It it was easy, everyone would be doing it…

We talk a lot about Big Data Security, and over the next couple years we will talk about it a lot more. But I think articles like Big Goals for Big Data are a bit misleading. But Preston Wood, Zions Bancorporation’s CISO and executive VP of security, finds it puzzling that so many find big data such a struggle. Really? The rest of the article goes through how Zions hit the wall with SIEM and needed to use Hadoop and associated technologies to meet his needs. It’s a good read and they make a number of very good points. The article even quotes Adrian, but we shouldn’t hold that against them. Our pal Alex Hutton weighs in a bit as well. “His advice? Do your homework before rushing in. Take all the necessary time to flesh out a detailed road map for the data you’re looking to process, carefully review how Hadoop will behave with the rest of your network, and develop a clear taxonomy model and strict metrics for it to follow.” That’s the rub. Most practitioners have neither the time or inclination to do the homework, structure the security program, and do things right. It’s all about instant gratification – which is why it’s much easier to get companies to install a magic box (which isn’t really magic) than it is to get them to change process and embrace foundation technology. This is an irritating truth at far too many organizations. But it is what it is. Zions has done a great job of building their security program on analytics, but that doesn’t mean it will be easy for other companies to do likewise. Share:

Read Post

No Limits—New York Times Hacked by China

A must-read reported by the Times itself: For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings. The article contains many more details than we usually see about these incidents. Pure APT, and I had Mandiant pegged as the responders by the second paragraph. Of greater interest AT&T’s role in initially identifying the attack. Some in the security community, especially researchers, like to dismiss APT, but there is no question that China (and others, including the US) are engaging in massive attack campaigns. The key difference is that China is brazen and appears to target anyone in the public who private sector who comes anywhere near their radar screen. This includes companies far smaller than the Times. Until there are consequences for these actions, don’t expect anything to slow down. Gumming up the Huawei deal doesn’t come close to a material consequence. Update: Looks like the Wall Street Journal is also under persistent attack from China. Share:

Read Post

Friday Summary: February 1, 2013

Plan. Build. Run. It’s a pretty straightforward process. One of those things that is so simple we rarely need to even call it out. We tend to structure our research this way, even if we use different terms that are more consistent with the context at hand. This morning my wife gave me one of those looks as I got all excited and mentioned our build phase was nearly over. You see, for the past four-plus years our lives have been in big-time family build mode. We knew we wanted kids, we planned a bit, and then started building the family. What I didn’t realize was the sort of stasis that you get into when you cram build mode into a short timeframe (three kids in under five years for us). Nothing is ever stable when you bring children into the picture, but life sort of goes on hold when you are having kids, in a weird way that’s different from adjusting to the various changes as they grow up. For example, our garage is chock full of strollers, baby clothes, and other accouterments. We can’t even throw away any toys because the next baby will need all the same stuff. Sophie the Giraffe ain’t cheap for a hunk of rubber, and it isn’t even worth pulling it out of rotation with our kids so close. I just know one day I will pull around the block and see a Hoarders film crew in front of my house. Cars? Carseats? Daycare costs? Vacation plans? Even framing family photos is all messed up when you know the next little bugger is on the way. I knew life would be more difficult with children, but I didn’t anticipate the time dilation as you put your life on hold for the build years. And let’s be perfectly clear – it is a hell of a lot easier on me than my wife. I’m not the one who has to plan my wardrobe nine months in advance. As the rest of the Securosis team, and many of you, head out to RSA, I will be back here in Phoenix working on our Build-to-Run transition. Well, more like witnessing – it’s not like I’m doing any of the real work. The Mogull family will be in full production mode, and we can start slowly cleaning out the dev archives. Er… maybe I’m working too much. Anyway, I’m as excited to know that we have three happy and healthy kids, and no more, as I am to meet the new one for the first time (really, they aren’t very exciting for the first six or so months anyway). We can start moving forward and enjoy the few short years we will have them around to wreck our sleep, break our sh**, and otherwise teach us levels of emotional pain we can’t possibly imagine. But damn, they’re cute. And while I miss the freedom of the pre-kid versions of our lives, this is exactly where I want to be at this point in my life. Without question or hesitation. Really, they’re very cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Big Data Tweet-jam roundup. Adrian quoted on Big Data. Rich quoted in the Economist on Android security. Rich reviews his favorite fitness gadget for TechHive. Favorite Securosis Posts Adrian Lane: No Limits – New York Times Hacked by China. Mike Rothman: Universal Plug and Play Vulnerable to Remote Code Injection. One of the things Adrian didn’t get in this post is that Rapid7’s tool requires Java. FAIL. David Mortman: IAM for cloud use cases. Rich: It it was easy, everyone would be doing it… Other Securosis Posts Remember, every jailbreak is a security exploit Incite 1/30/2013: Email autoFAIL The Internet is for Pr0n Gartner on Software Defined Security The Graduate: 2013 Style Threatpost on Active Defense The Inside Story of SQL Slammer Java Moving from Ridiculous to Surreal Marketers take the path of least resistance Mobile Commerce Numbers Don’t Lie In through the Barracuda Back Door Favorite Outside Posts Adrian Lane: Symantec Gets A Black Eye In Chinese Hack Of The New York Times. Low effectiveness, but who will remove it? Mike Rothman: Check Point, Juniper, Stonesoft shine in low-end network firewall test. I like the work NSS does to put these products through their paces. It can’t really reflect real world circumstances, but their tests are as close as we are going to get. Rich: Decoding SDN by Juniper. SDN is hitting, and it’s time to get up to speed on the fundamentals. David Mortman: Trust will make or break cloud ID management services. Rich (#2): Jeff Carr asks great questions on the NYT article. Top News and Posts Twitter flaw allowed third party apps to access direct messages Google Tells Cops to Get Warrants for User E-Mail, Cloud Data Backdoors Found in Barracuda Networks Gear serving malvertiseing. How Yahoo allowed hackers to hijack my neighbor’s e-mail account. Wikr updates iOS app. I like Wikr, but don’t have enough people to use it with. Blog Comment of the Week This week’s best comment goes to David, in response to Threatpost on Active Defense. Rich, I am promoting using the term “Active Response Continuum” instead of “active defense” for the reason you cite, which is the term is too vague to be meaningful in discussion. The Active Response Continuum includes everything you list above, using two ranges (one capacity to respond, the other aggressiveness of actions). For more on this concept, see David Dittrich and Kenneth E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. abstract_id=790585 and my Honeynet Project blog post responding to someone promoting “active defense” Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.