Securosis

Research

Incite 1/20/2016 — Ch-ch-ch-ch-changes

I have always gotten great meaning from music. I can point back to times in my life when certain songs totally resonate. Like when I was a geeky teen and Rush’s Signals spoke to me. I saw myself as the awkward kid in Subdivisions who had a hard time fitting in. Then I went through my Pink Floyd stage in college, where “The Wall” dredged up many emotions from a challenging childhood and the resulting distance I kept from people. Then Guns ‘n Roses spoke to me when I was partying and raging, and to this day I remain shocked I escaped largely unscathed (though my liver may not agree). But I never really understood David Bowie. I certainly appreciated his music. And his theatrical nature was entertaining, but his music never spoke to me. In fact I’m listening to his final album (Blackstar) right now and I don’t get it. When Bowie passed away last week, I did what most people my age did. I busted out the Ziggy Stardust album (OK, I searched for it on Apple Music and played it) and once again gained a great appreciation for Bowie the musician. Bowie Changes Then I queued up one of the dozens of Bowie Greatest Hits albums. I really enjoyed reconnecting with Space Oddity, Rebel Rebel, and even some of the songs from “Let’s Dance”, if only for nostalgia’s sake. Then Changes came on. I started paying attention to the lyrics. Ch-ch-ch-ch-changes (Turn and face the strange) Ch-ch-changes Don’t want to be a richer man Ch-ch-ch-ch-changes (Turn and face the strange) Ch-ch-changes Just gonna have to be a different man Time may change me But I can’t trace time – David Bowie, “Changes” I felt the wave of meaning wash over me. Changes resonates for me at this moment in time. I mean really resonates. I’ve alluded that I have been going through many changes in my life the past few years. A few years ago I reached a crossroads. I remembered there are people who stay on shore, and others who set sail without any idea what lies ahead. Being an explorer, I jumped aboard the SS Uncertain, and embarked upon the next phase of my life. Yet I leave shore today a different man than 20 years ago. As the song says, time has changed me. I have more experience, but I’m less jaded. I’m far more aware of my emotions, and much less judgmental about the choices others make. I have things I want to achieve, but no attachment to achieving them. I choose to see the beauty in the world, and search for opportunities to connect with people of varied backgrounds and interests, rather than hiding behind self-imposed walls. I am happy, but not satisfied, because there is always another place to explore, more experiences to have, and additional opportunities for growth and connection. Bowie is right. I can’t trace time and I can’t change what has already happened. I’ve made mistakes, but I have few regrets. I have learned from it all, and I take those lessons with me as I move forward. I do find it interesting that as I complete my personal transformation, it’s time to evolve Securosis. You’ll learn more about that next week, but it underscores the same concept. Ch-ch-ch-ch-changes. Nothing stays the same. Not me. Not you. Nothing. You can turn and face the strange, or you can rue for days gone by from your chair on the shore. You know how I choose. –Mike Photo credit: “Chchchange” from Cole Henley The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. SIEM Kung Fu Fundamentals Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Everyone is an insider: Since advanced threat detection is still very shiny, it’s not a surprise that attention has swung back to the insider threat. It seems that every 4-5 years people remember that insiders have privileged access and can steal things if they so desire. About the same time, some new technology appears that promises to identify those malicious employees and save your bacon. Then it turns out finding the insiders is hard and everyone focuses on the latest shiny attack

