Securosis

Menu

Research

Friday Summary: July 29, 2011

Adrian Lane July 29, 2011 No Comments

It’s that time of year again. It’s time for me and most of the Securosis crew to travel to cooler climes and enjoy the refreshing breeze of the Nevada desert. Well, it’s cooler than Phoenix, anyway. Yes, I am talking about going to the Black Hat and Def Con security conferences in Las Vegas this August 1-7th. Every year I see something amazing – from shipping iPhones loaded with malware to hack whatever passes by to wicked database attacks. Always educational and usually a bit of fun too. It is Las Vegas after all! We’ll be participating in a couple talks this year at Black Hat. James Arlen is presenting on Security when Nano-seconds count. I have heard the backstory and seen the preview, so I can tell you the presentation is much more interesting than the published outline. What I knew about these networks only scratched the surface of what is going on, so I think you will be surprised by Jamie’s perspective on this topic. I have spoken to many vendors over the last couple months, claiming they can secure these networks – to which I respond “Not!” You’ll understand why Thursday, August 4th, at 1:45 in the Augustus V + VI room(s). Highly recommend. I will be on the “Securing Applications at Scale” panel with Jeremiah Grossman, Brad Arkin, Alex Hutton, and John Johnson. We have been talking about the sheer scale of the insecure application problem for a number of years, but things are getting worse, not better. Many verticals (looking at you, retail) are just beginning to understand how big the problem is and looking at what appears to be the insurmountable task of fixing their insecure code. We’ll be talking about the threats and our panelists’ recommendations for dealing with insecure code at scale. The session is Thursday, August 4th, at 10:00am in Augustus V + VI – just after the keynote. Come and check it out and bring your questions! I plan to attend Bryan Sullivan’s talk on Server-side JavaScript Injection, Dino Dai Zovi’s Apple iOS Security Evaluation, and David Litchfield’s Forensicating Oracle. That means I will miss a few other highlights, but you have to make sacrifices somewhere. The rest of Wednesday and Thursday I’ll be running around trying to catch up with friends, so ping me if you want to meet up. Oh, and if you are new to these conferences, CGI Security has a good pre-conference check list for how to keep your computers and phones from being hacked. There will be real hackers wandering around and they will hack your stuff! My phone got hit two years ago. Just about everything with electricity has been hit at one time or another – including the advertising kiosks in the halls and elevators. Take this stuff seriously. And if you must use wireless, I recommend you look at setting up Tunnelblick before you go. Oh, I almost forgot Buzzword Bingo! See you there! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences James Arlen’s presentation covered in eWeek. Adrian quoted on tokenization. Rich’s Palisades DLP Webinar. The business-security disconnect that won’t die. Mike pontificates on understanding the business at Network World. Favorite Securosis Posts Adrian Lane: The Scarlet (Security) Letter. Mike Rothman: How can you not understand the business? Yes, it’s lame to favorite your own piece, but I think this one is important. It’s about knowing how to get things done in your business, which means you have to understand your business. James Arlen: Donate Your Bone Marrow. You could save a life. Do it now. Other Securosis Posts Accept Apathy – Save Users from Themselves and You from Yourself. Incite 7/27/11: Negotiating in front of the crowd. Question for Oracle Database Users. FireStarter: The Time for Corporate Password Managers. Hacking Spikes and the Real Time Media. Friday Summary: July 22, 2011. Rise of the Security Monkeys. Favorite Outside Posts Adrian Lane: Big Data…Where Data Analytics and Security Collide. Chris does a nice job of explaining the issue – this is what some security vendors are scrambling to deal with behind the scenes. Especially with federated data sources. Mike Rothman: Risk Analysis is a Voyage. Jay Jacobs sums up a lot of what I’ve been saying for a long time. No model is perfect. Most are bad. But at some point you have to start somewhere. So do that. Just get started. Adapt and improve as you learn. James Arlen: Automated stock trading poses fraud risk Project Quant Posts DB Quant: Index. NSO Quant: Index of Posts. NSO Quant: Health Metrics–Device Health. NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics–Deploy and Audit/Validate. NSO Quant: Manage Metrics–Process Change Request and Test/Approve. Research Reports and Presentations Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Top News and Posts Feds Bust MIT Student. In the current climate the Feds are so desperate to get any success against hackers they sometimes go too far. They want 35 years in prison for a crime that demands 5 hours of community service. What a waste of time. Windows Malware Tricks Victims into Transferring Bank Funds. Cisco’s “unmitigated gall”. Police arrest ‘Topiary’. Sniffer hijacks secure traffic from unpatched iPhones. Korean Mega-hack. Earnings call transcript: Symantec. Earnings call transcript: Citrix Systems. Earnings call transcript: Fortinet. Apple Laptop Batteries Can Be Bricked. House panel approves data breach notification bill. Anti-Sec is not a cause, it’s an excuse. Azeri Banks Corner Fake AV, Pharma Market via Krebs. SIEM Montage. Gotta be a Montage! Anonymous Declares War on .mil. Apple Patches iOS PDF Exploit. Microsoft Patches Bluetooth Hole in July’s Patch Tuesday. Intego Releases iPhone Malware Scanner. Jury’s still out. Blog Comment of the Week Remember, for every

Share:
Read Post

New Blog Series: Fact-Based Network Security: Metrics and the Pursuit of Prioritization

Mike Rothman July 29, 2011 1 Comment

As you can tell from our activity on the blog, we’ve been in the (relatively) slower summer season. Well, that’s over. Today we start one blog series, and another is hot on its heels (probably starting within 2 weeks). With our research pipeline, I suspect all three of us will be pretty busy through the fall. I’m pretty excited about the new series, which has the working title: Fact-based Network Security: Metrics and the Pursuit of Prioritization because it’s the next step in fleshing out many of our thoughts on network security. Over the past 18 months we have talked about the evolution of the enterprise firewall, quantifying the network security operations process, and benchmarking your efforts. These are key aspects of an increasingly mature network security program. Why is this important? Our current challenges of trying to protect our environments are no secret. The attackers only have to get it right once, and some of them are doing it more for Lulz than financial gain. We are also dealing with state-sponsored adversaries, which means they have virtually unlimited resources and you don’t. So you need to choose your activities wisely and optimize every bit of your resources, just to stay in the same place. Unfortunately we haven’t been choosing wisely. You see, most folks treat network security as a game of Whack-a-Mole. Each time a mole pops above the surface, you try to it smack down. Usually that mole squeals loudest, regardless of its actual importance. But we all know we’re spending a chunk of our time trying to satisfy certain people, hoping we can get them to stop calling – and that unfortunately that’s much more about annoyance and persistence than the actual importance of their demands. Responding to the internal squeaky wheels clearly isn’t working. Neither is the crystal ball, hocus pocus, or any other unscientific method. Clearly there must be a beter way. Let’s imagine a day when you could look at your list, and know which activities and tasks would cause the greatest risk reduction. How much would your blood pressure drop if you could tell the squeaky wheel that his top priority project was just not that much of a priority? And have the data to back it up? That’s what Fact-based Security is all about. Lots of folks have metrics, but are they chosen and collected with an eye toward specific outcomes that matter to your business? Gather metrics that guide and substantiate the decisions you need to make every day. Which change on which device is most important? Which attack path presents the biggest risk, and what’s required to fix it? The data for this analysis exists, but most organizations don’t use it. In this series we will investigate these issues and propose a philosophy to guide data-driven decisions. Of course, we aren’t talking about using SkyNet to determine what your security droids do on a daily basis. But your activities need to be weighed in terms of outcomes relevant to the business, which requires first understanding the risks you face – and more importantly assessing the relative values of what you need to protect. Then we’ll talk about what these reasonable outcomes should be and the operational metrics to get there. Only once we have a handle on those issues can we talk about an operational process to underlie everything done with these metrics. With outcomes as a backdrop, using that data to make decisions can have a huge impact on both the effectiveness and efficiency of any security organization. We all know that having and using metrics are totally different. Then we’ll dig into the compliance benefits of fact-based security, but suffice it to say that assessors love to see data – especially data relevant to good security outcomes. We’ll wrap the series by walking through a scenario where we actually apply these practices to a simple environment. That should give you the ammo you need to get started and to make a difference in your operational program(s). So strap in and get ready to roll. Let me remind everyone that our research process depends on critical feedback from you, our readers. If we are off-base, let us know in the comments. Between the last blog post and packaging up the research as a paper, we evolve the paper based on your comments. We really do. I’ll also mention that the rest of this series will show up in our Heavy Feed and on the email list, so make sure you subscribe if you want to see how the research sausage is made. Before we dive in, we should thank the sponsor of this research, RedSeal Systems. We are building the paper through our Totally Transparent Research process, so it’s all objective research, but don’t forget it’s through the generosity of our sponsors that you get to leverage our research for a pretty OK price. Share:

Share:
Read Post
dinosaur-sidebar

Research

view all

Sign Up for Our Newsletter

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.