<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Research Papers on Securosis</title><link>/research/papers/</link><description>Recent content in Research Papers on Securosis</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 23 Apr 2024 00:00:00 +0000</lastBuildDate><atom:link href="/research/papers/index.xml" rel="self" type="application/rss+xml"/><item><title>The Universal Cloud Threat Model</title><link>/research/papers/the-universal-cloud-threat-model-for-cloud-native-security/</link><pubDate>Tue, 23 Apr 2024 00:00:00 +0000</pubDate><guid>/research/papers/the-universal-cloud-threat-model-for-cloud-native-security/</guid><description>&lt;p&gt;The Universal Cloud Threat Model is a collaboration between &lt;a href="https://www.primeharbor.com"&gt;PrimeHarbor Technologies&lt;/a&gt; and Securosis. It is a &lt;em&gt;cloud-centric&lt;/em&gt; threat model to help organizations focus security efforts on the most-common attacks most organizations will experience. The UCTM is designed as an adjunct to other threat models. From the introduction:&lt;/p&gt;</description></item><item><title>Modernizing SecOps for Cloud</title><link>/research/papers/modernizing-secops-for-cloud/</link><pubDate>Fri, 23 Feb 2024 00:00:00 +0000</pubDate><guid>/research/papers/modernizing-secops-for-cloud/</guid><description>&lt;p&gt;Security Operations, SecOps for short, has been one of the more difficult security domains to modernize for cloud. It requires a combination of new subject matter expertise, new technologies, process updates, and even a slightly different mindset. Cloud impacts SecOps in ways both obvious and subtle, and because most organizations still have datacenters and offices, teams need to add new skills and update operations while still supporting everything already on their plates. 
It’s a daunting challenge, but one that can be made much easier to tackle by distilling it down to the core of how cloud changes things and taking lessons from the successes of early adopters.&lt;/p&gt;</description></item><item><title>Data Security in the SaaS Age</title><link>/research/papers/data-security-in-the-saas-age/</link><pubDate>Sat, 26 Jun 2021 00:00:00 +0000</pubDate><guid>/research/papers/data-security-in-the-saas-age/</guid><description>&lt;p&gt;Data security remains elusive. You can think of it as something of a holy grail. We’ve been espousing the idea of data-centric security for years, focusing on protecting the data, so you can worry less about securing devices, networks, and associated infrastructure. As with most big ideas, it seemed like a good idea at the time.&lt;/p&gt;</description></item><item><title>Securing APIs: The New Application Attack Surface</title><link>/research/papers/securing-apis-the-new-application-attack-surface-2/</link><pubDate>Sat, 26 Jun 2021 00:00:00 +0000</pubDate><guid>/research/papers/securing-apis-the-new-application-attack-surface-2/</guid><description>&lt;p&gt;The way applications are built, deployed, and maintained in most organizations is being disrupted. Macro changes include the ongoing cloud migration disrupting the tech stack, new application design patterns bringing microservices to the forefront, and DevOps changing dev/release practices. 
As we’ve been slowly navigating this sea change, the common thread across these changes is increasing reliance on Application Programming Interfaces (APIs).&lt;/p&gt;</description></item><item><title>Security Hygiene: The First Line of Security</title><link>/research/papers/security-hygiene-the-first-line-of-security/</link><pubDate>Sat, 26 Jun 2021 00:00:00 +0000</pubDate><guid>/research/papers/security-hygiene-the-first-line-of-security/</guid><description>&lt;p&gt;After many decades as security professionals, it’s depressing to keep seeing the same issues and mistakes. It feels like we’re stuck in hacker Groundhog Day. Get up, clean up the mistakes made by users or administrators, handle a new attack, and fill out compliance reports, only to have to do it all over again the next day.&lt;/p&gt;</description></item><item><title>Enterprise DevSecOps</title><link>/research/papers/enterprise-devsecops-2/</link><pubDate>Tue, 10 Dec 2019 00:00:00 +0000</pubDate><guid>/research/papers/enterprise-devsecops-2/</guid><description>&lt;p&gt;This is our latest iteration on how to build a DevSecOps program. This research paper is the result of hundreds of hours of research and several hundred conversations with Fortune 1000 firms on the challenges companies face and the problems they are most interested in tackling. We go deep into covering all phases and facets of secure application development. And we did a complete reversal on the naming convention; from DevOps to DevSecOps. 
It became obvious during our calls that despite the idealism involved with leaving ‘Sec’ out of the title, security is getting short shrift and it needs to be called out.&lt;/p&gt;</description></item><item><title>Understanding and Selecting RASP 2019 Research Paper</title><link>/research/papers/understanding-and-selecting-rasp-2019-research-paper-2/</link><pubDate>Tue, 19 Nov 2019 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-rasp-2019-research-paper-2/</guid><description>&lt;p&gt;So what is RASP? Runtime Application Self-Protection (RASP) is an application security technology which embeds into an application or application runtime environment, examining requests at the application layer to detect attacks and misuse in real time. RASP functions in the application context, which enables it to monitor security – and apply controls – very precisely. This means better detection because you see what the application is being asked to do, and can also offer better performance, as you only need to check the relevant subset of policies for each request.&lt;/p&gt;</description></item><item><title>Security Monitoring State of the Union</title><link>/research/papers/security-monitoring-state-of-the-union/</link><pubDate>Mon, 27 May 2019 00:00:00 +0000</pubDate><guid>/research/papers/security-monitoring-state-of-the-union/</guid><description>&lt;p&gt;A few years ago we wrote a paper called &lt;em&gt;Security Monitoring Team of Rivals&lt;/em&gt;, which really highlighted the reality that you had to make your SIEM and security analytics products work together. The analytics platforms could not provide the broader capabilities delivered by the SIEM, especially in the areas of compliance and incident response. 
And the SIEM wasn’t really built to do higher end analytics, and it showed when trying to do anything but fairly simple correlation.&lt;/p&gt;</description></item><item><title>Multi-Cloud Key Management 2019</title><link>/research/papers/multi-cloud-key-management-2019/</link><pubDate>Thu, 16 May 2019 00:00:00 +0000</pubDate><guid>/research/papers/multi-cloud-key-management-2019/</guid><description>&lt;p&gt;Discussion on multi-cloud strategies is atop the list of inbound questions customers ask us. “How do you architect applications and what technologies will promote a cloud neutral approach?” is what is commonly asked, and all have a fear of vendor lock-in. As such, they want critical security controls to be under &lt;em&gt;their&lt;/em&gt; control. And given most customers worry over control of encryption keys, key management is always a major issue. As such, we are re-launching our research work on multi-cloud key management. Infrastructure as a Service entails handing over some security and operational control to the service provider. But responsibility for your data security does go along with it. Your provider ensures compute, storage, and networking components are secure from external attackers and other tenants, but &lt;em&gt;you&lt;/em&gt; must protect your data and application access to it. That means you need to control the elements of the cloud that relate to data access and security, to avoid any possibility of your cloud vendor(s) viewing it.&lt;/p&gt;</description></item><item><title>Making an Impact with Security Awareness Training</title><link>/research/papers/making-an-impact-with-security-awareness-training/</link><pubDate>Sat, 29 Dec 2018 00:00:00 +0000</pubDate><guid>/research/papers/making-an-impact-with-security-awareness-training/</guid><description>&lt;p&gt;If you want your organization to take security awareness training seriously, you need to plan for that. If you don’t know what success looks like, you are unlikely to get there. 
To define success you need a firm understanding of why the organization needs awareness training. We are talking about communicating business justification for security awareness training, and more importantly what results you expect from your organization’s investment of time and resources.&lt;/p&gt;</description></item><item><title>Scaling Network Security</title><link>/research/papers/scaling-network-security-2/</link><pubDate>Sat, 29 Dec 2018 00:00:00 +0000</pubDate><guid>/research/papers/scaling-network-security-2/</guid><description>&lt;p&gt;Existing network security architectures, based mostly on preventing attacks from external adversaries, don’t reflect the changing dynamics of enterprise networks. With business partners and other trusted parties needing more access to corporate data and the encapsulation of most application traffic in standard protocols (ports 80 and 443), digging a moat around your corporate network no longer provides the protection your organization needs. Additionally, network speeds continue to increase, putting a strain on inline network security controls that must scale at the same rate as the networks.&lt;/p&gt;</description></item><item><title>Evolving to Security Decision Support</title><link>/research/papers/evolving-to-security-decision-support-2/</link><pubDate>Fri, 01 Jun 2018 00:00:00 +0000</pubDate><guid>/research/papers/evolving-to-security-decision-support-2/</guid><description>&lt;p&gt;Not that it was ever really easy, but at least you used to know what tactics adversaries were using, and had a general idea of where they would end up, because you knew where your important data was, and which (single) type of device normally accessed it: the PC. It’s hard to believe we now long for the days of early PCs and centralized data repositories. 
Given the changes in the attack surface and capabilities of adversaries, you need a better way to assess your organization’s security posture, detect attacks, and determine applicable methods to work around and eventually remediate exposures in your environment.&lt;/p&gt;</description></item><item><title>Complete Guide to Enterprise Container Security</title><link>/research/papers/complete-guide-to-enterprise-container-security-2/</link><pubDate>Mon, 02 Apr 2018 00:00:00 +0000</pubDate><guid>/research/papers/complete-guide-to-enterprise-container-security-2/</guid><description>&lt;p&gt;Our newest paper, A Complete Guide to Enterprise Container Security, is a full update of our previous research on container security. A lot has happened over the last 18 months, which prompted a significant rewrite of our original content. As more organizations accept that containers are now the common media for applications, the platform focus is shifting to containers, with steps taken at each stage of the container lifecycle to ensure what actually goes into production is fully tested.&lt;/p&gt;</description></item><item><title>The Future of Security Operations</title><link>/research/papers/the-future-of-security-operations-2/</link><pubDate>Fri, 23 Mar 2018 00:00:00 +0000</pubDate><guid>/research/papers/the-future-of-security-operations-2/</guid><description>&lt;p&gt;Security teams are behind the 8 ball. It’s not like the infrastructure is getting less complicated. Or additional resources and personnel are dropping from the sky to save the day. Given that traditional security operations approaches will not scale to meet the requirements of protecting data in today’s complicated and increasingly cloud-based architectures, what to do? 
Well, we need to think differently.&lt;/p&gt;</description></item><item><title>Understanding Secrets Management</title><link>/research/papers/understanding-secrets-management-2/</link><pubDate>Tue, 02 Jan 2018 00:00:00 +0000</pubDate><guid>/research/papers/understanding-secrets-management-2/</guid><description>&lt;p&gt;If you’ve worked in IT or development you have seen it before: user names and passwords sitting in a file. When your database starts up, or when you run an automation script, it grabs the credentials it needs to function. The problem is obvious: admins and attackers alike know this common practice, and they both know where to look for easy access to applications and services.&lt;/p&gt;</description></item><item><title>Understanding and Selecting a DLP Solution v3</title><link>/research/papers/understanding-and-selecting-a-dlp-solution-v3-2/</link><pubDate>Sat, 30 Dec 2017 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-a-dlp-solution-v3-2/</guid><description>&lt;p&gt;Selecting DLP technology can still be very confusing, as various aspects of DLP have appeared in a variety of other product categories as value-add features, blurring the lines between purpose-built DLP solutions and traditional security controls, including next-generation firewalls and email security gateways. Meanwhile purpose-built DLP tools continue to evolve – expanding coverage, features, and capabilities to address advanced and innovative means of exfiltrating data.&lt;/p&gt;</description></item><item><title>Dynamic Security Assessment</title><link>/research/papers/dynamic-security-asssessment/</link><pubDate>Sun, 17 Dec 2017 00:00:00 +0000</pubDate><guid>/research/papers/dynamic-security-asssessment/</guid><description>&lt;p&gt;We have been fans of testing the security of infrastructure and applications – at least as long as we have been researching security. 
As useful as it is for understanding which devices and applications are vulnerable, a simple scan provides limited information. Penetration tests are useful because they provide a sense of what is really at risk. But a pen test is resource-intensive and expensive – especially if you use an external testing firm. And the results characterize your environment at a single point in time. As soon as you blink your environment has changed, and the validity of your findings starts to degrade.&lt;/p&gt;</description></item><item><title>Endpoint Advanced Protection</title><link>/research/papers/endpoint-advanced-protection-2/</link><pubDate>Thu, 09 Nov 2017 00:00:00 +0000</pubDate><guid>/research/papers/endpoint-advanced-protection-2/</guid><description>&lt;p&gt;Innovation comes and goes in security. Back in 2007 network security had been stagnant for more than a few years. It was the same old same old. Firewall does this. IPS does that. Web proxy does a third thing. None of them did their jobs particularly well, all struggling to keep up with attacks encapsulated in common protocols. Then the next generation firewall emerged, and it turned out that regardless of what it was called, it was more than a firewall. It was the evolution of the network security gateway.&lt;/p&gt;</description></item><item><title>Intro to Threat Operations</title><link>/research/papers/intro-to-threat-operations/</link><pubDate>Mon, 06 Nov 2017 00:00:00 +0000</pubDate><guid>/research/papers/intro-to-threat-operations/</guid><description>&lt;p&gt;Can you really ‘manage’ threats? Is that even a worthwhile goal? And how do you even define a threat? We have seen better descriptions of how adversaries operate by abstracting multiple attacks/threats into a campaign, capturing a set of interrelated attacks with a common mission. 
A campaign is a better way to think about how you are being attacked than the piecemeal approach of treating every attack as an independent event and defaulting to the traditional threat management cycle: Prevent (good luck!), Detect, Investigate, and Remediate.&lt;/p&gt;</description></item><item><title>Multi-cloud Key Management</title><link>/research/papers/multi-cloud-key-management/</link><pubDate>Wed, 24 May 2017 00:00:00 +0000</pubDate><guid>/research/papers/multi-cloud-key-management/</guid><description>&lt;p&gt;We are proud to announce the launch of our newest research paper, on multi-cloud key management, covering how to tackle data security and compliance issues in diverse cloud computing environments. Infrastructure as a Service entails handing over ownership and operational control of IT infrastructure to a third party. But responsibility for data security cannot go along with it. Your provider ensures compute, storage, and networking components are secure from external attackers and other tenants, but &lt;em&gt;you&lt;/em&gt; must protect your data and application access to it. Some of you trust your cloud providers, while others do not. Or you might trust one cloud service but not others. Regardless, to maintain control of your data you must engineer cloud security controls to ensure compliance with internal security requirements, as well as regulatory and contractual obligations. That means you need to control the elements of the cloud that relate to data access and security, to avoid any possibility of your cloud vendor(s) viewing it.&lt;/p&gt;</description></item><item><title>Securing SAP Cloud Environments</title><link>/research/papers/securing-sap-cloud-environments-3/</link><pubDate>Sat, 08 Apr 2017 00:00:00 +0000</pubDate><guid>/research/papers/securing-sap-cloud-environments-3/</guid><description>&lt;p&gt;Migrating Hana and other SAP applications to a cloud environment is a complicated process, even with the tools and services SAP provides. 
For many organizations security was the primary barrier to adoption. But SAP and other cloud service vendors have closed many security gaps, so now we can trust that the environment and applications are at least as secure as an on-premise installation – &lt;em&gt;provided you leverage appropriate security models for the cloud&lt;/em&gt;. But that’s where we often see a breakdown: enterprises are not taking sufficient advantage of cloud security. Additionally, because there is no single model for SAP cloud security, transitioning other business applications to the cloud often results in greater cost, less scalability, and decreased security. From the paper:&lt;/p&gt;</description></item><item><title>Security Analytics Team of Rivals</title><link>/research/papers/security-analytics-team-of-rivals/</link><pubDate>Thu, 06 Apr 2017 00:00:00 +0000</pubDate><guid>/research/papers/security-analytics-team-of-rivals/</guid><description>&lt;p&gt;Given the challenges in detecting attackers, clearly existing approaches to threat detection aren’t working well enough. As such, innovative companies are bringing new products to market to address the perceived issues with existing technologies. These security analytics offerings basically use better math to detect attackers, leveraging techniques that didn’t exist when existing tools hit the market 10 years ago. The industry’s marketing machinery is making these new analytics tools akin to the Holy Grail, but per usual the hype far outstrips the reality.&lt;/p&gt;</description></item><item><title>Assembling A Container Security Program</title><link>/research/papers/assembling-a-container-security-program/</link><pubDate>Wed, 04 Jan 2017 00:00:00 +0000</pubDate><guid>/research/papers/assembling-a-container-security-program/</guid><description>&lt;p&gt;Our paper, Assembling a Container Security Program, covers a broad range of topics around how to securely build, manage, and deploy containers. 
During our research we learned that issues often arise early in the software development or container assembly portion of the build process, so we cover much more than merely runtime security – the focus of most container security research. We also discovered that operations teams struggle with getting control over containers, so we also cover a number of questions regarding monitoring, auditing, and management.&lt;/p&gt;</description></item><item><title>Maximizing WAF Value</title><link>/research/papers/maximizing-waf-value/</link><pubDate>Wed, 28 Dec 2016 00:00:00 +0000</pubDate><guid>/research/papers/maximizing-waf-value/</guid><description>&lt;p&gt;We talk frequently about the importance of having the right people and processes to make security effective. This is definitely true for Web Application Firewalls (WAF), a fairly mature technology which has been fighting perception issues for years. This quote from the paper nets it out:&lt;/p&gt;</description></item><item><title>Managed Security Monitoring</title><link>/research/papers/managed-security-monitoring/</link><pubDate>Thu, 08 Dec 2016 00:00:00 +0000</pubDate><guid>/research/papers/managed-security-monitoring/</guid><description>&lt;p&gt;Nobody really argues any more about &lt;em&gt;whether&lt;/em&gt; to perform security monitoring. Compliance mandates answered that question, and the fact is that without granular security monitoring and analytics you don’t have much chance to detect attacks. 
But there is an open question about the &lt;em&gt;best&lt;/em&gt; way to monitor your environment, especially given the headwinds facing your security team.&lt;/p&gt;</description></item><item><title>Collected Cloud Security and DevOps Posts</title><link>/research/papers/collected-cloud-security-and-devops-posts/</link><pubDate>Mon, 31 Oct 2016 00:00:00 +0000</pubDate><guid>/research/papers/collected-cloud-security-and-devops-posts/</guid><description>&lt;p&gt;Below are our top cloud security and DevOps posts, ordered as we suggest you read them rather than by posting date. This is just the start. The list will grow nearly daily as we write a ton of new content. We will also include links to our external content, including code on GitHub.&lt;/p&gt;</description></item><item><title>Understanding and Selecting RASP</title><link>/research/papers/understanding-and-selecting-rasp/</link><pubDate>Mon, 29 Aug 2016 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-rasp/</guid><description>&lt;p&gt;So what is RASP? Runtime Application Self-Protection (RASP) is an application security technology which embeds into an application or application runtime environment, examining requests at the application layer to detect attacks and misuse in real time. RASP functions in the application context, which enables it to monitor security – and apply controls – very precisely. 
This means better detection because you see what the application is being asked to do, and can also offer better performance, as you only need to check the relevant subset of policies for each request.&lt;/p&gt;</description></item><item><title>Building a Threat Intelligence Program</title><link>/research/papers/building-a-threat-intelligence-program/</link><pubDate>Thu, 30 Jun 2016 00:00:00 +0000</pubDate><guid>/research/papers/building-a-threat-intelligence-program/</guid><description>&lt;p&gt;Threat Intelligence has made a significant difference in how organizations focus resources on their most significant risks. We concluded our &lt;a href="https://securosis.com/research/papers/applied-threat-intelligence"&gt;Applied Threat Intelligence&lt;/a&gt; paper by pointing out that the industry needs to move past tactical TI use cases. Our philosophy demands a programmatic approach to security.&lt;/p&gt;</description></item><item><title>Incident Response in the Cloud Age</title><link>/research/papers/incident-response-in-the-cloud-age/</link><pubDate>Tue, 28 Jun 2016 00:00:00 +0000</pubDate><guid>/research/papers/incident-response-in-the-cloud-age/</guid><description>&lt;p&gt;The good news for incident responders is that you no longer need to make the case for what you do and why it’s important. Everyone is watching. Here is a quote from the paper:&lt;/p&gt;</description></item><item><title>Shining a Light on Shadow Devices</title><link>/research/papers/shining-a-light-on-shadow-devices/</link><pubDate>Wed, 15 Jun 2016 00:00:00 +0000</pubDate><guid>/research/papers/shining-a-light-on-shadow-devices/</guid><description>&lt;p&gt;Being a security professional certainly was easier back in the day before all these newfangled devices had Internet connections. I’m not sure how we became the &lt;em&gt;get off my lawn!&lt;/em&gt; guys, but here we are. You probably scan for PCs. 
Maybe you even have a program to find and monitor mobile devices on your networks (though probably not). But what about printers, physical security devices like cameras, control systems, healthcare devices, and the two dozen or so other types of devices on your networks?&lt;/p&gt;</description></item><item><title>Building Resilient Cloud Network Architectures</title><link>/research/papers/building-resilient-cloud-network-architectures/</link><pubDate>Thu, 09 Jun 2016 00:00:00 +0000</pubDate><guid>/research/papers/building-resilient-cloud-network-architectures/</guid><description>&lt;p&gt;New technologies scare some people. And the cloud is scaring lots of people. They worry about how data resides within networks they don’t control. They worry that attackers could compromise a multi-tenant environment. They worry they don’t have the tools or techniques to provide equivalent security to what they already have in their traditional data centers.&lt;/p&gt;</description></item><item><title>Building a Vendor (IT) Risk Management Program</title><link>/research/papers/building-a-vendor-it-risk-management-program/</link><pubDate>Sun, 05 Jun 2016 00:00:00 +0000</pubDate><guid>/research/papers/building-a-vendor-it-risk-management-program/</guid><description>&lt;p&gt;In this business environment, where more output is expected faster, while consuming fewer resources, organizations have little choice but to embrace outsourcing and other means of becoming more efficient while maintaining productivity. 
Interconnecting business technology systems accelerates inter-enterprise collaboration, but there are clear risks to providing access to external parties.&lt;/p&gt;</description></item><item><title>SIEM Kung Fu</title><link>/research/papers/siem-kung-fu/</link><pubDate>Tue, 10 May 2016 00:00:00 +0000</pubDate><guid>/research/papers/siem-kung-fu/</guid><description>&lt;p&gt;Despite having published a bunch of research over the years about SIEM, it’s still a very misunderstood and underutilized technology. Lots of organizations aggregate their logs (you can thank PCI-DSS for that), but not enough actually use their SIEM effectively. And it’s not like you can just look at some other shiny technology to replace the SIEM:&lt;/p&gt;</description></item><item><title>Securing Hadoop: Recommendations for Hadoop Security</title><link>/research/papers/securing-hadoop-recommendations-for-hadoop-security/</link><pubDate>Tue, 29 Mar 2016 00:00:00 +0000</pubDate><guid>/research/papers/securing-hadoop-recommendations-for-hadoop-security/</guid><description>&lt;p&gt;&lt;a href="https://cdn.securosis.com/assets/library/reports/Securing_Hadoop_Final_V2.pdf"&gt;Securing_Hadoop_Final_V2.pdf&lt;/a&gt; Big data systems have become very popular because they offer a low-cost way to analyze enormous sets of rapidly changing data. But Hadoop, with its incredibly open and vibrant ecosystem, has enabled firms to completely tailor clusters to their business needs. This combination has made Hadoop the most popular big data framework in use today. 
And as adoption has ramped up, IT and security teams have found themselves tasked with getting a handle on data – and Hadoop cluster – security.&lt;/p&gt;</description></item><item><title>Building Security Into DevOps</title><link>/research/papers/building-security-into-devops/</link><pubDate>Thu, 10 Dec 2015 00:00:00 +0000</pubDate><guid>/research/papers/building-security-into-devops/</guid><description>&lt;p&gt;We are excited about this research paper, because we are excited about what the DevOps approach has delivered to many organizations, both small and large, already. And even firms who have only recently started down the path toward a full DevOps process already enjoy the advantages of streamlined testing and build processing with continuous integration. Our focus for this research was on how to embed security and security testing into DevOps, leveraging automated workflows to implement security testing, and providing fast feedback to developers when something is amiss. We offer a basic overview of DevOps, followed by several perspectives on how security folks and developers can work together to engineer security into a DevOps pipeline.&lt;/p&gt;</description></item><item><title>Threat Detection Evolution</title><link>/research/papers/threat-detection-evolution/</link><pubDate>Thu, 10 Dec 2015 00:00:00 +0000</pubDate><guid>/research/papers/threat-detection-evolution/</guid><description>&lt;p&gt;Most organizations have realized that threat prevention has limitations, so we have seen renewed focus on threat detection. But like most other security markets, the term &lt;em&gt;threat detection&lt;/em&gt; has been distorted to cover almost everything. 
So we figure it’s time to clarify what threat detection is and how it is evolving to deal with advanced attacks, sophisticated adversaries, and limited resources.&lt;/p&gt;</description></item><item><title>Pragmatic Security for Cloud and Hybrid Networks</title><link>/research/papers/pragmatic-security-for-cloud-and-hybrid-networks/</link><pubDate>Mon, 05 Oct 2015 00:00:00 +0000</pubDate><guid>/research/papers/pragmatic-security-for-cloud-and-hybrid-networks/</guid><description>&lt;p&gt;One of the bigger issues when migrating to the cloud is translating and extending your existing security controls, especially our old friend, network security. While cloud networking may resemble what we are used to, under the covers it behaves, and is managed, very differently.&lt;/p&gt;</description></item><item><title>EMV Migration and the Changing Payments Landscape</title><link>/research/papers/emv-migration-and-the-changing-payments-landscape/</link><pubDate>Fri, 04 Sep 2015 00:00:00 +0000</pubDate><guid>/research/papers/emv-migration-and-the-changing-payments-landscape/</guid><description>&lt;p&gt;October 2015 is the deadline for merchants to adopt EMV-compliant credit card terminals, in exchange for a liability waiver for fraudulent card present transactions. Explaining the EMV shift and payment security is difficult – there is a great deal of confusion about what the shift means, what security it really delivers, and whether it actually offers real benefits for merchants. Part of the problem is that the card brands have chosen to focus all their marketing on a single oversimplified value statement: the liability shift for card present transactions through non-EMV-compliant terminals. But digging into the specifications and working through the rollout process reveals a much larger change underway, with much broader ramifications. 
Unfortunately the press has failed to realize these implications, so the conversation has focused on liability, and lost sight of what else is going on. We produced this research paper to explain the additional changes underlying the EMV shift, its full impact on merchant security and operations, and where the shift will take the payment ecosystem.&lt;/p&gt;</description></item><item><title>Network-based Threat Detection</title><link>/research/papers/network-based-threat-detection/</link><pubDate>Sun, 30 Aug 2015 00:00:00 +0000</pubDate><guid>/research/papers/network-based-threat-detection/</guid><description>&lt;p&gt;The more things change, the more they stay the same. We have been talking about &lt;a href="https://securosis.com/research/papers/react-faster-and-better-new-approaches-for-advanced-incident-response"&gt;Reacting Faster and Better&lt;/a&gt; for years and we will continue to do so, because trying to prevent every attack is and will remain futile. The best path forward is to continue advancing the ability to prevent attacks, while spending as much time on detecting attacks that successfully compromise your defenses. This &lt;em&gt;detection-centric&lt;/em&gt; view of the world has been a central theme in our research; it highlights a variety of areas to focus on – including the network, endpoints, and applications.&lt;/p&gt;</description></item><item><title>Applied Threat Intelligence</title><link>/research/papers/applied-threat-intelligence/</link><pubDate>Mon, 17 Aug 2015 00:00:00 +0000</pubDate><guid>/research/papers/applied-threat-intelligence/</guid><description>&lt;p&gt;Threat Intelligence remains one of the hottest areas in security. With its promise to help organizations take advantage of information sharing, early results have been encouraging. We have researched Threat Intelligence deeply; focusing on where to get TI and the differences between gathering data from networks, endpoints, and general Internet sources. 
But we come back to the fact that having data is not enough – not now and not in the future.&lt;/p&gt;</description></item><item><title>Endpoint Defense: Essential Practices</title><link>/research/papers/endpoint-defense-essential-practices/</link><pubDate>Mon, 30 Mar 2015 00:00:00 +0000</pubDate><guid>/research/papers/endpoint-defense-essential-practices/</guid><description>&lt;p&gt;We’ve seen a renaissance of sorts regarding endpoint security. To be clear, most of the solutions in the market aren’t good enough. Attackers don’t have to be advanced to make quick work of the endpoint protection suites in place. That realization has created a wave of innovation on the endpoint that promises to provide a better chance to prevent and detect attacks. But the reality is far too many organizations can’t even get the fundamentals of endpoint security right.&lt;/p&gt;</description></item><item><title>Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications</title><link>/research/papers/cracking-the-confusion-encryption-and-tokenization-for-data-centers-servers-and-applications/</link><pubDate>Fri, 20 Mar 2015 00:00:00 +0000</pubDate><guid>/research/papers/cracking-the-confusion-encryption-and-tokenization-for-data-centers-servers-and-applications/</guid><description>&lt;blockquote&gt;
&lt;p&gt;Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is “compliance, cloud, and covert affairs”. Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments).&lt;/p&gt;</description></item><item><title>Security and Privacy on the Encrypted Network</title><link>/research/papers/security-and-privacy-on-the-encrypted-network/</link><pubDate>Wed, 04 Feb 2015 00:00:00 +0000</pubDate><guid>/research/papers/security-and-privacy-on-the-encrypted-network/</guid><description>&lt;p&gt;We have been writing extensively about the disruption currently hitting security, driven by cloud computing and mobility. Our Inflection: The Future of Security research directly addresses the lack of visibility caused by these macro trends. At the same time great automation and orchestration promise to enable security to scale to the cloud, in terms of both scale and speed. Meanwhile each day’s &lt;em&gt;breach du jour&lt;/em&gt; in the mass media keeps security topics at the forefront, highlighting the importance of protecting critical information.&lt;/p&gt;</description></item><item><title>Monitoring the Hybrid Cloud: Evolving to the CloudSOC</title><link>/research/papers/monitoring-the-hybrid-cloud-evolving-to-the-cloudsoc/</link><pubDate>Sun, 25 Jan 2015 00:00:00 +0000</pubDate><guid>/research/papers/monitoring-the-hybrid-cloud-evolving-to-the-cloudsoc/</guid><description>&lt;p&gt;This cloud thing is going to have major repercussions on how you protect technology assets over time. But what does that even mean? 
We start this paper by defining how and why the cloud is different, and then outline a number of trends we expect to come to fruition as described in our &lt;a href="https://securosis.com/research/papers/the-future-of-security-the-trends-and-technologies-transforming-security"&gt;The Future of Security&lt;/a&gt; paper. Then we look at how security monitoring functions need to evolve, as an increasing amount of technology infrastructure runs in the cloud.&lt;/p&gt;</description></item><item><title>Security Best Practices for Amazon Web Services</title><link>/research/papers/security-best-practices-for-amazon-web-services/</link><pubDate>Mon, 19 Jan 2015 00:00:00 +0000</pubDate><guid>/research/papers/security-best-practices-for-amazon-web-services/</guid><description>&lt;p&gt;Amazon Web Services is one of the most secure public cloud platforms available, with deep datacenter security and many user-accessible security features. Building your own secure services on AWS requires properly using what AWS offers, and adding additional controls to fill the gaps.&lt;/p&gt;</description></item><item><title>Secure Agile Development</title><link>/research/papers/secure-agile-development/</link><pubDate>Thu, 06 Nov 2014 00:00:00 +0000</pubDate><guid>/research/papers/secure-agile-development/</guid><description>&lt;p&gt;If you’ve followed this blog for any length of time, you know we have talked about the troubles of integrating security testing and secure code development practices into an Agile development process. Security is trying to manage risks to the organization, including risks introduced by new technologies such as code. Development teams try to deliver quality code faster, which means jettisoning things that slow them down. 
Both want customers to be happy and deliver new products and services, but their underlying goals of risk reduction and maximized efficiency do not inherently mesh, causing friction.&lt;/p&gt;</description></item><item><title>Trends in Data Centric Security White Paper</title><link>/research/papers/trends-in-data-centric-security-white-paper/</link><pubDate>Tue, 28 Oct 2014 00:00:00 +0000</pubDate><guid>/research/papers/trends-in-data-centric-security-white-paper/</guid><description>&lt;p&gt;It’s all about the data. You want to make data useful by making it available to users and applications which can leverage it into actionable information. You share data between applications, partners, and analytics systems to derive the greatest business intelligence value possible. But what do you do when you cannot guarantee the security of those systems? How can you protect information regardless of where it moves? One approach is called Data Centric Security, and it is designed to protect data instead of infrastructure. Here is an excerpt from our paper:&lt;/p&gt;</description></item><item><title>Leveraging Threat Intelligence in Incident Response/Management</title><link>/research/papers/leveraging-threat-intelligence-in-incident-response-management/</link><pubDate>Thu, 02 Oct 2014 00:00:00 +0000</pubDate><guid>/research/papers/leveraging-threat-intelligence-in-incident-response-management/</guid><description>&lt;p&gt;We continue to investigate the practical uses of threat intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, now we turn our attention to Incident Response and Management. 
In this paper, we go into depth on how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources to help narrow down the scope of your investigation.&lt;/p&gt;</description></item><item><title>Pragmatic WAF Management: Giving Web Apps a Fighting Chance</title><link>/research/papers/pragmatic-waf-management-giving-web-apps-a-fighting-chance/</link><pubDate>Sat, 20 Sep 2014 00:00:00 +0000</pubDate><guid>/research/papers/pragmatic-waf-management-giving-web-apps-a-fighting-chance/</guid><description>&lt;p&gt;This research paper provides a detailed approach for effectively deploying, managing, and integrating a Web Application Firewall into your application security program. Our research shows that WAFs have a bad name, not because of any specific technology flaw, but mostly due to mismanagement. So we wrote Pragmatic WAF Management to cover how WAFs work, why some customers fail to derive value, and how to effectively deploy a WAF to secure applications from the increasing variety of web-based attacks. This excerpt summarizes the paper:&lt;/p&gt;</description></item><item><title>The Security Pro’s Guide to Cloud File Storage and Collaboration</title><link>/research/papers/the-security-pros-guide-to-cloud-file-storage-and-collaboration/</link><pubDate>Fri, 12 Sep 2014 00:00:00 +0000</pubDate><guid>/research/papers/the-security-pros-guide-to-cloud-file-storage-and-collaboration/</guid><description>&lt;p&gt;One of the fastest growing cloud services is Cloud File Storage and Collaboration, also known as Enterprise Sync and Share. These tools allow organizations to centralize and manage unstructured data in entirely new ways. 
They also promise massive security benefits, including centralized control over unstructured data, with a full audit log of all user and device activity.&lt;/p&gt;</description></item><item><title>Analysis of the 2014 Open Source Development and Application Security Survey</title><link>/research/papers/analysis-of-the-2014-open-source-development-and-application-security-survey/</link><pubDate>Mon, 14 Jul 2014 00:00:00 +0000</pubDate><guid>/research/papers/analysis-of-the-2014-open-source-development-and-application-security-survey/</guid><description>&lt;p&gt;Open source software is ubiquitous. Nearly every company is running some. Many organizations are not even aware of it – or at least weren’t until the Heartbleed vulnerability. Then they discovered what many firms already know: there is open source running in your company, and it’s an integral part of your operations.&lt;/p&gt;</description></item><item><title>The 2015 Endpoint and Mobile Security Buyer’s Guide</title><link>/research/papers/the-2015-endpoint-and-mobile-security-buyers-guide/</link><pubDate>Mon, 14 Jul 2014 00:00:00 +0000</pubDate><guid>/research/papers/the-2015-endpoint-and-mobile-security-buyers-guide/</guid><description>&lt;p&gt;In an uncommon occurrence we have updated one of our papers within a year of publication. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it became clear that we needed to dig a bit deeper into securing mobile endpoints.&lt;/p&gt;</description></item><item><title>2014 Open Source Development and Application Security Survey Analysis</title><link>/research/papers/2014-open-source-development-and-application-security-survey-analysis/</link><pubDate>Wed, 09 Jul 2014 00:00:00 +0000</pubDate><guid>/research/papers/2014-open-source-development-and-application-security-survey-analysis/</guid><description>&lt;p&gt;Open source software is ubiquitous. 
Nearly every company is running some. Many organizations are not even aware of it – or at least weren’t until the Heartbleed vulnerability. Then they discovered what many firms already know: there is open source running in your company, and it’s an integral part of your operations.&lt;/p&gt;</description></item><item><title>Advanced Endpoint and Server Protection</title><link>/research/papers/advanced-endpoint-and-server-protection/</link><pubDate>Sun, 06 Jul 2014 00:00:00 +0000</pubDate><guid>/research/papers/advanced-endpoint-and-server-protection/</guid><description>&lt;p&gt;Anti-virus is basically dead, at least according to the biggest anti-virus vendor. The good news is that signature-based AV has actually been dead for a long time; even the big players have been broadening their capabilities to assess, prevent, detect, and investigate advanced malware on endpoints and servers. There has been a tremendous amount of activity and innovation in protecting endpoint and servers, driven by necessity:&lt;/p&gt;</description></item><item><title>Defending Against Network-based Distributed Denial of Service (DDoS) Attacks</title><link>/research/papers/defending-against-network-based-distributed-denial-of-service-ddos-attacks/</link><pubDate>Sun, 27 Apr 2014 00:00:00 +0000</pubDate><guid>/research/papers/defending-against-network-based-distributed-denial-of-service-ddos-attacks/</guid><description>&lt;p&gt;What’s a couple hundred gigabits per second of traffic between friends, right? 
Because that is the magnitude of recent volumetric denial of service attacks, which means regardless of who you are, you need a plan to deal with that kind of onslaught.&lt;/p&gt;</description></item><item><title>Reducing Attack Surface with Application Control</title><link>/research/papers/reducing-attack-surface-with-application-control/</link><pubDate>Sun, 16 Mar 2014 00:00:00 +0000</pubDate><guid>/research/papers/reducing-attack-surface-with-application-control/</guid><description>&lt;p&gt;Attacks keep happening. Breaches keep happening. Senior management keeps wondering what the security team is doing.&lt;/p&gt;
&lt;p&gt;The lack of demonstrable progress [in stopping malware] comes down to two intertwined causes. First, devices are built using software that has defects attackers can exploit. Nothing is perfect, especially not software, so every line of code presents an attack surface. Second, employees can be fooled into taking action (such as installing software or clicking a link) that enables attacks to succeed.&lt;/p&gt;</description></item><item><title>Leveraging Threat Intelligence in Security Monitoring</title><link>/research/papers/leveraging-threat-intelligence-in-security-monitoring/</link><pubDate>Sun, 09 Mar 2014 00:00:00 +0000</pubDate><guid>/research/papers/leveraging-threat-intelligence-in-security-monitoring/</guid><description>&lt;p&gt;As we continue our research into the practical uses of threat intelligence (TI), we have documented how TI should change existing security monitoring (SM) processes. In our Leveraging Threat Intelligence in Security Monitoring paper, we go into depth on how to update your security monitoring process to integrate malware analysis and threat intelligence. Updating our process maps demonstrates that we don’t consider TI a flash in the pan – it is a key aspect of detecting advanced adversaries as we move forward.&lt;/p&gt;</description></item><item><title>The Future of Security: The Trends and Technologies Transforming Security</title><link>/research/papers/the-future-of-security-the-trends-and-technologies-transforming-security/</link><pubDate>Tue, 25 Feb 2014 00:00:00 +0000</pubDate><guid>/research/papers/the-future-of-security-the-trends-and-technologies-transforming-security/</guid><description>&lt;p&gt;This paper originally started with a blog post called Inflection that looked at a series of developing security trends and attempted to predict their eventual outcome. I researched for nearly 18 months; this paper compiles my thoughts on where the security industry is headed, why, and how it affects us now. 
From the introduction:&lt;/p&gt;</description></item><item><title>Security Management 2.5: Replacing Your SIEM Yet?</title><link>/research/papers/security-management-2-5-replacing-your-siem-yet/</link><pubDate>Thu, 13 Feb 2014 00:00:00 +0000</pubDate><guid>/research/papers/security-management-2-5-replacing-your-siem-yet/</guid><description>&lt;p&gt;Has your SIEM failed to meet expectations despite significant investment? Has your platform failed to keep up with emerging threats and scalability requirements? If you are questioning whether your existing product or service can get the job done, you are not alone. Given the rapid evolution of requirements, and the changing needs of enterprise users, it is no surprise that many vendors have been passed by as they work to address market demands from 4 years ago. You are likely more than a little frustrated by the difficulty of managing, scaling, and actually &lt;em&gt;doing something useful&lt;/em&gt; with SIEM. But there comes a point where the futility of riding a mule in a horse race becomes obvious, and then it’s time to find a replacement steed.&lt;/p&gt;</description></item><item><title>Defending Data on iOS 7</title><link>/research/papers/defending-data-on-ios-7/</link><pubDate>Mon, 10 Feb 2014 00:00:00 +0000</pubDate><guid>/research/papers/defending-data-on-ios-7/</guid><description>&lt;p&gt;iOS 7 is a significant update, with serious implications for enterprise management and data security (don’t worry, all good).&lt;/p&gt;
&lt;p&gt;The short version is that iOS is quite secure – far more than a general-purpose computer. But you need to understand Apple’s security philosophy to comprehend their design decisions and your integration options. Apple has a clear vision of the future for BYOD, and it is very different than the way most organizations have managed personal devices in the past.&lt;/p&gt;</description></item><item><title>Eliminate Surprises with Security Assurance and Testing</title><link>/research/papers/eliminate-surprises-with-security-assurance-and-testing/</link><pubDate>Sun, 19 Jan 2014 00:00:00 +0000</pubDate><guid>/research/papers/eliminate-surprises-with-security-assurance-and-testing/</guid><description>&lt;p&gt;We have always been fans of making sure applications and infrastructure are &lt;em&gt;ready for prime time&lt;/em&gt; before letting them loose on the world. It’s important not to just use basic scanner functions either – your adversaries are unlikely to limit their tactics to things you find in an open source scanner. Security Assurance and Testing enables organizations to limit the unpleasant surprises that happen when launching new stuff or upgrading infrastructure.&lt;/p&gt;</description></item><item><title>What CISOs Need to Know about Cloud Computing</title><link>/research/papers/what-cisos-need-to-know-about-cloud-computing/</link><pubDate>Thu, 09 Jan 2014 00:00:00 +0000</pubDate><guid>/research/papers/what-cisos-need-to-know-about-cloud-computing/</guid><description>&lt;p&gt;One of a CISO’s most difficult challenges is sorting the valuable wheat from the overhyped chaff, and then figuring out what it all means in terms of risk to the organization. 
There is no shortage of technology or threat trends, and CISOs need to determine which matter and how they impact security.&lt;/p&gt;</description></item><item><title>Defending Against Application Denial of Service Attacks</title><link>/research/papers/defending-against-application-denial-of-service-attacks/</link><pubDate>Tue, 24 Dec 2013 00:00:00 +0000</pubDate><guid>/research/papers/defending-against-application-denial-of-service-attacks/</guid><description>&lt;p&gt;Denial of Service attacks can encompass a number of different tactics, all aimed at impacting the availability of your applications and/or infrastructure. In &lt;a href="https://securosis.com/research/papers/defending-against-denial-of-service-dos-attacks"&gt;Defending Against Denial of Service Attacks&lt;/a&gt; we described both network-based and application-targeting attacks. In this paper we dig &lt;em&gt;much&lt;/em&gt; deeper into application DoS attacks. For good reason – as the paper says:&lt;/p&gt;</description></item><item><title>Executive Guide to Pragmatic Network Security Management</title><link>/research/papers/executive-guide-to-pragmatic-network-security-management/</link><pubDate>Sat, 21 Dec 2013 00:00:00 +0000</pubDate><guid>/research/papers/executive-guide-to-pragmatic-network-security-management/</guid><description>&lt;p&gt;Managing network security at scale is not easy, but the organizations that do it best tend to follow a predictable and repeatable pattern. This paper distills those lessons into a pragmatic process designed for larger organizations and those with more complicated networks, such as medium-sized businesses with multiple locations. We don’t claim our process is magical or easy, but it’s certainly easier than any alternatives we are aware of. 
Even if you only pick out a few tidbits, our process should help you refine and operate your network security more efficiently.&lt;/p&gt;</description></item><item><title>Security Awareness Training Evolution</title><link>/research/papers/security-awareness-training-evolution/</link><pubDate>Mon, 11 Nov 2013 00:00:00 +0000</pubDate><guid>/research/papers/security-awareness-training-evolution/</guid><description>&lt;p&gt;Everyone has an opinion about security awareness training, and most of them are negative. Waste of time! Ineffective! Boring! We have heard them all. And the criticism isn’t wrong – much of the content driving security awareness training is lame. Which is probably the kindest thing we can say about it. But it doesn’t need to be that way. Actually, it &lt;em&gt;cannot&lt;/em&gt; remain this way – there is too much at stake. Users remain the lowest-hanging fruit for attackers, and as long as that is the case attackers will continue to target them. Educating users about security is not a panacea, but it can and does help.&lt;/p&gt;</description></item><item><title>Firewall Management Essentials</title><link>/research/papers/firewall-management-essentials/</link><pubDate>Thu, 10 Oct 2013 00:00:00 +0000</pubDate><guid>/research/papers/firewall-management-essentials/</guid><description>&lt;p&gt;We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. 
Then you get some religion about more effectively managing these devices.&lt;/p&gt;</description></item><item><title>A Practical Example of Software Defined Security</title><link>/research/papers/a-practical-example-of-software-defined-security/</link><pubDate>Thu, 03 Oct 2013 00:00:00 +0000</pubDate><guid>/research/papers/a-practical-example-of-software-defined-security/</guid><description>&lt;p&gt;A few months back I did a series of posts on how to leverage Amazon EC2, APIs, Chef, and Ruby to &lt;em&gt;improve&lt;/em&gt; security over what you can do with traditional infrastructure. I decided to collect these posts together, clean them up, and release them as a standalone paper.&lt;/p&gt;</description></item><item><title>Continuous Security Monitoring</title><link>/research/papers/continuous-security-monitoring/</link><pubDate>Thu, 26 Sep 2013 00:00:00 +0000</pubDate><guid>/research/papers/continuous-security-monitoring/</guid><description>&lt;p&gt;Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about &lt;em&gt;Continuous Security Monitoring&lt;/em&gt; and how to get there.&lt;/p&gt;</description></item><item><title>API Gateways: Where Security Enables Innovation</title><link>/research/papers/api-gateways-where-security-enables-innovation/</link><pubDate>Mon, 16 Sep 2013 00:00:00 +0000</pubDate><guid>/research/papers/api-gateways-where-security-enables-innovation/</guid><description>&lt;p&gt;API gateways are an emerging hot spot in IT services. They offer platforms for companies to selectively leverage IT systems for end user use. 
But well beyond just slapping a web server in front of an app, gateways both facilitate use of an application &lt;em&gt;and&lt;/em&gt; protect it. Gateways enable third party developers, outside your organization, to support different use cases in different environments – such as new applications, mobile apps, and service mash-ups – while allowing you to control security, function, and access to data. They provide a glue layer between your systems and the outside world.&lt;/p&gt;</description></item><item><title>Threat Intelligence for Ecosystem Risk Management</title><link>/research/papers/threat-intelligence-for-ecosystem-risk-management/</link><pubDate>Mon, 16 Sep 2013 00:00:00 +0000</pubDate><guid>/research/papers/threat-intelligence-for-ecosystem-risk-management/</guid><description>&lt;p&gt;Most folks think the move towards the extended enterprise is very cool. You know, get other organizations to do the stuff your organization isn’t great at. It’s a win/win, right? From a business standpoint, there are clear advantages to building a robust ecosystem that leverages the capabilities of all organizations. But from a security standpoint, the extended enterprise adds a tremendous amount of attack surface.&lt;/p&gt;</description></item><item><title>Identity and Access Management for Cloud Services</title><link>/research/papers/identity-and-access-management-for-cloud-services/</link><pubDate>Thu, 05 Sep 2013 00:00:00 +0000</pubDate><guid>/research/papers/identity-and-access-management-for-cloud-services/</guid><description>&lt;p&gt;We are proud to announce the availability of our Cloud Identity and Access Management research paper. While you have likely been hearing a lot about cloud services and mobile identity, how it all works is not typically presented. Our goal for this research paper is simple: Present the trends in IAM in a clear fashion so that security and software development professionals understand the new services at their disposal. 
This paper shows how cloud computing is driving extensible architectures and standardization of identity protocols, and how identity and authorization are orchestrated across in-house IT and external cloud services. Changes to IAM architectures provide the means to solve multiple challenges; additionally, external service providers offer commoditized integration with the cloud and mobile devices — reducing development and management burdens.&lt;/p&gt;</description></item><item><title>Dealing with Database Denial of Service</title><link>/research/papers/dealing-with-database-denial-of-service/</link><pubDate>Wed, 04 Sep 2013 00:00:00 +0000</pubDate><guid>/research/papers/dealing-with-database-denial-of-service/</guid><description>&lt;p&gt;You have heard of denial of service attacks, but &lt;em&gt;database&lt;/em&gt; denial of service? It may come as a surprise, but database denial of service attacks have become common over the past decade. Lately they are very popular among attackers, as network-based attacks become more difficult. We have begun to see a shift in Denial of Service (DoS) tactics by attackers, moving up the stack from networks to servers and from servers to the application layer. Over the last 18 months we have also witnessed a new wave of vulnerabilities and isolated attacks against databases, all related to denial of service. We don’t hear much about them because they are lost among the din of network DoS and even SQL injection (SQLi) attacks.&lt;/p&gt;</description></item><item><title>The 2014 Endpoint Security Buyer’s Guide</title><link>/research/papers/the-2014-endpoint-security-buyers-guide/</link><pubDate>Wed, 21 Aug 2013 00:00:00 +0000</pubDate><guid>/research/papers/the-2014-endpoint-security-buyers-guide/</guid><description>&lt;p&gt;Our updated and revised 2014 Endpoint Security Buyer’s Guide updates our research on key endpoint management functions, including patch and configuration management and device control. 
We have also added coverage of anti- … malware, mobility, and BYOD. All very timely and relevant topics. The bad news is that securing endpoints hasn’t gotten any easier. Employees still click things, and attackers have gotten better at evading perimeter defenses and obscuring attacks.&lt;/p&gt;</description></item><item><title>The CISO’s Guide to Advanced Attackers</title><link>/research/papers/the-cisos-guide-to-advanced-attackers/</link><pubDate>Sun, 18 Aug 2013 00:00:00 +0000</pubDate><guid>/research/papers/the-cisos-guide-to-advanced-attackers/</guid><description>&lt;p&gt;Much of the security industry spends significant time and effort focused on how hard it is to deal with today’s attacks. Adversaries continue to improve their tactics. Senior management doesn’t get it, until there is a breach… &lt;em&gt;then&lt;/em&gt; your successor can educate them. And the compliance mandates hanging over your organization like albatross remain 3-4 years behind the attacks you see daily. The vendor community compounds the issues by positioning every product and/or service as a solution to the APT problem. Which means they don’t really understand advanced attackers at all. But complaining doesn’t solve problems, so we put together a &lt;em&gt;CISO’s Guide to Advanced Attackers&lt;/em&gt; to help you structure a programmatic effort to deal with these adversaries.&lt;/p&gt;</description></item><item><title>Defending Cloud Data with Infrastructure Encryption</title><link>/research/papers/defending-cloud-data-with-infrastructure-encryption/</link><pubDate>Mon, 22 Jul 2013 00:00:00 +0000</pubDate><guid>/research/papers/defending-cloud-data-with-infrastructure-encryption/</guid><description>&lt;p&gt;The benefits of Infrastructure as a Service (IaaS), public or private, are driving more and more organizations to cloud computing; but one of the biggest concerns – even for internal deployments – is data security. 
The cloud fundamentally changes how data is stored, and brings both security and compliance concerns. We see this creating a resurgence of interest in encryption, with some very practical approaches available:&lt;/p&gt;</description></item><item><title>Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment</title><link>/research/papers/network-based-malware-detection-2-0-assessing-scale-accuracy-and-deployment/</link><pubDate>Thu, 18 Jul 2013 00:00:00 +0000</pubDate><guid>/research/papers/network-based-malware-detection-2-0-assessing-scale-accuracy-and-deployment/</guid><description>&lt;p&gt;Detecting malware feels like a losing battle. Between advanced attacks, innovative attackers, and well-funded state-sponsored and organized crime adversaries, organizations need every advantage they can get to stop the onslaught. We first identified and documented Network-Based Malware Detection (NBMD) devices as a promising technology back in early 2012, and they have made a difference in detecting malware at the perimeter. Of course nothing is perfect, but every little bit helps.&lt;/p&gt;</description></item><item><title>Quick Wins with Website Protection Services</title><link>/research/papers/quick-wins-with-website-protection-services/</link><pubDate>Wed, 03 Jul 2013 00:00:00 +0000</pubDate><guid>/research/papers/quick-wins-with-website-protection-services/</guid><description>&lt;p&gt;Simple website compromises can feel like crimes with no clear victims. Who cares if the Joey’s Bag of Donuts website gets popped? But that is not a defensible position any more. 
Attackers don’t just steal data from these websites – they also use them to host malware, command and control nodes, and proxies to defeat IP reputation systems.&lt;/p&gt;</description></item><item><title>Email-based Threat Intelligence: To Catch a Phish</title><link>/research/papers/email-based-threat-intelligence-to-catch-a-phish/</link><pubDate>Thu, 21 Mar 2013 00:00:00 +0000</pubDate><guid>/research/papers/email-based-threat-intelligence-to-catch-a-phish/</guid><description>&lt;p&gt;The next chapter in our Threat Intelligence arc, which started with &lt;a href="https://securosis.com/research/papers/building-an-early-warning-system"&gt;Building an Early Warning System&lt;/a&gt; and then delved down to the network in &lt;a href="https://securosis.com/research/papers/network-based-threat-intelligence-searching-for-the-smoking-gun"&gt;Network-based Threat Intelligence&lt;/a&gt;, now moves on to the content layer. Or at least one layer. Email continues to be the predominant initial attack mechanism. Whether it is to deliver a link to a malware site or a highly targeted spear phishing email, many attacks begin in the inbox.&lt;/p&gt;</description></item><item><title>Network-based Threat Intelligence: Searching for the Smoking Gun</title><link>/research/papers/network-based-threat-intelligence-searching-for-the-smoking-gun/</link><pubDate>Sun, 03 Mar 2013 00:00:00 +0000</pubDate><guid>/research/papers/network-based-threat-intelligence-searching-for-the-smoking-gun/</guid><description>&lt;p&gt;Hot on the heels of our &lt;a href="https://securosis.com/research/papers/building-an-early-warning-system"&gt;Building an Early Warning System&lt;/a&gt; paper, we have taken a much deeper look at the network aspect of threat intelligence in Network-based Threat Intelligence. 
We have always held to the belief that the network never lies (okay – almost never), and that provides a great basis on which to build an Early Warning System.&lt;/p&gt;</description></item><item><title>Understanding and Selecting a Key Management Solution</title><link>/research/papers/understanding-and-selecting-a-key-management-solution/</link><pubDate>Tue, 05 Feb 2013 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-a-key-management-solution/</guid><description>&lt;p&gt;Between new initiatives such as cloud computing, and new mandates driven by the continuous onslaught of compliance, managing encryption keys is evolving from something only big banks worry about into something which pops up at organizations of all sizes and shapes. Whether it is to protect customer data in a new web application, or to ensure that a lost backup tape doesn’t force you to file a breach report, more and more organizations are encrypting more data in more places than ever before. And behind all of this is the ever-present shadow of managing all those keys.&lt;/p&gt;</description></item><item><title>Building an Early Warning System</title><link>/research/papers/building-an-early-warning-system/</link><pubDate>Mon, 21 Jan 2013 00:00:00 +0000</pubDate><guid>/research/papers/building-an-early-warning-system/</guid><description>&lt;p&gt;One topic that has resonated with the industry has been &lt;em&gt;Early Warning.&lt;/em&gt; Clearly looking through the rearview mirror and trying to contain the damage from attacks already in process hasn’t been good enough, so figuring out a way to continue shortening the window between attack and detection continues to be a major objective for fairly mature security programs. 
Early Warning is all about turning security management on its head, using threat intelligence on attacks against others to improve your own defenses.&lt;/p&gt;</description></item><item><title>Defending Against Denial of Service (DoS) Attacks</title><link>/research/papers/defending-against-denial-of-service-dos-attacks/</link><pubDate>Sat, 29 Dec 2012 00:00:00 +0000</pubDate><guid>/research/papers/defending-against-denial-of-service-dos-attacks/</guid><description>&lt;p&gt;We are pleased to put the finishing touches on our Denial of Service (DoS) research and distribute the paper. Unless you have had your head in the sand for the last year, you know DoS attacks are back with a vengeance, knocking down sites both big and small. That has created a situation where it’s no longer viable to ignore the threat, and we all need to think about what to do when we inevitably become a target.&lt;/p&gt;</description></item><item><title>Implementing and Managing Patch and Configuration Management</title><link>/research/papers/implementing-and-managing-patch-and-configuration-management/</link><pubDate>Thu, 29 Nov 2012 00:00:00 +0000</pubDate><guid>/research/papers/implementing-and-managing-patch-and-configuration-management/</guid><description>&lt;p&gt;If you recall back to the &lt;a href="https://securosis.com/research/papers/the-endpoint-security-management-buyers-guide"&gt;Endpoint Security Management Buyer’s Guide&lt;/a&gt;, we identified 4 specific controls typically used to manage the security of endpoints, and broke them up into periodic and ongoing controls. That paper helped you identify what was important and guided you through the buying process. At the end of that process you face a key question – what now? 
