Research

In response to this SC Magazine article (thanks @pauljudge), I tweeted: An important distinction to keep in mind when you read these articles. Share:

Yep – we are doing our very best to overload you with research this year. Here’s my latest. From the paper’s home page: Between new initiatives such as cloud computing, and new mandates driven by the continuous onslaught of compliance, managing encryption keys is evolving from something only big banks worry about into something which pops up at organizations of all sizes and shapes. Whether it is to protect customer data in a new web application, or to ensure that a lost backup tape doesn’t force you to file a breach report, more and more organizations are encrypting more data in more places than ever before. And behind all of this is the ever-present shadow of managing all those keys. Data encryption can be a tricky problem, especially at scale. Actually all cryptographic operations can be tricky; but we will limit ourselves to encrypting data rather than digital signing, certificate management, or other uses of cryptography. The more diverse your keys, the better your security and granularity, but the greater the complexity. While rudimentary key management is built into a variety of products – including full disk encryption, backup tools, and databases – at some point many security professionals find they need a little more power than what’s embedded in the application stack. This paper digs into the features, functions, and a selection process for key managers. Understanding and Selecting a Key Manager (PDF) Special thanks to Thales for licensing the content. Share:

Thanks to your friends at Accuvant labs. Very worth reading for security pros. Peter Morgan, Ryan Smith, Braden Thomas, and Josh Thomas did an excellent job breaking it down. Here’s the security risk: One important point to make is that unlike the previous jailbreakme.com exploits, which could be used against an unwitting victim, jailbreaks that require USB tethering have a lower security impact, and are usually only useful to the phone’s owner. Attackers are less interested because iPhones with a passcode set will refuse to communicate over USB if they are locked, unless they have previously paired with the connecting computer. So your phone is stolen and it’s locked, attackers won’t be able to jailbreak it. Therefore, only malicious code already running on your computer can leverage USB jailbreaks nefariously. In case you didn’t know, iOS devices that pair with a computer will re-pair with other user accounts on that computer. It is device-based, not user account based. Share:

It’s that time of year again. Time to get ready for a week of mayhem, debauchery, and the hunt for tchotchkes. OK, there isn’t a lot of debauchery at the RSA Conference besides the Barracuda party at the Gold Club, which we hear is an establishment of high repute. Realistically, you’ll spend most of your week fending off sales droids, gawking at booth babes (much to the chagrin of the security echo chamber), and maybe learning something about what’s new and exciting in security. As in previous years, your pals at Securosis have put together our 4th annual RSA Guide to give you some perspective on what to expect at the show and some of our key trends for the upcoming year. And we even include the snark for free. These themes are compiled and written by the entire Securosis team, so don’t pay too much attention to the posting author when you call us out. We’ll give you blog-reading faithful an early look, over the next 10 days, at what we expect to see at the show. So today we start with the key themes… Anti-Malware Everywhere Security folks have been dealing with malicious software since the days when your networking gear came with a swoosh on it. Yes, you young whippersnappers – back when sneakernet was the distribution vector for viruses. But what’s old is new again, and driven by advanced attackers who figured out that employees like to click on things, we expect almost every vendor at the show to be highlighting their ability to not block advanced attacks. Oh, was that a Freudian slip? Yes, you’ll hear a lot about newfangled approaches to stop advanced malware. The reality remains that sophisticated attackers can and will penetrate your defenses, regardless of how many shiny objects you buy to stop them. That doesn’t mean you should use 5-year-old technology to check the compliance box, but that’s another story for another day. Of course, kidding aside, there will be some innovative technologies in play to deal with this malware stuff. The ability to leverage cloud-based sandboxes that block malware on the network, advanced endpoint agents that look an awful lot like HIPS that works better, and threat intelligence services to learn who else got pwned and by what, are poised to improve detection. Of course these new tools aren’t a panacea, but they aren’t the flaming pile of uselessness that traditional AV has become. Many of the emerging products and services are quite young, so there won’t be much substantiation beyond outrageous claims about blocking this attack or that attack. So leave your checkbook at home but spend some time learning about the different approaches to stopping advanced malware. This will be an area of great interest to everyone through 2013. BYOD Is No BS We may not all be Anonymous, but we are certainly all consumers. It seems a little fruit company in Cupertino sparked the imaginations of technology users everywhere, so now the rest of us have to put out the fire. Technology used to be something you used at work, but now it is embedded into the fabric of our daily lives. So we shouldn’t be surprised as the workforce continually demands work tools that keep up with the things the kids are playing with in the back seat. While consumerization of IT is the trend of people bringing consumer-class devices and services into the workplace, BYOD encompasses the policies, processes, and technologies to safely enable this usage. In the past year we have moved beyond the hype stage, and we see more and more companies either developing or implementing their BYOD and general consumerization strategies. This trend won’t go away, you can’t stop it, and if you think you can block it you will get to find a new job. Even the government and financial services companies are starting to crack and take hard looks at supporting consumer devices and services. On the device side we see the core as Mobile Device Management, but MDM is merely the hook to enable all the other interesting technologies and controls. The constantly changing nature of BYOD and varied enterprise cultures will likely keep the market from ever maturing around a small set of options. We will see a huge range of options, from the mostly-mature MDM, to network access gateways (the rebirth of NAC), to containerized apps and security wrappers, to new approaches to encryption and DRM. And each of them is right… for someone. There is no silver bullet, but wandering the show floor is a great opportunity to see all the different approaches in one place and think about where they fit into your strategy and culture. Are you lockdown artists? Free-loving tech hippies? Odds are you can find the pieces to meet your requirements, but it definitely isn’t all completely there yet, regardless of what the sales droids say. The main thing to focus on is whether the approach is really designed for BYOD, or whether it’s just marketed as BYOD. There is a huge difference, and a fair number of vendors haven’t yet adjusted their products to this new reality beyond cosmetic changes. Think hard about which controls and deployment models will fit your corporate culture and, especially, workflows. Don’t look at approaches that take these wonderful consumer experiences and suck the life out of them, reverting to the crappy corporate tech you know you hate yourself. Yes, there will be a lot of hype, but this is a situation where we see more demand than supply at this point. Viva la revolucion! Security Big Data In the past two years at RSA we have heard a lot about risk management and risk reduction, which basically mean efficiently deploying security to focus on threats you face – rather than hypothetical threat scenarios or buying more protection than you need. This year’s risk management will be security analytics. Analytics is about risk identification, but the idea is that big data clusters mine the sea

I refer back to Rich’s Data Breach Triangle over and over again. It’s such a clear and concise way to describe a data breach – past or potential. And we continue to see examples of how focusing on breaking one leg of the triangle works. From How the RSA Attackers Swung and Missed at Lockheed Martin on Threatpost: “But instead of closing the door and shutting the attackers out, Lockheed’s team began monitoring their activities to see what they were doing, where they were going and what tactics they used.” The typical incident response playbook involves finding a compromised device and fixing it, but with today’s advanced attacks you can’t be sure you actually have eliminated the threat with a single remediation activity. So in some cases it makes more sense to observe the attackers, rather than [trying to] clean them up immediately. “The lesson, Adegbite said, is that preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in. “The investment to stop people from coming in is too high,” he said.” Break the egress leg of the triangle and there is no breach. And that’s why we focus on egress filtering and active protections like DLP in an effort to prevent exfiltration. Share: