Securosis

Research

RSAC 2010 Guide: Content Security

Two business days and counting, so today and tomorrow we’ll be wrapping up our Securosis Guide to the RSA Conference 2010. This morning let’s hit what the industry calls “content security,” which is really email and web filtering. Rich just loves the term content security, so let’s see how many times we can say it. Email/Web (Content) Security In case you missed it, every email security vendor on the planet offers web content filtering within their portfolio of products and – for better or worse – the combination is now known as content security. No other security market has embraced the concept of ‘the cloud’ and SaaS offerings as enthusiastically as content security providers. In an effort to deal with increasing volumes of spam and malware without completely overhauling all your hardware, vendors offer outsourced content filtering as a cost effective way to add both capacity and capability. Almost all vendors offer traditional on-premise software or appliances, fortified with cloud services (most refer to this as a hybrid model) for additional screening of content. What We Expect to See There are three areas of interest at the show relative to content security: Fully Integrated Platforms: As you wander the show floor at Moscone Center, we expect every vendor to say that their web and email security platforms are completely integrated. What this usually means is that your reports are shared, but cloud and appliance consoles are separate, as is policy management. It’s funny how the vendors have such a flexible definition of ‘integrated.’ If you are looking at migrating to a combined solution, you need to dig in to see what is really integrated and what simply shares the same dashboard, how your user experience will change (for the better), and how effective & clean their results are – end users get grumpy if their favorite web sites are classified as unsafe or they get spam in their inboxes. Hybrid Cloud Services: We expect every vendor to offer a ‘cloud’ service in order to jump on the cloud bandwagon. This may be nothing more that an anti-spam or remote web filtering gateway deployed on shared infrastructure as a hosted service. The quality and diversity of cloud services varies greatly, as does the level of security provided by different cloud hosting companies. Once you get past the hype of certifications and technobabble, ask the vendors what types of audits and third party security certifications they will allow. Ask what sort of financial commitments they will make in the event that they fail to live up to their service level agreements, and what their SLAs with the cloud infrastructure providers look like. Those two questions usually halt the discussion, and will quickly distinguish hype mongers rom folks who have really thought through cloud deployment. DLP Lite: As we’ll see in the Data Security section, DLP is hot again. Thus we expect to see every content security vendor offering ‘DLP’ or ‘Data Loss Prevention’ within their products, but in reality most only offer regular expression checks of network content. Yes, they’ll be able to detect an account number or a social security number, but that is only a sliver of what DLP needs to be. Content discovery and more advanced forms of content inspection (heuristic, lexical, cyclic hash, etc.) will be noticeably absent. Again, we recommend you challenge the content security vendor to dig into their discovery and detection capabilities and prove it’s more than regular expressions. Keep in mind that a trade show demo is probably inadequate for you to sufficiently explore the advanced features, so your objective should be to identify 3-4 vendors for deep dives after the show. For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, and Endpoint Security. Share:

Share:
Read Post

RSAC 2010 Guide: Virtualization and Cloud Security

Now that we are at the end of the major technology areas covered in the Securosis Guide to the RSA Conference 2010, let’s discuss one of the 3 big themes of the show: Virtualization and Cloud Security. Virtualization and Cloud Security The thing about virtualization and ‘cloud’ is that they really cut across pretty much every other coverage area. But given they’re new and shiny – which really means confusing and hype-ridden – we figured it was better to split out this topic, to provide proper context on what you’ll see, what to believe, and what is important. What We Expect to See For virtualization and cloud security there are four areas to focus on: Virtualization Security: The tools and techniques for locking down virtual machines and infrastructures. Most virtualization risk today is around improper management configuration and changes to networking, which may introduce new security issues or circumvent traditional network security controls. Focus on virtualization security management tools – especially configuration management that can handle the virtualization configuration, not just the operating system configuration and network security. Be careful when vendors over-promise on network security performance – you can’t simply move a physical appliance into a virtual appliance on shared hardware and expect the same performance. Security as a Service: A variety of new and existing security technologies can be delivered as services via the cloud. Early examples included cloud-based email filtering and DDoS protection, and we now have options for everything from web filtering, to log management, to vulnerability assessment, to configuration management. Many of these are hybrid models, which require some sort of point of presence server or appliance on your network. Security as a Service is especially interesting for mid-sized enterprises, since it’s often able to substantially reduce management and maintenance costs. Although many of these offerings don’t technically meet the definition of cloud computing, don’t tell the marketing departments. Cloud-Powered Security: Some vendors are leveraging cloud-based features to enhance their security product offerings. The product itself isn’t delivered from the cloud or aimed at securing the cloud, but uses the cloud to enhance its capabilities. For example, an anti-malware vendor that leverages cloud technologies to collect malware samples for signature generation. This is where we see the most abuse of the term ‘cloud’, and you should push the vendor on how the technology really works rather than relying on branding vapor. Cloud Security: The tools and techniques for securing cloud deployments. This is what most of us think of when we hear “cloud security”, but it’s what you’ll see the least of on the show floor. We suggest you attend the Cloud Security Alliance Summit on Monday (if you’re reading this before then) or Rich’s presentation with Chris Hoff on Tuesday at 3:40. You can also visit the Cloud Security Alliance in booth 2641. We guarantee your data center, application, and storage teams are looking hard at, or are already using, cloud and virtualization, so this is one area you’ll want to pay attention to despite the hype. For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, and Content Security. Share:

