Friday Summary: June 17, 2011By Adrian Lane
Where would you invest? The Reuters article about Silicon Valley VCs betting on new technologies to protect computer networks got me thinking about where I would invest in computer security. This is a very tough question, because where I would invest in security technologies as a CIO is different than where I would invest as a venture capitalist. I can see security bets to address most CIOs’ need to spend money, or and quite different technologies address noisy threats, which could make investors money. As Gunnar pointed out in Unfrozen Caveman Attacker (my favorite post this week) firewalls, anti-virus, and anti-malware are SSDD – but clearly people are buying plenty of it.
As long as we are playing with Monopoly money, as a CIO facing today’s threats I would invest in the following areas (regardless of business type):
- Endpoint encryption – the easiest-to-use products I could find – to protect USB sticks, laptops, mobile and cloud data.
- As little as possible in ‘content’ security for email and web to slow down spam, phishing, and malware.
- Browser security to thwart drive-by attacks.
- Application layer monitoring both for specific applications like web apps and databases, alongside generic application controls and monitoring for approved applications.
- And (probably) file integrity monitoring tools.
- A logging service.
- Identity, Access, and Authorization management systems – the basis for determining what users are allowed access and what they can do.
From there it’s all about effective deployment of these technologies, with small shifts in focus to fit specific business requirements. Note that I am ignoring compliance considerations, just thinking about data and system security.
But as a VC, I would invest in what I think will sell. And I can sell lots of things:
- “Next Generation Firewalls”
- Cloud and virtual security products – whatever that may be.
- Anti-Virus, in response to the pervasive fear of system takeover – despite its lack of effectiveness for detection or removal.
- Anti-malware – with the escalating number of attacks in the news, this another easy sell.
- Anything under the label “Mobile Security”.
- Finally, anything compliance related: technologies that help people quickly achieve compliance with some aspect of PCI, HITECH or some portion of a requirement.
Quick sales growth is about addressing visible customer pain points – real or perceived. It’s not about selling snake oil – it’s about quick wins and whatever customers demand.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane: Truth and (Dis)Information.
- Mike Rothman: Secure Passwords Sans Sales Pitch. The antidote for brute force is: a password manager.
Other Securosis Posts
- The Hazards of Generic Communications.
- Stop Asking for Crap You Don’t Need and Won’t Use.
- Incite 6/15/2011: Shortcut to Hypocrisy.
- More Control Doesn’t Equal More Secure.
- Balancing the Short & Long Term.
Favorite Outside Posts
- Adrian Lane: Unfrozen Caveman Attacker. Moog like SQL injection! SQL injection WORK!
- Mike Rothman: Asymmetry of People’s Time in Security Incidents. Lenny points out why it’s hard to be a security professional. We have more to cover and have to expend exponentially more resources than the bad guys. And this asymmetry goes way beyond incident response.
Project Quant Posts
- DB Quant: Index.
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
Research Reports and Presentations
- Understanding and Selecting a File Activity Monitoring Solution.
- Database Activity Monitoring: Software vs. Appliance.
- React Faster and Better: New Approaches for Advanced Incident Response.
- Measuring and Optimizing Database Security Operations (DBQuant).
Top News and Posts
- Use of Exploit Kits on the Rise Why? Because they work. And because you can create hacks quickly. Sound like a good productivity app?
- Big Blue at 100.
- Citi Credit Card Hack Bigger Than Originally Disclosed. Apparently the vulnerability was to simple URL substitution – you know, randomly editing the credit card number or user ID. Shocking if true!
- Adobe’s Quarterly Patch Update.
- 34 Security Flaws Patched (Microsoft).
- New PCI Guidance around Virtualization (PDF). Rich and Adrian will post analysis of this next week.
- EU Wants to Criminalize Hacking Tools. D’oh!
- Lulz DDoS on CIA.gov.
- Beaker vMotioned.
- Projector Passwords? Valid point about security prohibiting you from doing your job, and more evidence that Sony is focused on the wrong threats and shooting itself in the foot as a result.
- More Malicious Android Apps.
Blog Comment of the Week
you’re not nuts. telling your opponent how you intend to attack them, thereby giving them an opportunity to deploy countermeasures, would be a great way to cause your strategy to fail.
even in the unlikely event that the authorities believe they’ve already gotten all the information they need out of these informants, there are always new actors entering the arena that the informants could have been useful against if their existence hadn’t been given away.
the only way this makes sense for an intelligent actor is if the claim about informants is psyops, as you suggest.
unfortunately, i don’t think we can’t assume the authorities are that intelligent. it would certainly be nice if they were, but high-level stupidity is not unheard of.