Research

Nothing amuses me more than some nice vendor-on-vendor smackdown action. Well, plenty of things amuse me more, especially Big Bang Theory and cats on YouTube, but the vendor thing is still moderately high on my list. So I quite enjoyed this Dark Reading article on the release of the Oracle Database Firewall. But perhaps a little outside perspective will help. Here are the important bits: As mentioned in the article, this is the first Secerno product release since their acquisition. Despite what Oracle calls it, this is a Database Activity Monitoring product at its core. Just one with more of a security focus than audit/compliance, and based on network monitoring (it lacks local activity monitoring, which is why it’s weaker for compliance). Many other DAM products can block, and Secerno can monitor. I always thought it was an interesting product. Most DAM products include network monitoring as an option. The real difference with Secerno is that they focused far more on the security side of the market, even though historically that segment is much smaller than the audit/monitoring/compliance side. So Oracle has more focus on blocking, and less on capturing and storing all activity. It is not a substitute for Database Activity Monitoring products, nor is it “better” as Oracle claims. Because it is a form of DAM, but – as mentioned by competitors in the article – you still need multiple local monitoring techniques to handle direct access. Network monitoring alone isn’t enough. I’m sure Oracle Services will be more than happy to connect Secerno and Oracle Audit Vault to do this for you. Secerno basically whitelists queries (automatically) and can block unexpected activity. This appears to be pretty effective for database attacks, although I haven’t talked to any pen testers who have gone up against it. (They do also blacklist, but the whitelist is the main secret sauce). Secerno had the F5 partnership before the Oracle acquisition. It allowed you to set WAF rules based on something detected in the database (e.g., block a signature or host IP). I’m not sure if they have expanded this post-acquisition. Imperva is the only other vendor that I know of to integrate DAM/WAF. Oracle generally believes that if you don’t use their products your are either a certified idiot or criminally negligent. Neither is true, and while this is a good product I still recommend you look at all the major competitors to see what fits you best. Ignore the marketing claims. Odds are your DBA will buy this when you aren’t looking, as part of some bundle deal. If you think you need DAM for security, compliance, or both… start an assessment process or talk to them before you get a call one day to start handling incidents. In other words: a good product with advantages and disadvantages, just like anything else. More security than compliance, but like many DAM tools it offers some of both. Ignore the hype, figure out your needs, and evaluate to figure out which tool fits best. You aren’t a bad person if you don’t buy Oracle, no matter what your sales rep tells your CIO. And seriously – watch out for the deal bundling. If you haven’t learned anything from us about database security by now, hopefully you at least realize that DBAs and security don’t always talk as much as they should (the same goes for Guardium/IBM). If you need to be involved in any database security, start talking to the DBAs now, before it’s too late. BTW, not to toot our own horns, but we sorta nailed it in our original take on the acquisition. Next we will see their WAF messaging. And we have some details of how Secerno works. Share:

I’ve been in the security business a long time. I have enjoyed up cycles through the peaks, and back down the slope to the inevitable troughs. One of my observations getting back from RSAC 2011 is the level of sheer frustration on the part of many security professionals today. Frustration with management, frustration with users, frustration with vendors. Basically lots of folks are burnt out and mad at the world. Maybe it’s just the folks who show up at RSA, but I doubt it. This seems to be true across the industry. A rather blunt tweet from 0ph3lia sums up the way lots of you feel: Every day I’m filled with RAGE at this f***ing industry & the fact that I work in it. Maybe I’m just not cut out for the security industry. This is a manifestation of many things. Tight budgets for a few years. The ongoing skills gap. Idiotic users and management. Lying vendors. All contribute to real job dissatisfaction on broad scale. So do you just give up? Get a job at Starbucks or in a more general IT role? Leave the big company and go to a smaller one, or vice versa? Is the grass going to be greener somewhere else? Only you can answer that question. But many folks got into this business over the past 5 years because security offered assured employment. And they were right. There are tons of opportunities, but at a significant cost. I joke that security is Bizarro World, where a good day is when nothing happens. You are never thanked for stopping the attack, but instead vilified