Research

What is normal? It changes most every day, especially when you are 8. We picked up the Boy from a month away at camp last weekend and we weren’t sure how he’d respond to, uh, real life. After seeing him on Visiting Day the week before, we knew he was having a great time. Maybe too great a time, as the downside is the inevitable adjustment period when times aren’t as fun or active or exciting or anything besides 16 hours of non-stop playtime. To give you some context, we had him explain a typical day at camp. They’d rise at 7, line up to raise the flag, clean up their bunk for inspection, have breakfast, do an elective, then move on to a bunk activity before instructional swim. Then they’d eat lunch. Right, that was just the morning. After lunch they’d have another bunk activity, free swim, rest time, then dinner. After dinner, they’d chill out at the canteen and have an evening activity. Then it was bed time, finally. I get tired just typing up this list. Think about it — non-stop activity every day for a month. Of course it would take some time to get back into the swing of being home. Let’s just say his activity level at home is not. like. that. He was fine the first day, as he got fawned over by his parents, grandma and cousins. On the second day we drove back to GA. It didn’t go well. Not well at all. He got a bit car sick and thus the iPad was out of play. That was a problem. So he proceeded to make us miserable for the first four hours of the drive. As much activity as he had at camp, he had none on this day. The 180 degree turn gave him some whiplash. And he let us know it wasn’t fun. As if driving 10 hours was just a load of laughs for me. Then it hit me — he had the DTs. Thankfully without the vomiting or convulsions, as that would have made a mess in my new car. So we just had to ride it out and let him detox from his activity addiction. He slept, a lot, I listened to a lot of Pandora, and the Boss watched some movies. When we finally got home, he was genuinely happy to be home. He liked the changes we made in the house when he was away. He couldn’t wait to see his buddies. We still have to manage his expectations a bit by providing a minute by minute description of what he’ll be doing each day. And he’ll have fun, but not as much fun as when he was at camp. Then he’ll be back in school, and fun will be a distant memory. I wonder if they have methadone treatments for that? -Mike Photo credits: Novus Medical Detox Center 01 originally uploaded by thetawarrior Securosis at Black Hat As Adrian posted on Monday, the extended team is descending on Vegas this week for the madness that is Black Hat and DEFCON. That means not just Rich, Adrian and I, but Mort, Jamie and Dave will be there also. Seems that only Gunnar has the sense to stay off the surface of the sun in August. I can only speak for myself and my schedule’s been locked down for weeks. But I’ll look forward to seeing some of you on the party circuit through Thursday night. Follow us on the Tweeter and you’ll sure to get some idea of where we’re milling around. Incite 4 U Beware the PDoS: I’m not sure if Krebs should be flattered or horrified that he’s the unknowing beta tester of all sorts of bad stuff in development. He details his experience as the target of a PDoS (personal denial of service), getting flooded by emails, texts and calls one day. It was a crippling attack, even for someone knowing what they are doing. Amazingly enough shortly thereafter, Brian saw a commercial offering hit to provide the same kind of attack. As you can imagine, if a bad guy was trying to prevent some kind of notification of bad stuff happening (like a huge bank transfer, etc.), shutting down someone’s methods of communication could be pretty effective. So the question for all of us (assuming you require notification and authorization of some types of transactions) is whether your institution fails open (allows the transaction) or fails closed (doesn’t). I’m not going to assume anything, and will be checking all of my accounts ASAP. — MR Mah SIEM sux: Mark Runals’ discusses some of the limitations with misuse detection, examining both statistical analysis and rule based policies, as they relate to SIEM and Log Management platforms. I agree with his conclusion about the value of starting with statistical analysis (you know, baselines) as an easier first step, but keep in mind that threat-model based rules is a great way to isolate specific actions and alert/report on unwanted behavior. Most firms have a handful of very specific actions/attacks they want to detect. But some of the reasons people say ‘Mah SIEM sux’ is that the logs lack enough context and/or some of the necessary attributes, to provide truly effective rules. And the log data is often normalized into uselessness along the way, with correlation focused on network-based attributes that don’t really help you understand the impact of application or system events. Enrichment is supposed to help fill this deficiency, but then rules need to evolve to take advantage of the enriched logs, increasing the amount of work it takes to write rules. This, and the fact that we can’t predict – and subsequently write policies – for all possible conditions we need to watch for. Policies are limited only by the imagination of the policy manager, the time it takes to write/tune the policies, and the processing power available to analyze the ruleset. Not to mention the more granular the policies

21 days. It doesn’t seem like a long time. In the day to day grind of my routine, 3 weeks is nothing. I basically blink and that much time passes. But when your kids are away at camp it is a long time. For us day 21 is a lifesaver because it’s the first visiting day. So last weekend we packed up the car and made the trek to Pennsylvania to see the kids. For 21 days, we were in parental purgatory. We wait and we worry and we look at pictures and we make up all sorts of stories about what the kids are doing, based on thos pictures and a couple 2-sentence letters. That’s what parents do. So after 21 days, we finally get to compare reality to our made-up vision of what they are doing. Just to give you a little flavor for the kinds of letters we receive, XX2 wrote this missive to her Grandma (slightly edited for readability, but not much): Grandma, Please send make-up. I need lipstick and eyeshadow and hairspray. I’ve had to borrow from the other girls. I’m helpless without makeup. Love, XX2 Helpless?!? What a character. Though we had a decision to make – to send the make-up or not. Of course we sent her make-up. Actually, the Boss was very surprised because at home I’m very anti-makeup. My kids are beautiful without needing to look like street walkers. But they are at camp to find themselves. To do the things they want to do, without their parents micromanaging every move. Even if it involves wearing make-up – so be it. The good news is the kids are doing great. Really great. Even the Boy, who is away for the first time. His counselors said he was quiet for the first two weeks, while he figured out which end was up. But now that he’s comfortable with everyone, he’s pretty talkative. The girls are camp pros by now, and they are having the time of their lives. XX2 got a big part in the play, and XX1 has made the Boss very happy by being in the middle of every picture she’s in and flashing a huge smile. In another 21 days, we’ll return to camp for the second visiting day and to pick up the girls. Then we’ll do the long drive back to GA and get back into the routine of school and activities. For us, the next 21 days will be agonizingly slow. For them, they will pass in the blink of an eye. And they’ll enjoy every second of it. –Mike Photo credits: Welcome to Camp originally uploaded by Altus Wilder Incite 4 U Security vs. Convenience: This post on scaling by one of the Dropbox ops guys was very interesting. Counter-intuitively adding “fake” load prematurely only to remove the extra load when you run out of capacity is an interesting tactic to buy some time. Also the ideas of actually testing the edge cases and logging all sorts of stuff (even if you don’t know how you’ll use the data) will help to put our scaling efforts in perspective when we have Nexus scaling problems, that is. But it’s the last paragraph that is pretty problematic (and explains how privacy issues and obfuscation happen). He says that “security is really important for Dropbox,” but then goes into a riff on making trade-offs based on how important security is to the service. Let’s be clear, security isn’t important to any emerging service until they screw something up. Then security is very important. Which is why trying to build a security program in an organization that’s never had a security problem can be the Impossible Dream (h/t to Don Quixote). – MR Cry havoc and let slip the honeypots of war:: Playing defense all the time is a real pain in the behind. No one enjoys just sitting there until some dumb ass wielding Metasploit comes by and owns you. At the same time, never underestimate the marketing power of the latest security meme. One of these hot topics is the concept of active defense, which can technically mean a whole host of things as described by Chris Hoff in his latest post (that also references one of my posts). As this conversation picks up I think it’s important to remember that these principles, and even sometimes technologies, have been around for a while. The problem has often been they lack the automation to make them truly useful. Too complex, too manual. That’s starting to change, and I think most organizations will adopt active defenses fairly soon. As for Chris’ OODA loop reference… well let’s just say I have more to write on that. – RM Browser Security is more than sandboxing: Reading the Which Browser is Safest on nakedsecurity I was non-plussed as there are several important ways to judge browser security not even discussed in the post. Sandboxing is certainly one element, but there is no discussion of XSS or CSRF. And there are the reputation based protections, to detect things like malware and bad certificates. Perhaps more importantly, there is still no real equivalent to NoScript on Chrome or IE, which is the last reason I continue to cling to Firefox while most people I know have long since moved to Chrome. Then there is the rest of the privacy side of the equation. Ironic that someone on nakedsecurity is discussing browser security when their site source cross-links to eight or so other sites and feeds your browser with another 8 ghost cookies. As bad as Firefox is, at least my add-ons allow me to block most of the data I don’t want sites having on me and my browser. – AL The challenge of asymmetry: Greg Ferro summarize the issues of doing security pretty effectively in Basics:Threat Asymmetry and Security Posture. Yes, it’s a pretty simple concept, but when you spend all day in your reversing tool or knee deep in PCAP files, sometimes

Our friend Richard Stiennon put his promotional engine in gear this week to push his new book, UP and to the RIGHT. So my Twitter stream has been blown up by all sorts of folks praising Richard’s work. Which is great for Richard. I know what kind of commitment is required to write a book and what’s involved in self-publishing one. Including the Herculean task of getting your buddies to write glowing reviews and generating buzz in the echo chamber. Richard is a good analyst. He has seen the process of vendor ranking from both sides, as both the analyst and the vendor. If someone is going to write a book about optimizing a vendor’s position on the Magic Quadrant, it should be Richard. If you just fell off the turnip truck and have no idea how analyst relations works, then maybe you need a book to teach you what to do. But it has been a long time since I’ve talked to someone at a high level within a enterprise class security vendor who doesn’t understand how the process works. In terms of disclosure, I haven’t read Richard’s book and I’m not going to. I’ve lived Richard’s book. So has Rich (from the analyst side) and Adrian (from the vendor side). So maybe Richard has new nuggets of wisdom for all of us. But let me save you all a little time and tell you vendor folks the two steps to a better ranking on any of the analyst charts. Step 1: SELL. MORE. STUFF. TO. ENTERPRISE. CUSTOMERS. Step 2: Go back to Step 1. It’s not really any more complicated than that. Of course you can spend a zillion dollars on subscription services and analyst days and conference sponsorships. That may move your dot a little bit. But it won’t move your dot a lot. The only thing that will truly shift your ranking is customer success. That’s what most folks don’t understand. Or don’t want to understand. Lots of vendors (strangely correlated with those in the ‘loser’ quadrant) continue to hide behind the pay for play bogeyman, figuring they aren’t ranked better because the big competitor spends a bunch more money on analyst services. That’s rubbish. In my experience, it doesn’t work that way. And by the way, marketing professionals can’t fix a busted product or a company and finagle a better ranking. Analysts (even the bad ones) involved in an MQ or Wave project talk to a lot of people. They hear the good and the bad. Calling in favors to get your good customers to call the analyst (‘unprompted’) and tell them good things may help. But not if the ratio of calls talking about replacing your gear to those good calls is 4:1. Believe me, I’ve tried. I’m not going to minimize the importance of spending time building rapport with the analyst who covers your company. Oh, by the way, you may actually learn something if you spend half a second listening to what the analyst says about what’s happening in your market. As opposed to spinning like a nuclear centrifuge for the entire meeting. Talk to them quarterly. Keep them updated on what’s going on with your company. On your success and your failures. They are going to hear about your failures anyway, so you may as well be honest. If you have a compelling vision that aligns with how they see the world, then these briefings may move your dot a little to the right. But not a lot. I’m sure there is a lot of great stuff in Richard’s book. But nothing in a book is going to help you sell more stuff to the end users who Gartner and Forrester are talking to every day. If those folks aren’t looking at your product or service, and if they aren’t deploying it, you have no shot. You deserve to be in the loser quadrant. And no number of strategy days is going to change that. Photo credit: “Magic Quadrant Fruits White” originally uploaded by Jinho Jung Share:

As long last (OK, maybe not that long), we have assembled the Evolving Endpoint Malware Detection series and packaged it as a paper. You can check out the landing page to find out more, but this description sum it up: The good news is that endpoint security vendors recognized their traditional approaches were about as viable as dodo birds a few years back. They have been developing improved approaches – the resulting products have reduced footprints requiring far less computing resources on the device, and are generally decent at detecting simple attacks. But as we have described, simple attacks aren’t the ones to worry about. So we will investigate how endpoint protection will evolve to better detect and hopefully block the current wave of attacks. We would like to thank Trusteer for licensing the content in this paper, and keep in mind that your work is never done. The bad guys (and gals) will continue innovating to steal your data, so your detection techniques need to evolve as well. Direct Download: Evolving Endpoint Malware Detection (PDF) For those of you interested in the raw material, here are the posts that made up the series: Control Lost Behavioral Indicators Providing Context Controls, Trade-offs and Compromises Share:

Last week we celebrated Independence Day in the US. It’s a day when we reflect on the struggles of our forefathers establishing the country, the sacrifices of the Revolutionary War, and what Freedom means to us all. Actually, most folks gorge on BBQ, drink a ton of beer, and light fireworks imported from China. Which I guess is another interpretation of freedom. I thought it would be great for each of us Securosis guys to describe what Freedom means to us for last week’s Incite. Alas, the best laid plans got derailed when it got to be late on Tuesday and I wanted to start my holiday. No Incite for you. Adrian put everything in context by remarking, “You are free not to do it.” Nice. But here’s the deal – I take freedom for granted, and if you live in a free society, you probably do too. I don’t think about the struggles involved in maintaining a free society. A couple times a year (you know, Memorial Day), I remember the brave military folks away from their families making sure my biggest issue is which Starbucks I choose to write at that day. The Boss and I try to impress upon the kids how lucky they are to live in a free environment. They learn about the Holocaust to see the worst in people. They’ll also read and hear about other oppressive regimes, and be thankful for where they were born. But if I’m being honest with myself, I haven’t felt free for most of my life. A conversation I had recently with Mike Dahn reinforced that. I was captive to my own expectations. Regardless of the fact that I could do anything (besides break the law, I guess), I always felt a responsibility to do what was expected of me. I compared myself to some vision of what I should be. What I should achieve. But that vision was only in my head. It wasn’t like my folks told me what to do. All those expectations made me feel like a failure, even though I achieved quite a lot. That epiphany became the impetus for my Happyness talk. I wasn’t until I let go of those self-inflicted expectations that I’ve been able to make strides toward being happy. Of course, I have good days and not so good days, like everyone else. But tossing my own expectations has given me the freedom to live my life – not anyone else’s. Not setting specific goals means I can enjoy the journey, not fixate on how far I have left to go. The US celebrates Independence once a year. But I get to celebrate my own Independence every day. And I don’t plan on taking it for granted. –Mike Photo credits: Independence, Oregon originally uploaded by Doug Kerr Incite 4 U It’s not the message, it’s how you say it: Sometimes you read something that hits very close to home. Bejtlich’s perspective on the importance of how you deliver the message resonated. The Boss chides me all the time about the fact that no matter what I’m saying, the kids shut down because I’m barking at them. “But they don’t listen! I need to get their attention,” I respond. And she just laughs. No matter what I say, they only hear more yelling. So when Rob Westervelt said a panel at an April security conference got contentious, clearly the folks in the audience didn’t get the message. It’s not that any of the panelists were wrong, but if you don’t package the message in a way that will get through to the other party, there is no wrong or right. Only wrong. So keep that in mind next time you present to business folks or chastise a user for doing something stupid. – MR The cloud is down. No it isn’t. Yes it is: Last week there was another cloudastrophe when Amazon AWS had an outage in their main US data center. The root cause was a combination of weather and a failure in their emergency power procedures. I don’t overly blame them, since it’s really hard to effectively test every scenario like that. But it’s a reminder that not only can the cloud go down, but it can be difficult to architect availability for such a complex system. Extremely difficult, as Netflix shared in a killer post discussing why they went down. Now, for the record, this was a major personal disaster because my 3 year old couldn’t watch “the Apple TV” (which also had a “rough morning” Tuesday due to low bandwidth). This isn’t a security failure but it does highlight the complexity of fully moving to cloud and how that impacts fundamental design and DR/BC scenario planning. Security is no different than availability and we are all going to learn some of these lessons together the hard way. – RM No access, no problem: Brandon Williams asks how do we arm small and medium businesses (SMB) for the change in threat landscape with the switch to EMV cards? His premise is that if the EMV credit card format comes to the US, we expect to see a shift from “card present” to “card not present” (i.e., Internet sales) fraud, mirroring the trend in Europe. The cards are harder to forge, the terminals perform some validation, and the infrastructure supports real point to point encryption instead of the mockery we’ve seen for the last decade or so. But does that mean SMB is at a disadvantage? I don’t think that’s the case. The terminals are expensive, but SMBs have lower overall switching costs to EMV. By combining it with tokenization, they have removed sensitive data from their environments, and pushed much of the liability back on payment processors by not being privy to payment data. Logically there is little difference between an Internet sale and an EMV transaction – payment gateways offer plug-ins and edge tokenization services perform equivalently to EMV without a card reader. As the merchant