Share:
Read Post

Incite 1/13/2016: Permitted

I’m not sure how it happened, but XX1 turned 15 in November and got her driver’s permit. Wait, what?!?! That little girl can now drive. Like, legally? WTF? Clearly it is now January, and I am still in shock that 15 years has passed by in the blink of an eye. Now it’s on me to teach her to drive. She’ll take a driver’s ed course in February, so that will help and give her some practical experience with someone who actually drives with teenagers for a living. Is that on the list of worst jobs? Second to elephant cage cleaner at the zoo, driving with inexperienced drivers seems like my version of hell on earth. Then I remembered back to when I learned to drive. My Dad had a ‘72 Bug for me that he drove around. He picked me up and drove me to the local town pool parking lot. He taught me how to balance the clutch (yes, it was a stick shift) and start, stop, drive in a straight line, and turn. I recall him being extraordinarily patient as I smoked the clutch and stalled out 10 times. But after a while I got the hang of it.   Then he said, “OK Mike. Drive home.” WHAT? I was kind of in shock. It was maybe 3 miles to my house, but it was 3 miles of real road. Road with other drivers on it. I almost crapped my pants, but we got home in one piece. Dad would let me drive most places after that, even on the highway and on bridges. He remained incredibly patient, even when I stalled 10 times on a slight incline with about 50 cars behind me sitting on their horns. Yup, crapped my pants that time too. I remember that like it was yesterday, but it was 31 years ago. Damn. So before winter break I took XX1 out to the parking lot of the library. She got into the driver’s seat and I almost crapped my pants. You getting the recurring theme here? She had no idea what she was doing. I have an automatic transmission, so she didn’t have to worry about the clutch, but turning the car is a learned skill, and stopping without giving me whiplash was challenging for a little while. She did get the hang of it, but seeing her discomfort behind the wheel convinced me that my plan of having her drive home (like my Dad did to me) wouldn’t be a great idea. Neither for her self-esteem nor my blood pressure. She’ll get the hang of it, and I have to remember that she’s different than me and I’m a different teacher than my Dad. We’ll get her driving at her pace. After she takes the driver’s ed class I’ll have her start driving when she’s with me. Before we know it, she’ll have 25-30 hours behind the wheel. But I’m not taking any chances. I plan on sending her to an advanced driving school. My cousin sent me a link to this great program in NC called B.R.A.K.E.S, which provides a 4-hour defensive driving workshop specifically for teens. I’m also going to take her to a Skip Barber racing class or something similar, so she can learn how to really handle the car. Sure it’s expensive, but she’s important cargo, commanding a two-ton vehicle, so I want to make sure she’s prepared. But I have to understand this is a metaphor for the rest of her life. As parents we can prepare her to the best of our ability. Then we need to let her loose to have her own experiences and learn her lessons. She can count on our support through the inevitable ups and downs. My little girl is growing up. –Mike Photo credit: “International Driving Permit” from Tony Webster The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. SIEM Kung Fu Fundamentals Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Security as a business problem: The more things change, the more they stay the same. NetworkWorld’s Overcoming stubborn execs for security sake took me back to 2006, right before I wrote the Pragmatic CSO. Senior management doesn’t get it? Yup. Mid-managers want to circumvent the rules? Yup. On and on it goes, and we run on the hamster wheel for

Share:
Read Post

SIEM Kung Fu: Fundamentals [New Series]

Another SIEM blog series? Really? Why are we still talking about SIEM? Isn’t that old technology? Hasn’t it been subsumed by new and shiny security analytics products and services? Be honest – those thoughts crossed your mind, especially because we have published a lot of SIEM related research over the past few years. We previously worked through the basics of the technology and how to choose the right SIEM for your needs. A bit over a year ago we looked into how to monitor hybrid cloud environments. The fact is SIEM has become somewhat of a dirty word, but that’s ridiculous. Security monitoring needs to be a core, fundamental, aspect of every security program. SIEM – in various flavors, using different technologies and deployment architectures – is how you do security monitoring. So it’s not about getting rid of the technology – it’s more about how to get the most out of your existing investment, and ensuring you can handle the advanced threats facing organizations today. But we understand how SIEM got its bad name. Early versions of the technology were hard to use, and required significant integration just to get up and running. You needed to know what attacks you were looking for, and unfortunately most adversaries don’t send attack playbooks ahead of time. Operating an early SIEM required a ninja DBA, and even then queries could take hours (or days for full reports) to complete. Adding a new use case with additional searches and correlations required an act of Congress and a truckload of consultants. It’s not surprising organizations lost their patience with SIEM. So the technology was relegated to generating compliance reports and some very simple alerts, while other tools were used to do ‘real’ security monitoring. But as with most other areas of security technology, SIEM has evolved. Security monitoring platforms now support a bunch of additional data types, including network packets. The architectures have evolved to scale more efficiently and have integrated fancy new ‘Big Data’ analytics engines to improve detection accuracy, even for attacks you haven’t seen before. Threat intelligence is integrated into the SIEM directly, so you can look for attacks on other organizations before they are launched at you. So our new SIEM Kung Fu series will streamline our research to focus on what you need to know to get the most out of your SIEM, and solve the problems you face today by increasing your capabilities (the promised Kung Fu). But first let’s revisit the key use cases for SIEM and what is typically available out of the box with SIEM tools.     Alerting The original use case for SIEM was security alert reduction. IDS and firewall devices were pumping out too many alerts, and you needed a way to figure out which of them required attention. That worked for a little while, but then adversaries got a lot better and learned to evade many of the simple correlations available with first-generation SIEM. Getting actionable alerts from your SIEM is the most important use case for the technology. Many different techniques are used to detect these attacks. You can hunt for anomalies that kinda-sorta look like they could be an attack or you can do very sophisticated analytics on a wide variety of data sources to detect known attack patterns. What you cannot do any more is depend on simple file-based detection, because modern attacks are far more complicated. You need to analyze inbound network traffic (to find reconnaissance), device activity (for signs of compromise), and outbound network traffic (for command and control / botnet communications) as well. And that’s a simplified view of how a multi-faceted attack works. Sophisticated attacks require sophisticated analysis to detect and verify. Out of the box a SIEM offer a number of different patterns to detect attacks. These run the gamut from simple privilege escalation to more sophisticated botnet activity and lateral movement. Of course these built-in detections are generic and need to be tuned to your specific environment, but they can give you a head start for finding malicious activity in your environment. This provides the quick win which has historically eluding many SIEM projects, and builds momentum for continued investment in SIEM technology. SIEM technology has advanced to the point where it can find many attacks without a lot of integration and customization. But to detect advanced and targeted attacks by sophisticated adversaries, a tool can only get you so far. You need to evolve how you use security monitoring tools. You cannot just put a shiny new tool in place and expect advanced adversaries to go away. That will be our area of focus for the later posts in this series. Forensics Once you have determined an attack is under way – or more accurately, once you have detected one of the many attacks happening in your environment – you need to investigate the attack and figure out the extent of the damage. We have documented the incident response process, especially within the context of integrating threat intelligence, and SIEM is a critical tool to aggregate data and provide a platform for search and investigation. Out of the box a SIEM will enable responders to search through aggregated security data. Some tools offer visualizations to help users see anomalous activity, and figure out where certain events happened in the timeline. But you will still need a talented responder to really dig into an attack and figure out what’s happening. No tool can take an incident response from cradle to grave. So the SIEM is not going to be the only tool your incident responders use. But in terms of efficiently figuring out what’s been compromised, the extent of the damage, and an initial damage assessment, the SIEM should be a keystone of your process. Especially given the ability of a SIEM to capture and analyze network packets, providing more granularity and the ability to build a timeline of what really happened during the attack. Compliance Finally, the SIEM remains instrumental for generating compliance reports, which are still a