Share:
Read Post

Retro Buffoonery

I’m probably not supposed to do this, as I took the security marketer’s oath to get my first VP Marketing gig. But I’m going to pull the curtain back on some of the wacky stuff vendors do to sell their product/services. Today’s specific tactic is what I’ll dub retro buffoonery, which is when a vendor looks back in time, and states that they could have stopped attack X, Y and Z – if only their products were deployed before the attack. You see this stuff all the time. Whether it was TJX, Heartland, ZeuS, or now the APT, vendor after vendor builds a marketing program saying they could have stopped or detected the attack. They build very specific timelines and show how their product theoretically defended customers. Note I said ‘theoretically’, because I’ve yet to see a case where a vendor had an actual customer to say “I didn’t get hosed by [Attack X] because I was using [Product Y].” To illustrate my point, let’s take a look at McAfee’s recent post-mortem on Operation Aurora. Now I’m singling out McAfee here, but there is nothing personal. Every vendor does it. I’ve done it probably a hundred times. If you work for a vendor, you’ve done it too. Rees Johnson, the blogger, did his job and pieced together a somewhat plausible story about how a combination of McAfee products could have been assembled to defend against the Aurora attack. Basically, if you had all your traffic going through a SSL proxy, had reputation working on every single gateway seeing network traffic, had whitelisting on every single device running code, and a huge research arm that could tell you there was something going on – then you could have detected the attack. Yeah, that doesn’t sound like either an economically feasible or realistic user experience situation – but let’s not split hairs here. And we know plenty of folks were running McAfee, but they don’t seem to have any success stories of actual Aurora detection ahead of the fact to share. Now to be clear, retro buffoonery tells a good marketing story and allows sales people to make a compelling case to customers for a company’s technology. Even better, by referencing a real attack, it can create enough customer urgency to get a check written. Which is good because security sales reps have those monthly BMW payments to make. But please understand, this Tuesday Morning Quarterback exercise will not help you protect your environment any better for the next attack. In the 20 years I’ve been in this business, we have proven to be lousy at predicting the future. How many of you predicted that a 0-day attack against IE6 on XP would constitute 30+ huge and successful attacks over the past 3 months? Probably the same folks who predicted SQL Slammer, TJX-style wireless POS attacks, and Heartland-style network sniffers. Even better, there are always multiple vendors telling stories about how different classes of products stop these attacks. Yet the attacks still happen, so it always gets back to the same thing – in hindsight, you’re sure you could’ve caught the attack. In reality, not so much. Vendors hope we’ll forget that it’s more than just a signature or a product that actually protects us against these attacks. We also must remember process and people complete the picture. Maybe if you backed up the truck and implemented everything McAfee has to sell you, you could have stopped Aurora. But probably not, because most companies have at least one unsuspecting employee who would have clicked on the wrong thing from the wrong place, and given the attacker a foothold on your network. And remember what persistent means. These folks are targeting you, so they’ll find a way in, regardless of how many cents per share you contribute to the bottom line of your favorite security vendor. So sorry, Mr. Retro Buffoonery Tuesday Morning Quarterback Always Completing the Pass Because It’s Easy to See in the Rear View Mirror, I don’t buy it. There are too many other things that go wrong to believe a wacky marketing claim that any set of products would stop a determined, well-funded attacker specifically targeting your organization. But you’ll see plenty of this bravado at the RSA Conference next week. And hopefully you’ll do as I do, and just laugh. Share:

Share:
Read Post

RSAC 2010 Guide: Security Management

To end a fine day, let’s continue through the Securosis Guide to the RSA Conference 2010 and discuss something that has been plaguing most of us since we started in this business: security management. Security Management For the past 20 years, we’ve been buying technologies to implement security controls. Yet management of all this security tends to be considered only when things are horribly broken – and they are. What We Expect to See There are four areas of interest at the show relative to security management: Log Religion: Driven by our friends at the PCI Security Standards Council, the entire industry has gotten the need to aggregate log data and do some level of analysis. Thank you, Requirement 10! So at the show this year, we’ll find a log management infestation, with a new vendor poking out of every nook and cranny to espouse a new architecture, disruptive pricing, or some other eye candy. And yes, you do need to collect logs, so focus your efforts at the show on figuring out what is the best fit for your organization. Are you just collecting logs, or do you need to correlate and alert? What are your volume and scalability requirements? What kind of reporting do you need? What about integration with the rest of your infrastructure? The point here is not to make a decision but to establish a short list of 3-4 vendors to dig deeper into after the show. Platform Mentality: Since security management is supposed to make your life easier, you don’t need to be a genius to realize that having a management console for every device type in your network doesn’t make a lot of sense. So you’ll hear a lot about SIEM + Log Management + Configuration/Patch + Vulnerability + Network Flow = Nirvana. To be clear, management leverage is good. Getting it by adding even more complexity to your environment: not so much. So to the degree that you are ready to start integrating management disciplines, focus your discussions on migration. How do you get to the promised land? Which hopefully doesn’t involve a truckload of high-priced consultants to do the ‘customization’. Risk Mumbo Jumbo: Risk is likely to be a hot topic at RSA as well. The more mature security programs have figured out that ‘security’ means nothing to senior management, but C-level folks get ‘risk’. Unfortunately, there are no accepted mechanisms to define or quantify risk. So when a vendor starts talking about “risk scores” you should focus on the amount of effort to get a risk model set up and what’s required to keep it up to date. You can’t go down to Best Buy and get Risk Management in a box, so the question is how much effort you are willing to put in to show a graph – which may or may not reflect reality – to the CFO. Operational Efficiency: Finally, you’ll likely hear a lot about improving the operations of your environment. That was a major theme last year in the depths of the recession, but the issue hasn’t gone away. This plays into the themes around integration and platforms, but ultimately there will be a number of niche tools (like firewall policy managers) designed to make your operational teams more efficient, saving money. Depending on the size and/or maturity of your security program, some of these tools may yield value. But adding yet another widget isn’t a good thing unless you can redeploy resources onto other functions by taking advantage of automation. For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, Content Security, and Virtualization/Cloud Security. Share:

Share:
Read Post

Friday Summary: February 26, 2010

Next week is the RSA conference. You might have noticed from some of our recent blog entries. And I am really looking forward to it. It’s one of my favorite events, but I am especially anxious for good food. Yes, I want to see a bunch of friends, and yes, I have a lot of vendors I am anxious to catch up with to chat ‘bout some of their products. But honestly, all that takes a back seat to food. I like living in Arizona, but the food here sucks. Going to San Francisco, even the small hole-in-the-wall lunch places are excellent. In Phoenix, if you want a decent steak or good Mexican food, you’re covered. If you want Thai, Greek, Japanese or quality Chinese (and by that I mean a restaurant with less than two health code violations), you are out of luck. San Francisco? Every other block you find great places. And Italian. Really good Italian. sigh … What was I talking about? Oh yeah, food! Have you ever noticed that most security guys are into martial arts and food? Seriously. It’s true. Ask the people you know and you may be surprised at the pervasiveness of this phenomena. Combined with the fact that there are a lot of ‘foodies’ in the crowd of people I want to see, I am going look like I want to hang out, but still find quality pad thai. And I know there are going to be a dozen or so people I want to see who have the same priorities, so they won’t be offended by my ulterior motives. I plan to sneak off a couple of days and get a good lunch, and at least one evening for a good dinner, schedule be dammed! Maybe some of the noodle houses on the way up to Union Square or the hole-in-the-wall at the Embarcadero center that has surprisingly good sushi. Then swing by Peet’s on the way back for coffee that could fuel a nuclear reactor. Anyway, it’s a short Friday summary this week because I’ve got to pack and get my presentations ready. Hope to see you all there, and please shoot me an email if you are in town and want to catch up! Just say Venti-double-shot-iced-with-cream-n-splenda-shaken, and I’m there. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich interviewed by MacVoicesTV at Macworld on Security Threats and Hype. Adrian’s Webinar with Qualys on Database Vulnerability Assessment (reg req). Team Securosis’ RSA 2010 Conference Preview. Same video on blip.tv. Adrian quoted by Sentrigio. Rich and Adrian on Deep Content Analysis Techniques (video). Adrian’s Dark Reading posts on The Cost of Database Security. Adrian’s Webinar with Netezza on Understanding and Selecting a Database Activity Monitoring Solution (reg req). Favorite Securosis Posts Rich: Answering Dan Geer: It’s Time to Reexamine Priorities and Revisit Paradigms. One of the reasons Adrian and I started working together is that back when I was at Gartner and he was at IPLocks, we found ourselves kindred spirits on data security long before it was chic. Geer hits it out of the park with his call for focus on the data, but Adrian does a better job of providing context and priorities for focus. Check out our Data Security Research Library if you want to read more on information-centric/data security. David Mortman: Answering Dan Geer: It’s Time to Reexamine Priorities and Revisit Paradigms. Mike Rothman: Adrian’s “Answering Dan Geer” No one argues the importance of information protection, but the devil is in the details. Adrian: Rich’s Firestarter IT-GRC: The Paris Hilton of Unicorns. Rich beat me to the punch on this one! Other Securosis Posts RSAC 2010 Guide: Security Management Retro Buffoonery RSAC 2010 Guide: Virtualization and Cloud Security RSAC 2010 Guide: Content Security Webcast on Thursday: Pragmatic Database Compliance and Security RSAC 2010 Guide: Endpoint Security Incite 2/23/10: Flexibility RSAC 2010 Guide: Application Security RSAC 2010 Guide: Data Security RSVP for the Securosis and Threatpost Disaster Recovery Breakfast RSAC 2010 Guide: Network Security Introducing SecurosisTV: RSAC Preview RSAC 2010 Guide: Top Three Themes Upcoming Webinar: Database Activity Monitoring Favorite Outside Posts Rich: Uncommon Sense Makes Executives into Common Criminals. Great example of the social/government conflicts generated as new technology exceeds the personal frame of reference of those creating and enforcing laws. David Mortman: Identifying Opportunities for Improvement in Security Architecture. Mike Rothman: What if Bill Gates Never Wrote the Trusted Computing Memo? Normally I don’t waste time playing “what if?” games, but Dennis makes this one fun. Pepper: The Spy at Harriton High. So a school was spying on students… and making webcasts about it… and lying to the kids & families about it… and threatening students who futzed with the laptops. CRAP! Adrian: A nice overview post on Web Security Trust Models on the Freedom to Tinker blog. Project Quant Posts Project Quant: Database Security – Configuration Management Project Quant: Database Security – Masking Project Quant: Database Security – WAF Project Quant: Database Security – Encryption Project Quant – Project Comments Project Quant: Database Security – Protect through Monitoring Project Quant: Database Security – Audit Research Reports and Presentations Report: Database Assessment Top News and Posts Conflict of Interest: When Auditors Become Consultants. I keep hearing more and more about this, and from my perspective there is a lot left unspoken about Trustwave’s business models that will come under increasing scrutiny this year. Rsnake on Banks and the UUC. Google Execs Convicted in Italy. Microsoft Takedown of Waledec Botnet. Symantec State of Security Report. Glad the New School guys saw this as I would have missed it. It’s an interesting executive overview. Hacker Arrested in Billboard Porn Stunt. See? Those Russian hackers don’t just steal our credit card numbers – too bad the article doesn’t have pictures… Widespread Data Breaches Uncovered by FTC Probe. Watch that P2P file sharing folks! Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps ‘Sophisticated’ Hack Hit Intel in January Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Alan Shimel, in response to RSAC 2010 Guide: Network Security. And in case you think

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.