Securosis

Research

Don’t Mess with Pen Test(ers)

Almost everyone you know is blissfully unaware of the digital footprints we all leave, and how that information can be used against us. The problem is that you understand, and if you spent much time thinking about it you’d probably lose your mind. So as a coping mechanism you choose not to think of how you could be attacked or how your finances could be wrecked, if targeted by the wrong person. Just in case you didn’t have enough to worry about today, you can check out this great first-person account of a personal pen test on Pando Daily. A NYU professor challenged the folks at Spider Labs to take a week and find out what they could about him. It wasn’t pretty. But then again, you knew that’s how the story would end. What I learned is that virtually all of us are vulnerable to electronic eavesdropping and are easy hack targets. Most of us have adopted the credo “security by obscurity,” but all it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy – and, if they choose, to wreak havoc on your finances and destroy your reputation. The story details the team’s attempts to gain presence on his network and then devices. They finally went through the path of least resistance: his wife. The tactics weren’t overly sophisticated. But once armed with some basic information it was game over. The pen testers gained access to his bank accounts, brokerage information, phone records, and the like. What do we accomplish by reminding ourselves of the risks of today’s online life? Nothing. You know the risks. You take the risks. The benefits outweigh the risks. And now I’ll crawl back into my fog to become once again blissfully unaware. Share:

Share:
Read Post

Incite 10/30/2013: Managing the Details

  As I wrote a few weeks ago, everyone has their strengths. I know that managing the details is not one of mine. In fact I can’t stand it, which is very clear as we prepare for our oldest daughter’s Bat Mitzvah this weekend. It’s a right of passage signaling the beginning of adulthood. I actually view it as the beginning of the transformation to adulthood, which is a good way to look at it because many folks never complete that transition – at least judging from the way they behave. Coming back to the topic at hand, the sheer number of details to manage between the Friday night dinner, refreshments after the Friday service, the luncheon after the Saturday ceremony, the big party we’re throwing Saturday night, and the brunch on Sunday, are crazy. The Boss has mostly done nothing besides manage all those details for the past 6 months, and was immersed in the process for the year before that. I am thankful she shielded me from having to do much, besides lug some things from place to place and write a few (okay – a lot) of checks. We have many great friends who have helped out, and without them we would have been sunk. So many things have to be decided that you don’t even think about. Take lighting, for instance. Who cares about the lights? No one, unless the place is either too dark or too light. The proximity of the tables to the speakers? Yup, that needs to be managed because some folks have sensitive ears and can’t be too close to the dance floor. Who knew? The color of the tablecloths is important – it needs to match the seat covers and napkins. The one detail I did get involved in was the liquor. You can bet I was going to have a say in what kind of booze we had for the party. That’s a detail I can get my arms around. And I did. There will be Guinness. And it will be good. When we first went through the plans and the budget I was resistant. It’s hard to fathom spending the GNP of a small nation in one night. But as we get closer, I’m glad we are making a huge event. It’s very very rare that we get together with most of the people we care about to celebrate such a happy occasion. I can (and will) make more money, but I don’t know how many more opportunities I’ll have to share such happiness with my parents and in-laws. So I will enjoy this weekend. I’m not going to think about what it costs or how many webcasts I had to do to pay for it. I will be thankful that we are in a position where we can throw a big party to celebrate the fact that XX1 is growing up. I am going to appreciate all the work she put in to get ready to lead the services on Friday and Saturday. She has probably put in another 10-15 hours a week in preparation, on top of her schoolwork and rigorous dance schedule. She hasn’t slept much the past few weeks. It’s important that I savor the experience. I have been bad at that in the past. I will talk to all the people who traveled great distances to celebrate with us, and who I don’t get to see often. I’m going to smile. A lot. And lastly, I will follow Alan Shimel’s advice to not get so drunk I need to watch the video to remember what happened at the party. That’s probably the best piece of advice anyone could have given me. You don’t get many chances to see your baby girl in the spotlight. You might as well remember it. –Mike Photo credit: “Whiteboard of the now: The To-Do list” originally uploaded by Jenica Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Security Awareness Training Evolution Quick Wins Focus on Great Content Why Bother? Executive Guide to Network Security Management New Series: The Executive Guide to Pragmatic Network Security Management Defending Against Application Denial of Service Introduction Newly Published Papers Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Stories make the point: Any effective communicator is a storyteller. People understand stories. Folks can find applicability to whatever situation they are in through a carefully crafted fable or analogy. When trying to create urgency for something as obscure as a malware attack (It does what? Why do I care about that?), it helps to have a way to relate it to non-security folks. The Analogies Project is a new initiative aiming to assemble a library of analogies about security that anyone can use to make specific points. I haven’t read them all, but a few were pretty good. Those of us in the business for a long time, and who communicate for a living, have a ton of stories from our travels through over years. But for those of you who don’t, there is bound to be an analogy that will resonate with the person you are trying to persuade. Check it out. – MR Who are you? Adrian and I have both been talking about different aspects of identity management in the cloud lately. Why should you care? Because if you don’t adopt some sort of federated identity option your life will be a screaming poopstorm of pain until the end of time. No, I’m not exaggerating. I can barely manage a dozen employee accounts on

Share:
Read Post

Thinking Small and Not Leading

Dave Elfering had a good post, making clear the difference between managing and leading. I thought my job as a security leader was to produce detailed policies that might as well have been detailed pseudo code executed by robots. If you are tasked with truly leading the security program for a company or organization then lead; quit trying to be a combination of the thought police and baby sitter. Detailed policies are necessary in some circumstances but overall they are unsustainable. Let’s dive back into the Army manual [Army Planning and Orders Production FM 5-0] for a moment. “Effective planning incorporates the concept of mission command
 concentrates on the objective of an operation and not on every detail of how to achieve that objective.” I always talked about managing to outcomes when I had corporate jobs. I didn’t want to tell folks how to get things done. I just told them what needed to be done and figured they could figure it out. Mostly because half the time I wasn’t sure what to do, and the other half of the time I was too lazy to do it for them. Kidding aside, that’s how I learned the most. It’s not much different in security. You need to lead your security program with a light touch. Think big picture objectives, and as Dave says, managing intent. Not task lists, which is small thinking. You can’t make folks within the business do things – not over the long term, anyway. Hell, most of the time you can’t even make your own team do things. So you need to persuade them that it’s in their best interests to do so. So you need to lead, not just manage to the details, expecting your employee base to just get it. This is not easy. It’s usually easier to write the policy and become Dr. No. But that approach also means you’ll be looking for another job in the near term. More stuff they don’t teach you in any of those security certification classes, eh? Photo credit: “If you are not the lead dog your view never changes #grommet” originally uploaded by Nic Wise Share:

Share:
Read Post

Don’t Cry over Spilt Metrics

Our man Gunnar starts a recent post with: Security Metrics crying need is for metrics that serve others, outside of info sec. Then he proceeds to talk about the need to develop appropriate metrics for constituencies outside of security – including developers, DBAs, Q/A folks, and Operations. Given his application-centric view of the world, those folks clearly need to understand security and have metrics to evaluate effectiveness, posture, etc. I have lots of conversation with senior security folks who are similarly perplexed about how to communicate value via metrics to another reasonably important set of influencers: Senior Management. It’s not an easy problem to solve, and there are no generic answers. I can’t just give you a list of metrics and send you on your way, because the metrics need to be meaningful to your business. Not another person’s business, but yours. And that means you need to understand your business and its critical success factors, and communicate your value through the PRISM (no pun intended
) of that view. Photo credit: “don’t cry over spilled milk” originally uploaded by Joel Montes Share:

Share:
Read Post

Incite 10/23/2013: What goes up


  Every so often I realize how spoiled I am. Sure, I am more aware of my good fortune than many, but I definitely take way too much stuff for granted. My health is good. I do what I like (most days). My family still seems to like me. I provide enough to live a pretty good lifestyle. It’s all good. I don’t have much to complain about. The fact that one of my biggest problems is that my favorite NFL teams are a combined 3-10 is a good thing, right? You get spoiled when your favorite teams are competitive at the end of the season and usually make the playoffs. New England fans know what I mean. So do Pittsburgh and Baltimore fans. When the team doesn’t perform up to expectations (like this year’s Falcons), it’s jarring. You dream of Super Bowl fairies in August, then lose half your starting team to injuries, and by October you are making alternative plans for Divisional weekend. So when the NY football Giants got their first win on Monday night, I heaved a major sigh of relief. Having watched a bunch of their games, I had legitimate concerns that they wouldn’t win a game all season. Seeing them beat up hapless Minnesota didn’t really allay my fears too much. The G-men aren’t a very good football team right now, and face a significant rebuild over the next few years. Oh well, that’s the way it goes in the NFL. In baseball and basketball, the soft salary cap just means owners have to pay a tax to buy a competitive team. And that’s what some owners do year in and year out. But that’s not an option in the NFL. The cap is the cap, and that means tough decisions are made. Great players are let go. And what goes up for a little while (usually on the shoulders of a franchise QB) inevitably comes down. Parity is great, until your team is on the wrong side. It will be interesting to see how teams with younger QBs – like the 49ers, Seahawks, Redskins, and Colts – manage their salary caps once their QBs start getting $20MM a year and eating up 15-20% of the cap. These teams can stock up now on expensive players while their QBs are cheap, but won’t be able to in 2-3 years. They will need to make tough decisions. What goes up, eventually comes down. At least in the NFL. Then there are teams that don’t seem to ever come up. Jacksonville hasn’t been competitive for a decade. Detroit has been to the playoffs once in like 20 years. St. Louis is in the same boat. And I won’t even mention Cleveland. These long-suffering fans should be applauded for showing up and being passionate, even where there isn’t much to cheer about. So I’ll keep the faith. I know all NFL teams have off years, and my teams do things the right way to produce winning seasons more often than losing ones. I’ll let go of the Super Bowl fairy this year, and I’ll be able to enjoy the rest of the season with reasonable expectations. Which is probably how I should be treating each new season anyway. Nah, forget that. Without chasing the Super Bowl fairy, what fun is it? –Mike Photo credit: “IZ NOT AKKCIDENT” originally uploaded by Aaron Muszalski Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Security Awareness Training Evolution Quick Wins Focus on Great Content Why Bother? Defending Against Application Denial of Service Introduction Newly Published Papers Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U If business users don’t care
 We are screwed as an industry. Daniel Miessler works through a thought experiment, wondering what would happen if business users realized that getting hacked doesn’t necessarily affect company value. Wouldn’t it be logical from a shareholder perspective to minimize security spend and maximize profit? To be clear, lots of organizations already do this, but I doubt it as a conscious decision not to be secure. Daniel evaluates Apple, Adobe, and the granddaddy of high-profile breaches, TJX – and finds no negative impact from those breaches. Awesome, but we already knew that in a recession people choose cheap underwear over security. It is an interesting concept, and over the long term I believe the impact of breaches is far overblown. But what about in the short term? I’m not sure market value is the best determinant of short-term value – it’s a long-term metric. Instead I would rather try to understand the impact on short-term revenue. Do customers defer deals or reduce spending in the immediate aftermath of a breach? That would be a much more interesting analysis. And I guess we should say a few thank-yous to China and compliance, which are still the engines driving security. – MR Techno two-fer: I have taken to calling big data the new normal for databases. One architectural theme I see over and over again for security analysis is the two-headed cluster: Hadoop for analytics and Cassandra/Splunk/Mongo for fast references or lookup. Consider this today’s take on normalization and correlation. Rajat Jain has a very good illustration of this concept with Lambda Architecture for batch data, which balances fast lookup against historic views of data. A batch layer – often Hadoop – computes views on your data as it comes in, and a second parallel high-speed processing layer – in this case Storm – constantly processes the most recent data in near-real-time. This enables the system to

Share:
Read Post

Security Awareness Training Evolution: Quick Wins

In the first two posts of this series we suggested that any security awareness training program needs to be focused on the proper outcomes and driven by great content. Let’s not forget the unassailable truth that the success of any security initiative is based on building momentum and making demonstrable progress early in the deployment cycle. This is not only the case for projects that involve implementing shiny boxes to block things. With a program as visible as security awareness training, with success criteria not necessarily directly attributed to training efforts, the need for a Quick Win is more acute. Especially given the likely pushback from employees duped by attack simulations. But let’s not put the cart before the horse. Buy in You don’t get to roll out new and updated content without getting the organization to buy into the need to revamp any security awareness training initiatives. Selling the training program internally involves making a case for the payback of the investment in training curriculum, services, and employee time. The best way we have found to make this case involves leveraging attack and breach data that is reasonably plentiful. Start with data on the types of attacks that result in compromised devices (available from the myriad of breach reports hitting the wires weekly), and position the value of the training around the reality that the majority of delivery methods for weaponized exploits involve social engineering. From there you can look at the potential economic impact of those attacks – in terms of lost data, compliance fines, and direct incident response and/or disclosure costs. Compare to the costs of improving training, and the case for investing in training should come clear. Don’t stop justifying with direct cost savings from reducing successful attacks – point to operational benefits as well. These include an improved malware detection as well as accelerated incident response from having employees versed in security and attack vernacular. Security-savvy employees can tell you what they clicked on, which websites they visited, and why they believe they have been compromised – facilitating triage and root cause analysis. And don’t be bashful about using information from your own organization. If any of your employees have been compromised due to tactics directly taught in the awareness training (such as phishing messages), you can make the case that the impact of attacks (including clean-up costs) could be reduced by more effectively training employees. Baseline Once the organization is on board you should be able to demonstrate the ongoing value of the program. So you need to figure out where you are right now. You should run a relevant sample of your employees through the qualification tests and/or simulations to gauge where they are before the training starts. This will provide a baseline for comparing future results and tracking metrics against. Of course there is always the fortuitous happenstance that your sample of employees could perform exceptionally well in the baseline tests, reducing the urgency for better security awareness training content. This would be a good problem to have. But we have been doing this a long time, and we cannot pinpoint many (or any) examples of being pleasantly surprised by employee security knowledge, but there is always a first time, right? More likely you will see the seriousness of your situation, and get a renewed understanding of the importance of moving the training program forward decisively and quickly. Low Hanging Fruit The good news is that in the absence of a formal (or effective) security awareness training program, initial improvement is likely to be obvious and significant. You can pretty much count on employees starting with very little security knowledge, so a little training normally makes a big difference. Getting the quick win is about making sure you take the baseline and improve upon it right away. That’s not a particularly high bar, by the way. But it builds momentum and gives you some leeway to expand the program and try new techniques. Be careful not to squander that momentum, or leave ongoing improvement up to chance. You know the old adage: failing to plan means you are planning to fail. So you should think about a broader and more strategic program to deliver on your security awareness training program. The Virtuous Cycle of Training Success Your program needs to acknowledge and address the fact that most students (of anything) rarely understand and retain key concepts during initial training. Don’t simply assume that security awareness will be any different. So let’s consider a logical process which provides a number of opportunities to expose employees to the material, to increase the likelihood of retention. Initial Training: As we described in the last post on content you are looking for great content that will be current, compelling, comprehensive and fun, while providing a catalyst for behavior modification. Competition: A good way to get the most value from the initial training and ongoing efforts is to establish contests and other means to get your employees’ competitive juices flowing. Awarding prizes, using incentives to reward employees for doing the right thing and competing effectively, gives them a reason to practice their new security skills and awareness. Reinforcement: Whether it is a matter of additional training based on the results of a periodic simulation or test, re-qualification required every quarter or bi-annually forcing re-engagement with the content, a monthly newsletter, or all of the above, you want security to be top-of-mind (at least not out-of-mind), which requires a number of opportunities to reinforce the training content with employees. Updates: The dynamic nature of security, with its constantly changing attack vectors, isn’t normally viewed as a positive, but when looking for opportunities to reinforce the messages of security training that dynamism provides an important opportunity. You need to retrain employees on new attack vectors as they develop. This provides another opportunity to go back to the fundamentals and hammer again on security basics. Lather, rinse, repeat: We pointed out in the Introduction that the only way to fail

Share:
Read Post

Security Awareness Training Evolution: Focus on Great Content

  As we come back to the Security Awareness Training Evolution series after our two-week hiatus, let’s revisit some of the key issues described in the introduction. We made the case that for liability, compliance, and even security reasons you can’t really decide not to train your users about security. Of course you could, but it would be counterproductive – you need to be realistic, and accept that you cannot reach every employee and employees do stupid things. But you can reach some, if not most, and reaching those folks will minimize the number of issues you have to clean up. Of course balancing how much to time and effort to spend on security awareness training is a company-specific decision which depends on the sophistication of your employee base, the kinds of adversaries you face, and your organizational culture. Regardless of how much time and effort you spend and which techniques you use, if your security awareness training content is poor it will be wasted effort. This post will tackle the issues around developing (or buying) great content – as they say, “Content is king!” Let’s start by defining great content. Here is a list of some key requirements: Behavioral modification: The training content needs to work. You should be managing to outcomes, and your desired outcome for training is that employees learn what not to do (and subsequently don’t do it), so if behavior doesn’t change for a reasonable percentage of employees, the content is ineffective. Current: Security is a dynamic environment, so the training materials need to be kept up to date. Yes, you still need to tell the employees about vintage 2009 attacks because you will still see those. But you also need to train them to defend against the latest and greatest attacks, because those are what they are most likely to see. Comprehensive: Captain Cliche reminds you that security is only as strong as the weakest link. Employees need to be prepared for most everything that will be thrown at them. It is neither realistic nor feasible to turn normal employees into security professionals, but they can understand the major attack vectors and develop a ‘Spider-Sense’ so they are aware of attacks as they happen. They won’t be able to defend against attacks you don’t train them on. Compelling: Most employees don’t really know what’s at stake, so they don’t take the training seriously. We are not fans of trying to scare employees or playing Chicken Little, but they need to understand the consequences of data breaches. It’s really just a matter of integrating a few stories and anecdotes into the training materials to make the attacks a bit more real, humanizing attacks and taking them from theory to reality. Fun: Boring content is boring. If employees don’t enjoy the training materials they will shut down and do just enough to pass whatever meaningless test you put them through. They will forget what they learned as soon as they leave the room. As corny as it may seem, no fun usually means no (or little) learning. Most folks have short attention spans. Optimize your content in small chunks, typically 3-5 minutes for some kind of lecture, or an exercise that can be completed in that kind of timeframe. The gluttons for punishment in your employee base may want to blast through 5-10 chunks at a time, but give folks the option to get through a lesson during a quick break. That way they don’t have to totally disrupt the flow of their day to get training. Weigh the effectiveness of video compared to a presentation deck with a talking head. Stories are more effectively told through video, and your training materials need to tell a story about the importance of security and how to defend against attacks. Gamification Two of the key requirements for better content are compelling and fun, so the shiny new concept of ‘gamification’ should come into play. Maybe it’s not actually new – many of your younger employees were probably taught to type by Mavis Beacon. Now academia is catching on, and a number of studies show that adding competition and gaming concepts to learning dramatically increases retention and value. One organization we have worked with pits its business units against each other for the fewest infections per quarter. The BU with the lowest number each quarter gets possession of a $100 trophy, and the company takes the contest very seriously. It turns out business leaders want to win, whatever the game is. To be clear, this isn’t really an educational ‘game,’ but it is competition to get the right outcome for the organization, thus minimizing infections. And nothing gets everyone on board faster than senior management making it clear they want to win. In terms of structuring content within the context of a game, here are a couple ideas to ponder: Levels: Humans love to achieve things and to feel that sense of accomplishment. If your training involves multiple levels of content within the materials, and employees need to qualify to proceed to the more advanced lessons, they will be pushed to advance their skills to attain the next level. Points: Depending on the nature of the training you can award points for better or faster results/performance. Again, human nature is to collect an increasing amount of things for that sense of accomplishment. Scoreboard: If you will award points for proper outcomes, you might as well highlight the best performers to recognize employees doing exceptionally well, and to drive others to compete. Penalties: No one likes to lose what they have gained, so you could take points away from an employee if they don’t complete the next level (or at least go through the next lesson) within a certain amount of time. Knowledge erodes over time, so you want to have the employees complete the materials as quickly as possible and then reinforce the material soon after. And that’s just the tip of the iceberg. You could design (or license)

Share:
Read Post

Reality Check for Millennials Looking at Security

Evidently security as an industry does a crappy job at generating interest within kids today. How are we going to fill the massive skills gap we face, if we can’t get students interested in security from an early age. Right? RIGHT? No. Wrong. Incorrect. False. And every other negative word I can think of to describe how bad an idea it is to try to get kids excited about security early on. Not that we don’t have a massive skills gap. We do. Not that we shouldn’t be doing more to educate kids about security. We need to do that too. But I have seen far too many young people flock to security because of the sheer number of job opportunities. They aren’t with us long. In fact they hate it. They get seduced by the siren call of good vs. bad. Of fighting attackers and outsmarting adversaries. And then they learn what security is really about. How most of the time the bad guys are long gone by the time you find out and this happened. About the joys of making firewall changes and patching systems in the middle of the night. As they advance, maybe they learn the fandango you need to dance with senior management and the auditors. Selling young people an idealized vision of security doesn’t do anyone any good. It sets a false expectation and creates disappointment. That doesn’t mean I think we can just hope young people of the right personality type and talent magically end up in security. Hope is not a strategy. We should be espousing the cool things young people can do in technology. Especially young girls – the gender gap is obvious and needs to be addressed. In order to do security effectively, you need a deep understanding of technology anyway. Let them start there. And then, if they have the competence and personality to do security, grab them. I was facilitating a roundtable of CISOs earlier this week, and one of them talked about how much success he has had with interns. We all wondered where he found them and which program produced the most capable candidates. He said he doesn’t deal with the interns initially. He gets to know them once they start their internship. He spends time with the high potential folks and tells them the real deal about security. And a portion of them are interested and he hires them when he can. It works. But glamorizing an unglamorous job will not help us. It just puts you in a position where you have to train a bunch of folks, only to have them later realize security isn’t for them. Photo credit: “I hate my job” originally uploaded by Mike Monteiro Share:

Share:
Read Post

Incite 10/16/2013: Building Strengths

Back when I managed people (and yes, it seems like a lifetime ago), I subscribed to the Gallup management concepts. Productivity is based on employee engagement, and employees are much more engaged when they are doing things they are good at. The book First, Break All the Rules was eye-opening – I have spent my entire career to date trying to make my weaknesses less weak, and not trying to improve my strengths. So I took Gallup’s original StrengthsFinder test and discovered back in 2002 that my top 5 strengths were Strategic, Input, Achiever, Command, and Focus. So my attempts to start a technology company at that point made a lot of sense. Those are the skills you’d like an early stage CEO to be strong int. But looking back at my subsequent experiences as VP Marketing for a number of companies, it is not surprising I wasn’t happy or particularly successful, given the different skills required for that position. The initial data gathering/learning phase of my VP Marketing jobs played to my ‘input’ strength. And building communications and product plans were great for my ‘strategic’ capabilities. But everything else about the job, including the day to day grind, the whac-a-mole of managing PR and lead generation programs, and the challenge of keeping high-strung sales folks happy, didn’t play to my strengths. Not at all. As I mentioned last week, recently hitting the likely halfway point of my life got me thinking. I believe I am a different person than I was back in 2002. Life and the inevitable road rash you acquire do that to you. I wondered how much my strengths had changed. So I took the new version of StrengthsFinder – and lo and behold, 3 out the 5 were different. Now my top 5 strengths are Strategic, Relator, Achiever, Activator, and Ideation. Keeping strategic and achiever weren’t surprising – I have always been like that. Nor was being an activator, which is someone who starts projects and gets things moving. Likewise ideation goes hand in hand with my strategic bent and allows me to come up with a number of different ideas for how to solve problems. All these fit well with my chosen occupation as an independent analyst. Without a firm grasp of strategy and a bunch of creative ideas, my value is limited. My activator and achiever talents make sure things get done, especially powered by a lot of coffee. But the relator talent surprised me. The description of this talent is: “People who are especially talented in the Relator theme enjoy close relationships with others. They find deep satisfaction in working hard with friends to achieve a goal.” Huh. Close relationships? Really? My internal perception of myself has always been as a standoffish introvert who doesn’t really care about people. In fact, I tell stories about how I shouldn’t be working with people, which is why having partners on the other side of the country is perfect. But now that I think about it, I enjoy nothing more than rolling up my sleeves and getting to work with people I respect and like. One of the key criteria for anyone wanting to become a Securosis contributor is whether we like to drink beer with them. These folks aren’t just my colleagues – they are my friends. I can see why this makes sense (for me) now, and how it makes me better at what I do. Best of all, I have a gig which allows me to play to my strengths. It’s not like I had an evil plan to find a career that highlights my talents. I stumbled into research when I was in my early 20’s. But 20+ years later, I can appreciate my good fortune. –Mike Photo credit: “Lifting heavy weight, I am the power man. originally uploaded by snow Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Security Awareness Training Evolution Why Bother? Defending Against Application Denial of Service Introduction Newly Published Papers Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U The limo job: If you can’t get in through the front door, you might as well come in through the limo service. At least that’s the tactic taken by the APT to get into Kevin Mandia’s stuff. It turns out they probably used real intelligence officers to discover Kevin’s preferred limo company, broke in, then sent him a fake receipt with a malicious payload. That’s some ingenious hacking and requires some boots on the ground. Obviously a guy as well-trained as Kevin will smell something fishy when he gets a receipt for a trip he didn’t take. But you have to wonder what else are they looking at? He knew becoming the public face of exposing Chinese hacking activity would have repercussions, and now I guess we are seeing them. – MR Not all leaks sink the boat: A while ago we did some work with a client who was worried about an impending source code leak (no, you don’t know about it – it’s not that one in the news). They were trying to figure out the best way to handle it from both a PR and IR standpoint. These guys had their stuff together, and went through an intense process to protect both customers and their brand. (No, it wasn’t Symantec – they flubbed it). Adobe is living that nightmare right now, and boy did the Wall Street Journal miss the mark in their trolling for clicks. Losing source code doesn’t necessarily correlate to increased customer risk. To

Share:
Read Post

Firewall Management Essentials [New Paper]

  We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. Then you get some religion about more effectively managing these devices. Things are getting more complicated as next-generation functionality brings a need to define and manage application policies; new devices and infrastructure evolution make it difficult to know what is allowed and what isn’t. The issues around managing firewalls can be summed up in an excerpt from our newest paper: Like a closet in your house, if you don’t spend time sorting through old stuff it can become a disorganized mess, with a bunch of things you haven’t used in years and no longer need. This metaphor fits the firewall like a glove, so we decided to get back to our network security roots to document the essentials to automating management of firewalls. We explain the need for a strong automated change management process, the importance of optimizing the rule base, and the benefits of managing access risk. It should serve as a good primer on how to improve the operational excellence of your network security controls. We would like to thank Firemon for licensing the research and supporting what we do. You cannot get rid of firewalls, and if anything their importance is increasing daily. So you might as well get better at managing them, and that’s what this research is all about. Check out the FME landing page in our research library, or download the Firewall Management Essentials paper directly. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

“Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.”

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.