you need to factor the cloud into your PUM (privileged user management) initiative.

Friday Summary: April 13th, 2012

Fri, 13 Apr 2012 00:00:00 +0000

Happy Friday the 13th!

I was thinking about superstition and science today, so I was particularly amused to notice that it’s Friday the 13th. Rich and I are both scientists of sorts; we both eschew superstition, but we occasionally argue about science. What’s real and what’s not. What’s science, what’s pseudoscience, and what’s just plain myth. It’s interesting to discuss root causes and what forces actually alter our surroundings. Do we have enough data to make an assertion about something, or is it just a statistical anomaly? I’m far more likely to jump to conclusions about stuff based on personal experience, and he’s more rigorous with the scientific method. And that’s true for work as well as life in general. For example he still shuns my use of Vitamin C, while I’m convinced it has a positive effect. And Rich chides as I make statements about things I don’t understand, or assertions that are completely ‘pseudoscience’ in his book. I’ll make an off-handed observation and he’ll respond with “Myth Busters proved that’s wrong in last week’s show”. And he’s usually right. We still have a fundamental disagreement about the probability of self-atomizing concrete, a story I’d rather not go into – but regardless, we are both serious tech geeks and proponents of science.

Incite 4/11/2012: Exchanging Problems

Wed, 11 Apr 2012 00:00:00 +0000

I figured an afternoon flight to the midwest would be reasonably peaceful. I was wrong. Things started on the wrong foot when I got an email notification from Delta that the flight was delayed, even though it wasn’t. The resulting OJ sprint through the terminal to make the flight was agitating. Then the tons of screaming kids on the flight didn’t help matters. I’m thankful for noise isolating headphones, that’s for sure.

Pain Comes Instantly—Fixes Come Later

Tue, 10 Apr 2012 00:00:00 +0000

Mary Ann Davidson’s recent post Pain Comes Instantly has been generating a lot of press. It’s being miscast by some of the media outlets as trashing PCI Data Security Standard, but it’s really about the rules for vendors who want to certify commercial payment software and related products. The debate is worth considering, so I recommend giving it a read. It’s a long post, but I encourage you to read it all the way through before forming opinions, as she makes many arguments and provides some allegories along the way.

Responsible or Irresponsible Disclosure?—NFL Style

Tue, 10 Apr 2012 00:00:00 +0000

It’s funny to contrast this April to last April, at least as an NFL fan. Last year the lockout was in force, the negotiations stalled, and fans wondered how billionaires could argue with millionaires when the economy was in the crapper. Between the Peyton Manning lottery, the upcoming draft, and the Saints Bounty situation, there hasn’t been a dull moment for pro football fans since the Super Bowl ended.

The Myth of the Security-Smug Mac User

Tue, 10 Apr 2012 00:00:00 +0000

I still consider myself a relative newcomer to the Mac community. Despite being the Security Editor at TidBITS and an occasional contributor to Macworld (print and online), and having spoken at Macworld Expo a couple times, I only really switched to Macs back in 2005. To keep this in perspective, TidBITS has been published electronically since 1990.

How to Tell If Your Cloud Provider Can Read Your Data (Hint: They Can)

Mon, 09 Apr 2012 00:00:00 +0000

Over at TidBITS today I published a non-security-geek oriented article on how to tell if your cloud provider can read your data. Since many of you are security geeks, here’s the short version (mostly cut and paste) and some more technical info.

Understanding and Selecting DSP: Administration

Mon, 09 Apr 2012 00:00:00 +0000

Today’s post focuses on the administering Database Security Platforms. Conceptually DSP is pretty simple: collect data from databases, analyze it according to established rules, and react when a rule has been violated. The administrative component of every DSP platform follows these three basic tasks: data management, policy management, and workflow management. In addition to these three basic functions, we also need to administer the platform itself, as we do with any other application platform.

Vulnerability Management Evolution: Scanning the Application Layer

Mon, 09 Apr 2012 00:00:00 +0000

In our last Vulnerability Management Evolution post we discussed scanning infrastructure, which remains an important part of vulnerability management. But we recognize that most attacks target applications directly, so we can no longer just scan the infrastructure and be done with it. We need to climb the stack and pay attention to the application layer, looking for vulnerabilities in application as well as the supporting components. But that requires us to define an ‘application’, which is surprisingly difficult.

Watching the Watchers: Monitor Privileged Users

Sun, 08 Apr 2012 00:00:00 +0000

As we continue our march through the Privileged User Lifecycle, we have locked down privileged accounts as tightly as needed. But that’s not the whole story, and the lifecycle ends with a traditional audit. Because verifying what the administrators do with their privileges is just as important as the other steps. Admittedly, some organizations have as large a cultural issue with granular user monitoring because they actually want to trust their employees. Silly organizations, right? But in this case there is no monitoring slippery slope – we aren’t talking about recording an employee’s personal Facebook interactions or checking out pictures of Grandma. We’re talking about capturing what an administrator has done on a specific device.

Watching the Watchers: Enforce Entitlements

Fri, 06 Apr 2012 00:00:00 +0000

So far we have described the Restrict Access and Protect Credentials aspects of the Privileged User Lifecycle. So far any administrator managing a device is authorized to be there and uses strong credentials. But what happens when they get there? Do they get free reign? Should you just give them root or full Administrator rights and have done with it? What could possibly go wrong with that?

Friday Summary: April 6, 2012

Thu, 05 Apr 2012 00:00:00 +0000

Rich here…

Normally I like to open the Summary with a bit of something from my personal life. Some sort of anecdote with a message. In other words, I blatantly ripped off Mike’s format for the Security Incite… long before he took over half the company. (With Mike, even a partnership can probably be defined as a hostile takeover, based solely on his gruff voice and honesty of opinion).

Vulnerability Management Evolution: Scanning the Infrastructure

Thu, 05 Apr 2012 00:00:00 +0000

As we discussed in the Vulnerability Management Evolution introduction, traditional vulnerability scanners, focused purely on infrastructure devices, do not provide enough context to help organizations prioritize their efforts. Those traditional scanners are the plumbing of threat management. You don’t appreciate the scanner until your proverbial toilet is overflowing with attackers and you have no idea what are they targeting. We will spend most of this series on the case for transcending device scanning, but infrastructure scanning remains a core component of any evolved threat management platform. So let’s look at some key aspects of a traditional scanner.

Incite 4/4/2012: Travel the Barbarian

Wed, 04 Apr 2012 00:00:00 +0000

Flying into Milan to teach the CCSK class on Sunday morning, it really struck me how much we take this technology stuff for granted. The flight was uneventful (though that coach seat on a 9+ hour flight is the suxxor), except for the fact that the in-seat entertainment system didn’t work in our section. Wait. What? You mean you can’t see the movies and TV shows you want, or play the trivia game to pass the time? How barbaric! Glad I brought my iPad, so I enjoyed half the first season of Game of Thrones.

Understanding and Selecting DSP: Extended Features

Wed, 04 Apr 2012 00:00:00 +0000

In the original Understanding and Selecting a Database Activity Monitoring Solution paper we discussed a number of Advanced Features for analysis and enforcement that have since largely become part of the standard feature set for DSP products. We covered monitoring, vulnerability assessment, and blocking, as the minimum feature set required for a Data Security Platform, and we find these in just about every product on the market. Today’s post will cover extensions of those core features, focusing on new methods of data analysis and protection, along with several operational capabilities needed for enterprise deployments. A key area where DSP extends DAM is in novel security features to protect databases and extend protection across other applications and data storage repositories.

Defining Your iOS Data Security Strategy

Tue, 03 Apr 2012 00:00:00 +0000

Now that we’ve covered the different data security options for iOS it’s time to focus on building a strategy. In many ways figuring out the technology is the easy part of the problem – the problems start when you need to apply that technology in a dynamic business environment, with users who have already made technology choices.

iOS Data Security: Managed Devices

Mon, 02 Apr 2012 00:00:00 +0000

In our last post, on data security for partially-managed devices, I missed one option we need to cover before moving onto fully-managed devices:

Understanding and Selecting DSP: Core Features

Mon, 02 Apr 2012 00:00:00 +0000

So far this series has introduced Database Security Platforms, provided a full definition of DSP, discussed the origins and evolution of DAM to DSP, and described the technical platform architecture. We have covered the basics of a Database Security Platform. It might seem like a short list compared to all the other extended features we will cover later, but these are the most important ares, and the primary reasons to buy these tools.

Watching the Watchers: Protect Credentials

Mon, 02 Apr 2012 00:00:00 +0000

As we continue our march through the Privileged User Lifecycle, we have provisioned the privileged users and restricted access to only the devices they are authorized to manage. The next risk to address is the keys or credentials of these privileged users (P-Users) falling into the wrong hands. The best access and entitlements security controls fail if someone can impersonate a P-User.

Vulnerability Management Evolution: Introduction

Thu, 29 Mar 2012 00:00:00 +0000

Back when The Pragmatic CSO was published in 2007, I put together a set of tips for being a better CISO. In fact you can still get the tips (sent one per day for five days) if you register on the Pragmatic CSO site. Not to steal any thunder, but Tip #2 is Prioritize Fiercely. Let’s take a look at what I wrote back then.

Incite 3/28/2012: Gone Tomorrow

Wed, 28 Mar 2012 00:00:00 +0000

A recent Tweet from Shack was pretty jarring.

Old friend from college died today. Got some insane rare lung disease out of nowhere, destroyed them. Terrifying. 37 years old. :/

iOS Data Security: Securing Data on Partially-Managed Devices

Tue, 27 Mar 2012 00:00:00 +0000

Our last two posts covered iOS data security options on unmanaged devices; now it’s time to discuss partially managed devices.

Watching the Watchers: Restrict Access

Sun, 25 Mar 2012 00:00:00 +0000

As we discussed in the Privileged User Lifecycle post, there are a number of aspects to Watching the Watchers. Our first today is Restricting Access. This is first mostly because it reduces your attack surface. We want controls to ensure administrators only access devices they are authorization to manage.

Friday Summary: March 23, 2012

Fri, 23 Mar 2012 00:00:00 +0000

This should not matter: The Square Register. But it does. What do I mean by that? Check out the picture: There’s something catchy and slick about the set-up of an iPad cash register and the simple Square device. It looks like something Apple would produce. It seems right at home with – almost a natural extension of – the iPad. I run into small shop owners and independent business people who are using Square everywhere. It’s at Target, right next to the Apple products, and the salesperson said they have been flying off the shelves. People say “Wow, that’s cool.” And that’s how Square is going to win this part of the burgeoning personal payment space. The new competitor, PayPal’s Here, is marketing the superiority of their device, better service, and lower costs. Much of that ‘superiority’ is in the device’s security features – such as encrypting data inside the device – which early Square devices currently deployed do not. That’s a significant security advantage. But it won’t matter – next to its competitor, ‘Here’ looks about as modern and relevant as a Zip drive.

How to Read and Act on the 2012 Verizon Data Breach Investigations Report (DBIR)

Thu, 22 Mar 2012 00:00:00 +0000

Verizon just published their excellent 2012 Data Breach Investigations Report, and as usual, it’s full of statistical goodness.

(We will link to it once it’s formally released – we are writing this based on our preview copy).

Watching the Watchers: The Privileged User Lifecycle

Thu, 22 Mar 2012 00:00:00 +0000

As we described in the Introduction to this series, organizations can’t afford ignore the issue of privileged users (P-Users) any more. A compromised P-user (PUPwned) can cause all sorts of damage, and so needs to be actively managed. In the last post we presented the business drivers and threats – now let’s talk about solutions. As most analysts favor some kind of model to describe something, we’ll call ours the Privileged User Lifecycle.

Incite 3/21/2012: Wheel Refresh

Wed, 21 Mar 2012 00:00:00 +0000

It seems like a lifetime ago. June of 1999. Actually it was more than XX1’s lifetime ago. The Boss and I still lived in Northern Virginia. I was close to the top of the world. I started a software company, we raised a bunch of VC money, and the Internet Revolution was booming. The lease on my crappy 1996 Pathfinder was up, and I wanted some spiffy new wheels.

Understanding and Selecting DSP: Technical Architecture

Wed, 21 Mar 2012 00:00:00 +0000

One of the key strengths of DSP is its ability to scan and monitor multiple databases running on multiple database management systems (DBMSs) across multiple platforms (Windows, Unix, etc.). The DSP tool aggregates information from multiple collectors to a secure central server. In some cases the central server/management console also collects information while in other cases it serves merely as a repository for data from collectors.

iOS Data Security: Secure File Apps for Unmanaged Devices

Tue, 20 Mar 2012 00:00:00 +0000

To finish our discussion of securing data on unmanaged devices, let’s focus on three categories of apps designed for secure file access:

iOS Data Security: Protecting Data on Unmanaged Devices

Mon, 19 Mar 2012 00:00:00 +0000

There are a whole spectrum of options available for securing enterprise data on iOS, depending on how much you want to manage the device and the data. ‘Spectrum’ isn’t quite the right word, though, because these options aren’t on a linear continuum – instead they fall into three major buckets:

Talkin’ Tokenization

Mon, 19 Mar 2012 00:00:00 +0000

I want to announce a couple webcasts I’ll be on this week regarding tokenization: one will focus on the grey areas of compliance with tokenization, and the other will offer buyers a list of key evaluation criteria.

Friday Summary: March 16, 2011 (a little late)

Fri, 16 Mar 2012 00:00:00 +0000

Sorry, folks, I wrote the Summary yesterday and got so caught up in CU beating UNLV for our first NCAA Tournament win in 15 years that I forgot to actually post this.

Data Flow on iOS

Thu, 15 Mar 2012 00:00:00 +0000

Continuing our series on iOS data security, we need to take some time to understand how data moves onto and around iOS devices before delving into security and management options.

Watching the Watchers: Access to the Keys (to the Kingdom)—New Series

Thu, 15 Mar 2012 00:00:00 +0000

We are happy to announce a new series, where for the first time we will research and document the issues around privileged user management (PUM). It may not sound as exciting as cloud anything, or iOS data protection, but it’s something you overlook at your own risk. Because administrators (those privileged users) have the keys to your kingdom. A sysadmin with malicious intent can cause a very bad day for you and your organization.

Defending Enterprise Data on iOS: Introduction

Wed, 14 Mar 2012 00:00:00 +0000

The numbers alone don’t tell the story. In 2011 Apple sold 315 million iOS devices (62 million in the fourth quarter alone). There are over 100 million iCloud users – using a service less than a year old. And these numbers are for Apple alone – never mind all the other mobile devices. Apple calls this the dawn of the “post-PC era”, and with numbers like those it’s hard to argue. Even Microsoft is in the midst of what is shaping up to be the largest change in their platform strategy since Windows, in an attempt to address this market.

Defending iOS Data: iOS Security and Data Protection

Wed, 14 Mar 2012 00:00:00 +0000

Before we delve into management options we need time to understand the iOS security and data protection models. These are the controls built into the platform – many utilized in the various enterprise options we will discuss in this series. We are focused on data but will also cover iOS security basics, as they play an important role in data security, and for those of you who aren’t familiar with the specifics.

Incite 3/14/2012: My Kind of People

Wed, 14 Mar 2012 00:00:00 +0000

Like everyone else, I have a bunch of jobs. There is the day job and then my job at home. Well, it’s not really a job, it’s more a responsibility – to be a good husband and to teach my kids to be properly functioning adults. As most of you know, I take the parenting responsibility very seriously. I am constantly stressing hard work and best effort. Making the point constantly to my kids that the only thing they can truly control is their own effort.

Mr. Market Says Security Is Winning

Tue, 13 Mar 2012 00:00:00 +0000

Today Dell announced its intention to acquire SonicWALL from private equity firm Thoma Bravo. This is less than two years after Thoma Bravo took SonicWALL private in a screaming deal, and with a deal size rumored up to $1.5 billion I think we can safely assume the bankers win again. As always.

Friday Summary: March 9, 2012

Thu, 08 Mar 2012 00:00:00 +0000

By Adrian Lane:

I learned something from the e10+ session during RSA. Usually it’s my least favorite event but this year was different – it was most favorite, and not just because Rich and Mike were instrumental in putting it together. The consumerization presentation was really informative – the audience responses surprised me – but the breach victim “fireside chat” was awesome. The only way we could mimic the human stress angle in a preparedness drill is to set part of your office on fire during a press conference, or taze IT personnel as they rummage through logs. Don’t discount the stress factor in breach planning.

Incite 3/7/2012: Perspective

Wed, 07 Mar 2012 00:00:00 +0000

Life is a series of ebbs and flows. Highs and lows. Crests and troughs. It’s a yin/yang thing, and unfortunately most folks can’t appreciate that. Especially when they can’t see their way out of a down period. For a lot of security folks, the last two weeks have been such a contrast between those highs and lows that many are probably feeling whiplash.

Understanding and Selecting DSP: Data and Event Collection

Wed, 07 Mar 2012 00:00:00 +0000

In our previous post on DSP components we outlined the evolution of Database Activity Monitoring into Database Security Platforms. One of its central aspects is the evolution of event collection mechanisms from native audit, to monitoring network activity, to agent-based activity monitoring. These are all database-specific information sources. The evolution of DAM has been framed by these different methods of data collection. That’s important, because what you can do is highly dependent on the data you can collect. For example, the big reason agents are the dominant collection model is that you need them to monitor administrators – network monitoring can’t do that (and is quite difficult in distributed environments).

Burnout

Tue, 06 Mar 2012 00:00:00 +0000

I feel fortunate that I’m not haunted by the images of what I have witnessed. If I don’t sleep well at night it’s due to stress at work or at home, not dark images from the years I spent working in emergency services.

Upcoming Cloud Security Training Courses

Tue, 06 Mar 2012 00:00:00 +0000

Our world domination tour continues. At least if you consider training for the Certificate of Cloud Security Knowledge (CCSK) part of your plan to know all things Cloud Security. As authors of the training curriculum, we are the only folks who can train and certify instructors to deliver the training, so a couple times a year we deliver the courses, live and in person.

Bringing Sexy back (to Security): Mike’s RSAC 2012 Wrap-up

Mon, 05 Mar 2012 00:00:00 +0000

Oh yeah. I’m back in the ATL after a week at the RSA Conference. Aside from severe sleep deprivation, major liver damage, and some con flu… I’m feeling great. It seems everyone else is as well. Something appeared at RSA that we haven’t seen for at least 3 years: smiles. Which I guess is to be expected, since in 2009 and 2010 everyone walked around with hard hats, expecting the sky to fall. In 2011 there were some positive signs but still a lot of skepticism, which was gone this year. Almost everyone I talked to was very optimistic for 2012 and beyond.

Objectivity Matters

Tue, 28 Feb 2012 00:00:00 +0000

I owe a tremendous amount to social media. I wasn’t early to either blogging or Twitter (as my friends remind me), but once I got there a whole new world of opportunities opened. I created a boutique business (Security Incite) on the back of a blog and email newsletter. I met so many great people – many of whom became close friends – and even found a business partner or two.

Implementing DLP: Ongoing Management

Thu, 23 Feb 2012 00:00:00 +0000

Managing DLP tends to not be overly time consuming unless you are running off badly defined policies. Most of your time in the system is spent on incident handling, followed by policy management.

RSA Conference 2012 Guide: Cloud Security

Thu, 23 Feb 2012 00:00:00 +0000

We’ve renamed this section from “Virtualization and Cloud Security” to simply “Cloud Security” since if you listen to any of the marketing messages, you can’t tell the difference, even though it’s a big one. And virtualization is a hassle to type, so buh bye! Overall, as we mentioned in the key themes post, cloud security will be one of the biggest trends to watch during the conference and it also happens to be one area where you should focus since there is some real innovation, and you probably have real problems that need some help.

The Last Friday before the 2012 RSA Conference

Thu, 23 Feb 2012 00:00:00 +0000

It’s here.

No, not the new iPad. Not those test results. And most definitely not that other thing you were thinking about.

The Securosis Guide to RSA 2012

Thu, 23 Feb 2012 00:00:00 +0000

Managing DLP tends to not be overly time consuming unless you are running off badly defined policies. Most of your time in the system is spent on incident handling, followed by policy management.

Implementing DLP: Deploy

Wed, 22 Feb 2012 00:00:00 +0000

Up until this point we’ve focused on all the preparatory work before you finally turn on the switch and start using your DLP tool in production. While it seems like a lot, in practice (assuming you know your priorities) you can usually be up and running with basic monitoring in a few days. With the pieces in place, now it’s time to configure and deploy policies to start your real monitoring and enforcement.

Incite 2/22/2012: Poop Flingers

Wed, 22 Feb 2012 00:00:00 +0000

It’s a presidential election year here in the US, and that means the master spin meisters, manipulators, and liars politicians are out in full force. Normally I just tune out, wait for the primary season to end, and then figure out who I want to vote for. But I know better than to discuss either religion or politics with people I like. And that means you. So I’m not going to go there. But this election cycle is different for me, and it will be strange.

RSA Conference 2012 Guide: Data Security

Wed, 22 Feb 2012 00:00:00 +0000

In the the last twelve months we’ve witnessed the highest rates of data theft disclosures since the record setting year of 2008 (including, for the first time in public, Rich’s credit card). So predictably there will be plenty of FUD balloons flying at this year’s conference. From Anonymous to the never-ending Wikileaks fallout and cloud fears, there is no shortage of chatter about data security (or “data governance” for people who prefer to write about protecting stuff instead of actually protecting it).

Malware Analysis Quant: Documenting Metrics (and survey is still going)

Mon, 20 Feb 2012 00:00:00 +0000

Just a little President’s Day update on the Malware Analysis Quant project. At the end of last month we packaged up all the process descriptions into a spiffy paper, which you can download and check out.

RSA Conference 2012 Guide: Security Management and Compliance

Mon, 20 Feb 2012 00:00:00 +0000

As we continue with our tour through the RSA Conference, we’re in the home stretch. Today we’ll hit both security management and compliance, since the two are intrinsically linked.

Understanding and Selecting DSP: Core Components

Mon, 20 Feb 2012 00:00:00 +0000

Those of you familiar with DAM already know that over the last four years DAM solutions have been bundled with assessment and auditing capabilities. Over the last two years we have seen near universal inclusion of discovery and rights management capabilities. DAM is the centerpiece of a database security strategy, but as a technology it is just one of a growing number of important database security tools. We have already defined Database Security Platform, so now let’s spend a moment looking at the key components, how we got here, and where the technology and market are headed. We feel this will fully illustrate the need for the name change.

Webcast Wednesday 22nd: Tokenization Scope Reduction

Mon, 20 Feb 2012 00:00:00 +0000

Just a quick announcement that this Wednesday I will be doing a webcast on how to reduce PCI-DSS scope and audit costs with tokenization. This will cover the meaty part of our Tokenization Guidance paper from last year. In the past I have talked about issues with the PCI Council’s Tokenization supplement; now I will dig into how tokenization affects credit card processing systems, and how supplementary systems can fall out of scope. The webcast will start at 11am PST and run for an hour. You can sign up at the sponsor’s web site.

RSA Conference 2012 Guide: Email & Web Security

Sun, 19 Feb 2012 00:00:00 +0000

For a little bonus on a Sunday afternoon, let’s dig into the next section of the RSA Guide, Email and Web Security which remains a pretty hot area. This shouldn’t be surprising since these devices tend to be one of the only defenses against your typical attacks like phishing and drive-by downloads. We’ve decided to no longer call this market ‘content security’; that was a terrible name. Email and Web Security speaks to both the threat models as well as the deployment architectures of what started as the ‘email security gateway’ market. These devices screen email and web traffic moving in and out of your company at the application layer.

RSA Conference Guide 2012: Endpoint Security

Fri, 17 Feb 2012 00:00:00 +0000

Ah, the endpoint. Do you remember the good old days when endpoint devices were laptops? That made things pretty simple, but alas, times have changed and the endpoint devices you are tasked to protect have changed as well. That means it’s not just PC-type devices you have to worry about – it’s all varieties of smartphones and in some industries other devices including point of sale terminals, kiosks, control systems, etc. Basically anything with an operating system can be hacked, so you need to worry about it. Good times.

Friday Summary: February 17, 2012

Thu, 16 Feb 2012 00:00:00 +0000

I managed to take a couple days off last week, and got out of town. I went camping with a group of friends, all from very different backgrounds, with totally unrelated day jobs – but we all love camping in the desert. Whenever we’re BSing by the camp fire, they ask me about current events in security. There’s almost always a current data breach, ‘Anonymous’ attack, or whatever. This group is decidedly non-technical and does not closely follow the events I do. This trip the question on their minds was “What ‘s the big deal with SOPA?” Staying away from the hyperbole and accusations on both sides, I explained that the bill would have given content creators the ability to shut down web sites without due process if they suspected they hosted or distributed pirated content. I went into some of the background around issues of content piracy; sharing of intellectual property; and how digital media, rights management, and parody make the entire discussion even more cloudy.

OS X 10.8 Gatekeeper in Depth

Thu, 16 Feb 2012 00:00:00 +0000

As you can tell from my TidBITS review of Gatekeeper, I think this is an important advancement in consumer security. There are a lot of in-depth technical aspects that didn’t fit in that article, so here’s an additional Q&A for those of you with a security background who care about these sorts of things. I’m skipping the content from the TidBITS article, so you might want to read that first.

RSA Conference Guide 2012: Application Security

Thu, 16 Feb 2012 00:00:00 +0000

Building security in? Bolting it on? If you develop in-house applications, it’s likely both. Application security will be a key theme of the show. But the preponderance of application security tools will block, scan, mask, shield, ‘reperimeterize’, reconfigure, or reset connections from the outside. Bolt-on is the dominant application security model for the foreseeable future. The good news is that you may not be the one managing it, as there is a whole bunch of new cloud security services and technologies available. Security as a service, anyone? Here’s what we expect to see at this year’s RSA Conference.

Implementing DLP: Deploying Storage and Endpoint

Wed, 15 Feb 2012 00:00:00 +0000

Storage deployment

From a technical perspective, deploying storage DLP is even easier than the most basic network DLP. You can simply point it at an open file share, load up the proper access rights, and start analyzing. The problem most people run into is figuring out which servers to target, which access rights to use, and whether the network and storage repository can handle the overhead.

Incite 2/15/2012: Brushfire

Wed, 15 Feb 2012 00:00:00 +0000

I had this fraternity brother back in college named Lucas. We gave him a pretty hard time, mostly because he was the nicest guy you’d ever want to meet. Turns out he didn’t know what jobs just sucked. We’d ask Luke to clean the grease trap, a typical task when we were pledges. Not a problem for him, and that was probably the nicest thing we asked him to do. Remember that when you live in a house with 40+ guys, you tend to share a lot of things.

RSA Conference 2012 Guide: Network Security

Wed, 15 Feb 2012 00:00:00 +0000

Yesterday we posted the key themes we expect to see at the upcoming RSA Conference. Now we’ll starting digging into our main coverage areas. Today we’ll start with network security.

RSA Conference 2012 Guide: Key Themes

Tue, 14 Feb 2012 00:00:00 +0000

It’s hard to believe, but we are two weeks out from the RSA Conference. As in previous years, your pals at Securosis have put together our 3rd annual RSA Guide, which we will distribute next week. But we will give you blog reading faithful, an early look at what we expect to see at the show. So let’s with the key themes…

Implementing DLP: Deploying Network DLP

Mon, 13 Feb 2012 00:00:00 +0000

Deploying on the network is usually very straightforward – especially since much of the networking support is typically built into the DLP server.

[New White Paper] Network-Based Malware Detection: Filling the Gaps of AV

Thu, 09 Feb 2012 00:00:00 +0000

We know it’s a shock, but your endpoint protection suite isn’t doing a good enough job of blocking malware attacks. So the industry has resorted additional layers of inspection, detection, and even protection to address its shortcomings. One place focus is turning, which is seeing considerable innovation, is the network. We see a new set of devices and enhancements to existing perimeter platforms, focused on detecting and blocking malware. A paragraph from Network-Based Malware Detection: Filling the Gaps of AV says it best:

Friday Summary: February 10, 2012

Thu, 09 Feb 2012 00:00:00 +0000

They say it takes 10,000 hours of practice at a task to become an expert. This isn’t idle supposition, but something that’s been studied scientifically – if you believe in that sorts of things. (I’d like to provide a reference, but I’m in the process of becoming an expert at sitting in an Economy Class seat without wireless).

Incite 2/7/2012: The Couch

Wed, 08 Feb 2012 00:00:00 +0000

Do you ever stumble upon a show from the old days, perhaps on Boomerang or TVLand, where the doting wife meets the hubby as he comes home from work? It’s just like my deal. I come home from that tough day writing at Starbucks and the Boss is waiting with my smoking jacket, pipe, and slippers, and the trusty glass of brandy to take the edge off a tough day. And then I wake up.

Implementing and Managing a Data Loss Prevention (DLP) Solution: Index of Posts

Tue, 07 Feb 2012 00:00:00 +0000

We’re pretty deep into our series on Implementing DLP, so it’s time to put together an index to tie together all the posts. I will keep this up to date as new content goes up, and in the end it will be the master list for all eternity. Or until someone hacks our site and deletes everything. Whichever comes first.

Implementing DLP: Starting Your Integration

Tue, 07 Feb 2012 00:00:00 +0000

With priorities fully defined, it is now time to start the actual integration.

The first stop is deploying the DLP tool itself. This tends to come in one of a few flavors – and keep in mind that you often need to license different major features separately, even if they all deploy on the same box. This is the heart of your DLP deployment and needs to be in place before you do any additional integration.

Implementing DLP: Integration Priorities and Components

Mon, 06 Feb 2012 00:00:00 +0000

It might be obvious by now, but the following charts show which DLP components, integrated with which existing infrastructure, you need based on your priorities. I have broken this out into three different images to make them more readable. Why images? Because I have to dump all this into a white paper later, and building them in a spreadsheet and taking screenshots is a lot easier than mucking with HTML-formatted charts

Understanding and Selecting a Database Security Platform: Defining DSP

Mon, 06 Feb 2012 00:00:00 +0000

As I stated in the intro, Database Security Platform (DSP, to save us writing time and piss off the anti-acronym crowd) differs from DAM in a couple ways. Let’s jump right in with a definition of DSP, and then highlight the critical differences between DAM and DSP.

Friday Summary: February 3, 2012

Thu, 02 Feb 2012 00:00:00 +0000

Since Rich is vacationing working hard at a security conference in Mexico, I figure I would write this week’s Friday Summary. I am pretty jazzed about some upcoming white papers I’ll be writing on securing data and applications at scale, understanding and selecting masking technologies, and why log management is not dead! And I am having a good time researching and writing the DAM 2.0 DSP series as well. I originally intended to write about our research agenda but changed my mind. Frankly, I have spring fever. Spring fever, you ask, in the first week of February? Yep. It’s 74 degrees here and sunny. WTF? Punxsutawney Phil weighed in with his opinion, and after burning his retinas, it looks like we are going to have another six weeks of winter. I sure hope so! Another six weeks of this type of weather would be awesome. I have been on the phone with dozens of people around the country, from Boston to San Diego, and they are all experiencing fantastic weather. Even Gunnar reports highs of 48 degrees in Minnesota. I guess the cold air jet stream has been staying north of the border. For me this means my peach trees are blooming. Blooming! On freakin’ January 30th! See for yourself:

Bridging the Mobile Security Gap: Operational Consistency

Wed, 01 Feb 2012 00:00:00 +0000

We started the Bridging the Mobile Security Gap series by accepting that we can’t control the devices that show up on our networks any more. We followed up with a diatribe on the need for context to build and enforce policies which ensure that (only) the right users get to the right stuff at the right times.

Incite 2/1/2012: Bored to Tears

Wed, 01 Feb 2012 00:00:00 +0000

It’s unbelievable how different growing up today is. When I was in elementary school in the late 70s, Pong was state of the art and a handheld Coleco football game would keep a little kid occupied for hours. When they came up with the Head to Head innovation, two kids would be occupied for hours. That was definitely a different type of Occupy movement. We also didn’t have 300 channels on the boob tube. We had 5 channels, and the highlight of the year was Monster Week. At least for me.

Malware Analysis Quant: Take the Survey (and win fancy prizes!)

Wed, 01 Feb 2012 00:00:00 +0000

One of the coolest things about how we work at Securosis is our Totally Transparent Research approach. We always post our work to the blog first and let you folks have at it. In many cases it gets poked and prodded, ridiculed, and broken down. It’s certainly tough on the ego, but in the end makes the work better.

Implementing DLP: Integration, Part 1

Tue, 31 Jan 2012 00:00:00 +0000

At this point all planning should be complete. You have determined your incident handling process, started (or finished) cleaning up directory servers, defined your initial data protection priorities, figured out which high-level implementation process to start with, mapped our the environment so you know where to integrate, and performed initial testing and perhaps a proof of concept.

Bridging the Mobile Security Gap: The Need for Context

Mon, 30 Jan 2012 00:00:00 +0000

As we discussed in the first post of this series, consumerization and mobility will remain macro drivers of security for the foreseeable future, and force us to stare down network anarchy. We can certainly go back into the security playbook and deal with an onslaught of unwieldy devices by implementing some kind of agentry on the devices to provide a measure of control. But results of this device-centric approach have been mixed. And that’s being kind.

Implementing DLP: Final Deployment Preparations

Mon, 30 Jan 2012 00:00:00 +0000

Map Your Environment

No matter which DLP process you select, before you can begin the actual implementation you need to map out your network, storage infrastructure, and/or endpoints. You will use the map to determine where to push out the DLP components.

Understanding and Selecting Database Security Platforms

Mon, 30 Jan 2012 00:00:00 +0000

We love the Totally Transparent Research process. Times like this – where we hit upon new trends, discover unexpected customer uses cases, or discover something going on behind the scenes – are when our open model really shows its value. We started a Database Activity Monitoring 2.0 series last October and suddenly halted because our research showed that platform evolution has changed from convergence to independent visions of database security, with customer requirements splintering.

Malware Analysis Quant: Phase 1 - The Process [Check out the paper!]

Sun, 29 Jan 2012 00:00:00 +0000

We are well aware that the Quant research can be overwhelming. 70+ pages of process, metrics, and survey data is a lot to get through. So we have broken the Malware Analysis Quant project up into two phases. The first phase focuses on defining and describing the underlying process. In the second phase we get into metrics and run the survey to figure out who is actually doing which aspects of the process. In the end will still produce the big paper in all its glory. But we figured an interim deliverable at the end of Phase 1 would make a lot of sense. So that’s what we have done.

Friday Summary: January 27, 2012

Thu, 26 Jan 2012 00:00:00 +0000

This is the Securosis Friday Summary. For those of you who don’t know this is where Rich and I vent. When I started working with Rich I used to loathe writing this intro; now it’s therapeutic. It gives me a chance to talk about whatever is on my mind that I think people might find interesting. Sure, most Friday posts talk about security, but not always. If such things bother you – as one reader mentioned last week – search within the page for ‘Summary’ to avoid our ramblings.

Implementing DLP: Picking Priorities and a Deployment Process

Thu, 26 Jan 2012 00:00:00 +0000

At this point you should be in the process of cleaning your directory servers, with your incident handling process outlined in case you find any bad stuff early in your deployment. Now it’s time to determine your initial priorities to figure out whether you want to start with the Quick Wins process or jump right into full deployment.

Implementing DLP: Getting Started

Wed, 25 Jan 2012 00:00:00 +0000

In our Introduction to Implementing and Managing a DLP Solution we started describing the DLP implementation process. Now it’s time to put the pedal to the metal and start cranking through it in detail.

Incite 1/25/2011: Prized Possessions

Wed, 25 Jan 2012 00:00:00 +0000

So I was sitting in Dunkin Donuts Sunday morning, getting in a few hours of work while the kids were at Sunday school. You see the folks who come in and leave with two boxes of donuts. They are usually the skinny ones. Yeah, I hate them too. You see the families with young kids. What kid doesn’t totally love the donuts? You snicker at the rush at 11am when a local church finishes Sunday services and everyone makes a mad dash for Dunkin and coffee.

Bridging the Mobile Security Gap: Staring down Network Anarchy (new series)

Mon, 23 Jan 2012 00:00:00 +0000

No rest for the weary, it seems. As soon as we wrapped up last week’s blog series we start two more. Check out Rich’s new DLP series, and today I am starting to dig into the mobile security issue. We will also start up Phase 2 of the Malware Analysis Quant series this week. But don’t cry for us, Argentina. Being this busy is a good problem to have.

Implementing and Managing a DLP Solution

Mon, 23 Jan 2012 00:00:00 +0000

I have been so tied up with the Nexus, CCSK, and other projects that I haven’t been blogging as much as usual… but not to worry, it’s time to start a nice, juicy new technical series. And once again I return to my bread and butter: DLP. As much as I keep thinking I can simply run off and play with pretty clouds, something in DLP always drags me back in. This time it’s a chance to dig in and focus on implementation and management (thanks to McAfee for sponsoring something I’ve been wanting to write for a long time). With that said, let’s dig in…

The 2012 Disaster Recovery Breakfast

Mon, 23 Jan 2012 00:00:00 +0000

Really? It’s that time again? Time to prepare for the onslaught that is the RSA Conference. Well, we’re 5 weeks out, which means Clubber Lang was exactly right.

Baby Steps toward the New School

Fri, 20 Jan 2012 00:00:00 +0000

Aside from our mutual admiration society with Adam and the New School folks, clearly we as an industry have suffered because we don’t share data, or war stories, or shared experience, or much of everything. Hubris has killed security innovation. We, as an industry, cannot improve because we don’t learn from each other.

Friday Summary: January 20, 2012

Thu, 19 Jan 2012 00:00:00 +0000

I think I need to ban Mike from Arizona.

Scratch that – from a hundred mile radius of me.

A couple weeks ago he was in town so we could do our 2012 Securosis strategic planning. He rotates between my screaming kids and Adrian’s pack ‘o dogs, and this was my turn to host. We woke up on time the next morning, hopped in my car, and headed out to meet Adrian for breakfast and planning.

Incite 1/19/2012: My Seat

Thu, 19 Jan 2012 00:00:00 +0000

Before we get to the Incite we should probably explain why it’s a day late. Like many other sites we have huge issues with PIPA and SOPA, so we took down our site yesterday in protest. We don’t expect the big companies with big lobbying budgets to give up, so we need to keep the pressure on. Copyright holders have a right to protect their content, but not at the cost of our freedom and liberty. Period. Now back to our regularly scheduled pot stirring.

Malware Analysis Quant: Process Descriptions

Thu, 19 Jan 2012 00:00:00 +0000

I’m happy to report that we have finished the process description posts for the Malware Analysis Quant project. Not all of you follow our Heavy Feed (even though you should), so here is a list of all the posts.

Oracle SCN Flaw

Thu, 19 Jan 2012 00:00:00 +0000

A flaw in the Oracle database has been disclosed, whereby the Oracle System Change Number (SCN) – a feature that helps synchronize database events – outgrows its defined limits. The SCN is an ever-increasing sequence number used to determine the ‘age’ of data. It is incremented automatically by 16k per second to provide a time reference, and again each time data is ‘committed’ (written to disk). This enables transactions to be referenced to the second, and ordered within each second. As you might imagine, this is a very large number, with a maximum value and a maximum increase per day. If the SCN passes its maximum value the database completely stops. The new discovery concerns the SCN.

Censored #sopa

Tue, 17 Jan 2012 00:00:00 +0000

We blacked out Securosis (mostly – it was a rush job) to protest SOPA, PIPA, and the future variants we are sure will appear now that everyone has targeted these two acronyms.

Network-based Malware Detection: The Impact of the Cloud

Fri, 13 Jan 2012 00:00:00 +0000

Is it that time already? Yep, it’s time to wrap up our series on Network-based Malware Detection. We started with the need to block malware more effectively on the perimeter, particularly because you know you have users who are not the sharpest tools in the shed. Then we discussed the different techniques involved in detecting malware. Finally we tackled location, assessing critically whether the traditional endpoint protection model has outlived its usefulness.

Friday Summary: January 13, 2012

Thu, 12 Jan 2012 00:00:00 +0000

You’ve probably noticed we have not been doing a lot of blogging lately. Sorry about that – we’ll start back up with a bang very soon. This will be a very exciting year for Securosis – we have a bunch of projects in the pipe. I’ll be launching a re-start of the Database Activity Monitoring 2.0 series now that we have finally settled on the terminology and done sufficient research on the trends to actually convey what’s going on. Mike and I want to cover some Log Management topics, and I have a data masking research project underway as well. All that is over and above new developments with the Securosis Nexus, the Cloud Security Alliance Training, and our RSA Guide – so Q1 will be very busy and we will be writing a lot. I’ll publish my Q2 research agenda in the coming weeks, so if you have anything you want to talk about at RSA we can go into detail then. And I wanted to comment on a ton of great posts I have seen, but alas…

Checking out a bootable Windows TPM thumb drive

Wed, 11 Jan 2012 00:00:00 +0000

It’s almost RSA time again. Which means one very important thing: I need to finally post the review of the very slick TPM-based Windows bootable thumb drive Jeff Jones (@securityjones) gave me at RSA 2011. I have been promising him this review since last March, and it would be just too embarrassing to not get it done before RSA 2012. So here we go.

Incite 1/11/2012: Spoilsport

Wed, 11 Jan 2012 00:00:00 +0000

The winter holidays aggravate me. They are a consumption binge, and I know we all want a healthier global economy (which includes folks spending money they don’t have on things they don’t need) but it still irks me. I grew up modestly in a single-parent home, and we did stuff, but not a lot. We didn’t have the fancy things, which forced me to go out and earn whatever I’ve gotten.

Social Security Blogger Awards: Voting Open!

Tue, 10 Jan 2012 00:00:00 +0000

It’s hard to believe, but the RSA Conference is almost upon us. We have a lot of very cool stuff planned, including an update to our RSA Guide, a few cool partnerships, and of course the Disaster Recovery Breakfast. We will have more details on all the above as we get closer to the show. In the meantime we want you to know that voting has opened for the 2012 Social Security Blogger Awards.

Incite 1/4/2011: Shaking things up

Wed, 04 Jan 2012 00:00:00 +0000

For a football fan, there is nothing like the New Year holiday. You get to shake your hangover with a full day of football. This year was even better because the New Year fell on a Sunday, so we had a full slate of Week 17 NFL games (including a huge win for the G-men over the despised Cowboys) and then a bunch of college bowl games on Monday the 2nd.

Network-based Malware Detection: Where to Detect the Bad Stuff?

Wed, 04 Jan 2012 00:00:00 +0000

We spent the first two posts in this series on the why (Introduction) and how (Detecting Today’s Malware) of detecting malware on the network. But that all assumes the network is the right place to detect malware. As Hollywood types tend to do, let’s divulge the answer at the beginning, in a transparent ploy. Drum roll please… You want to do malware detection everywhere you can. On the endpoints, at the content layer, and also on the network. It’s not an either/or decision. But of course each approach has strengths and weaknesses. Let’s dig into those pros and cons to give you enough information to figure out what mix of these options makes sense for you.

Network-based Malware Detection: Identifying Today’s Malware

Thu, 29 Dec 2011 00:00:00 +0000

As we discussed in the Introduction to the Network-based Malware Detection series, traditional approaches to detecting malware cannot protect us any more. With rapidly morphing executables, increasingly sophisticated targeting, zero-day attacks, and innovative cloaking techniques, matching a file to a known bad AV signature is simply inadequate as a detection mechanism. We need to think differently about how to detect these attacks, so our next step is to dig into each of these specific tactics to figure out exactly what a file is doing and determining whether it’s bad.

The Last Friday Summary of 2011

Thu, 22 Dec 2011 00:00:00 +0000

A couple weeks ago we decided to change up the Friday Summary and update the format to something new and spiffy.

Incite 12/21/2011: Regret. Nothing.

Wed, 21 Dec 2011 00:00:00 +0000

Around the turn of the New Year, I always love to see the cartoon where the old guy of the current year gives way to the toddler of the upcoming year. Each new year becomes a logical breakpoint to take stock of where you’re at, and where you want to be 12 months from now. Some of us (like me) aren’t so worried about setting overly specific goals anymore, but it’s a good opportunity to make sure things are moving in the right direction.

Network-Based Malware Detection: Introduction [new blog series]

Wed, 21 Dec 2011 00:00:00 +0000

Evidently this is the month of anti-malware research for us – I’m adding to the Malware Analysis Quant project by starting a separate related series. We’re calling it Network-based Malware Detection: Filling the Gaps of AV because that’s what we need to do as an industry.

Introducing the Malware Analysis Quant Project

Mon, 19 Dec 2011 00:00:00 +0000

Yep, we’re launching another Quant research project – this time on Malware Analysis. Consider it our little holiday present to all of you.

Friday Summary: December 16, 2011

Thu, 15 Dec 2011 00:00:00 +0000

Aspartame is toxic, so they renamed it AsparSweet(tm) to confuse consumers. GMAC was fined for mistreating customers and accused of violating state laws, so they renamed themselves Ally. Slumping sales of high fructose corn syrup, a substance many feel contributes to obesity and reduced brain function, inspired the new name “corn sugar”. Euro bonds are now “stability bonds”. Corn-fed stockyard beef can now be labelled ‘Organic’. And that is that whole weird discussion on whether pizza is legally a vegetable or not.

New White Paper: Applied Network Security Analysis

Thu, 15 Dec 2011 00:00:00 +0000

We have been saying for years that you can’t assume your defenses are sufficient to stop a focused and targeted attacker. That’s what React Faster and Better is all about. But say you actually buy into this philosophy: what now? How do you figure out the bad guys are in your house? And more importantly how they got there and what they are doing? The network is your friend because it never lies.

Incite 12/14/2011: Family Matters

Wed, 14 Dec 2011 00:00:00 +0000

There are a couple calls you just don’t want to get. Like from the FBI when you’ve had some kind of breach and your secret recipe is listed on eBay. Or from the local cops because your kids did something stupid and you can only hope your umbrella policy will cover it. But those are relatively trivial in the grand scheme of things. I got a call Friday morning that my Uncle Mac had passed away suddenly. I can’t say we were very close, but he met my aunt when I was a kid, and has been present at good times and bad over the past 35 years.

Pontification Alert: Upcoming webcast appearances

Tue, 13 Dec 2011 00:00:00 +0000

I figure our lack of blogging has created a vacuum of mostly-useless security snark and babble. Who else can put so little content in so many words? But all is not lost – we continue banging away building content for the Nexus. Thanks to a few of our excellent clients, you have the opportunity to hear me ramble on about two of my favorite topics this week. If you need some excuse to get out of your root canal appointment, need to postpone that audit findings meeting, or perhaps just choose not to grovel for 2012 budget on Wednesday or Thursday afternoon, do a little clicky-clicky and join me for the following webcasts…

Tokenization Guidance White Paper Available

Mon, 12 Dec 2011 00:00:00 +0000

We are pleased to announce the availability of our latest white paper: Tokenization Guidance: How to Reduce PCI Compliance Costs. It discusses the dos and don’ts of replacing credit card data with tokens, to improve security while reducing PCI DSS auditing costs. Our primary goal was to help merchants understand how to employ tokenization to reduce PCI scope, as well as the costs of Payment Card Industry Data Security Standard audits. When we read the PCI supplement on tokenization guidelines we were shocked that it failed to provide concrete answers to the target audience’s most-asked question: How can I reduce audit scope? It felt like the paper was designed to lull us to sleep – it would raise topics we were interested in, but then ramble on without answers.

Friday Summary, December 9, 2011

Thu, 08 Dec 2011 00:00:00 +0000

As Rich announced, we are shaking up the Friday Summary a bit. We will still talk about what we are up to. And we’ll share some of our personal – possibly security related – stories in the Summary. But we will focus on fewer stories with more analysis of interesting news items. Honestly, we’ll likely sneak in security news as well – it just depends on whether we see interesting stuff.

Incite 12/6/11: Stinky

Tue, 06 Dec 2011 00:00:00 +0000

I have a younger brother. It was just the two of us (and Mom) growing up, so I find myself ill suited to dealing with girl stuff. Thankfully the Boss is wonderful at working with the girls on how to deal with bullies/mean girls, and this physical maturation process that seems to happen to girls. One day they are all cute, young and innocent; the next day you’re shopping for bras. Thankfully the Boss handles that duty as well. I’d favor the model that is bolted onto their respective rib cages, and don’t get me started on chastity belts… But when it comes to the Boy, I’m all over that.

Friday Summary: Big Changes and Carrier IQ

Thu, 01 Dec 2011 00:00:00 +0000

Back when we started the Friday Summary the world of blogs and social media was much different. RSS feeds were the primary means by which most of us sucked down our news, and we tended to communicate through cross-blog links and comments.

Incite 11/30/2011: An Introverted Thanks

Wed, 30 Nov 2011 00:00:00 +0000

As with most things, I have mixed feelings about the holidays. Who doesn’t enjoy a few days off to recharge for the end-of-year rush? But the holidays also mean family, and that’s a good thing in limited doses. I’m one of the lucky few who gets along with my in-laws. They have an inexplicably high opinion of me, and who am I to say they are wrong?

Changing Focus through the Holidays

Tue, 29 Nov 2011 00:00:00 +0000

Hey everyone,

As you may have noticed, we are pretty focused on this Securosis Nexus thing we have been working on for a while. The system is coming along great, but it’s time for us to start hammering on its content.

Fundamentals of Crowd Management

Tue, 22 Nov 2011 00:00:00 +0000

I have joked over the years that I’m more qualified to run security at a stadium concert than an IT shop, and it’s somewhat true. My security career started way back at the young age of 18 when I started working on the event staff at CU Boulder, and for Contemporary Services Corporation (CSC), who managed most of the Denver venues. By 21 I was running security at CU and supervising for CSC – managing or supervising sports, music, and other events ranging from under 100 people to over 100,000. Sometimes I was in charge, sometimes I just managed one area, and I was often a rover/troubleshooter.

Occupy Work

Mon, 21 Nov 2011 00:00:00 +0000

I don’t get this #occupy stuff. Maybe that’s an indication that I’m old. Maybe it means I’m selfish. It could be a sign that I have a lot of competing priorities and they don’t leave me a lot of time. But most of all, it’s because I don’t get it. Really.

Mobile Payments without Credit Cards

Thu, 17 Nov 2011 00:00:00 +0000

The San Francisco Chronicle ran an interesting story about a small payment processing firm that is trying to disintermediate credit card companies. But they are doing it the old fashioned way – cutting out the middleman and going direct to banks to move money for them. Dwolla is a start-up payment processor providing person-to-person payment via mobile and social media outlets. Their hook is providing payment at a substantially reduced reduced commission – just twenty-five cents ($0.25) per transaction. Compare that to credit card companies that charge a flat 3%, or PayPal, who changes thirty cents per transaction in addition to 2.9% (less 2.2% for volume sellers). Dwolla’s offering can be viewed as similar to PayPal’s or an ATM transaction, but ATM fees have escalated into the $3-10 range. With mobile payment in its infancy, this space is a greenfield for startups and established players to redefine what’s possible.

Incite 11/16/11: Blockage

Wed, 16 Nov 2011 00:00:00 +0000

Most of the time, the words flow. I have a thought, and the next thing I know there are hundreds (if not thousands) of words on the screen. I’m a writer, so that shouldn’t be surprising. What may be surprising is that there are times I get writer’s block. Like now. At some point in the early part of the week, I get a flash of inspiration and bang out the Incite. It’s usually the easiest part of my job, but not this week.

Index of Posts: Security Management 2.0

Wed, 16 Nov 2011 00:00:00 +0000

We have finished and put a little bow around our Security Management 2.0: Time to Replace Your SIEM? paper. So it’s time to post the series index, as well as a link to the completed paper.

FireStarter: Looking the other way

Tue, 15 Nov 2011 00:00:00 +0000

Over the past few weeks we have been inundated by the 24/7 media cycle, endlessly fascinated bythe alleged child abuse by a Penn State football coach. I couldn’t bring myself to read the grand jury findings, as I have a young son and the idea of anyone doing that to The Boy makes my blood boil. Regarding the perpetrator, I’m with Jay Glazer. But we Americans do take that innocent until proven guilty thing pretty seriously, so we need to let the legal system play it out.

Friday Summary: November 11, 2011

Thu, 10 Nov 2011 00:00:00 +0000

Coupons. Frequent flyer miles. Rebates. Loyalty programs. Member specials. Double coupon days. Frequent buyer programs. Weekly drawings. Big sales events. Seasonal sales. Presidents day sales. Sales tax holiday sales. Going out of business sales. Private clearance sales. 2 for 1 sales. Buy 2 get 1 free.

Incite 11/9/11: Childlike Wonder

Wed, 09 Nov 2011 00:00:00 +0000

Heading down into Atlanta last week for the BSides ATL conference, I got into my car and the magic began. I whipped out my magic box and pulled up the address on the Maps app, just to make sure I remembered where it is. Then I fired up Pandora, which dutifully streamed rocking music to my Bluetooth-equipped car stereo. I checked out the NaviGAtor mobile site for real-time traffic data; then I was set and on my way.

Managed Services in a Security Management 2.0 World

Wed, 09 Nov 2011 00:00:00 +0000

As we posted the Security Management 2.0 series, we focused heavily on replacing an on-premise option with another on-premise option. We paid a bit of lip service to the managed SIEM/Log Management option, but not enough – the reality is that, under the proper, circumstances a managed service presents an interesting alternative to racking and stacking another set of appliances. So consider this a primer for managed services in the context of our Security Management 2.0 discussion. We will go through the drivers, use cases, and deployment architectures for those considering managed services. And we will provide cautions for areas where a service offering might not meet your expectations.

Sucking less is not a brand position

Wed, 09 Nov 2011 00:00:00 +0000

I guess if you have been around long enough, you have seen everything over and over again. I felt my age today when I saw yet another (lame) attempt to Move Security from a Cost Center to a Brand Differentiator. How many times have we security folks wished for the day we could get project funding because it helped the business either to make more money or to spend less money? Gosh, that would make life a lot easier.

Breakdown of Trust and Privacy

Tue, 08 Nov 2011 00:00:00 +0000

I try not to cover data privacy much any more, despite being an advocate, because we have already crossed the point of no return. We have allowed just about every piece of our personal data to be available on the Internet, making privacy effectively a dead issue, but in most cases the user makes the choice. But many very large public firms have been promising consumers that carefully protect customer information, and fully anonymize any data before it’s sold. This is bull$&!#.

A Public Call for eWallet Design Standards

Mon, 07 Nov 2011 00:00:00 +0000

Last week StorefrontBacktalk ran an article on Mobile Wallets. It underscored my personal naivete in assuming that anyone who designed and built a digital wallet for ecommerce would first and foremost protect customer payment data and other private information. Reading this post I had one of those genuine “Oh $&!#” moments – what if the wallet provider was not interested in my security or privacy? Duh!

Applied Network Security Analysis: The Breach Confirmation Use Case

Mon, 07 Nov 2011 00:00:00 +0000

As our last use case in Applied Network Security Analysis, it’s time to consider breach confirmation: confirming and investigating a breach that has already happened. There are clear similarities to the forensics use case, but breach confirmation takes forensic analysis to the next level: you need to learn the extent of the breach, determining exactly what was taken and from where. So let’s revisit our Forensics scenario to look at how that can be extended to confirm a breach.

Tokenization Guidance: PCI Requirement Checklist

Fri, 04 Nov 2011 00:00:00 +0000

So far in this series on tokenization guidance for protecting payment data, we have covered deficiencies in the PCI supplement, offered specific advice for merchants to reduce audit scope, and provided specific tips on what to look for during an audit. In this final post we will provide a checklist of each PCI requirement affected by tokenization, with guidance on how to modify compliance efforts in light of tokenization. I have tried to be as brief as possible while still covering the important areas of compliance reporting you need to adjust.

Understanding and Selecting DAM 2.0: Market Drivers and Use Cases

Fri, 04 Nov 2011 00:00:00 +0000

I was going to being this series talking about some of the architectural changes, but I’ve reconsidered. Since our initial coverage of Database Activity Monitoring technology in 2007, the products have fully matured into enterprise worthy platforms. What’s more, they’ve proven significant security and compliance benefits, as evidenced by market growth from $40M to revenues well north of $100M per year. This market is no longer dominated by small vendors, rather large vendors who have acquired six of the DAM startups. As such, DAM is being integrated with other security products into a blended platform. Because of this, I thought it best to go back and define what DAM is, and discuss market evolution first as it better frames the remaining topics we’ll discuss rest of this series.

Applied Network Security Analysis: The Malware Analysis Use Case

Thu, 03 Nov 2011 00:00:00 +0000

As we resume our tour of advanced use cases for Network Security Analysis, it’s time to consider malware analysis. Of course most successful attacks involve some kind of malware at some point during the attack. If only just to maintain a presence on the compromised device, some kind of bad stuff is injected. And once the bad stuff is on a device, it’s very very hard to get rid of it – and even harder to be sure. Most folks (including us) recommend you just re-image the device, as opposed to trying to clean the malware.

Friday Summary: November 4, 2011

Thu, 03 Nov 2011 00:00:00 +0000

I wouldn’t say I’m a control freak, but I am definitely “control aligned”. If something is important to me I like to know what’s going on under the hood. I also hate to depend on someone else for something I’m capable of.

Incite 11/2/2011: Be Yourself

Wed, 02 Nov 2011 00:00:00 +0000

Last week I was invited to speak at Kennesaw State University’s annual cybersecurity awareness day. They didn’t really give me much direction on the topic, so I decided to give my Happyness presentation. I figured there would be students and other employees who could benefit from my journey from total grump to fairly infrequent grump, and a lot of the stuff I’ve learned along the way.

Conspiracy Theories, Tin Foil Hats, and Security Research

Tue, 01 Nov 2011 00:00:00 +0000

It seems far too much of security research has become like Mel Gibson in “Conspiracy Theory.” Unbalanced, mostly crazy, but not necessarily wrong. But we created this situation, so we have to deal with it. I’m reacting to the media cycle around the Duqu virus, or Son of Stuxnet, identified by F-Secure (among others).

How Regular Folks See Online Safety, and What It Says about Us

Tue, 01 Nov 2011 00:00:00 +0000

I remember very clearly the day I vowed to stop watching local news. I was sitting at home cooking dinner or something, when a teaser report of a toddler who died after being left in a car in the heat aired during that “what we’re covering tonight” opening to the show. It wasn’t enough to report the tragedy – the reporter (a designation she surely didn’t deserve) seemed compelled to illustrate the story by locking a big thermometer in the car, to be pulled out during the actual segment.

Tokenization Guidance: Audit Advice

Tue, 01 Nov 2011 00:00:00 +0000

In this portion of our Tokenization Guidance series I want to offer some advice to auditors. I am addressing both internal auditors going through one of the self assessment questionnaires, as well as external auditors validating adherence to PCI requirements. For the most part auditors follow PCI DSS for the systems that process credit card information, just as they always have. But I will discuss how tokenization alters the environment, and how to adjust the investigation process in the select areas where tokenization systems supplants PAN processing. At the end of this paper, I will go section by section through the PCI DSS specification and talk about specifics, but here I just want to provide an overview.

Applied Network Security Analysis: The Advanced Security Use Case

Mon, 31 Oct 2011 00:00:00 +0000

The forensics use case we discussed previously is about taking a look at something that already happened. You presume the data is already lost, the horse is out of the barn, and Pandora’s Box is open. But what if we tried to look at some of these additional data types in terms of making security alerts better, with the clear goal of reducing the window between exploit and detection: reacting faster?

Virtual USB? Not.

Mon, 31 Oct 2011 00:00:00 +0000

Secure USB devices – ain’t they great? They offer us the ability to bring trusted devices into insecure networks, and perform trusted operations on untrusted computers. If I could drink out of one, maybe it would be the holy grail. Services like cryptographic key management, identity certificates and mutual authentication, sensitive document storage, and a pr0nsafe web browser platform. But over the last year, as I look at the mobile computing space – the place where people will want to use secure USB features – the more I think the secure USB market is in trouble. How many of you connect a USB stick to your Droid phone? How about your iPad?

Applied Network Security Analysis: The Forensics Use Case

Fri, 28 Oct 2011 00:00:00 +0000

Most organizations don’t really learn about the limitations of event logs, until forensic investigators hold up their hands and explain they know what happened, but aren’t really sure how. Huh? How could that happen? It’s pretty simple: logs are a backward-looking indicator. They can help you piece together what happened, but you can only infer how.

Friday Summary: October 28, 2011

Fri, 28 Oct 2011 00:00:00 +0000

I really enjoyed Marco Arment’s I finally cracked it post, both because he captured the essence of Apple TV here and now, and because his views on media – as a consumer – are exactly in line with mine. Calling DVRs “a bad hack” is spot-on. I went through this process 7 years ago when I got rid of television. I could not accept a 5 minute American Idol segment in the middle of the 30 minute Fox ‘news’ broadcast. Nor the other 200 channels of crap surrounding the three channels I wanted. At the time people thought I was nuts, but now I run into people (okay – only a handful) who have pulled the plug on the broadcast media of cable and satellite. Most people are still frustrated with me when they say “Hey, did you see SuperJunk this weekend?” and I say “No, I don’t get television.” They mutter something like ‘Luddite’ and wonder off. Don’t get me wrong, I have a television. A very nice one in fact, but I have been calling it a ‘monitor’ for the last few years because it’s not attached to broadcast media. But not getting broadcast television does not make me a Luddite – quite to the contrary, I am waiting for the future.

Next Generation != (Always) Better

Thu, 27 Oct 2011 00:00:00 +0000

It all started with a simple tweet from The Mogull, which succinctly summed up a lot of the meat grinder of high tech marketing. You see the industry is based on upgrades and refreshes, largely driven by planned obsolescence. Let’s just look at Microsoft Word. I haven’t really used any new functionality since Office 2003. You? They have overhauled the UI and added some cloudiness (which they call Office Live), but it’s really moving deck chairs around. A word processor is a word processor for 95% of the folks out there.

A Kick-Ass Cloud Database Security Automation Example

Wed, 26 Oct 2011 00:00:00 +0000

Yesterday I was in Vegas to participate in a panel at IBM’s Information on Demand Conference. To my amusement and frustration, I was already in Vegas that weekend, drove 4.5 hours home to Phoenix on Sunday, then flew back Monday evening (4 hours door to door).

Applied Network Security Analysis: Collection and Analysis = A Fighting Chance

Wed, 26 Oct 2011 00:00:00 +0000

In the introduction to our Applied Network Security Analysis series, we talked about monitoring everything and the limitations of a log-centric data collection approach, in our battle to improve security operational processes. Now let’s dig in a little deeper and understand what kind of data collection foundation makes sense, given the types of analysis we need to deal with our adversaries.

Incite 10/26/2011: The Curious Case of Flat Stanley

Wed, 26 Oct 2011 00:00:00 +0000

Flat Stanley has it pretty good. If you have elementary school age kids, you probably know all about him. Flat Stanley is a cute story about a kid who gets flattened, and then spends most of the book trying to regain his natural form. Many teachers have kids do a Flat Stanley project, where they color a picture and send it to a friend or relative.

New Series: Understanding and Selecting a Database Activity Monitoring Solution 2.0

Mon, 24 Oct 2011 00:00:00 +0000

Back in 2007 we – it was actually just Rich back then – published Understanding and Selecting Database Activity Monitoring – the first in-depth examination of what was then a relatively new security technology. That paper is, and remains, the definitive guide for DAM, but a lot has happened in the past 4 years. The products – and the vendors who sell them – have all changed. The reasons customers bought four years ago are not the reasons they buy today. Furthermore, the advanced features of 2007 are now part of the baseline. Given the technology’s increased popularity and maturity, it is time to take a fresh look at Database Activity Monitoring – reassessing the technology, use cases, and market drivers.

Friday Summary: October 21, 2011

Fri, 21 Oct 2011 00:00:00 +0000

My wife and I are pretty big Jimmy Buffett fans. I first got hooked way back in high school, working as a lifeguard. The summer of my freshman year in college I went with a group of friends down to the Orange Bowl, and we snuck off for a day trip to Key West and a short visit to the very first Margaritaville.

Applied Network Security Analysis: Introduction

Wed, 19 Oct 2011 00:00:00 +0000

Today we launch our next blog series, on a topic we believe is critical to success in today’s threat environment. It is network security analysis, a rather grand and nebulous term, but consider this the next step on the path which started with Incident Response Fundamentals and continued with React Faster and Better.

Incite 10/19/2011: The Inquisition

Wed, 19 Oct 2011 00:00:00 +0000

As my kids get older, fundamental aspects of their personalities become more apparent. XX1 won the “most inquisitive” award in kindergarten. 5 years later, she still asks questions. Lots of questions. A seemingly endless stream of questions.

Tokenization Guidance: Merchant Advice

Wed, 19 Oct 2011 00:00:00 +0000

The goal of tokenization is to reduce the scope of PCI database security assessment. This means a reduction in the time, cost, and complexity of compliance auditing. We want to remove the need to inspect every system for security settings, encryption deployments, network security, and application security, as much as possible. For smaller merchants tokenization can make self-assessment much more manageable. For large merchants paying 3rd-party auditors to verify compliance, the cost savings is huge.

Database Security Market Sizing and Guesstimation

Tue, 18 Oct 2011 00:00:00 +0000

I read Ericka Chickowski’s Dark Reading post on Database Security Market Growth today. While I generally agree with the estimated rate of growth, I am mystified by the market sizing. Where did this number come from? Is $755M wrong? I don’t know. But I am certain nobody else does either. I get asked about the size of the database security market every month. Simple question, impossible answer. Why? For starters, even if you agree on what constitutes database security, you would need to distinguish between databases specific products and general-purpose products with some database capabilities? Once you choose the ground rules for what’s in and what’s out, it’s basically a bunch of guesses about what vendors are earning. Understanding how much money a specific product earns is difficult with small firms that only have one or two products; and giant firms bundle many products, services, and maintenance together – making it impossible to assess what goes where. Was that money for the database licenses you purchased, the app and middleware stack, the user training, the professional services for customization, or the security? For an example of what I mean, let’s look at these facets in more depth:

Friday Summary: October 14, 2011

Fri, 14 Oct 2011 00:00:00 +0000

It started with a corn chip. I was eating corn chips – a fresh bag – and they tasted like hell. I had a tomato and some strawberries, thinking eating healthy would be good, but my body said otherwise. They made me feel poorly. I was in the airport waiting for my flight to the Bay Area, thinking “What the hell are they putting in this stuff – it’s a freakin’ corn chip?”

Incite 10/12/2011: Impact and Legacy

Wed, 12 Oct 2011 00:00:00 +0000

As have been overly reported over the past week, Steve Jobs is gone. As Rich so adroitly pointed out, “His death hit me harder than I expected. Because not only do we not have a Steve Jobs in security, we no longer have one at all.” You know, someone who seems to be the master of the universe. Perfection personified. Of course, the reality is never perfection. But what’s perfect is imperfection.

The Securosis Nexus (and) Beta Test FAQ

Wed, 12 Oct 2011 00:00:00 +0000

We’ve been getting some questions about the beta test, so I decided to put an FAQ together which we will also post within the system. If you have any other questions, please feel free to ask:

Tokenization Guidance: PCI Supplement Highlights

Wed, 12 Oct 2011 00:00:00 +0000

The PCI DSS Tokenization Guidelines Information Supplement – which I will refer to as “the supplement” for the remainder of this series – is intended to address how tokenization may impact Payment Card Industry (PCI) Data Security Standard (DSS) scope. The supplement is divided into three sections: a discussion of the essential elements of a tokenization system, PCI DSS scoping considerations, and new risk factors to consider when using tokens as a surrogate for credit card numbers. It’s aimed at merchants who process credit card payment data and fall under PCI security requirements. At this stage, if you have not downloaded a copy, I recommend you do so now. It will provide a handy reference for the rest of this post.

Firestarter: On “Architectural Limbo”

Tue, 11 Oct 2011 00:00:00 +0000

Yesterday Lori MacVittie posted another thoughtful article, Cloud Computing: Architectural Limbo, where she highlights percived problems with the NIST description. I usually agree with her cloud posts, but this is a rare case where I think she is wrong.

Good versus bad FAIL

Tue, 11 Oct 2011 00:00:00 +0000

On reflection I talk about failure a lot. As I look back at my own career experience, FAIL has commonly appeared at inopportune times. Though it’s hard to say you can pinpoint a good time to fail. It’s part of both the business and human experience, so to me failure can be positive and productive, and position you for future success. But not always, and a lot depends on the form it takes.

Isolated Computing

Tue, 11 Oct 2011 00:00:00 +0000

IBM, with researchers at North Carolina State University, has annnounced an effective way to protect information and processes in multi-tenant environments – such as cloud and virtual deployments. In what they are calling the Strongly Isolated Computing Environment, installed below the hypervisor. The teaser is that the code is a mere 300 lines – a very small footprint means simplicity, which in turn implies both performance and security.

New Series: Tokenization Guidance

Mon, 10 Oct 2011 00:00:00 +0000

Tokenization Guidance. I have wanted to write this post since the middle of August. Every time I started writing another phone phone call came in from a merchant, payment processor, technology vendor, or someone loosely associated with a Payment Card Industry (PCI) task force or steering committee (SIG). And every conversation yielded some new sliver of information that changed what I wanted to say, or implied some research work had already been conducted that was far more interesting and useful than anything being provided to the public. This in turned prompted more calls, new conversations, more digging and – like a good mystery novel – prompted me to iteratively peel back another layer of the onion. I’ve finally reached a point where I believe I have enough of the story to understand what was published and why it’s not what they should have published.

Paper Released: Fact-Based Network Security: Metrics and the Pursuit of Prioritization

Fri, 07 Oct 2011 00:00:00 +0000

What should you do right now? That’s one of the toughest questions for any security professional to answer. The list is endless, the priorities clear as mud, the risk of compromise ever present. But doing nothing is never the answer. We have been working with practitioners to answer that question for years, and we finally got around to documenting some of our approaches and concepts.

Friday Summary: Goodbye to the Crazy One

Thu, 06 Oct 2011 00:00:00 +0000

Yesterday afternoon I decided to head out for my first run since my August health scare (which turned out to be pretty much nothing). I grabbed my iPhone, and as I was putting it into my armband case a news alert popped up.

Incite 10/5/2011: Time waits for no one

Wed, 05 Oct 2011 00:00:00 +0000

Time is a funny thing. You don’t really think about it until it’s running out. Deadlines. Mortality. It’s all the same. Time just sneaks up on you, and then it’s gone. Yeah, I’m a little nostalgic this week because my birthday is Friday. And yes, there is some fodder for you social engineers out there. The kids get more excited about my birthday than I do. They want to know about cakes, parties, and the like. Personally, I’d take a day to sleep in, but who has time for that? There are things to do and places to be.

The iPad-Enterprise-Data Security Spectrum

Wed, 05 Oct 2011 00:00:00 +0000

As I mentioned in the Incite yesterday, Symantec announced DLP support for the iPad. I have been meaning to talk about this for a while, as various products have been popping onto the market, and now seems like the time.

When to Use Amazon S3 Server Side Encryption

Wed, 05 Oct 2011 00:00:00 +0000

This week Amazon announced that S3 now supports server side encryption. You can encrypt S3 items through either the API or web management console, or you can require encryption for S3 buckets. A few details:

Nitro & Q1: SIEM/Log Management vendors dropping right and left

Tue, 04 Oct 2011 00:00:00 +0000

It must be SIEM acquisition Tuesday. McAfee hit first by announcing their expected deal with Nitro Security. But then IBM surprised pretty much everyone by acquiring Q1 Labs. Don’t blink or you may miss another 2-3 SIEM/Log Management vendor acquisitions. Obviously we have been talking about consolidation in the SIEM/Log Management space for quite a while – there are about 20 vendors left now – but it’s strange that deals involving the two most significant independent vendors happened on the same day. Coincidence? Our pal and contributor James Arlen doesn’t believe in it, and neither do we…

Introducing the Securosis Nexus

Mon, 03 Oct 2011 00:00:00 +0000

Rich, Adrian, and I have been hinting about our sekret plans to launch a new research ‘product’ for a while. Today we are finally ready to let you guys in on our the scoop. We are very excited about this next step in the evolution of Securosis.

Force Attacker Perfection

Thu, 29 Sep 2011 00:00:00 +0000

I will fully admit that I sometimes finding myself parroting standard industry tropes. For example, I can’t recall how many times I’ve said in presentations and interviews:

Incite 9/28/2011: Renewal

Wed, 28 Sep 2011 00:00:00 +0000

Tonight at sundown the holiday of Rosh Hashanah starts, and Jewish folks all over the world will celebrate the coming of the year 5772. Or so the story goes. But I know better than to discuss politics or religion on the blog. You believe what you believe and I believe what I believe, and it’s all good. But the coming of a new year is a time for reflection and renewal. At least for me.

Comment on the Next Version of the Cloud Security Alliance Guidance

Tue, 27 Sep 2011 00:00:00 +0000

Two years ago I edited the Cloud Security Alliance’s Guidance (v2.1) with a couple other folks, and it nearly ended me. Pulling together a consensus with such a diverse group of global contributors, each running with very few constraints, lead to… certain quality issues.

Need a CISO cert? Got $200? Get one while they’re hot…

Mon, 26 Sep 2011 00:00:00 +0000

Evidently it’s time to rethink our business model at Securosis. All you need to do is role out a certification program and wait for money to roll in. Actually prove skills? Bah, humbug. Actually require some sort of test? Screw that. Basically all you need is a CISO job and $200, and I have a certification for you.

Friday Summary: September 23, 2011

Fri, 23 Sep 2011 00:00:00 +0000

At 20 years old, you are on a precipice of perception: you are an adult but many adults view you as a kid. In the back of your mind you worry a bit about how adults will perceive you. It was with trepidation that I met my best friend’s Mom in college. My friend George – someone I had only known a couple months, but felt like we had known each other for years – invited me to dinner. I was surprised when his truck stopped in front of my house and he was not in it – instead his mother was. The truck screeched to a halt and out popped the highest energy person I have ever met; with a hearty “Hi there,” she was literally effervescent with energy. I was reserved, wondering how the famous ‘Doctor’ would treat me – as a child or as an adult. She waved again, told me to get my ass out of the street and in the truck. I obliged, somewhat taken aback, and hopped in the passenger seat. She rolled up to the red light, looked both ways, and floored it! We screeched through the intersection, oncoming traffic be damned; up the street, fraternity boys racing for the sidewalks, we headed for home.

Home Invasion: What would you do?

Wed, 21 Sep 2011 00:00:00 +0000

This is a bit off topic, but indulge me. We had a little situation in our neighborhood last week, involving a home invasion. A couple masked (evidently armed) guys tied up a family and ransacked their house. The father was in the garage when the intruders made their entrance. The mother and a teenage child were also in the house. This happened in my sleepy suburban neighborhood, so it can happen anywhere.

Incite 9/21/2011: Where’s Waldo?

Wed, 21 Sep 2011 00:00:00 +0000

It was a bit of a shock to us over two years ago, when we learned the Boy has a lazy eye. We found out when he got evaluated prior to entering kindergarten, and they said he needed to get his eyes examined. The Boss and I have very good vision, especially when we were growing up, so it was unexpected. Ultimately it’s not a big deal. He needs to wear glasses and we have to patch his good eye for a few hours every day to force his weaker eye to get stronger.

Security Management 2.0: Migration

Mon, 19 Sep 2011 00:00:00 +0000

As we wrap up our Security Management 2.0 series, we have completed quite a journey. You have undertaken a disciplined and objective process to determine if it’s worth moving to a new security management platform. Assuming that your decision is to move, now it gets real. You need to implement and migrate your existing environment to the new thing, while maintaining service levels and without opening your organization to any additional risk. Walk in the park, right? Let’s address these migration issues, so hopefully you can learn from some of my pain.

Friday Summary: September 16, 2011

Fri, 16 Sep 2011 00:00:00 +0000

It was the idea of a party that got me thinking about it: I loved the 1990’s. It was a great decade – for me at least. I had just graduated college and pretty much everything was new. During that decade I met my wife, got married, got my first place on my own, bought my first house, got my first promotion to CTO, was finally able to buy a car that cost more than a week’s salary, made good money, was best man at four friends’ weddings, started my first company, finally got to travel the US, and made many lasting friendships. The silicon valley was a great place to work back then – it seemed like every week there was some amazing new technology to work on, or an exciting new trend.

Security Management 2.0: Negotiation

Thu, 15 Sep 2011 00:00:00 +0000

You have made your decision and recommended it up the food chain, so now the fun part begins. Well, fun for some folks, anyway. For this post we’ll assume you have decided to move to a new platform. We understand some people decide not to move, but use the question of switching as a negotiating tactic. But it bears repeating that it is no bad thing to stay with your existing platform, so long as you have done the work to determine it can meet your requirements. We’re writing this paper for the people who keep telling us how unhappy they are, and how their evolving requirements have not been met. So after asking all the right questions, if the best answer is to stay put, that’s a less disruptive path anyway.

Building an SSL Early Warning System

Wed, 14 Sep 2011 00:00:00 +0000

Most security professionals have long understood at least some of the risks of the current ‘web’ or ‘chain’ of trust model for SSL security. To quickly recap for those of you who aren’t hip-deep in this day to day:

Fact-Based Network Security: In Action

Wed, 14 Sep 2011 00:00:00 +0000

As we wrap up our series on Fact-Based Network Security, let’s run through a simple scenario to illustrate the concepts. Remember, the idea is to figure out what on the list will provide the biggest impact for your organization, and then do it. We make trade-offs every day. Some things get done, others don’t. That’s the reality for everyone, so don’t feel bad that you can’t get everything done. Ever. But the difference between a successful security practitioner, and someone looking for a job, is that success is about consistently choosing the right things to get done.

Incite 9/14/2011: Mike and the Terrible, Horrible, No Good, Very Bad Day

Wed, 14 Sep 2011 00:00:00 +0000

I have been looking forward to this day… well, since the Falcons’ season was abruptly cut short by a rampaging Pack last January. We had a little teaser with that great game Thursday, and although both teams couldn’t lose, having the Saints drop a tough one was pretty okay. I weathered a tumultuous lockout during the offseason. Even a bumpy pre-season for both my teams (NY Giants and ATL Falcons) couldn’t deter my optimism. Pro football started Sunday and I was fired up.

Payment Trends and Security Ramifications

Wed, 14 Sep 2011 00:00:00 +0000

I write a lot about payment security. Mostly brief snippets embedded in our weekly Incite, but it’s a topic I follow very closely and remain deeply interested in. Early in my career, I developed electronic wallet and payment gateway software for Internet commerce sites, and application embedded payment options. In have been closely following the technical evolution of this market for over 15 years – back in the days of CyberCash, Paymatech, and JECF. But unlike many of the articles I write, payment security affects more than just IT users – it impacts pretty much everyone. And now is a very good time to start paying attention to the payment space because we are witnessing more changes, coming faster than ever.

Recently on the Heavy Feed

Tue, 13 Sep 2011 00:00:00 +0000

Since we post most of the content for our blog series on the Heavy Feed (get it via the web or RSS), every so often we like to post links to our latest missives on the main feed. Within the next 10 days we’ll be wrapping both our Fact-based Network Security and Security Management 2.0 series. As always, we love feedback, discussion, dissension and the occasional troll to add comments, so fire away. We look forward to your participation.

