Securosis

Research

Face ID is the Future of Security (Authentication)

Every year, as I travel the security conference circuit, hallway conversations always turn to, “See anything interesting?”. To be honest, I can’t remember the last time I was excited about an honestly cool security technology (which I didn’t create myself, but let’s not go there today). I see plenty of cloud innovation, and plenty of security evolution, but not a lot of revolution. A week ago I picked up my iPhone X. Although I received a background brief on Face ID a couple weeks earlier, I hadn’t gotten my hands on it until then. And, really, didn’t get to play with it until the next day after spending 5 hours restoring my data (all 200 GB of it). Face ID is the most compelling security advance I have seen in a very long time. It’s game-changing not merely due to technology, but also thanks to design and implementation. Apple has created a new authentication modality. First things first: Face ID nails nearly every criteria I came up with to evaluate it. The false positive rate, within certain genetic constraints, is 1 in a million compared, to 1 in 50,000. The inherent security architecture doesn’t look quite as tied to hardware as Touch ID (because the phone needs the sensor package for other capabilities), but does appear to be either as strong (including the software implementation) or close enough in practical circumstances. Watch enough videos of journalists buying masks of their own faces, and it’s clear Face ID is more expensive to circumvent than Touch ID. We haven’t actually seen a public crack yet, but I always assume it will happen eventually. Because history. Apple sometimes has a weak spot underestimating adversaries in their threat models, but they did a good job on this one. In my pre-release article I wrote: Face ID doesn’t need to be the same as Touch ID – it just needs to work reasonably equivalently in real-world use. In my personal experience, and with every user I’ve talked with and in every article I’ve read, Face ID’s core usability is equal to or greater than Touch ID’s. For example, it doesn’t work as well at many angles you could touch your phone from, but it works better in the kitchen and after a shower/workout. I’ve tested it in all sorts of lighting conditions and haven’t found one that trips it up yet. The only downside is I can’t register my wife’s face, and we were become accustomed to using Touch ID on each other’s devices. I do believe it’s slower at actual recognition, but it’s nearly impossible to notice due to the implementation. Face ID is tightly bound to activity, which masks its latency. For example, the time to swipe your fingers is long enough to unlock, where with Touch ID recognition and unlocking were the same action, which made the latency more visible. But I think it’s time to justify that hyperbolic headline. Apple didn’t just throw a facial recognition sensor into the iPhone and replace a fingerprint sensor – they enabled a new security modality. I call this “continuous authentication”. When you use an iPhone you look at the iPhone (some calls and music listening excepted). Instead of unlocking your iPhone once and opening up everything, or requiring you to put your finger on the sensor when an app or feature wants to re-authenticate, the phone can quickly scan your face on demand. And the iPhone does this constantly. Here are the examples I’ve discovered so far: It’s already been widely reported that notification, by default, don’t show details on the lock screen until you look at the iPhone. This is my favorite new feature because it improves security with effectively zero usability impact. I always disabled Control Center on the lock screen for security reasons, but like notifications, just looking at my phone unlocks it. It’s just too bad my thumb can’t reach that upper right corner. Safari now (optionally) uses Face ID before filling in passwords on web sites. Previously, even with Touch ID, they filled in automatically when the phone was unlocked. Apple Pay and the App Store now authenticate with your face without separate authentication actions. Apps can authenticate as you open them. This is where I notice that Face ID is a likely bit slower, but because I don’t need to take another action it feels faster. The lock screen and Safari passwords are, to my knowledge, legitimately new modalities. The others are evolutions of previous use cases. Face ID allows your iPhone to authenticate you under nearly every circumstance you would use your phone and need to authenticate, but without requiring any user action. I think we are just scratching the surface of what’s possible here. Yes, we’ve used tools like Yubikeys plugged into devices to keep sessions open, but I think it’s clear how this is different. This is just the first generation of Face ID. Imagine the use cases once it evolves and can, for example, register multiple users. My Xbox Kinect (may it rest in peace) already does this pretty well, so we know it’s possible (Kinect’s implementation is as secure, and it’s a lot bigger). One of the biggest problems in healthcare security is quickly authenticating to shared workstations in clinical environments… I could see a future version of Face ID significantly addressing that problem. I previously said that Touch ID enables you to use a strong password with the convenience of no password at all. Face ID not only exceeds that mark, it may be the ultimate expression of it, by deeply integrating effortless authentication throughout the user experience without requiring new behaviors. That, my friends, is the power of security design, not just security engineering. Share:

Share:
Read Post

Endpoint Advanced Protection Buyer’s Guide: Key Prevention Technologies

After exploring prevention approaches, you should understand some common technologies which are foundational to endpoint advanced prevention offerings. Machine Learning Machine learning is a catch-all term to indicate that the endpoint protection vendor uses sophisticated mathematical analysis on a large set of data to generate models for detecting malicious files or activity on devices. There are a couple mathematical algorithms which can improve malware prevention. Static file analysis: With upwards of a billion malicious file samples in circulation, mathematical analysis of malware can pinpoint commonalities across malicious files. With a model of what malware looks like, advanced prevention products then Share:

