Securosis

Research

When is a Hack a Breach?

As the hubbub over Apple, Twitter, and Facebook being hacked with the Java flaw slowly ebbs, word hit late last week that Microsoft was also hit in the attack. Considering the nature of the watering hole attack, odds are that many many other companies have been affected. This begs the question: does it matter? The headlines screamed “Apple and Facebook Hacked”, and technically that’s true. But as I wrote in the Data Breach Triangle, it isn’t really a breach unless the attacker gets in, steals or damages something, and gets out. Lockheed uses the same principle with its much-sexier-named Kill Chain. Indications are that Apple and Microsoft, and possibly Facebook, all escaped unscathed. Some developers’ computers were exploited, the bad guys got in, they were detected, and nothing bad happened. I do not know if that was the full scope of the exploits, but it isn’t unrealistic, and successful hacks that aren’t full-on breaches happen all the time. I care about outcomes. And someone bypassing some controls but being stopped is what defense in depth is all about. But you rarely see that in the headlines, or even in many of our discussions in the security world. It is the exact reason I didn’t really write about the hacks here before – from what I could tell some of the vendors disclosed only because they knew it probably would have come out once the first disclosure happened, because their use of the site was public. Share:

Share:
Read Post

The Nexus Is Live with the Cloud Security Alliance!

After two years of development, yesterday we flipped the switch and our Nexus product is officially live with our first partner, the Cloud Security Alliance. After all the stress of a nearly-failed launch (one of our security controls decided to filter the payment system) it is incredibly exciting to have this out there for paying customers. Here are some details: You can access the CSA Nexus at nexus.cloudsecurityalliance.org. Subscriptions are $200 annually, and it is available internationally. We launched with the CSA first because the timing was better to support a number of CSA initiatives. Also, we decided to completely rework our content structure for Securosis research to better fit our target market, and that will take us a few months. The systems are otherwise identical, running on the same platform (ain’t SaaS wonderful?). CSA customers gain access to existing and draft CSA research, some exclusive non-public research, and all the Securosis cloud research under development. Since we will be charging a lot more for the full Securosis library, this is a good way for cloud-only people to get discounted access to the exact same content. In other news, I’m a crappy sales guy. Questions submitted to the Ask an Analyst system will be handled by Securosis and CSA experts, depending on who is best for the question at hand. That’s right, full access to Securosis analysts for only $200 (on cloud issues). To support the CSA, we added a full discussion (forum) system that’s tightly integrated with the research, as well as the ability to ask the community (public) questions, not just the experts. You get to pick who you are asking when you submit a question, and our experts will watch both queues. Think of it like Quora or Stack Overflow, except you get to pick whether you want a guaranteed answer from us or responses from your peers. CSA enterprise members get licenses to the system as part of their memberships. We will have more activities and announcements over the next weeks and months, but those are the basics. We really aren’t aware of anything like this on the market that combines structured, professional research with access to both experts and peers for direct answers to your tough questions. Then again, for once, we are totally and completely biased. I also need to thank our developers JT and Jon, and James at our hosting provider (no links because they aren’t ready to take more business right now). I think once you look at what we built, you’ll be amazed that a small company without external funding could pull this off. Share:

Share:
Read Post

Everything I need to know about security, I learned in kindergarten

Let’s just say I almost failed sharing back in kindergarten. Almost 40 years later I’m not a hell of a lot better at sharing (just ask my kids), but if you want to be good at security, you had better do better at sharing than me. Good points here by Don Srebnick (CISO of the City of NY) on using an ISAC to your advantage: A structure for this type of sharing has been developed within multiple sectors. If you haven’t heard, the Information Sharing and Analysis Center, or ISAC, is that structure. An ISAC provides members with a private community for dispensing information about security threats, incidents and response, and critical infrastructure protection. ISACs are an effective method of sharing your information without direct attribution. If your site is under cyber attack or you become aware of an imminent threat to your sector, details can be exchanged without ever revealing your identity, thereby facilitating sharing, but maintaining confidentiality. I’ve been doing a lot of research on threat intelligence and believe (as many of the CISOs I speak with believe) that no one organization can do it themselves. The only way to shorten the window between attack and detection is to get much better at searching for indicators of compromise in your environment. And bi-directional sharing of the attacks you’re seeing, and learning about attacks similar organizations are seeing, are becoming key success criteria for security in the age of advanced attackers. The New School guys were absolutely right years ago about the need to share. They were just way ahead of the curve. It’s good to see a lot more discussion about sharing happening in the industry. It’s about time… Photo credit: “Sharing” originally uploaded by Toban Black Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.