Securosis

Research

Incite 1/23/2013: Sustainability

You know those overnight successes who toiled in the background for 10 years before they finally broke through? How did they get there? How did they work through the Dip to reach the other side? I am fascinated by organizations which have success year after year. They seem to take the long view, set up the foundation, and stay committed to the plan. Even when other folks push for (and get) faster results, opting for short-term fixes. These band-aids may provide a short-term pop, but rarely result in longer-term results. Sure that’s part of my rationalization for why the Falcons lost at the precipice of the Super Bowl. That they have built the organization the right way over the past 5 years, and will be back. You see those attributes in all the NFL organizations that seem to be competitive year after year. They work the plan. They build through the draft. They don’t react to a bad season or two. It’s unlikely Pittsburgh or the NY Giants will blow up their environment because they missed the playoffs this year. They have stability. And that stability leads to sustained success. By the way, it’s not just my football obsession that cause me to fixate on this. As Rich said, we had a good 2012. But my paranoid self (I am a security guy, after all) continues to look for our Achilles heel. One good year – hell, even two good years – doesn’t mean the foundation for sustainable success is there. And as you see with all our new linky posts, even when things are going well, we need to adapt and change based on market realities. As Deming so famously said, “It is not necessary to change. Survival is not mandatory.” So I spent a good deal of time over the holidays digging into our good year. Partly because I was curious, but mostly trying to determine whether our results are sustainable. The honest answer is that I don’t know. I know what we did from an activity standpoint and we are still doing that. But past success is no guarantee of future results. So I will keep looking for holes in the story. We all keep looking for holes. We’ll keep trying new things to see what works, and more importantly what doesn’t. But most of all, we will continue to grind. We may not achieve sustained success, but it won’t be due to lack of effort. That I can guarantee. –Mike Photo credits: Sustainable Food Poster originally uploaded by Steven-L-Johnson Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services Integration The Solution Space Introduction Newly Published Papers Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U The Hunt for Red October: Not that you had any doubts as to the sophistication of today’s attackers, but Kaspersky’s description of the Red October attack drives it home loudly and clearly. This is a multi-faceted effort undertaken over the past 5 years using sophisticated malware and tactics to infiltrate lots of places where information can be stolen and monetized. AlienVault worked with the Kaspersky folks to isolate the indicators of compromise (IoC) shown by Red October, and this is an example of Early Warning, but not early enough. You can now use the IoC information to see if you have devices already compromised. We will also see lots of hand wringing about who was behind the attacks. The stolen data is sensitive nation-state stuff, but that doesn’t mean nation-states are actually behind the attacks. Kaspersky says it’s Russian crime syndicates, adding a lot of news value to the research, but RSA says there isn’t enough information to draw a conclusion one way or the other. And at the end of the day, I’m not sure identifying the actor really makes a difference. It’s not like you can send them a cease and desist letter. – MR PCI drops pants, doesn’t care: Oh, PCI Standards Council, there you go again. The same people who claim, “no PCI compliant organization has ever been breached” apparently can’t even decide what their own standards are. Approved Scanning Vendors (ASVs) are the companies authorized to perform scans on Internet-facing applications. If you run so much as the smallest doggie donut web store, and you take credit cards, you need to be scanned. There’s an annual review process for ASVs, which costs $10K a shot, and according to Brett Hardin not only does everyone fail the first time, but the same report submitted twice under different letterhead gets graded differently. In the words of the grader, “Well, security and PCI-DSS aren’t exact sciences.” Uh huh, then how about some free passes? – RM Eyes on the prize: Every large retail firm I have spoken with has a VP or Director of Data Analytics. Macy’s foray into big data in the cloud is one example, and Target’s recent ‘success’ has been highlighted as well. Many other verticals have similar positions within marketing or IT. These people are popping up everywhere as data analysis becomes a core function of business. Make no mistake – big data is a huge trend and it is changing the way companies market and sell products. And assess risk. And evaluate investments. But every firm also has Identity and Access management, both for customers and employees. Ever hear about a VP of access and identity? Director? Me either. Every employee uses IAM every day, and it gates access to every electronic service. Think about that the next time you wonder where security ranks

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.