Primary research papers from Securosis, released under Creative Commons licensing.
Securosis Research is developed under the Totally Transparent Research Process.
Below are our top cloud security and DevOps posts, ordered as we suggest you read them rather than by posting date. This is just the start. The list will grow nearly daily as we write a ton of new content. We will also include links to our external content, including code on GitHub.
So what is RASP? Runtime Application Self-Protection (RASP) is an application security technology which embeds into an application or application runtime environment, examining requests at the application layer to detect attacks and misuse in real time. RASP functions in the application context, which enables it to monitor security – and apply controls – very precisely. This means better detection because you see what the application is being asked to do, and can also offer better performance,…
Threat Intelligence has made a significant difference in how organizations focus resources on their most significant risks. We concluded our Applied Threat Intelligence paper by pointing out that the industry needs to move past tactical TI use cases. Our philosophy demands a programmatic approach to security.
The good news for incident responders is that you no longer need to make the case for what you do and why it’s important. Everyone is watching. Here is a quote from the paper:
Being a security professional certainly was easier back in the day before all these newfangled devices had Internet connections. I’m not sure how we became the “get off my lawn!” guys, but here we are. You probably scan for PCs. Maybe you even have a program to find and monitor mobile devices on your networks (though probably not). But what about printers, physical security devices like cameras, control systems, healthcare devices, and the two dozen or so other types of devices on your networks?
New technologies scare some people. And the cloud is scaring lots of people. They worry about how data resides within networks they don’t control. They worry that attackers could compromise a multi-tenant environment. They worry they don’t have the tools or techniques to provide equivalent security to what they already have in their traditional data centers.
In this business environment, where more output is expected faster, while consuming fewer resources, organizations have little choice but to embrace outsourcing and other means of becoming more efficient while maintaining productivity. Interconnecting business technology systems accelerates inter-enterprise collaboration, but there are clear risks to providing access to external parties.
Despite having published a bunch of research over the years about SIEM, it’s still a very misunderstood and underutilized technology. Lots of organizations aggregate their logs (you can thank PCI-DSS for that), but not enough actually use their SIEM effectively. And it’s not like you can just look at some other shiny technology to replace the SIEM:
Big data systems have become very popular because they offer a low-cost way to analyze enormous sets of rapidly changing data. But Hadoop, with its incredibly open and vibrant ecosystem, has enabled firms to completely tailor clusters to their business needs. This combination has made Hadoop the most popular big data framework in use today. And as adoption has ramped up, IT and security teams have found themselves tasked with getting a handle on data – and Hadoop…
We are excited about this research paper, because we are excited about what the DevOps approach has delivered to many organizations, both small and large, already. And even firms who have only recently started down the path toward a full DevOps process already enjoy the advantages of streamlined testing and build processing with continuous integration. Our focus for this research was on how to embed security and security testing into DevOps, leveraging automated workflows to implement security…
Most organizations have realized that threat prevention has limitations, so we have seen renewed focus on threat detection. But like most other security markets, the term threat detection has been distorted to cover almost everything. So we figure it’s time to clarify what threat detection is and how it is evolving to deal with advanced attacks, sophisticated adversaries, and limited resources.
One of the bigger issues when migrating to the cloud is translating and extending your existing security controls, especially our old friend, network security. While cloud networking may resemble what we are used to, under the covers it behaves, and is managed, very differently.
October 2015 is the deadline for merchants to adopt EMV-compliant credit card terminals, in exchange for a liability waiver for fraudulent card present transactions. Explaining the EMV shift and payment security is difficult – there is a great deal of confusion about what the shift means, what security it really delivers, and whether it actually offers real benefits for merchants. Part of the problem is that the card brands have chosen to focus all their marketing on a single oversimplified…
The more things change, the more they stay the same. We have been talking about Reacting Faster and Better for years and we will continue to do so, because trying to prevent every attack is and will remain futile. The best path forward is to continue advancing the ability to prevent attacks, while spending as much time on detecting attacks that successfully compromise your defenses. This detection-centric view of the world has been a central theme in our research; it highlights a variety of…
Threat Intelligence remains one of the hottest areas in security. With its promise to help organizations take advantage of information sharing, early results have been encouraging. We have researched Threat Intelligence deeply; focusing on where to get TI and the differences between gathering data from networks, endpoints, and general Internet sources. But we come back to the fact that having data is not enough – not now and not in the future.
We’ve seen a renaissance of sorts regarding endpoint security. To be clear, most solutions in the market aren’t good enough. Attackers don’t have to be advanced to make quick work of the endpoint protection suites in place. That realization has created a wave of innovation on the endpoint that promises to provide a better chance to prevent and detect attacks. But the reality is that far too many organizations can’t even get the fundamentals of endpoint security right.
Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is “compliance, cloud, and covert affairs”. Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments).
We have been writing extensively about the disruption currently hitting security, driven by cloud computing and mobility. Our Inflection: The Future of Security research directly addresses the lack of visibility caused by these macro trends. At the same time, greater automation and orchestration promise to enable security to keep up with the cloud, in terms of both scale and speed. Meanwhile each day’s breach du jour in the mass media keeps security topics at the forefront, highlighting the importance…
This cloud thing is going to have major repercussions on how you protect technology assets over time. But what does that even mean? We start this paper by defining how and why the cloud is different, and then outline a number of trends we expect to come to fruition, as described in our paper The Future of Security. Then we look at how security monitoring functions need to evolve, as an increasing amount of technology infrastructure runs in the cloud.
Amazon Web Services is one of the most secure public cloud platforms available, with deep datacenter security and many user-accessible security features. Building your own secure services on AWS requires properly using what AWS offers, and adding additional controls to fill the gaps.
If you’ve followed this blog for any length of time, you know we have talked about the troubles of integrating security testing and secure code development practices into an Agile development process. Security is trying to manage risks to the organization, including risks introduced by new technologies such as code. Development teams try to deliver quality code faster, which means jettisoning things that slow them down. Both want customers to be happy and to deliver new products and services, but…
It’s all about the data. You want to make data useful by making it available to users and applications which can leverage it into actionable information. You share data between applications, partners, and analytics systems to derive the greatest business intelligence value possible. But what do you do when you cannot guarantee the security of those systems? How can you protect information regardless of where it moves? One approach is called Data Centric Security, and it is designed to protect…
We continue to investigate the practical uses of threat intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, now we turn our attention to Incident Response and Management. In this paper, we go into depth on how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources to help narrow down the scope of your investigation.
This research paper provides a detailed approach for effectively deploying, managing, and integrating a Web Application Firewall into your application security program. Our research shows that WAFs have a bad name, not because of any specific technology flaw, but mostly due to mismanagement. So we wrote Pragmatic WAF Management to cover how WAFs work, why some customers fail to derive value, and how to effectively deploy a WAF to secure applications from the increasing variety of web-based…
One of the fastest growing cloud services is Cloud File Storage and Collaboration, also known as Enterprise Sync and Share. These tools allow organizations to centralize and manage unstructured data in entirely new ways. They also promise massive security benefits, including centralized control over unstructured data, with a full audit log of all user and device activity.