Friday Summary: March 9, 2012

By Adrian Lane: I learned something from the e10+ session during RSA. Usually it’s my least favorite event but this year was different – it was my favorite, and not just because Rich and Mike were instrumental in putting it together. The consumerization presentation was really informative – the audience responses surprised me – but the breach victim “fireside chat” was awesome. The only way we could mimic the human stress angle in a preparedness drill is to set part of your office on fire during a press conference, or taze IT personnel as they rummage through logs. Don’t discount the stress factor in breach planning.

Around the time of the RSA conference I had a few discussions with VCs about technology acquisition. We discussed market trends, total market revenue estimates, sales opportunities, how products should be sold, and what changes in the ‘go-to-market’ strategy were needed to turn the company around. At the end of the day, the investment was a non-starter. Not because of the market, or the value of the technology, but because of the level of trust in the management team. They simply got “a bad feeling” they could not overcome. People not trusting people.

I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. I admit the first time I swung by Fortinet’s booth was to see the Ferrari. Sure, it was an unapologetic lure. And it worked. I even took a photo, I was so impressed with the beauty of its engineering. Nice, huh?

It’s too easy to be dispassionate about security, especially when talking about cryptography or key management. Heck, I have seen presentations on social engineering that had the sex appeal of paint brushes. How many of you have seen the “blinky light phenomena”, where buyers prefer hardware over software because there was a very cool looking (read: tangible) representation of their investment? But security users – or should I say security buyers – are motivated by human factors like everyone else. Too many CTOs I speak with talk about what we should be doing in security, or the right way to solve security problems. They fail to empathize with IT guys who are trying to get multiple jobs done without much fanfare. And many of them don’t want to talk about it – they want to get out of their cubicles for a day, walk around some shiny cars, have someone listen to their security issues and bring some tchotchkes back to their desks. Human behavior is not just an exploit vector – it’s also part of the solution space.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Mike quoted on Bank Info Security.
  • Adrian’s DR article on Deleting Databases.
  • Rich quoted on Daring Fireball about OS X Gatekeeper.
  • Adrian talks Tokenization at RSA Conference.
  • Adrian quoted in CSO on Big Data.

Favorite Securosis Posts

  • Mike Rothman: Burnout. This is a great post by Rich. Read. it. now.
  • Adrian Lane: Bringing Sexy back (to Security): Mike’s RSAC 2012 Wrap-up.
  • Rich: Lazy Deal Analysis in this week’s Incite.

Other Securosis Posts

  • Incite 3/7/2012: Perspective.
  • Upcoming Cloud Security Training Courses.
  • Objectivity Matters.
  • Implementing DLP: Ongoing Management.
  • Implementing DLP: Deploy.
  • The Securosis Guide to RSA 2012.
  • The Last Friday before the 2012 RSA Conference.
  • RSA Conference 2012 Guide: Cloud Security.
  • RSA Conference 2012 Guide: Data Security.
  • RSA Conference 2012 Guide: Security Management and Compliance.

Favorite Outside Posts

  • Rich: How’s that secrecy working out? The bad guys talk. We don’t. Guess who has the advantage?
  • Dave Lewis: Researchers find MYSTERY programming language in Duqu Trojan. It shows both skill and dedication to create your own language to write malware. But why? Anti-reverse engineering? Sounds spook-y!
  • Mike Rothman: Heartland 2011. Gunnar revisits the impact of the breach on Heartland’s business operations. Some folks will use this as proof that a high-profile breach is nothing but a brief event. Heartland clearly responded effectively and got their business back on a nice growth path. But don’t make the mistake that correlation = causation. It’s a data point, nothing more nor less.
  • Adrian Lane: The Ruby/GitHub hack: translated. The only lucid discussion of the GitHub incident I’ve seen, and a nice breakdown of the issue.

Project Quant Posts

  • Malware Analysis Quant: Metrics – Monitor for Reinfection.
  • Malware Analysis Quant: Metrics – Remediate.
  • Malware Analysis Quant: Metrics – Find Infected Devices.
  • Malware Analysis Quant: Metrics – Define Rules and Search Queries.

Research Reports and Presentations

  • Network-Based Malware Detection: Filling the Gaps of AV.
  • Tokenization Guidance Analysis: Jan 2012.
  • Applied Network Security Analysis: Moving from Data to Information.
  • Tokenization Guidance.
  • Security Management 2.0: Time to Replace Your SIEM?
  • Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
  • Tokenization vs. Encryption: Options for Compliance.

Top News and Posts

  • We Need to Talk About Android. The practical side of app security.
  • East Villager is ID’d as leading hacker with Anonymous group.
  • Consumerization is not BYOD, and what that means for security.
  • Head of Lulzsec Arrested.
  • TSA Pooh-Poohs Video Purporting to Defeat Airport Body Scanners. The video is a ‘must see’.
  • Adobe patches critical flaws. Feels like I write that sentence every week.
  • Tips for NOT getting Hacked on the Web. I would have said “for the common man”, and I would have included a recommendation to not click email links, but solid advice for basic user protection!
  • Fake AV attack targets WordPress users. Apparently some people we know have experienced this.
  • Apple releases Configurator app for Mac. With all the hoopla surrounding the new iPad and Apple TV releases, you might have missed this important iDevice management tool.
  • Still Life With Anonymous. In case you missed it, just before the RSA Conference, Imperva launched a report containing their findings on Anonymous.
  • Mitt Romney or Mr. Burns? OK, it’s political, but it’s really funny.
  • Hackers grab Michael Jackson songs from Sony.
  • Google Pays Out $47,500 in bug bounties. This program is working, people! Take note.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments – just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very, very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.