Securosis

Research

Incid#*%$ Happen: Manage Them

We all fall into the trap of adopting industry lingo to describe various functions. But when you take a step back, and think about mental cues we need to perform our best, sometimes it makes sense to look at things a bit differently. We all call the function of dealing with an attack incident response now. To be clear, respond is a better word than react because it at least implies logical thought about how to respond. But the next step is to manage incidents. Integriography has a good post about this distinction, with an analogy that will warm Rich’s heart – comparing processes to Emergency Management. I knew I have heard that before somewhere… Tornados, earthquakes, fires, automobile accidents, heart attacks, and many more emergencies happen daily. Rather than treating these as one off incidents that require all hands on deck, emergency services plan, recruit, train, and respond in a very calm, business like manner because it is their normal business. Right. Dealing with attacks is our normal business. So it’s time we start managing to that. It is probably time to update our terminology to reflect this. (h/t to grecs, who pointed me to this post.) Photo credit: “Emergency” originally uploaded by michaelgoodin Share:

Share:
Read Post

Incite 6/11/2014: Dizney

This week I will take a page from Adrian’s Friday Summary approach, and just offer a stream of consciousness about the recent trip the family and I took to DisneyWorld. We went down there to watch the girls dance in Downtown Disney. Their dance company does this every other year, which means we are down in Orlando doing the Disney thing every two years. Trying to be more present and aware in my daily life was interesting in a place like Disney. So let me start with a few observations. First of all, it’s expensive to hang out with the Mouse. We get a great deal on tickets to the parks and it still costs a metric crap ton of coin to be there for a couple days. Then you throw in food, bottled water, and the bargain $8 ponchos (which are a bargain during the 20 minute daily downpours) – and it’s not a cheap vacation. Next you have people of all shapes, sizes, nationalities, languages, cultures, etc. If you think America in general is a great melting pot, spend a little time at Disney. You see young and old. Extended families. Those from the US and those not. Newlyweds. Bachelorette parties and all sorts of other groups. Most of these families have group t-shirts on. I just don’t get that. Do you think they wear that T-shirt any other time? Okay, don’t answer that. Actually the best shirts we saw all week were on a family that said, “We don’t believe in family trip t-shirts.” On all 20 of them. Hilarious. The diversity you see is really cool. The downside for me is varying levels of hygiene. I have a pretty sensitive nose and it can get a little steamy in June in Orlando. So standing on line for 40 minutes to ride Peter Pan (I’m still peeved at XX1 about that) next to a group that don’t get deodorant is unpleasant to say the least. You can also see the impact of mobile technology. We let XX1 roam around EPCOT with her dance friends one of the days. We always knew how to get in touch with her. The expectation was that she would check in every hour or so. And worst case we could always use Find My Friends to see where she was. I noticed loads of people with heads down on mobile devices as they walked the park. They were missing the experience, but that’s the culture today. Same goes for folks who watch rides or their kids dancing through the viewfinder of a camera. That doesn’t work for me but it’s common. One dude got it right and had a GoPro camera affixed to his kid’s stroller. I guess to record the reactions to seeing Mickey and the like. That was pretty cool – like a second set of eyes. I didn’t see anyone with Google Glasses on, so there’s that. Last summer I rued missing XX1’s first experience riding a big roller coaster. I did make amends by doing the Rock and Roller Coaster with both the girls and then the Tower of Terror. The girls couldn’t be more different. XX1 was cursing up a storm on both rides (though she did ask before spewing profanity – manners first). I wonder where she got that from? The Daredevil (XX2) was laughing throughout both rides. And best of all, I was right next to the Boy as we rode the Everest coaster in Animal Kingdom. He was scared, like I was the first time I rode a coaster. Which was a little curious given he has no issue doing a 5-story drop at the water park. He cried a little as we boarded the car, much to the chagrin of the family behind us – who thought I was a monster forcing my son onto the ride. I was in his ear the whole time assuring him it was going to be great. As we made the first climb, he ducked a little to not see much of anything. Then we were off, and as he squeezed my hand through the backwards drop and as we pulled a G or 2 through the curves and drops. You know what? He survived. And he loved it! I loved being there right next to him as he experienced it. That’s what being a Dad is all about. The reason we went to Orlando also worked out marvelously. Despite raining pretty much all day, the sun came out and shined during their performance. And the girls shined as well. I have mentioned there are few things more gratifying than seeing your kids excel at something they are passionate about. So as long as they want to dance in Disney, I’ll be down there every two years, contributing to the Mouse economy and riding roller coasters with all my kids. And loving every minute of it. –Mike Photo credit: “Mickey Mouse Magician” originally uploaded by Alain The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. June 2 – Sputnik or Sputnot May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed

Share:
Read Post

Incite 5/28/2014: Auditory Dissonance

I didn’t want to become that Dad. The one who says, “Turn that crap down.” Or “What is this music?” Or “Get off my lawn!” I didn’t want that to be me. I wanted to be the cool Dad, who would listen to the new music with my kids and appreciate it. Maybe even like it. For a while, I was able to do that. Let’s backtrack a bit. I control the iTunes account in the house. That allows me to centralize apps for all the kids and their devices, and more importantly make sure we keep spending within reason. Even better, it gives me the ability to give the kids a hard time about buying an app or song. They love being scrutinized over a $1.99 app. Don’t tell them I spend more than that on coffee every day. To be clear, it’s not worth my time to even think for a minute about an app, but I still get enjoyment out of making them present a case for why they need the latest version of Clash of Clans or Subway Surfer. That also means that when XX1 wants to buy new music, she has to come through me. So about 3 or 4 times a year I get a list of 40-50 songs she wants to buy. She has her own money, so it’s not a money thing. But I won’t give her access to the account (since that would end very badly), so I have to buy the songs myself. Which means I have to listen to some of them. For quite a while, I was fine with that. I like some of the stuff XX1 listens to – statistically about half the pop music she listens to is tolerable with a decent groove and melody. But over the weekend I hit my limit. I was checking her song list before camp, and 90% of the music was just awful. And at that moment, I became that guy. The guy who just doesn’t understand the noise kids are listening to today. Of course I couldn’t let it go. I had to ask, “What the hell is this stuff?” She just shrugged. It’s her money, so I couldn’t tell her not to waste it on crap music. And I think I saw her chuckle the “you just don’t understand, old dude” chuckle. You know that chuckle because it’s how you reacted when your folks wondered about Elvis or the Beatles or Pink Floyd or Springsteen when you were growing up. I guess I am that old dude. And I just don’t understand. Though that doesn’t make it any easier to explain to my friends why I have Bieber songs in my iTunes library. Those songs are for XX1, really! That’s my story and I’m sticking to it. –Mike Photo credit: “Noise” originally uploaded by richardoyork The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U At least there is consistency: Love those survey-based media campaigns, where a company sponsors a survey to determine that a certain industry is vulnerable. Just like every other industry. It’s awesome. So I enjoyed the FUD-tastic writeup of a survey paid for by ThreatTrack, which showed (through a whopping 200 person survey) that energy companies are vulnerable to attack. 61% said the biggest threat comes from email. Shocker. Web is next at 25% and mobile at 3%. Yup, that sounds about right. Even better, 40% thought they’d be targeted by advanced attacks. The other 60% have an appointment on Thursday to see their therapist to deal with the self-esteem issues. – MR That’s WEAK: eBay users are noticing for the first time – post breach of password hashes – that eBay does not allow long passwords. eBay sent email instructing users to reset passwords this week; one week after we heard about the data loss. But those are pesky details, right? Those who took it seriously enough to create strong passphrases to resist brute-force password cracking noticed their long passwords were not allowed. Worse, passwords longer than 20 characters were labelled ‘weak’. Not cool, but remember that eBay – like many firms – only uses passwords as one hurdle; they rely on fraud analytics and monitoring

Share:
Read Post

Translation Machine: Responding to (Uninformed) Bloggers

One of the things I don’t miss about running a marketing team is worrying about responding to negative press. It’s a lot worse today, now that you not only have to spin less informed beat reporters who frequently troll for page views by misrepresenting competitive nonsense. But also bloggers and Tweeters who make things up say things about the product. So I thought I’d do everyone a service and translate this response from Palo Alto Networks’ Scott Gainey to Stiennon’s public supposition that PANW and FireEye violate Microsoft’s license agreement by running instances of Windows in their sandbox environment. I’ll excerpt from Scott’s blog post and provide my translation. Let’s be clear – Scott may or may not have been thinking these things as he was cobbling together his politically correct response. This is what I would be thinking if I were in his shoes. “Richard Stiennon recently wrote an informative article in Forbes…” Translation: Oh crap, what is he pronouncing dead this time? Informative? What I meant to say is “…wrote a speculative, click baiting, ambulance chasing pile of nonsense.” But I’m not Nir, so I can’t say stuff like that in public. Instead, I’ll just anonymously send him this eye chart. “Our solution was simple. Palo Alto Networks licenses every instance of Microsoft software on each WildFire WF-500. There were no shortcuts taken.” Translation: But clearly he took some shortcuts in his research. Boy, if that guy had done any work, he would have figured out that we have to charge a crapton of money for the on-prem version of the sandbox for this very reason. Those friggin’ pirates at Microsoft. They get paid coming and going. But I understand – how is he supposed to generate page views without poking high-flying public companies? “Recently, Microsoft notified us of a new licensing model designed for embedded security devices that use virtual instances of Windows. From our perspective, this decision will not impact our existing customers. We are actively engaged with Microsoft to take advantage of this new licensing model that we’ll transition to as soon as agreements are set.” Translation: I’m not sure if this guy is short our stock or something, but if anything the new licenses will make things more efficient for us from a cost of goods sold standpoint. Win! I’ll tip my hat to Scott. He presented a well-reasoned case, and didn’t get defensive or emotional about it. I probably would have had to write 10 versions of this thing before I could wring all the venom out. On the other hand, he could have just ignored Stiennon… like FireEye did. Photo credit: “Tablica do badania wzroku z reklamy Vision Express” originally uploaded by trochim Share:

Share:
Read Post

Incite 5/21/2014: Recitals

As we get into late May it is getting to be summer in the ATL. The kids finish up school this week, the pools open, and my standard work attire consists of shorts, a T-shirt, and flip flops. The Boss is frantically getting the kids ready for camp, and we have a few family trips planned before they leave. But first things first – this is the one week a year I won’t travel. It’s dance recital week. I used to be very diligent about not missing well check-ups with the pediatrician. But as the kids get older, especially the girls, it has become a bit awkward for me to be in the room. That’s a bit of a bummer, but I understand. Recitals are something else. I’m sure I have mentioned it before, but the girls don’t dance in the most competitive studio. There is no Black Swan action here. No anorexic high schoolers trying to audition for the Bolshoi. It’s a bunch of girls (and a few brave boys) with a passion for dance, which shows during recitals. So I gladly reserve a week at home, regardless of how loudly duty calls, and I’ll be watching recitals on Monday, Tuesday, and Wednesday nights. This has been an annual ritual for at least 8 years, and they all blur together. Lots of sparkles, sequins, and hair buns. Some ballet, modern, contemporary, tap, and even hip-hop. Each night they do maybe 25 routines. Seeing the 4 and 5 years olds go on stage brings back great memories. Seeing the seniors do their solos is a glimpse into the future. The studio just started a program with special needs kids, and it’s uplifting to see them get up on stage and dance as well. Limitations only exist in our minds, so it’s great to see kids up there held back by nothing but their own courage. Monday night’s show featured XX2 in 6 routines. She’s in a very large group, so sometimes it’s hard to see her. But she shines up on the stage like a supernova. With a featured spot in one of the routines, you could see the performer in her. The artist. I have no idea what her future holds but she’ll be in front of people in some way, shape, or form. She’s just too comfortable on stage to not pursue that path. Having gone for so many years, I have gained perspective into how the dancers grow – both physically and skills. The munchies (little girls) have no idea what’s going on. They wave to the crowd and muddle through the routine, and they just have a lot of fun. At some point when they are no longer little girls, we watch the routines and go holy crap, these kids can dance. That moment happened for me this year when I got to the studio a little early a few weeks back and saw XX1 practicing her modern dance routine. The last third of the routine I saw was beautiful. Their movements were graceful and fluid. They were in their element. It was all I could do not to tear up right there, seeing my girl and her friends blossom into dancers right in front of my eyes. I won’t see that routine live until Tuesday night (I write the Incite during the day Tuesday). I can’t wait. They say parents enjoy the accomplishments of their kids a lot more than their own. I’m working on recognizing my achievements, but there is nothing like seeing your kids having fun, doing something they are passionate about. So I’ll keep going to the recitals (and tennis matches and lax games) as long as they play and perform. And for those couple hours time will stop. As it should. –Mike Photo credit: “Melbourne Recital Centre” originally uploaded by Wojtek Gurak The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts, and Twitter timeline will all be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U It didn’t take long to commoditize threat intelligence: We have been writing for a while about threat intelligence – most recently about how TI fits into the security monitoring process. Next up on our research plans is a look at how TI can be leveraged in incident response

Share:
Read Post

When Security Services Attack

In the unintended consequences file, it’s awesome when big honking devices to stop attacks get owned and blast other sites. Yup, the folks at Incapsula found a huge DDoS that was leveraging equipment from two (not one, but two!) DDoS protection services. The perpetrators hijacked and leveraged the power of two separate high-capacity servers belonging to unnamed DDoS protection services providers, Zeifman said. He explained that this type of strong network infrastructure, built to defend against volumetric attacks, offers attackers a way to “fight fire with fire.” What’s great is that DDoS mitigation service providers are justifiably more focused on ingress traffic and getting rid of crap. Outbound stuff gets less scrutiny. So it was easy for attackers to hide in the flood of other traffic. This is just a reminder that if it can be used against you, it will. And ‘it’ is anything. Share:

Share:
Read Post

CEO on Line 2

It has been a couple weeks since Target’s CEO was fired. Maybe not officially fired, but for all intents and purposes that’s what happened. The data breach was the most visible reason, though as George Hulme points out that was really a red herring. It’s easy to peg all of these changes at the feet of the data breach, and I think the breach is certainly part of the mix for these recent shake-ups. But Target was having execution troubles prior to the breach. Most notably its huge misstep into the Canadian market… The Slant blog, at InvestorPlace, advised its readers to sell Target stock, not because of the breach, but because of weak sales and profits that had nothing to do with the data breach… That said, any time a CEO’s head rolls down the hall, every other CEO with their head still attached wants to make sure that won’t happen to them. So they make a couple calls. The first is likely to the CFO, and then the CIO. They will offer up some platitudes, and tell how much work has been done on security, and what the amount of investment looks like. Then they will talk about how the CISO has been driving that program. So if you are the CISO (or the senior security professional), you get the call after those. In fact I would be pretty surprised if many CISOs in enterprise-class companies weren’t having little sit-downs with their CEOs, and maybe even the audit committees, to revisit program and address gaps. Obviously this should be happening on an ongoing basis (and probably does), but these out-of-cycle meetings will happen as well. Which brings up the question: what do you say? Are you honest when the CEO asks whether that kind of breach can happen to your organization? Do you tell him/her that despite continued (significant) investment, your answer is the same: you have no idea? Actually, that’s exactly what you do. You stay consistent, which (should be) brutally honest about your security posture and your risks. Some CEOs want you to blow smoke up their backside, and if that’s the case dust off your resume. If the CEO wants to hear the truth, tell him/her. They should know what’s at stake. As Dave Lewis says: But, the reality in a large corporation such as this there is often a need for a significant event in order to affect change. Though hopefully you don’t need to parade into your CEO’s office with another CEO’s head on a pike to make your point. All the same, it’s an opportunity, so don’t squander it. Photo credit: “Head on a pike” originally uploaded by Newtown graffit Share:

Share:
Read Post

Incite 5/14/2014: Solo Exploration

Is it possible to like interacting with people, yet need time alone? To really enjoy working in a team, yet cherish a night of solitude? I have always defined myself as an introvert. It provided a convenient excuse when I just didn’t want to deal with people. Though I do need my solo time to recharge, that’s for sure. But I also need to be social. Not all the time and not for extended periods of time, but a life of solitude doesn’t really appeal to me either. It’s an interesting contrast. I am on the road this week. Again. I’m not going to complain because I really enjoy working with clients, attending conferences, and seeing friends. It also means I’m busy, which is key in a small shop. But Monday night I didn’t want to mingle. In a conference situation I’m always on. It’s exhausting. By the end of the day Monday I was done. Normally I’d just get room service and stare at my computer, pretending to be ‘productive’. But Monday night the idea of another night in a nondescript hotel room wasn’t interesting. I needed to do something, but there were no major sports in town. And the local ballet and shows were dark since it was Monday night. Thankfully a quick search of the Google showed me the answer. It was time for some solo exploration. I found a show staged by a local theater company, only a short cab ride away. So I went to see it – by myself. I didn’t have a ticket. I didn’t take a map. I was in Canada, and being a cheap ass I didn’t even have Internet service on my phone. So no ability to have my magic device tell me things. I didn’t care. I was exploring. Not like Edmund Hillary or anything. But like a middle aged business guy in a city. The show was great. The experience was great. It was about how the decisions we make influenced by our fears and perceptions can get us in trouble. But it had a good ending and a better message about kindness and perseverance. Better yet, I got my time to recharge. I woke up Tuesday morning ready to go. Not long ago I would have been content to just sit in my room and maybe watch some sports. No longer. If I’m going to travel I may as well explore a bit. It’s a big world – I’m going to check it out. One city at a time. –Mike Photo credit: “Solo” originally uploaded by Ruth Flickr Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness Feb 10 – Mass Media Abuse 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Rich and Adrian are traveling this week, so no Incite from them. I do not judge. Though I point out that I’m on the road as well… First they’ll come for AV… Wendy makes a great point about how all these new-fangled advanced and next-generation security technologies don’t claim to replace the existing stuff. At least not on endpoints. Why? I am stumped, and I have been advising all these advanced endpoint folks to bundle in an AV engine to take that issue off the table. Why position a complimentary product, forcing customers to buy and run the old AV stuff as well, when they could go for the whole enchilada? Oh, it’s scary. Customers have inertia. Assessors may squeal like stuck pigs. But here’s the dirty little secret. Customers want to buy one solution. They want simplicity. They want bundling. Most of all they want something that works. I agree that bundling will continue among security products, and the traditional endpoint protection product will be first on the extinction list. – MR Time is your enemy: I didn’t mention anything specifically related to Mandiant/FireEye’s M-Trends report when it hit back in mid-April, but I should have. It is another great report providing useful perspective on attack trends. Richard Bejtlich does all of us a favor and highlights a key finding: time. His point, in referring to the Syrian Electronic Army’s attack on a media company, is that within a day an adversary will update malware to make it even harder to find. So once a device has been compromised the clock starts to tick. The good news is that Mandiant saw a general decrease in dwell time in 2013 (compared to 2012), but a decrease in the percentage of attacks discovered by the victim. Two steps forward, one step back – while we’re playing beat the clock. Progress

Share:
Read Post

Incite 5/7/2014: Accomplishments

Yesterday I was in Winnipeg. By choice! I was invited to speak at the Western Canada Information Security Conference, and there isn’t much I like better than giving talks in Canada. Folks are nice. They appreciate when you come up to their towns to talk. They don’t say much during the pitch, but they come up after the session or in the coffee line and make it clear that they were listening. Just like in the Northeast. OK, not so much. I was doubly excited to do yesterday’s talk because they asked me to do my Happyness talk. It is my favorite talk to do – not because I think it provides a good message for the audience… even though it does. Not because it gives people tools to deal with the despondency that is part of the security profession… although it does that too. I love giving the Happyness talk because it forces me to take a look at where I’ve been and what I’ve done to improve myself over the past 7 years. When I first put the pitch together, I had a picture of Grumpy with the caption: “My alter ego.” When I updated the pitch last year, I changed that caption to be: “I used to be this guy.” That’s right, I’m no longer grumpy. Really. If you perceive me being grumpy, you bought into my persona. That’s not me anymore. If you met me today and didn’t know me, you wouldn’t think I’m grumpy or even curmudgeonly. I didn’t really appreciate that fact until I was going through the deck this week to do some minor tuning. I realized I have spent a long time trying to improve my mental game. To deal with my impatience and anger. To do this I embraced mindfulness practices (see the Neuro-hacking talks I do with JJ) and it has made a huge difference in my mental health. I need to celebrate that accomplishment. So I think I will. Of course that doesn’t mean I don’t get frustrated or impatient anymore. I’m human, contrary to popular belief. But I don’t hold onto the frustration, and the impatience passes quickly. Which, given where I started, is pretty cool. While I’m celebrating I should probably acknowledge how I have transformed my physical self as well. Back in 2006 I was 70 pounds heavier with high blood pressure and all sorts of other issues starting to manifest. So I decided I was tired of being fat and out of shape and dedicated myself to change. It has been a long process and it is still a daily battle, but at this point I am in the best shape of my life – in my mid-40s. Go figure. That warrants a celebration, no? I was on the express train to the grave and now I have a chance to live long enough for my kids to have to change my diapers. I don’t know how long I’ll be here, but when I go it won’t be because I didn’t take care of myself. So today I will celebrate my accomplishments, both mind and body. I don’t really ever pat myself on the back, so this is both new and uncomfortable. But I’ll do it because I should. Because hard work should be acknowledged – even if it is only acknowledging yourself. [5 minutes pass] OK, I’m done celebrating. There is work to do. Windmills to chase. Things to accomplish. But this is progress for me. I usually don’t celebrate accomplishments for even 5 minutes. It actually feels pretty good. Come to think of it, I highly recommend it. There may be something to this celebration thing… –Mike Photo credit: “Destination: Goal” originally uploaded by Jay Cox Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure March 19 – An Irish Wake March 11 – RSA Postmortem Feb 21 – Happy Hour – RSA 2014 Feb 17 – Payment Madness Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom 2014 RSA Conference Guide In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing Incite 4 U Dropping your stuff: The Intralinks folks just published some interesting research, highlighted on Graham Cluley’s blog, showing how Dropbox and Box leak links to private files through Google searches. They prove their point by showing a 2012 tax return and a mortgage application. That’s awesome. It turns out anyone with a link for private sharing can see the file. No authentication needed. More awesome. The issue can also manifest if someone clicks a link embedded within a document viewed using Dropbox’s web preview function, because that link is included in the referrer information. So how do you solve the problem? Don’t share links. Duh. Oh, not an issue? Use business cloud storage services, which allow you to restrict access to shared links. We are only beginning to scratch the surface

Share:
Read Post

New Paper: Advanced Endpoint and Server Protection

Anti-virus is basically dead, at least according to the biggest anti-virus vendor. The good news is that signature-based AV has actually been dead for a long time; even the big players have been broadening their capabilities to assess, prevent, detect, and investigate advanced malware on endpoints and servers. There has been a tremendous amount of activity and innovation in protecting endpoint and servers, driven by necessity: Endpoint protection has become the punching bag of security. For every successful attack, the blame seems to point directly to a failure of endpoint protection. Not that this is totally unjustified — most solutions for endpoint protection have failed to keep pace with attackers. But hygiene and awareness alone will not deter advanced attackers very long. We frequently say advanced attackers are only as advanced as they need to be: they take the path of least resistance. But the converse is also true. When these adversaries need advanced techniques, they use them. Traditional malware defenses such as antivirus don’t stand much chance against a zero-day attack. Our Advanced Endpoint and Server Protection paper highlights the changes in threat management resulting from these advanced attackers using advanced tactics. We discuss changes in prevention, as well as advances in both detection and investigation. This is really a call to action to rethink how you deal with advanced adversaries, and ultimately how you protect your devices. Advanced adversaries require organizations to rethink how they manage threats. The idea that targeted attacks can be prevented consistently is a pipe dream, so organizations need to shift away from largely ineffective legacy technologies for protecting endpoints and servers. More specifically this means devoting more resources and investing in innovative approaches to blocking attacks in the first place, including advanced heuristics, application control, and isolation technologies. But even with significant investment in innovative prevention, a persistent attacker will still compromise your devices. This highlights the necessity of shifting security investment toward detecting and investigating attacks. We would like to thank the companies who have licensed this content (in alphabetical order): Bit9 + Carbon Black; Cisco/Sourcefire; and Trusteer, an IBM Company. We make this point frequently, but without security companies understanding and getting behind our Totally Transparent Research model, you wouldn’t be able to enjoy our research. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.