Securosis

Research

There’s a Reason We Have Security (or any) Experts

I’m on a break here in Orlando and made the mistake of checking my work email. A coworker from another team is pushing a prediction around data security that, depending on how you interpret it, is either: Already in multiple commercial products No harder to break than existing technologies I won’t name names or even the specific proposal, but now we’re in a big internal debate since I’m fighting publication of a prediction that I think could embarrass us among security professionals. Unfortunately this person’s team is backing him/her and are really excited about this new security concept, without really understanding security. We see this all the time in any complex field of study or practice. Someone from the outside, either left field or a related field, gets a really cool idea that they think is paradigm shifting. This person believes their outside view is “clearer” than those stuck in the tradition of their various area of expertise. On very rare occasion such genius exists. But it isn’t you. When I was younger I made the same mistake myself; all of us egotistical analytical or academic types are prone to errors of youth or inexperience. Some fields are more prone to, what I’ll call “exploding lightbulbs” than others. Physicists, cryptographers, and doctors battle this on a sometimes daily basis. The truth is we have experts for a reason. I’ve read that true expertise can take 10 years of experience in a field under most circumstances. It takes that long to learn the basic skills & history, and gain necessary practical experience. You can be really good or smart in a field, but expertise takes a lot longer. We see it all the time in security. Someone out of networking, development, or wherever reads a book or takes a course and considers themselves an expert. Really, they’re just starting down the path. In some cases they might be an expert in some small area, but it doesn’t translate to the entire field. I was a paramedic. I’m not a doctor, even if I might catch some doctor’s mistakes on occasion. But when I think I know more than the doctor, and I’m wrong, I become very dangerous. It’s the same in security and many other fields. I was good at security fairly early on, but it took many years to become an expert. And even then, my expertise is only really deep in a couple of areas and some general principles. We have experts for a reason, and not every practitioner is an expert. Expertise takes time, study, experience, and hard work. In security if you think: You’ve invented a new, unbreakable encryption algorythm You just created a new, unbreakable defense against 0day attacks You perfected any single tool, at any layer, that can stop any attack, of any kind You built something to eliminate the insider threat You can take a couple classes and defend a large enterprise You have designed unbreakable DRM You’re wrong. If it’s really important to you go immerse yourself and become an expert. And I’m not talking about some 5 day CISSP class. Take the time, be an expert, or work with experts to convert your theoretical idea to reality. Very rarely that bright bulb won’t explode. But most of the time we’re left with ugly shards of glass that just hurt everyone standing nearby. Share:

Share:
Read Post

Enterprise DRM- Not Dead, Just in Suspended Animation

I just finished up my last of 4 presentations here in Orlando and am enjoying a nice PB&J and merlot here in my room. Too much travel really kills the taste buds for hotel food. Today’s presentation was on data security; the area I’ve been focusing on during my 5 years as an analyst. And when you talk about data security you have to talk about DRM. Enterprise DRM is quite different from consumer DRM, even if they both follow the same basic principles. One of the biggest differences being enterprise DRM is focused on reducing the risk of exposure, consumer DRM on eliminating it (you know, the mythical perfect security). There are a few third party DRM vendors but Microsoft and Adobe are the big elephants in the room. But even those behemoths struggle for more than a workgroup-scale deployment (oh, they may sell seats but few people use it day to day). Which, as we struggle with problems like information leaks, seems pretty weird. I mean here we have a technology that can stop everything from unapproved email forwarding, to printing, to cutting and pasting. Seems pretty ideal, so what’s the problem? All that capability comes with a price- not sticker price, but deep enterprise integration with every single application that needs to read the content. But that’s not the big problem. The big problem is DRM relies on the people creating documents actually remembering to turn on the DRM, then understanding which rights to apply, and then figuring out who the heck is supposed to have all those various rights. I can barely remember my family, never mind which of my far flung coworkers should be allowed to print the doc I just sent them. Thus most DRM deployments don’t make it past the workgroup. Now imagine if the rights were automatically applied, or at least suggested, based on the content of the document. If there’s a credit card number one set of rules is applied. If it’s an engineering plan, or a secret marketing doc (based on the verbiage inside) different rules are set. All based on central policies. Sure, it won’t catch everything, but it’s a heck of a lot better than not doing anything. Hmm… I wonder where we could find a policy based tool capable of taking action based on deep content inspection using advanced linguistic, statistical, or conceptual analysis? Oh yeah- content monitoring and filtering, often called information leak prevention. CMF will save DRM. It will make it viable outside the workgroup by taking everyday decisions out of the hands of overworked employees, while applying central policies based on what’s actually in the files. It won’t work every time, and users will often have to confirm the correct rights are applied, but it’s the only way enterprise DRM is viable. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.