Answering Dan Geer: It’s Time to Reexamine Priorities and Revisit Paradigms

Dan Geer wrote an article for SC Magazine, The enterprise information protection paradigm, discussing the fundamental disconnect between the value derived from data and the investment made to protect that information. He asks the important question: if we reap ever-increasing returns on information, where is the investment to protect the data? Dan has an eloquent take on a long-standing viewpoint in the security community that Enterprise Information Protection (EIP) is a custodial responsibility of corporations, as it is core to generation of revenue and thus the company’s value. Dan’s point that we don’t pay enough attention (and spend enough money and time) on data security is inarguable: we lose a lot of data, and it costs. His argument that we should concentrate on (unification of) existing technologies (such as encryption, audit, NAC, and DLP), however, is flawed. We already have lots of this technology, so more of the same is not the answer.

Part of our problem is that in the real world, inherent security is only part of the answer. We also have external support, such as police who arrest bank robbers; it is not entirely up to the bank to stop bank robbers. In the computer security world, for various reasons, legal enforcement is highly problematic and much less aggressive than for physical crimes like robbery.

I don’t have a problem with Dan’s reasoning on this issue. His argument for the motivation to secure information is sound. I do, however, take issue with a couple of the examples he uses to bridge his reasoning from one point to the next.

First, Dan states, “We have spent centuries learning about securing the physical world, plus a few years learning about securing the digital world. What we know to be common to both is this: That which cannot be tolerated must be prevented.” He puts that in very absolute terms, and I do not believe it is true in either the physical or electronic realms. For example, our society absolutely does not tolerate bank robberies. However, preventative measures are minuscule. The banks are open for business and pretty much anyone can walk in the door. Rather than prevent a robbery, we collect information from witnesses, security cameras, and other forensic sources to find, catch, and punish bank robbers. We hope that the threat of the penalty will deter most potential robbers, and that sound police work will allow us to catch up with the remainder who are daring enough to commit these crimes. While criminals are very good at extracting real value from virtual objects, law enforcement has done a crappy job at investigating, punishing, and (indirectly) deterring crimes in and around data theft. Both of these crucial factors, the credible threat of penalty and the police work to catch offenders, are absent for electronic crimes in comparison to physical crimes. It’s not that we can’t; it’s that we don’t. This is not to undermine Dan’s basic point, that enterprises which derive value from data are not protecting themselves sufficiently, and are contributorily negligent.

But stating that “The EIP mechanism – an unblinking eye focused on information – has to live where the data lives.” and “EIP unifies data leakage prevention (DLP), network access control (NAC), encryption policy and enforcement, audit and forensics,” argues that network and infrastructure security are the answer. As Gunnar Peterson has so astutely pointed out many times, while the majority of IT spending is in data management applications, our security spending is predominantly in and around the network. That means the investments made today are to secure data at rest and data in motion, rather than data in use. Talking about EIP as an embodiment of NAC, DLP, and encryption policy reinforces the same suspect security investment choices we have been making for some time. We know how to effectively secure data “at that point where data-at-rest becomes data-in-motion”. The problem is we suck “at the point of use where data is truly put at risk”, and that point is not the network or infrastructure, but rather applications.

A basic problem with data security is that we do not punish these crimes at anywhere near the rate we punish physical crimes. There is no (or almost no) deterrence, because examples of catching and punishing the criminals are missing. Further, investment in data security is typically misguided. I understand how this happens (protecting data in use is much harder than encrypting TCP/IP or disk drives), but where we invest is a critical part of the issue. I don’t want this to come across as disagreement with Dan’s underlying premise, but I do want to stress that we need to make more than one evolutionary shift.

RSAC 2010 Guide: Endpoint Security

The fun is just beginning. We continue our trip through the Securosis Guide to the RSA Conference 2010 by discussing what we expect to see relative to Endpoint Security.

Endpoint Security

Anti-virus came onto the scene in the early 1990s to combat viruses proliferated mostly by sneakernet. You remember sneakernet, don’t you? Over the past two decades, protecting the endpoint has become pretty big business, but we need to question the effectiveness of traditional anti-virus and other endpoint defenses, given the variety of ways to defeat those security controls. This year we expect many of the endpoint vendors to start espousing “value bundles” and alternative controls such as application whitelisting, while jumping on the cloud bandwagon to address the gap between claims and reality.

What We Expect to See

There are four areas of interest at the show for endpoint security:

The Suite Life: There are many similarities between current endpoint security suites and office automation suites in the early part of the decade. The applications don’t work particularly well, but in order to keep prices up, more and more stuff you don’t need gets bundled into the package. There is no end to that trend in sight, as the leading endpoint agent companies have been acquiring new technologies (such as full disk encryption and DLP) to broaden their suites and maintain their price points. But at the show this year, it’s reasonable to go to your favorite endpoint agent vendor and ask them why they can’t seem to “get ahead of the threat.” Yes, that is a rhetorical question, but we Securosis folks like to see vendors squirm, so that would be a good way to start the conversation. Also be on the lookout for the folks offering “Free AV” and talking about how ridiculous it is to be paying for AV nowadays. Just be aware that the big booths with the Eastern European models don’t come cheap, so they will get their pound of flesh in the form of management consoles and upselling to more full-featured suites (which actually may do something).

The Cloud Messiah: Endpoint vendors aren’t the only ones figuring the ‘cloud’ will save them from all their issues, but they will certainly be talking about how integrating malware defenses into the ‘cloud’ will increase effectiveness and keep the attackers at bay. This is another game of three-card monte, and the endpoint vendors are figuring you won’t know the difference. After you’ve asked the vendor why they can’t stop even simplistic web attacks or detect a ZeuS infection, they’ll probably start talking about “shared intelligence” and the great googly-moogly malware engine in the sky. At this point, ask a pretty simple question: “How do you win this arms race?” With 2-3 million new malware attacks happening this year, how long can a signature-based approach keep up? That should make for a more interesting conversation.

Control Strategies: Given that traditional anti-virus is mostly useless against today’s attacks, you are going to hear a number of smaller application whitelisting vendors start to go more aggressively after the endpoint security companies. But this category (along with USB device control technology) suffers from a perception that the technology breaks applications and impacts user experience. As with every competitive tête-à-tête, there is some truth to that argument. So challenge the whitelisting vendors on how they impact the user experience (or don’t), and on whether they can provide value similar to an endpoint security suite (firewall, HIPS, full disk encryption, etc.).

Laptop Encryption: You’ll likely also be hearing about another feature of most of the endpoint suites: full disk encryption (FDE). There will be lots of FUD about the costs of disclosure and why it’s just a lot easier to encrypt your mobile devices and be done with it. For once, the vendor mouthpieces are absolutely right. But this brings us to the question of what features you need, whether FDE should be bundled into your endpoint suite, and how you recover data when users inevitably lose passwords and devices are stolen. So if you have mobile users (and who doesn’t?), it’s not a question of whether you need the technology, but of the most effective way to procure and deploy it.

For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, and Application Security.

Webcast on Thursday: Pragmatic Database Compliance and Security

Auditors got you down? Struggling to manage all those pesky database-related compliance issues? Thursday I’m presenting a webcast on Pragmatic Database Compliance and Security. It builds on the base of Pragmatic Database Security, but is more focused on compliance, with top tips for your favorite regulations. It is sponsored by Oracle, and you can sign up here. We’ll cover most of the major database security domains, and I’ll show specifically how to apply them to major regulations (PCI, HIPAA, SOX, and privacy regulations). If you are a DBA or security professional with database responsibilities, there’s some good stuff in here for you.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments, just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments and input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, the handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very, very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, at the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited to a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.