Research

I recently participated in a roundtable for NetworkWorld, tackling the question of Who is responsible for cloud security?. First of all the picture is hilarious, especially because it shows my head photoshopped onto some dude with a tie. Like I’d wear a tie. But some of the discussion was interesting. As with any roundtable, you get a great deal of puffery and folks trying to make themselves sound smart by talking nonsense. Here are a couple good quotes from yours truly, who has never been known to talk nonsense. NW: Let’s start with a basic question. When companies are building hybrid clouds, who is responsible for what when it comes to security? What are the pain points as companies strive to address this? ROTHMAN: A lot of folks think having stuff in the cloud is the same as having it on-premises except you don’t see the data center. They think, “I’ve got remote data centers and that’s fine. I’m able to manage my stuff and get the data I need.” But at some point these folks are in for a rude awakening in terms of what the true impact of not having control over layer four and down is going to mean in terms of lack of visibility. NW: As Sutherland mentioned earlier, a lot of this has to be baked into the contract terms. Are there best practices that addresses how? ROTHMAN: A lot has to do with how much leverage you have with the provider. With the top two or three public cloud providers, there’s not going to be a lot of negotiation. Unless you have a whole mess of agencies coming along with you, as in [Kingsberry’s] case, you’re just a number to these guys. When you deal with smaller, more hungry cloud providers, and this applies to SaaS as well, then you’ll have the ability to negotiate some of these contract variables. NW: How about the maturity of the cloud security tools themselves? Are they where they need to be? ROTHMAN: You’ll walk around the RSA Conference and everybody will say their tools don’t need to change, everything works great and life is wonderful. And then after you’re done smoking the RSA hookah you get back to reality and see a lot of fundamental differences of how you manage when you don’t have visibility. Yes, I actually said RSA hookah and they printed it. Win! Check out the entire roundtable – they have some decent stuff in there. Photo credit: “THE BLAME GAME” originally uploaded by Lou Gold Share:

You read stories about badasses tracking down trolls and showing up at their houses, and you get fired up about attribution. The revenge gene is strong in humans and there is nothing like taking that Twitter gladiator out the woodshed for a little good old fashioned medieval treatment. Now, payback daydreams aside, Keith Gilbert asks a pretty important question about attribution. Do you really need to know exactly who the attacker is? The question: Do you or your organization need to know the PERSON sitting behind the keyboard at the other end of the attack? I still believe that the answer, in most situations, is no. The exceptions I see are localized (physical tampering, skimming, etc) types of crime, or for organizations that are serious about prosecuting (which usually means a financial motivation) the perpetrator. That’s right. It may make you feel better to know the perpetrator was brought to justice, but in most cases doing the work to pinpoint the person is well past the point of diminishing returns. That being said, though it’s not critical to identify the actual attacker, you need to understand the tactics and profile of the adversaries. The idea is that knowing the tactics that the adversary is likely to use can be immensely valuable in prioritizing defenses and focusing employees. While understanding tactics is part of knowing your adversary, it also helps to understand the motivations behind your attackers. Why are you a target? What data are they going after (or prevent others from reaching)? How will they attempt to reach their goal? This is really no different than any other business intelligence function. If you don’t have a clear profile of your adversaries, how can you figure out how to protect yourself? As long as you understand that the profile is dynamic (meaning the attackers are always changing) and that you’re using the intelligence to make educated guesses about the controls that will protect your environment, it’s all good. Photo credit: “Caught red handed?” originally uploaded by Will Cowan Share:

The next chapter in our Threat Intelligence arc, which started with Building an Early Warning System and then delved down to the network in Network-based Threat Intelligence, now moves on to the content layer. Or at least one layer. Email continues to be the predominant initial attack mechanism. Whether it is to deliver a link to a malware site or a highly targeted spear phishing email, many attacks begin in the inbox. So we thought it would be useful to look at how a large aggregation of email can be analyzed to identify attackers and prioritize action based on the adversaries’ mission. In Email-based Threat Intelligence we use phishing as the jumping-off point for a discussion of how email security analytics can be harnessed to continue shortening the window between attack and detection. This excerpt captures what we are doing with this paper: So this paper will dig into the seedy underbelly of the phishing trade, starting with an explanation of how large-scale phishers operate. Then we will jump into threat intelligence on phishing – basically determining what kinds of trails phishers leave – which provides data to pump into the Early Warning system. Finally we will cover how to get Quick Wins with email-based threat intelligence. If you can stop an attack, go after the attackers, and ultimately disrupt attempts to steal personal data you will, right? We wrote this paper to show you how. You can see the landing page in the research library or download Email-based Threat Intelligence (PDF) directly. We would like to thank Malcovery Security for licensing the content in this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without sponsors licensing our content. Share:

I try to read a variety of different non-security resources each week, to stay in touch with both technology and startup culture. Of course, we at Securosis are kind of a startup. We are small and we’re investing significantly in software (which is late and over budget, like all software projects). But we choose not to deal with outside investors and to have reasonable growth expectations, since ultimately we do this job because we love it. Not because we’re trying to retire any time soon. It is instructive to read stuff from former operating folks who find themselves advising other startups. Mark Suster, who is now a VC, has a good post on TechCrunch about One of the Biggest Mistakes Enterprise Startups Make. He’s talking about the hazards of trying to introduce an enterprise product without a professional services capability. Ultimately any startup must be focused on customer success, and drop shipping a box (or having them download software) may not be enough. The line of reasoning goes, “Services businesses are not scalable and the market won’t reward this revenue so make sure that third-parties do your implementation or clients do it themselves. We only want software revenue.” This is a huge mistake. If you’re an early-stage enterprise startup services revenue is exactly what you need. In the security business this is a pretty acute fear. Let’s call this ArcSight-itis. Customers can be very resistant to technology that requires more investment in services than in software. The old ERP model of paying X for software and 4X for services to make it work is pretty much dead. Thus the drive to make things easier to use, requiring less services. And they don’t want to revisit their experience with early SIEM offerings. But as with everything, there is nuance. Ultimately customers want to be successful which is why they bought the product in the first place. So if customers left to their own devices can’t get quick value from any technology investment, then who’s the loser? Everyone, that’s who. Mark’s point is that for startups in emerging markets, customers don’t know what to do with the technology. They haven’t done the integration to provide a whole product (yes, break out Crossing the Chasm if you don’t know what I’m talking about). And the channel doesn’t have the expertise to really support the customer. So the startup needs to provide that expertise. Even better, services can goose revenues to partially cover costs while the software business matures. Over time, license revenues (or increasingly services/SaaS revenues) are far more highly valued. But Mark’s point is that if smaller companies selling an enterprise product don’t have the capability to integrate and service the product, they may not be around long enough for the software to mature. Of course there are exceptions, and that is why he prefaced everything with the ‘enterprise’ term. If a mid-market focused offering requires significant services it’s a epic fail. But if the Global 2000 is the target market, recruit good services folks early and often. Share:

I read a profile of Spanx’s Sara Blakely in Forbes Billionaires issue, and the tip that really resonated was that at dinner each night, her father would ask each child what they failed that day. Wait, what? He would be disappointed if the kids didn’t fail something because it meant they weren’t stretching far enough out of their comfort zone. Damn, I wish I thought of that. There is an unnecessary stigma about failure and it’s counter-productive. This is programmed into our heads from a young age. “Winning isn’t everything, it’s the only thing.” Hyper-competitive helicopter parents screaming at their kids to win their 4-year-old T-ball game. I have to say the Boy competes in both lacrosse and tennis, but he doesn’t much care whether he wins or loses. He just moves on. He certainly didn’t get that trait from me – I was very competitive growing up and hated to lose at anything. But I admire it in him. As a result of my unwillingness to screw up, I didn’t really try enough new things. I would compete when I knew I had a very good chance to win. Looking back, it would have served me much better to have tried stuff and made mistakes and realized that I could fall down, and it would be okay. Think about it – we fail every day at all sorts of things, both little and big. Entrepreneurs talk about failing fast and pivoting to the next idea quickly. They fall down but reload and move on. I love the guys who breathe their own exhaust and think they are all who because they joined a company like Google or Facebook early enough to make some money, but not so early that they had much to do with the company’s success. These folks think it was them, while in reality they were lucky. To be fair, these lucky few do learn from being around success. Some can parlay that into success in their next venture. But most don’t. The folks who got blown out are more interesting. As one of them I can tell you that I learned a lot more from failing. In the security world a breach occurs when something fails. Some of the small-minded clean up the mess and move on. They don’t spend enough time trying to figure out what went wrong. They hope the problem will go away. It won’t. It never does. They should do a post-mortem. They need to identify what didn’t work and fix it. An organization’s culture must allow for mistakes, though it’s realistic to expect employees not to make the same mistake twice. I am pretty good about telling my kids that it’s okay to make mistakes. As long as they learn from them. So when they have a no good, horrible, very bad day, messing everything up, I always ask what they have learned. Usually they can tell me, but if not I’ll use it as a teaching moment to explain what they could do differently next time. Ultimately I try to make it clear to them that it’s okay to fail. Really, it’s okay. As long as they get back up and jump into the mix. –Mike Photo credits: Oops! “This Was NOT What I Intended!” originally uploaded by Bridget Coila Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading UK on April 8-10. Sign up now. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Quick Wins Analyzing the Phishing Food Chain Industrial Phishing Tactics Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Vulnerability scoring snoring: I have to admit I have never been a fan of generic vulnerability scoring because it doesn’t take into account the context required to understand the impact of the issue on your network. It’s nice to see Tyler Reguly of nCircle make the same point. He says it pretty bluntly: “The current state of vulnerability scoring is useless. With the frequency of vulnerability disclosure and the number of vulnerabilities patched in products, a bucket consisting of High, Medium, and Low tells me nothing.” Back in Vulnerability Management Evolution I talked a lot about how prioritizing what to do is the key value of these platforms. Tyler then goes on to talk about risk scoring, which adds a few key attributes like exploit availability and access to the system. Right – if you can’t exploit the vulnerability or get to the system, your urgency score needs to drop. Period. – MR SCADA chum: Even today we still run into far too many Operational Technology (OT, as opposed to IT) people who like to pretend they are still safe behind their firewalls. Or that their systems are too specialized for Internet attackers to do anything with, even if they do get in. New research by Trend Micro shatters those misconceptions. The research team put up 3 honeypot networks designed to emulate real utility company networks, and watched as they were hit with 39 attacks from 14 nations (guess who came first?). This is merely one more in a series of wake-up calls, and you can bet that these sorts of results are driving more of the cybersecurity activity in DC than the more-public IP theft. – RM Right idea, wrong direction: This attacks to critical infrastructure story is making the rounds as news. But this is the same story we heard for years about SCADA; vulnerable – we know. But why is it an issue now, and why is it any

How will you know when you get there? That’s the point our pal Kevin Riggins made during his first RSA Conference talk. He wrote up the talk and allowed it to be posted on the Symantec blog. Kevin uses the metaphor of the Winchester Mystery House as a clear (and rather painful) analogy for how far too many people operate their security environments. In summary, someone with a lot of money decided to follow an unusual belief that led to 38 years of perpetual building… without a plan. Does that sound eerily familiar? Oh, but it does. Kevin then goes on to espouse the benefits of a security architecture as a way to structure security activities. I’ll take this one step further and say that the security architecture is an aspect of a broader security program. And if a security program isn’t well defined and accepted by senior management, the architecture isn’t going to help much. Kevin does talk a bit about some programatic aspects, but doesn’t quite say security program, and I think that’s an issue. Of all the things we can do as information security professionals to help the business, understanding their goals, drivers, and strategies will arguably gives us the biggest bang for the buck. If nothing else, it shows the business that we are engaged in what they want to achieve. He does talk about the need to understand the business and address business issues (which is what I call the “security business plan” aspect of the security program, and it is critical), but that’s not an architecture to me. Maybe I am just getting hung up on the words, but I believe an architecture is an aspect of the program, not vice-versa. So get your security program in place; then things like architectures, detailed designs, implementation plans, milestones, dashboards, and reports follow. But without a program, what you do every day will be a mystery to senior management. And you don’t have 38 years to try to tip the karmic forces back in your favor, like Sarah Winchester had. Photo credit: “Dome Plan Drawing” originally uploaded by Pat Joyce Share:

I am pretty upfront about my turbulent job history. Some of the issues were due to not doing enough homework up front before taking a job. But as I look back I am not sure I would have made different decisions about which jobs to take even if I had done more homework. A post at SCMagazine by Justin Somaini makes a couple good points about what questions to ask before taking a CISO job. Understanding a company’s standing is always important. Is the company losing revenue? Have executives and/or board members left? Is the company prime for a takeover? Are competitors dominating the industry? All of these questions help determine a company’s health: a factor that will be critical to know if you’re going to make the right move. While risks can pay off, you want to know what you are getting into. A company in turmoil will be more resistant to funding projects, hiring new staff, or making security a priority. Okay, that’s pretty obvious. You need a shot upside the head with a clue bat if you aren’t really scrutinizing the financials and market position of any potential employer. One of the worst aspects of security groups, let alone IT, is staff management. It is common to have to restructure a team based on skills gaps. So always try to determine how large the team is in relation to the overall company and IT staffing. Typical security groups for companies of 10,000 to 15,000 full-time employees will have 25 to 30 staff. This does not include IT operational teams that I usually leave in a separate group. Is last year’s attrition rate at the typical 10 to 15 percent? Is the staff located in key areas for the company? Are there cascading goals from corporate objectives? Are reviews done quarterly and historically attached to goals? What are the results of the latest employee survey? Has there been a layoff or hiring freeze in the past 18 months? As with financial assets, not having the right human capital will only make your job tougher, so ask the questions. I am not sure you will get real answers to these questions. If you are interviewing for the senior role on any team you should expect the senior management to tell you that you will be able to make the necessary changes to deliver results. Of course you can meet all the folks already on the team, but in my experience everyone is on their best behavior during the interview process. They will blow smoke in your hind section if they think they can salvage their jobs. So you won’t really know what folks can do and the internal douche quotient until you get boots on the ground and dig in. That’s why I highly recommend a rent-to-buy scenario. Take a 3-month consulting gig, with the expectation that things will work out and you’ll become permanent at the end of that probationary period. That mitigates risk on both sides and can prevent serious mistakes. I have a good friend who did exactly this prior to a relocation. Within a month he knew the situation wasn’t a good fit, and he exited gracefully after his contract was up. Let me throw one more point at you. There is no excuse for not making a few phone calls to learn what may not be obvious during interviews. Call some folks who will provide honest answers about culture and work environment. Yes, I’m taking about former employees. It still amazes me the number of folks who do not call me before taking a job I had – working for the same folks. I could have given them an informed perspective on some of the good and a lot of the bad. Of course it’s my opinion, but it’s another data point in a pretty important decision. But go in with your head up. Understand you won’t know everything you need to know. Things will be different. Sometimes you’ll be pleasantly surprised. Other times not so much. Which is part of the game. Photo credit: “Rent-A-Center store” originally uploaded by benchilada Share:

As a huge NFL fan with the DTs without a game to obsess about each week, I am constantly looking for parallels between football and my daily existence. Adrian talked a bit in one of his Incite snippets last week about how Facebook uses red team exercises to make sure they are prepared for the real thing. Luckily, the answer was yes, because the incident wasn’t real. It was the first of two large-scale red team exercises that Facebook has conducted in the last year. Red team exercises are certainly not a new concept–they’ve been around in the military world for decades and carried over into network security. But few of them are conducted in the way that this one, known internally as “Vampire”, was. McGeehan’s team kept the ruse going for more than 24 hours and kept close tabs on the way that the various participants reacted, communicated and disagreed. The idea, of course, is to prepare the teams for a real-life incident. And this comes back to something we hear in football circles every week. It’s all about the preparation. The teams put the work in (at least the ones that win), and they trust their preparation and just play on Sundays. They are ready and they give themselves a chance to compete. “We’re very well prepared now and I attribute that to the drills,” he said. “I’m not sure it would have worked as well otherwise. It felt like the second time we were responding to it and we were all ready for it. It was a much more calm, smooth response. [The exercises were] an incredible net positive.” The security world is no different. If you spend all day fighting fires and not preparing for incidents, how can you (and your team) expect to perform when the brown stuff hits the fan? You can’t. Which is fine. Though your management may have a different opinion. So you are best off making it very clear that based on staffing, expertise, funding, whatever, certain things aren’t getting done. Rather than Adrian’s call for the proverbial Security Chaos Monkey to be constantly testing your defenses, I prefer to focus on how to behave given the fact that you don’t have the resources to prepare properly for incidents. As I harp constantly, if you want to have any longevity as a CISO (or another senior security role), you had better get good at managing expectations. Of course that may not save you if (when) things go south. But at least you will have made it clear that you did not have the resources you needed, to the person responsible for getting you those resources. I underertand that many proud security folks would rather be caught dead than actually admit they can’t do their jobs. Which is too bad because excessive pride tends to be a major factor underlying high CISO turnover. Photo credit: “Untitled” originally uploaded by dabruins07 Share:

One of the things I miss least about doing marketing on a daily basis is product reviews. Of course when you win it’s awesome. You can then puff up your chest and take a victory lap as the sales folks use the review to beat down the competition. But when you lose it totally sucks. And depending on the culture of the company, unless it was a clear and decisive victory, it may be taken as a loss. Which requires damage control, forcing you to spin why the test was flawed. Then you need to question the integrity of the reviewer. That makes you many friends in the media community. Basically you have to figure out a way to make manure smell like roses. And no, it doesn’t usually work. So I wouldn’t want to be the folks responsible for running the NSS firewall test at WatchGuard. They got hammered. You can see the value map by registering on Dell SonicWALL’s site, but you can get the highlights and see WatchGuard’s beatdown in this CRN summary of the report. “Although WatchGuard demonstrated a good level of exploit protection, it was let down by its poor antievasion capabilities and a suboptimal price-performance ratio,” NSS Labs noted in its report. Frank Artes, director of research at NSS Labs, said the company also had some shortcomings to its system management capabilities. The company’s system manager was not as scalable and mature as other vendor products. WatchGuard was the only vendor tested by NSS Labs that was given a “caution” designation. The only vendor given a caution designation. Ouch. So their response is what? Dave Taylor, vice president of corporate strategy at Seattle-based WatchGuard, said the technology is tuned as a unified threat management appliance and not as a firewall. Really? It’s tuned as a UTM and not a NGFW? WTF? He is basically acknowledging that the product isn’t a modern device. Who doesn’t want to buy a modern device? Who wants to buy yesterday’s technology? Spin FAIL. But I am trying to understand why they participated in this test. Clearly, if every other vendor has a product with a modern architecture, and you don’t, the best thing to do is to not participate. But they did and it didn’t end well. Did I mention I don’t miss dealing with product reviews? Photo credit: “62:365 – Taster Testings” originally uploaded by Nomadic Lass Share:

The rhetoric about cyberattacks is nearly deafening. It seems like my Twitter timeline blows up every day about cyber-this or cyber-that. Makes me want to cyber-puke. Since Mandiant pointed the finger at China everyone seems to be jumping on the bandwagon of tough talk and posturing. Take example #1: The US is now fielding teams to play offense and respond to computer attacks on critical infrastructure. I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” Gen. Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone. Uh, this is news? Maybe that there is finally acknowledgement that the US (along with every other first world nation) invests in building cyber-attack capability. I know it’s hard to remember, but a few short years ago there was an uproar when Anonymous documentated that HBGary was proposing to build weaponized exploits. Where’s the uproar now? Oh yeah, now it’s politically correct to defend ourselves. This is media-driven nonsense. I doubt the strategy has changed at all, except maybe accelerated a bit. Though it will be interesting to see if and how sequestration impacts these kinds of investments. Rich recently pointed out that China is fundamentally different because they use military hacking apparatus to help commercial Chinese entities gain intelligence that helps them win big contracts. Obviously Israel’s announcement that their cyber-defense capabilities will be used to protect private Israeli enterprises is different, but it is another clear indication that the line is blurring between the private and public sectors. As it should. The Defense Ministry will set up a new body to support local defense industries in coping with cyber threats, ministry director-general Maj.-Gen. (res.) Udi Shani announced Tuesday. And if you need another data point showing ‘cyber’ is the new hotness, the CEO of BP disclosed on CNBC that BP Fights Off Up to 50,000 Cyber-Attacks a Day. Cybersecurity is a growing issue around the world, not only with companies but with governments,” Dudley observed. “We see as many as 50,000 attempts a day like many big companies … to my knowledge we haven’t had an incident that’s taken away data from us, but we’re incredibly vigilant. Clearly someone is hiding something from the CEO here, but he pulled the plausible deniability card in the form of “to my knowledge…” But if he’s right and they haven’t lost any data that would make them only such company. And before you start bitching in the echo chamber about how the hype is getting in the way of you doing your job because you are being paraded in front of the board and up to the CEO’s office once a week, remember when no one gave a crap about security. It’s always good to be careful what you wish for. Share: