
Anton Chuvakin

Friday, April 03, 2009

Friday Summary, April 3, 2009

By Adrian Lane

The big news at Securosis this week centered around the Conficker worm. As Rich blogged earlier in the week, he got a call from Dan Kaminsky on Saturday with the outline of what was going on. Rich and I scrambled Saturday to reach as many AV vendors as we could to get the word out. While some were initially a little annoyed at getting called on their cell phones Saturday afternoon, everyone was really eager to see what Tillmann Werner and Felix Leder had discovered and get their scanning tools updated. I expected things to be quiet on April 1st. A lot of security researchers have been watching and studying the worm's behavior, and devising plans for detecting and containing the threat. I imagine the authors of the worm are reading every bit of news they can get their hands on and learning how to improve their code in response. This has been fascinating to watch. Thanks again to the Honeynet Project and Dan Kaminsky for doing a great job, and for involving us in the effort.

On a more personal note, you probably have noticed that neither Rich nor I have been blogging as much lately, partially due to our desire to not create more work for ourselves prior to the new site launch; partially because, well, family comes first. For those of you who know me, you know I have dogs. When people ask me if I have kids, I typically say "No, I have dogs." What I mean to say is "Yes, several; of the four legged variety." March has been a terrible month for me because in the first few days one of my puppies went into kidney failure as she had been prescribed the wrong pain medication and dosage. I spent 5 days at the emergency vet clinic with her, even signing the DNR papers as we did not think she would make it. Happy to say she did, and is slowly recovering her ability to walk and some of the 30 lbs. she lost. A couple of days after I got back from Source Boston, her brother, and our all time favorite, started having trouble breathing. To make a long story short, we found cancer everywhere, and he only made it five days after his first visible symptoms, dying in my lap Tuesday morning. We know even several of you hardened veterinarians and long time breeders who have "seen it all" shed a tear over this one, and Emily and I understand and appreciate your heartfelt condolences. Looking forward to a much brighter and happier April.

And now for the week in review... at least what little of it I managed to notice:

Webcasts, Podcasts, Outside Writing, and Conferences:

Favorite Securosis Posts:

Favorite Outside Posts:

Top News and Posts:

  • Microsoft Security Advisory 969136 for MS Office PowerPoint.
  • Internet too dangerous? I think most people just do not appreciate how dangerous it is.
  • Conficker 'eye-chart'. This is a great idea and works for several malware variants.
  • One topic I really wanted to blog on this week was the Internet Crime Complaint Center report that incidents (discovered and reported, of course) were up 33% year over year.
  • Mini-Botnets. Smaller, just as much of a problem.
  • The Open Cloud Manifesto. Ugh. Too many grandstanders with too little to say. If Hoff wants to fight that fight, fine, but it feels like yelling at the wind to me. Just not worth the time jumping into this mess until there is a bit more of a market. Don't get me wrong- Rich and I will cover cloud and virtualization security in the future, maybe even this year. But not in response to this, and when we do, we will try to have something to say that does not suck.

Blog Comment of the Week:

This week's best comment was from 'Anonymous':

@Andre, I think once the Institute store makes its exclusive gear available, you should be the first to buy an ASS hat.

We are working on the merchandise page for the new site ... we will be sure to stock those hats.

–Adrian Lane

Monday, August 18, 2008

Don’t Sell “Compliance” If It Isn’t A Checkbox

By Rich

Perusing my blogs this morning I caught a post by Anton on DLP and compliance. That's the blogging equivalent of chaining a nice fat bunny to a stake in the middle of coyote territory here in Phoenix (in other words, the park behind our house). I, as the rabid coyote of DLP-ness, am compelled to respond.

Anton starts by wondering why he doesn't see compliance more in DLP vendor literature:

Today I was thinking about DLP again :-) (yes, I know that "content monitoring and protection" - CMF - is a better description) Specifically, I was thinking about DLP and compliance. At first, it was truly amazing to me that DLP vendors "under-utilize" compliance in their messaging. In other words, they don't push the "C-word" as strongly as many other security companies. Compliance dog doesn't snarl at you from their front pages and it doesn't bite you in your ass when you read the whitepapers, etc. Sure, it is mentioned there, but, seemingly, as an after-thought.

Then, he nails the answer:

But you know what? I actually think that it is something different, much more sinister. It is the ominous checklist mentality (here too)! You know, DLP is newer than most regulations (PCI DSS, HIPAA, FISMA, etc) and - what a shock! - the documentation for these mandates just doesn't mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, logging (of course!). Also, PCI DSS directly and explicitly says "get a firewall", "deploy log management", "get scanned", "install and update AV" - but where is DLP? Ain't there...

I've spent a heck of a lot of time working with DLP vendors and users, and this is a problem that affects technologies beyond just DLP. Early on, the DLP vendors all talked about how they'd make you SOX, HIPAA, or XXX compliant. Problem was, there isn't a regulation out there that requires DLP. The customer conversations went like this:

Vendor: PCI compliance is bad. Buy DLP.
User: Okay, is that section 3.1 or 3.2 that requires DLP?
Vendor: It's not in there yet, but... {sales guy monkey dance}
User: Ah. I see. Can you come back after we finish remediating our audit deficiencies? Say in 2012? Q3?

The truth is that DLP can help significantly with compliance with a variety of regulations, but none of them require it. As a result, vendors have softened their message and the good ones adjust it to show this value. I don't know if I really influenced this, but it's something I've spent a lot of time working on with my vendor clients over the years.

Other markets face this same challenge, and if you look back they almost always start by hitting compliance for the apparently easy cash, and are then forced to adjust their messaging unless a regulation explicitly requires their product. Users face the same problem:

User: We need to do X for compliance with Y.
Money Guy/Boss: Okay, where is that on the audit report?
User: It's not, but {monkey dance}.
Money Guy/Boss: Ah. I see. Maybe we can discuss this during your annual review.

Be it a vendor or an end user, the compliance sell is either the easiest or hardest you'll ever face. If the regulation (or your auditor) explicitly requires something, there's an immediate business justification. While there's a lot more to compliance, if it isn't on that list you can't sell it with merely the C word.

Instead, evaluate the tool or process in the context of compliance and show the business benefits. Does it reduce compliance costs? Does it reduce your risk of an exposure? For example, DLP content discovery, by identifying where credit card data is stored, can reduce both audit costs and the risk of non-compliance. Database Activity Monitoring can reduce SOX audit costs and the cost of maintaining appropriate logging on financial databases. There are a ton of internal process changes that improve audit efficiency and reduce the burden of generating compliance reports last minute every year or quarter.

When something is on the checklist, sell it as compliance. When it's off that list, sell it as cost or risk reduction. If it doesn't hit those categories, buy a monkey to do the dance- it's cuter than you are and more likely to get the banana.

–Rich