Research

I guess if you have been around long enough, you have seen everything over and over again. I felt my age today when I saw yet another (lame) attempt to Move Security from a Cost Center to a Brand Differentiator. How many times have we security folks wished for the day we could get project funding because it helped the business either to make more money or to spend less money? Gosh, that would make life a lot easier. The holy grail has always been to position security as an enabling technology. Unfortunately it just isn’t. The only thing security enables is…uh…nothing. It gets back to assurances, and we security folks can’t make assurances either way. If you spend $X on $widget, maybe it will stop an attack. Maybe it won’t. If you don’t have $widget maybe you won’t even be attacked, so you might as well light a bag of money on fire. It’s like building a house on quicksand. To be fair, in some cases security is table stakes. For example you expect your private data to be protected. In a many cases you will be disappointed, but we don’t really see organizations positioning security as a differentiator. They make those pronouncements to allay our fears and eliminate an obstacle to purchase – not as a buying catalyst. But the most offensive part of the article comes later, in a section that at first seemed kind of logical. But this quote from some guy named Alan Wlasuk almost made me fall out of my chair: “But any company can shine in an industry environment where the majority of their competitors have suffered from confidence destroying security attacks.” Shine? Really? Your suggestion is that companies tells customers to do business with them because they suck less?? That’s how I read Alan’s statement. I’ll admit I clearly didn’t learn too much as a VP Marketing, but I do know it’s a bad idea to position and build campaigns around attributes with little to no longevity. So we should build our brands on being more secure? Unbreakable much? Thanks to our pals at LiquidMatrix for that little chuckle this morning. I thump vendors regularly for trying to run campaigns based on competitor breaches. Like when a token vendor (okay – all of them) tried to capitalize on the RSA token breach by positioning their tokens as more secure, whatever that means. Kicking the competition when they are down comes back to haunt you – we all live in glass housees. Sure enough, some of those very vendors had high profile issues with their own certificate authorities. Karma is a bitch, isn’t it? Take it from someone who has tried to position security as anything but a cost center for close to a decade. It doesn’t work. Your best bet is to realistically show the risk of not doing something, and let business people make their business decisions. And if your marketing folks tell you about this brand spanking new campaign to be launched based on a breach at your competitor, give them my number. I have a clue bat for them. Photo credit: “VISI Black Hat” originally uploaded by delta407 Share:

As we posted the Security Management 2.0 series, we focused heavily on replacing an on-premise option with another on-premise option. We paid a bit of lip service to the managed SIEM/Log Management option, but not enough – the reality is that, under the proper, circumstances a managed service presents an interesting alternative to racking and stacking another set of appliances. So consider this a primer for managed services in the context of our Security Management 2.0 discussion. We will go through the drivers, use cases, and deployment architectures for those considering managed services. And we will provide cautions for areas where a service offering might not meet your expectations. Drivers for Managed Services We have no illusions about the amount of effort required to get a security management platform up and running, or what it takes to keep one current and useful. Many organizations have neither the time nor the resources to implement technology to help automate some of these key functions. So they are trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats without diving deep into raw log files. A suboptimal situation for sure, and one that usually triggers discussions of managed services in the first place. Let’s be a bit more specific about situations where it’s worth a look at managed services. Lack of internal expertise: Even having people to throw at security management may not be enough. They need to be the right people – with expertise in confirming exposures, closing simple issues, and when to pull the alarm and escalate to the investigations team. Reviewing events, setting up policies, and managing the system, all take skills that come with training and time with the product. Clearly this is not a skill set you can just pick up anywhere – finding and keeping talented people is hard – so if you don’t have sufficient sophistication internally, that’s a good reason to check out a service alternative. Scalability of existing platform: You may have a decent platform, but perhaps it can’t scale to what you need for real-time analysis. As we discussed in the Platform Evaluation post, this is common for those deploying first generation database-based SIEM products, who then face a significant and costly upgrade to scale the system. This can also happen to acquisitive organizations, who bring on significant assets and need to integrate management capabilities quickly to get sufficient leverage. With a managed service offering scale is not an issue – any sizable provider is handling billions of events per day. Risk Transference: You have been burned before – that’s why you are looking at alternatives, right? You’re not sure what solution to select for the long haul. Why risk the investment when you can drop that monkey on someone else’s back? This allows you to focus on the functionality you need instead of vendor hyperbole and sniping. Ultimately you only need to be concerned with the application and the user experience, and all that other stuff is the provider’s problem. So selecting a provider becomes effectively an insurance policy to minimize your investment risk. Similarly, if you are worried about your ops team’s ability to keep a broad security management platform up and running, you can transfer operational risk to a safer outside team. Once again, that operational risk goes to the provider, who assumes responsibility for uptime and performance. Geographically dispersed small sites: Managed services also interest organizations which need to support many small locations. Think retail or other distribution-centric organizations, where the central site may have sufficient expertise but there is very little capability at the remote sites. That might work well – particularly if event traffic can be centrally aggregated. But if not, this presents a good opportunity for a service provider who can monitor the remote sites. Round the clock monitoring: Some organizations need to move from a 8-hour/5-day monitoring schedule to a round-the-clock approach. Whether this is driven by a breach, a new regulatory requirement, or some kind of religious awakening in the executive suite, staffing a security operations center (SOC) 24/7 is a huge undertaking. But a service provider can leverage that 24/7 staffing investment across many customers, and might be in a much better position to deliver round-the-clock services. Of course you can’t outsource thinking or accountability, so ultimately the buck stops with the internal team, but under the right circumstances managed services can address skills and capabilities gaps. So let’s dig into a few of the use cases that provide a good fit for managed SIEM or Log Management. Favorable Use Cases Many providers offer a managed SIEM/Log Management platform as the equal of an in-house solution, and that may be the case. Or it might not – depending on the sophistication of the implementation, as well as the capabilities of the provider’s technology and internal processes. Under the right circumstances you can get a managed SIEM offering to do (almost) everything you could with an in-house option, but in reality we very rarely see that. More often we see the following use cases when considering a service alternative: Device Monitoring: You have a ton of network and security devices and you don’t have the resources to properly monitor them. That’s a key situation where managed security management can help. These services are generally architected to aggregate data on your site and ship it to the service provider for analysis and alerting. The provider should have a correlation system to identify issues, and a bunch of analysts who can verify issues quickly and then give you a heads-up. Compliance Reporting: Another no-brainer for a services alternative is basic log aggregation and reporting – typically driven by a compliance requirement. This isn’t a very complicated use case, and it fits well with service offerings. It also gets you out of the business of managing storage and updating reports when a requirement changes. The provider should take care of all that for you.

Heading down into Atlanta last week for the BSides ATL conference, I got into my car and the magic began. I whipped out my magic box and pulled up the address on the Maps app, just to make sure I remembered where it is. Then I fired up Pandora, which dutifully streamed rocking music to my Bluetooth-equipped car stereo. I checked out the NaviGAtor mobile site for real-time traffic data; then I was set and on my way. Wait. What? Think about this for a second. None of what I just described was even possible 4 years ago. I normally just take all this rapid technology evolution for granted, but that day I reflected a bit on how surreal that entire trip was. The idea of having a personalized radio station streaming from the Internet and playing through my car stereo? Ha! Having a fairly accurate map and an idea of traffic before I stumbled into bumper to bumper mayhem? Maybe in a science fiction movie, or something. But no, this stuff happens every day on a variety of smartphones, enabled by fairly ubiquitous wireless Internet connectivity. As another example, Rich just texted me on Monday to let me know he deposited my monthly commission check to our bank from his device, while taking a potty break during a strategy day. Yeah, that’s probably TMI. My bad. Our recently departed leader talked about the sense of “childlike wonder” you get when discovering these applications that enable totally different ways of communicating and living. And it’s true. As I drove down the highway, jamming to my music, with no traffic because I routed around the congestion, I could only marvel at how things have changed. It’s a far cry from my first bag phone. Or that ancient StarTac, which was state of the art, what, five years ago? How can you not be excited by the future? We have only just scratched the surface on how these little computers will change the way we do things. Bandwidth will get broader. Devices will get smarter. Apps will get more capable. And we’ll all benefit. Maybe. It takes a lot of self-control to just enjoy the music while I’m driving. The inclination is to multi-task, at all times. You know, checking Twitter, texting, and catching up on email, in a metal projectile traveling about 70mph, surrounded by other metal projectiles traveling just as fast. That can’t end well. As with everything, there is a downside to this connectivity. It’s hard to just shut down the distractions and think, or to focus enough to stay on the road. It seems the only place I can get some peace is on a plane, and even there I can get WiFi (though I tend not to connect on most flights). The good news is that nothing I do is really that urgent. My Twitter can wait 15 minutes until I stop moving. But it doesn’t mean I don’t have to make a conscious effort to stay focused on the road. I do, and you probably do as well. I guess what is most amazing to me is that my kids have no idea that there was a time when all this stuff didn’t exist. The idea of not being able to text whenever they wanted? Madness. A world without Words with Friends? A time when they could only listen to 10 CDs because that’s all they could carry in their travel bag? They can hardly remember what a CD is. Nor should they. It’s not like when I was a kid I had any concept of a world where we hung out by the radio to get news, sports, entertainment – basically everything. But that’s how my folks grew up. I wonder if someday SkyNet will look back and wonder what things were like before it was self-aware? Oy, that’s a slippery slope. -Mike Photo credits: “Childlike Wonder” originally uploaded by SashaW Incite 4 U Peeking into Dan’s brain: There are a select few folks who really make me think. Like every time I talk to them (which isn’t enough), I have to bring my A game, just to hold a conversation. Dan Geer is one of those folks. So when the Threatpost folks asked Dan about the research agenda in security, he didn’t disappoint. He starts by proposing that we’d need a lot less research if we put into practice what we already know, and that we should research why we don’t do that. Yeah, Dan makes recursive thinking cool. Then there are other nuggets about building systems too complex to effectively manage, the strategic importance of traffic analysis, and the security implications of IPv6. He may not have all those research-grade answers yet, but Dan certainly knows the questions to ask. – MR Johnny doesn’t care: Carnegie Mellon released a research paper called Why Johnny Can’t Opt Out, an examination of tools to thwart online behavioral monitoring, and how users use them. I recommend downloading the paper and taking a quick look at the study – it contains some interesting stuff, but I am a bit disappointed by several aspects. First, the executive summary makes it sound like the tools they surveyed are ineffective, when that’s clearly not the case. They found users were confused by the UIs of the respective products and failed to configure the products correctly. OK, that’s reasonable – most utilities leave a bit to be desired from a user experience standpoint. But not all offerings are like that; for example Ghostery’s setup wizard is dead simple to use, but the data is the data. The other thing that bothered me was not testing NoScript (a fantastic tool!) as another privacy tactic. The final annoyance was their assumption that users do not want privacy tools to hinder usability! WTF? They do understand behavioral advertising is woven into the web’s fabric, right? That “no hindrance” requirement eliminates NoScript, and stymies any effective product, because there’s no way to eliminate certain risks