RSA Conference 2012 Guide: Security Management and Compliance

As we continue with our tour through the RSA Conference, we’re in the home stretch. Today we’ll hit both security management and compliance, since the two are intrinsically linked. Security Management Security Management has been a dynamic and quickly evolving space that received a lot of attention at conference like RSA. Yet, we will probably see a little bit less visibility on the part of what we typically call security management (basically SIEM/Log Management) this year, because there will be fewer folks beating the drum for this technology. Why? That brings us to our first observation… I can haz your start-up Amazingly enough, the two highest profile SIEM/Log Management vendors were acquired on the same day last October. Q1Labs by IBM and Nitro Security by McAfee, which we wrote about in this post. This followed Big IT investing in the space over the previous few years (HP bought ArcSight in 2010 and RSA bought Network Intelligence in 2006 and Netwitness in earlier in 2011). So basically at the RSA show, you’ll see these security management platforms positioned clearly as the centerpiece of the security strategies of the Big security vendors. Cool, huh? The technology has moved from being an engine to generate compliance reports to a strategic part of the big security stack. What will you see from these big vendors? Mostly a vision about how buying into their big security stacks you’d be able to enforce a single policy across all of your security domains and gain tremendous operational leverage. I say vision because the reality is these deals have all closed within the last two years and true integration remains way down the line. So make sure to poke hard on the plans for true integration, as opposed to what the booth graphics say. And then add a year or two to their estimates. But there is one area of integration where you can get immediate value which is integration on the purchase order, which we don’t want to minimize. Being able to dramatically expand a security management implementation with money already committed to a 7 or 8-figure enterprise purchase agreement is a good thing. What about the Independents? You know, the handful that remain. These folks have no choice but to focus on the fact they aren’t a big company, but as we mentioned in the IBM/Q1 and MFE/Nitro deal analysis post, security management is a big company game now. But do check out these vendors to see them thinking somewhat out of the box relative to what’s next. Clearly you aren’t going to see a lot of forward thinking innovation out of the big vendors, as they need to focus more in integration. But the smaller vendors should be able to push the ball forward, and then see their innovations co-opted by the big guys. Yup, it’s a brutal world out there, but that’s how things work. Don’t forget about those pesky logs. As mentioned, a lot of focus will be on how SIEM becomes the centerpiece of the big IT companies security stacks. But let’s make the point that Log Management isn’t dead. You’ll see some companies looking to replicate the success of Splunk in focusing on not only security-oriented use cases for log data. That means things like the use cases discussed in our Monitoring Up the Stack research, and things like click stream analysis, transaction fraud detection, and pinpointing IT operations issues. Also expect to hear a bunch about log management in the cloud. For those smaller organizations, this kind of deployment model can make a lot of sense. But there are some multi-tenancy complications to storing your logs in someone else’s cloud. So be sure to ask very detailed and granular questions about how they segment and protect the log data you send to them. Platform hyperbole Finally let’s point out the place where you’ll need to cut through the vendor boasts and hyperbole with a machete. That’s these so-called platforms, described above. We’ve been talking for a long time about the need to go beyond logs for a more functional security management capability, and you’ll hear that at the show as well. But the question will remain, where does the platform begin? And where does it end? There is no clear answer. But let’s be very clear, we believe the security management platform of the future will be able to digest and analyze network full packet capture traffic. As we discussed in our Advanced Network Security Analysis research, to truly confirm a breach and understand the attacks used against you, it requires more granular information that exists in the logs. The question is to what degree the security management vendors acknowledge that. The vendors that have it either via acquisition (RSA) or partnership (everyone else), won’t shy away from this realization. The real question gets back to you. To what degree can your existing personnel and processes make effective use of packet capture data? if you don’t have the sophistication to do malware analysis or do a detailed forensic investigation in house, then logs are good for the time being. But if you are interested in full packet capture, then really hit the vendors on integration with their existing SIEM platform. Firing alerts in two separate consoles doesn’t help you do things faster, nor is clicking on a log record to isolate the packet capture data in another system going to be a long term solution. You’ll also still hear a bit about GRC, but the wind is out of those sails, and justifiably so. Not that IT-GRC platforms can’t add value, but most companies have a hard enough time getting their SIEM to correlate anything, so the idea of a big stack IT-GRC and the associate integration is challenging. Compliance We get the sense that most of the vendors are tired of talking about compliance as they have switched their focus to APT and ‘The Insider Threat’. You know, that sexy security stuff, while compliance continues to be the biggest driver of security spend. Though you know trade shows, the

Read Post

Understanding and Selecting DSP: Core Components

Those of you familiar with DAM already know that over the last four years DAM solutions have been bundled with assessment and auditing capabilities. Over the last two years we have seen near universal inclusion of discovery and rights management capabilities. DAM is the centerpiece of a database security strategy, but as a technology it is just one of a growing number of important database security tools. We have already defined Database Security Platform, so now let’s spend a moment looking at the key components, how we got here, and where the technology and market are headed. We feel this will fully illustrate the need for the name change. Database Security Platform Origins The situation is a bit complicated, so we include a diagram that maps out the evolution. Database Activity Monitoring originated from leveraging core database auditing features, but quickly evolved to include supporting event collection capabilities: Database Auditing using native audit capabilities. Database Activity Monitoring using network sniffing to capture activity. Database Activity Monitoring with server agents to capture activity. So you either used native auditing, a network sniffer, or a local agent to track database activity. Native auditing had significant limitations – particularly performance – so we considered the DAM market distinct from native capabilities. Due to customer needs, most products combined network monitoring and agents into single products – perhaps with additional collection capabilities, such as memory scanning. The majority of deployments were to satisfy compliance or audit requirements, followed by security. There were also a range of distinct database security tools, generally sold standalone: Data Masking to generate test data from protection data, and to protect sensitive information while retaining important data size and structural characteristics. Database Assessment (sometimes called Database Vulnerability Assessment) to assess database configurations for security vulnerabilities and general configuration policy compliance. User Rights Management to evaluate user and group entitlements, identify conflicts and policy violations, and otherwise help manage user rights. File Activity Monitoring to monitor (and sometimes filter) non-database file activity. Other technologies have started appearing as additional features in some DAM products: Content Discovery and Filtering to identify sensitive data within databases and even filter query results. Database Firewalls which are essentially DAM products placed inline and set to filter attack traffic, not merely monitor activity. The following graph shows where we are today: As the diagram shows, many of these products and features have converged onto single platforms. There are now products on the market which contain all these features, plus additional capabilities. Clearly the term “Database Activity Monitoring” only covers a subset of what these tools offer. So we needed a new name to better reflect the capabilities of these technologies. As we looked deeper we realized how unusual standalone DAM products were (and still are). It gradually became clear that we were watching the creation of a platform, rather than the development of a single-purpose product. We believe the majority of database security capabilities will be delivered either as a feature of a database management system, or in these security products. We have decided to call them Database Security Platforms, as that best reflects the current state of the market and how we see it evolving. Some of these products include non-database features designed for data center security – particularly File Activity Monitoring and combined DAM/Web Application Firewalls. We wouldn’t be surprised to see this evolve into a more generic data center security play, but it’s far too early to see that as a market of its own. Market and Product Evolution We already see products differentiating based on user requirements. Even when feature parity is almost complete between products, we sometimes see vendors shifting them between different market sectors. We see primary use cases, and we expect products to differentiate along these lines over time: Application and Database Security: These products focus more on integrating with Web Application Firewalls and other application security tools. They place a higher priority on vulnerability and exploit detection and blocking; and sell more directly to security, application, and database teams. Data and Data Center Security: These products take a more data-centric view of security. Their capabilities will expand more into File Activity Monitoring, and they will focus more on detecting and blocking security incidents. They sell to security, database, and data center teams. Audit and Compliance: Products that focus more on meeting audit requirements – and so emphasize monitoring capabilities, user rights management, and data masking. While there is considerable feature overlap today, we expect differentiation to increase as vendors pursue these different market segments and buying centers. Even today we see some products evolving primarily in one of these directions, which is often reflected in their sales teams and strategies. This should give you a good idea of how we got here from the humble days of DAM, and why this is more than just a rebranding exercise. We don’t know of any DAM-only tools left on the market, so that name clearly no longer fits. As a user and/or buyer we also think it’s important to know which combination of features to look at, and how they can indicate the future of your product. Without revisiting the lessons learned from other security platforms, suffice it to say that you will want a sense of which paths the vendor is heading down before locking yourself into a product that might not meet your needs in 3-5 years. Share:

Read Post

Webcast Wednesday 22nd: Tokenization Scope Reduction

Just a quick announcement that this Wednesday I will be doing a webcast on how to reduce PCI-DSS scope and audit costs with tokenization. This will cover the meaty part of our Tokenization Guidance paper from last year. In the past I have talked about issues with the PCI Council’s Tokenization supplement; now I will dig into how tokenization affects credit card processing systems, and how supplementary systems can fall out of scope. The webcast will start at 11am PST and run for an hour. You can sign up at the sponsor’s web site. Share:

Read Post

Malware Analysis Quant: Documenting Metrics (and survey is still going)

Just a little President’s Day update on the Malware Analysis Quant project. At the end of last month we packaged up all the process descriptions into a spiffy paper, which you can download and check out. We have been cranking away at the second phase of the research, and the first step of that is the survey. Here is a direct survey link, and we would love your input. Even if you don’t do in-depth malware analysis every day, that’s instructive, as we try to figure out how many folks actually do this work, and how many rely on their vendors to take care of it. Finally, we have also started to document the metrics that will comprise the cost model which is the heart of every Quant project. Here are links to the metrics posts we include both in the Heavy feed and on the Project Quant blog. Metrics – Confirm Infection Metrics – Build Testbed Metrics – Static Analysis Metrics – Dynamic Analysis Metrics – The Malware Profile One last note: as with all of projects, our research methodology is dynamic. That means posting something on our blog is just the beginning. So if you read something you don’t agree with let us know, and work with us to refine the research. Leave a comment on the blog, or if for some reason you can’t do that drop us an email. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.