Share:
Read Post

Incite 1/6/2016 — Recharging

The last time I took 2 weeks off was probably 20 years ago. As I write that down, it makes me sad. I’ve been been running pretty hard for a long time. Even when I had some forced vacations (okay, when I got fired), I took maybe a couple days off before I started focusing on the next thing. Whether it was a new business or a job, I got consumed by what was next almost immediately. I didn’t give myself any time to recharge and heal from the road rash that accumulated from one crappy job after another. Even when things are great, like the past 6 years working with Rich and Adrian, I didn’t take a block of time off. I was engaged and focused and I couldn’t wait to jump into the next thing. So I would. I spent day after day during the winter holidays as the only person banging away at their laptop at the coffee shop while everyone else was enjoying catching up with friends over Peppermint Mocha lattes. recharge I rationalized that I could be more productive because my phone wasn’t ringing off the hook and I wasn’t getting my normal flow of email. There wasn’t much news being announced and my buddies weren’t blogging at all. So I could just bang away at the projects I didn’t have time for during the year. Turns out that was nonsense. I was largely unproductive during winter break. I read a lot, spent time thinking, and it was fine. But it didn’t give me a chance to recharge because there was no separation. The truth is I didn’t know how to relax. Maybe I was worried I wouldn’t be able to start back up again if I took that much time away. It turns out the projects that didn’t get done during the year didn’t get done over break because I didn’t want to do them. So they predictably dragged on through winter break and then into the next year. That changed this year. I’m just back from two weeks pretty much off the grid. I took a week away with my kids. We went to Florida and checked out a Falcons game in Jacksonville, the Kennedy Space Center in Cape Canaveral, and Universal Studios in Orlando. We were able to work in some family time in South Florida for Xmas before heading back to Atlanta. I stayed on top of email, but only to respond to the most urgent requests. All two of them. I didn’t bring my laptop, so if I couldn’t take care of it on my iPad, it wasn’t getting done. Then I took a week of adult R&R on the beach in Belize. I’m too cheap to pay for international cellular roaming, so my connectivity was restricted to when I could connect to crappy WiFi service. It was hard to check email or hang out in our Slack room during a snorkeling trip or an excursion down the Monkey River. So I didn’t. And the world didn’t end. The projects that dragged through the year didn’t get done. But they weren’t going to get done anyway and it was a hell of a lot more fun to be in Belize than a crappy coffee shop pretending to work. I came back from the time off recharged and ready to dive into 2016. We’ve got a lot of strategic decisions to make as the technology business evolves towards cloud-everything and we have to adapt with it. I don’t spend a lot of time looking backwards and refuse to judge myself for not unplugging for all those years. But I’ll tell you, there will be more than one period of time where I’ll be totally unplugged in 2016. And I’ll be a hell of a lot more focused and productive when I return. –Mike Photo credit: “Recharging Danbo Power” from Takashi Hososhima The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Cloud vs. on-prem. Idiotic discussions continue: Do me a favor and don’t read this article trying to get to the bottom of whether the public cloud or on-prem

Share:
Read Post

Incite 12/15/2015: Looking Forward

In last week’s Incite I looked backwards at 2015. As we close out this year (this will be the last Incite in 2015), let me take a look forward at what’s in store for 2016. Basically I don’t have any clue. I could lie to you and say I’ve got it all figured out, but I don’t. I fly by the seat of my pants pretty much every day of my life. And any time I think I have things figured out, I get a reminder (usually pretty harsh) that I don’t know squat. One thing I’m comfortable predicting is that things will be changing. Because they always do. Some years the change is very significant, like in 2015. Other years less so. But all the same, change is constant in my world. We’re going to do some different things at Securosis next year. We are very pleased with how we have focused our research toward cloud security, and plan to double down on that in 2016. We’ll roll out some new offerings, though I’m not exactly sure when or what they’ll be. We have a ton of ideas, and now we have to figure out which of them make the most sense, because we have more ideas than time or resources. Rich, Adrian, and I will get together in January and make those decisions – and it will involve beer. Personally, I’ll continue my path of growth because well, growth. That includes trying new things, traveling to new places, and making new friends. I’m not going to set any goals besides that I want to wake up every morning, maintain my physical health, and continue my meditation and spiritual practices. My kids are at an age where they need my presence and guidance, even though they will likely not listen, because teenagers know everything. Which basically means I’ll also need to be there to pick them up when they screw things up (and they will), and try to not say I told you so too many times. I’ll also tell my story of transformation through the year. I’m not ready to do that yet, but I will because it’s an interesting story and I think it will resonate with some of you. It also ensures that I will remember as time marches on. I spent some time earlier in the year reading through old Incites and it was a great reminder of my journey. Overall I’m very excited about 2016 and continuing to live with a view toward potential and not limitations. I’m focused on making sure those I love know they are special every single day. I’m committed to being happy where I am, grateful for how I got here, and excited for what is to come. I’ll ring in the New Year in a tropical paradise, and play the rest by ear. All of us at Securosis are grateful for your support, and we wish you a healthy and happy 2016. –Mike Photo credit: “looking forward to” from Elizabeth M The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Good deed for the holidays: You too can help make software security better! OWASP, the Open Web Application Security Project, is developing a new set of secure coding guidelines for software developers. This document will be a great aid to developers who want to get up to speed on secure coding. It offers a succinct set of code examples – in most of the widely used programming languages – which address the top ten security coding flaws. And what developer doesn’t love easy to understand code examples? But wait, there’s more! This effort is truly open, so you get to participate in building the guidelines: the document I referenced is open for public comments and direct editing! So if you think the document is missing something, or there are better examples to be offered, or you think something is wrong, you can improve it. Do a good deed for the holidays and contribute. – AL Happy Holidays. Let’s make some crap up… It’s the holiday season. So obviously we will be subjected to everyone’s predictions of what’s in store for 2016. As you can tell from our last FireStarter of the year, we don’t buy into predictions. But the IDC folks don’t have any issue making things up. Their

Share:
Read Post

Building a TI Program: Success and Sharing

To wrap up our series on Building a Threat Intelligence Program (Introduction; Gathering TI; Using TI), we need to jump back to the beginning for a bit. How do you define success of the program? More importantly, how can you kickstart the program with a fairly high-profile success to show the value of integrating external data into your defenses, and improve your security posture? That involves getting a quick win and then publicizing it. Quick Win The lowest-hanging fruit in threat intel is using it to find an adversary already in your environment who you didn’t know about. Of course it would be better if you didn’t have an active adversary within your defenses, but that is frankly an unlikely scenario. The reality is that some devices in your environment are already compromised – it’s a question of whether you know about them. You are already doing security monitoring (you can thank compliance for that), so it’s just a matter of searching your existing repository of security data for indicators from your threat feeds. Any log aggregation or SIEM platform will perform a search like this. Of course it’s a manual process, and that’s fine for right now – you’re just looking for a quick win. Once you complete the search one of two things happens. Perhaps you found an active adversary you didn’t know about. You can drop the proverbial mic at this point – you have proven the value of external threat intel clearly. But before you spend a lot of time congratulating yourself, you have an incident response to get moving. Obviously you’ll document it, and be able to tell a compelling story of how TI was instrumental in identifying the attack earlier than you would have discovered it otherwise. If you don’t find a smoking gun you’ll need to be a little more creative. We suggest loading up a list of known bad IP addresses into your egress firewall and looking for the inevitable traffic to those sites, which may indicate C&C nodes or other malicious activity. The value isn’t as pronounced as finding an active adversary, but it illustrates your new ability to find malicious traffic sooner using a TI feed. Keep in mind that the Quick Win is just that. It’s shows short-term value for an investment in threat intel. This can (and should) take place within any proof of concept you run with TI vendors during procurement. If you aren’t getting immediate value, either you are using the wrong data source and/or tool, or you already had a strong security posture and will likely get better short-term value from another project. Sustained Success We didn’t call this series “Getting a Quick Win with TI”, so we need to expand our aperture a bit and focus on turning the quick win into sustainable success. Of course you accomplish this by examining your process from a process-centric perspective. There are three main aspects of building out the program from the success of a quick win: Operationalizing TI: We covered this in depth in our last post on Using TI. We suggest starting by integrating the TI into your security monitoring environment. Once that is operational you can add additional use cases, such as integrating into your perimeter gateways and egress filters for proactive blocking, as well as leveraging the data within your incident response process. Evaluating TI Sources: This is a key aspect of optimizing your program. You cannot just assume the data source(s) you selected now will provide the same impact over time. Things change, including adversaries and TI providers. You are under constant scrutiny for how your security program is performing, so your TI vendors (actually all your vendors) will be under similar scrutiny. You should be able to close the loop by tracking TI, to alerts, to blocked or identified attacks, by instrumenting your security environment to track this data. Some commercial TI platforms offer this information directly, but alternately you could build it into your SIEM or other controls. Selling the Value: Senior executives, including your CIO, have a lot of things to deal with every day. You cannot count on them remembering much beyond the latest fire to appear in the inbox today. So you need to systematically produce reports that show the value of TI. This should be straightforward, usings your instrumentation for evaluating TI sources. This is another topic to cover in your periodic meetings with senior management. Especially when the renewal is coming up and you need to keep the funding. Executing on a successful security program requires significant planning and consistent execution. You cannot afford to focus only on the latest attack or incident (although you also need to do some of that), but must also also think and act strategically; here a programmatic approach offers huge dividends. If you really want to magnify your impact, you’ll need to move beyond tactical day-to-day security battles, and implement a program for both TI and security activities in general. Sharing The success of threat intelligence hinges upon organizations sharing information about adversaries and tactics, so everyone can benefit from surviving attacks. For years this information sharing seemed like an unnatural act to enterprises. A number of threat intelligence vendors emerged to fill the gap, gathering data from a variety of open and proprietary sources. But we see a gradual growth in willingness of organizations to share information with other organizations of similar size or within an industry. Of course threat information can be sensitive, so sharing with care and diligence are critical aspects of a threat intelligence program. The first decision point for sharing is to define the constituency to share information with. This can be a variety of organizations, including: ISAC: Many the larger industries are standing up their own Information Sharing and Analysis Centers (ISAC), either as part of an industry association or funded by the larger companies in the industry. These ISACs are objective and exist to provide a safe place to collect and share industry threat information, and also offer value-added data analysis. If there is an ISAC for your industry,

Share:
Read Post

Threat Detection Evolution [New Paper]

Most organizations have realized that threat prevention has limitations, so we have seen renewed focus on threat detection. But like most other security markets, the term threat detection has been distorted to cover almost everything. So we figure it’s time to clarify what threat detection is and how it is evolving to deal with advanced attacks, sophisticated adversaries, and limited resources.   From the paper: Not to worry – we haven’t become the latest security Chicken Little, warning everyone that the sky is falling. Mostly because it fell a long time ago, and we have been picking up the pieces ever since. It can be exhausting to chase alert after alert, never really knowing which are false positives and which indicate real active adversaries in your environment. Something has to change. We need to advance the practice of detection, to provide better and more actionable alerts. This requires thinking more broadly about detection, and starting to integrate the various different security monitoring systems in use today. Our Threat Detection Evolution paper starts by reviewing security data collection, including both internal and external data sources that can facilitate detection efforts. Next we discuss how to use that data ti reliably figure out what is an attack. We wrap up by going through th process, using a quick wins scenario to show the concepts in action. We would like to thank AlienVault for licensing the content in this paper. Our unique Totally Transparent Research model allows us to do objective and useful research and still make ends meet, so you should thank them too. The landing page for the paper is here. Direct download: Threat Detection Evolution (PDF) Share:

Share:
Read Post

Incite 12/9/2015: Looking Backwards

As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort. From a business perspective, it’s a pretty good time to be in the security industry. You have seen a slowdown in our blog activity over the past couple months because our business continues to evolve and we’ve been doing a lot more work out of the public eye. We’ve been called in to do a lot more strategic advisory, and we’re even starting to do security architecture work for some enterprise organizations, typically around cloud initiatives. We’re also increasingly being called into diligence efforts for companies considering acquisitions, and investors considering putting large sums of money to work in this space. These are pretty intense gigs and that usually means more external projects lag a bit. We also aren’t sure how long the good times will continue to roll, so we usually jump on diligence projects. Personally, suffice it to say things are substantially different for me, though I’m not going to go into detail at this point. Different is scary for most people, but I’ve always embraced change, so my challenge is more about having the patience to let the world around me adapt. My kids continue to amaze me with how they are growing into fantastic people, and this past year they’ve navigated new schools and additional workload with minimum drama and angst. You can’t entirely avoid drama and angst (not as a teenager anyway), but their Mom and I are proactive about making them aware of the drama. Physically I’m still working my program, running two half marathons and continuing my yoga practice. I’m making many new friends who provide different perspectives on life, and I’ve been able to fulfill a need for social activity I didn’t even know I had. As I look back at 2015, I realize that the signs of significant disruption were there both personally and professionally. It has been a long road, and I finally feel that my world is opening up and I’m moving toward my potential, away from my self-imposed limitations. I’m really excited for what’s next. All is see ahead is blue sky. As I wrap up the Incite next week, I’ll ruminate a little into what the path ahead looks like. –Mike Photo credit: “Emu (Dromaius novaehollandiae) looking backwards at Auckland Zoo” from Wikimedia Commons The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building Security into DevOps The Role of Security in DevOps Tools and Testing in Detail Security Integration Points The Emergence of DevOps Introduction Building a Threat Intelligence Program Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development The Future of Security Incite 4 U R marks the spot: NetworkWorld ran a great article examining how the Verizon Data Breach report folks use R to do the analysis and generate the charts in their widely read report. I personally haven’t played with statistical programs since I was in college, but there is an increasing need for math people (although we call them data scientists now) to perform the analysis to mine through all of that security data and figure out what’s going on. I tell many younger folks, who ask what they should focus on, to dust off their programming/scripting skills – security automation is coming. The other thing I now suggest is for the math-inclined to study a lot more statistics and get to know these kinds of tools. The future is here and it seems to require math (so says the writer). – MR Pre-owned: If you’re wondering how the credit card you just got two weeks ago already got popped, here is on possible answer. Samy Kamkar demonstrated that AmEx-based new card numbers are predictably generated from the previous numbers allowing crackers to guess the number of the next card they issue you. If you’re an application developer, this is why you need to be careful with sequence generators – they tend

