The Mid-market Security Squeeze

Most folks appreciate the challenges of securing a mid-sized company. They have important data and enough employees that someone is going to screw something up. They often don’t have the budget or infrastructure maturity to take security seriously. Many get by due more to obscurity (who is going to attack them?) than any active controls. And as automated tools make it easier to find chinks in any and every company’s armor, the seriousness of the problem is going to become much higher-profile. No less than Dan Geer has weighed in on the topic in a CSO contribution. He looks at it from the perspective of what the mid-sized company can do and what they can’t. By introducing the concept of a third party, which he calls a mentor, Dan is talking about helping an organization kickstart their security program and prioritize. Later, the mentor can move on to their next stop, when the organization is ready to do stand on its own. Information protection means a program, not a tool, not a silver bullet, not a small number of enlightened facts. It means learning what it is that you don’t know that you don’t know (without the expensive embarrassment of the serious errors our opponents will surely deliver). An information protection program is, at its best, something that a mentor jump starts for you and, over time, brings you to the point where whether you take it over entirely for yourself, or keep it as a partnership with your mentor, is a choice that you make for reasons that no longer include whether you know what you are doing. Everyone understands that, say, driving tractor trailers or doing surgery is not something you would teach yourself. Basically Dan is calling for the mentor to take a snapshot of an organization and use their experience, methods, and analysis to help the organization prioritize what they should fix first. This first-things-first approach demands a mentor with the tools to take a high definition photograph of your information in motion movement – the source, target, frequency, volume, etc., mentioned above. If experience is a guide, then you will have some surprises. Again, this is nothing to be ashamed of, but better you get those surprises quickly and from a trusted mentor rather than reading about your data breach in a newspaper. Note that the kind of mentor we suggest is not a penetration tester, not an auditor, not a per-diem consultant, and not a reformed criminal peddling a product. Dan is one of the big thinkers in the business, and he doesn’t talk much. But when he does, pay attention. As with any out of the box thinking, you can come up with a million reasons why something like this won’t work. But we should focus on how to make something like this happen; as technology advances (yes, Big Data) this kind of concept becomes more achievable. The reality is that far too many organization don’t know what they don’t know. And until they do things aren’t going to get better. Photo credit: “MSH0110-12 Squeeze Me” originally uploaded by f1uffster (Jeanie) Share:

Read Post

Friday Summary: January 25, 2013

Will Hadoop be to NoSQL what Red Hat is to Linux? Will it become more known for commercial flavors than the open-source core? Lately I have been noticing similarities between the two life-cycles, with the embrace of packaged variants. What I notice is this: In 1994 I replaced an unreliable BSD distribution with a Slackware distribution of Linux – itself a UNIX derivative. Suddenly “this old PC” was not only reliable, it felt 5x faster than it did running from the Windows partition. Slackware Linux was a great product limited to the realm of uber-geeks – you needed to assemble and compile before you could use it. But you could customize it any way you wanted – and it put a truly powerful OS on the desktop – free. Then Linux started to go a bit mainstream as it allowed us to cost-effectively run applications that previously required a substantial investment and very particular hardware. Caldera was a big deal for a while because they produced a ‘corporate’ flavor. Some companies noticed Linux was a powerful platform and embraced it; others viewed it – along with most open source – as a security threat. But its flexibility and ability to deliver a server-quality OS on commodity hardware were too compelling to ignore. Then we got ‘professional’ distributions, tools, and services. Adoption rates really started to take off. But while the free and open nature of the platform still roots the movement, it started to feel like you need a commercial version for support and tools. These days few people grab different pieces and assemble their own custom Linux distributions. I think Big Data is already moving from the fully open source “piece it together yourself” model into complete productized versions. If that’s true I expect to see the 125+ versions of NoSQL begin to simplify, dropping many of the esoteric distributions, likely boiling the market down to a few main players within the next few years – and eventually the Big Data equivalent of a LAMP stack. After that the NoSQL growth curve will be about standardized versions of Hadoop. The question is whether it will look more like Red Hat or Ubuntu? This really has nothing to do with security, but I thought there were too many similarities to ignore. -Adrian On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Milestone: Episode 300 of NetSec podcast. Mike quoted on Reuters on Cisco’s network security competitiveness. Mike quoted in the Merc about Cisco’s network security (missed) opportunity. Favorite Securosis Posts Mike Rothman: Don’t respond to a breach like this. Small minds make poor decisions. And everyone else should continue to do the right thing, even if small minds can’t understand it and take action against it. Adrian Lane: Emotional Whiplash. Mike nailed it. And I only saw the first and fourth quarters! Favorite Outside Posts Adrian Lane: “Cyber” Insurance and an Opportunity. Fascinating. Mike Rothman: XSS, password flaws found in popular ESPN app. Man, this sucks. Any big sports fan uses the ESPN app. Good thing it doesn’t store anything sensitive because I can’t live without my scores and NFL news. Recent Research Papers Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Top News and Posts Aaron Swartz’s death Backdoors Found in Barracuda Networks Gear Google Tells Cops to Get Warrants for User E-Mail, Cloud Data Twitter flaw allowed third party apps to access direct messages Blog Comment of the Week This week’s best comment goes to -ds, in response to It’s just Dropbox. What’s the risk?. If we make security break users, we make users break security. This is such a basic principle. I’m tired of being in an industry where my peers would rather have the illusion of control then actual, effective, risk proportinate security. We have so many pretenders and unfortunately many of them are loud voices and dominate the coversation to the extent that newly minted security practicioners think they are the ideal. Next one of them that says “we do X because it is a best practice” is getting a wedgie. Share:

Read Post

Symantec Realigns

Symantec released their quarterly earnings today, which is the sort of thing we usually ignore. Especially because it’s only the third quarter, and not even a playoff game (I really need to hang out with Mike less). However… The learning period is over for new CEO Steve Bennett, and he is starting to implement his game plan. There shouldn’t be any surprises considering his background at GE – the focus is on streamlining, realigning assets, and reducing workforce cruft – especially in the middle and executive management levels. Talk is cheap and change is hard, so Bennett has his work cut out for him. The strategy of executing better in the field and with product delivery isn’t without risk. But it’s not like they really had a choice. Their sales costs were much higher than comparables in the industry, so that needed to be fixed. Organic innovation and acquired product integration have been problematic for years. At the same time Symantec drank at the trough of high multiple M&A to drive revenue growth, but too many of those deals didn’t pan out. So the focus will be on the stuff they already have, and even if they do more M&A given the return of capital to shareholders (in the form of a dividend and stock buyback), you’d look for lower priced and accretive deals. One message came across loud and clear: Don’t expect short term magic. Bennett managed expectations that this would be a multi-year process. What does this mean to you? SMB is now tied to consumer, not enterprise. That makes sense on the surface but is likely a tricky move under the covers, depending on where they draw the SMB line. Especially as more and more SMB customers look to the cloud for key services like web and email security and backup. On the enterprise side there will be some turmoil as they move BUs around, focus on profitable products, and perhaps start dropping distractions. This usually slows innovation, despite saying they are investing more into R&D. For most of you this won’t mean much yet, except that you should expect deck chairs to move even in the middle of deals. I don’t expect significant changes in the main product lines, and there is some base there to build on – per the article: The company also plans to increase research and development into areas such as mobile workforce productivity, data center security, integrated backup, information security services, cloud-based information management, and identity and content-aware security. Symantec really struggled with focus for a long time. They have started to clean that up, but nothing that big turns quickly. Mike might have more to add, but most of this won’t affect the enterprise business too much unless they decide to dump something big, and there’s no question they will be dumping little things that aren’t profitable enough. We don’t think they know what won’t make the cut at this point, but clearly some stuff will need to go. I suspect the SMB re-org/transition will be messy, but Symantec hasn’t had much of a strategy or success there for a while anyway. Basically, they are moving to address issues that the entire market has been pointing out for years. That should be good news to those Symantec faithful, and business as usual for everyone else. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.