Research

Every year there seems to be a new shiny object that works security marketeers into a frenzy. The Advanced Persistent Threat hype continues to run amok 3 years in, and doesn’t seem to be abating at all. Of course there is still lot of confusion about what the APT is, and Rich’s post from early 2010 does a good job explaining our view. That said, most security vendors are predictable animals and they adhere to the classic maxim “If all you have is a hammer, everything looks like an APT.” So it makes no difference what the security product or service does – they are all positioned as the answer to APT. Of course this isn’t useful to security professionals who actually need to protect important things. And it’s definitely not helpful to Chief Information Security Officers (CISOs) who have to communicate their organization’s security program and set realistic objectives, and manage expectations accordingly. So, as usual, your friends at Securosis will help you focus on what’s important and enable you to wade through the hyperbole to understand what’s hype and what’s real, in our new series: The CISO’s Guide to Advanced Attackers. This series will provide a high-level view of these “advanced attacks”, designed to help a CISO-level audience understand what they need to know, and map out a clear 4-step process for dealing with advanced attackers and their techniques. Before we get started I want to thank Dell SecureWorks for agreeing to potentially license the content at the end of the project. As with all our research, we will produce The CISO’s Guide to Advanced Attackers independently and objectively, and tell you what you need to know. Not what any vendor wants you to hear. Defining Advanced Attacks First let’s dismiss the common belief that advanced attackers always use “advanced attacks”. That’s just not the case. Of course there are innovative attacks like Stuxnet, stealing the RSA token seeds to attack US Defense sector organizations, and compromising Windows Update using stolen Certificate Authority signing keys. But those attacks are exceptions, not the rule. These attackers are very business-like in their operations. They don’t waste a fancy advanced attack unless they need to. They would just as soon get an unsuspecting office worker to click a phishing email and subsequently use a known Adobe Reader exploit to provide the attacker with a presence in your environment. There is no award for unique attacks. This understanding necessarily changes the way you think about adversaries. The attacks you see will vary greatly depending on the attacker’s mission and their assessment of the most likely means to compromise your environment. A better way to get your arms around potential advanced attacks is to first understand the potential targets and missions. Then profile specific attackers, based on their likelihood of be interested in the target. This can give you a feel for the tactics you are likely to face, and enables you evaluate controls that may be able to deter them – or at least slow them down. The security industry would have you believe that implementing a magic malware detection box on your perimeter or locking down your endpoints will block advanced attackers. Of course you cannot afford to believe everything you hear at a security conference, so let’s break down exactly how to determine what kind of threat you are facing. Evaluate the Mission Having the senior security role in an organization (yes, Mr./Ms. CISO, we’re talking to you) means accepting that the job is less about doing stuff and more about defining the security program and evangelizing the need for security with senior management and peers. A key first part of this process is to learn what’s important in your environment, which would be an interesting target for an advanced attacker. Since you have neither unlimited resources nor the capabilities to protect against every attack, you need to prioritize your defenses. Prioritize by focusing on protecting your valuables. The first order of business in dealing with advanced attackers is to understand what they are likely to look for. That is most likely to your: Intellectual property Customer data (protected) Business operations (proposals, logistics, etc.) Everything else It is unlikely that you can really understand what’s important to your organization by sitting in your office. So a big part of this learning requires talking to senior management and your peers to get a feel for what’s important to them. After a few of these conversations it should be pretty clear what’s really important (meaning people will get fired if it’s compromised) and what’s less important. Once you understand what the likely targets of an advanced attacker (the important stuff), you can take a reasonably educated guess at the adversaries you’ll face. Profile the Adversary We know it seems a bit simplistic to make generic assumptions about the kinds of attackers you will face, depending on what you are trying to protect. And it is simplistic, but you need to start somewhere. So let’s quickly describe a very high-level view of the adversaries you could face. Keep in mind that many security researchers (and research organizations) have assembled dossiers on potential attackers, which we will discuss with threat intelligence in the next post. Unsophisticated: These folks tend to smash and grab attacks, where they use a publicly available exploit (perhaps leveraging tools like Metasploit) or some kind of packaged attack kit. They are opportunistic and will take what they can get. Organized Crime: A clear step up the food chain is organized crime attackers. They invest in security research, test their exploits, and have a plan to exfiltrate and monetize what they find. They are still opportunistic, but can be quite sophisticated in attacking payment processors and large-scale retailers. They tend to be most interested financial data, but have also been known to steal intellectual property if they can sell it and/or use brute force approaches like DDoS threats to extort victims. Competitor: At times competitors use unsavory means to gain advantages in product development, or when seeking information on competitive bids. These folks

How cool would it be if LMFAO (or a reasonable proximity – Beaker, anyone?) did a security version of “Sorry for Party Rocking,” because evidently the security job market is rocking. But it offers a great perspective on the mind of the security professional. Check out the following quotes to get a feel for how things seem, which I can anecdotally validate based on the number of calls I get from CISO types looking to grow and retain their teams. “What’s the unemployment rate for a good cybersecurity person? Zero,” Weatherford said, adding that government agencies and the private sector were stealing the best people from each other. “We are all familiar with the fratricide going on.” Salaries split in 2013, with the median staff salary declining $2,000 to $95,000 this year. Management salaries continued to rise, topping $120,000 in 2013, up $5,000 from the previous year. The trend in total compensation reflects the same split as salaries: Total compensation for staff declined in 2013 to a median of $98,000, down $5,000, while management saw a $2,000 increase, to $129,000. So salaries for staff are down marginally, but still considerably higher than general IT jobs. That’s good, right? Security folks should feel good about their job security and their place in the organization, right? Doesn’t scarcity mean companies need to be taking better care of their security folks? That would be a reasonable conclusion, no? In 2013, security practitioners showed a slight drop in how secure they feel in their jobs. While other IT disciplines continue to feel as secure in their positions as in 2012, IT security staff saw a seven-point drop, to 43%, in the number that feel very secure. It’s totally counterintuitive, or is it? The reality is that when something bad happens, and in security something bad always happens sooner or later, someone is going to take the fall. So I can kind of understand how in the Bizarro World of security, scarcity and higher salaries make folks less secure in their jobs. But here’s the real point: even if your organization throws you under the bus, there are a hundred companies waiting in line for you to chase their windmills and eventually end up under their buses. So rejoice, security professionals! You may not keep a business card for long, but you shouldn’t have to spend much time in the unemployment line. Photo credit: “Help Wanted” originally uploaded by James Share:

Sometimes seeing what you have known for years in print is helpful, even comforting. So Gartner’s Paul Proctor writing about killing compliance in cold blood is good. Paul has a bigger megaphone than the rest of us, so maybe folks will start getting on board with doing security (or risk, depending on your vernacular) and stop worrying so much about the checklists. Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach. Recently the security hyperbole trifecta (APT/advanced malware, BYOD, and Big Data) has been sucking up all the oxygen in security marketing, so compliance is suffocating. Compliance as the primary driver of security/risk is already effectively dead, but many people haven’t noticed yet. More to the point, certain classes of organizations are not sophisticated enough to realize what has happened. That gets down to Paul’s use of the ‘M’ word: maturity. The problem is that the great unwashed are still in security/risk diapers, so they can’t see compliance as only one risk domain among many. Their list of audit deficiencies makes it the only domain they are aware of. But that’s okay – every organization needs to start somewhere, and checklists can be helpful for spurring action and establishing a very very low bar of protection. Then as organizations climb the curve of security and risk maturity, they can and should “stop being a rule following and become a risk leader” as Paul suggests. That’s the goal. Followers are buried in regulatory distraction that impedes their ability to innovate, perform, optimize and adapt their programs. Followers are busy covering their butts. Leaders are able to map risk and security dependencies into desired business outcomes and report these risks into the appropriate decision makers. For example, a modern risk and security program can support mergers and acquisitions through proactive due diligence that guides actual integration decisions by non-IT decision makers. That’s influencing the business! Actually, we’re all busy covering our butts – including leaders. The difference is that leaders proactively identify what will kill them, and tells non-IT decision-makers where they will be hit. And that may be enough to save them when the brown stuff hits the fan. Whereas followers never see it coming because it wasn’t on a checklist… Photo credit: “Murder” originally uploaded by AJ Cann Share:

The hype cycle for Threat Intelligence is just getting going. It will soon join advanced malware, BYOD, and Big Data as terms that mean nothing because they have been poked, prodded, manipulated, and otherwise killed by vendor hyperbole. We have done a bunch of research into how to use threat intelligence (Early Warning, Network-based Threat Intelligence, and Email-based Threat Intelligence), so we get the value of benefiting from other folks’ misfortune and learning from how they were attacked. But I also know that our papers run 15-20 pages and usually fall into the category of tl;dr. So let me point to a few posts Scott Crawford put out there. The first talks about integration and its importance for dealing with the kinds of attacks you face. The other post I want to highlight is next in that series, bringing up the sticky issue of actually integrating threat intelligence into your control sets. It is simply this: in order for intelligence to factor into effective response, proactive defense or environment hardening, security intelligence systems must be able to send data out as well as take it in. Intelligence has historically been positioned as a differentiator for a product and/or service, not as a stand-alone offering with its own value. That’s changing, but not quickly enough. Scott’s points are exactly right – whether you are talking about security intelligence (the new term for SIEM) or threat intelligence, the data needs to be available in a number of formats for import/export to make sure you can actually use it. Scott doesn’t sugarcoat the ongoing concerns of operations folks or their unwillingness to allow any kind of automation to reconfigure controls and defenses. And clearly a filter needs to be applied. The stuff you know is bad should be blocked. If you aren’t sure, your layers need to come into play. Sure, there are lots of reasons beyond the limitations of monitoring technology why we wouldn’t want to do this. Automating blocking at scale would do a little more than step on the toes of IT operations and irk our insect overlords, if what we effectively build is the Mother of All Denial of Service Vehicles that raises existing problems with false positives to an entirely new level. But the point is the point. All that time you have spent collecting data and doing some simple analysis has positioned you to take the next step toward Scott’s concept of data-driven security. Let me simplify the issue a bit more. Having great intelligence doesn’t help if you can’t use it. That would be, well, just dumb. Photo credit: “#dumb” originally uploaded by get directly down Share:

We have each probably worked for a CEO who we’d just as soon meet in a dark alley (without video surveillance), while carrying a nightstick and a taser. So when I saw Ed Moyle’s blog about Narcissistic CEOs, I was hoping it would end with “You’d better bring a mop. And a body bag.” Unfortunately Ed highlighted some research that these narcissistic douches adopt technology more aggressively (mostly due to their oversized egos) and are more likely to be successful. Humbug. … We find strong support when testing our hypotheses on a sample of 78 CEOs of 33 major pharmaceutical firms, examining their response to the emergence of biotechnology over the period 1980 to 2008… our results suggest that narcissism may be a key ingredient in overcoming organizational inertia. So the nice CEO, who isn’t a total prick usually can’t get the organization to move, and so is tossed out with yesterday’s garbage in favor of some objectionable human, who worries more about having cooler toys than the other CEOs in his or her golf group. Awesome. But aside from my CEO bitterness (you might think, after almost 4 years, the road rash would have healed just a bit), Ed actually draws a conclusion that could actually be helpful. As a pragmatist, my concern is mostly about how practitioners can leverage this. For example, rather than pitching a new technology on the basis of return to the organization, business enablement, cost savings, etc. – maybe harnessing executives competitiveness could be effective. So rather than saying, “this new cloud system will save us 50% over 10 years”, saying something like “Check out the attention our competitor is getting for being so innovative and forward thinking. I wonder if there’s a way for us to lead instead of them” might be more resonant if what these folks say is true. That’s why I think security benchmarking is a good idea. Having a benchmark to compare your organization to another gives you the data to appeal to these ego monsters. And if you have to deal with these folks, at least use their personalities to get what you want. Photo credit: “Hello My Name Is Narcissit” originally uploaded by One Way Stock Share:

My paternal grandmother passed away last week at 103. No, that is not a typo. One hundred and three. Ciento tres for you Spanish speakers out there. She would have been 104 in June. That’s a long time. To give you some perspective, per the infoplease site, William Taft was president in 1909. Robert Peary and Matthew Henson reached the North Pole that year. And the big news in the medical community was finding a cure for syphilis. I’m sure that caused much rejoicing around the world. I guess before 1909 you could actually have gone blind, though my folks somehow forgot to tell me about the cure… My Grandma Hilda was interesting, although I didn’t know her very well. She moved with my grandfather to Florida when I was 5. I’d see them for the occasional winter break trip to North Miami Beach, and they’d come north for some holidays. But they weren’t phone people and long distance calls were pretty expensive back then, so it wasn’t like we’d just chat on the phone. Our kids have it better – they can text, FaceTime, and email their grandparents and cousins. I didn’t have that option. She grew up in Baltimore and the way she met my grandfather was a great story. She was actually on a date with his brother Sam, but my grandfather had a car, so he drove Sam to Baltimore for the date. Evidently my grandfather liked her because when his brother went to get a pack of smokes, my grandfather took off and stood in on the date. I doubt they called it a ‘CB’ like my buddies would today, but they were married for almost 65 years, so it worked out. She couldn’t have been more different from my grandfather. The cantor who presided over the the memorial service called the two of them Ying and Yang. But it was really more like the tortoise and the hare. My Grandpa Harry was fast and explosive. He’s been gone for 16 years but we still talk about his tantrums. He talked fast. He walked fast. He did everything fast and had little tolerance for folks who didn’t keep up. Whereas my grandmother was slow and calm. In the face of a Mt. Vesuvius explosion from Harry, she just wouldn’t be bothered. No matter what happened she was calm. She’d make some snide comment and get back to whatever she was doing. She was the only one who could put him in his place. And she did. It was amazing to see. And when I say slow, I mean sloooooow. She wasn’t in a rush to do anything, not that I can remember anyway. She got there when she got there. She didn’t drive, so if she couldn’t get a ride or didn’t want to take the bus she wouldn’t go. One winter my grandparents took my brother and me to Walt Disney World when we were young. They had just opened EPCOT (yes, I’m dating myself) and I distinctly remember following my grandfather and visiting each ‘country’ in the park. We probably made 4 or 5 loops around the park, and every hour or so we’d pass by my grandmother strolling along at her own pace taking in the sites, not a care in the world. He got to the finish line first, and she took her time to get there. 103 years to be exact. On an interesting side note, my paternal great-grandfather (Hilda’s Dad) also lasted 103 years. Seriously. So we’re running a pool on my father’s side of the family on who of each generation will go for 103. I’m tempted to make a run for it. Why not? I’ve always said I want to stick around long enough to have my kids change my diapers, just to return the favor. And evidently I have the genetics to do it. Though if I do want to stick around that long I’ll need to learn to slow down and be calm, like my grandmother. Living until 103 isn’t for folks in a rush. –Mike Photo credits: 168/365 – President Taft Faces the Future originally uploaded by davidd Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Email-based Threat Intelligence: To Catch a Phish Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U What’s $300K between friends? Very interesting research by our friend Wendy Nather of 451 Group (highlighted by Shimmy at NetworkWorld) on what to buy if you start a security program in a green field. Yeah, I know there are no green fields, but Wendy determined that a 1000 person company would need to spend $300,000-$400,000 for a bare bones security capability. If they wanted a little more they would at least double the cost. She tends to see 1 security person for 500 employees. This isn’t a low-cost scenario, is it? And it doesn’t really help a company sell more stuff, does it? Sure you can spin your wheels talking about enabling this or that, but security remains a significant cost center. But at least the stuff you buy stops the attackers, right? (No, not really.) So there’s that… – MR Two of these are nothing alike: You know big data is a threat to traditional big iron when entrenched providers start marketing off its coattails, as Alex Gorbachev attempts to do by comparing required IT management skills for Hadoop and Exadata. One of the many problems with this article is that the basic premise is not true: big data is not “a pre-integrated, engineered system with built-in management and automation

I like to see stuff that challenges common wisdom. The inimitable professor Gene Spafford of Purdue goes far against the grain in calling out the excitement of hacking competitions and red teams as counterproductive to training the next generation of security folks. Gene starts with an analogy for how security folks would deal with a bunch of barns on fire: We’re going to have a contest to find who can pass this pail of water the quickest. Yes, it is a small, leaky pail, but we have a lot of them, so that is what we’re going to use in the contest. The winners get to be closest to the flames and have a name tag that says “fire prevention specialist.” He goes through another couple analogies to make the same point, that security folks seem to be holding competitions to show proficiency in stopping yesterday’s problems, but not enough time thinking about how to solve the root cause of the security issues: poor systems design. First, in every case, a mix of short-sighted and ultimately stupid solutions are being undertaken. In each, there are large-scale efforts to address pressing problems that largely ignore fundamental, systemic weaknesses. Second, there are a set of efforts putatively being made to increase the population of experts, but only with those who know how to address a current, limited problem set. Fancy titles, certificates, and seminars are used to promote these technicians. Meanwhile, longer-term expertise and solutions are being ignored because of the perceived urgency of the immediate problems and a lack of understanding of cost and risk. Third, longer-term disaster is clearly coming in each case because of secondary problems and growth of the current threats. That’s uplifting, right? He does highlight a number of potential solutions, or at least things we should focus on to a greater degree, including: Nationally, we are investing heavily in training and recruiting “cyber warriors” but pitifully little towards security engineers, forensic responders, and more. It is an investment in technicians, not in educated expertise. We have a marketplace where we continue to buy poorly-constructed products then pay huge amounts for add-on security and managing response; meanwhile, we have knowledgeable users complaining that they can’t afford the up-front cost required to replace shoddy infrastructure with more robust items. Rather than listen to experts, we let business and military interests drive the dialog. We have well-meaning people who somehow think that “contests” are useful in resolving part of the problem And to put a bow on the issues with contests: Competitions require rapid response instead of careful design and deep thought – if anything, they discourage people who exhibit slow, considerate thinking – discourage them from the contests, and possibly from considering the field itself. If what is being promoted are competitions for the fastest hack on a WIntel platform, how is that going to encourage deep thinkers interested in architecture, algorithms, operating systems, cryptology, or more? But there’s more… So, the next time you hear some official talk about the need for “cyber warriors” or promoting some new “capture the flag” competition, ask yourself if you want to live in a world where the barns are always catching fire, the cars are always breaking down, nearly everyone eats fast food, and the major focus of “authorities” is attracting more young people to minimally skilled positions that perpetuate that situation…until everything falls apart. The next time you hear about some large government grant that happens to be within 100 miles of the granting agency’s headquarters or corporate support for a program of which the CEO is an alumnus but there is no history of excellence in the field, ask yourself why their support is skewed towards building more hot dog stands. I think Gene brings up a number of good points in a very clear manner. I can see the other side of the equation as well, given that red team exercises are fun and give folks a feel for what it’s like to be under fire. But clearly there is a need for both quick twitch security folks (who can respond quickly under fire) and architects who can think deeply about difficult problems. Share:

We ve talked a bit about the need to “be careful what we wish for,” in terms of making security a higher profile issue with senior management. Well, it’s no longer just vendors throwing FUD balloons that can splat at any time. I was perusing the Seeking Alpha investor site over the weekend when I found an article called Pandemic Cyber Security Failures Open An Historic Opportunity For Investors. Yes, I threw up a bit in my mouth when I read that headline. The first sentence doesn’t help: Cyber Security failures in the Western World have reached a pandemic stage. Oy. Then the author goes on to quote lots of different sources designed to scare the crap out of the uneducated. It’s awesome. Then he talks a bit about the reality of current defenses: From my discussions with top security professionals at leading security organizations, including Big 4 consulting and assurance companies, software such as Antivirus and Intrusion Detection and Prevention (IDS/IPS) are currently only marginally effective at catching security threats. Ugh. But it gets better. Of course when you throw this much FUD you need to have solutions, right? The partnership between VMWare and Cisco is going to integrate network defenses into the virtual computing used in cloud deployments, didn’t you know? That will definitely help address the pandemic. And get this beauty about HP’s innovation in the space: In addition, HP (HPQ) has developed software to link operational system logs with security event logging, enabling network operations and security to unite in common defense of corporate networks. Eliminating functional silos in network operations and security means more coordinated and efficient defenses against attackers. Hello! 2004 called and they want their functional silos back. This is when you really wish the uneducated wouldn’t do a few minutes of research and then think they understand security. I don’t feel bad that professional investors may see (and even act on) this kind of crap. But I do worry about unsuspecting individual investors who are most vulnerable to this drivel. Now please excuse me while I take some deep, cleansing breaths… Share:

Russell Thomas and a bunch of his friends recently posted a research paper called How Bad Is It? – A Branching Activity Model to Estimate the Impact of Information Security Breaches, which attempts to provide a structure for estimating the impact of a breach. This work is necessary – we have no benchmarks, or even consensus, about what breached organizations should even be counting. This is an academic research paper, and to be honest I am not a big fan of academic papers. I have pretty bad TL;DR syndrome. But I did check out the introduction, and noted some interesting tidbits. Empirical research on breach losses often use ad hoc taxonomies for “quantified” and “non-quantified” costs as part of surveys or interviews of subject matter experts. There is no theoretical basis for these taxonomies, which limits their generality and research significance. Finally, several consulting firms publish survey-based studies. Most notable is the “Cost of a Data Breach” reports by Ponemon Institute (Ponemon Institute 2012). These survey results are widely publicized and widely quoted, even in policy discussions, but they have no foundation in theoretical or empirical academic research, and they have very serious methodological flaws (Thomas 2011a) In summary, without some reliable and robust breach impact estimation methods, quantified information security will continue to be a “weak hypothesis” (Verendel 2009). This is true. It warms my cockles (can I say that out loud?) that these guys are calling out survey monkeys like Ponemon because the industry seems set on using those numbers to justify what we do. But I have to say I’m a little disappointed by Russell’s attempt to jump on the indicators of compromise bandwagon in his New School blog post on the paper. He unnecessarily concocts a meaningless description of this breach impact estimation model by mentioning Indicators of Impact. Huh? Total non-sequitur, though I do understand the desire to capitalize on the popularity and momentum of the phrase Indicators of XXX. But let’s call this what it is. An attempt to build an academically rigorous model to estimate the cost of a breach, based upon factors that can be reasonably estimated and quantified. It would be nice to see this kind of stuff added to GRC platforms and the like, to enable us to track and estimate these costs. Ultimately I believe that as we mature as a profession we will need this kind of research to help define a common vernacular for estimating loss. Photo credit: “Impact Hoodie Design for 2006” originally uploaded by Will Foster Share:

A lot of folks ask me how I work from home. My answer is simple: I don’t. I have a home office, but I do the bulk of my work from a variety of coffee shops in my local area. So I give a few minutes’ thought at night to where I want to work the following day. Sometimes I have a craving for a Willy’s Burrito Bowl, which means I drive 20 minutes to one of their coffee shops in Sandy Springs. Other times I just have to have the salad bar’s chocolate mousse at Jason’s Deli, which means there are three different places that I could work that day. Lunch drives office location. For me, anyway. Sometimes I don’t have the foggiest idea what I want to eat for lunch, so I get into the car and drive. Sooner or later I end up where I’m supposed to be and then I get to work. Assuming I can get a seat in the coffee shop, that is. Evidently I’m not the only guy who works like a nomad. Sometimes it’s a packed house and I need to move on to Plan B. There is always another coffee shop to carpet bag. I try not to go to the same coffee shops on the same days or to have any kind of predictable pattern. I usually shrug that off with the excuse that my randomized office location strategy is for operational security. You know, when they come to get me I want to make them work for it. But really it’s because I don’t want to overstay my welcome. I pay $2.50 a day for office space and all the coffee I can drink, because the places I hang out provide free refills. By showing up at a place no more than once a week, I can rationalize that I’m not taking advantage of their hospitality. And yes, analysts have the most highly-functioning rationalization engines of all known species. I also like to see other people. Notice I said see – not talk to. Big difference. I guess I have a little “I am Legend” fear of being the only person left on Earth, so seeing other folks in the coffee shop allays that fear. Sometimes I see someone I know, and they miss the social cues of me having my earbuds in and not making eye contact. I engage in a short chat because I’m not a total douche. Not always, anyway. As long as it’s not a long chat it’s okay, because I have to get back to my Twitter timeline and whatever drivel I need to write that day. The other reality of my office space is that I’m far more productive when I’m out of the house. And evidently I’m not alone. It seems that the ambient noise of a coffee shop can boost productivity, unlike the silence of sitting in my home office. There is even a new web site that can provide a soundtrack that sounds like a coffee shop to stir your creativity. Maybe that works for some night owls, who like to work on the graveyard shift when coffee shops are closed. For me, I’ll head out and find a real coffee shop. With real people for me not to talk to. Speaking of which, must be time for that refill… –Mike Photo credits: Busy Coffeeshop originally uploaded by Kevin Harbor Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading UK April 8-10. Sign up now. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Email-based Threat Intelligence: To Catch a Phish Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Follow the money to DDoS mitigation: Marcus Carey brings up a couple good questions regarding the screwed-up process to defend against volume-based DDoS. You basically contract with a service provider to take the massive traffic hit. But he correctly observes that’s somewhat stupid, because everyone else upstream needs to accept and transmit the bogus traffic aimed at you. Wouldn’t it be smarter for the closest service provider (the first mile) to block clear DDoS attacks? It would be. But it won’t happen, mostly because there is no way to compensate the first-mile provider for blocking the attack. It would also require advanced signaling to identify attack nodes and tell the upstream provider to block the traffic. To be clear, some consumer ISPs do block devices streaming traffic, but that’s because it’s screwing up their network. Not because they care about the target. As always, follow the money to see whether something will happen or not. In this case, the answer is ‘not’. – MR Smash ‘em up old school: Our FNG (Gal Shpantzer) and I were talking about the recent malware attacks in South Korea the other day. Unlike most attacks we see these days, these didn’t target data (at least, on the surface), but instead left a trail of destruction. If you think about it, most of our security defenses over the past 10 years were oriented toward preventing data breaches. Before that it was all about stopping massive proliferation of malware and worms. So we have covered destructive attacks and then targeted attacks, but not necessarily both. I don’t expect this to be a big trend – the financial and political economics, meaning the risk of mutually assured destruction, self-limit the number of possible targeted destruction attacks, but I expect to hear more about this in the next couple years. It is a very tough