It’s not a problem until someone dies…

One of the noteworthy activities coming out of BlackHat/DEF CON was the open letter to the auto industry from I am the Cavalry espousing 5 principles for making the computers in cars safer – before someone gets hurt. As our pal Josh Corman says in a CSO article on the initiative: “This initiative is not only about finding bugs,” Corman said. It’s about building relationships between researchers, industry and government, which is much harder, he said. [sic] It is indeed all about the relationships. Researchers (most notably Charlie Miller and Chris Valasek) have hacked the crap out of cars, because all these fancy car tech systems are just computers with WiFi and/or Bluetooth. Egads! Of course they can be hacked. The question is whether auto makers will get ahead of the issue. The principles are pretty straightforward. Things like building security in, having independent researchers try to break it, updating software remotely, and isolating important stuff (such as the steering system and power train). This isn’t brain surgery and some auto makers (notably Tesla) are hiring teams to do a lot of this research on their own cars. I applaud the efforts of the Cavalry and other organizations which work to build these relationships and progress based on mutual interest, without an adversarial relationship. There was a bunch of trolling on Twitter earlier this week, which was largely about the futility of these movements. Just because it’s hard doesn’t mean it’s not worth doing. Of course security will get better in cars and other areas where connectivity is expected (like medical devices). It can happen via productive discussions with organizations like the Cavalry. Or it can happen after someone dies, when Congress gets involved to grandstand and hijack the conversation. The choice lies with industry. We’ll see how it goes. Photo credit: “cavalry charge” originally uploaded by The U.S. Army Share:

Read Post

Friday Summary: August 15, 2014

Oddly enough my big takeaway from the Black Hat security conference was not about security – it was about innovation. It seems many of the disruptive trends we have been talking about are finally taking hold, finding mainstream acceptance and recognition. We have been talking about cloud computing for a long time – Rich has been teaching cloud security for four years now – but people seem to be really ‘getting’ it. It takes time for the mainstream to fully embrace new technologies, and only then do we see disruption fully take effect. It is as if you need to step fully into the new environment before what’s really possible takes shape and starts to manifest itself. Fo example, when the Internet hit big in 1996 or so, we talked about how this would hurt “brick and mortar” retail, but it was a good 7 to 10 years before that reality fully manifested. Only then did the change take full effect, and few industries were left untouched. We are just now reaching that point with the cloud, mobile, and NoSQL databases, and getting here has been exciting! When I talk about security analytics it is nearly impossible for me to do so without first talking about NoSQL and the value of “big data”. NoSQL enables me to inexpensively scale up to collect all the data I need. NoSQL allows me to easily pull new and complex data types for analysis. NoSQL facilitates more programmatic use of stored data, and my choice of NoSQL architecture lets me tailor a solution to analytics or real-time response. Security analytics is the goal, and you don’t need to have NoSQL, but the disruptive innovation of NoSQL makes it better and cost-effective. NoSQL has been around for a long time, but the possibilities for security analytics are only being widely considered now that most firms have taken their first steps into the new world. The same is true for DevOps, which is the culmination of several technology advancements reinforcing each other. The API economy is making the cloud, mobile, and various other services accessible. It is being driven by development teams who need to be more agile and efficient. DevOps offers virtual on-demand resources. DevOps does not depend on the cloud, but the cloud makes it better. This evolution of several pieces has suddenly created something bigger than the sum of its parts. Even better, all these new technologies build in security components. I was more amazed to see disruptive innovation manifest, but there were significant efforts to build security into each of these trends. Life will be very interesting over the next 4-5 years. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted on context-aware security in SearchNetworking. Mike quoted in coverage of Wendy Nather as a “Power Player” in IT Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn’t be happier to be quoted. Mike’s “Change Agent”: Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a “change agent” with an impact on how security has evolved… Check it out. Adrian and Mort talk Big Data with George Hulme. Mort quoted in “Communicating at the speed of DevOps”. Favorite Securosis Posts Mike Rothman: Suing Gartner. I’m surprised I didn’t get more comments on this post. Kind of counter-intuitive. Unless maybe it’s not and everyone else figured out that NetScout is grandstanding before I did… Adrian Lane: Butterflies. Morphing. It’s this week’s theme. Dave Lewis: Trolling Mass Media. Other Securosis Posts It’s not a problem until someone dies…. Cloud File Storage and Collaboration: Additional Security Features. Friday Summary, August 1, 2014: Productivity Metrics edition. Favorite Outside Posts Mike Rothman: Mark Twain’s Top 9 Tips for Living a Kick-Ass Life. Adrian Lane: Military Companies Brace for Rules on Monitoring Hackers. It’s one thing to disclose a breach to a partner – it’s another to let the partner conduct the forensic analysis. Most firms don’t trust their business partners enough to give them unfettered access to their systems. And the government has many interests outside supplier agreements. We will see how this shakes out. James Arlen: SEC failed to guard sensitive information. Dave Lewis: Weak Passwords: Mel Brooks Warned Us. David Mortman: Multipath TCP speeds up the internet so much that security breaks. <– Ooops. AKA stateful firewalls break multi-homed BGP if you don’t architect correctly…. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts Espionage programs linked to spying on former Soviet targets. Dan Geer’s Blackhat Keynote. The Lie Behind 1.2 Billion Stolen Passwords. Is Amazon Web Services Really Down and Out? Facebook Buys Security Firm PrivateCore. 8 Patterns For Continuous Code Security. Safari for OS X gets “click-to-own” security holes patched. Tenn. Firm Sues Bank Over $327K Cyberheist via Krebs. Last Hacker Standing, Episode IV – The Last Hope. Martin’s new podcast. Snowden says NSA was responsible for 2012 Syrian internet blackout. Dead Simple Encryption. Forget encryption: Why won’t anyone build an open-source key manager? Security Kahuna Podcast: Las Vegas Edition. ERP: Protecting the pipeline by focusing on business-critical platforms. Improving Malware Detection in Firefox. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.