Unused security intelligence is, well… dumb

The hype cycle for Threat Intelligence is just getting going. It will soon join advanced malware, BYOD, and Big Data as terms that mean nothing because they have been poked, prodded, manipulated, and otherwise killed by vendor hyperbole. We have done a bunch of research into how to use threat intelligence (Early Warning, Network-based Threat Intelligence, and Email-based Threat Intelligence), so we get the value of benefiting from other folks’ misfortune and learning from how they were attacked. But I also know that our papers run 15-20 pages and usually fall into the category of tl;dr. So let me point to a few posts Scott Crawford put out there. The first talks about integration and its importance for dealing with the kinds of attacks you face. The other post I want to highlight is next in that series, bringing up the sticky issue of actually integrating threat intelligence into your control sets. It is simply this: in order for intelligence to factor into effective response, proactive defense or environment hardening, security intelligence systems must be able to send data out as well as take it in. Intelligence has historically been positioned as a differentiator for a product and/or service, not as a stand-alone offering with its own value. That’s changing, but not quickly enough. Scott’s points are exactly right – whether you are talking about security intelligence (the new term for SIEM) or threat intelligence, the data needs to be available in a number of formats for import/export to make sure you can actually use it. Scott doesn’t sugarcoat the ongoing concerns of operations folks or their unwillingness to allow any kind of automation to reconfigure controls and defenses. And clearly a filter needs to be applied. The stuff you know is bad should be blocked. If you aren’t sure, your layers need to come into play. Sure, there are lots of reasons beyond the limitations of monitoring technology why we wouldn’t want to do this. Automating blocking at scale would do a little more than step on the toes of IT operations and irk our insect overlords, if what we effectively build is the Mother of All Denial of Service Vehicles that raises existing problems with false positives to an entirely new level. But the point is the point. All that time you have spent collecting data and doing some simple analysis has positioned you to take the next step toward Scott’s concept of data-driven security. Let me simplify the issue a bit more. Having great intelligence doesn’t help if you can’t use it. That would be, well, just dumb. Photo credit: “#dumb” originally uploaded by get directly down Share:

Read Post

Friday Summary: April 12, 2013

Ever start a simple project – or perhaps ask for something simple to be done on your behalf – and get far more than you bargained for? Sometimes the seemingly simple things reach up and bite you. I was thinking about this two weeks ago, in the middle of some weekend gardening, expecting to tackle a small irrigation leak that popped up during the winter. I went out to the yard with the handful of tools I would need and started scouting around the pool of standing water to locate the source of the leak, and I found it – more or less. It was buried under some mud, so before I could fix the leak I needed to remove the mud around the irrigation line. Before I could remove the mud I needed to remove the giant rat’s nest on top of the mud – stuffed full of Cholla. Literally. It apperas a rat ate the irrigation line and then used it as a private port-o-let. But in order to remove the rat’s nest I needed to remove the 45 lbs of prickly pear cactus that formed the roof of the rat’s nest. Before I could remove that cactus, I needed to remove the 75 lb Agave that arched over the prickly pear. Before I could get to the agave I needed to remove a dead vine. Before I could cut out the vine I need to remove some tree branches. Each step required a new trip to the garage to collect another tool. And so it went for the next three hours, until I finally found the line and fixed the leak. When I finally finished that sequence I was rewarded with 30 minutes tweezing prickly pear micro-thorns from my fingers. What should have taken minutes took the entire morning, and left painful reminders. Which brings me to IT: those who provision data centers and migrate backbone business applications know exactly what this feels like – as I was reminded when I told a couple friends about my experience, and they laughed at me. That described their life. They deal with layers of operational, security, regulatory, and budgetary hurdles – mixed liberally with rat droppings – all the time. Someone asks for a small server to host a small web portal and before you know it someone is asking how PCI compliance will be addressed. Say what you will about cost savings being a driver for cloud services – simplicity (or at least avoidance of complexity) is a major driver too. Sometime it’s just better to have a third party do it on your behalf – and that comes (anonymously of course) from some IT professionals. On to the Summary: Favorite Securosis Posts Gal: Security FUD hits investors. HP bought ArcSight, right? Adrian Lane: Gaming the Narcissist. Fun read, and a topic to consider when weighing potential employers, but I’ll offer an alternative view: 1980 to 2008 was itself a wild period for company performance – see Warren Buffet’s speech from November 1999 for what I mean. I’d say Narcissist CEOs succeeded or simply ran off the tracks faster in that window. David Mortman: Should the Red (Team) be dead? Mike Rothman: Should the Red (Team) Be dead? Yup, it’s mine, but this one created a bit of discussion and even a comment by HD Moore… Other Securosis Posts Incite 4/10/2013: 103. Friday Summary, Gattaca Edition: April 5, 2012. Favorite Outside Posts Rich: Analyzing Malicious PDFs or: How I Learned to Stop Worrying and Love Adobe Reader (Part 1). Adrian Lane: Oracle Details Big Data Strategy. The FUD, it burns, it burns! My not favorite post this week – I recommend you, with your best Borat impersonation, yell not! after every quote and claim. It’s fun and more accurately reflects what’s happening in the big data market. Gal: Alleged Carberp Botnet Ringleader Busted. They’re doing it wrong: Rule #1. You’re supposed to steal from countries where you do not reside, and with whom your home country has no extradition treaty. Rule #2. Don’t steal tons of money from Russian and Ukranian banks regardless of where you live, but especially if you’re violating rule #1 and you live in Russia or Ukraine… Dave Lewis: Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight. Gunnar: Bitcoin – down ~50% in a day, first DDoS currency crash. David Mortman: Tor Hidden-Service Passive De-Cloaking. Mike Rothman: Who Wrote the Flashback OS X Worm? All of you aspiring security researchers can once again thank Brian Krebs for showing you how it’s done. And be thankful Krebs has figured out how to make a living from doing this great research and sharing it with us. Project Quant Posts Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Top News and Posts Security Lessons from the Big DDoS Attacks. A couple weeks old but I just saw it. Bitcoin crashes – lose 1/2 value. Vudu resets user passwords after hard drives lost in office burglary. DEA Accused Of Leaking Misleading Info Falsely Implying That It Can’t Read Apple iMessages. Windows XP still maintains 39% overall market share. Speechless. Windows XP Security Updates ending in one year. Update your calendars! North Korean military blamed for “wiper” cyber attacks against South Korea. Lessons from the Spamhaus DDoS incident. Microsoft Reportedly Adding Two-Factor Authentication to User Accounts. Google will fight secretive national security letters in court. FBI’s Smartphone Surveillance Tool Explained In Court Battle. IsoHunt Demands Jury Trial. Critical Fixes for Windows, Flash & Shockwave via Krebs. Blog Comment of the Week This week’s best comment goes to HD Moore, in response to Should the Red (Team) be dead? It isn’t clear why Gene believes that CTF contests have any correlation to professional red teams. A similar comparison would be hackathons to software engineering. In both cases you approach the problem differently and the participants learn a

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.