It’s time to implement and manage your new toys, so this paper will provide a series of processes and practices for successfully implementing and managing patch and configuration management tools.&lt;/p&gt;</description></item><item><title>Securing Big Data: Recommendations for Securing Hadoop and NoSQL</title><link>/research/papers/securing-big-data-recommendations-for-securing-hadoop-and-nosql/</link><pubDate>Mon, 05 Nov 2012 00:00:00 +0000</pubDate><guid>/research/papers/securing-big-data-recommendations-for-securing-hadoop-and-nosql/</guid><description>&lt;p&gt;Big Data: massively scalable distributed data environments.&lt;/p&gt;
&lt;p&gt;&lt;img src="BigData_ToC.png" alt=""&gt; Big data systems have become incredibly popular, because they offer a low-cost way to analyze enormous sets of rapidly changing data. But the sad fact is that Hadoop, Mongo, Couch and Riak have almost &lt;em&gt;no&lt;/em&gt; built-in security capabilities, leaving data exposed on every storage node. This research paper discusses how to deploy the most fundamental data security controls – including encryption, isolation, and access controls/identity management – for a big data system. But before we discuss how to secure &lt;em&gt;big data&lt;/em&gt; , we have to decide what big data &lt;em&gt;is&lt;/em&gt;. So we start with a definition of big data, what it provides, and how it poses different security challenges than prior data storage clusters and database systems. From there we branch out into two major areas of concern: high-level architectural considerations and tactical operational options. Finally, we close with several recommendations for security technologies to solve specific big data security problems, while meeting the design challenges of scalability and distributed management, which are fundamental to big data clusters.&lt;/p&gt;</description></item><item><title>Tokenization vs. Encryption: Options for Compliance</title><link>/research/papers/tokenization-vs-encryption-options-for-compliance/</link><pubDate>Wed, 24 Oct 2012 00:00:00 +0000</pubDate><guid>/research/papers/tokenization-vs-encryption-options-for-compliance/</guid><description>&lt;p&gt;The paper discusses the use of tokenization for payment data, personal information, and health records. It covers two important areas of tokenization: First, the paper is one of the few critical examinations of tokenization’s suitability for compliance. There are many possible applications of tokenization, some of which make compliance easier, and others which are simply not practical. 
Second, the paper dispels the myth that tokenization replaces encryption – in fact tokenization and encryption complement each other. This version has been updated to include PCI guidance on tokenization.&lt;/p&gt;</description></item><item><title>Pragmatic Key Management for Data Encryption</title><link>/research/papers/pragmatic-key-management-for-data-encryption/</link><pubDate>Fri, 19 Oct 2012 00:00:00 +0000</pubDate><guid>/research/papers/pragmatic-key-management-for-data-encryption/</guid><description>&lt;p&gt;Few terms strike as much dread in the hearts of security professionals as key management. Those two simple words evoke painful memories of massive PKI failures, with millions spent to send encrypted email to the person in the adjacent cube. Or perhaps they recall the head-splitting migraine you got when assigned to reconcile incompatible proprietary implementations of a single encryption standard. Or memories of half-baked product implementations that worked fine in isolation on a single system, but were effectively impossible to manage at scale. Where by scale I mean “more than one”.&lt;/p&gt;</description></item><item><title>The Endpoint Security Management Buyer’s Guide</title><link>/research/papers/the-endpoint-security-management-buyers-guide/</link><pubDate>Sun, 30 Sep 2012 00:00:00 +0000</pubDate><guid>/research/papers/the-endpoint-security-management-buyers-guide/</guid><description>&lt;p&gt;This paper provides a strategic view of Endpoint Security Management, addressing the complexities caused by malware’s continuing evolution, device sprawl, and mobility/BYOD. The paper focuses on periodic controls that fall under good endpoint hygiene (such as patch and configuration management) and ongoing controls (such as device control and file integrity monitoring) to detect unauthorized activity and prevent it from completing. 
The crux of our findings involves the use of an endpoint security management platform to aggregate the capabilities of these individual controls, providing policy and enforcement leverage to decrease cost of ownership and increase the value of endpoint security management.&lt;/p&gt;</description></item><item><title>Understanding and Selecting Data Masking Solutions</title><link>/research/papers/understanding-and-selecting-data-masking-solutions/</link><pubDate>Thu, 16 Aug 2012 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-data-masking-solutions/</guid><description>&lt;p&gt;Understanding and Selecting Data Masking Solutions, our newest paper, covers use cases, features, and deployment models; it also outlines how masking technologies work. We started the research to understand big changes we saw happening with masking products, with many new customer inquiries for use cases not traditionally associated with data masking. We wanted to discuss these changes and share what we see with the community. This work is the result of dozens of conversations with vendors, customers, and security professionals over the last 18 months, discussed openly on the blog during our development process.&lt;img src="Screen_Shot_Masking.png" alt=""&gt;&lt;/p&gt;</description></item><item><title>Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks</title><link>/research/papers/evolving-endpoint-malware-detection-dealing-with-advanced-and-targeted-attacks/</link><pubDate>Thu, 12 Jul 2012 00:00:00 +0000</pubDate><guid>/research/papers/evolving-endpoint-malware-detection-dealing-with-advanced-and-targeted-attacks/</guid><description>&lt;p&gt;We’ve been spending a lot of time recently doing research on malware, both the tactics of the attackers and understanding the next wave of detection approaches. 
That’s resulted in a number of reports, including network-based approaches to &lt;a href="https://securosis.com/research/papers/network-based-malware-detection-filling-the-gaps-of-av"&gt;detect malware at the perimeter&lt;/a&gt;, and the Herculean task of decomposing the processes involved in confirming an infection, analyzing the malware, and tracking its proliferation in our &lt;a href="https://securosis.com/research/papers/malware-analysis-quant-report"&gt;Malware Analysis Quant&lt;/a&gt;. But those approaches largely didn’t address what’s required to detect malware on the devices themselves, and block the behaviors we know are malicious.&lt;/p&gt;</description></item><item><title>Implementing and Managing a Data Loss Prevention Solution</title><link>/research/papers/implementing-and-managing-a-data-loss-prevention-solution/</link><pubDate>Tue, 19 Jun 2012 00:00:00 +0000</pubDate><guid>/research/papers/implementing-and-managing-a-data-loss-prevention-solution/</guid><description>&lt;p&gt;Data Loss Prevention (DLP) is one of the farthest reaching tools in the security arsenal. A single DLP platform touches endpoints, network, email servers, web gateways, storage, directory servers, and more. There are more potential integration points than just about any other security tool – with the possible exception of SIEM. And then we need to build policies, define workflow, and implement blocking… all based on nebulous concepts like “customer data” and “intellectual property”. It is no wonder many organizations are intimidated by the prospect of implementing a large DLP deployment. 
But our 2010 survey indicates that over 40% of organizations use some form of DLP.&lt;/p&gt;</description></item><item><title>Report: Understanding and Selecting a Database Security Platform</title><link>/research/papers/report-understanding-and-selecting-a-database-security-platform/</link><pubDate>Wed, 30 May 2012 00:00:00 +0000</pubDate><guid>/research/papers/report-understanding-and-selecting-a-database-security-platform/</guid><description>&lt;p&gt;Understanding and Selecting a Database Security Platform&lt;/p&gt;
&lt;p&gt;This paper examines business requirements for securing databases; it also discusses how these requirements are addressed by assessment, discovery, monitoring, auditing, and blocking technologies. DSP is the next evolution after Database Activity Monitoring (DAM), integrating several new technologies into a unified platform for compliance and security, which identifies and reports on transactions that fail to meet business best practices. There are a wide variety of ways to collect information in and around relational databases, and still more to analyze and report on those findings, so this research digs into the nuts and bolts to present a comparative analysis of the technology options available – along with how they address end user requirements. This research is recommended for use in conjunction with other application security tools; because many web and traditional applications rely on database technology to store, manage, and report on data – linking compliance and security requirements.&lt;/p&gt;</description></item><item><title>Understanding and Selecting a Database Security Platform</title><link>/research/papers/understanding-and-selecting-a-database-security-platform/</link><pubDate>Wed, 30 May 2012 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-a-database-security-platform/</guid><description>&lt;p&gt;Understanding and Selecting a Database Security Platform&lt;/p&gt;
&lt;p&gt;This paper examines business requirements for securing databases; it also discusses how these requirements are addressed by assessment, discovery, monitoring, auditing, and blocking technologies. DSP is the next evolution after Database Activity Monitoring (DAM), integrating several new technologies into a unified platform for compliance and security, which identifies and reports on transactions that fail to meet business best practices. There are a wide variety of ways to collect information in and around relational databases, and still more to analyze and report on those findings, so this research digs into the nuts and bolts to present a comparative analysis of the technology options available – along with how they address end user requirements. This research is recommended for use in conjunction with other application security tools; because many web and traditional applications rely on database technology to store, manage, and report on data – linking compliance and security requirements.&lt;/p&gt;</description></item><item><title>Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform</title><link>/research/papers/vulnerability-management-evolution-from-tactical-scanner-to-strategic-platform/</link><pubDate>Thu, 17 May 2012 00:00:00 +0000</pubDate><guid>/research/papers/vulnerability-management-evolution-from-tactical-scanner-to-strategic-platform/</guid><description>&lt;p&gt;Organizations have traditionally viewed vulnerability scanners as tactical products, largely commoditized and only valuable around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Although those 100-page reports make auditors smile, as they offer a nice listing of audit deficiencies to address in the findings of fact. But the tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. 
We document this evolution to a vulnerability/threat management &lt;em&gt;platform&lt;/em&gt; in our new &lt;strong&gt;Vulnerability Management Evolution&lt;/strong&gt; paper.&lt;/p&gt;</description></item><item><title>Watching the Watchers: Guarding the Keys to the Kingdom (Privileged User Management)</title><link>/research/papers/watching-the-watchers-guarding-the-keys-to-the-kingdom-privileged-user-management/</link><pubDate>Thu, 26 Apr 2012 00:00:00 +0000</pubDate><guid>/research/papers/watching-the-watchers-guarding-the-keys-to-the-kingdom-privileged-user-management/</guid><description>&lt;p&gt;Most organizations focus on the attackers &lt;em&gt;out there&lt;/em&gt; – which means they may miss attackers who have the credentials and knowledge to do &lt;strong&gt;real&lt;/strong&gt; damage. These are “privileged users”, and far too many organizations don’t do enough to protect themselves from that group. By the way – this doesn’t necessarily require a malicious insider. It is very possible (if not plausible) that a privileged user’s device might get compromised, giving an attacker access to the administrator’s credentials. A bad day all around. So we wrote a paper called &lt;em&gt;Watching the Watchers: Guarding the Keys to the Kingdom&lt;/em&gt; describing the problem and offering ideas for solutions.&lt;/p&gt;</description></item><item><title>Network-Based Malware Detection: Filling the Gaps of AV</title><link>/research/papers/network-based-malware-detection-filling-the-gaps-of-av/</link><pubDate>Thu, 09 Feb 2012 00:00:00 +0000</pubDate><guid>/research/papers/network-based-malware-detection-filling-the-gaps-of-av/</guid><description>&lt;p&gt;We know it’s a shock, but your endpoint protection suite isn’t doing a good enough job of blocking malware attacks. So the industry has resorted to additional layers of inspection, detection, and even protection to address its shortcomings. One place focus is turning, which is seeing considerable innovation, is the network. 
We see a new set of devices and enhancements to existing perimeter platforms, focused on detecting and blocking malware. A paragraph from &lt;em&gt;Network-Based Malware Detection: Filling the Gaps of AV&lt;/em&gt; says it best:&lt;/p&gt;</description></item><item><title>Applied Network Security Analysis: Moving from Data to Information</title><link>/research/papers/applied-network-security-analysis-moving-from-data-to-information/</link><pubDate>Thu, 15 Dec 2011 00:00:00 +0000</pubDate><guid>/research/papers/applied-network-security-analysis-moving-from-data-to-information/</guid><description>&lt;p&gt;We have been saying for years that you can’t assume your defenses are sufficient to stop a focused and targeted attacker. That’s what React Faster and Better is all about. But say you actually buy into this philosophy: what now? How do you figure out the bad guys are in your house? And more importantly how they got there and what they are doing? The network is your friend because it never lies.&lt;/p&gt;</description></item><item><title>Tokenization Guidance</title><link>/research/papers/tokenization-guidance/</link><pubDate>Mon, 12 Dec 2011 00:00:00 +0000</pubDate><guid>/research/papers/tokenization-guidance/</guid><description>&lt;p&gt;“We read the guidance but we don’t know what falls out of scope!” is the universal merchant complaint. “Where are the audit guidelines?” is the second most common criticism. On August 12, 2011, the PCI task force driving the study of tokenization published an “Information Supplement” called the PCI DSS Tokenization Guidelines. The merchant community was less than thrilled. The problem is that the PCI document is sorely lacking in actual guidance. Even the section on “Maximizing PCI DSS Scope Reduction” is a collection of broad security generalizations rather than practical advice. 
After spending the better part of two weeks on this wishy-washy paper we propose a better title, “Begrudging Acknowledgement of Tokenization Without Guidance”.&lt;/p&gt;</description></item><item><title>Security Management 2.0: Time to Replace Your SIEM?</title><link>/research/papers/security-management-2-0-time-to-replace-your-siem/</link><pubDate>Wed, 16 Nov 2011 00:00:00 +0000</pubDate><guid>/research/papers/security-management-2-0-time-to-replace-your-siem/</guid><description>&lt;p&gt;Is it time? Are you waving the white flag? Has your SIEM failed to meet expectations despite significant investment? If you are questioning whether your existing product or service can get the job done, you are not alone. You likely have some battle scars from the difficulty of managing, scaling, and actually doing something useful with SIEM. Given the rapid evolution of SIEM/Log Management offerings – and the evolution of requirements, with new application models and this cloud thing – you should be wondering whether a better, easier, and less expensive solution meets your needs.&lt;/p&gt;</description></item><item><title>Fact-Based Network Security: Metrics and the Pursuit of Prioritization</title><link>/research/papers/fact-based-network-security-metrics-and-the-pursuit-of-prioritization/</link><pubDate>Fri, 07 Oct 2011 00:00:00 +0000</pubDate><guid>/research/papers/fact-based-network-security-metrics-and-the-pursuit-of-prioritization/</guid><description>&lt;p&gt;&lt;em&gt;What should you do right now?&lt;/em&gt; That’s one of the toughest questions for any security professional to answer. The list is endless, the priorities clear as mud, the risk of compromise ever present. But doing nothing is never the answer. 
We have been working with practitioners to answer that question for years, and we finally got around to documenting some of our approaches and concepts.&lt;/p&gt;</description></item><item><title>Security Benchmarking: Going Beyond Metrics</title><link>/research/papers/security-benchmarking-going-beyond-metrics/</link><pubDate>Thu, 16 Jun 2011 00:00:00 +0000</pubDate><guid>/research/papers/security-benchmarking-going-beyond-metrics/</guid><description>&lt;p&gt;How do you answer the inevitable question “Are we good at security?” If you are like most organizations, you stutter quite a bit and then fall back to either irrelevant numbers (like AV or patch coverage) or a qualitative assessment – “We had 2 incidents last month, down from 5 the prior month”. Either way, the answer isn’t what management needs, or deserves.&lt;/p&gt;</description></item><item><title>Database Activity Monitoring: Software vs. Appliance</title><link>/research/papers/database-activity-monitoring-software-vs-appliance/</link><pubDate>Wed, 01 Jun 2011 00:00:00 +0000</pubDate><guid>/research/papers/database-activity-monitoring-software-vs-appliance/</guid><description>&lt;p&gt;For Database Activity Monitoring, the deployment model directly affects performance, management, cost, and how well the technology serves your requirements. Appliances, software, and virtual appliances are the three basic deployment models for DAM. While many security platforms offer these same deployment models, what you have learned with firewalls or intrusion detection systems does not apply here – DAM is unique in the way it collects, processes, and ultimately manages information. This white paper provides an in-depth analysis of the tradeoffs between appliance, software, and virtual appliance implementations of Database Activity Monitoring. Each model includes particular advantages that make it a perfect fit for some environments, and completely unsuitable for others. 
Worse, the problems are not always clear until deployed into a production environment. The differences become more pronounced when monitoring virtual servers and cloud services, further complicating direct comparisons. This paper is designed to help you make an informed decision on which model is right for your organization based upon operational, security, and compliance requirements.&lt;/p&gt;</description></item><item><title>Understanding and Selecting a File Activity Monitoring Solution</title><link>/research/papers/understanding-and-selecting-a-file-activity-monitoring-solution/</link><pubDate>Wed, 01 Jun 2011 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-a-file-activity-monitoring-solution/</guid><description>&lt;p&gt;Four years ago, when we initially developed the Data Security Lifecycle, we mentioned a technology we called File Activity Monitoring. At the time we saw it as similar to Database Activity Monitoring, in that it would give us the same insight into file usage as DAM provides for database access. The technology did not actually &lt;em&gt;exist,&lt;/em&gt; but it seemed like a very logical next step from DLP and DAM.&lt;/p&gt;</description></item><item><title>React Faster and Better: New Approaches for Advanced Incident Response</title><link>/research/papers/react-faster-and-better-new-approaches-for-advanced-incident-response/</link><pubDate>Fri, 15 Apr 2011 00:00:00 +0000</pubDate><guid>/research/papers/react-faster-and-better-new-approaches-for-advanced-incident-response/</guid><description>&lt;p&gt;If you don’t already have attackers in your environment you will soon enough, so we have been spending a lot of time with clients figuring out how to respond in this age of APT (Advanced Persistent Threat) attackers and other attacks you have no shot at stopping. You need to detect and respond more effectively. 
We call this philosophy “React Faster and Better”, and have finally documented and collected our thoughts on the topic. Here are a couple of excerpts from the paper to give you a feel for the issue and how we deal with it:&lt;/p&gt;</description></item><item><title>Measuring and Optimizing Database Security Operations (DBQuant)</title><link>/research/papers/measuring-and-optimizing-database-security-operations-dbquant/</link><pubDate>Tue, 12 Apr 2011 00:00:00 +0000</pubDate><guid>/research/papers/measuring-and-optimizing-database-security-operations-dbquant/</guid><description>&lt;p&gt;The Database Security Operations Quant research project – Database Quant for short – was launched to develop an unbiased metrics model to describe the costs of securing database platforms. In the process we developed the most in-depth database security program framework we can find, as well as all the key metrics to measure database security efforts. Our goal is to provide organizations with a tool to better understand the security costs of configuring, monitoring, and managing databases. By capturing quantifiable and precise metrics that describe the daily activities of database administrators, auditors, and security professionals, we can better understand the costs associated with security and compliance efforts. Database Quant was developed through independent research and community involvement, to accurately reflect all the substantive efforts that comprise a database security program.&lt;/p&gt;</description></item><item><title>Network Security in the Age of *Any* Computing</title><link>/research/papers/network-security-in-the-age-of-any-computing/</link><pubDate>Thu, 31 Mar 2011 00:00:00 +0000</pubDate><guid>/research/papers/network-security-in-the-age-of-any-computing/</guid><description>&lt;p&gt;We all know of the inherent challenges that mobile devices and the need to connect to anything from anywhere present to security professionals. 
We’ve done some research on how to start securing those mobile devices, and now we have continued broadening that research with a look to a network-centric perspective on these issues. Let’s set the stage for this paper:&lt;/p&gt;</description></item><item><title>The Securosis 2010 Data Security Survey</title><link>/research/papers/the-securosis-2010-data-security-survey/</link><pubDate>Thu, 04 Nov 2010 00:00:00 +0000</pubDate><guid>/research/papers/the-securosis-2010-data-security-survey/</guid><description>&lt;p&gt;This report contains the results, raw data, and analysis of our 2010 Data Security Survey.&lt;/p&gt;
&lt;p&gt;Key findings include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;We received over 1,100 responses with a completion rate of over 70%, representing all major vertical markets and company sizes.&lt;/p&gt;</description></item><item><title>Monitoring up the Stack: Adding Value to SIEM</title><link>/research/papers/monitoring-up-the-stack-adding-value-to-siem/</link><pubDate>Tue, 02 Nov 2010 00:00:00 +0000</pubDate><guid>/research/papers/monitoring-up-the-stack-adding-value-to-siem/</guid><description>&lt;p&gt;SIEM and Log Management platforms have seen significant investment, and the evolving nature of attacks means end users are looking for more ways to leverage their security investments. SIEM/Log Management does a good job of collecting data, but extracting actionable information remains a challenge. In part this is due to the “drinking from the fire hose” phenomenon, where the speed and volume of incoming data make it difficult to keep up. Additionally, the data needs to be pieced together with sufficient reference points from multiple event sources to provide context. But we find that the most significant limiting factor is often a network-centric perspective on data collection and analysis. As an industry we look at network traffic rather than &lt;em&gt;transactions&lt;/em&gt; ; we look at packet density instead of services; we look at IP addresses rather than user identity. We lack context to draw conclusions about the amount of real risk any specific attack presents.&lt;/p&gt;</description></item><item><title>Network Security Operations Quant Report</title><link>/research/papers/network-security-operations-quant-report/</link><pubDate>Fri, 22 Oct 2010 00:00:00 +0000</pubDate><guid>/research/papers/network-security-operations-quant-report/</guid><description>&lt;p&gt;The lack of credible and relevant network security metrics has been a thorn in the side of security practitioners for years. We don’t know how to define success. We don’t know how to communicate value. 
And ultimately, we don’t even know what we should be tracking operationally to show improvement – or failure – in our network security activities. The Network Security Operations (NSO) Quant research project was initiated to address these issues.&lt;/p&gt;</description></item><item><title>Network Security Ops Quant Metrics Model</title><link>/research/papers/network-security-ops-quant-metrics-model/</link><pubDate>Fri, 22 Oct 2010 00:00:00 +0000</pubDate><guid>/research/papers/network-security-ops-quant-metrics-model/</guid><description>&lt;p&gt;As described in the Network Security Operations (NSO) Quant report, for each process we determined a set of metrics to quantify the cost of performing the activity. We designed the metrics to be as intuitive as possible while still capturing the necessary level of detail. The model collects an inclusive set of potential network security operations metrics, and as with each specific process we strongly encourage you to use what makes sense for your own environment.&lt;/p&gt;</description></item><item><title>Understanding and Selecting a DLP Solution</title><link>/research/papers/understanding-and-selecting-a-dlp-solution/</link><pubDate>Thu, 21 Oct 2010 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-a-dlp-solution/</guid><description>&lt;p&gt;Data Loss Prevention has matured considerably since the first version of this report three years ago. Back then, the market was dominated by startups with only a couple major acquisitions by established security companies. The entire market was probably smaller than the leading one or two providers today. 
Even the term ‘DLP’ was still under debate, with a menagerie of terms like Extrusion Prevention, Anti-Data Leakage, and Information Loss Protection still in use (leading us to wonder who, exactly, wants to protect information loss?).&lt;/p&gt;</description></item><item><title>Understanding and Selecting an Enterprise Firewall</title><link>/research/papers/understanding-and-selecting-an-enterprise-firewall/</link><pubDate>Mon, 18 Oct 2010 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-an-enterprise-firewall/</guid><description>&lt;p&gt;What? A research report on enterprise firewalls. Really? Most folks figure firewalls have evolved about as much over the last 5 years as ant traps. They’re wrong, of course, but people think of firewalls as old, static, and generally uninteresting. But this is unfounded. Firewalls continue to evolve, and their new capabilities can and should impact your perimeter architecture and firewall selection process. That doesn’t mean we will be advocating yet another rip and replace job at the perimeter (sorry, vendors), but there are definitely new capabilities that warrant consideration – especially as the maintenance renewals on your existing gear come due.&lt;/p&gt;</description></item><item><title>Understanding and Selecting a Tokenization Solution</title><link>/research/papers/understanding-and-selecting-a-tokenization-solution/</link><pubDate>Tue, 21 Sep 2010 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-a-tokenization-solution/</guid><description>&lt;p&gt;Tokenization is currently one of the hottest topics in database and application security. 
In this report we explain what tokenization is, when it works best, and how it works – and give recommendations to help choose the best solution.&lt;/p&gt;</description></item><item><title>Data Encryption 101: A Pragmatic Approach to PCI</title><link>/research/papers/data-encryption-101-a-pragmatic-approach-to-pci/</link><pubDate>Tue, 07 Sep 2010 00:00:00 +0000</pubDate><guid>/research/papers/data-encryption-101-a-pragmatic-approach-to-pci/</guid><description>&lt;p&gt;The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures. The problem is that the guidance provided is not always clear. This is especially true when it comes to secure storage of credit card information. The gap between recommended technologies and how to employ them leaves a lot of room for failure. This white paper examines the technologies and deployment models appropriate for both security and compliance, and provides actionable advice on how to comply with the PCI-DSS specification.&lt;/p&gt;</description></item><item><title>Understanding and Selecting SIEM/Log Management</title><link>/research/papers/understanding-and-selecting-siem-log-management/</link><pubDate>Thu, 26 Aug 2010 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-siem-log-management/</guid><description>&lt;p&gt;Anyone worried about security and/or compliance has probably heard about Security Information and Event Management (SIEM) and Log Management. 
But do you really understand what the technology can do for your organization, how the products are architected, and what is important when trying to pick a solution for your organization?&lt;/p&gt;</description></item><item><title>White Paper: Endpoint Security Fundamentals</title><link>/research/papers/white-paper-endpoint-security-fundamentals/</link><pubDate>Thu, 03 Jun 2010 00:00:00 +0000</pubDate><guid>/research/papers/white-paper-endpoint-security-fundamentals/</guid><description>&lt;p&gt;Endpoint Security is a pretty broad topic. Most folks associate it with traditional anti-virus or even the newfangled &lt;em&gt;endpoint security suites&lt;/em&gt;. In our opinion, looking at the issue just from the perspective of the endpoint agent is myopic. To us, endpoint security is as much a program as anything else.&lt;/p&gt;</description></item><item><title>Understanding and Selecting a Database Encryption or Tokenization Solution</title><link>/research/papers/understanding-and-selecting-a-database-encryption-or-tokenization-solution/</link><pubDate>Wed, 05 May 2010 00:00:00 +0000</pubDate><guid>/research/papers/understanding-and-selecting-a-database-encryption-or-tokenization-solution/</guid><description>&lt;p&gt;This paper includes descriptions of major database encryption and tokenization technologies, a decision tree to help determine which type of encryption is best for you, and example use cases drawn from real world deployments.&lt;/p&gt;</description></item><item><title>Low Hanging Fruit: Quick Wins with Data Loss Prevention (V2.0)</title><link>/research/papers/low-hanging-fruit-quick-wins-with-data-loss-prevention-v2-0/</link><pubDate>Thu, 22 Apr 2010 00:00:00 +0000</pubDate><guid>/research/papers/low-hanging-fruit-quick-wins-with-data-loss-prevention-v2-0/</guid><description>&lt;blockquote&gt;
&lt;p&gt;Two of the most common criticisms of Data Loss Prevention (DLP) that come up in user discussions are a) its complexity and b) the fear of false positives. Security professionals worry that DLP is an expensive widget that will fail to deliver the expected value – turning into yet another black hole of productivity. But when used properly DLP provides rapid assessment and identification of data security issues not available with any other technology.&lt;/p&gt;</description></item><item><title>Database Assessment</title><link>/research/papers/database-assessment/</link><pubDate>Mon, 15 Feb 2010 00:00:00 +0000</pubDate><guid>/research/papers/database-assessment/</guid><description>&lt;p&gt;Our goal with this paper is to help customers cut through the marketing fluff, and spotlight the differentiators between current database assessment platforms and the previous generation of DBA tools. While we discuss the individual functional components that constitute assessment platforms, don’t get scared off by the technical discussions. We also cover business justification and compliance for those who are not responsible for managing databases, but need information from the database to do their jobs. We did our best to address questions that will be posed by the different groups who are interested in database assessment technologies.&lt;/p&gt;</description></item><item><title>Report: Database Assessment</title><link>/research/papers/report-database-assessment/</link><pubDate>Mon, 15 Feb 2010 00:00:00 +0000</pubDate><guid>/research/papers/report-database-assessment/</guid><description>&lt;p&gt;Our goal with this paper is to help customers cut through the marketing fluff, and spotlight the differentiators between current database assessment platforms and the previous generation of DBA tools. While we discuss the individual functional components that constitute assessment platforms, don’t get scared off by the technical discussions. 
We also cover business justification and compliance for those who are not responsible for managing databases, but need information from the database to do their jobs. We did our best to address questions that will be posed by the different groups who are interested in database assessment technologies.&lt;/p&gt;</description></item><item><title>Project Quant Metrics Model Report</title><link>/research/papers/project-quant-metrics-model-report/</link><pubDate>Mon, 27 Jul 2009 00:00:00 +0000</pubDate><guid>/research/papers/project-quant-metrics-model-report/</guid><description>&lt;p&gt;This report represents the current findings of the &lt;a href="https://securosis.com/projectquant"&gt;Project Quant open patch management project&lt;/a&gt;. The report will be updated as the research continues and we refine the model. Please see &lt;a href="https://securosis.com/projectquant"&gt;the project site&lt;/a&gt; for more information.&lt;/p&gt;</description></item><item><title>Project Quant Survey Results and Analysis</title><link>/research/papers/project-quant-survey-results-and-analysis/</link><pubDate>Mon, 27 Jul 2009 00:00:00 +0000</pubDate><guid>/research/papers/project-quant-survey-results-and-analysis/</guid><description>&lt;p&gt;This document includes our analysis of the &lt;a href="https://securosis.com/projectquant"&gt;Project Quant&lt;/a&gt; open patch management survey.&lt;/p&gt;
&lt;p&gt;The survey is an ongoing project, and we will continue to release updated analysis and data as new responses are available. &lt;a href="http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d"&gt;You can participate by clicking this link to take the survey&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Best Practices for Endpoint DLP</title><link>/research/papers/best-practices-for-endpoint-dlp/</link><pubDate>Fri, 24 Jul 2009 00:00:00 +0000</pubDate><guid>/research/papers/best-practices-for-endpoint-dlp/</guid><description>&lt;p&gt;Data Loss Prevention&lt;/p&gt;
&lt;p&gt;This paper covers our recommendations for using endpoint DLP, including major features, what to look for, and deployment recommendations. Since we generally recommend full-suite DLP solutions over endpoint-only solutions, you will notice the paper focuses more on endpoint DLP as part of a larger DLP program.&lt;/p&gt;</description></item><item><title>Content Discovery Whitepaper</title><link>/research/papers/content-discovery-whitepaper/</link><pubDate>Fri, 24 Jul 2009 00:00:00 +0000</pubDate><guid>/research/papers/content-discovery-whitepaper/</guid><description>&lt;p&gt;Content Discovery and DLP: Best Practices for Stored Data Discovery and Protection.&lt;/p&gt;
&lt;p&gt;By: Rich Mogull&lt;/p&gt;
&lt;p&gt;This paper outlines some of the techniques and technologies for content discovery as used by Data Loss Prevention platforms, and the trade-offs each provides.&lt;/p&gt;</description></item><item><title>Selecting a Database Activity Monitoring Solution</title><link>/research/papers/selecting-a-database-activity-monitoring-solution/</link><pubDate>Fri, 24 Jul 2009 00:00:00 +0000</pubDate><guid>/research/papers/selecting-a-database-activity-monitoring-solution/</guid><description>&lt;p&gt;Understanding and Selecting a Database Activity Monitoring Solution white paper. This paper examines the business requirements for monitoring databases, as well as the technologies that assist in capturing and analyzing that activity. Rich discusses the compliance and security issues that organizations face, and the options they have at their disposal to identify and report on transactions that fail to meet business best practices. As there are many ways to collect information in and around relational databases, and still more methods to analyze and report on the findings, Rich digs into the nuts and bolts to offer the reader a comparative analysis of the technology options available, and how they address end-user requirements. We recommend using this research in conjunction with other application security tools, as many web and traditional applications rely upon database technology to store, manage, and report on data – linking the compliance and security requirements together.&lt;/p&gt;</description></item><item><title>Web Application Security Program</title><link>/research/papers/web-application-security-program/</link><pubDate>Fri, 24 Jul 2009 00:00:00 +0000</pubDate><guid>/research/papers/web-application-security-program/</guid><description>&lt;p&gt;Web Application Security is an incredibly difficult undertaking, and one of the papers we are most proud of is this one: Building a Web Application Security Program (attached below). 
Web applications not only have many of the same threats and issues as traditional applications, but by their nature have a whole additional set of issues to worry about as well. They require a different approach and analysis, and we hope that you will follow the use cases and adapt the technologies and process improvements suggested to meet your organizational needs. As the science of web application security is advancing very quickly, and as the attacks against web applications and platforms continue to evolve, our approach and recommendations will change. As we anticipate periodic updates to the content, we recommend that you periodically revisit this section for alterations and amendments.&lt;/p&gt;</description></item><item><title>Securing Enterprise Applications</title><link>/research/papers/securing-enterprise-applications/</link><pubDate>Tue, 16 Jun 2009 00:00:00 +0000</pubDate><guid>/research/papers/securing-enterprise-applications/</guid><description>&lt;p&gt;We cover application security extensively on this blog, but normally we are trying to demystify a specific technology area to help companies understand what to look for in products, and how to differentiate real capabilities from marketing fluff. But in light of recent conversations with large enterprises it has become clear that most of these firms have gaps in their security program, specifically in and around the major enterprise applications which are core to their business. This is surprising because platforms like SAP and Oracle have been in place for over a decade, so you might expect every facet of security to have some coverage by now. And they are surprised to hear these gaps exist, after thinking their tools and processes provided complete coverage. So we decided to take a look at application platforms and highlight the common deficiencies we see. 
Here is an excerpt from our paper:&lt;/p&gt;</description></item><item><title>The Business Justification for Data Security</title><link>/research/papers/the-business-justification-for-data-security/</link><pubDate>Thu, 09 Apr 2009 00:00:00 +0000</pubDate><guid>/research/papers/the-business-justification-for-data-security/</guid><description>&lt;p&gt;The Business Justification for Data Security is one of our more important pieces of research. It describes how to evaluate data security investments, map the potential investment to your business needs, then build a business justification case. It starts with a discussion of data security issues, then reviews alternative models (and their flaws), and finishes by presenting our justification methodology. Attached is the whitepaper.&lt;/p&gt;</description></item></channel></rss>