Securosis

Research

Friday Summary: Ink Stained Wretch

I love writing. Except when I hate it. When people ask what I do for a living, I almost never say ‘writer’. I’m an analyst, who occasionally dabbles as a tech journalist, but pumps out more words in typical a year than many professional writers. When the muse is in my corner and the words flow smooth and swift like molten chocolate (sorry, need dessert), the process is incredibly gratifying. I can sometimes pop off a thousand words an hour and walk away deeply satisfied, with perhaps some light editing. That doesn’t really happen a lot since I had kids. More often I plan out a wonderful schedule with plenty of leisure time to settle into the words, build my story (because even tech pieces are stories), and enlighten readers with my content and wit. Then I don’t sleep, I lose a couple days to sick kids or other randomness, and hope beyond hope I can snag a few hours in a coffee shop, pace my caffeine intake perfectly, and maybe, just maybe, finish up before my deadline is so far past that the client forgets my name. Writing on deadline is tough – especially when family, illness, and the ongoing needs of running a business continually conspire to interfere with any plans. It doesn’t help to be a genetic procrastinator of such accomplishment that, in your formal college record, there is a note saying, “don’t cut him any breaks, he manipulates the system too much”. (It’s true – I saw the note in my physical file). Take this Summary. I am writing it in a hotel room in Toronto after a really rough couple weeks defined by illness (my own and one of my kids), right after a rough couple months going back to the holidays. There have been ear infections, stomach bugs, general sniffles, and 9-day fevers. I two stomach bugs 6 weeks, once on the day I needed to fly out to teach a cloud security class. Somehow, through all this, I managed to nail my target deadlines on the Future of Security series, a non-security article for a new publication (for me), and complete a good chunk of my RSA planning. I owe two different conferences four presentations (total), need to launch 2 papers in the next week, and add two more modules to my RSA demo code (overkill, but I would really like to pull it off). But I wouldn’t really have it any other way. Oh sure, I’d like less pressure, but look what I get to do on a daily basis… And running at this pace for so long has turned me into an honest-to-gosh writer, even outside the technology domain. I have written for The Magazine and soon The Loop – not even on security or technology! I was paid to tell stories, and that is deeply satisfying. And while I can’t say everything I write for Securosis excites me equally, some of my recent work has been very rewarding. I never set out to be a writer. And while I have no intention of writing the Great American Novel, I feel pretty lucky to get paid to write words read by thousands. It’s pretty special, and never something I take for granted. Even tonight. Locked in a sparse hotel room with a sniffly nose and an early wakeup call. I do, however, have cookies. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on the Yahoo email issue by the AP. Favorite Securosis Posts Mike Rothman: Security’s Future: Implications for Security Vendors. Lots of security vendors will keep their heads in the sand about the fundamental changes happening and how they will impact security. Don’t say we didn’t warn you… David Mortman: Security’s Future: What it Means (Part 3). Other Securosis Posts Incite 2/5/2014: Super Dud. Firestarter: Inevitable Doom. Security’s Future: Implications for Cloud Providers. Security’s Future: What it Means (Part 3). Security’s Future: Six Trends Changing the Face of Security. Quick Wins with TISM. TISM: The Threat Intelligence + Security Monitoring Process. Favorite Outside Posts Mike Rothman: Russell Brand: my life without drugs. You can’t understand addiction unless you’ve been there. Chilling view into the mind of an addict from Russell Brand. Mike Rothman: Kansas teen uses 3-D printer to make hand for boy. Who says we aren’t living in the future? And to think the kid did such an amazing thing using a 3D printer in a public library. Just amazing! David Mortman: Who owns the data in the Internet of Things? Adrian Lane: Think SQLi is old news? The PR hype machine got tired of talking about it, but the problem never went away. Diana Kelley beat me to the punch on this, and did a great job of explaining what to do about it. Rich: Brian Krebs with more Target details. Bad guys came in via an HVAC contractor. I believe it was a small exhaust port, right below the main port. Research Reports and Presentations Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Executive Guide to Pragmatic Network Security Management. Security Awareness Training Evolution. Firewall Management Essentials. A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Top News and Posts Senate grills Target CFO on data breach Verizon Wages War on Netflix. Technically on Amazon AWS, although Netflix is the obvious target. Adobe pushes out-of-band patch for Flash. Target moving to Chip and PIN after attack. I’m in Canada and they look at me like I’m a freaking savage every time I have to swipe my credit card. But hey, we have PCI. No Comment of the Week this time – sorry. Share:

Share:
Read Post

Quick Wins with TISM

After making the case for threat intelligence (TI), and combining it with some ideas about how security monitoring (SM) is evolving – based both on customer needs and technology evolution – there is clear value in integrating TI into your SM efforts. But all that stuff is still conceptual. How can you actually apply this integrated process to shorten the window between compromise and detection? How can you get a quick win for the integration of TI and SM to build some momentum for your efforts? Finally, how do you ensure you can turn that quick win into sustainable leverage, producing increased accuracy and better prioritization of alerts from the SM platform? Let’s say you work for a big retailer with thousands of stores. You do tens of millions of transactions a month, and have credit card data for tens of millions of customers. Your organization is a high-profile target, so you have spent a bunch on security controls. Part of being a large Tier 1 merchant, at least from a PCI-DSS standpoint, is that the assessors are there pretty much every quarter. You can play the compensating control fandango to a point (and you do), but senior management understands the need to avoid becoming the latest object lesson on data breaches. So you get a bunch of resources and spend a bunch of money, with the clear responsibility to make sure private data remains private. But this is also the real world, and your organization is a big company. They have technology assets all over the place and employees come and go, especially around the holidays. They all have access to the corporate network, and no matter how much time you spend educating those folks they will make mistakes. This long preamble is just to illustrate that you get it. Your odds of keeping attackers out range between nil and less than nil. So security monitoring will be a key aspect of your plan to detect attackers. The good news is that you already aggregate a bunch of log data, mostly because you need to (thanks, PCI!). You can build on this foundation and use TI to start looking for attack patterns and other suspicious activity that others have seen to give you early warning of imminent attacks. Low Hanging Fruit With any new technology project you want to show value quickly and then parlay it into sustainable advantage. So let’s focus on obvious stuff that can yield the quick win you need. There are a couple areas to look at, but the path of least resistance tends to be finding devices that are already compromised and remediating them quickly. A couple fairly reliable TI sources can yield this kind of information quickly, as detailed earlier in this series. Once you identify the suspicious device, as discussed in The TI + SM Process, you need to collect more detailed data from it. Optimally you get deep endpoint (or server) telemetry including all file activity, registry and other configuration values, and a forensic capture of the device. To provide a full view of what’s going on you also want to capture the network traffic to and from it. Armed with that kind of information you can search for specific malware indicators and other clear manifestations of attack. Baselines At this point you have likely found some devices with issues, and acted decisively to remediate the issues and contain the damage. Once the actively compromised stuff is dealt with you can get a little more strategic about what to look for. Since you have been collecting data for a while (thanks again, PCI!), you can now build what should be a reasonable baseline of normal activity for these devices. Of course you will remove the data from compromised devices, and you will then be able to set alerts on activity that is not normal. That’s Security Monitoring 201 – not really novel. In this scenario you can accrue a lot of extra value by integrating TI into the process, by analyzing activity around devices that are no longer acting normal. You don’t have the smoking gun of seeing a device participating in a botnet, or sending traffic to known bad sites, but it isn’t acting normally so it warrants attention. Of course a lot of current malware isn’t easy to find, but you can leverage TI to look for emerging attacks. Let’s make this a little more tangible by going back to our example of the very large retailer. As with most big companies, you have a bunch of externally facing devices that serve up a variety of things to customers. Not all of them have access to mission critical data (unless you screw up your network segmentation), so they may not get much scrutiny or monitoring focus. But you can still track traffic in and out of them to see if or when they start acting strangely. If you see an externally facing web server start sending traffic to a bunch of other devices within its network segment, that is probably suspicious. Normally, they only send traffic across the internal network to the application server farm that provides the data for their applications. Communicating with other internal hosts is not normal, so you start pulling some additional telemetry from the devices and capturing their traffic. What integrating TI enables you to do with that now-suspicious device is to search for indicators and other behavior patterns you weren’t looking for. Any security monitoring platform is limited to looking for things you tell it to look for. With TI integrated you could identify traffic heading to an emerging botnet. Maybe you will be able to find new files and/or folders associated with a little-known malware kit. Since you haven’t seen this stuff before, you don’t know to look for it. But your TI provider is much more likely to see it, and they can tip your system what to look for. Without TI, when you identify a suspicious device, you are basically back to shooting in the dark. You have a device

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.