Security Management 2.0: Making the Decision

Tue, 13 Sep 2011 00:00:00 +0000

It’s time – you are ready. You have done the work, including revisiting your requirements, evaluating your current platform in terms of your current and emerging requirements, assessing new vendors/platforms to develop a short list and run a comprehensive proof of concept. Now it’s time to make the call. We know this is an important decision – we are here because your first attempt at this project wasn’t as successful as it needed to be. So let’s break down the decision to ensure you can make a good recommendation and feel comfortable with it.

Friday Summary: September 9, 2011

Thu, 08 Sep 2011 00:00:00 +0000

I suppose that, all things considered, I’m a pretty nice guy. I tip well, stop my car so people can cross the street, and always put my laptop bag under the seat in front of me, instead of taking up valuable overhead luggage space.

Security Management 2.0: Vendor Evaluation - Driving the PoC

Thu, 08 Sep 2011 00:00:00 +0000

As we discussed in the last post, when considering new security management platforms, it’s critical to cull your short list based on your requirements, and to then move into the next step of the evaluation process – the Proof of Concept (PoC). Our PoC process is somewhat controversial – mostly because vendors hate it. Why? Because it’s about you and your needs, not them and their product. But you are the buyer, right? Always remember that.

Incite 9/7/2011: Decisions, Decisions

Wed, 07 Sep 2011 00:00:00 +0000

Making decisions is very hard for most people. Not for me. The Boss and I constantly discuss a single issue over and over again as she debates all aspects of a big decision. I try to be patient, but patience is, uh, not my forte. I know it’s her process and to rush that usually lands me a spot in the doghouse, but it’s still hard to understand. Decisions are easy for me. I do the work, look at the upside and downside, and make the call. Next.

Speaking at OWASP: September 22 and 23

Wed, 07 Sep 2011 00:00:00 +0000

Gunnar Peterson and I will be presenting at OWASP September 20-23rd. OWASP AppSec USA will be at the Minneapolis Convention center in – you guessed it – Minneapolis, Minnesota. This year’s theme is “Your life is in the cloud”, so there are plenty of talks on mobile app security and how to weave security into your cloud environment. Gunnar is presenting on Mobile Web Services, discussing mobile application vulnerabilities in the web services layer. I’ll be presenting CloudSec 12-Step, a look at foundational security precautions developers need to consider when building and deploying cloud applications.

Data Security Lifecycle 2.0

Tue, 06 Sep 2011 00:00:00 +0000

We reference this content a lot, so I decided to compile it all into a single post. This is the original content, including internal links, and has not been re-edited.

Security Management 2.0: Vendor Evaluation—Culling the Short List

Tue, 06 Sep 2011 00:00:00 +0000

So far we have discussed a bit of how security management platforms have evolved, how your requirements have changed since you first deployed the platform, and how you need to evaluate your current platform (Part 1, Part 2) in light of both. Now it’s time to get into the meat of the decision process by defining your selection criteria for your Security Management 2.0 platform.

The New Path of Least Resistance

Tue, 06 Sep 2011 00:00:00 +0000

It’s hard to believe it has been 10 years since the 9/11 terrorist attacks on the US. I remember that day like it was yesterday. I actually flew into the Boston airport that morning. In hindsight, those attacks opened our eyes to a previously overlooked attack vector – using a passenger jet as a missile. The folks running national security for the US had all sorts of scenarios for how we could be attacked on our own soil, but I’m not sure that vector was on their lists.

Friday Summary: September 2, 2011

Fri, 02 Sep 2011 00:00:00 +0000

I was reading Martin McKeay’s post Fighting a Bad Habit. Martin makes a dozen or so points in the post – and shares some career angst – but there is a key theme that really resonates with me. Most technology lifers I know have their own sense of self worth tied up in what they are able to contribute professionally. Without the feeling of building, contributing, or making things better, the job is not satisfying.

Making Bets

Fri, 02 Sep 2011 00:00:00 +0000

Being knee deep in a bunch of research projects doesn’t give me enough time to comment on the variety of interesting posts I see each week. Of course we try to highlight them both in the Incite (with some commentary) and in the Friday Summary. But some posts deserve a better, more detailed treatment. We haven’t done an analysis, but I’d guess we find a pretty high percentage of what Richard Bejtlich writes interesting. Here’s a little hint: it’s because he’s a big brained dude.

Security Management 2.0: Platform Evaluation, Part 2

Thu, 01 Sep 2011 00:00:00 +0000

In the second half of Platform Evaluation for Security Management 2.0, we’ll cover evaluating other SIEM solutions. At this point in the process you have documented your requirements, and rationally evaluated your current SIEM platform to determine what’s working and what’s not. This step is critical because a thorough understanding of your existing platform’s strengths and weaknesses is the yardstick against which all other options will be measured. As you evaluate new platforms, you can objectively figure out if it’s time to move on and select another platform. Again, at this point no decision has been made. You are doing your homework – no more, no less.

Fact-Based Network Security: Compliance Benefits

Wed, 31 Aug 2011 00:00:00 +0000

As we discussed in the last post, beyond the operational value of fact-based network security, compliance efforts can benefit greatly from gathering data, and being able to visualize and report on it. Why? Because compliance is all about substantiating your control set to meet the spirit of whatever regulatory hierarchy you need to achieve.

Incite 8/31/2011: The Glamorous Life

Wed, 31 Aug 2011 00:00:00 +0000

It was a Sunday like too many other Sundays. Get up, take the kids to Sunday school, grab lunch with friends, then take the kids to the pool. Head home, shower up, and then kiss the Boss and kids goodbye and head off to the airport. Again. Another week, another business trip. It’s a glamorous life.

Security Management 2.0: Platform Evaluation, Part 1

Wed, 31 Aug 2011 00:00:00 +0000

To understand the importance of picking a platform, as opposed to a product, when discussing Security Management 2.0, let’s draw a quick contrast between what we see when talking to customers of either Log Management or SIEM. Most of the Log Management customers we speak with are relatively happy with their products. They chose a log-centric offering based on limited use cases – typically compliance-driven and requiring only basic log collection and reporting. These products keep day-to-day management overhead low, and if they support the occasional forensic audit customers are generally happy. Log Management is an important – albeit basic – business tool. Think of it like buying a can opener – it needs to perform a basic function and should always perform as expected. Customers don’t want their can opener to sharpen knives, tell time, or let the cat out – they just want to open cans. It’s not that hard. Log Management benefits from its functional simplicity – and even more from relatively modest expectations.

Detecting and Preventing Data Migrations to the Cloud

Tue, 30 Aug 2011 00:00:00 +0000

One of the most common modern problems facing organizations is managing data migrating to the cloud. The very self-service nature that makes cloud computing so appealing also makes unapproved data transfers and leakage possible. Any employee with a credit card can subscribe to a cloud service and launch instances, deliver or consume applications, and store data on the public Internet. Many organizations report that individuals or business units have moved (often sensitive) data to cloud services without approval from, or even notification to, IT or security.

Fact-Based Network Security: Operationalizing the Facts

Tue, 30 Aug 2011 00:00:00 +0000

In the last post, we talked about outcomes important to the business, and what types of security metrics can help make decisions to achieve those outcomes. Most organizations do pretty well with the initial gathering of this data. You know, when the reports are new and the pie charts are shiny. Then the reality – of the amount of work and commitment required to implement a consistent measurement and metrics process – sets in. Which is when most organizations lose interest and the metrics program falls by the wayside.

The Mobile App Sec Triathlon

Tue, 30 Aug 2011 00:00:00 +0000

A quick announcement for those of you interested in Mobile Application Security: Our very own Gunnar Peterson is putting on a 3 day class with Ken van Wyk this coming November. The Mobile App Sec Triathlon will provide a cross-platform look at mobile application security issues, and spotlight critical areas of concern. The last two legs of the Triathlon cover specific areas of Android and iOS security that are commonly targeted by attackers. You’ll be learning from some of the best – Ken is well known for his work in secure coding, and Gunnar is one of the world’s best at Identity Management. Classes will be held at the eBay/PayPal campus in San Jose, California. Much more information is on the web site, including a picture of Gunnar with his ‘serious security’ face, so check it out. If you have specific questions or want to make sure specific topics are covered during the presentation, go ahead and email info@mobileappsectriathlon.com.

Friday Summary (Not Too Morbid Edition): August 26, 2011

Thu, 25 Aug 2011 00:00:00 +0000

Last Thursday I thought I was dying.

Not a joke. Not an exaggeration. As in “approaching room temperature”.

I was just outside D.C. having breakfast with Mike before going to teach the CCSK instructors class. In the middle of a sentence I felt… something. Starting from my chest I felt a rush to my head. An incredibly intense feeling on the edge of losing consciousness. Literally out of nowhere, while sitting. I paused, told Mike I felt dizzy, and then the second wave hit. I said, “I think I’m going down”, told him to call 9-1-1, and had what we in the medical profession call “a feeling of impending doom”.

Security Management 2.0: Revisiting Requirements

Thu, 25 Aug 2011 00:00:00 +0000

Given the evolution of both the technology and the attacks, it’s time to revisit your specific requirements and use cases – both current and evolving. You also need to be brutally honest about what your existing product or service does and does not do, as well as your team’s ability to support and maintain it. This is essential – you need a fresh look at the environment to understand what you need today and tomorrow, and what kind of resources and expertise you can bring to bear, unconstrained by what you need and do today. Many of you have laundry lists of things you would like to be able to do with current systems, but can’t. Those are a good place to start, but you also need to consider the trends for your industry and look at what’s coming down the road in terms of security and business challenges that will emerge over the next couple years. Capturing the current and foreseeable needs is what our Security Management 2.0 process is all about.

Fact-based Network Security: Outcomes and Operational Data

Wed, 24 Aug 2011 00:00:00 +0000

In our first post on Fact-based Network Security, we talked about the need to make decisions based on data, as opposed to instinct. Then we went in search of the context to know what’s important, because in order to prioritize effectively you need to know what presents the most value to your organization. Now let’s dig a little deeper into the next step, which is determining the operational metrics on which to base decisions.

Incite 8/24/2011: Living Binary

Wed, 24 Aug 2011 00:00:00 +0000

The Boss constantly reminds me I have no middle ground. On/Off. Black/White. No dimmer. No gray (besides on my head). Moderation is non-existent, which is why I never tried hard drugs. I knew myself well enough (even at a young age) to know it wouldn’t end well. Sure I’d be the best presenter in the crack den, but that would have impeded my plans for world domination.

Spotting That DAM(n) Fake

Wed, 24 Aug 2011 00:00:00 +0000

I awoke at 2:30am to a 90-degree bedroom. Getting up to discover why the air conditioning was not working, I found a dog pooped on my couch. Neatly in the corner – perhaps hoping I would not notice. Depositing the aforementioned ‘present’ in the garbage can, I almost stepped on both a bark scorpion and a millipede – eyeing one another suspiciously – just outside the garage door. After a while, air conditioning on and couch thoroughly scrubbed, I returned to bed only to find my wife had laid claim to all the covers and pillows. Since I was up, what the heck – I made coffee, ran the laundry, and baked muffins while the sun came up. I must admit I started work today with a jaundiced eye, and a strong desire to share some of my annoyance publicly.

Beware Anti-Malware Snake Oil

Tue, 23 Aug 2011 00:00:00 +0000

It’s hard to believe, but over the past 24 hours I’ve had 3 separate briefings with companies innovating in the area of anti-malware. Just ask them. Each started the discussion with the self-evident point that the existing malware detection model is broken. Then they each proceeded to describe (at a high level) how what they are doing isn’t anti-virus per se, but something different. Something that detects the new malware we are seeing. They didn’t want to replace the anti-malware engine. They just think they address the areas where traditional anti-malware sucks. Yeah, that’s a big job.

Cloud Security Q&A from the Field: Questions and Answers from the DC CCSK Class

Mon, 22 Aug 2011 00:00:00 +0000

One of the great things about running around teaching classes is all the feedback and questions we get from people actively working on all sorts of different initiatives. With the CCSK (cloud security) class, we find that a ton of people are grappling with these issues in active projects and different things in various stages of deep planning.

Security Management 2.0: Platform Evolution

Mon, 22 Aug 2011 00:00:00 +0000

Our motivation for launching the Security Management 2.0 research project lies in the general dissatisfaction with SIEM implementations – which in some cases have not delivered the expected value. The issues typically result from failure to scale, poor ease of use, excessive effort for care and feeding, or just customer execution failure. Granted some of the discontent is clearly navel-gazing – parsing and analyzing log files as part of your daily job is boring, mundane, and error-prone work you’d rather not do. But dissatisfaction with SIEM is largely legitimate and has gotten worse, as system load has grown and systems have been subjected to additional security requirements, driven by new and creative attack vectors. This all spotlights the fragility and poor architectural choices of some SIEM and Log Management platforms, especially early movers. Given that companies need to collect more – not less – data, review and management just get harder. Exponentially harder.

Friday Summary: August 19, 2011

Fri, 19 Aug 2011 00:00:00 +0000

Here’s to the neighbors.

I live in a rural area with a pretty low population density and 1.5 acre lot minimum. My closest neighbor is 60 feet away – most are over 300 feet or more. The area is really quiet. Usually all you can hear are birds. You can see the Milky Way at night. On any given day I may see javelina, coyotes, horny toads, road runners, vultures, hawks, barn owls, cottontails, jackrabbits, ground squirrels, mice, scorpions, one of a half-dozen varieties of snake, and a dozen varieties of birds. If you like nature, it’s a neat place to live.

Security Management 2.0: Time to Replace Your SIEM? (new series)

Thu, 18 Aug 2011 00:00:00 +0000

Mike and I are launching our next blog series today, one we know is pretty timely from the conversations with have with organizations almost every day. The reality is that many organizations have spent millions and years trying to get productivity out of their SIEM – with mediocre results. Combined with a number of the large players being acquired by mega IT companies and taking their eyes off the ball a bit, most customers need to start asking themselves some key questions.

Incite 8/17/2011: Back to School

Wed, 17 Aug 2011 00:00:00 +0000

What would you do if you could go back to school? Seriously. If you could turn back the clock and go back to grade school or even high school? No real responsibility. No one depending on you for food and/or shelter. Gosh, I’d do so many things differently. I’d buy a few shares of Microsoft when they went public (and I’d also send a note to my 1999 self to sell it). Ah, the magic of hindsight.

New White Paper: Tokenization vs. Encryption

Wed, 17 Aug 2011 00:00:00 +0000

I am proud to announce the availability of our newest white paper, Tokenization vs. Encryption: Options for Compliance. The paper was written to close some gaps in our existing tokenization research coverage. I believe it is particularly important for two reasons. First, I was unable to find a critical examination of tokenization’s suitability for compliance. There are many possible applications of tokenization, but some of the claimed uses are not practical. Second, I wanted to dispel the myth that tokenization is a replacement technology for encryption, when in fact it’s a complimentary solution that – in some cases – makes regulatory compliance easier.

Hammers and Homomorphic Encryption

Tue, 16 Aug 2011 00:00:00 +0000

Researchers at Microsoft are presenting a prototype of encrypted data which can be used without decrypting. Called homomorphic encryption, the idea is to keep data in a protected state (encrypted) yet still useful. It may sound like Star Trek technobabble, but this is a real working prototype. The set of operations you can perform on encrypted data is limited to a few things like addition and multiplication, but most analytics systems are limited as well. If this works, it would offer a new way to approach data security for publicly available systems.

Proxies and the Cloud (Public and Private)

Tue, 16 Aug 2011 00:00:00 +0000

Recently I had a conversation with a security vendor offering a proxy-based solution for a particular problem (yes, I’m being deliberately obscure). Their technology is interesting, but fundamental changes in how we consume IT resources challenge the very idea that a proxy can effectively address this problem.

Friday Summary: August 12, 2011

Thu, 11 Aug 2011 00:00:00 +0000

Believe it or not, I’m not the biggest fan of travel. Oh, I used to be, maybe 10+ years ago when I was just starting to travel as part of my career. Being in your 20’s and getting paid to literally circle the globe isn’t all bad… especially when you’re single.

Data Security Lifecycle 2.0: Functions, Actors, and Controls

Wed, 10 Aug 2011 00:00:00 +0000

In our last post we added location and access attributes to the Data Security Lifecycle. Now let’s start digging into the data flow and controls.

Incite 8/10/2011: Back to the Future

Wed, 10 Aug 2011 00:00:00 +0000

Getting old just sucks. OK, I’m not really old , but I feel that way. I think I’m suffering from the fundamental problem Rich described a few weeks ago. I think I’m 20, so I do these intense exercise programs and athletic pursuits. Lo and behold, I get hurt.

Say Hello to Chip and Pin

Wed, 10 Aug 2011 00:00:00 +0000

No, it’s not a Penn & Teller rip-off act – it’s a new credit card format. On August 9th Visa announced that they are going to aggressively encourage merchants to switch over to Chip and Pin (CAP) ‘smart’ credit cards. Europay-Mastercard-Visa (EMV) developed a smart credit card format standard many years ago, and the technology was adopted by many other countries over the next decade. In the US adoption has never really happened. That’s about to change, because Visa will give merchants a pass on PCI compliance if they adopt smart cards, or let them assume 100% of fraud liability if they don’t.

Data Security Lifecycle 2.0 and the Cloud: Locations and Access

Tue, 09 Aug 2011 00:00:00 +0000

In our last post we reviewed the Data Security Lifecycle, but other than some minor wording changes (and a prettier graphic thanks to PowerPoint SmartArt) it was the same as our four-year-old original version.

Introducing the Data Security Lifecycle 2.0

Tue, 09 Aug 2011 00:00:00 +0000

Four years ago I wrote the initial Data Security Lifecycle and a series of posts covering the constituent technologies. In 2009 I updated it to better fit cloud computing, and it was incorporated into the Cloud Security Alliance Guidance, but I have never been happy with that work. It was rushed and didn’t address cloud specifics nearly sufficiently.

NoSQL and No Security

Tue, 09 Aug 2011 00:00:00 +0000

Of all of the presentations at Black Hat USA 2011, I found Brian Sullivan’s presentation on “Server-Side JavaScript Injection: Attacking NoSQL and Node.js” the most startling. While I was aware of the poor security of most NoSQL database installations – especially their lack of support for authorization and authentication – I was not aware of their susceptibility to injection of both commands and code. Apparently Mongo and many of the NoSQL databases are nothing more than JavaScript processing engines, without the stigma of authentication. Most of these products are subject to several classes of attack, including injection, XSS, and CSRF. Brian demonstrated blind NoSQL injection scripts that can both discover database contents and run arbitrary commands. He cataloged an entire Mongo database with a couple lines of PHP.

Use THEIR data to tell YOUR story

Tue, 09 Aug 2011 00:00:00 +0000

I’m in the air (literally) on the way to Metricon 6; so I’m thinking a lot about metrics, quantification, and the like. Of course most of the discussion at Metricon will focus on how practitioners can build metrics programs to make their security programs more efficient, maybe more effective, and certainly more substantiated (with data, as opposed to faith). Justifiably so – to mature the practice of security we need to quantify it better.

Fact-Based Network Security: Defining ‘Risk’

Wed, 03 Aug 2011 00:00:00 +0000

As we mentioned when introducing this series on fact-based network security, we increasingly need to use data to determine our priorities. This enables us to focus on activities that will have the greatest business impact. But that begs the question: how you determine what’s important? The place to start is with your organization’s assets.

Incite 8/3/2011: The Kids Are Our Future

Wed, 03 Aug 2011 00:00:00 +0000

The Boss and I have been getting into Fallen Skies lately. Yeah, it’s another sci-fi show with aliens trying to take down the human race and loot our planet for our resources. They’d better hurry up, since there may not be much left when the real aliens show up, but that’s another story. In the last episode we saw, the main guy (Noah Wyle of ER) made the point that our kids are our future, and we need to keep them safe. That thought resonates with me, and thankfully I’m not dealing with aliens trying to make them into drugged-out slaves.

Words matter: You stop attacks, not breaches

Tue, 02 Aug 2011 00:00:00 +0000

Every so often, the way security marketeers manipulate words to mislead customers makes me cringe. I’m not going into specifics because that isn’t the point. I just want to clear up some terminology that many security companies misuse, which really makes them look silly.

Cloud Security Training: August 16-18, Washington DC

Mon, 01 Aug 2011 00:00:00 +0000

Hey everyone,

Just a quick announcement that we are holding another CCSK training class in a few weeks. This one is in the DC area (Falls Church) and includes the Basic, Plus, and Train the Trainer options.

Security has always been a BigData problem

Mon, 01 Aug 2011 00:00:00 +0000

It seems like BigData is all the rage. With things like NoSQL and Hadoop getting all the database wonks hot under the collar, smart forward-thinking folks like Amrit and Hoff increasingly point out the applicability of these techniques to security, and they’re right. I certainly agree that many of these new technologies will have a huge impact on our ability to figure out what’s happening in our environments. And not a moment too soon.

Friday Summary: July 29, 2011

Fri, 29 Jul 2011 00:00:00 +0000

It’s that time of year again. It’s time for me and most of the Securosis crew to travel to cooler climes and enjoy the refreshing breeze of the Nevada desert. Well, it’s cooler than Phoenix, anyway. Yes, I am talking about going to the Black Hat and Def Con security conferences in Las Vegas this August 1-7th. Every year I see something amazing – from shipping iPhones loaded with malware to hack whatever passes by to wicked database attacks. Always educational and usually a bit of fun too. It is Las Vegas after all!

New Blog Series: Fact-Based Network Security: Metrics and the Pursuit of Prioritization

Fri, 29 Jul 2011 00:00:00 +0000

As you can tell from our activity on the blog, we’ve been in the (relatively) slower summer season. Well, that’s over. Today we start one blog series, and another is hot on its heels (probably starting within 2 weeks). With our research pipeline, I suspect all three of us will be pretty busy through the fall.

Accept Apathy—Save Users from Themselves and You from Yourself

Thu, 28 Jul 2011 00:00:00 +0000

We’ve gone round and round on the challenges of doing security. As Shack says, your users just don’t give a f***. Actually you need to read Dave’s post. It lays out a lot of the issues we face every day. I’ll rephrase Dave’s point a little differently: apathy rules, and always will. Your employees are not paid to worry about security. They are paid to do their jobs, and more often than not security gets in the way of their actual responsibilities. Remember – the cold, hard truth is that security necessarily restricts access to some degree because there is no other way to protect information.

Incite 7/27/11: Negotiating in front of the crowd

Wed, 27 Jul 2011 00:00:00 +0000

The NFL lockout is over. Hallelujah! I know nothing substantial was really lost, besides the Hall of Fame game, but the folly of billionaires bickering with millionaires annoyed pretty much everyone. I believe more folks were hanging on this negotiation than the crap going on in Washington over the debt ceiling. It seemed like a tug of war gone wild, with both sides digging in. Until they finally reached a critical point, when real money was at stake, and amazingly the deal got done. What’s interesting is how the negotiations played out in real time.

Incomplete Thought: The Scarlet (Security) Letter

Wed, 27 Jul 2011 00:00:00 +0000

I know we all have compliance fatigue. Some worse than others, but we all rue the day security became more about compliance and getting the rubber stamp than actually protecting something. The pragmatist in me continues to accept our lot in life and try to be somewhat optimistic about it. But at the end of the day, we (as an industry) pretty much suck at protecting things, and there are no real catalysts to change that.

How can you not understand the business?

Tue, 26 Jul 2011 00:00:00 +0000

I usually agree with Jack Daniel. You know, we curmudgeons need to stick together. But one of the requirements of membership in the Curmudgeons Association is to call crap when we see it. And much as it pains me to say it, Jack’s latest rant on InfoSec’s misunderstanding of business is crap.

Question for Oracle Database Users

Tue, 26 Jul 2011 00:00:00 +0000

Oracle purchased Secerno 14 months ago. It was advertised as a database firewall to block malicious queries and certain types of attacks. What they have presented looks like a plausible method of protecting databases once an attack is known but before the patch is applied. And as we know many Oracle shops don’t apply security (or any) patches on a quarterly basis. They may patch on a yearly basis. Secerno looks like a temporary fix to help these companies.

FireStarter: The Time for Corporate Password Managers

Mon, 25 Jul 2011 00:00:00 +0000

I talk a lot on Twitter about my password manager. I use 1Password and love it. It auto-generates random passwords for me of any length I choose, auto-fills web forms for me, and remembers both the web page and the hideously complex password I have chosen. It automatically synchronizes across all my computers so I am never without all my current passwords. The file is encrypted with AES-128 and they handle encryption keys securely, so I believe the product is pretty secure. Now, rather than having a couple good passwords for the handful of sites I care about – and a single generic password for the 300 sites I don’t – every single one of my web accounts has its own strong password. Or I should say as strong a password as each site allows. I always worried about having the application crash and losing every single one of my passwords. Irrational fear. I back it up like any other application. In hindsight I can’t figure out what took me so long to change over.

Friday Summary: July 22, 2011

Fri, 22 Jul 2011 00:00:00 +0000

I imagine with this heat wave covering most the country you’re likely on your way to the beach – or at least some place better than work. So with me traveling, Mike suffering through physical therapy, and Rich spending time with the family, this week’s summary will be a short one.

Hacking Spikes and the Real Time Media

Fri, 22 Jul 2011 00:00:00 +0000

The Freakonomics blog assembled an interesting quorum on security. Industry heavyweights like Schneier weighed in on the following question:

Why has there been such a spike in hacking recently? Or is it merely a function of us playing closer attention and of institutions being more open about reporting security breaches?

Incite 7/19/2011: The Case of the Disappearing Letters

Wed, 20 Jul 2011 00:00:00 +0000

Something didn’t add up. We got a call from the girl’s camp literally 3 days after they got there saying XX2 needed more stationery. We hoped this meant she was a prolific writer, and we’d be getting a couple updates a week. Almost 3 weeks later, we got 1 postcard. That’s it. A few of her friends got letters, but not nearly enough to have depleted her stash of letters/postcards. And the longer we went without a letter, the more ornery The Boss got.

Rise of the Security Monkeys

Wed, 20 Jul 2011 00:00:00 +0000

As far back as I can remember, I have been a fan of testing your defenses. Some people call it pen testing, others refer to it as an assurance process, but the point is the same either way. The bad folks test your defenses every day, and if you aren’t using the same tactics to find out what they can get, you’re going to have a bad day. Maybe not today, maybe not even tomorrow. But the clock is ticking.

Mitigating Software Vulnerabilities

Mon, 18 Jul 2011 00:00:00 +0000

Matt Miller, Tim Burrell, and Michael Howard from the Microsoft Security Engineering Center published a paper last week on Mitigating Software vulnerabilities. In a nutshell, they advocate a set of tactics that limit – or outright block – known and emerging attack techniques. Rather than play catch-up and patch the threat du jour, they outline use cases for the technologies that Microsoft employs within their own products to make it much harder to compromise code with canned attacks.

Donate Your Bone Marrow

Fri, 15 Jul 2011 00:00:00 +0000

I’m going to keep this short. Dave Lewis (@gattaca)’s wife was diagnosed with leukemia yesterday. Dave is one of our Contributing Analysts and a hell of a great guy, and while I haven’t met her, everyone says his wife is even better (seems to be a common trend).

Friday Summary: July 14, 2011

Thu, 14 Jul 2011 00:00:00 +0000

Some days I think that in fitness, I’m getting wrong everything I advise people in security.

I’ve been an athlete all my life – including some stints competing at a reasonably high (amateur) level. Like the time I went to nationals for my martial art. Cool, eh? Other than the part about getting my butt whipped by a 16-year-old. It seems cutting weight in a sport where knockouts aren’t the goal isn’t necessarily a good thing (me strong… me slow… puny teenager stand still so Hulk can kick in head, pleeze?).

Security Marketing FAIL: Claims of Risk Reduction

Thu, 14 Jul 2011 00:00:00 +0000

Every time I see the phrase “reduce your risk by X%,” I break out in hives. I agree that it is critical to think about risk (which to me is really about economic loss), but everyone has a different definition of risk. And to say anyone can reduce risk by a certain percentage triggers my bullcrap filter.

Incite 7/13/2011: The King of the House

Wed, 13 Jul 2011 00:00:00 +0000

With the two girls at sleepaway camp, the Boss and I weren’t sure how the Boy would handle it. After all, he’s pretty much always surrounded by someone. Having a twin sister will do that to you. If he’s not at school, with his buddies, or doing an activity, he’s usually playing with one of his sisters. In fact, we think his ability to tune out almost everything directly correlates to always being around people.

Tokenization vs. Encryption: Healthcare Data Security

Wed, 13 Jul 2011 00:00:00 +0000

Securing Personal Health Records (PHR) for healthcare providers is supposed to be the next frontier for many security technologies. Security vendors market solutions for Protected Health Information (PHI) because HIPAA and HITECH impose data security and privacy requirements. Should a healthcare provider fail in their custodial duty to protect patient data, they face penalties – theoretically at least – so they are motivated to secure the data that fuels their business. Tokenization is one of the technologies being discussed to help secure medical information, based on its success with payment card data, but unfortunately protecting PHR is a very different problem.

Friction and Security

Mon, 11 Jul 2011 00:00:00 +0000

Every company I have worked for has had some degree of friction between sales and marketing teams. While their organizational charters are to support one another, sales always has some disagreement about how products are positioned, the quality of competitive intelligence, the quality of leads, and the lack of to grease the customer skids. Marketing complains that sales does not follow the product sales scripts, doesn’t call leads in a timely fashion, and don’t do a good job of collecting customer intelligence. Friction is a natural part of the relationship between the two organizations, so careful balancing is necessary.

How to Encrypt or Tokenize for SaaS (and Some PaaS)

Mon, 11 Jul 2011 00:00:00 +0000

A few weeks ago I posted on different methods for encrypting IaaS volumes, which tends to be one of the top questions I get about data security in the cloud. Also high on that list is encrypting (or tokenizing) for SaaS and (some) PaaS. I call this the “Salesforce.com Problem”, because more often than not I’m talking to someone on the larger side, specifically about Salesforce.com.

Tokenization vs. Encryption: Personal Information Security

Mon, 11 Jul 2011 00:00:00 +0000

In my last post I discussed how tokenization is being deployed to solve payment data security issues. It is a niche technology used almost exclusively to solve a single problem: protecting credit card data. As a technology, data tokenization has yet to cross the chasm, but our research indicates it is being used to protect personal information. In this post I will talk about using tokens to protect PII – Social Security numbers, driver’s license numbers, and other sensitive personal information. Data tokenization has value beyond simple credit card substitution – protecting other Personally Identifiable Information (PII) is its next frontier.

Simple Isn’t Simple

Fri, 08 Jul 2011 00:00:00 +0000

I have to admit that some days I have no idea what will resonate with readers. For example, my latest column over at Dark Reading seems to be generating a lot more interest than I expected.

Smart Card Laggards

Fri, 08 Jul 2011 00:00:00 +0000

The US is playing ‘catchup’ in contactless security. The US lags in smart identity card technology adoption. We lag in payment card security. It’s frustrating for Americans to travel in Europe. We have rudimentary ePassport technology, and it has been almost a decade since the first draft of the HSPD-12 PIV standards. We’re behind. We are laggards.

Call off the (Attack) Dogs

Wed, 06 Jul 2011 00:00:00 +0000

As while back, I spent some time categorizing tactics vendors use to create Fear, Uncertainty, and Doubt (FUD) as a buying catalyst for their products. We followed up with a survey trying to understand what kinds of security marketing content is useful at different stages of the sales cycle.

Incite 7/6/2011: Reading Between the Lines

Wed, 06 Jul 2011 00:00:00 +0000

As mentioned last week, our girls are off at sleepaway camp. They seem to be having a great time, but you can’t really know. Obviously if there was a serious issue, the camp would call us. Since we dealt with the nit-uation, we have heard from the guidance counselor that XX2 is doing great, and from the administrator that XX2 needs more stationary. Evidently she is a prolific writer, although our daily mailbox vigil has yielded nothing thus far. We’ll save a spot for her at Securosis, since by the time she’s out of school, I’ll need someone else to pick up the mantle of the Incite.

Social Media Security 101

Wed, 06 Jul 2011 00:00:00 +0000

It won’t surprise any of you to learn that I don’t follow Fox News on Twitter. I know, I can see the shock in your eyes, but I’m not the biggest fan of our friends on the right. Actually, I hate all 24 hour news stations – Fox biased to the right, MSNBC to the left, and CNN to the stupid.

Friday Summary: July 1, 2011

Fri, 01 Jul 2011 00:00:00 +0000

How many of you had the experience as a child of wandering around your grandparents’ house, opening a cupboard or closet, and discovering really old stuff? Cans with yellowed paper or some contraption where you had no idea of its purpose? I had that same experience today, only I was in public. I visited the store that time forgot. My wife needed some printer paper, and since we were in front of an Office Max, we stopped in. All I could say was “Wow – it’s a museum!”

Cloud Security Lifecycle Management Mulligan

Thu, 30 Jun 2011 00:00:00 +0000

Many really smart people helped author the Cloud Security Alliance Security Guidance. Many of the original authors posses deep knowledge of security within their domains of expertise, and are widely considered the best in the business. And there are many who have deep practical knowledge of operating in the cloud, and use cloud technologies on a daily basis. Unfortunately very few people have all three – especially the third. And perceptions have changed a lot since 2009 when the guide was originally drafted. Why is that important? After having set up and secured several different cloud instances, then working through the cloud security exercises Rich created, it’s obvious the guidance was drafted before the authors had much experience. It’s based on theoretical knowledge of what we expected, as opposed to what we do encounter in any given environment. Some of the guidance really hits the mark, some of it is awkward, and some of it is just not useful.

Incomplete Thought: HoneyClouds and the Confusion Control

Thu, 30 Jun 2011 00:00:00 +0000

I was somewhat captivated by Lenny Zeltser’s recent post on a Protean Information Security Architecture. His idea is that another set of controls can be based on confusing the attacker. If you open/close different potential attack vectors, you can somewhat obscure the real payload you are trying to protect.

Incite 6/28/2011: A Tough Nit-uation

Wed, 29 Jun 2011 00:00:00 +0000

As I saw the Welcome to North Carolina sign, I started to relax. About 4 hours earlier, we waved to our girls as they left for this summer’s sleepover camp expedition. The family truckster was loaded up with the boy and XX1’s friend from GA, and it took a few hours but I was getting into a driving rhythm. The miles were passing easily with Pandora as my musical guide. So I thought nothing of it when my phone intruded, showing a (610) number. I figured it was the camp just giving us a ‘heads up’ that XX2 was doing great her first day away from home. I was wrong.

When Closed Is Good

Tue, 28 Jun 2011 00:00:00 +0000

I don’t really know how to take this article on Eugene Kaspersky’s interview at InfoSec The iPhone will be niche in 5 years because it’s closed? We should have databases of smartphone users?

File Activity Monitoring Webinar This Wednesday

Mon, 27 Jun 2011 00:00:00 +0000

Ever hear of File Activity Monitoring? You know, that cool new data security tech I published a white paper on?

This Wednesday at 11 PT I will be giving a webinar on FAM (sponsored by Imperva – a guy’s gotta eat). I’ll cover the basics of the technology, why it’s useful, and some deployment scenarios/use cases.

How to Encrypt IaaS Volumes

Mon, 27 Jun 2011 00:00:00 +0000

Encrypting IaaS storage is a hot topic, but it’s time to drop the esoterica and provide some technical details. I will use a lot of terminology from last week’s post on IaaS storage options, so you should probably read that one first if you haven’t already.

The Age of Security Specialization is Near!

Mon, 27 Jun 2011 00:00:00 +0000

First day back in the saddle after vacation is always interesting. I must have had a million ideas while lounging on the beach. I remember maybe 3, and probably won’t have time to do much of anything for a while – first I need to dig out of a week of inflow. But one thing I did want to revisit quickly is defining what security folks are, and more importantly what we need to move forward.

7 Myths, Expanded

Thu, 23 Jun 2011 00:00:00 +0000

I really enjoyed the 7 myths of Entrepreneurship on Tim Ferriss’ site. The examples are from software development, but apply to most small tech firms. Having been through 6 startups of my own, I pretty much agree with everything said. More to the point, these ‘myths’ are the more common pitfalls I witnessed over and over again. That said, I think there is more to be gained here, and some important points were left on the cutting room floor. Specifically:

Friday Summary (OS/2 Edition): June 24, 2011

Thu, 23 Jun 2011 00:00:00 +0000

There’s something I need to admit.

I’m not proud of it, but it’s time to get it off my chest and stop hiding, no matter how embarrassing it is.

IaaS Storage 101

Thu, 23 Jun 2011 00:00:00 +0000

I started writing up a post on IaaS encryption options and quickly realized I should probably precede it with a post outlining the IaaS storage options first. One slightly confusing bit is that IaaS storage really falls into two categories: storage as a service where the storage itself is the product, and storage for IaaS compute instances, where the storage is tied to running virtual machines.

Is Your Email Address Worth More Than Your Credit Card Number?

Wed, 22 Jun 2011 00:00:00 +0000

It used to be that we didn’t care too much if someone stole a pile of email addresses. At worst we’d end up on yet another spam list, and these days most folks have pretty decent spam filters. Sure, it’s annoying, but it was pretty low on the scale of security risks.

Tokenization vs. Encryption: Payment Data Security

Wed, 22 Jun 2011 00:00:00 +0000

Continuing our series on tokenization for compliance, it’s time to look at how tokens are used to secure payment data. I will focus on how tokenization is employed for credit card security and helps with compliance because this model is driving adoption today.

How to Encrypt Your Dropbox Files, at Least until Dropbox Wakes the F* up

Tue, 21 Jun 2011 00:00:00 +0000

With the news that Dropbox managed to leave every single user account wide open for four hours, it’s time to review encryption options.

Friday Summary: June 17, 2011

Fri, 17 Jun 2011 00:00:00 +0000

Where would you invest? The Reuters article about Silicon Valley VCs betting on new technologies to protect computer networks got me thinking about where I would invest in computer security. This is a very tough question, because where I would invest in security technologies as a CIO is different than where I would invest as a venture capitalist. I can see security bets to address most CIOs’ need to spend money, or and quite different technologies address noisy threats, which could make investors money. As Gunnar pointed out in Unfrozen Caveman Attacker (my favorite post this week) firewalls, anti-virus, and anti-malware are SSDD – but clearly people are buying plenty of it.

New White Paper: Security Benchmarking: Going Beyond Metrics

Fri, 17 Jun 2011 00:00:00 +0000

Ever since I wrote the Pragmatic CSO a lifetime ago (okay, 4 years, but it feels like a lifetime), I have been evangelizing about better quantification of security programs. Even without context, quantification is valuable, but they are much more useful together. So I have been pushing hard for finding a set of similar companies to compare your metrics against, to provide that needed context. Alas, with the number of fires we have to fight every day, most security folks just don’t make the time to embrace metrics.

The Hazards of Generic Communications

Thu, 16 Jun 2011 00:00:00 +0000

Rich, Adrian, and I are pretty lucky. We are bombarded by data coming at us from every direction. What’s working, what’s not, who’s attacking who, what new widgets are out there – and that’s just the tip of the iceberg. For an information junkie like me, it’s a sort of nirvana.

Incite 6/15/2011: Shortcut to Hypocrisy

Wed, 15 Jun 2011 00:00:00 +0000

I’m not a big basketball fan. I like the NCAA tournament. I may watch a game or two of the NBA playoffs/finals, but I don’t follow them. It seems nothing can get our nation to rise up like a common enemy. That enemy was the Miami Heat. My Tweeter exploded last night with all sorts of venom against the Heat, as they were losing to the Mavs. I could only laugh. Because it was a great example of the hypocrisy of so many sports fans.

Stop Asking for Crap You Don’t Need and Won’t Use

Wed, 15 Jun 2011 00:00:00 +0000

I recently had a conversation with a vendor about a particular feature in their product:

Me: “So you just added XZY to the product?”
Them: “Yep.”
Me: “You know that no one uses it.”
Them: “Yep.”
Me: “But it’s on all the RFPs, isn’t it?”
Them: “Yep.”

More Control Doesn’t Equal More Secure

Tue, 14 Jun 2011 00:00:00 +0000

Last week, while teaching the CCSK (cloud security) class, the discussion reached a point I often find myself in these days. We were discussing the risk of cloud computing, and one of the students listed “less control” as a security risk.

FireStarter: Truth and (Dis)Information

Mon, 13 Jun 2011 00:00:00 +0000

We all have our own truth. Think about it: two people can see exactly the same thing, but remember totally different situations. Remember the last argument you had with your significant other. It happens all the time. You see the world through your own lens, and whatever you believe: that’s your truth.

Secure Passwords Sans Sales Pitch

Mon, 13 Jun 2011 00:00:00 +0000

I love my password manager. It enables me to use stronger passwords, unique passwords for every site, and even rotate passwords on select web services. You know, the sites that involve money. Because I can synch its data among all my computers and mobile devices, I am never without access. I believe this improves the security of my accounts, and as such, I am an advocate of this type of technology. I was encouraged when I saw the article Guard That Password in this Sunday’s New York Times. Educating users on the practical need for strong passwords in a mainstream publication is refreshing. Joe User should know how effective just a couple extra password characters can be for foiling attackers. On the downside, the article looks more like a vendor advertisement – in an attempt to reduce concerns over LastPass’s own security, the author seems to have missed describing the core values of a password manager.

Balancing the Short & Long Term

Fri, 10 Jun 2011 00:00:00 +0000

Our pal Eddie Schwartz was named CSO of RSA earlier this week, presumably with a big role at the mothership (EMC) as well. The Tweeter exploded with congratulations, as well as cautions about the difficulty of the job, given the various shoes that will inevitably continue to drop resulting from the April breach. Believe you me, Lockheed and L-3 are the tip of the iceberg.

Incite 6/8/2011: Failure to Launch

Wed, 08 Jun 2011 00:00:00 +0000

Shipping anything is pretty easy nowadays. When someone buys the P-CSO, I head over to the USPS website, fill out a form, and print out a label. If it takes 5 minutes, I need more coffee. Shipping via UPS and FedEx is similarly easy. Go to the website, log in, fill out the form, print out a paper label, tape it to the package, and drop it off. I remember (quite painfully) the days of filling out airbills (in triplicate) and then waiting in line to make sure everything was in order.

Security: the Cloud Bogeyman

Mon, 06 Jun 2011 00:00:00 +0000

I clearly remember being a kid and scared there was a monster in my closet. I was pretty young, and all it took was my Mom wrapping a can of Right Guard in a “Monster Spray” label to allay my fears. My kids tend to get scared by stuff they can’t see as well, and movies like Monsters, Inc. haven’t done much to dispel the fear in today’s generation. When I went to sleepover camp, there were the stories of Cropsey to terrorize new campers, and the chain goes on and on. We continue to be scared by the stuff we don’t understand.

Friday Summary: June 3, 2011

Fri, 03 Jun 2011 00:00:00 +0000

Speaking as someone who had to wipe several computers and reinstall the operating system because the Sony/BMG rootkit disabled the DVD drive, I need to say I am deriving some satisfaction from this: Lulzsec has hit Sony. Again. For like the, what, 10th incident in the last couple months? I’m not an anarchist and I am not cool with the vast majority of espionage, credit card fraud, hacking, and defacement that goes on. I pretty consistently come down on the other side of the fence on all that stuff. In fact I spend most of my time trying to teach people how to protect themselves from those intrusions. But just this once – and I am not too proud to admit it – I have this total case of schadenfreude going. And not just because Sony intentionally wrote and distributed malware to their customers – it’s for all the bad business practices they have engaged in. Like trying to stop the secondary market from reselling video games. It’s for spending huge amounts of engineering efforts to discourage customers from customizing PlayStations. It’s for watermarking that deteriorated video and audio quality. It’s for the CD: not the CD medium co-developed with Phillips, but telling us it sounded better than anything else. It’s for telling us Trinitron was better – and charging more for it – when it offered inferior picture quality. It’s for deteriorating the quality of their products while pushing prices higher. It’s for trying to make ‘ripping’ illegal. Sony has been fabulously successful financially, not by striving to make customers happy, but by identifying lucrative markets and owning them in a monopoly or bust model – think Betamax, Blu-ray, PlayStation, Walkman, etc.

A Different Take on the Defense Contractor/RSA Breach Miasma

Thu, 02 Jun 2011 00:00:00 +0000

I have been debating writing anything on the spate of publicly reported defense contractor breaches. It’s always risky to talk about breaches when you don’t have any direct knowledge about what’s going on. And, to be honest, unless your job is reporting the news it smells a bit like chasing a hearse.

Incite 6/1/2011: Cherries vs. M&Ms

Wed, 01 Jun 2011 00:00:00 +0000

Queue up the Alice Cooper and get ready. Last Friday was the last day of school for the kids. That means school’s out for summer, and it’s time to get ready for the heat in all its glory. Rich and Adrian live in the desert (literally), so I’m not going to complain about temperatures in the 90s, but thankfully there is no lack of air conditioning and pools to dissipate this global warming thing.

New White Paper: DAM Software vs. Appliances

Wed, 01 Jun 2011 00:00:00 +0000

I am pleased to announce our Database Activity Monitoring: Software vs. Appliance Tradeoffs research paper. I have been writing about Database Activity Monitoring for a long time, but only been within the last couple years have we seen strong adoption of the technology. While it’s not new to me, it is to most customers! I get many questions about basic setup and administration, and how to go about performing a proof of concept comparison of different technologies. Since wrapping up this research paper a couple weeks ago, I have been told by two separate firms that, “Vendor A says they don’t require agents for their Database Activity Monitoring platform, so we are leaning that way, but we would like your input on these solutions.” Another potential customer wanted to understand how blocking is performed without an in-line proxy. These are exactly the reasons I believe this paper is important, so I’m glad this is clearly the right time to examine the deployment tradeoffs. And yes, these questions are answered in section 4 under Data Collection, along with other common questions.

New White Paper: Understanding and Selecting a File Activity Monitoring Solution

Wed, 01 Jun 2011 00:00:00 +0000

A while back I got the weird idea that Database Activity Monitoring is useful enough that it would make sense to do the same thing for file repositories. I’m not talking about full DLP – but about granular tracking of user access to major file servers and document management solutions. I added “File Activity Monitoring” to the Data Security Lifecycle and figured someone would develop it eventually.

Tokenization vs. Encryption: Options for Compliance

Tue, 31 May 2011 00:00:00 +0000

We get lots of questions about tokenization – particularly about substituting tokens for sensitive data. Many questions from would-be customers are based on misunderstandings about the technology, or the way the technology should be applied. Even more troublesome is the misleading way the technology is marketed as a replacement for data encryption. In most cases it’s not an either/or proposition. If you have sensitive information you will be using encryption somewhere in your organization. If you want to use tokenization, the question becomes how much to supplant encrypted data with tokens, and how to go about it.

Friday Summary: May 27, 2011

Thu, 26 May 2011 00:00:00 +0000

In the 4 years since I started Securosis, this is absolutely the most bat-sh** crazy time I have experienced. Between cramming for the cloud security training class, managing a software development project, keeping our infrastructure up and running, hitting writing deadlines, and keeping up with prospects and clients, I barely have time to breathe. Add in a couple young kids who have done their best to ensure I don’t get a good night’s sleep at home for the past 6 months… and it’s no wonder I finished last week alternating between passing out and participating in commode-based religion.

Sowing the Seeds of Token Panic

Thu, 26 May 2011 00:00:00 +0000

It was just a matter of time. After the EMC/RSA breach in March, the clock started ticking relative to the seeds being used to gain access to something important. According to Bob Cringely, that has now happened with a very large US defense contractor having their remote access network compromised.

End Users, Fill out Our Security Marketing Content Survey

Wed, 25 May 2011 00:00:00 +0000

We got great response to our Categorizing FUD post. Obviously many of you are as frustrated with marketing idiocy as we are. So let’s band together to prove to the vendor community that some of their security marketing tactics hurt them more than they help.

Incite 5/25/2011: Rapturing the Middle Ground

Wed, 25 May 2011 00:00:00 +0000

The sun rose today. As it has every day for a couple billion years. Though plenty of people thought they would not be around on Sunday for the sunrise. Yes, I’m talking about the Rapture. Either it didn’t happen or we all got left behind, which is fine by me – I still have stuff to do. You may think the whole concept is wacky, but I’m the last guy to criticize someone else’s beliefs. What you believe is your business. I’m certainly not going to try to convince you I’m right. Especially about matters of faith.

Cloud Security Training: June 8-9 in San Jose

Tue, 24 May 2011 00:00:00 +0000

You might have noticed I haven’t been blogging much for a couple months. That’s because I’m spending nearly every waking hour on our training class for the Cloud Security Alliance. This is a pretty big deal for us and I’m psyched it’s almost finished.

Planning vs. Acting

Mon, 23 May 2011 00:00:00 +0000

I’m all for thought leadership. Folks driving our security thinking and activities forward benefit from it. Josh Corman is one of those leaders. He’s a big thinker – he can suspend disbelief and reality long enough to envision a different outcome, and make his points with passion.

Friday Summary: May 20, 2011

Fri, 20 May 2011 00:00:00 +0000

I stumbled on my last employer’s shutdown plans while rummaging around my old email archives. Those messages were from today’s date 3 years ago – not coincidentally the day Rich and I began to discuss me joining Securosis. At milestones like this I tend to get all philosophical and look back at the change, and what I like and dislike about the move. How do I feel about this change in my career? Where are we as a company, and is it anywhere near what we planned? I had no idea what an analyst really did – I just wanted to help people understand security technologies and be involved much more broadly than just database security. I kinda thought I was getting out of the startup game, but Securosis has the feel of a startup – the freedom to follow our vision, the pressure to focus on what’s most important, the agility in decision making and long hours. But it also feels like people appreciate our take on what analysts can be, which makes me think we have a shot at making this little shop a success.

Incite 5/18/2011: Trophies

Wed, 18 May 2011 00:00:00 +0000

As mentioned last week, I’ve been mired in the twins’ baseball/softball playoffs the past 2 weeks. That ended Saturday, with the Rothman clan going 1-1 in championship games. XX2’s team lost a close game and took the runner-up trophy. The Boy’s team eked out a win after dominating the league most of the year to take home the victory. It’s funny, you’d think there would be angst and disappointment coming from the girl, and happiness emanating from the boy. But that wasn’t exactly the case.

BeyondTrust Acquires Lumigent Assets

Tue, 17 May 2011 00:00:00 +0000

BeyondTrust announced today that it has acquired the assets of Database Activity Monitoring vendor Lumigent. Some of you are saying “Who?” Others, who have been around the DAM space a few years, shake your heads in dismay at what might have been. There was a time – way back in the 2004-2005 timeframe – that Lumigent had a clear leadership position in the Database Activity Monitoring space. They won many head-to-head sales engagements. They had a good sales and marketing team, the best Sarbanes-Oxley reports in the industry, the only viable auditing tool for Sybase, and the only platform that provided “before and after” query values. The latter was the hot feature for forensic audits and regulatory compliance, and every customer wanted it. Greylock, North Bridge, and NetIQ invested. Lumigent was a shining star in the nascent DAM market and they were making a name for themselves.

VMWare Buys Shavlik: One Stop Shop for Virtual Infrastructure?

Tue, 17 May 2011 00:00:00 +0000

The M&A train gathers steam in the security space. With Lumigent’s assets off the table, the TripWire buy, Sophos/Astaro, and RSA/NetWitness, it seems the busiest guys in town are the investment bankers. VMware has joined the parade by buying configuration management player Shavlik, ostensibly to facilitate the adoption of virtualization in the SMB market segment, though we believe that oversimplifies VMware’s ambition to be a one-stop shop for all things virtual infrastructure.

Defining Failure

Mon, 16 May 2011 00:00:00 +0000

Given the hard time we have defining success in the security field, you’d think we must have at least a firm handle on failure. But that isn’t entirely the case. As both an entrepreneur and a security guy, I may have a different perspective on failure, which influences how I look at pretty much all our business activities. I read a lot of VC and entrepreneur blogs, not because I want to raise money – in fact I’d rather hook my soft targets to a car battery than take outside investment. But I need to learn about how folks are screwing things up and try not to do that.

Cybersecurity’s RICO Suave: Assessing the Proposed Legislation

Fri, 13 May 2011 00:00:00 +0000

With some fanfare, the US executive branch (the White House) unveiled a proposal for cybersecurity legislation “focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers.”

Friday Summary: May 13, 2011

Thu, 12 May 2011 00:00:00 +0000

If you follow me on Twitter (@rmogull) you might suspect that last week I took a short vacation. And that said vacation started somewhat auspiciously. And said event really pissed me off to a degree I normally don’t let myself hit. And, just perhaps, American Airlines was responsible.

Thoma Bravo Trips the Wire Fantastic

Thu, 12 May 2011 00:00:00 +0000

With the global economy apparently warming and lots of IPOs hitting the Street, it was a bit surprising to see TripWire opt for a buyout by Thoma Bravo, as opposed to continuing with their IPO plans. But I found an article by the local Portland OR Business Journal which explained things a bit.

Incite 5/11/2011: Generalists and Specialists

Wed, 11 May 2011 00:00:00 +0000

Looking back over 30+ years, I realize my athletic career peaked at 10. I played First Base on the Monsey Orioles (“Minor League”). Our team was stacked, and we won the championship. I kept playing baseball for a few more years but my teams never made it to the championship, and when the bases moved out to 90 feet my lead feet became the beginning of the end. But it’s okay – I was pretty good with computers and in chess club too. Yep, I was fitted for my tool belt pretty early.

Incomplete Thought: Existential Identities (or: Who the F*** are You?)

Tue, 10 May 2011 00:00:00 +0000

Do you ever think about how you could just disappear? Or become someone else? Maybe only I do that after reading one too many Jason Bourne novels. Given anyone’s ability, with a keyboard and an Internet connection, to become anyone (even Abraham Lincoln is spewing quotes on Twitter now), what does ‘identity’ mean now? In the future? And is your ‘identity’ singular, or will it become identities moving forward?

SIEM: Out with the Old

Tue, 10 May 2011 00:00:00 +0000

About 4 years ago we saw the first big wave of replacements of older email security tools with a second generation we now call ‘content security’. Early email security products were deployed in-house and focused on anti-virus, anti-spam, and mail server integration. The current generation of products offered new SaaS and hybrid deployment models, technology advancements in web and content filtering, more elastic service sets, and centralized web management consoles. And let’s not forget the larger security firms with products lagging far behind the state of the art, milking their cash cows while smaller firms innovated.

Friday Summary: May 6, 2011

Fri, 06 May 2011 00:00:00 +0000

A few months back one my dogs knocked over one my speakers. Sent it flying, actually. 3’ 50lb wood cabinet speaker – as if it wasn’t there. The culprit is still a puppy, but when she gets ripping, she can pretty much take out any piece of furniture I own. And she has a big butt. She seems to run into everything butt first, which is impressive as she does not walk backwards. Wife calls her ‘J-Lo’. She learned how to spin from playing with my boxer, and now she spins out of control when she is amped up. Big ass, right into a chair… BANG! I miss having music in the living room, so I thought I would solve the problem by bringing out a pair of tower speakers from the back room. They are six feet tall and weigh 180lb each. I thought that was the perfect solution, until she moved the piano a half of an inch with one of her spins. For the sake of the speakers, and my health, I removed all stereo components from the living room.

Sophos Wishes upon A-star-o

Fri, 06 May 2011 00:00:00 +0000

In the security industry successful companies need have breadth and scale. Security is and will remain an overhead function, so end users must strive to balance broad coverage against efficiency to control, and hopefully reduce, overhead. Scoff as you may, but integration at all levels of the stack does happen, and that favors bigger companies with broader product portfolios.

Earth to Symantec: AV doesn’t stop the APT

Wed, 04 May 2011 00:00:00 +0000

If you read saw the press release title Symantec Introduces New Security Solutions to Counter Advanced Persistent Threats, what would you expect? Perhaps a detailed security monitoring solution, or maybe they bought a full packet capture solution, or perhaps really innovated with something interesting? Now what if told you that it’s actually about the latest version of Symantec’s endpoint protection product, with a management console for AV and DLP? You’d probably crap your pants from laughing so hard. I know that’s what I did, and my laundromat is not going to be happy.

Incite 5/4/2011: Free Agent Status Enabled

Wed, 04 May 2011 00:00:00 +0000

Last weekend was a little oasis in the NFL desert that has been this offseason. It looked like there would be court-ordered peace, now maybe not so much. The draft reminded me of the possibilities of the new season, at least for a little while. One of the casualties of this non-offseason has been free agency. You know, where guys who have put in their time shop their services to the highest bidder.

Software vs. Appliance: Data Collection

Wed, 04 May 2011 00:00:00 +0000

Wrapping up our Software vs. Appliance series, I want to remind the audience this series was prompted by my desire to spotlight the FUD in Database Activity Monitoring sales processes. I have mentioned data collection as one of the topics Data collection matters. As much as we would like to say the deployment architecture is paramount for performance and effectiveness, data collection is crucial too, and we need to cover a couple of the competitive topics that get lumped into bake-offs.

Software vs. Appliance: Virtual Appliances

Tue, 03 May 2011 00:00:00 +0000

For Database Activity Monitoring, Virtual Appliances result from hardware appliances not fitting into virtualization models. Management, hardware consolidation, resource and network abstraction, and even power savings don’t fit. Infrastructure as a Service (IaaS) disrupts the hardware model. So DAM vendors pack their application stacks into virtual machine images and sell those. It’s a quick win for them, as very few changes are needed, and they escape the limitations of hardware. A virtual appliance is ‘built’ and configured like a hardware appliance, but delivered without the hardware. That means all the software – both third party and vendor created – contained within the hardware appliances is now wrapped in a virtual machine image. This image is run and managed by a Virtual Machine Manager (VMware, Xen, Hyper-V, etc.), but otherwise functions the same as a physical appliance.

Standards: Should You Care? (Probably Not)

Tue, 03 May 2011 00:00:00 +0000

I just wrote up my portions of tomorrow’s Incite, and talked a bit about the importance of standards in product selection. But it’s hard to treat cogently in 30 words, so let me dig into it a bit more here. Mostly because of prevailing opinion on the importance of standards, and to what degree standards support should be a key selection criteria.

SDLC and Entropy

Mon, 02 May 2011 00:00:00 +0000

I really enjoy having Gunnar Peterson on the team. Seems like every time we talk in our staff meeting I laugh and learn something – two rare outcomes in this profession. We were having a laugh Friday morning about the tendencies of software development organizations to trip over themselves in order to improve. Several different clients were having the same problem in understanding how to apply security to code development. Part of our discussion:

What’s Old Is New again

Sat, 30 Apr 2011 00:00:00 +0000

The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Friday Summary: April 29, 2011

Thu, 28 Apr 2011 00:00:00 +0000

I’ve taught a lot of different classes over the years, and always found the different structures to be pretty interesting.

Software vs. Appliance: Software

Thu, 28 Apr 2011 00:00:00 +0000

“It’s anything you want it to be – it’s software!” – Adrian.

Database Activity Monitoring software is deployed differently than DAM appliances. Whereas appliances are usually two-tier event collector / manager combinations which divide responsibilities, software deployments are as diverse as customer environments. It might be stand-alone servers installed in multiple geographic locations, loosely coupled confederations each performing different types of monitoring, hub & spoke systems, everything on a single database server, all the way up to N-tier enterprise deployments. It’s more about how the software is configured and how resources are allocated by the customer to address their specific requirements. Most customers use a central management server communicating directly with software agents with collect events. That said, the management server configuration varies from customer to customer, and evolves over time.

Incite 4/27/2011: Just Write

Wed, 27 Apr 2011 00:00:00 +0000

All I wanted to do on Monday night was go to sleep. I had a flight in the morning and thought it would be a good idea to get some rest. So I sit down with the Boss and we catch up on the day, discuss some tactics to deal with issues the kids face, and I’m ready to hit the rack. Then I notice she’s watching a movie called One Week (Netflix streaming FTW) where basically a guy is given a week to live and sets off on a cross-Canada jaunt on a motorcycle to discover himself, meet some interesting people, and do stuff that happens in movies.

Security Benchmarking, Beyond Metrics: Benchmarking in Action

Mon, 25 Apr 2011 00:00:00 +0000

As we wrap up our series on Security Benchmarking, we find it instructive to actually walk through a scenario and apply the process. Yes, the scenario is a bit contrived, but we’ll use it to hit the high points of the process, deciding where to start, collecting the data, establishing the peer group and communicate the findings. Keep in mind that we focus on getting quick wins , showing immediate value, building momentum and leveraging that momentum for programatic success.

Security Benchmarking, Beyond Metrics: Index

Mon, 25 Apr 2011 00:00:00 +0000

As is (now) our custom, we post a set of links to each blog series as it wraps up. This both gives us an easy way to find all our posts, and acknowledges that not everyone wants our complete feed and may want to read posts once they’re all written.

Why We Didn’t Pick the Cloud (Mostly), and That’s Okay

Mon, 25 Apr 2011 00:00:00 +0000

It’s no secret that we are currently working on a new software platform to deliver actionable security research to a broader market, engage folks, and… umm… feed our families. As you might expect, like any software project, it’s running about 30% late and 70% over budget. I just can’t seem to stop making our developers find exactly the right imagery and user experience to best represent the Securosis brand. Mike has coined a new term, ‘analness’, to describe the gyrations we’ve gone through, but I’m okay with that because we have spent years building our reputation and aren’t about to roll out a huge steaming pile of crap just to hit a delivery date.

Friday Summary: April 22, 2011

Fri, 22 Apr 2011 00:00:00 +0000

The Apple-ification of my home continues, as I got an Apple TV as an early birthday present. Tinkerer that I am, I thought “Wouldn’t it be great to hardwire it with Cat5 cable to the Airport Extreme? Download speeds will be awesome ”. So I changed the existing phone lines (I’ll never use a POTS land line again) to Ethernet. Which meant changing all the phone jacks, and then the wall plates. And rewiring the central connections. And putting a new router in the closet. And adding new power to the closet. And wiring in a small low-voltage fan. It was the snowball effect, but this was one of the first times I have not minded, because I have Giant Freakin’ Toolbox!

Data Security: Dropbox Should Mimic CrashPlan

Thu, 21 Apr 2011 00:00:00 +0000

I love it when people froth at the mouth once they finally realize the blazingly obvious!

For today’s example let’s look at the big Dropbox data privacy controversy. There are a few serious problems with Dropbox, such as not requiring a password after a host is added, making it super easy for someone to pretend to be you (if they get your host ID) and access your data. That’s not great, but there are far worse things out there I worry about.

Oracle CVSS: ‘Partial+’ is ‘Useful-’

Thu, 21 Apr 2011 00:00:00 +0000

Oracle announced the April 2011 CPU this week, with just a few moderate security issues for the database. Most DBAs monitor Oracle’s Critical Patch Updates (CPU) and are already familiar with the Common Vulnerability Scoring System (CVSS). For those of you who are not, it’s a method of calculating the relative risk of software and hardware vulnerabilities, resulting in a score that describes the potential severity of the vulnerability if an attacker were to exploit the problem. The scores are provided to help IT and operations teams decide what to patch and when. Vendors are cagey about providing vulnerability information – under the belief that any information helps attackers create exploits – so CVSS is a compromise to help customers without overly helping adversaries.

Security Benchmarking, Beyond Metrics: You Can’t Benchmark everything

Thu, 21 Apr 2011 00:00:00 +0000

We have spent much of this series on why benchmarking is important. But we also need to point out some situations where benchmarking may not be appropriate. There are clearly situations where you can’t benchmark, particularly is on granular operational data, which I call Ninja Metrics.

Incite 4/20/2011: Family Parties

Wed, 20 Apr 2011 00:00:00 +0000

The last two nights, we have celebrated Passover. Basically, we have a big dinner commemorating the escape of our forefathers from bondage and slavery in Egypt. At least that’s how the story goes, although I wasn’t there, so I maintain a healthy skepticism regarding burning bushes, parting seas, and plagues. But the point remains whether or not the stories are true. It’s really an excuse to party with friends and family, and enjoy some time together outside the craziness of day-to-day existence.

Software vs. Appliance: Appliances

Wed, 20 Apr 2011 00:00:00 +0000

I want to discuss deployment tradeoffs in Database Activity Monitoring, focusing on advantages and disadvantages of hardware appliances. It might seem minor, but the delivery model makes a big first impression on customers. It’s the first difference they notice when comparing DAM products, and it’s impressive – those racks of blinking whirring 1U & 2U machines, neatly racked, do stick with you. They cluster in groups in your data center, with lots of cool lights, logos, and deafening fans. Sometimes called “pizza boxes” by the older IT crowd, these are basic commodity computers with 1-2 processors, memory, redundant power supplies, and a disk drive or two. Inexpensive and fast, appliances are more than half the world’s DAM deployments.

Categorizing FUD

Tue, 19 Apr 2011 00:00:00 +0000

In a world full of TLAs (three letter acronyms), none resonates for security people as strongly as FUD. Or Fear, Uncertainty, and Doubt for you n00bs. Many of us rail at the offensive use of FUD in security sales. But let’s take a step back and acknowledge that security is like insurance. With very rare exceptions, security doesn’t help anyone sell more stuff. It doesn’t really help companies operate more efficiently. It’s basically about controlling downside risk.

How to Read and Act on the 2011 Verizon Data Breach Investigations Report (DBIR)

Tue, 19 Apr 2011 00:00:00 +0000

Today Verizon released the 2011 Data Breach Investigations Report: our single best source of actual incident data in the security industry, based on comprehensive metrics gathered during hundreds of incident investigations.

New White Paper: React Faster and Better: New Approaches for Advanced Incident Response

Mon, 18 Apr 2011 00:00:00 +0000

If you don’t already have attackers in your environment you will soon enough, so we have been spending a lot of time with clients figuring out how to respond in this age of APT (Advanced Persistent Threat) attackers and other attacks you have no shot at stopping. You need to detect and respond more effectively. We call this philosophy “React Faster and Better”, and have finally documented and collected our thoughts on the topic. Here are a couple excerpts from the paper to give you a feel for the issue and how we deal with it:

Security Benchmarking, Going Beyond Metrics: Continuous Improvement

Fri, 15 Apr 2011 00:00:00 +0000

So you have defined your peer groups and analysis and spent a bunch of time communicating what you found to your security program’s key stakeholders. Now it’s time to shift focus internally. One of the cool things about security metrics and benchmarks is the ability to analyze trends over time and use that data to track progress against your key goals. Imagine that – managing people and programs based on data , not just gut feel.

Weekend Reading: Security Benchmarking Series

Fri, 15 Apr 2011 00:00:00 +0000

Just in case you had nothing to do over the weekend, I came up with some homework to catch you up on our Security Benchmarking series. We’re clicking right along and think the content is kickass. So check it out, comment, and let us know if we are smoking crack.

Friday Summary: April 15, 2011 (Tax Day!)

Thu, 14 Apr 2011 00:00:00 +0000

It’s tax day.

You don’t have time to read this.

I don’t have time to write it.

Actually, my accountant is taking care of my taxes (I don’t trust myself with them). What’s really sucking down my time is preparing all the hands-on portions of the Cloud Security Alliance training.

Security Benchmarking, Going Beyond Metrics: Communications Strategies

Thu, 14 Apr 2011 00:00:00 +0000

The simple fact is that most folks senior security folks came from the technical side of the house. They started as competent (if not studly) sysadmins or security administrators, drew the short straw, and ended up with management responsibility. But very few of these folks ever studied management, gone through management training, or done anything but learned on the job. This creates a situation where senior security folks spend a lot of time doing stuff, but not enough time talking about it.

Incite 4/13/2011: Jonesing for Air

Wed, 13 Apr 2011 00:00:00 +0000

“Hi. I’m Mike. And I’m an addict.” I start every chapter of the Pragmatic CSO with those very words. There there are many things you can be addicted to. Thrills. Sex. Sugar. Booze. Drugs. Twitter. Pr0n. Caffeine. Food. Some are worse than others, though none of them really good for you. But now I have to face up to another addiction. The need for gadgets. I’m jonesing for a new MacBook Air. Big time. Like waking up in the middle of the night wanting some SSD goodness in a petite 2lb package. Jonesing, I say, and it’s not pretty.

Security Benchmarking, Going Beyond Metrics: Defining Peer Groups and Analyzing Data

Wed, 13 Apr 2011 00:00:00 +0000

So your key security metrics are collected and shared safely. What comes next? Now we need to start deriving value from the data. Remember, metrics and numbers aren’t worth the storage to keep them, unless you use them as management tools. You need to start comparing the data, drawing conclusions, and adjusting your security program based on the data. OMG, actually making changes based on data rather than shiny objects, breaches, airline magazine articles, and compliance mandate changes. How novel.

Database Trends

Tue, 12 Apr 2011 00:00:00 +0000

This is a non-security post, in case that matters to you. A few days ago I was reading about a failed Telcomm firm ‘refocusing’ its business and technology to become a cloud database provider. I’m thinking that’s the last frackin’ thing we need. Some opportunistic serial start-up-tard can’t wait to fail the first time, and wants skip over onto not one but two , hot trends. Smells like 1999. Of course they landed an additional $4M; couple Cloud with a modular database and it’s a no-lose situation – at least for landing venture funding.

New Release: Our Insanely Comprehensive Database Security Framework and Metrics

Tue, 12 Apr 2011 00:00:00 +0000

Some projects take us a few days. Others? More like 18 months.

Back before Mike even joined us, Adrian and I started a ‘quick’ project to develop a basic set of metrics for database security programs. As with most of our Project Quant efforts, we quickly realized there wasn’t even a starting framework out there, never mind any metrics. We needed to create a process for every database security task before we could define where people spent their time and money. Over the next year and a half we posted, reposted, designed, redesigned, and finally produced a framework we are pretty darn proud of.

Software vs. Appliance: Understanding DAM Deployment Tradeoffs

Mon, 11 Apr 2011 00:00:00 +0000

One thing I don’t miss from my vendor days in the Database Activity Monitoring market is the competitive infighting. Sure, I loved to do the competitive analyses to see how each vendor viewed itself, and how they were all trying to differentiate their products. I did not enjoy going into a customer shop after a competitor “poisoned the well” with misleading statements, evangelical pitches touting the right way to tackle a problem, or flat-out lies. Being second into a customer account meant having to deal with the dozen land mines left in their minds, and explaining those issues just to get even. The common land mines were about performance, lack of impact on IT systems, and platform support. The next vendor in line countered with architectures that did not scale, difficulties in deployment, inability to collect important events, and management complexity of every other product on the market. The customer often cannot determine who’s lying until after they purchase something and see if it does what the vendor claimed, so this game continues until the market reaches a certain level of maturity.

Always Be Looking

Thu, 07 Apr 2011 00:00:00 +0000

You really should read Lee Kushner and Mike Murray’s Information Security Leaders blog. Besides being good guys, they usually post good perspectives on career management each week. Like this post on Rats and Ships, where they basically address how to know your company is in trouble and when to start looking for what’s next. Obviously if the company is in turmoil and you don’t have your head in the sand, the writing will be on the wall.

Friday Summary: April 8, 2011

Thu, 07 Apr 2011 00:00:00 +0000

I was almost Phished this week. Not by some Nigerian scammer, or Russian botnet, but by my own bank.

Bundled with both my checking and mortgage statements – with the bank’s name, logos, and phone number was the warning: “Notice: Credit Report Review Re: Suspicious activity detection”. The letter made it appear that there were ongoing suspicious activity reported by the credit agency, and I needed to take immediate action. I thought “Crud, now I have to deal with this.” Enclosed was a signature sheet that looked like they wanted permission to investigate and take action. But wait a minute – when does my bank ask for permission? My suspicion awoke.

Incite 4/6/2011: Do Work

Wed, 06 Apr 2011 00:00:00 +0000

We spent last weekend up north visiting friends and family while the kids are on Spring Break. We decided to surprise them on Sunday by going to a baseball game. It was opening weekend and our home team was in town. We got cheap seats in the upper deck, but throughout the game we kept moving downwards, and by the 9th inning we were literally in the front row on the dugout. The Boss turned to me and asked if the kids had any idea how lucky they are. Yeah, right.

Security Benchmarking, Going Beyond Metrics: Sharing Data Safely

Wed, 06 Apr 2011 00:00:00 +0000

The best definition of a security benchmarking effort I am aware of is in Chapter 11 of my book, The Pragmatic CSO, which provides a good perspective on why benchmarking is important.

Less Innovation Please

Tue, 05 Apr 2011 00:00:00 +0000

It happens every time we have a series of breaches. The ‘innovators’ get press coverage with some brand-new idea for how to stop hackers and catch malicious employees trying to steal data. We are seeing yet another cycle right now, which Rich discussed yesterday in FireStarter: Now What? The sheer idiocy of Wired Magazine ’s Paranoia Meter made me laugh out loud. Not that monitoring should not be done, but the concept of monitoring users’ physical traits to identify bad behavior is a lot more effort and is also error-prone. Looking at posture, mouse movements, and keystrokes to judge state of mind, then using that to predict data theft? Who could believe in that? It baffles me. User behavior in the IT realm does not need to be measured in terms of eye movement, typing speed, or shifting in one’s seat – if it did, we would need to round up all the 3rd graders in the world because we’d have a serious problem. Worse, the demand is clearly a marketing attempt to capitalize on WikiLeaks and HBGary – the whole thing reminds me more than a little of South Park’s ‘It’.

Security Benchmarking, Going Beyond Metrics: Collecting Data Systematically

Tue, 05 Apr 2011 00:00:00 +0000

Once you have figured out what you want to count (security metrics), the next question is how to collect the data. Remember we look for metrics that are a) consistently and objectively measurable, and b) cheap to gather. That means some things we want to count may not be feasible. So let’s go through each bucket of metrics and list out the places we can get that data.

FireStarter: Now What?

Mon, 04 Apr 2011 00:00:00 +0000

I have always believed that security – both physical and digital – is a self-correcting system.

No one wants to invest any more into security than they need to. Locks, passwords, firewalls, well-armed ninja – they all take money, time, and effort we’d rather spend getting our jobs done, with our families, or on personal pursuits. Only the security geeks and the paranoid actually enjoy spending on security. So the world only invests the minimum needed to keep things (mostly) humming.

Fool us once… EMC/RSA Buys NetWitness

Mon, 04 Apr 2011 00:00:00 +0000

To no one’s surprise (after NetworkWorld spilled the beans two weeks ago), RSA/EMC formalized its acquisition of NetWitness. I guess they don’t want to get fooled again the next time an APT comes to visit. Kidding aside, we have long been big fans of full packet capture, and believe it’s a critical technology moving forward. On that basis alone, this deal looks good for RSA/EMC.

Quick Wins with DLP Light: The Process

Mon, 04 Apr 2011 00:00:00 +0000

The objective of the Quick Wins process is to get results and show value as quickly as possible, while setting yourself up for long-term success. Quick Wins for DLP Light is related to the Quick Wins for DLP process, but heavily modified to deal both with the technical differences and the different organizational goals we see in DLP Light projects.

Quick Wins with DLP Light: Technologies and Architectures

Fri, 01 Apr 2011 00:00:00 +0000

DLP Light tools cover a wide range of technologies, architectures, and integration points. We can’t highlight them all, so here are the core features and common architectures. We have organized them by key features and deployment location (network, endpoint, etc.):

Friday Summary: April 1, 2011

Thu, 31 Mar 2011 00:00:00 +0000

Okay folks – raise your hands for this one. How many of you get an obvious spam message from a friend or family member on a weekly basis?

PROREALITY: Security is rarely a differentiator

Thu, 31 Mar 2011 00:00:00 +0000

I’ve been in this business a long time – longer than most, though not as long as some. That longevity provides perspective, and has allowed me to observe the pendulum swinging back and forth more than once. This particular pendulum is the security as an enabler concept – you know, positioning security not as an overhead function but as a revenue driver (either direct or indirect).

White Paper: Network Security in the Age of Any Computing

Thu, 31 Mar 2011 00:00:00 +0000

We all know about the challenges for security professionals posed by mobile devices, and by the need to connect to anything from anywhere. We have done some research on how to start securing those mobile devices, and have broadened that research with a network-centric perspective on these issues. Let’s set the stage for this paper:

Incite 3/30/2011: The Silent Clipper

Wed, 30 Mar 2011 00:00:00 +0000

I’m very fortunate to have inherited Rothman hair, which is gray but plentiful and grows fast. Like fungus. Given my schedule, I tend to wait until things get lost in my hair before I get it cut. Like birds; or yard debris; or Nintendo DS games. A few weeks back the Boss told me to get it cut when I lost my iPhone in my hair. So I arranged a day to hit the barber I have frequented for years.

On Preboot Authentication and Encryption

Wed, 30 Mar 2011 00:00:00 +0000

I am working on an encryption project – evaluating an upcoming product feature for a vendor – and the research is more interesting than I expected. Not that the feature is uninteresting, but I thought I knew all the answers going into this project. I was wrong.

Security Benchmarking, Going Beyond Metrics: Security Metrics (from 40,000 feet)

Wed, 30 Mar 2011 00:00:00 +0000

In our introduction to Security Benchmarking, Going Beyond Metrics, we spent some time defining metrics and pointing out that they have multiple consumers, which means we need to package and present the data to these different constituencies. As you’ll see, there is no lack of things to count. But in reality, just because you can count something doesn’t mean you should. So let’s dig a bit into what you can count.

Comments on Ponemon’s “What Auditors think about Crypto”

Tue, 29 Mar 2011 00:00:00 +0000

The Ponemon Institute has released a white paper, What auditors think about Crypto (registration required). I downloaded and took a cursory look at their results. My summary of their report is “IT auditors rely on encryption, but key management can be really hard”. No shock there. A client passed along a TechTarget blog post where Larry Ponemon is quoted as saying auditors prefer encryption , but worded to make their study sound like a comparison between encryption and tokenization. So I dove deep into their contents to see if I missed something. Nope. The study does not compare encryption to tokenization, and Larry’s juxtaposition implies it is.

FAM: Selection Process

Tue, 29 Mar 2011 00:00:00 +0000

Define Needs

The first step in the process is to determine your needs, keeping in mind that there are two main drivers for File Activity Monitoring projects, and it’s important to understand the differences and priorities between them:

File Activity Monitoring Series Complete (Index)

Tue, 29 Mar 2011 00:00:00 +0000

Once again, I have knocked off a series of posts for a new white paper. The title is “Understanding and Selecting a File Activity Monitoring Solution”. Although there are only a few vendors in the market, this is a technology I have been waiting a few years for, and I think it’s pretty useful.

FAM: Policy Creation, Workflow, and Reporting

Mon, 28 Mar 2011 00:00:00 +0000

Now that we have covered the base features it’s time to consider how these tie in with policies, workflow, and reporting. We’ll focus on the features needed to support these processes rather than defining the processes themselves.

Quick Wins with DLP Light

Mon, 28 Mar 2011 00:00:00 +0000

Introduction

Our entire profession is called “information security”, but surprisingly few of our technologies focus on actually protecting the data itself, as opposed to the infrastructure surrounding it. Data Loss Prevention emerged nearly 10 years ago to address exactly this problem. By peering inside files, network traffic, and other sources – and understanding both content and context – DLP provides new capabilities comparable to when we first started looking inside network packets.

Security Benchmarking, Going Beyond Metrics: Introduction

Mon, 28 Mar 2011 00:00:00 +0000

At Securosis we tend to be passionate about security. We have the luxury of time (and lack of wingnuts yelling at us all day) to think about how security should work, and make suggestions for how to get there. We also have our own pet projects – areas of research that get us excited. We usually focus on ‘hot’ topics, because they pay the bills. We rarely get to step back and think outside the box about a security process that really needs to change.

Captain Obvious Speaks: You Need Layers

Fri, 25 Mar 2011 00:00:00 +0000

Driven by the continued noise about the RSA and Comodo breaches, we have spent a lot of time stating the obvious this week. But then I remember that what is obvious to us may not be to everyone else. And even if it is obvious to you, sometimes you need a reminder because you are probably too busy fighting fires and answering questions from senior management (like “Don’t I take dumps in a Comodo?”) to remember the obvious stuff.

Crisis Communications

Thu, 24 Mar 2011 00:00:00 +0000

I realize that I have a tendency to overplay my emergency services background, but it does provide me with some perspective not common among infosec professionals. One example is crisis communications. While I haven’t gone through all the Public Information Officer (PIO) training, basic crisis communications is part of several incident management classes I have completed. I have also been involved in enough major meatspace and IT-related incidents to understand how the process goes.

FAM: Additional Features

Thu, 24 Mar 2011 00:00:00 +0000

Beyond the base FAM features, there are two additional functions to consider, depending on your requirements. We expect these to eventually join the base feature set, but for now they aren’t consistent across the available products.

Friday Summary: March 25, 2011

Thu, 24 Mar 2011 00:00:00 +0000

I am probably in the minority, but when I buy something I think of it as mine. I paid for it so I own it.

Incite 3/23/2011: SEO Unicorns

Wed, 23 Mar 2011 00:00:00 +0000

It seems blog popularity is a double edged sword. Yes, thousands of folks read our stuff every day. But that also means we are a target for many SEO Experts , who want to buy links from us. No, we don’t sell advertising on the site. But that doesn’t stop them from pummeling us with a bunch of requests each week. Most of the time we are pretty cordial, but not always.

McAfee Acquires Sentrigo

Wed, 23 Mar 2011 00:00:00 +0000

McAfee announced this morning its intention to acquire Sentrigo, a Database Activity Monitoring company. McAfee has had a partnership with Sentrigo for a couple years, and both companies have cooperatively sold the Sentrigo solution and developed high-level integration with McAfee’s security management software. McAfee’s existing enterprise customer base has shown interest in Database Activity Monitoring, and DAM is no longer as much of an evangelical sale as it used to be. Sentrigo is a small firm and integration of the two companies should go smoothly.

Agile and Hammers: They Don’t Fix Stupid

Tue, 22 Mar 2011 00:00:00 +0000

I did not see the original Agile Ruined My Life post until I read Paul Krill’s An agile pioneer versus an ‘agile ruined my life’ critic response today. I wish I had, as I would have used Mr. Markham’s post as an example of the wrong way to look at Agile development in my OWASP and RSA presentations. Mr. Markham raises some very good points, but in general the post pissed me off: it reeks of irresponsibility and unwillingness to own up to failure. But rather than go off on a tirade covering the 20 reasons that post exhibits a lack of critical thinking, I’ll take the high road. Jon Kern’s quotes in the response hit the nail on the head, but did not include an adequate explanation of why, so I offer a couple examples.

Death, Taxes, and M&A

Mon, 21 Mar 2011 00:00:00 +0000

Ben Franklin was a pretty smart dude. My favorite quote of his is: “In this world nothing is certain but death and taxes.” For a couple hundred years, that was pretty good. But at this point, I’ll add mergers and acquisitions as the third certainty in this world. Maybe also that your NCAA bracket will get busted by some college you’ve never heard of (WTF VCU?).

FAM: Core Features and Administration, Part 1

Mon, 21 Mar 2011 00:00:00 +0000

Now that we understand the technical architecture, let’s look at the principal features seen across most File Activity Monitoring tools.

RSA Releases (Almost) More Information

Mon, 21 Mar 2011 00:00:00 +0000

As this is posting, RSA is releasing a new SecureCare note and FAQ for their clients (Login required). This provides more specific prioritized information on what mitigations they recommend SecurID clients take.

How Enterprises Can Respond to the RSA/SecurID Breach

Fri, 18 Mar 2011 00:00:00 +0000

We have gotten a bunch of questions about what people should do, so I thought I would expand more on the advice in our last post, linked below.

Network Security in the Age of Any Computing: Index of Posts

Fri, 18 Mar 2011 00:00:00 +0000

It’s hard to believe, but we have wrapped up the initial research on this series dealing with how network security evolves, given the need to provide access to critical information at any time, from any where, on any device. We call it any computing. We’ve dealt with the risks and how enforcement and policies will change. And talked quite a bit about integrating these enforcement points into the existing network and security infrastructure. Finally, we wrapped the series yesterday with Quick Wins, about the process of selecting and implementing these technologies.

Updated RSA Breached: SecurID Affected

Thu, 17 Mar 2011 00:00:00 +0000

You will see this all over the headlines during the next days, weeks, and maybe even months. RSA, the security division of EMC, announced they were breached and suffered data loss.

FAM: Technical Architecture

Thu, 17 Mar 2011 00:00:00 +0000

FAM is a relatively new technology, but we already see the emergence of consistent architectural models. The key components are a central management server, sensors, and connectors to the directory infrastructure.

Friday Summary: March 18, 2011—Preparing for the Worst

Thu, 17 Mar 2011 00:00:00 +0000

I have been debating (in my head) whether or not to write anything about what’s going on in Japan. This is about as serious as it gets, and there is far too much under-informed material out there.

Network Security in the Age of Any Computing: Quick Wins

Thu, 17 Mar 2011 00:00:00 +0000

We have worked quickly through the main concepts of using network security tactics to provide access to the myriad of endpoint and mobile devices, so now let’s shift to a process to ensure success for your project. This is all about success, so we find the best path is to focus your project on establishing an initial quick win, and then gradually build momentum for the technology with expanded deployment.

The Problem with Open Source in Commercial Software

Thu, 17 Mar 2011 00:00:00 +0000

One of the more interesting results from the Pwn2Own contest at CanSecWest was the exploitation of a Blackberry using a WebKit vulnerability.

Incite 3/16/2011: Random Act of Burrito

Wed, 16 Mar 2011 00:00:00 +0000

It’s easy to be cynical. If you want to look at the negative, things are bad. The economy isn’t great and in many parts of the world it is getting worse. Politics are divisive. The Earth is pushing back at 7.9 on the Richter scale, resulting in a generation of Japanese who may be glowing sooner rather than later. Why do we bother?

Is the Virtual Desktop Hype Real?

Wed, 16 Mar 2011 00:00:00 +0000

I’ve been hearing a lot about Virtual Desktops lately (VDIs), and am struggling to figure out how interested you all really are in using them.

Network Security in the Age of Any Computing: Integration

Wed, 16 Mar 2011 00:00:00 +0000

Supporting any computing – which we have defined as access to your critical information from anywhere, at any time, on any device – requires organizations to restrict access to specific communities of users/devices, based on organizational policies. In order to do this, you need to integrate with your existing installed base of security and networking technologies, ensuring management leverage and reducing complexity. No easy task, for sure. So let’s discuss how you can implement network access control to play nicely in the larger sandbox.

Technology Caste System

Wed, 16 Mar 2011 00:00:00 +0000

There is a caste system in technology. It’s an engineering caste system, or at least that’s what I call it. A feeling of superiority developers have over their QA, IT, product management, and release management brethren. Software developers at every firm I have ever worked for – large and small – share a condescending view of their co-workers when it comes to technology. They are at the top of the totem pole, and act as if their efforts are the most important.

FAM: Market Drivers, Business Justifications, and Use Cases

Tue, 15 Mar 2011 00:00:00 +0000

Now that we have defined File Activity Monitoring it’s time to talk about why people are buying it, how it’s being used, and why you might want it.

Network Security in the Age of Any Computing: Policy Granularity

Tue, 15 Mar 2011 00:00:00 +0000

As we discussed in the last post, there are number of ways to enforce access policies for any computing. Given the flexibility and dynamic nature of business, access policies should provide sufficient flexibility to meet business needs. To illustrate, let’s look at how an enforcement mechanism like network access control (NAC) can provide this kind of granularity. What you want is map out access models and design a set of policies to provide users with the right access at the right time from the right device.

Table Stakes

Tue, 15 Mar 2011 00:00:00 +0000

This morning I published a column over at Dark Reading that kicked off some cool comments on Twitter. Since, you know, no one leaves blog comments anymore.

Incite 3/9/2011: Greed Is (fill in the blank)

Wed, 09 Mar 2011 00:00:00 +0000

As most of you know, I’m a huge NFL fan. In fact I made my kids watch the combine on NFL Network two weeks ago when the Boss was away. The frickin’ combine. I was on the edge of my seat watching some guy run a 4.34 40-yard dash. And heard the groans of the crowd when a top rated offensive tackle did only 21 bench presses of 225 pounds. That’s it? And some defensive lineman did 50 reps on the bench. 50 reps. If this DT thing doesn’t work out, I’m sure he’s got a future benching Pintos in the circus.

The CIO Role and Security

Wed, 09 Mar 2011 00:00:00 +0000

During the e10+ event Monday at the RSA Conference, Rich and Mike moderated a panel on Optimizing Your Security Program. One of the contested topics was how to position security to upper management. Every CIO and CISO falls into the trap of having to say ‘No’ to some new idea that occurs to executive management, and then take blame for being “Negative Nancy”, “Dr. No”, “The Knight who says NEE”, or some collection of the Seven Dirty Words. I was surprised that so little has changed, as these were exactly the same problems I had a dozen years ago. While security threats were far simpler and fewer then, so was acknowledgement of the need for security. I guess it’s human nature that we still fall into the same traps.

Introduction to File Activity Monitoring

Tue, 08 Mar 2011 00:00:00 +0000

A new approach to an old problem

One of the more pernicious problems in information security is allowing someone to perform something they are authorized to do, but catching when they do it in a potentially harmful way. For example, in most business environments it’s important to allow users broad access to sensitive information, but this exposes us to all sorts of data loss/leakage scenarios. We want to know when a sales executive crosses the line from accessing customer information as part of their job, to siphoning it for a competitor.

Network Security in the Age of Any Computing: Enforcement

Tue, 08 Mar 2011 00:00:00 +0000

As we continue with “Network Security in the Age of Any Computing”, we have already hit the risks and the need for segmentation to restrict access to sensitive data. Now we focus on technologies that can help restrict access – which tend to be NAC, firewalls, and other network layer controls (such as VLANs and physical segmentation). Each technology has pros and cons. There are no ‘right’ answers – just a set of compromises that must be made b weighing the various available technology options.

Network Security in the Age of Any Computing: Containing Access

Mon, 07 Mar 2011 00:00:00 +0000

In the first post of this series, we talked about the risks inherent to this concept of any computing , where those crazy users want to get at critical data at any time, from anywhere, on any device. And we all know it’s not pretty. Sure, there are things we can do at the device layer to protect the and ensure a proper configurations. But in this series we will focus on how to architect and secure the network to protect critical data. The first aspect of that is restricting access to key portions of your network to only those folks that need it.

Security Counter Culture

Mon, 07 Mar 2011 00:00:00 +0000

There’s nothing like a late-night phone call saying, “I think your email has been hacked,” to drop a security professional over the edge. My wife called me during the RSA Conference to tell me this, because some emails she got from me were duplicates that refused to be deleted. Weirdness like that always makes me question my security, and when I found the WiFi still enabled on my phone, I had my yearly conference ‘Oh $#(!’ moment early.

Friday Summary: March 4, 2011

Thu, 03 Mar 2011 00:00:00 +0000

The Friday summary is our chance to talk about whatever, and this week I am going to do just that. This week’s introduction has nothing to do with security, so skip it if you are offended by such things.

On Science Projects

Thu, 03 Mar 2011 00:00:00 +0000

I think anyone who writes for a living sometimes neglects to provide the proper context before launching into some big thought. I please guilty as charged on some aspects of the Risk Metrics Are Crap FireStarter earlier this week. As I responded to some of the comments, I used the term science project to describe some technologies like GRC, SIEM, and AppSec. Without context, some folks jumped on that. So let me explain a bit of what I mean.

What No One Is Saying about That Big HIPAA Fine

Thu, 03 Mar 2011 00:00:00 +0000

By now you have probably seen that the U.S. Department of Health and Human Services (HHS) fined Cignet healthcare a whopping $4.3M for, and I believe this is a legal term, being total egotistical assholes. (Because “willfull neglect” just doesn’t have a good ring to it).

Incite 3/2/2011: Agent Provocateur

Wed, 02 Mar 2011 00:00:00 +0000

It’s been a while since I have gotten into a good old-fashioned Twitter fight. Actually the concept behind FireStarter was to throw some controversial thought balloons out there and let the community pick our stuff apart and help find the break points in our research positions. As Jeremiah tweeted yesterday, “whatever the case, mission accomplished. Firestarter!” to my post Risk Metrics Are Crap. It devolved into a bare-knuckled brawl pretty quickly, with some of the vociferous risk metrics folks.

Network Security in the Age of Any Computing: the Risks

Wed, 02 Mar 2011 00:00:00 +0000

We are pleased to kick off the next of our research projects, which we call “Network Security in the Age of Any Computing.” It’s about how reducing attack surface, now that those wacky users expect to connect to critical resources from any device, at any time, from anywhere in the world. Thus ‘any’ computing.

Random Thoughts on Securing Applications in the Cloud

Wed, 02 Mar 2011 00:00:00 +0000

How do you secure data in the cloud? The answer is “it depends”. What type of cloud are you talking about – IaaS, PaaS, or SaaS? Public or Private? What services or applications are you running? What data do you want to protect? Following up on the things I learned at RSA, one statement I heard makes sense now. Specifically, a couple weeks ago Chris Hoff surprised me when, talking about data security in the cloud, he tweeted:

React Faster and Better: Index

Tue, 01 Mar 2011 00:00:00 +0000

With yesterday’s post, we have reached the end of the React Faster and Better series on advanced Incident Response. This series focuses a bit more on the tools and tactics than Incident Response Fundamentals.

FireStarter: Risk Metrics Are Crap

Mon, 28 Feb 2011 00:00:00 +0000

I recently got into a debate with someone about cyber-insurance. I know some companies are buying insurance to protect against a breach, or to contain risk, or for some other reason. In reality, these folks are flushing money down the toilet. Why? Because the insurance companies are charging too much. We’ve already had some brave soul admit that the insurers have no idea how to price these policies because they have no data and as such they are making up the numbers. And I assure you, they are not going to put themselves at risk, so they are erring on the side of charging too much. Which means buyers of these policies are flushing money down the loo.

React Faster and Better: Piecing It Together

Mon, 28 Feb 2011 00:00:00 +0000

We have been through all the pieces of our advanced incident response method, React Faster and Better , so it is time to wrap up this series. The best way to do that is to actually run through a sample incident with some commentary to provide the context you need to apply the method to something tangible. It’s a bit like watching a movie while listening to the director’s commentary. But those guys are actually talented.

Could This Be WikiLeaks for the Criminal Computer Underground?

Thu, 24 Feb 2011 00:00:00 +0000

When Brian Krebs sent me a link to his latest article on illegal pharmacy networks my only response was:

Holy friggin’ awesomesauce!!!

Friday Summary: February 25, 2011

Thu, 24 Feb 2011 00:00:00 +0000

In the relatively short period of time I have been on this planet, there are three time periods that really stand out to me as watershed moments in computing technology.

React Faster and Better: Respond, Investigate, and Recover

Thu, 24 Feb 2011 00:00:00 +0000

After you have validated and filtered the initial alert, then escalated to contain and respond to the incident, you may need to escalate for further specialized response, investigation, and (hopefully) recovery.

Incite 2/23/2011: Giving up

Wed, 23 Feb 2011 00:00:00 +0000

I’ve been in the security business a long time. I have enjoyed up cycles through the peaks, and back down the slope to the inevitable troughs. One of my observations getting back from RSAC 2011 is the level of sheer frustration on the part of many security professionals today. Frustration with management, frustration with users, frustration with vendors. Basically lots of folks are burnt out and mad at the world. Maybe it’s just the folks who show up at RSA, but I doubt it. This seems to be true across the industry.

What I Learned at RSAC

Wed, 23 Feb 2011 00:00:00 +0000

I was surprised at the negative tweets and blog posts after the RSA show this year, many by the security professionals at the core of this industry. I have been to RSA most years since 1997. This year, discontent and snarkiness seemed to be running high. “There is nothing new.” “There is no innovation.” “The vendors are all lying.” “These products don’t work as advertised.” “I have seen this presentation before.” “That attack won’t work in ‘the real world’.” I saw nobody excited about the concept of winning a car – what’s up with that!?! You know it’s bad when attendees complain about booth babes – booth babes! – and then go to the Barracuda party. You know who you are.

What You Really Need to Know about Oracle Database Firewall

Wed, 23 Feb 2011 00:00:00 +0000

Nothing amuses me more than some nice vendor-on-vendor smackdown action. Well, plenty of things amuse me more, especially Big Bang Theory and cats on YouTube, but the vendor thing is still moderately high on my list.

FireStarter: the New Cold War

Tue, 22 Feb 2011 00:00:00 +0000

It amuses me that folks were shocked by the latest treasure trove of goodies from the HBGary email spool. Basically these folks built custom malware on behalf of their government clients. Ars Technica digs in (with pretty impressive technical depth, I might add) and makes clear what you should already know.

RSA: the Only Difference Between a Rut and a Grave Is the Depth

Wed, 16 Feb 2011 00:00:00 +0000

I think Rich may still be sleep deprived, but on the upside his recap did elicit my loudest laugh of the day. See if you can spot the sentence that caused it.

RSA: We Now Go Live to Our Reporters on the Scene

Tue, 15 Feb 2011 00:00:00 +0000

It’s worth noting that even sleep-deprived Rich is surprisingly coherent.

Rich

While the RSA show technically doesn’t start until tomorrow, there’s still a heck of a lot going on. For myself, the worst is actually over. And by “the worst”, I mean there are even odds I will actually sleep tonight.

How to Encrypt Block Storage in the Cloud with SecureCloud

Sat, 12 Feb 2011 00:00:00 +0000

This is a bit of a different post for me. One exercise in the CCSK Enhanced Class which we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance. There are a few different ways to do this but we decided on Trend Micro’s SecureCloud service for a couple reasons. First of all, setting it up is something we can handle within the time constraints of the class. The equivalent process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Finally, they offer a free 60-day trial. The downside is that I don’t like using a vendor-specific solution in a class since it could be construed as endorsement. So please keep in mind that a) there are other options, and b) the fact that we use the tool for the class doesn’t mean this is the best solution for you. Ideally we will rotate tools as the class develops. For example, Porticor is a new company focusing on cloud encryption, and Vormetric is coming out with cloud-focused encryption. I think one of the other “V” companies is also bringing a cloud encryption product out this week. That said, SecureCloud does exactly what we need for this exercise. Especially since it’s SaaS based, which makes setting it up in the classroom much easier. Here’s how it works:

RSA 2011: A Few Pointers

Fri, 11 Feb 2011 00:00:00 +0000

It’s just a couple days until RSA Conference 2011. Is this your first time attending the security conference in San Francisco? Having attended for a few years now I can safely say that there are some things you should take into account before you show up. First of all, download the Securosis Guide to RSA 2011 (PDF) or (ePub).

The Securosis Guide to RSA 2011: The Full Monty

Fri, 11 Feb 2011 00:00:00 +0000

With great pleasure we post the 2nd annual Securosis Guide to the RSA Conference , 2011 edition. Last year’s guide we built as an experiment, but it has now effectively become an encyclopedia of all things RSA.

RSA Guide 2011: Security Management and Compliance

Thu, 10 Feb 2011 00:00:00 +0000

Security Management

Compliance is still driving most of what happens from a management standpoint, which is why have a specific compliance section below. On the security management front, there was still plenty of activity in 2010. But most customers continued to feel the same way: underwhelmed. It’s still very hard to keep control of much of anything, which is problematic as the number of devices and amount of sensitive data grow exponentially. Good times. Good times.

See Securosis @ RSA Conference 2011

Thu, 10 Feb 2011 00:00:00 +0000

We keep pretty busy schedules at RSA every year. But the good news is we do a number of speaking sessions and make other appearances throughout the week. Here is where you can find us:

Incite 2/9/2011: Loose Lips Sink Ships

Wed, 09 Feb 2011 00:00:00 +0000

I think we’ve taken this instant gratification thing a bit too far. Do you remember in the olden days, when you didn’t know what you were getting for your birthday? Now we get no surprises, pretty much as a society. The combination of a 24-hour media cycle, increasingly outsourced manufacturing, and loose lips ensures that nothing remains a secret for long.

RSA Guide 2011: Application Security

Wed, 09 Feb 2011 00:00:00 +0000

When we say application security, for we generally mean web application security. We probably could have cheated and simply reposted last year’s guide to application security and still been close. Yes, application security is still a nascent market. Last year the focus was anti-exploitation to prevent code injection attacks, and the value provided by integrating assessment and web application firewall technologies. While the threats remain the same, there are some new twists which deserve attention.

RSA Guide 2011: Endpoint Security

Wed, 09 Feb 2011 00:00:00 +0000

In 2010, there was broad acknowledgement that most of the endpoint protection deployed was more about passing PCI (yes, it’s still a requirement) than actually stopping attacks. Unfortunately, at the show we’ll continue to hear about all the advances happening in malware detection, and we’ll laugh again. The traditional signature-based model is broken, no matter how many clouds we see inserted into the mix. But with the AV cash cow continuing to moo uncontrollably, the industry will continue trying to convince customers to maintain their investments. So the real question is: who will show some type of innovation in terms of endpoint malware detection. Anyone? Anyone? Bueller? Bueller?

RSA Guide 2011: Virtualization and Cloud

Wed, 09 Feb 2011 00:00:00 +0000

2010 was a fascinating year for cloud computing and virtualization. VMWare locked down the VMSafe program, spurring acquisition of smaller vendors in the program with access to the special APIs. Cloud computing security moved from hype to hyper-hype at the same time some seriously interesting security tools hit the market. Despite all the confusion, there was a heck of a lot of progress and growing clarity. And not all of it was from the keyboard of Chris Hoff.

React Faster and Better: Contain and Respond

Tue, 08 Feb 2011 00:00:00 +0000

In our last post, we covered the first level of incident response: validating and filtering the initial alert. When that alert triggers and your frontline personnel analyze the incident, they’ll either handle it on the spot or gather essential data and send it up the chain.

RSA Guide 2011: Data Security

Tue, 08 Feb 2011 00:00:00 +0000

As someone who has covered data security for nearly a decade, some days I wonder if I should send Bradley Manning, Julian Assange, whoever wrote the HITECH act, and the Chinese hacker community a personal note of gratitude. If the first wave of data security was driven by breach disclosure laws and a mixture of lost laptops and criminal exploits, this second wave is all about stopping leaks and keeping your pants on in public. This year I’ve seen more serious interest in large enterprises to protect more than merely credit card numbers than ever before. We also see PCI and the HITECH act (in healthcare) pushing greater investment in data security down to the mid-market. And while the technology is still far from perfect, it’s definitely maturing along nicely.

RSA Guide 2011: Email/Web (Content) Security

Tue, 08 Feb 2011 00:00:00 +0000

Global Threats. APT. Botnets. Infected Web Pages. Grannies with shotguns. We expect to see anything and everything it takes for vendors to get your attention, including never before seen awards and security metrics. Some ask “Why the hype?” The value of content security — both inbound filtering to prevent unwanted garbage from coming into the network, as well as detection of unwanted activity like surfing for porn or sending company secrets to your cousin as investment advice — is proven. All the major players and most mid-tier providers have closed the major holes in their products, provide unified management for all functions, and offer some type of SaaS service. The technology works. The problem is that the segment is both mature and saturated. To earn a new customer, a vendor must steal one from a competitor. Growing revenue means convincing customers they need a new service. It is increasingly difficult to differentiate the top tier from the mid-tier players, so that noise you hear is vendors trying to find an edge. For the most part, the vendors offer quality services at a price point that continues to drop with reduced cost cloud and SaaS based offerings. But you can’t blame the vendors from trying to “one up” the competition in a crowded market.

RSA Guide 2011: Key Themes

Tue, 08 Feb 2011 00:00:00 +0000

OMG, it’s 6 days and counting to the 2011 RSA Conference. Yes, they moved the schedule up a few months, so you now can look forward to spending Valentine’s Day with cretins like us, as opposed to your loved ones. Send thank-you notes to…

RSA Guide 2011: Network Security

Tue, 08 Feb 2011 00:00:00 +0000

2010 was an interesting year for the network security space. There has been a resurgence in interest and budget projections for spending, largely for perimeter security. Part of this is a loosening of the budget purse strings, which is allowing frustrated network security folks to actually start dreaming about upgrading their perimeters. So there will be plenty of vendors positioning to benefit from the wave of 2011 spending.

React Faster and Better: Kicking off a Response

Mon, 07 Feb 2011 00:00:00 +0000

Everyone’s process is a bit different, but through our research we have found that the best teams tend to gear themselves through three general levels of response, each staffed with increasing expertise. Once the alert triggers, your goal is to filter out the day-to-day crud junior staffers are fully capable of handling, while escalating the most serious incidents through the response levels as quickly as possible. Having a killer investigation team doesn’t do any good if an incident never reaches them, or if their time is wasted on the daily detritus that can be easily handled by junior folks.

The Analyst’s Dillema: Not Everything Sucks

Mon, 07 Feb 2011 00:00:00 +0000

There’s something I have always struggled with as an analyst. Because of the, shall we say, ‘aggressiveness’ of today’s markets and marketers, most of us in the analyst world are extremely cautious about ever saying anything positive about any vendors. This frequently extends to entire classes of technology, because we worry it will be misused or taken out of context to promote a particular product or company. Or, as every technology is complex and no blanket statement can possibly account for everyone’s individual circumstances, that someone will misinterpret what we say and get pissed it doesn’t work for them.

Why You Should Delete Your Twitter DMs, and How to Do It

Mon, 07 Feb 2011 00:00:00 +0000

I’ve been on Twitter for a few years now, and over that time I’ve watched not only its mass adoption, but also how people changed their communication habits. One of the most unexpected changes (for me) is how many people now use Twitter Direct Messages as instant messaging.

Friday Summary: February 4, 2011

Thu, 03 Feb 2011 00:00:00 +0000

My wife says to me, “I seem to be getting your junk mail. Somebody just sent me Data Security Quiz results.” I have no idea what she means, so she forwarded me the email from the National Information Security Assocation (NISA). I confess that I had never heard of this organization before, and I really don’t know what they do. Apparently they quizzed a number of real estate agents and brokers around the country to find out how much they knew about data security. The results were emailed as a way of educating real estate professionals at large. Color me shocked. Actually, I thought the questions were pretty good to be asking for sales people. The Q&A was as follows:

Good Programming Practices vs. Rugged Development

Thu, 03 Feb 2011 00:00:00 +0000

I had a long chat with Josh Corman yesterday afternoon about Rugged, especially as it applies to software development. I know this will be a continuing topic at the RSA conference, and we are both looking forward to a series of brainstorming sessions on the subject. One aspect that intrigues both of us is the overlap between Agile and Rugged as conceptual frameworks for guding developer decisions. I though this was important enough to blog up prior to the conference. The discussion went something like this:

You Made Your Bed, Now Sleep in It

Thu, 03 Feb 2011 00:00:00 +0000

Twitter exploded last night with news that the self-proclaimed world’s #1 hacker’s email and Twitter accounts were compromised. Personally, the amount of time that good people spend feeding that troll annoys me. Which is why I’m not mentioning his name. Why give him any more SEO points for acting poorly? Since the beginning of time there have been charlatans, shysters, and frauds; this guy is no different. Major media outlets are too dumb and lazy to do the work required to vet their experts , so they respond to his consistent PR efforts. Whatever.

Incite 2/2/2011: The End of Anonymity

Wed, 02 Feb 2011 00:00:00 +0000

“Hi Mike, how are you this morning?” When I heard those words I instinctively checked over my shoulder, since no one really calls me by name in any of the coffee and bagel shops I frequent. And that is intentional. I like to be the nondescript guy who may look familiar, but you don’t know from where. I don’t do small talk, and if I’m in a very good mood, maybe you’ll get a smirk. Other than that, I’m just the guy with his head down, inhaling coffee, and banging away at his Mac.

Friday Summary: January 28, 2011

Thu, 27 Jan 2011 00:00:00 +0000

At Cal, even though my major was software, I had to take several electronics courses. When I got to college I had programming experience, but not the first clue about electronics. Resistors, LEDs, logic gates, karnaugh maps, and EPROMs were well outside my understanding. But within the first few weeks of classes they had us building digital alarm clocks and television remote controls from scatch. The first iterations were all resistors on breadboards, then we moved to chips and EEPROMs… which certainly made the breadboards neater. Things got much more complex a couple semesters in, when we had to design and implement CPUs – and the design not only had to work , but it actually had to meet design specifications for low power, low chip count, and high clock rates. Regardless, I loved the hardware classes, and I gave serious consideration to changing my major from software to hardware. But that pretty well died when I left college.

Intel’s Red Herring

Thu, 27 Jan 2011 00:00:00 +0000

It’s time for a good old fashion beatdown. Personally I’m working hard on not overreacting to stuff and letting most annoyances (which would normally set me off) pass on by. But sometimes, you know, a purge is required. It kind of reminds me of that great scene in 48 Hours, where Nick Nolte tells Eddie Murphy to be cool when they enter a bar to question someone. Nolte then proceeds to tear the place apart and when Murphy says “I thought you said to be cool,” the response is “That was cool.” Sometimes it’s cool to swing the clue bat.

Incite 1/25/2011: The Real-Time Peanut Gallery

Wed, 26 Jan 2011 00:00:00 +0000

For those of you who are not American Football fans, we’re in the middle of the playoffs over here. Teams work all year to get into the tournament and secure a high seeding. And of course the best laid plans sometimes end up at the wrong end of a blowout (yes, ATL Falcons, I’m talking about you). This past week’s NFC Championship provided a lot more drama than in the past, and not because it was a competitive, exciting game.

Microsoft, Oracle, or Other

Wed, 26 Jan 2011 00:00:00 +0000

I ran across Robin Harris’s analysis of the Hyder transaction database research project, and his subsequent analysis on how Microsoft could threaten Oracle in the data center on his ZDNet blog. Mr. Harris is raising the issue of disruption in the database market, a topic I have covered in my Dark Reading posts, but he is also pointing out how he thinks this could erode Oracle’s position in the data center. I think looking at Hyder and like databases as disruptive is spot on, but I think the effects Mr. Harris outlines are off the mark. They both miss the current trends I am witnessing and seem to be couched in the traditional enterprise datacenter mind set.

React Faster and Better: Organizing for Response

Wed, 26 Jan 2011 00:00:00 +0000

Now that we have a sense of what data to focus on at the beginning of an incident, it’s time to start digging into the response and investigations process itself and talk specifically about what they entail. In larger enterprises, organizing the response process and teams can be extremely complex, due both to the volume of incidents and the complexity of the organizational structure (politics). Some teams align with business units, others with tools, and yet others are centralized.

Register for Our Cloud Security Training Class at RSA

Wed, 26 Jan 2011 00:00:00 +0000

As we previously mentioned, we will teach the very first CSA Cloud Computing Security Knowledge (Enhanced) class the Sunday before RSA. We finally have some more details and the registration link.

Rich at Macworld

Mon, 24 Jan 2011 00:00:00 +0000

Just a quick note that I’m speaking at the Macworld conference this Friday in San Francisco on iOS security.

This is one of the few times I get to talk about basics with a completely-consumer audience. Last year was my first time speaking (after attending for a few years), and you can’t spend any time there and still believe the stupid “Mac users think they are invulnerable and don’t care about security” meme.

The Greenfield Project: How would you start over?

Mon, 24 Jan 2011 00:00:00 +0000

Some days I wish I was a screenwriter. There, nothing is out of bounds. Physics? Bah. Logic? Who needs that? How cool was it that the writers of Dallas (the show, not the city) decided to take a mulligan… on an entire season? Pretty cool, I’d say.

Friday Summary: January 21, 2010

Fri, 21 Jan 2011 00:00:00 +0000

Quick note: Don’t forget toRSVP to the RSA Disaster Recovery Breakfast, and sign up for the Inagural Cloud Security Alliance training class we are building & running.

Dueling Security Reports: Cisco vs. Intego

Thu, 20 Jan 2011 00:00:00 +0000

Today, within a few minutes of each other, I read the latest 2010 security reports from Cisco and Intego. The Cisco report is very broad, while the Intego report is Mac specific. They really highlight the reality vs. hyperbole problem we often see in threat reports.

The Appearance Myth

Thu, 20 Jan 2011 00:00:00 +0000

You can always tell whether you are at a hacker con or a corporate-oriented conference in our business. The hacker cons have plenty of tattoos, piercings, fringe hairstyles, and the like. In fact, I’m usually more concerned that folks will think I’m a narc because I have none of the above. But this brings me around to the idea of appearance and its impact on your career.

Advanced Persistent Threat (APT) Defeated by Marketure

Wed, 19 Jan 2011 00:00:00 +0000

Washington, D.C.

Officials today revealed that the “Advanced Persistent Threat” (APT) has been completely defeated by vendor marketure, analyst/pundit tweets, and PowerPoint presentations.

Incite 1/19/2011: Posturing Alpha Males

Tue, 18 Jan 2011 00:00:00 +0000

One of the terms you’ll likely hear at RSA this year is security posture. Along with “situational awareness” and other terms which refer to your ability to understand if you are under attack and how your defenses are positioned to protect your assets. But I’m fascinated by the psychology of posturing, because we see that kind of behavior every single day.

SMB isn’t ready for disaster. Are you?

Tue, 18 Jan 2011 00:00:00 +0000

You all know how much I like surveys. But I tend to think surveys targeted at SMB tend to be a little closer to reality, especially ones with 1,000+ responses. Our Big Yellow pals recently did a Disaster Preparedness Survey of 1,800+ small businesses, and the news isn’t very good, but not unexpected either. Here are a few soundbites:

Fighting the Good Fight

Mon, 17 Jan 2011 00:00:00 +0000

Here in the US, today is Martin Luther King, Jr. Day. For many this means a day off. For others it’s a continued call to arms to right the injustice we see. For me, it’s a reminder. A reminder of how one person’s efforts can make a difference against unsurmountable odds. How passion, focus, and a refusal to fail can change the world. Not overnight and not without setbacks, personal sacrifices, and a lot of angst. But it can be done.

The 2011 Securosis Disaster Recovery Breakfast

Mon, 17 Jan 2011 00:00:00 +0000

The RSA Conference is just around the corner, and you know what that means.

Pain.

Pain in your head, and likely a sick feeling in your stomach. All induced by an inability to restrain your consumption when surrounded by oodles of fellow security geeks and free drinks.

Friday Summary, January 14, 2011

Fri, 14 Jan 2011 00:00:00 +0000

Apparently I got out of New York just in time. The entire eastern seaboard got “Snowmageddon II, the Blanketing” a few hours after I left. Despite a four-legged return flight, I did actually make it back to Phoenix. And Phoenix was just about the only place in the US where it was not snowing, as I heard there was snow in 48 states simultaneously.

Funding Security and Playing God

Thu, 13 Jan 2011 00:00:00 +0000

I was reading shrdlu’s post on Connecting the risk dots over on the Layer 8 blog. I thought the point of contention was how to measure cost savings. Going back and reading the comments, that’s not it at all.

Incite 1/12/2011: Trapped

Wed, 12 Jan 2011 00:00:00 +0000

I enjoy living in the South (of the US). I’m far enough North that we get seasons. But far enough South to not really be subjected to severe winter weather. It’s kind of like porridge in the story of the 3 bears. Living in ATL is just right for me. Usually.

What Do You Want to See in the First Cloud Security Alliance Training Course?

Wed, 12 Jan 2011 00:00:00 +0000

It leaked a bit over Twitter, but we are pretty excited that we hooked up with the Cloud Security Alliance to develop their first training courses. Better yet, we’re allowed to talk about it and solicit your input.

Friday Summary: January 7, 2011

Fri, 07 Jan 2011 00:00:00 +0000

Compliance and security have hit the big time, and I have the proof.

Okay: all of us who live, eat, and breathe security already know that compliance is a big deal and a pain in the ass – but it isn’t as if “normal” people ever pay attention, right? Other than CEOs and folks who have to pay for our audits, right? And according to the meme that’s been circulating since I started in the business, no one actually cares about security until they’ve been hit, right?

Marketing Skills for Security Wonks: Leveraging Elmer FUDd

Fri, 07 Jan 2011 00:00:00 +0000

At the risk of having Rich yell at me again (like he did early last year) because I’m writing too much high-level stuff, let’s get back to a key soft skill of being a security manager. It’s not like we got a lot better at that in 2010, right? I talked about motivating your team earlier this week, so now let’s turn to marketing and sales. Right – you are a security guy/gal, what do you need to know about sales?

Mobile Device Security: 5 Tactics to Protect Those Buggers

Fri, 07 Jan 2011 00:00:00 +0000

In this series we’ve tackled the threats these new handheld computers mobile devices present, as well as how we need to deal with folks culturally when they demand access to sensitive corporate information on mobile devices. As we wrap up this short series on mobile device security, let’s jump in and talk about a few things we can do to protect these devices.

BSIMM meets Joe the Programmer

Thu, 06 Jan 2011 00:00:00 +0000

I always read Gary McGraw’s research on BSIMM. He posts plenty of very interesting data there, and we generally have so little good intelligence on secure code development that these reports are refreshing. His most recent post with Sammy Migues on Driving Efficiency and Effectiveness in Software Security raises some interesting questions, especially around the use of pen testing. The questions of where and how to best deploy resources are questions every development team has, and I enjoyed his entire analysis of the results of different methods of resource allocation.

Incite 1/5/2011: It’s a Smaller World, after All

Wed, 05 Jan 2011 00:00:00 +0000

I’m happy to say the holiday season was pretty eventful for the Boss and her family. Her brother (and his wife) welcomed twin boys into the world right after Xmas. The whole process of creating life still astounds, and the idea of two at a time boggles the mind – even if you’ve been through it. Turns out we were up North when the new guys showed up (a week early), so we got to meet them in person. We live 600 miles apart, so that was an unexpected bonus.

Mobile Device Security: Saying no without saying no

Wed, 05 Jan 2011 00:00:00 +0000

As we discussed in our first Mobile Device Security post (I can haz your mobile), supporting smartphones isn’t really an choice. You aren’t going to tell your CEO or any other exec 5-6 pay grades above you that they can’t use their iPad to access the deal documents on that multi-billion dollar acquisition. You know it’s much easier to read an iPad on the can, than to lug the laptop around when taking care of business, right?

React Faster and Better: Initial Incident Data

Wed, 05 Jan 2011 00:00:00 +0000

In New Data for New Attacks we discussed why there is usually too much data early in the process. Then we talked about leveraging the right data to alert and trigger the investigative process. But once the incident response process kicks in too much data is rarely the problem, so now let’s dig deeper into the most useful data for the initial stages of incident response. At this early stage, when we don’t yet know what we are dealing with, it’s all about triaging the problem. That usually means confirming the issue with additional data sources and helping to isolate the root cause.

HP(en!s) Envy: Dell Buys SecureWorks

Tue, 04 Jan 2011 00:00:00 +0000

Well, it didn’t take long to see the bankers and lawyers stayed busy over the holidays. Dell announced they are acquiring SecureWorks, the MSSP, for an undisclosed sum. Yeah, you are probably thinking the same thing I did initially. Dell? WTF?

Motivational Skills for Security Wonks: 2011 Edition

Tue, 04 Jan 2011 00:00:00 +0000

Ah yes, 2011 is here. A new year, which means it’s time to put into action all of those wonderful plans you’ve been percolating over the holidays. Oh, you don’t have plans, besides getting through the day, that is? I get that. The truth is things aren’t likely to be better in 2011 – probably not even tolerable. But we persevere because that’s what we do, although a lot of folks (including AndyITGuy, among others) continue talking burnout risk. And that means we have to refocus.

The Evolving Role of Vulnerability Assessment and Penetration Testing in Web Application Security

Tue, 04 Jan 2011 00:00:00 +0000

Yesterday I got involved in an interesting Twitter discussion with Jeremiah Grossman, Chris Eng, Chris Wysopal, and Shrdlu that was inspired by Shrdlu’s post on application security over at Layer8. I sort of suck at 140 character responses, so I figured a blog post was in order.

Mobile Device Security: I can haz your mobile

Mon, 03 Jan 2011 00:00:00 +0000

As we start 2011, a friend pointed out that my endpoint research agenda (including much of my work on Positivity) is pretty PC platform focused. And relative to endpoint security that is on point. But the reality is that nowadays we cannot assume that our only threat vectors remain PC-like devices. Given that pretty much all the smart phones out there are as powerful as the computers I used 5 years ago, we need to factor in that mobile devices are the next frontier for badness.

Coming Soon…

Sun, 02 Jan 2011 00:00:00 +0000

Mr. Cranky Faces Reality

Wed, 29 Dec 2010 00:00:00 +0000

There are some mornings I should not be allowed to look at the Internet. Those days when I think someone peed in my cornflakes. The mornings when every single media release, blog post, and news item, looks like total BS. I think maybe they are just struggling for news during the holiday season, or maybe I am just unsually snarky. I don’t know. Today was one of those days. I was combing through my feed reader and ran across Brian Prince’s article, Database Security Reminder: Don’t Let Your Guard Down.

React Faster and Better Chugging along

Wed, 29 Dec 2010 00:00:00 +0000

As we described a while back, we have separated our heavier white paper research out into a complete feed, and slimmed down the main feed. But that means folks subscribing only to the main feed may miss some of the outstanding blog series we do.

React Faster and Better: Alerts & Triggers

Tue, 28 Dec 2010 00:00:00 +0000

In our last post New Data for New Attacks, we delved into the types of data we want to systematically collect, through both log record aggregation and full packet capture. As we’ve said many times, data isn’t the issue – it’s the lack of actionable information for prioritizing our efforts. That means we must more effectively automate analysis of this data and draw the proper conclusions about what is at risk and what isn’t.

Web Application Firewalls Really Work

Mon, 27 Dec 2010 00:00:00 +0000

A couple months ago I decided to finally dig in and see whether WAFs (Web Application Firewalls) are really useful, or merely another crappy shiny object we spend a lot of money on to get the auditors off our backs.

Friday Summary: December 24, 2010

Fri, 24 Dec 2010 00:00:00 +0000

It’s the holiday season and I should be taking some time off and relaxing, watching some movies and seeing friends. Sounds good. If only I had that ‘relax’ gene sequence I would probably be off having a good time rather than worrying about security on Giftmas eve. But here I am, reading George Hulme’s Threatpost article, 2011: What’s Your IT Security Plan?. I got to thinking about this. Should I wait to do security work for 2011? I mean, at your employer is one thing – who cares about those systems when there is eggnog and pumpkin pie? I’m talkin’ about your stuff! One point I make in the talks I give on software security is: don’t prioritize security out in favor of features when building code. And in this case, if I put off security in favor of fun, security won’t get done in 2011. So I went through the process of evaluating home computer and network security over the last couple days. I did the following:

Dealtime 2010: Remembering the Departed

Thu, 23 Dec 2010 00:00:00 +0000

As we approach Christmas time, quite a few folks will have gold bullion under their trees, courtesy of the security industry M&A machines. Of course, the investment bankers and lawyers had a banner year, but let’s also hear it for some fortunate entrepreneurs, their VCs, and even some public company shareholders who were able to share in the wealth this year.

Incite 12/22/2010: Resolution

Wed, 22 Dec 2010 00:00:00 +0000

Pretty much every year, I spend the winter holidays up north visiting the Boss’s family. I usually take that week and try to catch up on all the stuff I didn’t get done, working frantically on whatever will launch right when everyone returns from their December hangover. But as I have described here, I’m trying to evolve. I’m trying to take some time to smell the proverbial roses, and appreciate things a bit. I know, quite novel.

2011 Research Agenda: Quantum Cloudiness, Supervillan Shields, and No-BS Risk

Tue, 21 Dec 2010 00:00:00 +0000

In my last post I covered the more practical items on my research agenda for the coming year. Today I will focus more on pure research: these topics are a bit more out there and aren’t as focused on guiding immediate action. While this is a smaller percentage of where I spend my time, overall I think it’s more important in the big picture.

2011 Research Agenda: the Practical Bits

Mon, 20 Dec 2010 00:00:00 +0000

I always find it a bit of a challenge to fully plan out my research agenda for the coming year. Partly it’s due to being easily distracted, and partly my recognition that there are a lot of moving cogs I know will draw me in different directions over the coming year. This is best illustrated by the detritus of some blog series that never quite made it over the finish line.

NSA Assumes Security Is Compromised

Mon, 20 Dec 2010 00:00:00 +0000

I saw an interesting news item: the NSA has changed their mindset and approach to data security. Their new(?) posture is that Security Has Always Been Compromised. Debora Plunkett of the NSA’s “Information Assurance Directorate” stated:

React Faster and Better: New Data for New Attacks, Part 1

Mon, 20 Dec 2010 00:00:00 +0000

As we discussed in our last post on Critical Incident Response Gaps, we tend to gather too much of the wrong kinds of information, too early in the process. To clarify that a little bit, we are still fans of collecting as much data as you can, because once you miss the opportunity to collect something you’ll never get another chance. Our point is that there is a tendency to try to boil the ocean with analysis of all sorts of data. That causes failure and has plagued technologies like SIEM, because customers try to do too much too soon.

Quantum Unicorns

Fri, 17 Dec 2010 00:00:00 +0000

Apparently we are supposed to fear the supercomputer of the future. According to Computerworld, the clock is ticking on encryption. Yes, you guessed it, the mythical “quantum computer” technology is back in the news again, casting its shadow over encryption. It will make breaking encryption much, much easier.

Friday Summary: December 17, 2010

Thu, 16 Dec 2010 00:00:00 +0000

I think we can firmly declare December 2010 the Month of Pwnage.

Between WikiLeaks, Gawker, McDonalds, and Anonymous DDoS attacks, I’m not sure infosec has been in the news this much since the early days of big data breaches. Heck, I haven’t been in the news this much since I got involved with the Kaminsky DNS thing. To be honest, it’s a little refreshing to have a string of big stories that don’t involve Albert Gonzales.

Infrastructure Security Research Agenda 2011—Part 4: Egress and Endpoints

Thu, 16 Dec 2010 00:00:00 +0000

In the first three posts of my 2011 Research Agenda (Positivity, Posturing and RFAB, Vaulting and Assurance) I mostly talked about how we security folks need to protect our stuff from them. You know, outside attackers trying to reach our stuff. Now let’s move on to people on the inside. Although most of us prefer to focus on folks trying to break in, it’s also important to put some forethought into protecting people inside the perimeter. Whether an employee loses a device (and compromises data), clicks the wrong link (resulting in a compromised device and giving attackers a foothold on the internal network), or even maliciously tries to exfiltrate data (WikiLeaks, anyone?) all of these attack scenarios are very real.

React Faster and Better: Incident Response Gaps

Thu, 16 Dec 2010 00:00:00 +0000

In our introduction to this series we mentioned that the current practice of incident response isn’t up to dealing with the compromises and penetrations we see today. It isn’t that the incident response process itself is broken, but how companies implement response is the problem.

Research Agenda 2011: the Open Research Version

Thu, 16 Dec 2010 00:00:00 +0000

It’s time to post my research agenda for 2011. My long-winded Securosis compatriot has chosen a thematic approach to discussing coverage areas, and while it’s an excellent – and elegant – idea, I am getting lost amongst all of the elements presented. So unlike Mike, I won’t be presenting my coverage areas so artistically. Instead I will stick to a focus on the technology variants I hear customers askING about, as well as the trends I see within different sub-segments of the security industry.

Incite 12/15/2010: It’s not a sprint…

Wed, 15 Dec 2010 00:00:00 +0000

One of the issues of being a high achiever (at least in my own mind) is that you’re always in a rush. Half the time we don’t know where we’re going, but we need to get there fast. And it results in burn-out, grumpiness, and poor job performance – which is the worst thing for someone focused on achievement. A mentor of mine saw this tendency in me early on and imprinted a thought that I still think about often: “It’s not a sprint, Mike, it’s a marathon.” Man, those words speak the truth.

Infrastructure Security Research Agenda 2011—Part 3: Vaulting and Assurance

Wed, 15 Dec 2010 00:00:00 +0000

Getting back to our Infrastructure Security Research Agenda for 2011 (Part 1: Positivity, Part 2: Posturing and RFAB), let’s now turn our attention to two more areas of focus. The first is ‘vaulting’, a fancy way of talking about network segmentation with additional security controls based on what you are protecting. Then we’ll touch on assurance, another fancy term for testing your stuff.

Market Maturity and Security Competitive Advantage

Tue, 14 Dec 2010 00:00:00 +0000

One advantage of my background is that I’ve used and marketed/sold security products, as well as followed the industry for a long time, so I see patterns over and over again. But before I jump into that, you all need to head over to Lenny Zeltser’s blog. He’s doing a lot of writing, and given the general lameness of the rest of us security bloggers, it’s nice that we have a new victim thought leader to peruse.

Get over It

Mon, 13 Dec 2010 00:00:00 +0000

Over the weekend I glanced at Twitter and saw a bit of hand-wringing inspired by something going on at (I think) the Baythreat in California. This is something that’s been popping up quite a bit on Twitter and in blog posts for a while now. The core of the comments centered on the problem of educating the unwashed security masses, combined with the problems induced by a compliance mentality, and the general “they don’t understand” and “security is failing” memes.

Infrastructure Security Research Agenda 2011—Part 2: Posturing and Reacting Faster/Better

Mon, 13 Dec 2010 00:00:00 +0000

The first of my Infrastructure Security Research Agenda 2011 posts, introducing the concept of positivity, generated a lot of discussion. Not only attached to the blog post (though the comments there were quite good), but in daily discussions with members of our extended network. Which is what a research agenda is really for. It’s a way to throw some crap against the wall and see what sticks.

Quick Wins with DLP Webinar

Mon, 13 Dec 2010 00:00:00 +0000

Back in April I published a slightly different take on DLP: Low Hanging Fruit: Quick Wins with Data Loss Prevention. It was all about getting immediate value out of DLP while setting yourself up for a full deployment.

Friday Summary: December 10, 2010

Thu, 09 Dec 2010 00:00:00 +0000

The Securosis team is here in San Francisco, meeting with vendors and presenting at the TechTarget Data Protection event. Weather has been reasonable and the food was awesome. But since it’s been going non-stop since something like 3:00am to (What is it now? 11:01pm) – this summary will be a short one.

Where Are We? Nowhereville.

Thu, 09 Dec 2010 00:00:00 +0000

It’s been about 11 months since the first time I ever spoke with Joshua Corman. He had this idea for a Rugged Software movement and wanted some feedback. After he filled me in on the concept, I told him I thought it was a good idea, and told him I was in. A few weeks later the Rugged Manifesto was published. There were a flurry of blog posts, and a bunch of email discussions, which ended February this year. Since then, I have heard … crickets. New stuff on RuggedSoftware.org? No. OWASP? Nada. Twitter? Presentations? Chat groups? Pretty much not a damned thing.

Edge Tokenization

Wed, 08 Dec 2010 00:00:00 +0000

A couple months ago Akamai announced Edge Tokenization, a service to tokenize credit card numbers for online payments. The technology is not Akamai’s – it belongs to CyberSource, a Visa-owned payment processing company. I have been holding off on this post for a couple months in order to get a full briefing from CyberSource, but that is not currently happening, and this application of tokenization technology is worth talking about, so it’s time to forge ahead. I preface this by stating that I don’t write much about specific vendor announcements – I prefer to comment on trends within a specific industry. That’s largely because most product announcements are about smaller iterative improvements or full-blown puffy marketing doublespeak. To avoid being accused of being in somebody’s pocket, I avoid product announcements, except the rare cases that are important enough to demand discussion. A new deployment model for payment processing and tokenization qualifies.

Incite 12/8/2010: the Nutcracker

Wed, 08 Dec 2010 00:00:00 +0000

When I see the term ‘nutcracker’, I figure folks are talking about their significant others. There are times when the Boss takes on the role of my nutcracker, but usually I deserve it. At least that’s my story today because I’d rather not sleep in the doghouse for the rest of the year. But that’s not what I want to talk about. Let’s discuss the holiday show (and now movie) of the same name.

Infrastructure Security Research Agenda 2011—Part 1: Positivity

Wed, 08 Dec 2010 00:00:00 +0000

Ah yes, it’s that time of year. Time for predictions and pontification and soothsaying and all sorts of other year-end comedy. As I told the crowd at SecTOR, basically everyone is making sh*t up. Sure, some have somewhat educated opinions, but at the end of the day nobody knows what will kill us in 2011. Except for the certainty that it will be something. We just don’t know what that something will be.

My 2011 Security Predictions

Wed, 08 Dec 2010 00:00:00 +0000

Someone will predict a big cyberattack someplace that may or may not happen.
Someone will predict a big SCADA attack/failure someplace that probably won’t happen, but I suppose it’s still possible.
Someone will predict that Apple will do something big that enterprises won’t adopt, but then they will.
Someone will predict some tech will die, which is usually when a lot of people will buy it.
Most people will renew every security product currently in their environment no matter how well they works (or don’t).
Someone will predict that this time it’s really the year mobile attacks happen and steal everyone’s money and nekked photos off their phones. But it probably won’t happen, and if it does the press headlines will all talk about ‘iPhone’ even if it only affects Motorola StarTACs.
Vendors will scare customers into thinking 20 new regulations are right around the corner – all of which require their products.
There will be a lot of predictions with the words “social networking”, “2.0”, “consumerization”, “Justin Bieber”, and whatever else is trending on Twitter the day they write the predictions.
Any time there’s a major global event or disaster, I will receive at least 8 press releases from vendors claiming bad guys are using it for spam/phishing.
Some botnet will be the biggest.

And a bonus:

Speaking at NRF in January

Wed, 08 Dec 2010 00:00:00 +0000

I am presenting at the National Retail Federation’s 100th annual convention in January 2011. I’ll be talking about the past, present, and future of data security, and how new threats and technologies affect payment card security. I am co-presenting with Peter Engert, who is in charge of payment card acceptance at Rooms To Go furniture, and Robert McMillon of RSA. Robert works with RSA’s tokenization product and manages the First Data/RSA partnership. We’ll each give a small slide presentation on what we are seeing in the industry, then we’ll spend the latter half of the session answering questions on any payment security issues you have. The bad news is that the presentation is on Sunday at 10:00 AM, on the first full day of the conference. The good news is both my co-presenters are very sharp guys and I expect this to be a very entertaining session.

React Faster and Better: Introduction

Tue, 07 Dec 2010 00:00:00 +0000

One of the cool things about Securosis is its transparency. We develop all our research positions in the open through our blog, and that means at times we’re wrong. Wrong is such a harsh word, and one you won’t hear most analysts say. Of course, we aren’t like most analysts, and sometimes we need to recalibrate on a research project and recast the effort. Near the end of our Incident Response Fundamentals series, we realized we weren’t tracking with our project goals, so we split that off and get to start over.

RIP Marty Martian

Tue, 07 Dec 2010 00:00:00 +0000

OK, before you start leaving flowers and wreaths at Looney Toons HQ, our favorite animated Martian is not dead. But the product formerly known as Cisco MARS is. The end of life announcement hit last week, so after June of 2011 you won’t be able to buy MARS and support will ebb away over the next 3 years. Of course, this merely formalize what we’ve all known for a long time. The carcass is mostly decomposed by the time you get the death notice.

What Amazon AWS’s PCI Compliance Means to You

Tue, 07 Dec 2010 00:00:00 +0000

This morning Amazon announced that Amazon Web Services achieved PCI-DSS 2.0 Validated Service Provider compliance. This is both a very big deal, and no big deal at all. Here’s why:

Incident Response Fundamentals: Index of Posts

Mon, 06 Dec 2010 00:00:00 +0000

As we mentioned a few weeks ago, we are in the process of splitting out the heavy duty research we do for our blog series from the security industry tips and tactics. Here is a little explanation of why:

What Quantum Mechanics Teaches Us about Data Leaks

Mon, 06 Dec 2010 00:00:00 +0000

Thanks to some dude who looks like a James Bond villain and rents rack space in a nuclear bomb resistant underground cavern, combined with a foreign nation running the equivalent of a Hoover mated with a Xerox over the entire country, “data leaks” are back in the headlines.

Friday Summary: December 3, 2010

Thu, 02 Dec 2010 00:00:00 +0000

What a week.

Last Monday and Tuesday I was out meeting with clients and prospects and was totally psyched at all the cool opportunities coming up. I was a bit ragged on Wednesday, but figured it was the lack of sleep.

I can haz ur email list

Thu, 02 Dec 2010 00:00:00 +0000

We are a full disclosure shop here at Securosis. That means you get to see the good, the bad, and yes, the ugly too. We’ve been pretty up front about saying it was just a matter of time before our stuff got hacked. In fact, you can check out the last comment from this 2007 post, where Rich basically says so. Not that we are a high profile target or anything, but it happens to everyone at some point or another.

Are You off the Grid?

Wed, 01 Dec 2010 00:00:00 +0000

I got email from friends this week about a web site that creeped them out. It’s called Spokeo, and it provides a Google-like search on personal information. Rather than creeped out, I was fascinated. Not to look for other people, but to see what the search found for me. I hate mentioning it as I am not endorsing the web site or service, but I can’t help my fascination at seeing what personal data has been collected and aggregated on me. I actually have a larger Internet fingerprint than I expected!

Incite 12/1/10: Pay It Forward

Wed, 01 Dec 2010 00:00:00 +0000

I used to be a real TV head. Before the kids showed up, the Boss and I would spend a good deal of every Saturday watching the 5 or 10 shows we recorded on the VCR (old school, baby). Comedies, dramas, the whole ball of wax. Then priorities shifted and I had less and less time for TV. The Boss still watches a few shows, but I’m usually along for the ride, catching up on my reading while some drivel is on the boob tube (Praise iPad!).

Grovel for Budget Time

Tue, 30 Nov 2010 00:00:00 +0000

One of the concepts I use in my Pragmatic CSO material is a Day in the Life of a CISO. There are lots of firefighting and other assorted activities. I usually get a big laugh when I get to the part about groveling to the CIO and CFO for budget. Yes, I call it like I see it. But after seeing a post on budgeting by Ed Moyle from before Thanksgiving, I think it’s time to dig a bit deeper.

Holiday Shopping and Security Theater

Tue, 30 Nov 2010 00:00:00 +0000

This is usually the time of year I write a how-to article on safe seasonal shopping. And some of it is the usual generic advice – use a credit card, don’t click email links, use merchants you trust, etc. – but I like to include specific advice to deal with new seasonal threats. Wading into the deluge of threat warnings about Black Friday shopping schemes this year, I found mostly noise. There are plenty of real attacks consumers should be worried about, but many which aren’t worth the attention. And every article seems to have a particular agenda. For example, I have a hard time believing SMS banking scams are a real threat to holiday shoppers, in the same way I can’t imagine someone falling for a Nigerian banking scam or turning off their refrigerator because of a crank call. Some are so targeted at a small group, the news is only interesting to the most dedicated security researchers. Others attacks combine good old fashioned fraud with a few Search Engine Optimization shenanigans to game the system, causing a lot of people grief, but persist until law enforcement makes then a priority to investigate. Of the dozens of articles out there, they all seemed to feed the security theater, making it much harder to know what’s a real threat and what’s not.

Ranum’s Right, for the Wrong Reasons

Mon, 29 Nov 2010 00:00:00 +0000

Information Security Magazine’s November issue is available. In it is an interesting rehash of the security monoculture debate between Bruce Schneier and Marcus Ranum some 8 years ago. Basically the hypothesis was that if all your software is provided by one vendor, a single security vulnerability means everyone is vulnerable. The result is a worldwide cascade of failures. The term “domino effect” was thrown around to describe what would happen.

Incident Response Fundamentals: Phasing It in

Fri, 26 Nov 2010 00:00:00 +0000

You may have noticed we’ve renamed the React Faster and Better series to Incident Response Fundamentals. Securosis shows you how the security research sausage gets made, and sometimes it’s messy. We started RFAB with the idea that it would focus on advanced incident response tactics and the like. As we started writing, it was clear we first had to document the fundamentals. We tried to do both in the series, but it didn’t work out. So Rich and I re-calibrated and decided to break RFAB up into two distinct series.

Incite 11/24/2010: Fan Appreciation

Wed, 24 Nov 2010 00:00:00 +0000

Though I have tailed off a bit from my ridiculous pace of two years ago, I still go see a lot of live music. Although many of these acts make a mint, it’s not an easy life. I can only imagine how difficult it is to be on the road for months at a time. It’s hard enough for me, and I’m only gone one or two nights at a time. Though it’s not like I’m staying at the Ritz every night (don’t tell Rich I’m staying at the Ritz, okay?).

Availability and Assumptions

Tue, 23 Nov 2010 00:00:00 +0000

Skipped out of town for a much needed vacation Friday, and spent the weekend in a very remote section of desert. I spent my time hiking to the top of several peaks and overlooking vast areas of uninhabited country. I rode quads, wandered around a perfectly intact 100 year old mine shaft, did some target practice with a new rifle, built giant bonfires, and sat around BSing with friends. A total departure from everyday life. So I was in a semi-euphoric state, and trying to ease my way back into work. I was not planning on delving into complex security philosophy and splitting semantic hairs. But here I am … talking about Quantum Datum.

I Am T-Comply

Tue, 23 Nov 2010 00:00:00 +0000

As we all get ready for the turkey-induced food coma awaiting us Yanks in two days, let me expand a bit on an incomplete thought put forth by the Hoff. His Cloudiness wonders aloud if Compliance is the Autotune of the Security Industry.

Meatspace Phishing Encounter

Tue, 23 Nov 2010 00:00:00 +0000

I had an insanely early flight this morning for some client work in the Bay Area, so last night I hopped out to fill up on gas and grab some pizza for family movie night (The Muppets Take Manhattan, in case you were wondering).

Cash, Coke & Stuxnet: an Alternative Perspective

Mon, 22 Nov 2010 00:00:00 +0000

Now that the media has feasted on the Stuxnet carcass, it gives me a moment of pause. What of a different perspective? I know – madness, right? But seriously, we have seen the media in a lather over this story for some time now. Let’s be honest – to someone who has worked in the SCADA community, this really is nothing new. It’s just one incident that happened to come to light.

Counterpoint: Availability Is Job #1

Mon, 22 Nov 2010 00:00:00 +0000

Rich makes the case that A Is Not for Availability in this week’s FireStarter. Basically his thinking is that the A in the CIA triad needs to be attribution , rather than availability. At least when thinking about security information (as opposed to infrastructure). Turns out that was a rather controversial position within the Securosis band.

Firestarter: A Is Not for Availability

Mon, 22 Nov 2010 00:00:00 +0000

It’s drilled into us as soon as we first cut our help-desk umbilical cords and don our information security diapers:

Criminal Key Management Fail

Fri, 19 Nov 2010 00:00:00 +0000

Lin Mun Poo of Malaysia sounds like a pretty bad-ass criminal hacker. He cracked into the Federal Reserve, and snagged hundreds of thousands of card numbers from a bank in Cleveland. But perhaps his intellectual skills don’t extend quite as far as they should for criminal survival.

No More Flat Networks

Fri, 19 Nov 2010 00:00:00 +0000

As I continue working through the nuances of my 2011 research agenda, I’ve been throwing trial balloons at anyone and everyone I can. I posted an initial concept I called Vaults within Vaults and got some decent feedback. At this point, I’ve got a working concept for the philosophies we’ll need to embrace to stand a chance moving forward.

Friday Summary: November 19, 2010

Thu, 18 Nov 2010 00:00:00 +0000

I got distracted by email. The Friday Summary was going to be about columnar databases. I think. Maybe it’s the flu I have had all week, or my memory is going, or just perhaps the subject was not all that interesting to begin with. But the email that distracted me was kind of funny and kinda sad. A former friend and co-worker contacted me for the first time is something like 10 years. Out of the blue.

Datum Entanglement

Wed, 17 Nov 2010 00:00:00 +0000

I’m hanging out in the Red Carpet Club at the Orlando airport, waiting to head home from the Cloud Security Alliance Congress. Yesterday Chris Hoff and I presented a three part series – first our joint presentation on disruptive innovation and cloud computing (WINnovation), then his awesome presentation on cloud computing infrastructure security issues (and more: Cloudinomicon), and finally Quantum Datum, my session on information-centric security for cloud computing.

Incite 11/17/2010: Hitting for Average

Wed, 17 Nov 2010 00:00:00 +0000

We all need some way to measure ourselves. Are we doing better? Worse? Are we winning or losing? What game are we playing again? It’s all about this mentality of needing to beat the average.

Rethinking Security

Mon, 15 Nov 2010 00:00:00 +0000

Security is broken. Captain Obvious here. We all know that but it doesn’t really help, does it? I came across a good post by Bobby Dominguez, who I met through Shimmy (but I won’t hold that against Bobby), which talks about rethinking security. To provide the proper context check out this excerpt, which beautifully highlights our futility:

Incident Response Fundamentals: Mop up, Analyze, and QA

Fri, 12 Nov 2010 00:00:00 +0000

You did well. You followed your incident response plan and the fire is out. Too bad that was the easy part, and you now get to start the long journey from ending a crisis all the way back to normal. If we get back to our before, during, and after segmentation, this is the ‘after’ part.

What You Need to Know about DLP for PCI 2.0

Fri, 12 Nov 2010 00:00:00 +0000

As I mentioned in my PCI 2.0 post, one of the new version’s most significant changes is that organizations now must not only confirm that they know where all their cardholder data is, but document how they know this and keep it up to date between assessments.

Friday Summary: November 11, 2010

Thu, 11 Nov 2010 00:00:00 +0000

When we came up with the Friday Summary, the idea was we’d share something personal that was either humorous or relevant to security, then highlight our content from the week, the best thing’s we read on other sites, and any major industry news. The question is always where to draw the line on the personal stuff. I mean, it isn’t like this is Twitter.

Incite 11/10/2010: Hallowreck (My Diet)

Wed, 10 Nov 2010 00:00:00 +0000

I fancy myself to have significant willpower. I self-motivate to work out pretty religiously, and in the blink of an eye gave up meat two and a half years ago – cold turkey (no pun intended). But I’m no superhero – in fact over the past few weeks I’ve been abnormally human. You see I have a weakness for chips. Well I actually have a number of food weaknesses, but chips are close to the top of the list. And it’s not like a few potato chips or tortilla chips will kill me in moderation. But that’s the rub – I don’t do ‘moderation’ very well.

LinkedIn Password Reset FAIL

Wed, 10 Nov 2010 00:00:00 +0000

It’s never a good day when you lose control over a significant account. First, it goes to show that none of us are perfect and we can all be pwned as a matter of course, regardless of how careful we are. This story has a reasonably happy ending, but there are still important lessons.

Incident Response Fundamentals: Contain, Investigate, and Mitigate

Tue, 09 Nov 2010 00:00:00 +0000

In our last post, we covered the first steps of incident response – the trigger, escalation, and size up. Today we’re going to move on to the next three steps – containment, investigation, and mitigation.

MS Atlanta: Protection Is Not Security

Tue, 09 Nov 2010 00:00:00 +0000

Microsoft has announced the beta release of something called Microsoft Codename “Atlanta”, which is being described as a “Cloud-Based SQL Server Monitoring tool”. Atlanta is deployed as an agent that embeds into SQL Server 2008 databases and sends telemetry information back to the Microsoft ‘cloud’ on your behalf. This data is analyzed and compared against a set of configuration policies, generating alerts when Microsoft discovers database misconfiguration.

PCI 2.0: the Quicken of Security Standards

Tue, 09 Nov 2010 00:00:00 +0000

A long time ago I tried to be one of those Quicken folks who track all their income and spending. I loved all the pretty spreadsheets, but given my income at the time it was more depressing than useful. I don’t need a bar graph to tell me that I’m out of beer money.

Baa Baa Blacksheep

Mon, 08 Nov 2010 00:00:00 +0000

Action and reaction. They have been the way of the world since olden times, and it looks like they will continue ad infinitum. Certainly they are the way of information security practice. We all make our living from the action/reaction cycle, so I guess I shouldn’t bitch too much. But it’s just wrong, though we seem powerless to stop it.

Incident Response Fundamentals: Trigger, Escalate, and Size up

Mon, 08 Nov 2010 00:00:00 +0000

Okay, your incident response process is in place, you have a team, and you are hanging out in the security operations center, watching for Bad Things to happen. Then, surprise surprise, an alert triggers: what’s next?

Friday Summary: November 5, 2010

Fri, 05 Nov 2010 00:00:00 +0000

November already. Time to clean up the house before seasonal guests arrive. Part of my list of tasks is throwing away magazines. Lots of magazines. For whatever perverse reason, I got free subscriptions to all sorts of security and technology magazines. CIO Insight. Baseline. CSO. Information Week. Dr. Dobbs. Computer XYZ and whatever else was available. They are sitting around unread so it’s time to get rid of them. While I was at it I got rid of all the virtual subscriptions to electronic magazines as well. I still read Information Security Magazine, but I download that, and only because I know most of the people who write for it. For the first time since I entered the profession there will be no science, technology, or security magazines – paper or otherwise – coming to my door.

Security Metrics: Do Something

Fri, 05 Nov 2010 00:00:00 +0000

I was pleased to see the next version of the Center for Internet Security’s Consensus Security Metrics earlier this week. Even after some groundbreaking work in this area in terms of building a metrics program and visualizing the data, most practitioners still can’t answer the simple question: “How good are you at security?”

Download the Securosis 2010 Data Security Survey Report (and Raw Data!)

Thu, 04 Nov 2010 00:00:00 +0000

Guess what? Back in September we promised to release both the full Data Security Survey results and the raw data, and today is the day.

Please Read: Major Change to the Securosis Feeds

Thu, 04 Nov 2010 00:00:00 +0000

For those of you who don’t want to read the full post, we’re changing our feeds.Click here to subscribe to the new feed with all the content you are used to. Our existing blog feed will include ‘highlights’ only as of next week.

Storytellers

Thu, 04 Nov 2010 00:00:00 +0000

Last week I was in Toronto, speaking at the SecTor conference. My remote hypnotic trance must have worked, because they gave me a lunch keynote and let me loose on a crowd of a couple hundred Canucks stuffing their faces. Of course, not having anything interesting to say myself, I hijacked one of Rich’s presentations called “Involuntary Case Studies in Data Breaches.” It’s basically a great history of data breaches, including some data about what went wrong and what folks are doing now. The idea is to learn from our mistakes and take some lessons from other folks’ pain. You know, the definition of a genius: someone who learns from other people’s mishaps.

The Question of Agile’s Success

Thu, 04 Nov 2010 00:00:00 +0000

10 years since the creation of the Manifesto for Agile Software Development, Paul Krill of Developer World asks: Did it deliver? Unfortunately I don’t think he adequately answered the question in his article. So let me say that the answer is an emphatic “Yes”, as it has provided several templates and tools for solving problems with people and process. And it has to be judged a success because it has provided a means to conquer problems other development methodologies could not.

Incident Response Fundamentals: Before the Attack

Wed, 03 Nov 2010 00:00:00 +0000

We spent the first few posts in this series on understanding what our data collection infrastructure should look like and how we need to organize our incident response capability in terms of incident command, roles and organizational structure and Response Infrastructure. Now we’ll turn to getting ready to detect an attack. It turns out many of your operational activities are critical to incident response, and this post is about providing the context to show why.

Incite 11/3/2010: 10 Years Gone

Wed, 03 Nov 2010 00:00:00 +0000

A decade seems like a lifetime. And in the case of XX1 it is. You see I’m a little nostalgic this week because on Monday XX1 turned 10. I guess I could confuse her and say “XX1 turns X,” mixing metaphors and throwing some pre-algebraic confusion in for good measure – but that wouldn’t be any fun. For her – it would be plenty fun for me. 10 years. Wow. You see, I don’t notice my age. I passed 40 a few years back and noticed that my liver’s ability to deal with massive amounts of drink and my hair color seemed to be the only outward signs of aging. But to have a 10 year old kid? I guess I’m not a spring chicken anymore.

Cool Sidejacking Security Scorecard (and a MobileMe Update)

Tue, 02 Nov 2010 00:00:00 +0000

First, for our non-technical readers who want to know more about this Firesheep/sidejacking thing, check out my relatively non-geeky article over at TidBITS.

Incident Response Fundamentals: Response Infrastructure and Preparatory Steps

Tue, 02 Nov 2010 00:00:00 +0000

In our last post we covered organizational structure options for incident response. Aside from the right org structure and incident response process, it’s important to have a few infrastructure pieces (tools) in place, and take some preparatory steps ahead of time. As with all our recommendations in this series, remember that one size doesn’t fit all, and those of you in smaller companies will probably skip some of the tools or not need some of the prep steps.

White Paper Release: Monitoring up the Stack

Tue, 02 Nov 2010 00:00:00 +0000

Yep, another white paper is in the can. As you all know, we turn a lot of the research we post on the blog into comprehensive white papers after we gather feedback from the community on our research. You may remember the Monitoring up the Stack series Adrian and Gunnar drove last month, which has now been packaged, edited, and (with the help of our editor Chris Pepper) turned into English.

IBM Dances with Fortinet—Maybe…

Mon, 01 Nov 2010 00:00:00 +0000

Ah, the investment bankers are circling again. Late Friday rumors started circulating about IBM discussions of acquiring Fortinet. With a weekend to stew and the gap open for Fortinet stock, it makes sense to think about what a potential deal means, right?

SQL Azure and 3 Pieces of Flair

Mon, 01 Nov 2010 00:00:00 +0000

I have very little social life, so I spent my weekend researching trends in database security. Part of my Saturday was spent looking at Microsoft’s security model for the Azure SQL database platform. Specifically I wanted to know how they plan to address database and content security issues with their cloud-based offering. I certainly don’t follow all things cloud to the degree our friend Chris Hoff over at RationalSurvivability does, but I do attempt to stay current on database security trends as they pertain to cloud and virtual environments.

Friday Summary: October 29, 2010

Thu, 28 Oct 2010 00:00:00 +0000

What a wild few weeks. Talk about been there, done that, got the t-shirt.

It all started October 9th, when I finally achieved a goal I’ve been chasing for well over a decade, and completed my first Olympic-distance triathlon. (1.5K swim, 40K bike, 10K run – those are distances, not dollar values).

Incident Response Fundamentals: Roles and Organizational Structure

Thu, 28 Oct 2010 00:00:00 +0000

In our last post we introduced some of the key principles of incident response. Today we will focus on the major roles and organizational structure.

The Thing about Espionage

Thu, 28 Oct 2010 00:00:00 +0000

Imagine you’re a young, skilled techie just starting your career. Maybe you’re fresh out of school, or still in an internship program. Or maybe you’ve been out of school for a few years, working your way up through various companies in the industry. You came from a normal background – possibly you thought about the military at some point, but the allure of working in technology drew you into the private sector. Your skills are solid, you produce at work, and you don’t get into any trouble beyond the usual for your age.

Incite 10/27/2010: Traffic Ahead

Wed, 27 Oct 2010 00:00:00 +0000

I saw an old friend last week, and we were talking about the business of Securosis a bit. One of the questions he asked was whether it’s a lifestyle business. The answer is that of course it is. Rich, Adrian, and I have done lots of things over the years and we all have independently come to the conclusion that we don’t want to work for big machines any more. We all have different reasons for that, and I was reminded of one of mine on Monday.

SunSec Rises on November 3rd

Wed, 27 Oct 2010 00:00:00 +0000

For those of you in the Phoenix area, or with way too many frequent flier miles and too much spare time, the Phoenix OWASP chapter is organizing a SunSec meetup after their meeting on November 3rd.

Incident Response Fundamentals: Incident Command Principles

Tue, 26 Oct 2010 00:00:00 +0000

I know what you’re thinking to yourself right now: “They promised me a cool series of posts on the cutting edge of incident response, and now we’re talking management principles and boxes on an org chart? What a rip.”

NSO Quant: The Report and Metrics Model

Mon, 25 Oct 2010 00:00:00 +0000

It has been a long slog, but the final report on the Network Security Operations (NSO) Quant research project has been published. We are also releasing the raw data we collected in the survey at this point.

Can we ever break IT?

Fri, 22 Oct 2010 00:00:00 +0000

I was reading one of RSnake’s posts on how our security devolves to the lowest common denominator because we can’t break IT – which means we can’t make changes to systems, applications, and endpoints in order to protect them. He was talking specifically about the browser, but it got me thinking a bit bigger: when/if it’s OK to break IT. To clarify, by breaking IT , I mean changing the user experience adversely in some way to more effectively protect critical data/information.

Everything You Ever Wanted to Know about DLP

Fri, 22 Oct 2010 00:00:00 +0000

Way back when I converted Securosis from a blog into a company, my very first paper was (no surprise) Understanding and Selecting a DLP Solution.

Friday Summary: October 22, 2010

Fri, 22 Oct 2010 00:00:00 +0000

Facebook is for old people. Facebook will ultimately make us more secure.

I have learned these two important lessons over the last few weeks. Saying Facebook is for old people is not like saying it’s dead – far from it. But every time I talk computers with people 10-15 years older than me, all they do is talk about Facebook. They love it! They can’t believe they found high school acquaintances they have not seen for 30+ years. They love the convenience of keeping tabs on family and friends from their Facebook page. They are amazed to find relatives who have been out of touch for decades. It’s their favorite web site by far. And they are shocked that I don’t use it. Obviously I will want to once I understand it, so they all insist on telling me about all the great things I could do with Facebook and the wonderful things I am missing. They even give me that look , like I am a complete computer neophyte. One said “I thought you were into computers?” Any conversation about security and privacy went in one ear and out the other because, as I have been told, Facebook is awesome.

Incident Response Fundamentals: Data Collection/Monitoring Infrastructure

Thu, 21 Oct 2010 00:00:00 +0000

In Incident Response Fundamentals: Introduction we talked about the philosophical underpinnings of our approach and how you need to look at stuff before, during, and after an attack. Regardless of where in the attack lifecycle you end up, there is a common requirement: for data. As we mentioned, you only get one opportunity to capture the data, and then it’s gone. So in order to react faster and better in your environment, you will need lots of data.

Incite 10/20/2010: The Wrongness of Being Right

Wed, 20 Oct 2010 00:00:00 +0000

One of my favorite sayings is “Don’t ask the question if you don’t want the answer.” Of course, when I say answer , what I really mean is opinion. It makes no difference what we are talking about, I probably have an opinion. In fact, a big part of my job is to have opinions and share them with however will listen (and even some who won’t). But to have opinions means you need to judge.

White Paper Goodness: Understanding and Selecting an Enterprise Firewall

Wed, 20 Oct 2010 00:00:00 +0000

What? A research report on enterprise firewalls. Really? Most folks figure firewalls have evolved about as much over the last 5 years as ant traps. They’re wrong, of course, but people think of firewalls as old, static, and generally uninteresting. But this is unfounded. Firewalls continue to evolve, and their new capabilities can and should impact your perimeter architecture and firewall selection process. That doesn’t mean we will be advocating yet another rip and replace job at the perimeter (sorry, vendors), but there are definitely new capabilities that warrant consideration – especially as the maintenance renewals on your existing gear come due.

Vaults within Vaults

Tue, 19 Oct 2010 00:00:00 +0000

My session for the Atlanta BSides conference was about what I expected in 2011. I might as well have thrown a dart at the wall. But the exercise got me thinking about the newest attacks (like Stuxnet) and the realization of how state-sponsored attackers have penetrated our networks with impunity. Clearly we have to shake up the status quo in order to keep up.

Incident Response Fundamentals: Introduction

Mon, 18 Oct 2010 00:00:00 +0000

Over the past year, as an industry we have come to realize that we are dealing with different adversaries using different attack techniques with different goals. Yes, the folks looking for financial gain by compromising devices are still out there. But add a well-funded, potentially state-sponsored, persistent and patient adversary to the mix, and we need to draw a new conclusion. Basically, we now must assume our networks and systems are compromised. That is a tough realization, but any other conclusion doesn’t really jive with reality, or at least the reality of everyone we talk to.

Monitoring up the Stack: Climbing the Stack

Mon, 18 Oct 2010 00:00:00 +0000

As we have discussed through this series, monitoring additional data types can extend the capabilities of SIEM in a number of different ways. But you have lots of options for which direction to go. So the real question is: where do you start? Clearly you are not going to start monitoring all of these data types at once, particularly because most forms require some integration work on your part – often a great deal. Honestly, there are no hard and fast answers on where to start, or what type of monitoring is most important. Those decisions must be based on your specific requirements and objectives. But we can describe a couple common approaches for climbing the monitoring stack.

Monitoring up the Stack: Platform Considerations

Fri, 15 Oct 2010 00:00:00 +0000

So far in the Monitoring up the Stack series, we have focused on a number of additional data types and analysis techniques that extend security monitoring to gain a deeper and better perspective of what’s happening. We have been looking at the added value that is all good, but we all know there is no free lunch. So now let’s look at some of the problems, challenges, and extra work that come along with deeper monitoring goodness. We know most of you who have labored with scalability and configuration challenges with your SIEM product were waiting for the proverbial other shoe to drop. Each new data type and the associated analysis impact the platform. So in this post we will discuss some of these considerations and think a bit about how to work around the potential issues.

New Blog Series: Incident Response Fundamentals

Fri, 15 Oct 2010 00:00:00 +0000

Our “beat our readers into a content coma” plan is working perfectly. Just when you thought you had enough of NSO Quant, Enterprise Firewall, Monitoring up the Stack, and DLP (just in the last month) – we will be starting another series Monday. Rich and I will begin the “Incident Response Fundamentals: Understanding Threats Before, During, and After the Attack” series. React Faster is something I’ve been talking about for years (literally) and Rich improved it by integrating the importance of incident response to the mix. Now we are going to bring all those aspects together into a very focused view on how you can keep pace with the rapidly evolving attack space.

Dead or Alive: Pen Testing

Thu, 14 Oct 2010 00:00:00 +0000

Remember the dead or alive game Howard Stern used to do? I think it was Stern. Not sure if he’s still doing it because I’m too cheap to subscribe to Sirius for the total of 5 minutes I spend in the car driving between coffee shops. Pen testing has been under fire lately. Ranum has been talking for years about how pen testing sucks. Brian Chess also called pen testing dead at the end of 2008.

Incite 10/13/2010: the Rise of the Cons

Wed, 13 Oct 2010 00:00:00 +0000

No we aren’t going to talk about jailbreaks or other penal system trials and tribulations. This one is about how the conference circuit is evolving in a really positive way. Most folks attend the big security shows – you know, RSA and BlackHat and maybe some others. Most folks also hate these shows. I hear a lot of complaints about weak content and vendor whoring putting a damper on the experience. Of course, since myself and my ilk tend to speak at most of these shows, we can only point the finger at ourselves. Personally, unless I’m speaking I tend to skip all but the biggest shows, which I attend for networking purposes. But that’s just me.

FireStarter: Consumer Internet Penalty Box

Tue, 12 Oct 2010 00:00:00 +0000

A few weeks back, the fine folks at Microsoft used a healthcare analogy to describe a possible solution to the Internet’s bot infestation. Scott Charney suggested that every PC should have a health certificate which would provide access to the Internet. No health certificate, no access. Kind of like a penalty box for consumer Internet users. It’s an interesting idea, and clearly we need some kind of solution to the reality that Aunt Bessie has no idea her machine has been pwned and is blasting spam and launching DDoS attacks.

IT Debt: Real or FUD?

Tue, 12 Oct 2010 00:00:00 +0000

I just ran across Slashdot’s mention of the Measuring and Monitoring Technical Debt study funded by a research grant. Their basic conclusion is that a failure to modernize software is a form of debt obligation, and companies ultimately must pay off that debt moving forward. And until the modernization process happens, software degrades towards obsolescence or failure.

Monitoring up the Stack: User Activity Monitoring

Mon, 11 Oct 2010 00:00:00 +0000

The previous Monitoring up the Stack post examined Identity Monitoring, which is a set of processes to monitor events around provisioning and managing accounts. The Identity Monitor is typically blind to one very important aspect of accounts: how they are used at runtime. So you know who the user is, but not what they are doing. User Activity Monitoring addresses this gap through reporting not on how the accounts were created and updated in the directory, but by examining user actions on systems and applications, and linking them to assigned roles.

Friday Summary: October 8, 2010

Fri, 08 Oct 2010 00:00:00 +0000

Chris Pepper was kind enough to forward this interview with James Gosling on the Basement Coders blog earlier in the week. I seldom laugh out loud when reading blogs, but his “Java, Just Free It” & “Set Java Free” t-shirts that were pissing off Oracle got me going. And the “Google is kind of a funny company because a lot of them have this peace love and happiness version of evil” quote had me rolling on the floor. In fact I found the entire article entertaining, so I recommend reading it all the way through if you have a chance. James Gosling is an interesting guy, and for someone I have never met, he has had more impact on my career than any other person on the planet.

Monitoring up the Stack: Identity Monitoring

Thu, 07 Oct 2010 00:00:00 +0000

As we continue up the Monitoring stack, we get to Identity Monitoring, which is a distinct set of concerns from User Activity Monitoring (the subject of the next post). In Monitoring Identity, the SIEM/Log Management systems gain visibility into the provisioning and Identity Management processes that enterprise use to identify, store and process user accounts to prepare the user to use the system. Contrast that with User Activity Monitoring, where SIEM/Log Management systems focus on monitoring how the user interacts with the system at runtime and looks for examples of bad behavior. As an example, do you remember when you got your driver’s license? All the processes that you went through at the DMV: Getting your picture taken, verifying your address, and taking the driving tests. All of those activities are related to provisioning an account, getting credentials created; that’s Identity Management. When you are asked to provide your driver’s license, say when checking in at a hotel, or by a police officer for driving too fast; that’s User Activity Monitoring. Identity Monitoring is an important first step because we need to associate a user’s identity with network events and system usage in order to perform User Activity Monitoring. Each requires a different type of Monitoring and different type of report, today we tackle Identity Management (and no, we won’t make you wait in line like the DMV).

Incite 10/6/2010: The Answer is 42

Wed, 06 Oct 2010 00:00:00 +0000

One of my favorite passages in literature is when Douglas Adams proclaims the Ultimate Answer to the Ultimate Question of Life, The Universe, and Everything to be 42 in Hitchhiker’s Guide to the Galaxy. Of course, we don’t know the Ultimate Question. Details. This week I plan to discover he was right as I finish my 42nd year on the planet. That seems old. It’s a big number. But I don’t feel old. In fact, I feel like a big kid. Sometimes I look at my own kids and my house and snicker a bit. Can you believe they’ve entrusted any responsibility to me? These kids think I actually know something? Ha, that’s a laugher…

Monitoring up the Stack: App Monitoring, Part 2

Mon, 04 Oct 2010 00:00:00 +0000

In the last post on application monitoring, we looked at why applications are an essential “context provider” and interesting data source for SIEM/Log Management analysis. In this post, we’ll examine how to get started with the application monitoring process, and how to integrate that data into your existing SIEM/Log Management environment.

Friday Summary: September 30, 2010

Thu, 30 Sep 2010 00:00:00 +0000

So you might have heard there’s this thing called ‘Stuxnet’. I was thinking it’s like the new Facebook or something. Or maybe more like Twitter, since the politicians seem to like it, except Sarah Palin who is totally more into Facebook.

Monitoring up the Stack: Application Monitoring, Part 1

Thu, 30 Sep 2010 00:00:00 +0000

As we continue to investigate additional data sources to make our monitoring more effective, let’s now turn our attention to applications. At first glance, many security practitioners may think applications have little to offer SIEM and Log Management systems. After all, applications are built on mountains of custom code and security and development teams often lack a shared collaborative approach for software security. However, application monitoring for security should not be dismissed out of hand. Closed-minded security folks miss the fact that applications offer an opportunity to resolve some of the key challenges to monitoring. How? It comes back to a key point we’ve been making through this series, the need for context. If knowing that Node A talked to Node B helps pinpoint a potential attack, then network monitoring is fine. But both monitoring and forensics efforts can leverage information about what transaction executed, who signed off on it, who initiated it, and what the result was – and you need to tie into to the application to get that context.

A Wee Bit on DLP SaaS

Wed, 29 Sep 2010 00:00:00 +0000

Here’s some more content that’s going into the updated version of Understanding and Selecting a Data Loss Prevention Solution (hopefully out next week). Every now and then I get questions on DLP SaaS, so here’s what I’m seeing now…

Incite 9/29/2010: Reading Is Fundamental

Wed, 29 Sep 2010 00:00:00 +0000

For those of you with young kids, the best practice is to spend some time every day reading to them. so they learn to love books. When our kids were little, we dutifully did that, but once XX1 got proficient she would just read by herself. What did she need us for? She has inhaled hundreds of books, but none resonate like Harry Potter. She mowed through each Potter book in a matter of days, even the hefty ones at the end of the series. And she’s read each one multiple times. In fact, we had to remove the books from her room because she wasn’t reading anything else.

Monitoring up the Stack: DAM, part 2

Wed, 29 Sep 2010 00:00:00 +0000

The odds are, if you already have a SIEM/Log Management platform in place, you already look at some database audit logs. So why would you consider DAM in addition? The real question when thinking about how far up the stack (and where) to go with your monitoring strategy, is whether adding database activity monitoring data will help with threat detection and other security efforts. To answer that question, consider that DAM collects important events which are not in log files, provides real-time analysis and detection of database attacks, and blocks dangerous queries from reaching the database. These three features together are greater than the sum of their parts.

Understanding DLP Solutions, “DLP Light”, and DLP Features

Wed, 29 Sep 2010 00:00:00 +0000

I’m nearly done with a major revision to the very first whitepaper I published here at Securosis: Understanding and Selecting a Data Loss Prevention Solution, and one of the big additions is an expanded section talking about DLP integration and “DLP Light” solutions.

Attend the Securosis/SearchSecurity Data Security Event on Oct 26

Mon, 27 Sep 2010 00:00:00 +0000

We may not run our own events, but we managed to trick the folks at Information Security Magazine/SearchSecurity into letting us take over the content at the Insider Data Threats seminar in San Francisco.

Monitoring up the Stack: DAM, Part 1

Mon, 27 Sep 2010 00:00:00 +0000

Database Activity Monitoring (DAM) is a form of application monitoring by looking at the database specific transactions, and integration of DAM data into SIEM and Log Management platforms is becoming more prevalent. Regular readers of this blog know that we have covered this topic many times, and gone into gory technical detail in order to help differentiate between products. If you need that level of detail, I’ll refer you to the database security page in the Securosis Research Library. Here I will give the “cliff notes” version, describing what the technology is and some of the problems it solves. The idea is to explain how DAM augments SIEM and Log Management analysis, and outfit end users with an understanding of how DAM extends the analysis capabilities of your monitoring strategy.

NSO Quant: The End is Near!

Mon, 27 Sep 2010 00:00:00 +0000

As mentioned last week, we’ve pulled the NSO Quant posts out of the main feed because the volume was too heavy. So I have been doing some cross-linking to let you who don’t follow that feed know when new stuff appears over there.

Proposed Internet Wiretapping Law Fundamentally Incompatible with Security

Mon, 27 Sep 2010 00:00:00 +0000

It’s been a while since I waded in on one of these government-related privacy thingies, but a report this morning from the New York Times reveals yet another profound, and fundamental, misunderstanding of how technology and security function. The executive branch is currently crafting a legislative proposal to require Internet-based communications providers to support wiretap capabilities in their products.

Friday Summary: September 24, 2010

Fri, 24 Sep 2010 00:00:00 +0000

We are wrapping up a pretty difficult summer here at Securosis. You have probably noticed from the blog volume as we have been swamped with research projects. Rich, Mike, and I have barely spoken with one another over the last couple months as we are head-down and researching and writing as fast as we can. No time for movies, parties, or vacation travel. These Quant projects we have been working on make us feel like we have been buried in sand. I have been this busy several times during my career, but I can’t say I have ever been busier. I don’t think that would be possible, as there are not enough hours in the day! Mike’s been hiding at undisclosed coffee shops to the point his family had his face put on a milk carton. Rich has taken multitasking to a new level by blogging in the shower with his iPad. Me? I hope to see the shower before the end of the month.

Government Pipe Dreams

Thu, 23 Sep 2010 00:00:00 +0000

General Keith Alexander heads the U.S. Cyber Command and is the Director of the NSA. In prepared testimony today he said the government should set up a secure zone for themselves and critical infrastructure, walled off from the rest of the Internet.

NSO Quant: Clarifying Metrics (and some more links)

Thu, 23 Sep 2010 00:00:00 +0000

We had a great comment by Dan on one of the metrics posts, and it merits an answer with explanation, because in the barrage of posts the intended audience can certainly get lost. Here is Dan’s comment:

Incite 9/22/2010: The Place That Time Forgot

Wed, 22 Sep 2010 00:00:00 +0000

I don’t give a crap about my hair. Yeah, it’s gray. But I have it, so I guess that’s something. It grows fast and looks the same, no matter what I do to it. I went through a period maybe 10 years ago where I got my hair styled, but besides ending up a bit lighter in the wallet (both from a $45 cut and all the product they pushed on me), there wasn’t much impact. I did get to listen to some cool music and see good looking stylists wearing skimpy outfits with lots of tattoos and piercings. But at the end of the day, my hair looked the same. And the Boss seems to still like me regardless of what my hair looks like, though I found cutting it too short doesn’t go over very well.

Monitoring up the Stack: File Integrity Monitoring

Wed, 22 Sep 2010 00:00:00 +0000

We kick off our discussion of additional monitoring technologies with a high-level overview of file integrity monitoring. As the name implies, file integrity monitoring detects changes to files – whether text, configuration data, programs, code libraries, critical system files, or even Windows registries. Files are a common medium for delivering viruses and malware, and detecting changes to key files can provide an indication of machine compromise.

New Paper (+ Webcast): Understanding and Selecting a Tokenization Solution

Tue, 21 Sep 2010 00:00:00 +0000

Around the beginning of the year Adrian and I released our big database encryption paper: Understanding and Selecting a Database Encryption or Tokenization Solution. We realized pretty quickly there was no way we could do justice to tokenization in that paper, so we are now excited to release Understanding and Selecting a Tokenization Solution.

NSO Quant: Manage Process Metrics, Part 1

Tue, 21 Sep 2010 00:00:00 +0000

We realized last week that we may have hit the saturation point for activity on the blog. Right now we have three ongoing blog series and NSO Quant. All our series post a few times a week, and Quant can be up to 10 posts. It’s too much for us to keep up with, so I can’t even imagine someone who actually has to do something with their days.

FireStarter: It’s Time to Talk about APT

Mon, 20 Sep 2010 00:00:00 +0000

There’s a lot of hype in the press (and vendor pitches) about APT – the Advanced Persistent Threat. Very little of it is informed, and many parties within the security industry are quickly trying to co-opt the term in order to advance various personal and corporate agendas. In the process they’ve bent, manipulated and largely tarnished what had been a specific description of a class of attacker. I’ve generally tried to limit how much I talk about it – mostly restricting myself to the occasional Summary/Incite comment, or this post when APT first hit the hype stage, and a short post with some high level controls.

Monitoring up the Stack: Threats

Mon, 20 Sep 2010 00:00:00 +0000

In our introductory post we discussed how customers are looking to derive additional value form their SIEM and log management investments by looking at additional data types to climb the stack. Part of the dissatisfaction we hear from customers is the challenge of turning collected data into actionable information for operational efficiency and compliance requirements. This challenge is compounded by the clear focus on application-oriented attacks. For the most part, our detection only pays attention to the network and servers, while the attackers are flying above that. It’s kind of like repeatedly missing the bad guys because they are flying at 45,000 feet, but you cannot get above 20,000 feet. You aren’t looking where the attacks are actually happening, which obviously presents problems. At its core SIEM can fly at 45,000’ and monitor application components looking for attacks, but it will take work to get there. Though given the evolution of the attack space, we don’t believe keeping monitoring focused on infrastructure is an option, even over the middle term.

Understanding and Selecting an Enterprise Firewall: Selection Process

Sun, 19 Sep 2010 00:00:00 +0000

Now that we’ve been through the drivers for evolved, application-aware firewalls, and a lot of the technology enabling them, how does the selection process need to evolve to keep pace? As with most of our research at Securosis, we favor mapping out a very detailed process, and leaving you to decide which steps make sense in your situation. So we don’t expect every organization to go through every step in this process. Figure out which are appropriate for your organization and use those.

Friday Summary: September 17, 2010

Fri, 17 Sep 2010 00:00:00 +0000

Reality has a funny way of intruding into the best laid plans.

Some of you might have noticed I haven’t been writing that much for the past couple weeks and have been pretty much ignoring Twitter and the rest of the social media world. It seems my wife had a baby, and since this isn’t my personal blog anymore I was able to take some time off and focus on the family. Needless to say, my “paternity leave” didn’t last nearly as long as I planned, thanks to the work piling up.

Understanding and Selecting an Enterprise Firewall: to UTM or Not to UTM?

Fri, 17 Sep 2010 00:00:00 +0000

Given how much time we’ve spent discusing application awareness and how these new capabilities pretty much stomp all over existing security products like IDS/IPS and web filters, does that mean standalone network security devices go away? Should you just quietly accept that unified threat management (UTM) is the way to go because the enterprise firewall provides multiple functions? Not exactly.

Upcoming Webinar: Selecting SIEM

Fri, 17 Sep 2010 00:00:00 +0000

Tuesday, September 21st, at 11am PST / 2pm EST, I will be presenting a webinar: “Keys to Selecting SIEM and Log Management”, hosted by NitroSecurity. I’ll cover the basics of SIEM, including data collection and deployment, then dig into use cases, enrichment, data management, forensics, and advanced features.

DLP Selection: Infrastructure Integration Requirements

Thu, 16 Sep 2010 00:00:00 +0000

In our last post we detailed content protection requirements, so now it’s time to close out our discussion of technical requirements with infrastructure integration.

Understanding and Selecting an Enterprise Firewall: Advanced Features, Part 2

Thu, 16 Sep 2010 00:00:00 +0000

After digging into application awareness features in Part 1, let’s talk about non-application capabilities. These new functions are really about dealing with today’s attacks. Historically, managing ports and protocols has sufficed to keep the bad guys outside the perimeter; but with today’s bumper crop of zombies & bots, the old ways don’t cut it any more.

DLP Selection Process: Protection Requirements

Wed, 15 Sep 2010 00:00:00 +0000

Now that you’ve figured out what information you want to protect, it’s time to figure out how to protect it. In this step we’ll figure out your high-level monitoring and enforcement requirements.

Incite 9/15/2010: Up, down, up, down, Repeat

Wed, 15 Sep 2010 00:00:00 +0000

It was an eventful weekend at chez Rothman. The twins (XX2 and XY) had a birthday, which meant the in-laws were in town and for the first time we had separate parties for the kids. That meant one party on Saturday night and another Sunday afternoon. We had a ton of work to do to get the house ready to entertain a bunch of rambunctious 7 year olds. But that’s not all – we also had a soccer game and tryouts for the holiday dance performance on Saturday.

Monitoring up the Stack: Introduction

Wed, 15 Sep 2010 00:00:00 +0000

The question that came up over and over again during our SIEM research project: “How do I derive more value from my SIEM installation?” As we discussed throughout that report, plenty of data gets collected, but extracting actionable information remains a challenge. In part this is due to the “drinking from the fire-hose” effect, where the speed and volume of incoming data make it difficult to process effectively. Additionally, data needs to be pieced together with sufficient reference points from multiple event sources before analysis. But we found a major limiting factor was also the network-centric perspective on data collection and analysis. We were looking at traffic, rather than transactions. We were looking at packet density, not services. We were looking at IP addresses instead of user identity. We didn’t have context to draw conclusions.

The Securosis 2010 Data Security Survey Report Rates the Top 5 Data Security Controls

Wed, 15 Sep 2010 00:00:00 +0000

Over the summer we initiated what turned out to be a pretty darn big data security survey. Our primary goal was to assess what data security controls people find most effective; and get a better understanding of how they are using the controls, what’s driving adoption, and a bit on what kinds of incidents they are experiencing.

DLP Selection Process: Defining the Content

Tue, 14 Sep 2010 00:00:00 +0000

In our last post we kicked off the DLP selection process by putting the team together. Once you have them in place, it’s time to figure out which information you want to protect. This is extremely important, as it defines which content analysis techniques you require, which is at the core of DLP functionality.

Understanding and Selecting an Enterprise Firewall: Advanced Features, Part 1

Tue, 14 Sep 2010 00:00:00 +0000

Since our main contention in the Understanding and Selecting an Enterprise Firewall series is the movement toward application aware firewalls, it makes sense to dig a bit deeper into the technology that will make this happen and the major uses for these capabilities. With an understanding of what to look for, you should be in a better position to judge whether a vendor’s application awareness capabilities will match your requirements.

DLP Selection Process, Step 1

Mon, 13 Sep 2010 00:00:00 +0000

As I mentioned previously, I’m working on an update to Understanding and Selecting a DLP Solution. While much of the paper still stands, one area I’m adding a bunch of content to is the selection process. I decided to buff it up with more details, and also put together a selection worksheet to help people figure out their requirements. This isn’t an RFP, but a checklist to help you figure out major requirements – which you will use to build your RFP – and manage the selection process.

FireStarter: Automating Secure Software Development

Mon, 13 Sep 2010 00:00:00 +0000

I just got back from the AppSec 2010 OWASP conference in Irvine, California. As you might imagine, it was all about web application security. We security practitioners and coders generally agree that we need to “bake security in” to the development process. Rather than tacking security onto a product like a band-aid after the fact, we actually attempt to deliver code that is secure from the get-go. We are still figuring out how to do this effectively and efficiently, but it seems to me a very good idea.

HP Sets Its ArcSights on Security

Mon, 13 Sep 2010 00:00:00 +0000

When there’s smoke, there’s usually fire. I’ve been pretty vocal over the past two weeks, stating that users need to forget what they are hearing about various rumored acquisitions, or how these deals will impact them, and focus on doing their jobs. They can’t worry about what deal may or may not happen until it’s announced. Well, this morning HP announced the acquisition of ArcSight, after some more detailed speculation appeared over the weekend. So is it time to worry yet?

Understanding and Selecting an Enterprise Firewall: Management

Mon, 13 Sep 2010 00:00:00 +0000

The next step in our journey to understand and select an enterprise firewall has everything to do with management. During procurement it’s very easy to focus on shiny objects and blinking lights. By that we mean getting enamored with speeds, feeds, and features – to the exclusion of what you do with the device once it’s deployed. Without focusing on management during procurement , you may miss a key requirement – or even worse, sign yourself up to a virtual lifetime of inefficiency and wasted time struggling to manage the secure perimeter.

Friday Summary: September 10, 2010

Fri, 10 Sep 2010 00:00:00 +0000

I attended the OWASP Phoenix chapter meeting earlier this week, talking about database encryption. The crowd was small as the meeting was the Tuesday after Labor day, rather than the normal Thursday slot. Still, I had a good time, especially with the discussion afterwards. We talked about a few things I know very little about. Actually, there are several areas of security that I know very well. There are a few that I know reasonably well, but as I don’t practice them day to day I really don’t consider myself an expert. And there are several that I don’t know at all. And I find this odd, as it seemed that 15 years ago a single person could ‘know’ computer security. If you understood netword security, access controls, and crypto, you had a pretty good handle on things. Throw in some protocol design, injection, and pen test concepts and you were a freakin’ guru.

Understanding and Selecting an Enterprise Firewall: Deployment Considerations

Fri, 10 Sep 2010 00:00:00 +0000

Now that we’ve been through technical architecture considerations for the evolving firewall (Part 1, Part 2), let’s talk about deployment considerations. Depending on requirements, there many different ways to deploy enterprise firewalls. Do this wrong and you end up with either too many or too few boxes, single points of failure, suboptimal network access, and/or crappy application performance.

Incite 9/7/2010: Iconoclastic Idealism

Wed, 08 Sep 2010 00:00:00 +0000

Tonight starts the Jewish New Year celebration – Rosh Hashanah. So L’Shana Tova to my Jewish peeps out there. I send my best wishes for a happy and healthy 5771. At this time of year, I usually go through my goals and take a step back to evaluate what I’ve accomplished and what I need to focus on for the next year. It’s a logical time to take stock of where I’m at. But as I’ve described, I’m moving toward a No Goal philosophy, which means the annual goal setting ritual must be jettisoned.

Understanding and Selecting an Enterprise Firewall: Technical Architecture, Part 2

Wed, 08 Sep 2010 00:00:00 +0000

In the first part of our Enterprise Firewall technical discussion, we talked about the architectural changes required to support this application awareness stuff. But the reality is most of the propaganda pushed by the firewall vendors still revolves around speeds and feeds. Of course, in the hands of savvy marketeers (in mature markets), it seems less than 10gbps magically becomes 40gbps, 20gbps becomes 100gbps, and software on an industry-standard blade becomes a purpose-built appliance. No wonder buying anything in security remains such a confusing and agonizing endeavor.

FireStarter: Market for Lemons

Tue, 07 Sep 2010 00:00:00 +0000

During BlackHat I proctored a session on “Optimizing the Security Researcher and CSO relationship. From the title and outline most of us assumed that this presentation would get us away from the “responsible disclosure” quagmire by focusing on the views of the customer. Most of the audience was IT practitioners, and most were interested in ways research findings might help the end customer, rather than giving them another mess to clean up while exploit code runs rampant. Or just as importantly, which threat is hype, and which threat is serious.

New Release: Data Encryption 101 for PCI

Tue, 07 Sep 2010 00:00:00 +0000

We are happy to announce the availability of Data Encryption 101: A Pragmatic Approach to PCI Compliance.

It struck Rich and myself that data storage is a central topic for PCI compliance which has not gotten a lot of coverage. The security community spends a lot of time discussing the merits of end-to-end encryption, tokenization, and other topics, but meat and potatoes stuff like encryption for data storage is hardly ever mentioned. We feel there is enough ambiguity in the standard to warrant deeper inspection into what merchants are doing to meet the PCI DSS requirements. For those of you who followed along with the blog series, this is a compilation of that content, but it has been updated to reflect all the comments we received and additional research, and the entire report was professionally edited.

Understanding and Selecting an Enterprise Firewall: Technical Architecture, Part 1

Tue, 07 Sep 2010 00:00:00 +0000

In the first part of our series on Understanding and Selecting an Enterprise Firewall, we talked mostly about use cases and new requirements (Introduction, Application Awareness Part 1, and Part 2) driving a fundamental re-architecting of the perimeter gateway.

Friday Summary: September 3, 2010

Fri, 03 Sep 2010 00:00:00 +0000

I bought the iPhone 4 a few months ago and I still love it. And luckily there is a cell phone tower 200 yards north of me, so even if I use my left handed kung fu grip on the antenna, I don’t drop calls. But I decided to keep my older Verizon account as it’s kind of a family plan deal, and I figured just in case the iPhone failed I would have a backup. And I could get rid of all the costly plan upgrades and have just a simple phone. But not so fast! Trying to get rid of the data and texting features on the old Blackberry is apparently not an option. If you use a Blackberry I guess you are obligated to get a bunch of stuff you don’t need because, from what the Verizon tech told me, they can’t centrally disable data features native to the phone. WTF?

Understanding and Selecting an Enterprise Firewall: Application Awareness, Part 2

Fri, 03 Sep 2010 00:00:00 +0000

In our last post on application awareness as a key driver for firewall evolution, we talked about the need and use cases for advanced firewall technologies. Now let’s talk a bit about some of the challenges and overlap of this kind of technology. Whether you want to call it disruptive or innovative or something else, introducing new capabilities on existing gear tends to have a ripple effect on everything else. Application awareness on the firewall is no exception.

Understanding and Selecting an Enterprise Firewall: Application Awareness, Part 1

Thu, 02 Sep 2010 00:00:00 +0000

As mentioned in the Introduction to Understanding and Selecting an Enterprise Firewall, we see three main forces driving firewall evolution. The first two are pretty straightforward and don’t require a lot of explanation or debate: networks are getting faster and thus the perimeter gateways need to get faster. That’s not brain surgery.

Incite 9/1/2010: Battle of the Bandz

Wed, 01 Sep 2010 00:00:00 +0000

Hard to believe it’s September already. As we steam through yet another year, I like to step back and reflect on the technical achievements that have literally changed our life experience. Things like the remote control and pay at the pump. How about the cell phone, which is giving way to a mini-computer that I carry in my pocket? Thankfully it’s much lighter than a PDP-11. And networks, yeah man, always on baby! No matter where you are, you can be connected. But let’s not forget the wonders of silicone and injection molding, which has enabled the phenomena known as Silly Bandz.

Understanding and Selecting an Enterprise Firewall: Introduction

Tue, 31 Aug 2010 00:00:00 +0000

Today we begin the our next blog series: Understanding and Selecting an Enterprise Firewall.

Yes, really. Shock was the first reaction from most folks. They figure firewalls have evolved about as much over the last 5 years as ant traps. They’re wrong, of course, but most people think of firewalls as old, static, and generally uninteresting. In fact, most security folks begin their indentured servitude looking after the firewalls, where they gain seasoning before anyone lets them touch important gear like the IPS.

Data Encryption for PCI 101: Selection Criteria

Mon, 30 Aug 2010 00:00:00 +0000

As a merchant your goal is to protect stored credit card numbers (PAN), as well as other card data such as card-holder name, service code, and expiration date. You need to protect these fields from both unwanted physical (e.g., disk, tape backup, USB) and logical (e.g., database queries, file reads) inspection. And detect and stop misuse if possible, as well.

Have DLP Questions or Feedback? Want Free Answers?

Mon, 30 Aug 2010 00:00:00 +0000

Back when I started Securosis my first white paper was Understanding and Selecting a DLP Solution. It has been downloaded many thousands of times (about 400 times a month for the first couple years), and I still see it showing up all the time when I talk with clients. (Some people call it the DLP Bible, but if I said that it would be really pretentious). Although the paper is still accurate, it’s time for an update.

Data Encryption for PCI 101: Supporting Systems

Fri, 27 Aug 2010 00:00:00 +0000

Continuing our series on PCI Encryption basics, we delve into the supporting systems that make encryption work. Key management and access controls are important building blocks, and subject to audit to ensure compliance with the Data Security Standard.

Friday Summary: August 27, 2010

Fri, 27 Aug 2010 00:00:00 +0000

My original plan for this week’s summary was to geek out a bit and talk about my home automation setup. Including the time I recently discovered that even household electrical is powerful enough to arc weld your wire strippers if you aren’t too careful.

Home Security Alarm Tips

Fri, 27 Aug 2010 00:00:00 +0000

This is one of those posts I’ve been thinking about writing for a while – ever since I saw one of those dumb-ass ADT commercials with the guy with the black knit cap breaking in through the front door while some ‘helpless’ woman was in the kitchen.

White Paper Released: Understand and Selecting SIEM/Log Management

Thu, 26 Aug 2010 00:00:00 +0000

In this report we spotlight both the grim realities and real benefits of SIEM/Log Management platforms. The vendors are certainly not going to tell you about the bad stuff in their products – they just shout out the same fantastic advantages touted in the latest quadrant report. Trust us when we say there are many pissed-off SIEM users, but plenty of happy ones as well. We focused this paper on resetting expectations and making sure you know enough to focus on success, which will save you much heartburn later.

Incite 8/25/2010: Let Freedom Ring

Wed, 25 Aug 2010 00:00:00 +0000

It’s funny how different folks have totally different perceptions of the same things. Obviously the idea of freedom for someone living under an oppressive regime is different than my definition. My good fortune to be born in a certain place to a certain family is not lost on me.

Starting the Understanding and Selecting an Enterprise Firewall Project

Wed, 25 Aug 2010 00:00:00 +0000

I joined Securosis back in January and took on coverage of network and endpoint security. My goal this year was to lay the foundation by doing fairly in-depth research projects on the key fundamental areas in each patch. I started with Endpoint Security Fundamentals (I’m doing some webcasts next month) and continued with the Network Security Operations Quant project (which I’m now working through) to focus on the processes to manage network security devices. But clearly selecting the anchor device in the perimeter – the firewall – demands a full and detailed analysis.

Backtalk Doublespeak on Encryption

Tue, 24 Aug 2010 00:00:00 +0000

Updated:* 8/25/2010

Storefront-Backtalk magazine had an interesting post on Too Much Encrypt = Cyberthief Gift. And when I say ‘interesting’, I mean the topics are interesting, but the author (Walter Conway) seems to have gotten most of the facts wrong in an attempt to hype the story. The basic scenario the author describes is correct: when you encrypt a very small range of numbers/values, it is possible to pre-compute (encrypt) all of those values, then match them against the encrypted values you see in the wild. The data may be encrypted, but you know the contents because the encrypted values match. The point the author is making is that if you encrypt the expiration date of a credit card, an attacker can easily guess the value.

Webcasts on Endpoint Security Fundamentals

Tue, 24 Aug 2010 00:00:00 +0000

Starting in early September, I’ll be doing a series of webcasts digging into the Endpoint Security Fundamentals paper we published over the summer. Since there is a lot of ground to cover, we’ll be doing three separate webcasts, each focused on a different aspect.

Data Encryption for PCI 101: Encryption Options

Mon, 23 Aug 2010 00:00:00 +0000

In the introductory post of the Data Encryption for PCI series, there were a lot of good comments on the value of hashing functions. I wanted to thank the readers for participating and raising several good points. Yes, hashing is a good way to match a credit card number you currently have determine if it matches one you have already been provided – without huge amounts of overhead. You might even call it a token. For the purpose of this series, as we have already covered tokenization, I will remain focused on use cases where I need to keep the original credit card data.

FireStarter: Certifications? We don’t need no stinkin’ certifications…

Mon, 23 Aug 2010 00:00:00 +0000

It’s time that the security industry stopped trying to play paramilitary games and started trying to do a good job (aka “best practices”.) It would be a very pleasant change.

Friday Summary: August 20, 1010

Fri, 20 Aug 2010 00:00:00 +0000

Before I get into the Summary, I want to lead with some pretty big news: the Liquidmatrix team of Dave Lewis and James Arlen has joined Securosis as Contributing Analysts! By the time you read this Rich’s announcement should already be live, but what the heck – we are happy enough to coverage it here as well. Over and above what Rich mentioned, this means we will continue to expand our coverage areas. It also means that our research goes through a more rigorous shredding process before launch. Actually, it’s the egos that get peer shredding – the research just gets better. And on a personal note I am very happy about this as well, as a long-time reader of the Liquidmatrix blog, and having seen both Dave and James present at conferences over the years. They should bring great perspective and ‘Incite’ to the blog. Cheers, guys!

Another Take on McAfee/Intel

Thu, 19 Aug 2010 00:00:00 +0000

A few moments ago Mike posted his take on the McAfee/Intel acquisition, and for the most part I agree with him. “For the most part” is my nice way of saying I think Mike nailed the surface but missed some of the depths.

Data Encryption for PCI 101: Introduction

Thu, 19 Aug 2010 00:00:00 +0000

Rich and I are kicking off a short series called “Data Encryption 101: A Pragmatic Approach for PCI Compliance”. As the name implies, our goal is to provide actionable advice for PCI compliance as it relates to encrypted data storage. We write a lot about PCI because we get plenty of end-user questions on the subject. Every PCI research project we produce talks specifically about the need to protect credit cards, but we have never before dug into the details of how. This really hit home during the tokenization series – even when you are trying to get rid of credit cards you still need to encrypt data in the token server, but choosing the best way to employ encryption is varies depending upon the users environment and application processing needs. It’s not like we can point a merchant to the PCI specification and say “Do that”. There is no practical advice in the Data Security Standard for protecting PAN data, and I think some of the acceptable ‘approaches’ are, honestly, a waste of time and effort.

Liquidmatrix + Securosis: Dave Lewis and James Arlen Join Securosis as Contributing Analysts

Thu, 19 Aug 2010 00:00:00 +0000

In our ongoing quest for world domination, we are excited to announce our formal partnership with our friends over at Liquidmatrix.

McAfee: A (Secure) Chip on Intel’s Block

Thu, 19 Aug 2010 00:00:00 +0000

Ah, the best laid plans. I had my task list all planned out for today and was diving in when my pal Adrian pinged me in our internal chat room about Intel buying McAfee for $7.68 billion. Crap, evidently my alarm didn’t go off and I’m stuck in some Hunter S. Thompson surreal situation where security and chips and clean rooms and men in bunny suits are all around me.

Acquisition Doesn’t Mean Commoditization

Wed, 18 Aug 2010 00:00:00 +0000

There has been plenty of discussion of what HP’s recent acquisition of Fortify means in terms of commoditization and consolidation in the market. The reality is that most acquisitions by large vendors are about covering perceived holes in their product line. In other words this is really just the market acknowledging the legitimacy of the product or feature set. Don’t get me wrong – legitimization is very important, but it doesn’t necessarily mean either consolidation or commoditization, though they both indicate some level of legitimization.

Incite 8/18/2010: Smokey and the Speed Gun

Wed, 18 Aug 2010 00:00:00 +0000

What ever happened to the human touch? And personal service? Those seem to be hallmarks of days gone by. It’s too bad. Since I don’t like people, I tend not to develop relationships with my bankers or pharmacists or clergy – or pretty much anyone, come to think of it. But I guess a lot of other people did and they likely miss that person to person interaction.

HP (Finally) Acquires Fortify

Tue, 17 Aug 2010 00:00:00 +0000

One of the great things about Twitter and iChat is their ability to fuel the rumor mill. The back-office chatter for the last couple months, both within and outside Securosis, has been about rumors of HP buying Fortify Software. So we weren’t surprised when HP announced this morning that they are acquiring Fortify Software for an “undisclosed sum.” Well, not publicly disclosed anyway. In our best KGB voice, “Ve have vays of making dem talk.” And talk they did.

Tokenization: Selection Criteria

Mon, 16 Aug 2010 00:00:00 +0000

To wrap up our Understanding and Selecting a Tokenization Solution series, we now focus on the selection criteria. If you are looking at tokenization we can assume you want to reduce the exposure of sensitive data while saving some money by reducing security requirements across your IT operation. While we don’t want to oversimplify the complexity of tokenization, the selection process itself is fairly straightforward. Ultimately there are just a handful of questions you need to address: Does this meet my business requirements? Is it better to use an in-house application or choose a service provider? Which applications need token services, and how hard will they be to set up?

Friday Summary: August 13, 2010

Thu, 12 Aug 2010 00:00:00 +0000

A couple days ago I was talking with the masters swim coach I’ve started working with (so I will, you know, drown less) and we got to that part of the relationship where I had to tell him what I do for a living.

Gunnar Peterson Joins Securosis As a Contributing Analyst

Thu, 12 Aug 2010 00:00:00 +0000

We are ridiculously excited to announce that Gunnar Peterson is the newest member of Securosis, joining us as a Contributing Analyst. For those who don’t remember, our Contributor program is our way of getting to work with extremely awesome people without asking them to quit their day jobs (contributors are full members of the team and covered under our existing contracts/NDAs, but aren’t full time). Gunnar joins David Mortman and officially doubles our Contributing Analyst team.

Identity and Access Management Commoditization: a Tale of Two Cities

Wed, 11 Aug 2010 00:00:00 +0000

Identity and access management are generally 1) staffed out of the same IT department, 2) sold in vendor suites, and 3) covered by the same analysts. So this naturally lumps them together in people’s minds. However, their capabilities are quite different. Even though identity and access management capabilities are frequently bought as a package, what identity management and access management offer an enterprise are quite distinct. More importantly, successfully implementing and operating these tools requires different organizational models.

Incite 8/11/2010: No Goal!

Wed, 11 Aug 2010 00:00:00 +0000

The Boss is a saint. Besides putting up with me every day, she recently reconnected with a former student of hers. She taught him in 5th grade and now the kid is 23. He hasn’t had the opportunities that I (or the Boss) had, and she is working with him to help define what he wants to do with his life and the best way to get there. This started me thinking about my own perspectives on goals and achievement.

The Yin and Yang of Security Commoditization

Tue, 10 Aug 2010 00:00:00 +0000

Continuing our thread on commoditization, I want to extend some of Rich’s thoughts on commoditization and apply them to back-office data center products. In all honesty I did not want to write this post, as I thought it was more of a philosophical FireStarter with little value to end users. But as I thought about it I realized that some of these concepts might help people make better buying decisions, especially the “we need to solve this security problem right now!” crowd.

Tokenization: Use Cases, Part 3

Tue, 10 Aug 2010 00:00:00 +0000

Not every use case for tokenization involves PCI-DSS. There are equally compelling implementation options, several for personally identifiable information, that illustrate different ways to deploy token services. Here we will describe how tokens are used to replace Social Security numbbers in human resources applications. These services must protect the SSN during normal use by employees and third party service providers, while still offering authorized access for Human Resources personnel, as well as payroll and benefits services.

Commoditization and Feature Parity on the Perimeter

Mon, 09 Aug 2010 00:00:00 +0000

Following up on Rich’s FireStarter on Security Commoditization earlier today, I’m going to apply a number of these concepts to the network security space. As Rich mentioned innovation brings copycats, and with network-based application control we have seen them come out of the woodwork.

FireStarter: Why You Care about Security Commoditization

Mon, 09 Aug 2010 00:00:00 +0000

This is the first in a series we will be posting this week on security markets. In the rest of this series we will look at individual markets, and discuss how these forces work to help with buying decisions.

iOS Security: Challenges and Opportunities

Mon, 09 Aug 2010 00:00:00 +0000

I just posted an article on iOS (iPhone/iPad) security that I’ve been thinking about for a while over at TidBITS.

Here are excerpts from the beginning and ending:

Tokenization Topic Roundup

Mon, 09 Aug 2010 00:00:00 +0000

Tokenization has been one of our more interesting research projects. Rich and I thoroughly understood tokenization server functions and requirements when we began this project, but we have been surprised by the depth of complexity underlying the different implementations. The variety of variations and different issues that reside ‘under the covers’ really makes each vendor unique. The more we dig, the more interesting tidbits we find. Every time we talk to a vendor we learn something new, and we are reminded how each development team must make design tradeoffs to get their products to market. It’s not that the products are flawed – more that we can see ripples from each vendor’s biggest customers in their choices, and this effect is amplified by how new the tokenization market still is.

When Writing on iOS Security, Stop Asking AV Vendors Whether Apple Should Open the Platform to AV

Mon, 09 Aug 2010 00:00:00 +0000

A long title that almost covers everything I need to write about this article and many others like it.

The more locked down a platform, the easier it is to secure. Opening up to antivirus is about 987 steps down the priority list for how Apple could improve the (already pretty good) iOS security. You want email and web filtering for your iPhone? Get them from the cloud…

Friday Summary: August 6th, 2010

Fri, 06 Aug 2010 00:00:00 +0000

I started running when I was 10. I started because my mom was talking a college PE class, so I used to tag along and no one seemed to care. We ran laps three nights a week. I loved doing it and by twelve I was lapping the field in the 20 minutes allotted. I lived 6 miles from my junior high and high school so I used to run home. I could have walked, ridden a bike, or taken rides from friends who offered, but I chose to run. I was on the track team and I ran cross country – the latter had us running 10 miles a day before I ran home. And until I discovered weight lifting, and added some 45 lbs of upper body weight, I was pretty fast.

Tokenization: Use Cases, Part 2

Fri, 06 Aug 2010 00:00:00 +0000

In our last use case we presented an architecture for securely managing credit card numbers in-house. But in response to a mix of breaches and PCI requirements, some payment processors now offer tokenization as a service. Merchants can subscribe in order to avoid any need to store credit cards in their environment – instead the payment processor provides them with tokens as part of the transaction process. It’s an interesting approach, which can almost completely remove the PAN (Primary Account Number) from your environment.

Tokenization: Use Cases, Part 1

Thu, 05 Aug 2010 00:00:00 +0000

We have now discussed most of the relevant bits of technology for token server construction and deployment. Armed with that knowledge we can tackle the most important part of the tokenization discussion: use cases. Which model is right for your particular environment? What factors should be considered in the decision? The following three or four uses cases cover most of the customer situations we get calls asking for advice on. As PCI compliance is the overwhelming driver for tokenization at this time, our first two use cases will focus on different options for PCI-driven deployments.

Incite 8/4/2010: Letters for Everyone

Wed, 04 Aug 2010 00:00:00 +0000

As I mentioned in the Mailbox Vigil, we don’t put much stock in snail mail anymore. Though we did get a handful of letters from XX1 (oldest daughter) from sleepaway camp, aside from that it’s bills and catalogs. That said, every so often you do get entertained by the mail. A case in point happened when we got back from our summer pilgrimage to the Northern regions this weekend (which is why there was no Incite last week).

What Do We Learn at Black Hat/DefCon?

Tue, 03 Aug 2010 00:00:00 +0000

Actually I learned nothing because I wasn’t there. Total calendar fail on my part, as a family vacation was scheduled during Black Hat week. You know how it goes. The Boss says, “how is the week of July 26 for our week at the beach?” BH is usually in early August, so I didn’t think twice.

GSM Cell Phones to Be Intercepted in Defcon Demonstration

Mon, 26 Jul 2010 00:00:00 +0000

This hit Slashdot today, and I expect the mainstream press to pick it up fairly soon. Chris Paget will be intercepting cell phone communications at Defcon during a live demonstration.

Tokenization: Series Index

Mon, 26 Jul 2010 00:00:00 +0000

Understanding and Selecting a Tokenization Solution:

Tokenization: Token Servers, Part 3, Deployment Models

Mon, 26 Jul 2010 00:00:00 +0000

We have covered the internals of token servers and talked about architecture and integration of token services. Now we need to look at some of the different deployment models and how they match up to different types of businesses. Protecting medical records in multi-company environments is a very different challenge than processing credit cards for thousands of merchants.

Death, Irrelevance, and a Pig Roast

Fri, 23 Jul 2010 00:00:00 +0000

There is nothing like a good old-fashioned mud-slinging battle. As long as you aren’t the one covered in mud, that is. I read about the Death of Snort and started laughing. The first thing they teach you in marketing school is when no one knows who you are, go up to the biggest guy in the room and kick them in the nuts. You’ll get your ass kicked, but at least everyone will know who you are.

Friday Summary: July 23, 2010

Fri, 23 Jul 2010 00:00:00 +0000

A couple weeks ago I was sitting on the edge of the hotel bed in Boulder, Colorado, watching the immaculate television. A US-made 30” CRT television in “standard definition”. That’s cathode ray tube for those who don’t remember, and ‘standard’ is the marketing term for ‘low’. This thing was freaking horrible, yet it was perfect. The color was correct. And while the contrast ratio was not great, it was not terrible either. Then it dawned on me that the problem was not the picture, as this is the quality we used to get from televisions. Viewing an old set, operating exactly the same way they always did, I knew the problem was me. High def has so much more information, but the experience of watching the game is the same now as it was then. It hit me just how much our brains were filling in missing information, and we did not mind this sort of performance 10 years ago because it was the best available. We did not really see the names on the backs of football jerseys during those Sunday games, we just thought we did. Heck, we probably did not often make out the numbers either, but somehow we knew who was who. We knew where our favorite players on the field were, and the red streak on the bottom of the screen pounding a blue colored blob must be number 42. Our brain filled in and sharpened the picture for us.

Tokenization: Token Servers, Part 2 (Architecture, Integration, and Management)

Fri, 23 Jul 2010 00:00:00 +0000

Our last post covered the core functions of the tokenization server. Today we’ll finish our discussion of token servers by covering the externals: the primary architectural models, how other applications communicate with the server(s), and supporting systems management functions.

Tokenization: Token Servers

Thu, 22 Jul 2010 00:00:00 +0000

In our previous post we covered token creation, a core feature of token servers. Now we’ll discuss the remaining behind-the-scenes features of token servers: securing data, validating users, and returning original content when necessary. Many of these services are completely invisible to end users of token systems, and for day to day use you don’t need to worry about the details. But how the token server works internally has significant effects on performance, scalability, and security. You need to assess these functions during selection to ensure you don’t run into problems down the road.

Incite 7/20/2010: Visiting Day

Wed, 21 Jul 2010 00:00:00 +0000

Back when I went to sleepaway camp as a kid I always looked forward to Visiting Day. Mostly for the food, because after a couple weeks of camp food anything my folks brought up was a big improvement. But I admit it was great to see the same families year after year (especially the family that brought enough KFC to feed the entire camp) and to enjoy a day of R&R with your own family before getting back to the serious business of camping.

The Cancer within Evidence Based Research Methodologies

Wed, 21 Jul 2010 00:00:00 +0000

Alex Hutton has a wonderful must-read post on the Verizon security blog on Evidence Based Risk Management.

Alex and I (along with others including Andrew Jaquith at Forrester, as well as Adam Shostack and Jeff Jones at Microsoft) are major proponents of improving security research and metrics to better inform the decisions we make on a day to day basis. Not just generic background data, but the kinds of numbers that can help answer questions like “Which security controls are most effective under XYZ circumstances?”

FireStarter: an Encrypted Value Is Not a Token!

Mon, 19 Jul 2010 00:00:00 +0000

We’ve been writing a lot on tokenization as we build the content for our next white paper, and in Adrian’s response to the PCI Council’s guidance on tokenization. I want to address something that’s really been ticking me off…

Pricing Cyber-Policies

Mon, 19 Jul 2010 00:00:00 +0000

Every time I think I’m making progress on controlling my cynical gene, I see something that sets me back almost to square one. I’ve been in this game for a long time, and although I think subconsciously I know some things are going on, it’s still a bit shocking to see them in print.

Tokenization: The Tokens

Sun, 18 Jul 2010 00:00:00 +0000

In this post we’ll dig into the technical details of tokens. What they are and how they are created; as well as some of the options for security, formatting, and performance. For those of you who read our stuff and tend to skim the more technical posts, I recommend you stop and pay a bit more attention to this one. Token generation and structure affect the security of the data, the ability to use the tokens as surrogates in other applications, and the overall performance of the system. In order to differentiate the various solutions, it’s important to understand the basics of token creation.

Comments on Visa’s Tokenization Best Practices

Fri, 16 Jul 2010 00:00:00 +0000

If you are interested in tokenization, check out Visa’s Tokenization Best Practices guide, released this week. The document is a very short four pages. It highlights the basics and is helpful in understanding minimum standards for deployment. That said, I think some simple changes would make the recommendations much better and deployments more secure.

Color-blind Swans and Incident Response

Thu, 15 Jul 2010 00:00:00 +0000

I read Nassim Taleb’s “Black Swan” a few years ago and it was very instructive for me. I wrote about it a few times in a variety of old Incites (here and here), and the key message I took away was the futility of trying to build every scenario into a threat model, defensive posture, or security strategy.

Friday Summary: July 15, 2010

Thu, 15 Jul 2010 00:00:00 +0000

I’ve been living full time in Phoenix, Arizona for about 5 years now, and about 2 years part time before that. This was after spending my entire adult life in Boulder Colorado thanks to parole at the age of 18 from New Jersey. Despite still preferring the Broncos over the Cardinals, I think I’ve mostly adjusted to the change.

Home Business Payment Security

Wed, 14 Jul 2010 00:00:00 +0000

We have covered this before, but every now and again I run into a new slant on who bears responsibility for online transaction safety. Bank? Individual? If both, where do the responsibilities begin and end?

Incite 7/14/2010: Mello Yello

Wed, 14 Jul 2010 00:00:00 +0000

I’m discovering that you do mellow with age. I remember when I first met the Boss how mellow and laid back her Dad was. Part of it is because he doesn’t hear too well anymore, which makes him blissfully unaware of what’s going on. But he’s also mellowed, at least according to my mother in law. He was evidently quite a hothead 40 years ago, but not any more. She warned me I’d mellow too over time, but I just laughed. Yeah, yeah, sure I will.

Simple Ideas to Start Improving the Economics of Cybersecurity

Wed, 14 Jul 2010 00:00:00 +0000

Today Howard Schmidt meets with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano to discuss ideas for changing the economics of cybersecurity. Howard knows his stuff, and recognizes that this isn’t a technology problem, nor something that can be improved with some new security standard or checklist. Crime is a function of economics, and electronic crime is no exception.

Tokenization Architecture: The Basics

Tue, 13 Jul 2010 00:00:00 +0000

Fundamentally, tokenization is fairly simple. You are merely substituting a marker of limited value for something of greater value. The token isn’t completely valueless – it is important within its application environment – but that value is limited to the environment, or even a subset of that environment.

Preliminary Results from the Data Security Survey

Mon, 12 Jul 2010 00:00:00 +0000

We’ve seen an absolutely tremendous response to the data security survey we launched last month. As I write this we are up to 1,154 responses, with over 70% of respondents completing the entire survey. Aside from the people who took the survey, we also received some great help building the survey in the first place (especially from the Security Metrics community). I’m really loving this entire open research thing.

Friday Summary: July 9, 2010

Fri, 09 Jul 2010 00:00:00 +0000

Today is the deadline for RSA speaker submissions, so the entire team was scrambling to get our presentation topics submitted before the server crash late rush. One of the things that struck me about the submission suggestions is that general topics are discouraged. RSA notes in the submission guidelines that 60% of the attendees have 10 or more years of security experience. I think the idea is that, if your audience is more advanced, introductory or general audience presentations don’t hold the audience’s attention so intermediate and advanced sessions are encouraged. And I bet they are right about that, given the success of other venues like BlackHat, Defcon, and Security B-Sides. Still, I wonder if that is the right course of action. Has security become a private club? Are we so caught up in the security ‘echo chamber’ we forget about the mid-market folks without the luxury of full-time security experts on staff? Perhaps security just is not very interesting without some novel new hack. Regardless, it seems like it’s the same group of us, year after year, talking about the same set of issues and problems.

Taking the High Road

Fri, 09 Jul 2010 00:00:00 +0000

This is off topic but I need to vent a bit. I’ve followed the LeBron James free-agency saga with amusement. Thankfully I was in the air last night during the “Decision” TV special, so I didn’t have any temptation to participate in the narcissistic end of a self-centered two weeks. LeBron and his advisors did a masterful job of playing the media, making them believe anything was possible, and then doing the smartest thing and heading to Miami to join the Heat.

Top 3 Steps to Simplify DLP without Compromise

Fri, 09 Jul 2010 00:00:00 +0000

Just when I thought I was done talking about DLP, interest starts to increase again. Below is an article I wrote up on how to minimize the complexity of a DLP deployment. This was for the Websense customer newsletter/site, but is my usual independent perspective.

School’s out for Summer

Thu, 08 Jul 2010 00:00:00 +0000

I saw an interesting post on InformationWeek about protecting your network and systems from the influx of summer workers. The same logic goes for the December holidays – when additional help is needed to stock shelves, pack boxes, and sell things. These temporary folks can do damage – more because they have no idea what they can/should do rather than thanks to any malicious intent.

Incite 7/7/2010: The Mailbox Vigil

Wed, 07 Jul 2010 00:00:00 +0000

The postman (or postwoman) doesn’t really get any love. Not any more. In the good old days, we’d always look forward to what goodies the little white box truck, with the steering wheel on the wrong side, would bring. Maybe it was a birthday card (with a check from Grandma). Or possibly a cool catalog. Or maybe even a letter from a friend.

Understanding and Selecting SIEM/LM: Selection Process

Fri, 02 Jul 2010 00:00:00 +0000

Now that you thoroughly understand the use cases and technology underpinning of SIEM and Log Management platforms, it’s time to flex your knowledge and actually buy one. As with most of our research at Securosis, we favor mapping out a very detailed process, and leaving you to decide which steps make sense in your situation. So we don’t expect every organization to go through every step in this process. Figure out what will work for your organization and do that.

Friday Summary: July 1, 2010

Thu, 01 Jul 2010 00:00:00 +0000

Earlier this week I was at the gym. I’d just finished a pretty tough workout and dropped down to the cafe area to grab one of those adult candy bars that tastes like cardboard and claims to give you muscles, longer life, and sexual prowess while climbing mountains. At least, that’s what I think they claim based on the pictures on the box. (And as a former mountain rescue professional, the technical logistics of the last claim aren’t worth the effort and potential injuries to sensitive bits).

IBM gets a BigFix for Tivoli Endpoint Management

Thu, 01 Jul 2010 00:00:00 +0000

IBM continues to be aggressive with acquisitions, grabbing BigFix today for an undisclosed amount. Given BigFix’s aspirations (they were moving toward a public offering), I’m a bit surprised the economics weren’t disclosed, but it was likely a decent sized deal.

Know Your Adversary

Thu, 01 Jul 2010 00:00:00 +0000

I spent some time on the road this week, and it was great to see some old friends, meet some new ones, come up to speed on some topics, and more than anything take some time to listen. With my head full of dancing fairies relative to what’s really going on out there, I was interested when I came across Jack Freund’s post on the RiskAnalysis blog called “Executives are not Stupid.” Jack leads off the discussion by mentioned that “You don’t fall into a job to run a company or a line of business.”

Tokenization: the Business Justification

Thu, 01 Jul 2010 00:00:00 +0000

Justifying an investment in tokenization is actually two separate steps – first justifying an investment to protect the data, and then choosing to use tokenization.

Understanding and Selecting SIEM/LM: Integration

Thu, 01 Jul 2010 00:00:00 +0000

They say that no man is an island, and in the security space that’s very true. No system is, either – especially those tasked with some kind of security management. We get caught up in SIEM and Log Management platforms to suck in every piece of information they can to help with event correlation and analysis, but when it comes down to it security management is just one aspect of an enterprise’s management stack. SIEM/Log Management is only one discipline in the security management chain, and must feed some portion of its analysis to supporting systems. So clearly integration is key, both to getting value from SIEM/LM, and to making sure the rest of the organization is on board with buying and deploying the technology.

Incite 6/30/2010: Embrace Individuality

Wed, 30 Jun 2010 00:00:00 +0000

I still go see a lot of live music. Yes, it’s a luxury, but I’d rather give something else up than my handful (OK, maybe two handfuls) of shows every year. On Monday night we saw Sting with his big orchestra. It was definitely a more mellow show than when we saw him a few years ago with his band (right, The Police), but it was a good show nonetheless.

Understanding and Selecting a Tokenization Solution: Introduction

Wed, 30 Jun 2010 00:00:00 +0000

Updated: 06/30/2010

One of the most daunting tasks in information security is protecting sensitive data in (often complex and distributed) enterprise applications. Even the most hardened security professionals enters these projects with at least a modicum of trepidation. Coordinating effective information protection across application, database, storage, and server teams is challenging under the best of circumstances – and much tougher when also facing the common blend of legacy systems and conflicting business requirements.

Understanding and Selecting SIEM/LM: Advanced Features

Wed, 30 Jun 2010 00:00:00 +0000

We’ve already discussed the basic features of a SIEM/Log Management platform, including collection, aggregation and normalization, correlation and alerting, reporting and forensics, and deployment architectures. But these posts cover the core functions, and are part of what each products in the space will bring to the table.

Understanding and Selecting SIEM/LM: Data Management

Tue, 29 Jun 2010 00:00:00 +0000

We covered SIEM and Log Management deployment architectures in depth to underscore how different models are used to deal with scalability and data management issues. In some cases these deployment choices are driven by the underlying data handling mechanism within the product. In other words each platform stores and manages data differently – these decisions have significant impact on product scalability, data management, and reporting & forensics capabilities. Here we discuss the different internal data storage models, with advantages and disadvantages of each.

DB Quant: Manage Metrics, Part 3, Change Management

Fri, 25 Jun 2010 00:00:00 +0000

Believe it or not, we are down to our final metrics post! We’re going to close things out today with change management – something that isn’t specific to security, but comes with security implications.

Friday Summary: June 25, 2010

Fri, 25 Jun 2010 00:00:00 +0000

Thursday was totally shot. I wasted the entire day standing around. Eight hours and twenty nine minutes standing in line. I got in line at 5:50 AM and did not get back in my car until 3:00.

Are Secure Web Apps Possible?

Thu, 24 Jun 2010 00:00:00 +0000

We security folks are a tough crowd, and we have trouble understanding why stuff that is obvious to us isn’t so obvious to everyone else. We wonder why app developers can’t understand how to develop a secure application. Why can’t they grok SDL or run a damn scanner against the application before it goes live? Q/A? Ha. Obviously that’s for losers. And those sentiments aren’t totally misplaced. There is a tremendous amount of apathy regarding software security, and the incentives for developers to do it right just aren’t there.

Incite 6/23/2010: Competitive Fire

Wed, 23 Jun 2010 00:00:00 +0000

I’ve always been pretty competitive. For instance, back in high school my friends and I would make boasts about how we’d have more of this or that, and steal the other’s wife, etc. Yes, it was silly high school ego run rampant, but I thought life was a zero sum game back then. Win/win was not in my vocabulary. I win, you lose, that’s it.

The Open Source Database Security Project

Wed, 23 Jun 2010 00:00:00 +0000

I am thinking about writing a guide to secure open source databases, including verification queries. Do you all think that would be useful?

Trustwave, Acquisitions, PCI, and Navigating Conflicts of Interest

Tue, 22 Jun 2010 00:00:00 +0000

This morning Trustwave announced their acquisition of Breach Security, the web application firewall vendor.

Trustwave’s been on an acquisition streak for a while now, picking up companies such as Mirage (NAC), Vericept (DLP), BitArmor (encryption), and Intellitactics (log management/SIEM). Notice any trends? All these products have a strong PCI angles, none of the companies were seeing strong sales (Trustwave doesn’t do acquisitions for large multiples of sales), and all were more mid-market focused.

Understanding and Selecting SIEM/LM: Deployment Models

Tue, 22 Jun 2010 00:00:00 +0000

We have covered the major features and capabilities of SIEM and Log Management tools, so now let’s discuss architecture and deployment models. Each architecture addresses a specific issue, such as coverage for remote devices, scaling across hundreds of thousands of devices, real-time analysis, or handling millions of events per second. Each has advantages and disadvantages in analysis performance, reporting performance, scalability, storage, and cost.

FireStarter: Is Full Disk Encryption without Pre-Boot Secure?

Mon, 21 Jun 2010 00:00:00 +0000

This FireStarter is more of a real conversation starter than a definitive statement designed to rile everyone up.

Over the past couple months I’ve talked with a few organizations – some of them quite large – deploying full disk encryption for laptops but skipping the pre-boot environment.

Return of the Security Start-up?

Mon, 21 Jun 2010 00:00:00 +0000

As Rich described on Friday, he, Adrian, and I were sequestered at the end of last week working on our evil plans for world domination. But we did take some time for meetings, and we met up with a small company, the proverbial “last company standing” in a relatively mature market. All their competitors have been acquired and every deal they see involves competing with a multi-billion dollar public company.

Friday Summary: June 18, 2009

Fri, 18 Jun 2010 00:00:00 +0000

Dear Securosis readers,

The Friday Summary is currently unavailable. Our staff is at an offsite in an undisclosed location completing our world domination plans. We apologize for the inconvenience, and instead of our full summary of the week’s events here are a few links to keep you busy. If you need more, Mike Rothman suggests you “find your own &%^ news”.

Doing Well by Doing Good (and Protecting the Kids)

Thu, 17 Jun 2010 00:00:00 +0000

My kids are getting more sophisticated in their computer usage. I was hoping I could put off the implementation of draconian security controls on their computers for a while. More because I’m lazy and it will dramatically increase the amount of time I spend supporting the in-house computers. But hope is not a strategy, my oldest will be 10 this year, and she is curious – so it’s time.

Incite 6/16/2010: Fenced in

Wed, 16 Jun 2010 00:00:00 +0000

I spent last weekend at my 20th college reunion. I dutifully flew into Ithaca, NY to see many Cornell friends and (fraternity) brothers. It was a great trip, but I did have an experience that reminded me I’m no spring chicken any more.

Take Our Data Security Survey & Win an iPad

Wed, 16 Jun 2010 00:00:00 +0000

One of the biggest problems in security is that we rarely have a good sense of which controls actually improve security outcomes. This is especially true for newer areas like data security, filled with tools and controls that haven’t been as well tested or widely deployed as things like firewalls.

Need to know the time? Ask the consultant.

Tue, 15 Jun 2010 00:00:00 +0000

You all know the story. If you need to know the time, ask the consultant, who will then proceed to tell you the time from your own watch. We all laugh, but there is a lot of truth in this joke – as there usually is. Consultants are a necessary evil for many of us. We don’t have the leeway to hire full time employees (especially when Wall Street is still watching employee rolls like hawks), but we have too much work to do. So we bring in some temporary help to get stuff done.

Top 5 Security Tips for Small Business

Tue, 15 Jun 2010 00:00:00 +0000

We in the security industry tend to lump small and medium businesses together into “SMB”, but there are massive differences between a 20-person retail outlet and even a 100-person operation. These suggestions are specifically for small businesses with limited resources, based on everything we know about the latest threats and security defenses.

If You Had a 3G iPad Before June 9, Get a New SIM

Mon, 14 Jun 2010 00:00:00 +0000

If you keep up with the security news at all, you know that on June 9th the email addresses and the device ICC-ID for at least 114,000 3G iPad subscribers were exposed.

Friday Summary: June 11, 2010

Fri, 11 Jun 2010 00:00:00 +0000

This Monday’s FireStarter prompted a few interesting behind-the-scenes conversations with a handful of security vendors centering on product strategy in the face of the recent acquisitions in Database Activity Monitoring. The questions were mostly around the state of the database activity monitoring market, where it is going, and how the technology complements and competes with other security technologies. But what I consider a common misconception came up in all of these exchanges, having to do with the motivation behind Oracle & IBMs recent acquisitions. The basic premise went something like: “Of course IBM and Oracle made investments into DAM – they are database vendors. They needed this technology to secure databases and monitor transactions. Microsoft will be next to step up to the plate and acquire one of the remaining DAM vendors.”

Insider Threat Alive and Well

Fri, 11 Jun 2010 00:00:00 +0000

Is it me or has the term “insider threat” disappeared from security marketing vernacular? Clearly insiders are still doing their thing. Check out a recent example of insider fraud at Bank of America. The perpetrator was a phone technical support rep, who would steal account records when someone called for help. Awesome.

Understanding and Selecting SIEM/LM: Reporting and Forensics

Thu, 10 Jun 2010 00:00:00 +0000

Reporting and Forensics are the principal products of a SIEM system. We have pushed, prodded, and poked at the data to get it into a manageable format, so now we need to put it to use. Reports and forensic analysis are the features most users work with on a day to day basis. Collection, normalization, correlation and all the other things we do are just to get us to the point where we can conduct forensics and report on our findings. These features play a big part in customer satisfaction, so while we’ll dig in to describe how the technology works, we will also discuss what to look for when making buying decisions.

Incite 6/9/2010: Creating Excitement

Wed, 09 Jun 2010 00:00:00 +0000

Some businesses are great at creating excitement. Take Apple, for instance. They create demand for their new (and upgraded) products, which creates a feeding frenzy when the public can finally buy the newest shiny object. 2 million iPads in 60 days is astounding. I suspect they’ll move a bunch of iPhone 4 units on June 24 as well (I know I’ll be upgrading mine and the Boss’). They’ve created a cult around their products, and it generates unbelievable excitement whenever there is a new toy to try.

Draft Data Security Survey for Review

Mon, 07 Jun 2010 00:00:00 +0000

Hey everyone,

As mentioned the other day, I’m currently putting together a big data security survey to better understand what data security technologies you are using, and how effective they are.

FireStarter: Get Ready for Oracle’s New WAF

Mon, 07 Jun 2010 00:00:00 +0000

We have written a lot about Oracle’s acquisition of Secerno: the key points of the acquisition, the Secerno technology, and some of the business benefits Oracle gets with the Secerno purchase. We did so mainly because Database Activity Monitoring (DAM) is a technology that Rich and I are intimately familiar with, and this acquisition shakes up the entire market. But we suspect there is more. Rich and I have a feeling that this purchase signals Oracle’s mid-term security strategy, and the Secerno platforms will comprise the key component. We don’t have any inside knowledge, but there are too many signals to go unnoticed so we are making a prediction, and our analysis goes something like this:

Friday Summary: June 4, 2010

Thu, 03 Jun 2010 00:00:00 +0000

There’s nothing like a crisis to bring out the absolute stupidity in a person… especially if said individual works for a big company or government agency. This week alone we’ve had everything from the ongoing BP disaster (the one that really scares me) to the Israeli meltdown. And I’m sure Sarah Palin is in the mix there someplace.

The Public/Private Pendulum Keeps Swinging

Thu, 03 Jun 2010 00:00:00 +0000

They say the grass is always greener on the other side, and I guess for some folks it is. Most private companies (those which believe they have sustainable businesses, anyway) long for the day when they will be able to trade on the public markets. They know where the Ferrari deal is, and seem to dismiss the angst of Sarbanes-Oxley. On the other hand, most public companies would love the freedom of not having to deal with the quarterly spin cycle and those pesky shareholders who want growth now.

White Paper Released: Endpoint Security Fundamentals

Thu, 03 Jun 2010 00:00:00 +0000

Endpoint Security is a pretty broad topic. Most folks associate it with traditional anti-virus or even the newfangled endpoint security suites. In our opinion, looking at the issue just from the perspective of the endpoint agent is myopic. To us, endpoint security is as much a program as anything else.

Incite 6/2/2010: Smuggler’s Blues

Wed, 02 Jun 2010 00:00:00 +0000

Given the craziness of my schedule, I don’t see a lot of movies in the theater anymore. Hard to justify the cost of a babysitter for a movie, when we can sit in the house and watch movies (thanks, Uncle Netflix!). But the Boss does take the kids to the movies because it’s a good activity, burns up a couple hours (especially in the purgatory period between the end of school and beginning of camp), and most of the entertainment is pretty good.

Thoughts on Privacy and Security

Wed, 02 Jun 2010 00:00:00 +0000

I was catching up on my reading today, and this post by Richard Bejtlich reminded me of the tension we sometimes see between security and privacy. Richard represents the perspective of a Fortune 5 security operator who is tasked with securing customer information and intellectual property, while facing a myriad of international privacy laws – some of which force us to reduce security for the sake of privacy (read the comments).

Understanding and Selecting a SIEM/LM: Correlation and Alerting

Wed, 02 Jun 2010 00:00:00 +0000

Continuing our discussion of core SIEM and Log Management technology, we now move into event correlation. This capability was the holy grail that drove most investment in early SIEM products, and probably the security technology creating the most consistent disappointment amongst its users. But ultimately the ability to make sense of the wide variety of data streams, and use them to figure out what is under attack or compromised, is essential to any security practice. This means that despite the disappointments, there will continue to be plenty of interest in correlation moving forward.

FireStarter: In Search of… Solutions

Tue, 01 Jun 2010 00:00:00 +0000

A holy grail of technology marketing is to define a product category. Back in the olden days of 1998, it was all about establishing a new category with interesting technology and going public, usually on nothing more than a crapload of VC money and a few million eyeballs.

On “Security engineering: broken promises”

Tue, 01 Jun 2010 00:00:00 +0000

Recently Michael Zalewski posted a rant about the state of security engineering in Security engineering: broken promises. I posted my initial response to this on Twitter: “Great explanation of the issue, zero thoughts on solutions. Bored now.” I still stand behind that response. As a manager, problems without potential solutions are useless to me. The solutions don’t need to be deep technical solutions – sometimes the solution is to monitor or audit. Sometimes the solution is to do nothing, accept the risk, and make a note of it in case it comes up in conversation or an audit.

Friday Summary: May 28, 2010

Fri, 28 May 2010 00:00:00 +0000

We get a lot of requests to sponsor this blog. We got several this week. Not just the spammy “Please link with us,” or “Host our content and make BIG $$$” stuff. And not the PR junk that says “We are absolutely positive your readers would just love to hear what XYZ product manager thinks about data breaches,” or “We just released 7.2.2.4 version of our product, where we changed the order of the tabs in our web interface!” Yeah, we get fascinating stuff like that too. Daily. But that’s not what I am talking about. I am talking about really nice, personalized notes from vendors and others interested in supporting the Securosis site. They like what we do, they like that we are trying to shake things up a bit, and they like the fact that we are honest in our opinions. So they write really nice notes, and they ask if they can give us money to support what we do.

The Hidden Costs of Security

Fri, 28 May 2010 00:00:00 +0000

When I was abroad on vacation recently, the conversation got to the relative cost of petrol (yes, gasoline) in the States versus pretty much everywhere else. For those of you who haven’t travelled much, fuel tends to be 70-80% more expensive elsewhere. Why is that?

Understanding and Selecting SIEM/LM: Aggregation, Normalization, and Enrichment

Thu, 27 May 2010 00:00:00 +0000

In the last post on Data Collection we introduced the complicated process of gathering data. Now we need to understand how to put it into a manageable form for analysis, reporting, and long-term storage for forensics.

Code Re-engineering

Wed, 26 May 2010 00:00:00 +0000

I just ran across a really interesting blog post by Joel Spolsky from last April: Things You Should Never Do, Part 1. Actually. the post pissed me off. This is one of those hot-button topics that I have had to deal with several times in my career, and have had to manage in the face of entrenched beliefs. His statement is t hat you should never rewrite a code base from scratch. The reasoning is “No major firm has ever successfully survived a product rewrite. Just look at Netscape … ” Whatever.

Gaming the Tetragon

Wed, 26 May 2010 00:00:00 +0000

Rich highlighted a great post from Rocky DiStefano of Visible Risk in today’s Incite:

Blame the addicts – When I was working at Gartner, nothing annoyed me more than those client calls where all they wanted me to do was read them the Magic Quadrant and confirm that yes, that vendor really is in the upper right corner. I could literally hear them checking their “talked to the analyst” box. An essential part of the due diligence process was making sure their vendor was a Leader, even if it was far from the best option for them. I guess no one gets fired for picking the upper right. Rocky DeStefano nails how people see the Magic Quadrant in his Tetragon of Prestidigitation post. Don’t blame the analyst for giving you what you demand – they are just giving you your fix, or you would go someplace else. – RM

Incite 5/26/2010: Funeral for a Friend

Wed, 26 May 2010 00:00:00 +0000

I don’t like to think of myself as a sentimental guy. I have very few possessions that I really care about, and I don’t really fall into the nostalgia trap. But I was shaken this week by the demise of a close friend. We were estranged for a while, but about a year ago we got back in touch and now that’s gone.

Quick Wins with DLP Presentation

Wed, 26 May 2010 00:00:00 +0000

Yesterday I gave this presentation as a webcast for McAfee, but somehow my last 8 slides got dropped from the deck. So, as promised, here is a PDF of the slides.

A Phish Called Tabby

Tue, 25 May 2010 00:00:00 +0000

Thanks to Aza Raskin, this week we learned of a new phishing attack, dubbed “tabnabbing” by Brian Krebs. It opening a tab (unbeknownst to the user), changes the favicon, and does a great job of impersonating a web page – or a bank account, or any other phishing target. Through the magic of JavaScript, the tabs can be controlled and the attack made very hard to detect since it preys on the familiarity of users with common webmail and banking interfaces.

Thoughts on Diversity and False Diversity

Tue, 25 May 2010 00:00:00 +0000

Mike Bailey highlights a key problem with web applications in his post on diversity. Having dealt with these issues as a web developer (a long time ago), I want to add a little color.

Understanding and Selecting SIEM/LM: Data Collection

Tue, 25 May 2010 00:00:00 +0000

The first four posts our the SIEM series dealt with understanding what SIEM is, and what problems it solves. Now we move into how to select the right product/solution/service for your organization, and that involves digging into the technology behind SIEM and log management platforms. We start with the foundation of every SIEM and Log Management platform: data collection. This is where we collect data from the dozens of different types of devices and applications we monitor. ‘Data’ has a pretty broad meaning – here it typically refers to event and log records but can also include flow records, configuration data, SQL queries, and any other type of standard data we want to pump into the platform for analysis.

FireStarter: The Only Value/Loss Metric That Matters

Mon, 24 May 2010 00:00:00 +0000

As some of you know, I’ve always been pretty critical of quantitative risk frameworks for information security, especially the Annualized Loss Expectancy (ALE) model taught in most of the infosec books. It isn’t that I think quantitative is bad, or that qualitative is always materially better, but I’m not a fan of funny math.

The Laziest Phisher in the World

Fri, 21 May 2010 00:00:00 +0000

I seriously got this last night and just had to share. It’s the digital equivalent of sending someone a letter that says, “Hello, this is a robber. Please put all your money in a self addressed stamped envelope and mail it to…”

The Secerno Technology

Fri, 21 May 2010 00:00:00 +0000

I ran long on yesterday’s Oracle Buys Secerno, but it is worth diving into Secerno’s technology to understand why this is a good fit for Oracle. I get a lot of questions about Secerno product, from customers unclear how the technology works. Even other database activity monitoring vendors ask – some because they want to know what the product is really capable of, others who merely want to vent their frustration at me for calling Secerno unique. And make no mistake – Secerno is unique, despite competitor claims to the contrary. Unlike every other vendor in the market, Secerno analyzes the SQL query construct. They profile valid queries, and accept only queries that have the right structure. This is not content monitoring, not traditional behavioral monitoring, not context monitoring, and not even attribute-based monitoring, but looking at the the query language itself. Consider that any SQL query (e.g., SELECT, INSERT, UPDATE, CREATE, etc.) has dozens of different options, allowing hundreds of variations. You can build very complex logic, including embedding other queries and special characters. Consider an Oracle INSERT operation as an example. The (pseudo) code might look like:

Australian Border Security Insanity