when some wingnut leaves their laptop in a coffee shop or clicks on some obvious phish. You don’t control much of anything, have limited empowerment, and are still expected to protect everything that needs to be protected. For many folks, going to work is like lying on a bed of nails for 10-12 hours a day. So basically to be successful in security you need an attitude adjustment. Shack had a good riff on this yesterday. You can’t own the behaviors of the schmucks who work for your company. Not and stay sane. Sure, you may be blamed when something bad happens, but you have to separate blame from responsibility. If you do your best, you should sleep well. If you can’t sleep or are grumpy because security gets no love and you get blame for user stupidity; or because you have to get a new job every 2-3 years; or for any of the million other reasons you may hate doing security; then it’s okay to give up. Your folks and/or your kids will still love you. Promise. I gave up being a marketing guy because I hated it. That’s right, I said it. I gave up. After my last marketing gig ended, I was done. Finito. No amount of money was worth coming home and snapping at my family because of a dickhead sales guy, failed lead generation campaign, or ethically suspect behavior from a competitor. My life is too short to do something I hate. So is yours. So do some soul searching. If security is no good for you, get out. Do something else. Change is good. Stagnation and anger are not. -Mike Photo credits: “happiness is a warm gun” originally uploaded by badjonni Domo Arigato My gratitude knows no bounds regarding winning the “Most Entertaining Security Blog” award at the Social Security Blogger Awards last week. Really. Truly. Honestly. I’ve got to thank the Boss because she’ll kick my ass if I don’t mention her first every time. Then I need to thank Rich and Adrian (and our extended contributor family) who put up with my nonsense every day. But most of all, I need to thank you. Every time you come up to me at a show and tell me you read my stuff (and actually like it), it means everything to me. I’m always telling you that I know how lucky I am. And it’s times like these, and getting awards like this, that make it real for me. So thanks again and I’ll only promise that I’ll keep writing as long as you keep reading. -Mike Incite 4 U Marketecture does not solve security problems: That was my tweet regarding Cisco’s new marketecture SecureX. The good news is that Cisco has nailed the issues – namely the proliferation of mobile devices and the requisite re-architecting of networks to address the onslaught of bandwidth-hogging video traffic. This will fundamentally alter how we provide ingress and egress, and that will require change in our network security architectures. But what we don’t need is more PowerPoints of products in the pipeline, due at some point in the future. And that’s not even adressing the likelihood of data tagging actually working at scale. If Cisco had delivered on any of their other grand marketecture schemes (all of which looked great on paper), I’d have a little more patience, but they haven’t. Maybe Gillis and Co. have taken some kind of execution pill and will get something done. But until then I wouldn’t be budgeting for much. Is there a SKU for a marketecture? Cisco will probably have it first. – MR You can’t secure a dead horse: Well, technically you can secure an actual deceased horse, but you know what I mean. Microsoft is getting ready to release Service Pack 1 for Windows 7, but nearly all organizations I talk with still rely on Windows XP to some degree. You know, the last operating system Microsoft produced before the Trustworthy Computing Initiative. The one that’s effectively impossible to secure. No matter what we do, we can’t possibly expect to secure something that was never built for our current threat environment. We’re hitting the point where the risks clearly outweigh the non-security related justifications. FWIW, my new favorite saying is: “If you are more worried about the security risks of cloud computing and iOS devices than using XP

It amuses me that folks were shocked by the latest treasure trove of goodies from the HBGary email spool. Basically these folks built custom malware on behalf of their government clients. Ars Technica digs in (with pretty impressive technical depth, I might add) and makes clear what you should already know. We are in the midst of another cold war. This war is not being fought with nuclear warheads, but computer malware. It’s not visible to most people – and, honestly, most people don’t really care. They should, because the new attacks could knock down our power grids, contaminate our water supplies, and basically cause chaos. You all know I’m no Chicken Little – and to be clear I sleep very well at night. I wasn’t even a glimmer in my parents’ eyes when the Cuban Missile Crisis brought us to the brink, but the ramifications of an all-out cyber conflict are similar. Plenty of folks have semantic issues with calling computers attacking each other ‘war’, because no one actually bleeds (directly). And I agree with that, somewhat. Cyber conflict won’t result in a mushroom cloud or tens of thousands vaporized in a split second (not yet anyway), but the potential for indirect damage is real. But to make the point again, I sleep well at night because as much as it hurts to know there are foreign nations in our most critical stuff (yes, APT, I’m talking about you), we are in their stuff as well. Stuxnet, anyone? What makes you think we aren’t in all the major systems of our potential adversaries? Right, that would be a bad assumption. So we have a good old-fashioned standoff. Another Cold War. Mutually assured destruction is a pretty good deterrent to anyone actually initiating a cyber conflict. Why do you think the APT doesn’t bother to cover its tracks? They want us to know they are there. Duh. Back in the days of the original Cold War, the private sector was engaged to improve our warheads, defend against enemy warheads (remember Star Wars?), and come up with other innovations to give us a snowball’s chance of surviving a nuclear conflict. In this Cold War, we have the private sector providing new weapons (read: malware) and new defenses (your very own security industry) to give us a snowball’s chance of surviving a cyber-conflict. HBGary is not unique in this pursuit. Not by a long shot. There are no white hats or black hats in this game. You need to play both offense and defense. And clearly the US does. We never got the opportunity to see any of the Beltway bandits’ mail spools during the last Cold War, but I suspect we’d be similarly nauseated. But with that nausea comes a sense of relief that the best and the brightest (including Greg Hoglund) are working to protect our interests. Now I understand these weapons can just as easily be used against us, but that has always been the case. So I guess my message is to grow up, people. National security (whatever that means) is a messy business. Share:

I think Rich may still be sleep deprived, but on the upside his recap did elicit my loudest laugh of the day. See if you can spot the sentence that caused it. Rich’s Recap I wish I had something witty and insightful to say about the first full day of RSA, but that would involve actually seeing more of the show than my own presentations and the insides of meeting rooms. And while it’s technically the first day of the conference, it’s my third day of entirely too much talking and walking. So here are a few crib notes. Started the day by noticing I was supposed to record a video for a presentation I hadn’t written yet. Resolved post-breakfast-meeting thanks to a convenient coffee shop. Good thing it was on EDRM… not like anyone is using it anyway. I really am starting to see some interesting cloud-specific security tools floating around out there. Yes, there are a bunch of companies that just converted their existing software into virtual appliances, but the ones building from the ground up for cloud are showing some nice innovation. Serious improvement over last year. Gave my DLP talk today. I’ve stared at the same damn DLP slides for so many years now that I just couldn’t bring myself to look at them again. So I shut them off and went commando. I may have freaked some people out. One dude was writing bullet points on a pad and holding them in front of his face. Seems like most people liked it. Maybe. That’s what I’ll tell myself as I try to fall asleep tonight. Had a cloud panel with the worst freaking title in history. Something like “Public and private sectors: why are agencies hesitant to adopt the cloud?” No, seriously, I’m not making this *&%^ up. I figured 2 people might show up, but the room was full and the panel went well. Turns out we had the CISO of eBay, a senior legal counsel for security and privacy at GE, a muckety-muck from NIST, and the CSO of Qualys. Tons of audience questions, many around all the sticky issues of using cloud with some semblance of control. Guess what folks – if you have developers with corporate credit cards, you’re in the cloud. Show floor is full of blinky lights. Loud dudes in suits talking. Free cars. Seriously. I guess security is big business. All this work junk is seriously impeding my ability to consume vast amounts of frothy beverages. Early bed tonight, mostly due to losing my voice and still having 3 presentations to go. –Rich Did you catch it? If not, here it is. A quote that shall live on in infamy (at least if I have anything to do with it): “So I shut them off and went commando. I may have freaked some people out.” I’d say that’s a safe assumption, Rich. Next up we have The Old Man, aka Mike Here are my observations from today: I’m getting old: There was a time I could drink all night and be productive during the day. But those days have passed. It’s getting harder to ramp up my partying, knowing I have a number of panels and even more meetings tomorrow. Yes, I’m old. And the blue-haired booth babes that a nobody vendor had in their booth annoyed me. What the hell? Get off my lawn! RSA is not the real world: I had a conversation with a bunch of investors and needed to remind them that the messaging and solutions pushed at us at RSA are not reflective of the real needs of the market. Not even close. But in the reality distortion field of the Moscone Center it’s easy to forget that most companies don’t even know how many devices they have. Shamans and snake oil salesmen: We don’t make decisions based on data, but generally through a leap of faith. Do you know if your IPS or AV really works? If you said either yes or no, you are wrong. You have no idea. You may have a hunch, but you don’t have the data to actually know. So anything you buy to address an issue is a leap of faith. If you can grok the philosophy of whoever is selling you stuff, then they are shamans. But those are few and far between. Unfortunately most are charlatans selling snake oil backed by ridiculous promises and hyperbole that prey upon the suckers born every minute. And there are plenty of them. This industry sucks at marketing: In tooling around the show floor, I realized the entire industry can’t market worth a crap. Nonstop technical jargon, with stupid parlor tricks like magicians, booth babes, and smoothies focused on standing out from the crowd. How about trying this on for size? Tell customers what you do in simple, problem oriented terms. Nobody gives a shit about the size of your widget or your blinky lights. Other random thoughts: I really shouldn’t be around people for a week straight. Thankfully I’m unarmed. If you are going to drink to excess, STFU before you say something stupid. Folks who can bust your stuff don’t need to tell you that – those who need to boast can look forward to reading their email spool on a torrent. I also decided that if we ever have a SecurosisCon, I will give a keynote in an Elvis suit. And on that note, I’d better go to sleep before someone gets hurt. –Mike That’s right. Stay out of Mike’s way or he will run you down with his walker. Let’s just hope he doesn’t throw out his hip. Again. Share:

It’s worth noting that even sleep-deprived Rich is surprisingly coherent. Rich While the RSA show technically doesn’t start until tomorrow, there’s still a heck of a lot going on. For myself, the worst is actually over. And by “the worst”, I mean there are even odds I will actually sleep tonight. It all started yesterday when we delivered the very first CCSK certification class for the Cloud Security Alliance. I learned three things in the process: Managing other analysts on a project sucks major @$$. We totally need 2 days to cover this content. Heck, with our current slide deck we could easily fill 3-4 days. Running 5 power strips to tables in the Moscone center costs $2,100. Most of that was $157/hr for the box to plug the power strips into. The room only cost $6K for the day. Methinks I have never been so violated in my life. The class went well and we learned a heck of a lot. We still have a ton of work to tune the content and package it, but it was awesome to spend a full day teaching folks and getting feedback, as opposed to the usual analyst stuff. I’m starting to think this “cloud” thing might be big. Today we ran the e10+ program for people with 10+ years in security. I thought we’d delve deeply into technical issues, but they were mostly interested in how to work within their own organizations and prioritize security. To be honest I’m far more comfortable with the pure tech side of things (despite being an analyst), but I do understand that once you hit a certain point in your career the soft skills are more important. One of my favorite bits from the panel was from Richard Bejtlich. He said one of the ways they determine their priorities is to figure out what the bad guys are looking for. I think I’m going to call this “Attacker Driven Data Classification”. It makes a lot of sense: if the bad guys are looking for something, and it isn’t a high priority for you, at minimum you should figure out why they want it. Other than that things are going well. We started showing off the Securosis Nexus, which we will make public fairly soon. With that, it’s time to go to bed. I have two sessions tomorrow (my big DLP presentation and another on cloud and government), plus way too many meetings. Prepping for RSA is always hard, and I hate being away from my family, but it is kind of nice to catch up with folks and be social once (or twice) a year. –Rich Next up, Adrian What’s new is new. Rich and Mike put together this year’s e10+ seminar at RSA. And like most panels that involve Securosis, there were a couple testy moments when some of the participants took exception to Richard Bejtlich’s assertion that compromised data is exposed to the world in greater quantity – with far more public access to the content – than ever before. Some of the audience members felt we were seeing the same attacks over and over, and the threats of today are no different than we saw in 1985. In fact they went so far as to say “the cloud” was not much more than publicly available mainframes. David Mortman wins a prize for his rebuttal: “Yeah, RACF rules!” All kidding aside, I have been in the industry almost that long, and I can say that in some ways this later assertion is true; we still suck at application security, and DoS, non-repudiation, and spoofing work pretty much the same way they did in 1985. How these attacks occur is new, as they exploit both new and old technologies in interesting ways. But the thrust of Richard’s comment is absolutely correct: The speed and quantity of exfiltration is unprecedented. Further, what’s very new is the ability to widely distribute data and make stolen data available for search and inspection. Ten years ago I could push stolen information to FTP servers and hacker sites, but it data was not really accessible to people who did not know where to look for it, or did not understand how to grep through blobs of multi-format data. Now we have Google to do it for us. So what’s old is new again, but in many cases it’s just freakin’ new. –Adrian And now for something completely different: Mike 1) We need toddlers, not Kenyans. No offense to Kenyans, but one of the things that became crystal clear at the e10+ sessions this morning was the disparity of needs between the early adopters of security technologies and everyone else. You see the vendors and talking heads spend all their time talking about strategies to do advanced security against serious adversaries. But most of the world can’t even do the simple n00b blocking and tackling to defeat script kiddies. So basically most of the RSA Conference will be focused on these advanced strategies, which have very little bearing on the vast majority of organizations. It’s like our industry is hiring Kenyans to run a marathon, while everyone else barely walks. Maybe we need schoolteachers. This capabilities gap might be the most significant issue we face as an industry. Yes, even more than APT or WikiLeaks. Now do two shots, because I said both the buzzword bingo keywords. 2) The perimeter is dead. Long live the perimeter: Besides the fireworks of Cisco and Palo Alto screaming at each other during my panel at the America’s Growth Capital conference, we covered some important ground. First off, the perimeter is not dead. But it needs to get a lot smarter and much more distributed. As more stuff moves to the cloud and video clogs our networks, we need to gain visibility and control, working the areas we know we can access. That means applications. The other resonating point was the reality that with the massive bandwidth consumed by video, we need to provide

This is a bit of a different post for me. One exercise in the CCSK Enhanced Class which we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance. There are a few different ways to do this but we decided on Trend Micro’s SecureCloud service for a couple reasons. First of all, setting it up is something we can handle within the time constraints of the class. The equivalent process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Finally, they offer a free 60-day trial. The downside is that I don’t like using a vendor-specific solution in a class since it could be construed as endorsement. So please keep in mind that a) there are other options, and b) the fact that we use the tool for the class doesn’t mean this is the best solution for you. Ideally we will rotate tools as the class develops. For example, Porticor is a new company focusing on cloud encryption, and Vormetric is coming out with cloud-focused encryption. I think one of the other “V” companies is also bringing a cloud encryption product out this week. That said, SecureCloud does exactly what we need for this exercise. Especially since it’s SaaS based, which makes setting it up in the classroom much easier. Here’s how it works: The SaaS service manages keys and users. There is a local proxy AMI you instantiate in the same availability zone as your main instances and EBS volumes. Agents for Windows Server 2008 or CentOS implement the encryption operations. When you attach a volume, the agent requests a key from the proxy which communicates with the SaaS server. Once you approve the operation the key is sent back to the proxy, and then the agent, for local decryption. The keys are never stored locally in your availability zone, only used at the time of the transaction. You can choose to manually or automatically allow key delivery based on a variety of policies. This does, for example, give you control of multiple instances of the same image connecting to the encrypted volume on a per-instance basis. Someone can’t pull your image out of S3, run it, and gain access to the EBS volume, because the key is never stored with the AMI. This is my preferred encryption model to teach – especially for enterprise apps – because it separates out the key management and encryption operations. The same basic model is the one most well-designed applications use for encrypting data – albeit normally at the data/database level, rather than by volume. I’ve only tested the most basic features of the service and it works well. But there are a bunch of UI nits and the documentation is atrocious. It was much harder to get this up and running the first time than I expected. Now for the meat. I’m posting this guide mostly for our students so they can cut and paste command lines, instead of having to do everything manually. So this is very specific to our class; but for the rest of you, once you run through the process you should be able to easily adjust it for your own requirements. Hopefully this will help fill the documentation gaps a bit… but you should still read Trend’s documentation, beacuse I don’t explain why I have you do all these steps. This also covers 2 of the class exercises because I placed some of the requirements we need later for encryption into the first, more basic, exercise: CCSK Enhanced Hands-on Exercises Preparation (Windows only) If you are a Windows user you must download an ssh client and update your key file to work with it. Download and run http://www.chiark.greenend.org.uk/~sgtatham/putty/latest/x86/putty-0.60-installer.exe. Go to Start > Program Files > PuTTY > PuTTYgen Click File, select *.*, and point it to your _name_.PEM key file. Click okay, and then Save Key, somewhere you will remember it. Download and install Firefox from http://mozilla.org. Create your first cloud server In this exercise we will launch our first AMI (Amazon Machine Image) Instance and apply basic security controls. Steps Download and install ElasticFox: http://aws.amazon.com/developertools/609?_encoding=UTF8&jiveRedirect=1. Log into the AWS EC2 Console: https://console.aws.amazon.com/ec2/home. Go to Account, then Security Credentials. Note your Access Keys. Direct link is https://aws-portal.amazon.com/gp/aws/developer/account/index.html. Click X.509 Certificates. Click Create a new Certificate. Download both the private key and certificate files, and save them where you will remember them. In Firefox, go to Tools > ElasticFox. Click Credentials, and then enter your Access Key ID and Secret Access Key. Then click Add. You are now logged into your account. If you do not have your key pair (not the certificate key we just created, but the AWS key you created when you set up your account initially) on your current system, you will need to create a new key pair and save a copy locally. To do this, click KeyPairs and then click the green button to create a new pair. Save the file where you will remember it. If you lose this key file, you will no longer be able to access the associated AMIs. Click Images. Set your Region to us-east-1. Paste “ami-8ef607e7” into the Search box. You want the CentOS image. Click the green power button to launch the image. In the New Instance(s) Tag field enter CCSK_Test1. Choose the Default security group, and availability zone us-east-1. Click Launch. ElasticFox will switch to the Instances tab, and your instance will show as Pending. Right-click and select Connect to Instance. You will be asked to open the Private Key File you saved when you set

It’s just a couple days until RSA Conference 2011. Is this your first time attending the security conference in San Francisco? Having attended for a few years now I can safely say that there are some things you should take into account before you show up. First of all, download the Securosis Guide to RSA 2011 (PDF) or (ePub). Next you need a plan. After you have completed registration, which I assume by this point you have, consider your options. When you arrive on site at the Moscone Center give yourself a good amount of time to get through registration and badge pickup. The conference folks manage a good job of processing people through, but there will be a lot of people. Give yourself enough time. Next up, what to see? There is far too much content to expect to see it all. As a result you need a plan for which talks to attend. RSA has a daily planner on its site that can help. This is a helpful resource, but it doesn’t entirely do it for me. I want something tailored to my interests. Thankfully, RSA has created a tool for that. Behold the personal scheduler! I should point out that you must be logged into the RSA Conference site to access that tool. So next ask yourself why you are coming to RSA. What are you there to learn? Or are you taking a break on the company dime? I know some of you are doing just that; I’ve seen it before. So be honest with yourself. Which tracks interest you? There are quite a few this year: Application and Development Business of Security Cloud Security (new for 2011) Cryptography Data Security Governance & Risk Compliance Hackers & Threats Hot Topics Industry Experts Law Policy & Government Professional Development Sponsor Case Studies Strategy & Architecture Technology Infrastructure (also new) Not to mention some great talks like these and programs like e10+ for more experienced attendees. That’s a lot to choose from, so I would suggest you do your homework and be sure to check into the talks before you arrive. It would be a shame to find that you’ve landed smack in the middle of an hour-long lecture on widgets when you’re more interested in grapple grommets. Then there is the shark tank: the convention floor. Sweet mother, this is one massive collection of vendors. All of them are hunting for your dollars. That’s the name of the game. They’re not all there just to hand out free t-shirts. These folks work for a living. Take some time to speak with them and get to know their products. You can show up in a suit and be swarmed, or conversely, dress down if you want to blend into the background. The most important thing to remember for the convention floor is to wear a comfortable pair of shoes. No, really. The first time I went to RSA my back was out of commission for several days afterwards. That said, enjoy your time at the conference and bring along your favourite headache remedy. After you’re done with the vendor parties don’t forget to show up for the Securosis Disaster Recovery Breakfast Thursday morning – and be sure to RSVP. Share:

With great pleasure we post the 2nd annual Securosis Guide to the RSA Conference, 2011 edition. Last year’s guide we built as an experiment, but it has now effectively become an encyclopedia of all things RSA. As you’ve been seeing all week, we list out our key themes and then break down each major section of the industry. In this complete version we include vendor lists for each section and a comprehensive vendor list (with URLs) for easy reference during the show. Rich summed it up best – it’s not really an RSA Guide, it’s more “What’s coming in the next year of security”, which happens to be published in time for RSA. Below are links to both PDF and ePub versions. I loaded the Guide onto my iPad this morning and it looks great, so you may want to do that as well (in iBooks you may need to select the PDF tab). Enjoy and tell your friends. It’s free. Let’s just hope it doesn’t show up verbatim in the World’s #1 Hacker’s next book. PDF version: Securosis-GuidetoRSAC2011.pdf ePub version: Securosis-GuidetoRSAC2011.epub PS: Vendors, if you are looking for a nice giveaway for one last blast to your prospect lists to give away all those valuable expo passes, feel free to distribute the Guide. No fees, no nothing. It’s our little Valentine’s Day gift to you. Share:

Security Management Compliance is still driving most of what happens from a management standpoint, which is why have a specific compliance section below. On the security management front, there was still plenty of activity in 2010. But most customers continued to feel the same way: underwhelmed. It’s still very hard to keep control of much of anything, which is problematic as the number of devices and amount of sensitive data grow exponentially. Good times. Good times. What We Expect to See There are a couple areas of interest at the show for security management: The (Not) Easy Button: Given the absolutely correct perspective of customers that security management is too complex, difficult, ponderous, and lots of other negative descriptors, we expect vendors to focus on ease of use for many of these security management tools (especially SIEM/Log Management). Don’t believe them. They continue to sell false hope. To be fair, the tools are much improved. Interfaces are better. User experience is tolerable. But it’s still not easy. 
So spend some time in the booth checking out interfaces. How you set up rules, analyze data, and generate reports. Make the demo dude go into excruciating detail on how things really get done with the tool. Remember, anything you select, you will need to live with. So do your homework and choose wisely. The next act for scanners: Vulnerability management is so 2005. But tack on some kind of cloud stuff and it’s, uh, 2007? The new new shiny object is configuration auditing/policy compliance. Which actually makes sense because you need to scrutinize the device to check for vulnerabilities, so why not just assess the configuration while you are at it. And just as with vulnerability scanning, the question will be whether you do it on-site or via a cloud service. Or both, because we expect most vendors to offer both. MSS comes of age: The good news is that folks finally realize it’s not novel to monitor firewalls or IPS themselves, and combined with consolidation of pretty much all the big players, this means MSS isn’t a big deal anymore. So the big vendors with big booths will be talking about their monitoring (and even management) services. If you still have 5 folks parsing firewall alerts, check out these offerings. At minimum it will be interesting to get a sense of how efficiently you do things internally. Just make sure you understand exactly what the service and support model is, because when alerts start firing you don’t want to be dialing the main number of a $100 billion telco. Start-up X, a Big IT company: Big IT, with its big management stacks and big professional services teams, will be at RSAC in force. Maybe they’ll even have a story for how all the crap they’ve bought over the past year makes Big IT finally relevant in the security space. You’ll see HP and IBM (and EMC and Cisco and Juniper) in 5-6 different booths each, because companies they acquired had already committed to exhibit in this year’s show. They should have one of those passport programs, just to make sure you visit all their booths to win an iPad or something like that. Compliance Compliance isn’t merely a major theme for the show, it’s also likely the biggest driver of your security spending. But that doesn’t mean folks don’t want to minimize the cost and hassle of compliance, so scope reduction will be a major theme that we hear throughout the show. While there’s no such thing as a compliance solution, many security technologies play major roles in helping achieve and maintain compliance. What We Expect to See With compliance we will see a mix of regulation-focused messages and compliance-specific technologies: PCI & Tokenization: The Payment Card Industry Data Security Standard (PCI-DSS) is the single regulation that generates the most attention, and a lot of the growth for security and compliance spending. And frankly, especially within the retail and finance verticals, companies are looking to reduce costs and minimize PCI audits. It’s viewed as little more than a tax on the business so they want to at least reduce — if not eliminate — the expense. At the show this year, we expect you’ll hear and see a lot about tokenization. This approach substitutes credit card numbers stored at a merchant site with a harmless, well, token. It only represents the credit card transaction, so a stolen token cannot be used to commit fraud. At the show, focus on the sessions where savvy users talk about how they reduce the scope of PCI audits along with the associated costs of securing credit card data using this approach. While only a handful of tokenization vendors will be at the show, many of the payment processors have partnered with technology providers to offer tokenization as a managed service. Expect to see plenty of interest and discussion on this topic, and long lines at select vendor booths. There’s an App for That: Expect to see vendors offer neat iPhone and iPad apps for their management and reporting products. Sure, reports and dashboards are popular with vendors because they bring the eye candy sales teams want to demonstrate product value. But what’s cooler than a fancy dashboard? A fancy new iPhone. Put the two together and it’s like two great eye-candies that go great together! It’s going to be a big hit. Not just because anyone really wants to take that FISMA report with them in their pocket; it’s because IT, sales, and marketing all secretly lust after the new toy. It’s the thought of catching a spring training game while configuring SIEM policies. Does it make you more productive? Maybe. But having your IT products running on the toy justifies the purchase of both. Yeah, anywhere, anytime access is pretty cool too, but it’s like getting two for one. Expect to see this everywhere! GRC Oopsie: Last year we expected to see a lot of collateral about GRC: Governance, Risk, and Compliance. And we

We keep pretty busy schedules at RSA every year. But the good news is we do a number of speaking sessions and make other appearances throughout the week. Here is where you can find us: Speaking Sessions DAS-106: Everything You Ever Wanted to Know about DLP – Rich (Tuesday, Feb 15, 1pm) CLD-108: Private and Government Sectors: Why are Agencies Hesitant to Adopt Cloud? – Rich moderates (Tuesday, Feb 15, 3:40pm) DAS-203: Cutting through the Data Loss Prevention Confusion: DLP Myths Busted – Rich (Wednesday, Feb 16, 11:10am) P2P-203A: Evolving Perimeter(s): Protecting the Stuff That’s Really Important – Mike (Wednesday, Feb 16, 11:10am) BUS-303: Putting the Fun in Dysfunctional – How the Security Industry Really Works – Rich and Mike (Thursday, Feb 17, 11:10am) AND-304: Agile Development, Security Fail – Adrian (Thursday, Feb 17, 1pm) EXP-402: Cloudiquantanomidatumcon: The Infra/Info-Centric Debate in the Cloud – Rich and Chris Hoff (Friday, Feb 18, 10:10am) Other Events e10+: Rich and Mike are the hosts and facilitators for the RSA Conference’s e10+ program targeting CISO types. That’s Monday morning from 8:30 to noon. America’s Growth Capital Conference: Mike will be moderating a panel on the future of network security at the AGC Conference with folks from Cisco, Juniper, Palo Alto, Packet Motion, and Fidelis. This session is Monday at 2:15pm. Security Blogger Meet up: Securosis will be at the 4th annual Security Blogger Meet up at the classified location. You need to have a blog and be pre-registered to get in. Disaster Recovery Breakfast: Once again this year Securosis will be hosting the Disaster Recovery Breakfast on Thursday, Feb 17 between 8 and 11 with help from our friends at Threatpost and Schwartz Communications. RSVP and enjoy a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up. Holding court at the W: If you are up for late night hijinx – and like to laugh at stumbling, bumbling security industry folks – show up at the W’s lobby bar after the parties break up. It’s always a good time and you are very likely to see one or all of us Securosis folks there getting into trouble. And accepting drink donations. Fortinet Panels: Mike will also be moderating the Security Mythbusting: Blowing up the Security Hype panels at Fortinet’s booth (#923) Tuesday and Wednesday from 1:30-2pm. Travel safe and we’ll see you at RSA… Share: