Securosis

Research

Leverging TI in Incident Response/Management: Really Responding Faster

In the introduction to our Leveraging Threat Intelligence in Incident Response/Management series we described how the world has changed since we last documented our incident response process. Adversaries are getting better and using more advanced tactics. The difficulty is compounded by corporate data escaping our control into the cloud, and the proliferation of mobile devices. When we started talking about reacting faster back in early 2007, not many folks were talking about the futility of trying to block every attack. That is less of an issue now that the industry understands security is imperfect, and continues to shift resources to detection and response. Butt the problem becomes more acute as the interval between attack and exfiltration continues to decrease. The ultimate goal of any incident management process is to contain the damage of attacks. This requires you to investigate and find the root causes of attacks faster. The words are easy, but how? Where do you look? The possible attack paths are infinite. To really react faster you need to streamline your investigations and make the most of your resources. That starts with an understanding of what information would interest to attackers. From there you can identify potential adversaries and gather threat intelligence to figure out their targets and tactics. With that information you can protect yourself, look for indicators of compromise via monitoring, and streamline your response when you (inevitably) miss. Adversary Analysis We suggest stating with adversary analysis because the attacks you will see vary greatly based on the attacker’s mission and assessment of the most likely (and easiest) way to compromise your environment. Evaluate the Mission: To start the process you need to learn what’s important in your environment, which leads you to identify interesting targets for attackers. This usually breaks down into a few discrete categories including intellectual property, protected customer data, and business operations information. Profile the Adversary: To defend yourself you will need to not only know what adversaries are likely to look for, but what kinds of tactics those attackers typically use, by type of adversary. So next figure out which categories of attacker you are likely to face. Categories include unsophisticated (uses widely available tools), organized crime, competitors, and state-sponsored. Each class has a different range of capabilities. Identify Likely Attack Scenarios: Based on the mission and the adversary’s general tactics, put your attacker hat on and figure out the path you would most likely take to achieve the mission. At this point the attack has already taken place (or is still in progress) and you are trying to assess and contain the damage. Hopefully investigating your proposed paths will prove or disprove your hypothesis. Keep in mind that you don’t need to be exactly right about the scenario. You need to make assumptions about what the attacker has done, and you will not predict their actions perfectly. The objective here is to get a head start on response, which means narrowing down the investigation by focusing on specific devices and attacks. Gathering Threat Intelligence Armed with context on likely adversaries we can move on to intelligence gathering. This entail learning everything we can about possible and likely adversaries, profiling probable behaviors, and determining which kinds of defenses and controls make sense to address higher probability attacks. Be realistic about what you can gather yourself and what intel you may need to buy. Optimally you can devote some resources to gathering and processing intelligence on an ongoing basis based on the needs of your organization, but in the real world you may need to supplement your resources with external data sources. Threat Intelligence Indicators Here is a high-level overview of the general kinds of threat intelligence you are likely to leverage to streamline your incident response/management. Malware Malware analysis is maturing rapidly; it is now possible to quickly and thoroughly understand exactly what a malicious code sample does, and define both technical and behavioral indicators to seek out within your environment, as described in gory detail in Malware Analysis Quant. More sophisticated malware analysis is required because classical AV blacklisting is no longer sufficient in the face of polymorphic malware and other attacker tactics to defeat file signatures. Instead you will identify indicators of what malware did to a device. Malware identification has shifted from what file looks like to what it does. As part of your response/management process, you’ll need to identify the specific pieces of malware you’ve found on the compromised devices. You can do that via a web-based malware analysis service. You basically upload a hash of a malware file to the service – if it recognizes the malware (via a hash match), you get the the analysis within minutes; if not you can then upload the whole file for a fresh analysis. These services run malware samples through proprietary sandbox environments and other analysis engines to figure out what malware does, build a detailed profile, and return a comprehensive report including specific behaviors and indicators you can search your environment for. Malware also provides additional clues. Can you tie the malware to a specific adversary? Or at least a category of adversaries? Do you see these kinds of activities during reconnaissance, exploitation, or exfiltration – a useful clue to the degree the attack has progressed. Reputation Reputation data, since its emergence as a primary data source in the battle against spam, seems to have become a component of every security control. Which makes sense because entities that behave badly are likely to continue doing so. The most common reputation data is based on IP addresses, offered as a dynamic list of known bad and/or suspicious addresses. As with malware analysis, identifying an adversary helps you look for associated tactics. Aside from IP addresses, pretty much everything within your environment can (and should) have a reputation. Devices, URLs, domains, and files, for starters. If you see traffic going to a site known to be controlled by a particular adversary, you can look for other devices communicating with that adversary.

Share:
Read Post

It’s Just a Matter of Time

So a couple of weeks ago in the Incite (4th snippet) I gave Jamie Arlen huge kudos for being a soothsayer. At Black Hat 2011 Jamie presented an attack scenario attacking high frequency trading networks, and Bloomberg recently reported that attack actually hit a hedge fund. But the attack never happened. Yeah, it turns out the cyber expert at BAE Systems who identified the attack was allegedly presenting a scenario to the management team – not a real attack. The attack, she said, “was inaccurately presented as a client case study rather than as an illustrative example.” Those folks are spinning so fast, I’m getting dizzy. While laughing my butt off. But back to the point of Jamie’s research. The attack is plausible and feasible, so it’s just a matter of time before it does really happen, if it hasn’t already. Photo credit: “Pants on Fire” originally uploaded by Mike Licht Share:

Share:
Read Post

Incite 7/9/2014: One dollar…

A few weeks ago I was complaining about travel and not being home – mostly because I’m on family vacations and doing work I enjoy. I acknowledged these are first world problems. I didn’t appreciate what that means. You lose touch with a lot of folks’ reality when you are in the maelstrom of your own crap. I’m too busy. The kids have too many activities. There are too many demands on my time.   That all stopped over the weekend. On the recommendation of a friend, I bought and watched Living on One Dollar. It’s a documentary about 4 US guys who went down to a small town in Guatemala and lived on one dollar a day. That was about the median income for the folks in that town. Seeing the living conditions. Seeing the struggle. It’s hard to live on that income. There is no margin for error. If you get sick you’re screwed because you don’t have money for drugs. You might not be able to afford to send your kids to school. If you are a day laborer and you don’t get work that day, you might not be able to feed your kids. If the roof is leaking, you might not have any money to fix it. But you know what I saw in that movie? Not despondency. Not fatalism, though I’m sure some folks probably feel that from time to time. I saw optimism. People in the town were taking out micro-loans to start their own businesses and then using the profits to go to school to better themselves. I saw kindness. One of the only people in the town with a regular salaried job gave money to another family that couldn’t afford medicine to help heal a sick mother. This was money he probably couldn’t spare. But he did anyway. I saw kids who want to learn a new language. They understand they had to work in the fields and might not be able to go to school every year, but they want to learn. They want to better themselves. They have the indomitable human spirit. Where many people would see pain and living conditions no one should have to suffer through, these folks saw optimism. Or the directors of the documentary showed that. They showed the impact of micro-finance. Basically it made me reconnect with gratitude. For where I was born. For the family I was born into. For the opportunities I have had. For the work I have put in to capitalize on those opportunities. Many of us won the birth lottery. We have opportunities that billions of other people in the world don’t have. So what are you going to do with it? I’m probably late the bandwagon, but I’m going to start making micro-loans. I know lots of you have done that for years, and that’s great. I’ve been too wrapped up in my own crap. But it’s never too late to start, so that’s what I’m going to do. So watch the movie. And then decide what you can do to help. And then do it. –Mike The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Leveraging Threat Intelligence in Incident Response/Management Introduction Endpoint Security Management Buyer’s Guide (Update) Mobile Endpoint Security Management Trends in Data Centric Security Introduction Use Cases Open Source Development and Application Security Analysis Development Trends Application Security Introduction Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Not so much Incite 4 U Oh about that cyber-policy… It looks like folks are getting interested in cyber-insurance. At least in the UK. And it’s mainstream news now, given that an article on Business Insider about the market. After the predictable Target breach reference they had some interesting numbers on the growth of the cyber-insurance market. To a projected over $2 billion in 2014. So what are you buying? Beats me. Is it “insurance cover from hackers stealing customer data and cyber terrorists shutting down websites to demand a ransom”? I didn’t realize you could value your data and get reimbursed if it’s stolen. And how is this stuff priced? I have no idea. A professor offers a good assessment: “When it comes to cyber there are lots of risks and they keep changing, and you have a general absence of actuarial material. The question for the underwriter is how on earth do I cover this?” And how on earth do you collect on it? It

Share:
Read Post

Leveraging Threat Intelligence in Incident Response/Management

It’s hard to be a defender today. Adversaries continue to innovate, attacking software which is not under your control. These attacks move downstream as low-cost attack kits put weaponized exploits in the hands of less sophisticated adversaries, making them far more effective. But frequently attackers don’t even need to use innovative attacks because a little reconnaissance and a reasonably crafted phishing message can effectively target and compromise your employees. The good news is that we find very few still clinging to the hope that all attacks can be stopped by deploying the latest shiny object coming from a VC-funded startup. Where does that leave us? Pretty much where we have been for years. It is still about reacting faster – the sooner you know about an attack the sooner you can start managing it. In our IR fundamentals series and subsequent React Faster and Better paper, we mapped out a process for responding to these incidents completely and efficiently, utilizing tactics honed over decades in emergency response. But the world hasn’t stayed still over the past 3 years – not by a long shot. So let’s highlight a few things shifting the foundation under our (proverbial) feet. Better adversaries and more advanced tactics: Attackers continue to refine their tactics, progressing ever faster attack from to exfiltration. As we described in our Continuous Security Monitoring paper, attackers can be in and out with your data in minutes. That means if monitoring and assessment is not really continuous you leave a window of exposure. This puts a premium on reacting faster. Out of control data: If you haven’t read our paper on The Future of Security, do that now. We’ll wait. The paper explains how the combination of cloud computing and mobility fundamentally disrupts the way technology services are provisioned and delivered. They will have a broad and permanent impact on security, most obviously in that you lose most control over your data, because it can reside pretty much anywhere. So how can you manage incidents when you aren’t sure where the data is, and you may not have seen the attacks before? That could be the topic of the next Mission Impossible movie. Kidding aside, the techniques security professionals can use have evolved as well, thanks to the magic of Moore’s Law. Networks are faster, but we can now capture that traffic when necessary. Computers and devices are more powerful, but now we can collect detailed telemetry on them to thoroughly understand what happens to them. Most importantly, with our increasing focus on forensics, most folks don’t need to argue so hard that security data collection and analysis are critical to effectively responding and managing incidents. More Data As mentioned above, our technology to monitor infrastructure and analyze what’s going on has evolved quickly. Full network packet capture: New technologies have emerged that can capture multi-gbps network traffic and index it near real time for analysis. This provides much higher fidelity data for understanding what attackers might have done. Rather than trying to interpret log events and configuration changes, you can replay the attack and see exactly what happened and what was lost. This provides the kind of evidence essential for quickly identifying the root cause of an attack, as well as the basis for a formal investigation. Endpoint activity monitoring: We introduced this concept in our Endpoint Security Buyer’s Guide and fleshed it out in Advanced Endpoint and Server Protection. This approach enables you to collect detailed telemetry from endpoint devices, so you see every action on the device, including what software was executed and which changes were made – to the device and all its files. This granular activity history enable you to search for attack patterns (indicators of compromise) at any time. So even if you don’t know activity is malicious when it takes place, you can identify it later, so long as you keep the data. A ton of data: The good news is that, between network packets and endpoint telemetry, you have much more more data to analyze. The bad news is that you need technology that can actually analyze it. So we hear a lot about “big data” for security monitoring these days. Regardless of what it’s called by the industry hype machine; you need technologies to enable you to index, search through, and find patterns within the data – even when you don’t know exactly what you’re looking for. Fortunately other industries – like retail – have been analyzing data for unseen and unknown patterns for years, and many of their analytical techniques are now being applied to security. As a defender it is tough to keep up with attackers. But many of these new technologies help to fill the gaps. Technology is no longer the biggest issue for detecting, responding, and managing threats and attacks. The biggest problem is now the lack of skilled security professionals to do the work. In Search of… Responders It seems like every conversation we have with CISOs or other senior security professionals these days turns at some point to finding staff to handle attacks. Open positions stay open for extended periods. These organizations really need to be creative to find promising staffers and invest in training them, even though they often soon move on to a higher-paid consulting job or another firm. If you are in this position, you aren’t unique. Even the incident response specialist shops are resource constrained. There just aren’t enough people to meet demand. The security industry needs to address this on multiple fronts: Education: Continued investment in training people to understand core skills is required. More importantly, these folks need opportunities and resources to learn on the job – which is really the only way to keep up with modern attackers anyway. Automation: The tools need to continue evolving, to make response more efficient and accessible to less sophisticated staff. We are not talking about dumbing down the process, but instead about making it easier and more intuitive so less skilled folks

Share:
Read Post

Increasing the Cost of Compromise

It seems to be all threat intelligence all the time in the tech media, so I might as well jump on the bandwagon. My pals Wendy Nather of 451 and Jamie Blasco of AlienVault recently did a webcast on the topic. Dan Raywood has a good overview of the content. Wendy does the analyst thing and categorizes the different types of threat intelligence. She points out that sharing is taking place, but more slowly than it should. Jamie then makes a compelling case for why everyone should share threat intel when possible. Shared intelligence increases the cost of compromise. …by removing the secretive aspect, (i.e vendors keeping their threat intelligence close to their chests and monetising it – instead of making it freely available) we can force attackers to raise the bar and spend more and more money on their infrastructure, which decreases the return on investment for cyber criminals. Attackers make crazy money leveraging their tactics. They can buy an inexpensive attack kit (with Bitcoins) and use it a zillion times. If you aren’t talking to your buddy, you don’t know what to look for. If you don’t have a list of C&C nodes or patterns of exfiltration, then when they hit you it won’t immediately raise an alarm. And you will lose. By sharing information we can force attackers to change their attacks more frequently. They will need to turn over botnet nodes faster. Let’s cost them more to do business. Can we make enough difference for them to give up and stop attacking? NFW. They will still make a ton of coin, but over a long enough period this kind of information sharing can get rid of less sophisticated attackers who would make more money doing something legit – you know, like gaming search engine results. Photo credit: “Cento’s Prices (Awesome sign)” originally uploaded by Dave Fayram Share:

Share:
Read Post

Incite 7/2/2014 — Relativity

As you get older time seems to move faster. There may be something to these theories of Einstein. It’s hard to believe that yesterday was July 1. That means half of 2014 is in the rear view mirror. HALF. That’s unbelievable to me. Time is flying at the speed of light. I look at the list of things I wanted to do and it’s still largely unfinished. I did a bunch of things I didn’t expect to be doing. Though I guess that’s always the case. Back when I was flying solo at Security Incite, I would revisit my trends for the year and see what I got right and what not so much. We don’t do formal trends, though we do post our ideas for the coming year in our RSA Guide. We don’t really go back and check on those, so maybe I’ll do that over winter break. But right now, there is other work to be done. You see we are all in the maelstrom. It has been a crazy 6 months. The business keeps increasing in scale. We don’t. So it’s been sleep that fell off my table. I’m holding up pretty well, if I do say so myself. Maybe there is something to this healthy mindful lifestyle I’m working toward. Though I’m very cognizant of the fact these are first world problems. And on a relative basis, things probably couldn’t be going much better. Not while allowing us the flexibility we have running our own business. And no, I’m definitely not looking for sympathy that I’m working with great clients, doing cool projects. That my research agenda, which candidly was pretty opportunistic, turned out to be pretty close to what’s happening. That 5 years in our clients know what we do and how we do it, and continue to come back for me. These are good problems to have. It’s a good gig, and we all know it and are very thankful. But there is always that little voice in the back of my head. That little reminder that what goes up, eventually comes down. I have been around too long to think I have figured out how to suspend the laws of physics. That Einstein guy again! Bah! To be clear, I’m not doing this in a fearful or paranoid way. It’s not about me being scared that something will go wrong. It’s about wanting to be ready when it does. So I let my unconscious mind churn through the scenarios. While meditating I will indulge my internal planner for a short time to make sure I know how to respond. And then I let it go. The good news is this doesn’t consume me – not in the least. I’m not naive, so I know you need to assess all the possibilities. But I don’t assess them for long. I mean who has time for that? –Mike Photo credit: “Speed of Light” originally uploaded by John Talbot The fine folks at the RSA Conference posted the talk Jennifer Minella and I gave on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Endpoint Security Management Buyer’s Guide (Update) Mobile Endpoint Security Management Trends in Data Centric Security Introduction Open Source Development and Application Security Analysis Development Trends Application Security Introduction Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Sell yourself: Epic post by Dave Elfering about the need to sell. Everyone sells. No matter what you do you are selling. In the CISO context you are selling your program and your leadership. As Dave says, “To truly lead and be effective people have to be sold on you; on what and who you are.” Truth. If your team (both upstream / senior management and downstream / security team) isn’t sold on you, you can’t deliver news they need to hear. And you’ll be delivering that news a lot – you are in security, right? That post just keeps getting better because it discusses the reality of leading. You need to know yourself. You need to be yourself. More wisdom: “Credentials and mad technical skills are great, but they’re not who you are. Titles are great, but they’re not who you are. Who you are is what you truly have to sell and the leader who instead relies on Machiavellian methods to self-serving ends is an empty suit.” If you can’t be authentic you can’t lead. Well said, Dave. – MR Security pin-up: Australia plans a rollout of PIN (Personal Identification Number) codes for credit and debit card transactions later this year. The Australian payment processors association’s current report shows total card fraud rates have doubled between 2008 and 2013. While the dollar amount per

Share:
Read Post

Updating the Endpoint Security Buyer’s Guide: Mobile Endpoint Security Management

In a rather uncommon occurrence, we are updating one of our papers within a year of publication. As shown by our recent deep dive into Advanced Endpoint and Server Protection, endpoint security is evolving pretty quickly. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it has become clear that we need to dig a bit deeper into securing mobile endpoints, so we will. But the change requires a bit of context. We have said for years that management is the first problem users solve when introducing a new technology. Security comes only after management issues are under control. That has certainly been true of mobile devices, as evidenced by the rapid growth, maturity, and consolidation of Mobile Device Management (MDM) technologies. But you cannot really separate management from protection in the mobile endpoint context, as demonstrated by the fact that security features appeared very early among MDM offerings. Mobile devices are inherently better protected from malware attacks due to more modern mobile operating system architectures; so hygiene – including patching, configuration, and determining which applications can run on devices – becomes their key security requirement. This means there is leverage to gain by integrating mobile devices into the device management stack (where applicable) to enforce consistent policy regardless of device, ownership (for BYOD), or location. This has driven significant consolidation of mobile management companies into broader IT management players. In this update of the Endpoint Security Buyer’s Guide we will dig into mobile endpoint security management, defining more specifically what needs to be managed and protected. But most of all, we will focus on the leverage to be gained by managing these capabilities as part of your endpoint security management strategy. Defining Endpoints One of the key points we made early in the Endpoint Security Buyer’s Guide is that the definition of endpoint needs to be more inclusive. From a security standpoint if the device can run applications, access corporate data stores, and store corporate data locally, it is an endpoint and needs to be managed and protected. Smartphones and tablets clearly fit this bill, along with traditional PCs. Organizationally management of all these devices may not fall within a single operations group. That company-specific decision reflects business realities, particularly at large-scale enterprises with thousands of employees and huge IT shops which can afford specialist teams by device. In many smaller companies (the mid-market), we see these operational functions consolidated. But who does the work is less important than what is done to protect mobile endpoints – consistently and efficiently. Managing Endpoint Device Security Hygiene tends to be the main focus for managing mobile endpoint security, so here is a list of what that means in the mobile endpoint context: Enrollment: New devices show up, so registering each device and assigning it proper entitlements begins the process. This is typically handled via a self-service capability so users can register their devices and accept the organization’s policies (especially for employee-owned devices) without waiting for help desk intervention. Of course you cannot assume everyone gaining access will register their devices (especially attackers), so you will want some kind of passive discovery capability to identify unmanaged devices as well. Asset management: Next after enrollment comes the need to understand and track device configuration and security posture, which is really an asset management function. There may be other similar capabilities in use within the organization (such as a CMDB), in which case integration and interoperability with those systems is a requirement. OS configuration: Configuration of mobile endpoints should be based on policies defined by groups and roles within the organizations. These policies typically control many device aspects – including password strength, geolocation, activation lock, and device encryption. OS vendors offer robust and mature APIs to enable this capability, so most platforms offer have similar capabilities. Technology selection largely comes down to leverage managing policies within a consistent user experience across all devices. Patching: Software updates are critical to device security, so ensuring that mobile endpoints are patched in a timely fashion is another key aspect of mobile endpoint security. For mobile devices you will want to be sure you can update devices over the air, as they are often beyond reach of the corporate network, connecting to corporate networks only infrequently. Connectivity: An organization may want to actively control which networks devices use, especially because many public WiFi hotspots are simply insecure. So you will want the ability to specify and enforce policies for which networks devices can use, whether connections require a VPN to backhaul traffic through a central gateway, and whether to use a mobile VPN service to minimize the risk of man-in-the-middle and side-jacking attacks and snooping. Identity/group roles and policies: This capability involves integrating the mobile endpoint security management policy engine with Active Directory or another authoritative identity store. This leverages existing users and groups – managed elsewhere in the organization – to set MDM policies. As you build your mobile endpoint security management strategy, keep in mind that different operating systems offer different hooks and management capabilities. Mature PC operating systems offer one level of management maturity; mobile operating systems are maturing rapidly but don’t offer as much. So to provide a consistent experience and protection across devices you might need to reduce protection to the lowest common denominator of your least capable platform. Alternatively you can choose to support only certain functions on certain devices. For example PCs need to access corporate data (and SaaS application) over the corporate VPN, so they are easier to compromise and present more risk. Whereas more limited mobile devices, with better inherent protection, might be fine with less restrictive policies. This granularity can be established via policies within the endpoint security management platform. Over time MDM platforms will be able to compensate for limitations of underlying operating systems to provide a stronger protection as their capabilities mature. Managing Applications The improved security architectures of mobile operating systems have required attackers to increasingly

Share:
Read Post

Knucklehead-Employee.com

You have to love it when your employees take some initiative and aggressively take it to the competition who is cleaning your clock. They spend their time working the product, refining the messaging, and getting your mojo back in the market, right? Or you can just buy a domain like competitorFAIL.com and post some sophomoric insults at the competition. I’m pretty sure that favorably impacts the sales cycle, though it may more favorably impact the employee’s self-esteem. You might think this is a joke, but it’s not. Some HP ArcSight folks figured that if they couldn’t compete in the market, they might as well just insult Splunk, and that would help. They bought splunkfail.com and posted some zingers like this one on the Tweeter. “Splunk is a security company #AprilFoolsDay.” (April 1, 2014 @splunkfail). Seriously. This really happened. ROFL. Literally – I actually rolled on the floor laughing. The folks at Starbucks were not amused. Neither were the Splunk folks, and they (rightfully) complained to HP’s Ethics officer, who promptly dealt with the situation, resulting in those employees pulling down the site and giving the domain to Splunk. Though HP did claim no responsibility for the rogue employees. Maybe they will accept responsibility for providing an endless stream of LOLs for the rest of us. Share:

Share:
Read Post

Incite 6/25/2014: June Daze

I’m not sure why I ever think I’ll get anything done in June. I do try. I convince myself this year will be different. I look at the calendar and figure I’ll be able to squeeze in some writing. I’m always optimistic that I will be able to crank through it because there is stuff to get done. And then at the end of June I just shrug and say to myself, “Yup, another June gone and not much got done.” That’s not really true. I did a lot of travel. I took some great vacations with the family. I had great meetings with clients. But from a deliverables standpoint, not much got done at all. I shouldn’t be hard on myself because I have been at home a grand total of 30 hours for the entire month thus far. Seriously, 30 hours. Yes, I understand these are first world problems. I mentioned that the girls dance at Disney, then it was off to the west coast for a client meeting. Then I flew across the pond for a couple days in London for the Eskenzi PR CISO forum. For the first time (shocking!), I got to tour around London and it was great. What a cool city! Duh. As I mentioned in Solo Exploration I’ve made a point to explore cities I visit when possible, and equipped with my trusty mini-backpack I set out to see London. And I did. I saw shows. I checked out the sites with the rest of the tourists. I took selfies (since evidently that’s what all the kids do today). I met up with some friends of friends (non-work related) and former colleagues who I don’t get to see enough. It was great. But right when I got home, it was a frantic couple hours of packing to get ready for the annual beach trip with my in-laws. Yup, told you this was a first world problem. I did work a bit at the beach, but that was mostly to make sure I didn’t drown when I resurfaced today. I also had some calls to do since I wasn’t able to do them earlier in the month, and given that I commit to family time by noon, there wasn’t a lot of time to write. There never is in June. Then last Sunday we dropped the kids off for their 6+ weeks of camp and I spent another couple days meeting friends and clients in DC around a certain other analyst firm’s annual security conference. So by the time we packed up the van and headed back to ATL yesterday, I have basically been gone the entire month. Now I have a few days in ATL to dig out and then it’s another quick trip next week. Yes, this is the life I chose. Yes, I really enjoy the work. And yes, I’m in a daze and it won’t slow down until the middle of July. Then I’ll get to bang through the backlog and start work on summer projects. I could make myself crazy about what’s not getting done, or I can take a step back and remember things are great. I choose the latter, so I’ll get done what I can and smile about it. I will be sure to be a bit more realistic about what will get done next June. Until I’m not. –Mike Photo credit: “Daze” originally uploaded by Clifford Horn The fine folks at the RSA Conference posted the talk Jennifer Minella and I gave on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Trends in Data Centric Security Introduction Open Source Development and Application Security Analysis Development Trends Application Security Introduction Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Problem fixed. Now clean up your mess. Yes, some 300k sites have yet to patch the OpenSSL ‘Heartbleed’ vulnerability, but a more troubling issue is that residual leaked data will cause ongoing problems, as Robert Hansen illustrated in The Ghost of Information Disclosure Past. Many vulnerable sites had credentials scraped, and while they asked their users to reset their passwords, they did not force resets. Attackers now have accumulated credentials which can provide fun and mayhem for anyone with 5 Bitcoins. The Heartbleed cleanup is messy, and in cases where (potentially) all user passwords could be compromised, it is best to “nuke from orbit” and require resets for all registered users. No one said it was easy, right? – AL You too can be a security person: There is no doubting the skills shortage in security. We routinely talk to folks who have open positions for 6-12 months and they are significantly compromising on the skills & capabilities of candidates.

Share:
Read Post

Mobile Malware Supply and Demand

Just in case you thought supply and demand don’t apply to our little area of the world, think again. It is interesting to read about a $5,000 malware kit targeting Android. Dan Goodin digs into the specifics of the iBanking malware kit, the breadth of its capabilities, and how it proliferates (typically against users already infected with financial malware on their PCs); and resists whitelists to evade detection and prevention. But why does this particular package warrant such a high price? Market opportunity, of course. With the number of Android phones out there, the math indicates it is probably a worthwhile investment, especially given the number of folks doing mobile banking and commerce. See? Supply and demand. Econ 101, folks. Not long ago, the so-called iBanking malware package offered little more than a way for traditional PC trojans that target online bank accounts to bypass two-factor authentication protections. While the interception of incoming and outgoing SMS messages remains the main selling point, iBanking has morphed into the Swiss Army knife of Android malware. Included in the $5,000 fee is the ability to redirect incoming voice calls, covertly capture sounds within range of the device’s microphone, track geolocation, access the file system, and remotely corral the device into sprawling mobile botnets that use either HTTP or SMS to communicate, depending on the current network status of the infected handset. There is also a free version of iBanking available, but many attackers opt for the paid version which includes updates and support. That’s awesome, and nicely illustrates that software is software and freemium is a great market-building strategy. Whatever your product does… Photo credit: “excellent visual aid” originally uploaded by arianne Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.