Share:
Read Post

Incite 12/2/2015: Grateful Habits

A week ago most folks in the US were in food comas from the Thanksgiving feast. Of course this is a great time of year to be grateful for what you have. Whether it’s family, health, work, or anything else. This morning I got a great reminder that expressing gratitude is a habit, which requires daily work – especially for security people. I was doing a speaking gig for a client in Atlanta, and I ran into an old friend who traveled in for the seminar. We were catching up and he mentioned how busy he was and that it was a bit overwhelming. I jumped right in because we at Securosis are pretty busy ourselves. But then I got a flash of awareness and decided I had to break the cycle. I specifically asked whether he remembered 10 years ago when no one cared about security? I certainly do. A lot of you (like Rich, Adrian, and myself) did security before security was cool. You remember talking to blank stares when evangelizing the importance of security. You remember cleaning the same malware off the same person’s device, over and over again, because they just couldn’t understand why they can’t click ads on questionable sites. You also remember looking for a new job when the senior team needed a scapegoat after yet another breach, after they didn’t listen to what you said the first time. It’s a different situation now. Many folks still don’t understand what they need to do, but they don’t really argue about the importance of security any more. Most of us have a bigger issue finding talent to fill open positions, rather than making the case for why any security people are needed. These are things to be grateful for. It turns out that a little gratitude leads to a lot. So if you have any interest, don’t just think about being thankful around the holidays. Start the day by making a list of 2 or 3 things you are grateful for every day. It’s hard to get into the right mindset to get things done, when you wake up overwhelmed by the amount of stuff that needs to get done. So break that cycle too. Think about what’s working in your life. It doesn’t have to be a lot. Just a little thing. Take a small step toward feeling gratitude every day. I do this consistently, every day. It puts me in the right frame of mind. I’m thankful for so many things, but none more than the habits I have established over the past few years, which have made a huge difference in my life. –Mike The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Nov 16 — The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler December 18 – Predicting the Past November 25 – Numbness Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building Security into DevOps The Role of Security in DevOps Tools and Testing in Detail Security Integration Points The Emergence of DevOps Introduction Building a Threat Intelligence Program Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development The Future of Security Incite 4 U Can security be fixed? Is it broken? I’ve gotta send a hat tip to my friend Don, who pointed out this article on TechCrunch explaining how Humility, Accountability And Creative Thinking Can Fix IT Security. Really? A lot of the security folks I know are pretty humble and creative. It’s not like they sit around and talk about how great they are while the city is burning. But aside from the clickbait title, there are some decent points in that post. I especially like the idea of killing silver bullet syndrome. There is no single answer for dealing with sophisticated adversaries. I also agree that security will need to evolve as the cloud and mobility continue to take root. Inflection anyone? The article also points out the need to share information, and that’s all about Threat Intelligence. But I still push back on the contention that security is broken. It’s not broken, because that supposes that it can be fixed. I posit that you don’t win security – you just survive to fight another day. – MR Student jobs: It appears the FBI is funding security vulnerability research; not for bug bounties, but to conduct surveillance. Recently they paid University students to hack Tor networks so they could inspect Tor traffic and de-anonymize Tor users. The FBI’s disclosed target could have been tracked financially, and Tor offers law enforcement other means to locate users, which implies (shockingly) their goal was something more than

