Securosis

Research

Sucking less is not a brand position

I guess if you have been around long enough, you have seen everything over and over again. I felt my age today when I saw yet another (lame) attempt to Move Security from a Cost Center to a Brand Differentiator. How many times have we security folks wished for the day we could get project funding because it helped the business either to make more money or to spend less money? Gosh, that would make life a lot easier. The holy grail has always been to position security as an enabling technology. Unfortunately it just isn’t. The only thing security enables is…uh…nothing. It gets back to assurances, and we security folks can’t make assurances either way. If you spend $X on $widget, maybe it will stop an attack. Maybe it won’t. If you don’t have $widget maybe you won’t even be attacked, so you might as well light a bag of money on fire. It’s like building a house on quicksand. To be fair, in some cases security is table stakes. For example you expect your private data to be protected. In a many cases you will be disappointed, but we don’t really see organizations positioning security as a differentiator. They make those pronouncements to allay our fears and eliminate an obstacle to purchase – not as a buying catalyst. But the most offensive part of the article comes later, in a section that at first seemed kind of logical. But this quote from some guy named Alan Wlasuk almost made me fall out of my chair: “But any company can shine in an industry environment where the majority of their competitors have suffered from confidence destroying security attacks.” Shine? Really? Your suggestion is that companies tells customers to do business with them because they suck less?? That’s how I read Alan’s statement. I’ll admit I clearly didn’t learn too much as a VP Marketing, but I do know it’s a bad idea to position and build campaigns around attributes with little to no longevity. So we should build our brands on being more secure? Unbreakable much? Thanks to our pals at LiquidMatrix for that little chuckle this morning. I thump vendors regularly for trying to run campaigns based on competitor breaches. Like when a token vendor (okay – all of them) tried to capitalize on the RSA token breach by positioning their tokens as more secure, whatever that means. Kicking the competition when they are down comes back to haunt you – we all live in glass housees. Sure enough, some of those very vendors had high profile issues with their own certificate authorities. Karma is a bitch, isn’t it? Take it from someone who has tried to position security as anything but a cost center for close to a decade. It doesn’t work. Your best bet is to realistically show the risk of not doing something, and let business people make their business decisions. And if your marketing folks tell you about this brand spanking new campaign to be launched based on a breach at your competitor, give them my number. I have a clue bat for them. Photo credit: “VISI Black Hat” originally uploaded by delta407 Share:

Share:
Read Post

Managed Services in a Security Management 2.0 World

As we posted the Security Management 2.0 series, we focused heavily on replacing an on-premise option with another on-premise option. We paid a bit of lip service to the managed SIEM/Log Management option, but not enough – the reality is that, under the proper, circumstances a managed service presents an interesting alternative to racking and stacking another set of appliances. So consider this a primer for managed services in the context of our Security Management 2.0 discussion. We will go through the drivers, use cases, and deployment architectures for those considering managed services. And we will provide cautions for areas where a service offering might not meet your expectations. Drivers for Managed Services We have no illusions about the amount of effort required to get a security management platform up and running, or what it takes to keep one current and useful. Many organizations have neither the time nor the resources to implement technology to help automate some of these key functions. So they are trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats without diving deep into raw log files. A suboptimal situation for sure, and one that usually triggers discussions of managed services in the first place. Let’s be a bit more specific about situations where it’s worth a look at managed services. Lack of internal expertise: Even having people to throw at security management may not be enough. They need to be the right people – with expertise in confirming exposures, closing simple issues, and when to pull the alarm and escalate to the investigations team. Reviewing events, setting up policies, and managing the system, all take skills that come with training and time with the product. Clearly this is not a skill set you can just pick up anywhere – finding and keeping talented people is hard – so if you don’t have sufficient sophistication internally, that’s a good reason to check out a service alternative. Scalability of existing platform: You may have a decent platform, but perhaps it can’t scale to what you need for real-time analysis. As we discussed in the Platform Evaluation post, this is common for those deploying first generation database-based SIEM products, who then face a significant and costly upgrade to scale the system. This can also happen to acquisitive organizations, who bring on significant assets and need to integrate management capabilities quickly to get sufficient leverage. With a managed service offering scale is not an issue – any sizable provider is handling billions of events per day. Risk Transference: You have been burned before – that’s why you are looking at alternatives, right? You’re not sure what solution to select for the long haul. Why risk the investment when you can drop that monkey on someone else’s back? This allows you to focus on the functionality you need instead of vendor hyperbole and sniping. Ultimately you only need to be concerned with the application and the user experience, and all that other stuff is the provider’s problem. So selecting a provider becomes effectively an insurance policy to minimize your investment risk. Similarly, if you are worried about your ops team’s ability to keep a broad security management platform up and running, you can transfer operational risk to a safer outside team. Once again, that operational risk goes to the provider, who assumes responsibility for uptime and performance. Geographically dispersed small sites: Managed services also interest organizations which need to support many small locations. Think retail or other distribution-centric organizations, where the central site may have sufficient expertise but there is very little capability at the remote sites. That might work well – particularly if event traffic can be centrally aggregated. But if not, this presents a good opportunity for a service provider who can monitor the remote sites. Round the clock monitoring: Some organizations need to move from a 8-hour/5-day monitoring schedule to a round-the-clock approach. Whether this is driven by a breach, a new regulatory requirement, or some kind of religious awakening in the executive suite, staffing a security operations center (SOC) 24/7 is a huge undertaking. But a service provider can leverage that 24/7 staffing investment across many customers, and might be in a much better position to deliver round-the-clock services. Of course you can’t outsource thinking or accountability, so ultimately the buck stops with the internal team, but under the right circumstances managed services can address skills and capabilities gaps. So let’s dig into a few of the use cases that provide a good fit for managed SIEM or Log Management. Favorable Use Cases Many providers offer a managed SIEM/Log Management platform as the equal of an in-house solution, and that may be the case. Or it might not – depending on the sophistication of the implementation, as well as the capabilities of the provider’s technology and internal processes. Under the right circumstances you can get a managed SIEM offering to do (almost) everything you could with an in-house option, but in reality we very rarely see that. More often we see the following use cases when considering a service alternative: Device Monitoring: You have a ton of network and security devices and you don’t have the resources to properly monitor them. That’s a key situation where managed security management can help. These services are generally architected to aggregate data on your site and ship it to the service provider for analysis and alerting. The provider should have a correlation system to identify issues, and a bunch of analysts who can verify issues quickly and then give you a heads-up. Compliance Reporting: Another no-brainer for a services alternative is basic log aggregation and reporting – typically driven by a compliance requirement. This isn’t a very complicated use case, and it fits well with service offerings. It also gets you out of the business of managing storage and updating reports when a requirement changes. The provider should take care of all that for you.

Share:
Read Post

Incite 11/9/11: Childlike Wonder

Heading down into Atlanta last week for the BSides ATL conference, I got into my car and the magic began. I whipped out my magic box and pulled up the address on the Maps app, just to make sure I remembered where it is. Then I fired up Pandora, which dutifully streamed rocking music to my Bluetooth-equipped car stereo. I checked out the NaviGAtor mobile site for real-time traffic data; then I was set and on my way. Wait. What? Think about this for a second. None of what I just described was even possible 4 years ago. I normally just take all this rapid technology evolution for granted, but that day I reflected a bit on how surreal that entire trip was. The idea of having a personalized radio station streaming from the Internet and playing through my car stereo? Ha! Having a fairly accurate map and an idea of traffic before I stumbled into bumper to bumper mayhem? Maybe in a science fiction movie, or something. But no, this stuff happens every day on a variety of smartphones, enabled by fairly ubiquitous wireless Internet connectivity. As another example, Rich just texted me on Monday to let me know he deposited my monthly commission check to our bank from his device, while taking a potty break during a strategy day. Yeah, that’s probably TMI. My bad. Our recently departed leader talked about the sense of “childlike wonder” you get when discovering these applications that enable totally different ways of communicating and living. And it’s true. As I drove down the highway, jamming to my music, with no traffic because I routed around the congestion, I could only marvel at how things have changed. It’s a far cry from my first bag phone. Or that ancient StarTac, which was state of the art, what, five years ago? How can you not be excited by the future? We have only just scratched the surface on how these little computers will change the way we do things. Bandwidth will get broader. Devices will get smarter. Apps will get more capable. And we’ll all benefit. Maybe. It takes a lot of self-control to just enjoy the music while I’m driving. The inclination is to multi-task, at all times. You know, checking Twitter, texting, and catching up on email, in a metal projectile traveling about 70mph, surrounded by other metal projectiles traveling just as fast. That can’t end well. As with everything, there is a downside to this connectivity. It’s hard to just shut down the distractions and think, or to focus enough to stay on the road. It seems the only place I can get some peace is on a plane, and even there I can get WiFi (though I tend not to connect on most flights). The good news is that nothing I do is really that urgent. My Twitter can wait 15 minutes until I stop moving. But it doesn’t mean I don’t have to make a conscious effort to stay focused on the road. I do, and you probably do as well. I guess what is most amazing to me is that my kids have no idea that there was a time when all this stuff didn’t exist. The idea of not being able to text whenever they wanted? Madness. A world without Words with Friends? A time when they could only listen to 10 CDs because that’s all they could carry in their travel bag? They can hardly remember what a CD is. Nor should they. It’s not like when I was a kid I had any concept of a world where we hung out by the radio to get news, sports, entertainment – basically everything. But that’s how my folks grew up. I wonder if someday SkyNet will look back and wonder what things were like before it was self-aware? Oy, that’s a slippery slope. -Mike Photo credits: “Childlike Wonder” originally uploaded by SashaW Incite 4 U Peeking into Dan’s brain: There are a select few folks who really make me think. Like every time I talk to them (which isn’t enough), I have to bring my A game, just to hold a conversation. Dan Geer is one of those folks. So when the Threatpost folks asked Dan about the research agenda in security, he didn’t disappoint. He starts by proposing that we’d need a lot less research if we put into practice what we already know, and that we should research why we don’t do that. Yeah, Dan makes recursive thinking cool. Then there are other nuggets about building systems too complex to effectively manage, the strategic importance of traffic analysis, and the security implications of IPv6. He may not have all those research-grade answers yet, but Dan certainly knows the questions to ask. – MR Johnny doesn’t care: Carnegie Mellon released a research paper called Why Johnny Can’t Opt Out, an examination of tools to thwart online behavioral monitoring, and how users use them. I recommend downloading the paper and taking a quick look at the study – it contains some interesting stuff, but I am a bit disappointed by several aspects. First, the executive summary makes it sound like the tools they surveyed are ineffective, when that’s clearly not the case. They found users were confused by the UIs of the respective products and failed to configure the products correctly. OK, that’s reasonable – most utilities leave a bit to be desired from a user experience standpoint. But not all offerings are like that; for example Ghostery’s setup wizard is dead simple to use, but the data is the data. The other thing that bothered me was not testing NoScript (a fantastic tool!) as another privacy tactic. The final annoyance was their assumption that users do not want privacy tools to hinder usability! WTF? They do understand behavioral advertising is woven into the web’s fabric, right? That “no hindrance” requirement eliminates NoScript, and stymies any effective product, because there’s no way to eliminate certain risks

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.