Share:
Read Post

The Future of Security Operations: Behind the 8 Ball

As the velocity of technology infrastructure change continues to increase, it is putting serious stress on Security Operations (SecOps). This has forced security folks to face the fact that operations has never really been our forte. That’s a bit harsh, but denial never helps address serious problems. The case is fairly strong that most organizations are pretty bad at security operations. How many high-profile breaches could have been avoided if one of many alerts was acted upon? How many attacks were made possible by not having properly patched servers or infrastructure? How many successful compromises resulted from human error? If your answer to any of those questions was greater than zero, there is room for improvement. But there is no cavalry off in the distance to magically address operational issues. If anything, SecOps is going to get harder for five reasons: Adversary innovation: Our adversaries are innovating and finding ways to compromise devices using both old and new tactics. They follow the path of least resistance to achieve their mission with focus and persistence. Infrastructure complexity and velocity: With the advent of SaaS and the public cloud, technology infrastructure is getting more complicated and changes happen much faster than before. Data ends up in environments you don’t control and can’t really monitor, yet you still have to protect it. More devices, more places: It seems every employee nowadays has multiple devices which need to connect to sensitive stuff, and they want to access corporate systems from wherever they are. What could possibly go wrong with that? Compounding the issue are IoT and other embedded devices connecting to networks, dramatically increasing where you can be attacked. Maintaining visibility into and understanding of your attack surface and security posture continue to get harder. Hunters hunt: For a long time security folks could be blissfully unaware of the stuff they didn’t find. If the monitor missed it, what could they do besides clean up the mess afterwards? Now organizations proactively look for signs of active adversaries, and these hunters are good at what they do. So in additional to all those alerts, you need have to handle the stuff the hunters find. Skills gap: We’ve been talking about a serious security skills gap for a long time. But it’s not getting any better. There just aren’t enough security people to meet demand, and the problem gets more acute each day. Progress But the news isn’t all bad. By understanding the attacks which may be coming at you through more effective use of threat intelligence, you can benefit from the misfortune of others. You don’t need to wait until you experience an attack and then configure your monitoring environment to look for it. Additionally, enhanced security analytics makes it easier to wade through all the noise to find patterns of attacks, and to pinpoint anomalous behavior which may indicat malicious activity. Integration of threat intelligence and security analytics provides Security Decision Support. It is a key lever for scaling and improving the effectiveness of a security team. We will flesh out these ideas in detail in a blog series. But even with more actionable and prioritized alerts, someone still has to do something. You know: security operations. In many case, this is where everything falls apart. To illustrate, the security teams involved in two of the highest-profile breaches of the last few years (Target and Equifax) were alerted to adversary activity more than once before the breaches became apparent. They just didn’t execute on a strategy to stop either attack before it became a catastrophe. To be fair, it’s easy criticize organizations after they’ve suffered a massive breach. That’s not the point. We bring them up as reminders of a concept we have been talking about for more than a decade: Respond Faster and Better. That’s what it’s all about. As an industry we need to figure out how to more effectively operationalize world-class security practices, quickly and effectively. And yes, we do understand this is much easier to say than to do. But why is this so hard? Let’s examine what security operations tends to do with their time. Those of you with backgrounds in manufacturing probably remember time and motion studies performed to improve productivity of factory workers. Security is far from a factory floor, but the concept applies. Can SecOps be streamlined by figuring out and optimizing whatever takes up a lot of time? We believe the answer is a resounding yes. A lot of security operational tasks involve updates, policy changes, compliance reporting, and other tedious and rote tasks. Certainly there are periods of intense activity, such as triaging a new attack or trying to figure out an effective workaround to an attack. But there is plenty of time spent on distinctly unsexy things. This also causes unmet expectations for people entering the security field. Most entrants have dreams of being a l33t haXor or a threat hunter. Very few wake up excited to tackle change control for a list of firewall changes, or to reimage endpoints after the CEO clicked one of those links. Again. And even if you could find people who get excited about security operations, they would still be human. Which basically means they make errors. But when you need every update and every change to be done right, for fear of opening a hole in your environment large enough to drive a truck (or all your proprietary data – or all your customer data) through, perfection needs to be the goal – even though people are not perfect, no matter how hard they work. Behind the 8 Ball So SecOps is behind the 8 ball, by definition. The deck is stacked against us. The attack surface is growing, the adversaries are getting better, and all we have is ingenuity, a metric crap ton of alerts, and too few humans to get things done. Yep, it sounds like Mission: Impossible. So what? Do we give up? Just pack it in and take a job at a

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.