Share:
Read Post

Incite 10/21/2015: Appreciating the Classics

It has been a while since I’ve mentioned my gang of kids. XX1, XX2 and the Boy are alive and well, despite the best efforts of their Dad. All of them started new schools this year, with XX1 starting high school (holy crap!) and the twins starting middle school. So there has been a lot of adjustment. They are growing up and it’s great to see. It’s also fun because I can start to pollute them with the stuff that I find entertaining. Like classic comedies. I’ve always been a big fan of Monty Python, but that wasn’t really something I could show an 8-year-old. Not without getting a visit from Social Services. I knew they were ready when I pulled up a YouTube of the classic Mr. Creosote sketch from The Meaning of Life, and they were howling. Even better was when we went to the FroYo (which evidently is the abbreviation for frozen yogurt) place and they reminded me it was only a wafer-thin mint.   I decided to press my luck, so one Saturday night we watched Monty Python and the Holy Grail. They liked it, especially the skit with the Black Knight (It’s merely a flesh wound!). And the ending really threw them for a loop. Which made me laugh. A lot. Inspired by that, I bought the Mel Brooks box set, and the kids and I watched History of the World, Part 1, and laughed. A lot. Starting with the gorilla scene, we were howling through the entire movie. Now at random times I’ll be told that “it’s good to be the king!” – and it is. My other parenting win was when XX1 had to do a project at school to come up with a family shield. She was surprised that the Rothman clan didn’t already have one. I guess I missed that project in high school. She decided that our family animal would be the Honey Badger. Mostly because the honey badger doesn’t give a _s**t_. Yes, I do love that girl. Even better, she sent me a Dubsmash, which is evidently a thing, of her talking over the famous Honey Badger clip on YouTube. I was cracking up. I have been doing that a lot lately. Laughing, that is. And it’s great. Sometimes I get a little too intense (yes, really!) and it’s nice to have some foils in the house now, who can help me see the humor in things. Even better, they understand my sarcasm and routinely give it right back to me. So I am training the next generation to function in the world, by not taking themselves so seriously, and that may be the biggest win of all. –Mike Photo credit: “Horse Laugh” originally uploaded by Bill Gracey Thanks to everyone who contributed to my Team in Training run to battle blood cancers. We’ve raised almost $6,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you. The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler December 18 – Predicting the Past November 25 – Numbness October 27 – It’s All in the Cloud October 6 – Hulk Bash Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building Security into DevOps The Role of Security in DevOps Tools and Testing in Detail Security Integration Points The Emergence of DevOps Introduction Building a Threat Intelligence Program Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development The Future of Security Incite 4 U The cloud poster child: As discussed in this week’s FireStarter, the cloud is happening faster than we expected. And that means security folks need to think about things differently. As if you needed more confirmation, check out this VentureBeat profile of Netflix and their movement towards shutting down their data centers to go all Amazon Web Services. The author of the article calls this the future of enterprise tech and we agree. Does that mean existing compute, networking, and storage vendors go away? Not overnight, but in 10-15 years infrastructure will look radically different. Radically. But in the meantime, things are happening fast, and folks like Netflix are leading the way. – MR Future – in the past tense: TechCrunch recently posted The Future of Coding Is Here, outlining how the arrival of APIs (Application Programming Interfaces) has ushered in a new era of application development. The fact is that RESTful APIs have pretty much been the lingua franca of software development since 2013, with thousands of APIs available for common services. By the end of 2013 every major API gateway vendor had been acquired by a big IT company. That was because APIs are an enabling

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.