Securosis


Incite 1/23/2013: Sustainability

You know those overnight successes who toiled in the background for 10 years before they finally broke through? How did they get there? How did they work through the Dip to reach the other side? I am fascinated by organizations which have success year after year. They seem to take the long view, set up the foundation, and stay committed to the plan. Even when other folks push for (and get) faster results, opting for short-term fixes. These band-aids may provide a short-term pop, but rarely result in longer-term results.

Sure that’s part of my rationalization for why the Falcons lost at the precipice of the Super Bowl. That they have built the organization the right way over the past 5 years, and will be back. You see those attributes in all the NFL organizations that seem to be competitive year after year. They work the plan. They build through the draft. They don’t react to a bad season or two. It’s unlikely Pittsburgh or the NY Giants will blow up their environment because they missed the playoffs this year. They have stability. And that stability leads to sustained success.

By the way, it’s not just my football obsession that causes me to fixate on this. As Rich said, we had a good 2012. But my paranoid self (I am a security guy, after all) continues to look for our Achilles heel. One good year – hell, even two good years – doesn’t mean the foundation for sustainable success is there. And as you see with all our new linky posts, even when things are going well, we need to adapt and change based on market realities. As Deming so famously said, “It is not necessary to change. Survival is not mandatory.” So I spent a good deal of time over the holidays digging into our good year. Partly because I was curious, but mostly trying to determine whether our results are sustainable. The honest answer is that I don’t know. I know what we did from an activity standpoint and we are still doing that. But past success is no guarantee of future results.

So I will keep looking for holes in the story. We all keep looking for holes. We’ll keep trying new things to see what works, and more importantly what doesn’t. But most of all, we will continue to grind. We may not achieve sustained success, but it won’t be due to lack of effort. That I can guarantee.

–Mike

Photo credits: Sustainable Food Poster originally uploaded by Steven-L-Johnson

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services
  • Integration
  • The Solution Space
  • Introduction

Newly Published Papers
  • Building an Early Warning System
  • Implementing and Managing Patch and Configuration Management
  • Defending Against Denial of Service Attacks
  • Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments
  • Pragmatic WAF Management: Giving Web Apps a Fighting Chance

Incite 4 U

The Hunt for Red October: Not that you had any doubts as to the sophistication of today’s attackers, but Kaspersky’s description of the Red October attack drives it home loudly and clearly. This is a multi-faceted effort undertaken over the past 5 years using sophisticated malware and tactics to infiltrate lots of places where information can be stolen and monetized. AlienVault worked with the Kaspersky folks to isolate the indicators of compromise (IoC) shown by Red October, and this is an example of Early Warning, but not early enough. You can now use the IoC information to see if you have devices already compromised. We will also see lots of hand wringing about who was behind the attacks. The stolen data is sensitive nation-state stuff, but that doesn’t mean nation-states are actually behind the attacks. Kaspersky says it’s Russian crime syndicates, adding a lot of news value to the research, but RSA says there isn’t enough information to draw a conclusion one way or the other. And at the end of the day, I’m not sure identifying the actor really makes a difference. It’s not like you can send them a cease and desist letter. – MR

PCI drops pants, doesn’t care: Oh, PCI Standards Council, there you go again. The same people who claim, “no PCI compliant organization has ever been breached” apparently can’t even decide what their own standards are. Approved Scanning Vendors (ASVs) are the companies authorized to perform scans on Internet-facing applications. If you run so much as the smallest doggie donut web store, and you take credit cards, you need to be scanned. There’s an annual review process for ASVs, which costs $10K a shot, and according to Brett Hardin not only does everyone fail the first time, but the same report submitted twice under different letterhead gets graded differently. In the words of the grader, “Well, security and PCI-DSS aren’t exact sciences.” Uh huh, then how about some free passes? – RM

Eyes on the prize: Every large retail firm I have spoken with has a VP or Director of Data Analytics. Macy’s foray into big data in the cloud is one example, and Target’s recent ‘success’ has been highlighted as well. Many other verticals have similar positions within marketing or IT. These people are popping up everywhere as data analysis becomes a core function of business. Make no mistake – big data is a huge trend and it is changing the way companies market and sell products. And assess risk. And evaluate investments. But every firm also has Identity and Access management, both for customers and employees. Ever hear about a VP of access and identity? Director? Me either. Every employee uses IAM every day, and it gates access to every electronic service. Think about that the next time you wonder where security ranks


It’s just Dropbox. What’s the risk?

From Ben Kepes’ post: Sure Dropbox is Potentially Insecure, but Does it Matter?

First, why do people go around IT to use Dropbox? In the majority of cases these are good, solid, hardworking employees that don’t want to introduce risk to their organization but that do want to get stuff done. For whatever reason (inflexible legacy systems, stubborn IT departments, need to be agile) they’ve decided that for a particular project, they want to introduce Dropbox into their workflow to quickly and easily share some content.

Evidently folks are storing important stuff in Dropbox, even though many of them know it violates their corporate policy. Duh. We have seen this over and over and over again through the years. Either IT and security helps employees get their jobs done, or employees find ways around the policies. Period.

Then Ben gets into a discussion of risk, and trying to understand how bad all this file sharing is. He is trying to gauge the real risk of these folks storing that stuff on Dropbox. He uses a firefighter analogy too, so Rich must love this guy. It gets back to remembering the role of security, which is to ensure business operates safely. It would be great to just implement a blanket policy preventing Dropbox or any application you don’t like. Spend a zillion dollars on a whole mess of NGFW to enforce the policies, and everyone wins, no? It always comes back to making the right decision for your business. Don’t ever forget who you work for and why you are there.

Ben sums up pretty well to close his post.

Now of course my infosec friends are paid to be eternally suspicious. These guys are (professionally at least) glass half empty – their concerns are valid and they bring an important balance to the picture. But it’s just that, balance, at the same time we need to look long and hard at the benefits that “rogue IT” can bring and ask ourselves whether we shouldn’t in fact lighten up a little.

There shouldn’t be absolutes, which irks me. I like clear black & white decisions. But that’s not the real world. If you are Dr. No, let me remind you of the immortal words of Sgt Hulka. Lighten up, Francis. I made my Stripes reference for the day, so I’m done. [drops mic]


New Paper: Building an Early Warning System

One topic that has resonated with the industry has been Early Warning. Clearly looking through the rearview mirror and trying to contain the damage from attacks already in process hasn’t been good enough, so figuring out a way to continue shortening the window between attack and detection continues to be a major objective for fairly mature security programs. Early Warning is all about turning security management on its head, using threat intelligence on attacks against others to improve your own defenses. This excerpt from the paper’s introduction should give you a feel for the concept:

Getting ahead of the attackers is the holy grail to security folks. A few years back some vendors sold their customers a bill of goods, claiming they could “get ahead of the threat.” That didn’t work out very well, and most of the world appreciates that security is inherently reactive. The realistic objective is to reduce the time it takes to react under attack, in order to contain the eventual damage. We call this Reacting Faster and Better. Under this philosophy, the most important thing is to build an effective incident response process. But that’s not the end of the game. You can shrink the window of exploitation by leveraging cutting-edge research to help focus your efforts more effectively, by looking in the places attackers are most likely to strike. You need an Early Warning System (EWS) for perspective on what is coming at you.

These days proprietary security research is table stakes for any security vendor, and the industry has gotten much better at publicizing its findings via researcher blogs and other media. Much more information is available than ever before, but what does this mean for you? How can you leverage threat intelligence to provide that elusive Early Warning System? That’s what this paper is all about. We will define a process for integrating threat intelligence into your security program, and then dig into each aspect of the process. This includes baselining internal data sources, leveraging external threat feeds, performing the analysis to put all this information into the context of your business, and finally building a scenario so you can see how the Early Warning system works in practice.

Direct Download (PDF): Building an Early Warning System

We would like to thank Lookingglass Cyber Solutions for licensing the content in this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without clients licensing our content.
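The concrete step both the Red October item above and this paper point at is the same: take indicators of compromise from an external feed and run them over your own logs to find devices that are already talking to known-bad infrastructure. The following is an added example written for this post, not code from the paper, from Securosis, or from AlienVault or Kaspersky. The feed values and proxy log lines are constructed placeholders (the `.test` domains, documentation-range IP and dummy hashes are not the real Red October indicators), and the CSV feed layout and squid-like log layout are assumptions. It also handles one edge case that bites in practice: shared indicator lists are usually "defanged" (`hxxp://`, `[.]`) and have to be normalized before they will ever match a real log line.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed indicator feed (type,value,source). Placeholder values only,
# NOT the actual Red October indicators. Note the defanged forms.
IOC_FEED_CSV = """type,value,source
domain,update-checker[.]test,feed-example
domain,hxxp://cdn.badexample[.]test/stage2,feed-example
ipv4,203.0.113.77,feed-example
md5,0123456789abcdef0123456789abcdef,feed-example
"""

# Constructed proxy log lines (assumed layout):
# timestamp client method url status md5-of-response-body
PROXY_LOG = """2013-01-20T10:01:02Z 10.1.4.25 GET http://cdn.badexample.test/stage2 200 0123456789abcdef0123456789abcdef
2013-01-20T10:01:05Z 10.1.4.25 GET http://www.example.org/index.html 200 ffffffffffffffffffffffffffffffff
2013-01-20T10:03:10Z 10.1.7.90 GET http://203.0.113.77/ping 404 -
2013-01-20T10:05:00Z 10.1.2.11 GET http://update-checker.test/check 200 deadbeefdeadbeefdeadbeefdeadbeef
"""


def refang(value):
    """Undo the defanging conventions used when indicators are shared."""
    value = value.strip().lower()
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = value.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return value


def host_of(url_or_host):
    """Reduce a URL (or bare host) to its host part for matching."""
    return re.sub(r"^https?://", "", url_or_host).split("/")[0]


def load_feed(csv_text):
    """Parse the feed into {indicator_type: {normalized_value: source}}."""
    feed = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = refang(row["value"])
        if row["type"] == "domain":
            # a defanged URL in the domain column is matched on its host only
            feed["domain"][host_of(value)] = row["source"]
        else:
            feed[row["type"]][value] = row["source"]
    return feed


def parse_proxy_line(line):
    """Split one constructed proxy log line into the fields we match on."""
    ts, client, _method, url, _status, body_hash = line.split()
    return {"ts": ts, "client": client, "host": host_of(url), "md5": body_hash}


def match_logs(log_text, feed):
    """Return one hit per log line that touches any indicator in the feed."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_proxy_line(line)
        reasons = []
        if rec["host"] in feed["domain"]:
            reasons.append(("domain", rec["host"]))
        if rec["host"] in feed["ipv4"]:
            reasons.append(("ipv4", rec["host"]))
        if rec["md5"] in feed["md5"]:
            reasons.append(("md5", rec["md5"]))
        if reasons:
            hits.append({"client": rec["client"], "ts": rec["ts"], "matches": reasons})
    return hits


def compromised_hosts(hits):
    """Distinct internal clients that matched at least one indicator."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    feed = load_feed(IOC_FEED_CSV)
    for hit in match_logs(PROXY_LOG, feed):
        print(hit["ts"], hit["client"], hit["matches"])
    print("clients to triage:", compromised_hosts(match_logs(PROXY_LOG, feed)))
```

Each hit records why it matched, because a body-hash match on a download deserves a different response than a single DNS lookup of a listed domain. The "baselining internal data sources" step the paper describes is what makes this cheap to run continuously: once proxy and DNS logs are already being collected and parsed, feeding a new indicator list through them is a minute's work rather than a project.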


If the exception is the policy, you’re doing it wrong

From NATHER’S LAW OF POLICY MANAGEMENT on the Tufin blog:

That last one is of particular interest to me today, as I saw a client recently with a rule base for his firewall that was around 1000 rules long. When looking at his compliance results for policy and risk he was showing me hundreds of rules he wanted to mark as exceptions. I was puzzled – almost two thirds of his rule base consisted of exceptions to the compliance policies they were trying to enforce. Bottom line: if your exceptions are out of hand, it’s time to rethink your compliance plans or realign operations with compliance.

It is one thing to lose track of how policy aligns with reality, another to not do anything about it. With any kind of positive security policy (defining what is allowed, rather than looking for what is not), you always need to manage exceptions. Michael Hamelin refers to Wendy’s point that “For every configuration there is an equal and opposite exception.” posited in a Dark Reading column back in October. Wendy is exactly right, and the reality is that firewall operational platforms – which the likes of Tufin, AlgoSec and Firemon provide – are more and more prevalent because firewall policies have become unmanageable. And it will get worse as folks continue migrating to the NGFW with application-centric policies. So it’s time to get on top of your rule bases, before things really get ugly. I will be doing some research on this later in Q1.


We are all criminals

In the anger and sorrow following Aaron Swartz’s suicide, Rob Graham makes an excellent point in “I conceal my identity the same way Aaron was indicted for”:

According to his indictment, Aaron Swartz was charged with wire fraud for concealing/changing his “true identity”. It sent chills down my back, because I do everything on that list (and more). Why do I do all this? That’s none of your business! I mean, all this has perfectly rational explanations in terms of cybersecurity, privacy, and anti-spam. You can probably guess most of the reasons. But explaining myself defeats the purpose. I shouldn’t have to explain myself to you, to prosecutors, or to a jury. I have a human right to privacy, and guarding that right should not be cause for prosecution.

In the course of indulging our job-related paranoia, most of us use one or many of these techniques. In the wrong context, these tactics can be used to show an intent to commit fraud or other such behavior. Even if that isn’t your intent. Remember, the Internet and a lot of these technologies have emerged over the past 10 years. Legislation, case law, and legal precedent lag far behind, so it will be at least several years before legal standards of maintaining Internet privacy can be established. Until then there will be a lot of collateral damage. Like Aaron Swartz.


A different kind of APT

What happens when you work for a US critical infrastructure company and see strange connections coming into your network from China? Using the real credentials of your top programmer? You crap your pants, that’s what you do. And you figure you have been compromised by the APT and pull the alarms. But what happens when it’s actually something else?

Security audit finds dev OUTSOURCED his JOB to China to goof off at work

After getting permission to study Bob’s computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.

In retrospect, this is hilarious. Unless it was your firm. The guy paid a group in China 20% of his salary to do all his work, while he spent all day surfing the web and watching a bunch of cat videos. Evidently no one thought to look at the logs from the outbound web filter, which likely would have identified this issue much sooner. Though it makes you wonder how much of this kind of arbitrage is going on, doesn’t it?
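The detection gap in this story is not exotic: the same account was authenticating over the VPN from another country while its owner was badged in and browsing from his desk. Two simple checks over logs most shops already have would have surfaced it: a login from a country outside the user's baseline, and a remote login that overlaps an on-site presence for the same user. The block below is an added example for this post, not anything from Verizon's investigation or from Securosis. All events, IPs, countries and the per-user baseline are constructed, and the log layouts are assumptions; in a real environment the country column would come from a GeoIP lookup on the source address.

```python
from datetime import datetime, timedelta

# Constructed VPN authentication events: (timestamp, user, source_ip, country).
# Documentation-range addresses; the countries are made up for the example.
VPN_EVENTS = [
    ("2013-01-14T01:05:00Z", "bob", "198.51.100.23", "CN"),
    ("2013-01-14T09:10:00Z", "alice", "192.0.2.44", "US"),
    ("2013-01-14T14:30:00Z", "bob", "198.51.100.23", "CN"),
    ("2013-01-15T01:12:00Z", "bob", "198.51.100.23", "CN"),
]

# Constructed on-site presence events (badge-in or local workstation logon).
ONSITE_EVENTS = [
    ("2013-01-14T13:55:00Z", "bob", "badge-in HQ"),
    ("2013-01-15T09:00:00Z", "alice", "badge-in HQ"),
]

# Constructed per-user baseline of countries the user is expected to connect from.
BASELINE = {"bob": {"US"}, "alice": {"US"}}


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_foreign_logins(vpn_events, baseline):
    """VPN logins from a country that is not in the user's expected set."""
    flagged = []
    for ts, user, ip, country in vpn_events:
        if country not in baseline.get(user, set()):
            flagged.append({"ts": ts, "user": user, "ip": ip, "country": country})
    return flagged


def find_remote_while_onsite(vpn_events, onsite_events, window=timedelta(hours=8)):
    """VPN logins that occur within `window` after the same user was seen on-site.

    A badge-in followed by a remote login during the same working day means the
    credentials are in use somewhere the employee is not.
    """
    onsite_by_user = {}
    for ts, user, _what in onsite_events:
        onsite_by_user.setdefault(user, []).append(parse_ts(ts))

    flagged = []
    for ts, user, ip, country in vpn_events:
        when = parse_ts(ts)
        for seen in onsite_by_user.get(user, []):
            if seen <= when <= seen + window:
                flagged.append({"ts": ts, "user": user, "ip": ip, "onsite_at": seen.isoformat()})
                break
    return flagged


def users_to_review(vpn_events, onsite_events, baseline):
    """Distinct users that trip either check; the list a SOC analyst would start from."""
    hits = find_foreign_logins(vpn_events, baseline) + find_remote_while_onsite(vpn_events, onsite_events)
    return sorted({h["user"] for h in hits})


if __name__ == "__main__":
    for h in find_foreign_logins(VPN_EVENTS, BASELINE):
        print("foreign login:", h)
    for h in find_remote_while_onsite(VPN_EVENTS, ONSITE_EVENTS):
        print("remote while on-site:", h)
    print("review:", users_to_review(VPN_EVENTS, ONSITE_EVENTS, BASELINE))
```

The second check is the one that matters here, because a travelling employee legitimately produces foreign logins, whereas nobody is at their desk and on the other side of the planet in the same hour. The window is deliberately generous (a working day) so that a badge-in at 08:55 and a remote login at 09:30 under the same account are caught; tighten it if your badge data also records badge-out.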


CISO Rule #1: Don’t be a douche…

Let’s take a look at Adam Shostack’s recent post, “The Phoenix Project may be uncomfortable”. First of all, I haven’t gotten a chance to read Gene Kim’s new book “The Phoenix Project,” but they were kind enough to send me an electronic copy and I will get to it soon. I love the idea of teaching important lessons via a fictional story, even for technology stuff. As much as I like technical books, I don’t read them. I consult them when I have a technical question. But I read stories, and learn by osmosis when plowing through a story I enjoy. In fact I wrote one a while ago using a similar tactic. Now onto one of the characters, the CISO of the fictional company in Gene’s book.

So let’s talk frankly about John. John is a shrill jerk who thinks it’s a good idea to hold up business because he sees risk. He thinks of his job as risk prevention and compliance, and damn the cost to the business.

If this isn’t the stereotypical security person, I don’t know what is. Of course, there is a reason for that. It seems this whole good guy/bad guy thing is taken too far by too many senior security folks. They get drunk on the power, abuse it, make a mistake, and sooner rather than later are looking for their next gig.

Understanding where security fits in a business proposition gives me not only understanding but even sympathy for business leaders who listen to someone claim that if only the CSO reported to the CEO, they’d have a voice. That’s backwards. If the CSO has an understanding of the business, they’ll have a voice, and won’t need to report to the CEO. Also, the CEO is not the person with cycles to mentor a CSO to that understanding.

Here Adam hits the nail on the head. Playing in the C-suite is all about business, not technology. If you don’t understand your business, you can’t do the CISO job. It’s as simple as that. The Pragmatic CSO is all about understanding that game, also discussed in this recent SC Mag interview. But first and foremost, to be successful as a CISO you need to be a team player. And you need to understand who your customers are.


Incite 1/16/2013: Emotional Whiplash

It started out great. Fantastic even. The Dome was fired up. The team started fast. Field goal. Forced punt. Matty Ice throws a pick. Then the Falcons force a fumble and get the ball back. Touchdown. Forced punt. Field goal. 13-0. Red zone stop on a huge 4th and 1. Touchdown on a bomb. Huge sack to end the half. The Falcons were up 20-0. This was it. The year they finally exorcise the playoff demons. We all cheered for the kids showing off their football prowess during halftime as national Punt, Pass & Kick finalists.

Then the second half started. Seattle drives down and scores. Then the Falcons respond with a 7+ minute drive to go up 27-7 when the 3rd quarter ends. The crowd goes bonkers. Only one team has blown a 20+ point lead in the playoffs at this point in the game. Elation sets in. It’s over. Until it’s not. Bad tackling. Mental lapses. A tight end playing on a ripped-up foot keeps making huge catches over the middle. Seattle scores. 27-14. Matt Ryan throws a pick. Seahawks drive down the field again. Touchdown Seattle. Cover that guy! 27-21. Oh crap. Now is the time. Make a play, offense. Get some first downs, burn up some clock and get this done. Come on, man! 3 and out. Falcons punt. This is not good. You can feel the tension in the Dome. All the negative thoughts creep in. All the playoff failures. How could they choke? How could they?!?!? Falcons force a punt. OK. It’s under control now. Just a few first downs and it’s over. 3 and out. Again. Seahawks have the ball back. 5:32 left. Seahawks driving again. They are on the Falcons 3. They score. Falcons are down 28-27. WTF? This would be the choke to end all chokes. We were stunned. The Dome was in shock. 31 seconds left. How could it end like this? Again? So disappointed. So so disappointed. Sure it was a good season, but another one and done in the playoffs and it’s going to set this franchise back years. Unbelievable. It’s only a football game, but it sure doesn’t feel that way.

The Falcons get the ball back with 31 seconds on the clock. They need 40 yards to get into field goal range. First pass goes for 22 to a receiver named Harry D. Could they? Dare we have hope? The odds are long and they’ve done it before, but not with a berth in the NFC Championship at stake. 19 seconds. Another pass goes for 19 more yards to 36 year old Tony Gonzalez, a sure fire first ballot Hall of Famer who has never won a playoff game. Ever. They’re in field goal range. They set up the kick. I can’t breathe. Literally. No one can. This is it. The Boss squeezes my hand. The kick is up. The kick is good. HOLY CRAP. We scream. We hug. We embrace people we don’t even know. We scream some more. We jump up and down. You can’t hear anything because everyone is screaming. I give the Boss a huge hug. I mean huge. Instant elation emerges out of the depths of despair. It doesn’t get better than this.

But it’s not over. There are still 8 seconds left. Seattle gets the ball back in good field position due to a muffed squib kick. A short pass. 2 seconds. Seattle is on the 50. Hail Mary time. The pass is in the air. The Dome holds its breath some more. The Falcons’ Julio Jones comes down with the ball. It’s finally over. Playoff demons vanquished. We just rode a 3.5 hour emotional roller coaster. A pretty high high. Then a very low low. Then the best moment in any football game I’ve ever experienced. I had emotional whiplash. I was nauseous. I was exhausted. My whole body hurt. My voice was gone. And I can’t wait until next Sunday to do it again. Rise up Falcons. It’s time.

–Mike

Photo credits: Buddha in Neck Brace originally uploaded by bixentro

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services
  • The Solution Space
  • Introduction

Newly Published Papers
  • Implementing and Managing Patch and Configuration Management
  • Defending Against Denial of Service Attacks
  • Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments
  • Pragmatic WAF Management: Giving Web Apps a Fighting Chance

Incite 4 U

Control via cloud: A lot of people focus on cloud computing as a security risk, but few look upon it as a security control. I suspect this is due to its newness – anything that disrupts our current models is nearly always seen as a risk to defenders at first. But as this article at cloudave.com points out, the cloud can play an awesome role in improving security. Specifically, if you adopt Platform as a Service for your application environment, you expand your security control scope, gaining the ability to enforce development standards by eliminating the variability of platform configurations. All the apps now run on a pre-configured platform, and there just isn’t much opportunity to screw it up. Plus you can enforce other code standards and practices based on the interfaces exposed via centralized platform management. Since it is faster and easier to use the PaaS, you aren’t fighting the developers. Sweet, eh? – RM

Guessing for dollars: Does anyone really believe that the market for financial critical infrastructure security will reach $17 BILLION by 2017? Even if you could pin down what “financial critical infrastructure” even meant, and thought that you could estimate the portion of those dollars going to security products or services, do you really think you could extrapolate the amount 5 years out?


Beware of Self-Proclaimed Experts

“Experts” who tell you to do dumb things… are not experts

Dump anything you don’t use. Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it). That’s the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don’t need Java in your browser – disable the browser plugins.

You might find it a bit strange when we tell you to beware of experts – especially because we are often hyped as experts. But it’s not. The day we start believing our hype and calling ourselves experts in anything beside pontificating and drinking coffee, we’re done in this business. We’re fortunate to know a lot of experts, but knowing and being are very different things. Jack’s point is exactly right. Anyone can talk to the press and that supposedly makes them an expert. It would be funny except that many of these folks say stupid and wrong things, and because they show up in reputable publications they must be right. Not so much.

It’s easy to say things. It’s hard to do things, especially restrictive things like eliminating Java and IE from your environment. It is almost impossible to do these restrictive things on an enterprise scale. And that triggers Jack’s point about dumping software you don’t use. It’s convenient to have a standard desktop image, but that will involve basically allowing everything on it. That’s not a path to security success.

And how to deal with experts providing bad advice? Triangulate everything. Everyone has an opinion. Solicit a variety of different folks and see what they have to say. The more weighty the decision, the more folks you should talk to. Sometimes the opinions will be consistent and that makes the decision easy. Sometimes they aren’t, and then you have to figure out what’s right in the context of that decision. Which is why you make the big bucks.


Happy Out of Cycle IE Patch Monday

Microsoft to release emergency Internet Explorer patch on Monday

The vulnerability, which is present in IE 6, 7 and 8, is a memory corruption issue. It can be exploited by an attacker via a drive-by download, a term for loading a website with attack code that delivers malware to a victim’s computer if the person merely visits the website. Microsoft released a quick fix for the issue earlier this month, but did not have a more permanent patch ready when it released its monthly batch of patches last Tuesday. The company will occasionally release an emergency patch if the software vulnerability is considered a high risk.

So if Mondays weren’t bad enough, have fun applying this out of cycle patch because Microsoft couldn’t get it done in time for the regular patch cycle. Of course you need to be running an older version of IE for this to be an issue, so there’s that.


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.