Research

We’re happy to post the next SecurosisTV episode, in which yours truly goes through the Low Hanging Fruit of Endpoint Security. This is a pretty high-level view of the 7 different tactics (discussed in much more detail in the post), intended to give you a quick (6 minute) perspective on how to improve endpoint security posture with minimal effort. Direct Link: http://blip.tv/file/3281010 See it on YouTube: http://www.youtube.com/watch?v=jUIwjc5jwN8 Yes, we know embedding a video is not NoScript friendly, so for each video we will also include a direct link to the page on blip.tv and on YouTube. We just figure most of you are as lazy as we are, and will appreciate not having to leave our site. We’re also learning a lot about video production with each episode we do. Any comments you have on the video would be much appreciated. Whether it’s valuable, what we can do to improve the quality (besides getting new talent), and any other feedback you may have. Share:

As I’ve been digesting all I saw and heard last week at the RSA show, the major topic of wireless security re-emerged with a vengeance. To be honest, wireless security had kind of fallen off my radar for a while. Between most of the independent folks being acquired (both on the wireless security and wireless infrastructure sides) and lots of other shiny objects, there just wasn’t that much to worry about. We all know retailers remained worried (thanks, Uncle TJX!) and we saw lots of folks looking to segregate guest access from their branch networks when offering wireless to customers or guests. But WEP was dead and buried (right?) and WPA2 seemed reasonably stable. What was left to worry about? As with everything else, at some point folks realized that managing all these overlay networks and maintaining security is a pain in the butt. So the vendors inevitably get around to collapsing the networks and providing better management – which is what we saw at RSA. Secure Wireless Cisco puffed its chest out a bit and announced its Security Without Borders strategy, which sounds like someone over there overdosed on some Jack Welch books (remember borderlessness?). Basically they are finally integrating their disparate security devices, pushing the IronPort and ASA boxes to talk to each other, and adding some stuff to the TrustSec architecture. In concept, being able to enable business users to access information from any device and any location with a high degree of ease and security sounds great. But the devil is in the details, which makes this feels a lot like the “self-defending network.” Great idea, not so hot on delivery. So if you have Cisco everywhere and can be patient, the pieces are there. But if you work in a heterogeneous world or have problems today, then this is more slideware from Cisco. Wireless Security On the other side of the coin, you have the UTM vendors expanding from their adjacent markets. Both Fortinet and Astaro made similar announcements about entering the wireless infrastructure market. Given existing strength in the retail market, it makes sense for UTM vendors to introduce thin access points, moving management intelligence to (you guessed it) their UTM gateways. Introducing and managing wireless security policy from an enterprise perspective is a no-brainer (rogue access points die die die), though there isn’t much new here. The wireless infrastructure folks have been doing this for a while (at a cost, of course). The real barrier to success here isn’t technology, it’s politics. Most network folks like to buy gear from network companies, so will it be the network team or the security team defining the next wave of wireless infrastructure roll-out? Who Wins? My bet is on the network team, which means “secure wireless” will prevail eventually. I suspect everyone understands security must be a fundamental part of networks, data centers, endpoints, and applications, but that’s not going to happen any time soon. Rugged or not. This provides an opening for companies like Fortinet and Astaro. But to be clear, they have to understand they are selling to different customers, where they have very little history or credibility. And since the security market still consists mostly of lemmings, I suspect you’ll see a bunch more wireless security activity over the next few months as competitors look to catch up with Cisco’s slideware. Share:

To stir the pot a bit before the RSA Conference, I did a FireStarter wondering out loud if social media would ever replace big industry conferences. Between the comments and my experiences last week, I’d say no. Though I can say social media provides the opportunity to make business acquaintances into friends and let loudmouths like Rich, Adrian and myself make a living having on an opinion (often 3 or 4 between us). So I figured this week, I’d do a Top 10 list of things I can’t do on Twitter, which will keep me going to the RSA Conference as long as they keep letting me in. This is your life – Where else can I see 3 CEOs who fired me in one room (the AGC conference)? Thankfully I left my ice pick in the hotel room that morning. Everybody knows your name – Walk into the W Hotel after 9pm, and if you’ve been in the business more than a week, odds are you’ll see plenty of people you know. Trend spotting – As we expected, there was lots of APT puffery at the show, but I also saw lots of activity on wireless security – that was mildly surprising. And group conversations provided additional unexpected perspectives. Can’t do that on Twitter. Evasive maneuvers – To save some coin, I don’t stay in the fancy hotels. But that means you have to run the panhandler gauntlet between the parties and the hotel. I was a bit out of practice, but escaped largely unscathed. Rennaissance security folks – It seems lots of security folks are pretty adept at some useful skills. Like procuring entire bottles of top shelf liquor at parties. Yes, very useful indeed. Seeing the sights – I know Shimmy doesn’t like booth babes, but that’s his problem. I thought I took a wrong turn when I got to the Barracuda party and ended up at the Gold Club, though I was happy I had a stack of $1s in my pocket. Making new friends – The fine folks at SafeNet held a book signing for The Pragmatic CSO at the show. I got to meet lots of folks and they even got to take home copies. Can’t do that on Twitter either. Splinter conferences – Given the centralization of people that go to RSA, a lot of alternative gatherings happen during RSA week. Whether it’s BSides, Cloud Security Alliance, Metricon, AGC, or others, most folks have alternatives to RSA Conference panel staples. Recovery Breakfast – Once again, we held our Disaster Recovery Breakfast and it was the place to be on Thursday morning. A who’s who of security royalty passed through to enjoy the coffee, bloody mary’s, and hot tasty breakfast. Thanks to Threatpost for co-sponsoring with us. Elfin underwear – Where else can your business partner pull down his pants in front of 500 people and not get put in the slammer? That’s right, RSA. Check it out – it was really funny. So in a nutshell, from an educational standpoint I’m not sure spending a week at the RSA Conference makes sense for most practitioners. But from a networking and fun perspective, it remains the best week of the year. And thankfully I have 12 months to dry out and rest my liver for next year’s show. – Mike Photo credit: “Frank Chu Bsides SF” originally uploaded by my pal St0rmz Incite 4 U Ah, digging out from under the RSA mayhem is always fun. There was lots to see, many meaningless announcements, and plenty of shiny objects. Here is a little smattering of stuff that happened at the show, as well as a few goodies not there. AP(ressure)T Explained – As Rich pointed out, APT was in full swing last week at RSA and Richard Bejtlich has been calling out folks with extreme malice for this kind of behavior – which we all think is awesome. But to really understand the idiocy, you need to relate it to something you can understand. Which is why I absolutely loved Richard’s analogy of how martial arts folks dealt with a new technique based on pressure points. Read this a post a few times and it will click. Folks either jump on the bandwagon or say the bandwagon is stupid. Not many realize something new and novel is happening and act accordingly. – MR Patch Tuesday, Exploit Monday – You have to feel for the guys in the Microsoft security center. They line up their latest patch set, and some bad guys blow it by attacking unpatched vulnerabilities before Microsoft can include them in the latest release. I’m a big fan of the Patch Tuesday cycle, but that means anything released on “Exploit Wednesday” or even close to Patch Tuesday potentially has a month to run before Microsoft can fix it. MS is pretty good at releasing out of band patches if something is being widely exploited, and they’re the ones providing the warning, but it makes me long for the days when an 0day was so rare as to be nearly mythical. This latest attack hits IE 6 and 7 on various platforms, and you can mitigate with a content filtering gateway or an alternative browser, or by following some suggestions in the linked article (setting IE security zone settings to High). – RM Creating the Insecurity Index – If we know that your A/V and anti-malware only catch 20% of malicious code, or your firewall only blocks 20%, and your WAF only blocks 60% of application flaws, and so on, can we create some meaningful metrics on application security FAIL? Kind of a Mean Time Between Failure analysis for IT? I got to thinking about this when talking to Kelly Jackson Higgins at RSA about her post on Dark Reading regarding application testing, which found that 60% of applications they tested remained vulnerable. To me this is not a surprise at all, given that most adopt a security model to surround applications with add-on services and appliances to protect the application from the nasty attackers and viruses rather than fix the code itself. For most large organizations the amount of work necessary to fix