We send a quarterly newsletter out to vendor clients as part of our retainer program. Here’s the introduction, which describes how we view the newsletter: Welcome to our inaugural vendor newsletter. This is where we talk about all the things we see during the course of our daily research. Trends, analysis, data, and whatever we think will help you – at least the stuff we can share! As industry analysts we see the good, bad, and ugly of everything from pitches, collateral, and messaging, to how products are used and abused in the field. Our goal for these pages is to highlight what works, what doesn’t, and give you insight into what we’re seeing out there, including the latest trends and data. Sometimes we will use this space to call out folks, but all in good fun – and always with the goal of educating everyone about what we think works. We’ll also highlight good stuff when we see it – don’t worry… this won’t be all snark. Yup, it’s the newsletter you’d expect us to write. We sent out the first version at the end of Q1, so we figure enough time has lapsed that we can share it with everyone. You can download the full newsletter (PDF) and check it out. As if you needed another reason to become a retainer client… Share:

The question of stopping targeted attacks has been on my mind for a while. Of course my partners and I have to suffer through far too many vendor briefings where they claim to stop an APT with fairy dust and assorted other black magic. But honestly, it is a legitimate and necessary question. Ever since Google came clean a few years back about Aurora, and everyone then acknowledged the persistent, likely state-sponsored attacker as a class of adversaries, vendors have been APT-washing their stuff trying to convince anyone who would sit still that their run-of-the-mill IPS or endpoint protection product had a chance. Basically this rash act was necessary to keep the cash cow hemorrhaging money, even in the face of mediocre (or worse) efficacy of existing controls. But here is the thing these vendors missed. Very few of the adversaries most organizations face are advanced or persistent. Most are today’s version of script kiddies trying to smash and grab their way out of the despondency of their existence. It’s much easier and more lucrative than robbing a bank, after all. So most existing controls still have some role to play in tomorrow’s defense. But we all know existing controls are not sufficient. Yet targeted attacks do exist, and the legitimately advanced attackers are now targeting further afield to achieve their objectives. They are attacking the supply chains of their targets to gain deeper footholds, earlier. And now that we have a better idea of the tactics they are using, we start to see offerings built very specifically for these kinds of attacks. I won’t say we’re seeing real innovation yet, but lots of vendors are learning and evolving their offerings to factor in this new class of attacker. Unfortunately it’s still way too early to get a feel for whether real innovation is happening (or will happen), or whether this is just a classier version of APT-washing. Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff. As Mandiant described in a blog post that has since disappeared from their site (wonder if they’re now doing work for Global Payments, hmmmm), the folks at Global Payments evidently found the first breach themselves by monitoring their egress traffic and seeing stuff they didn’t like leaving their network. Was it too late? Of course. But it’s a hell of a lot better to catch it yourself than to hear from your payment processor or the FBI that you have a ‘problem’. We will see a lot of new stuff, as everybody tries to get ahead of attacks – even targeted ones. But it’s career-limiting to plan on stopping them; so we still push investment in monitoring, forensics, and response – even in the presence of new and innovative protections. Or is “Can you stop a targeted attack?” the wrong question to even ask? Photo credit: “Bullseye” originally uploaded by bitsofreality Share:

Be quiet. Be vewy vewy quiet. Now listen. What do you hear? Listen very closely. Do you hear anything? No? That’s exactly the point. The Boss and I woke up yesterday morning to the sound of nothing. No grumbling about having to get ready for school. No kvetching about ill-fitting bathing suits, and no asking for this play date or that activity. No crappy Disney Tween shows blaring from the TV. No nothing. The house is quiet. On Sunday we put the kids on the bus for sleepaway camp. Barbarians that we are, we ship the kids off to Pennsylvania every summer. The girls go for 6 weeks. The Boy is going for 4 weeks, as it’s his first summer away. So for the first time since XX1 was born, we will have the house to ourselves for longer than a day. Will we miss the kids? Of course. We huddle around the laptop every night and look for pictures posted on the camp website. We dutifully write them letters every day. Well actually, we type the letters into a website, which then prints a copy for delivery to them. We’ll trudge off to the mailbox every day, hoping we got a letter. But we will also enjoy the time they are away. We’re going to see Earth, Wind and Fire tonight – and we don’t have to worry about arranging for a baby sitter. We may take a long weekend at a nearby resort. Or we might not. We can sleep late. We can work late. We can go to the pool at 2pm if we feel like it. We can BBQ on Wednesday, and I could party on Friday night, knowing that I don’t have to wake up early to take a kid to a game or activity. Best of all, I can spend quality time with the Boss without the constant crushing pressure of being the involved parents of active kids. We don’t have to worry about who’s making lunches, or picking up from the dance studio, or folding the laundry. Two adults don’t really generate that much laundry. These quiet times also prepare us for the inevitable, when the kids leave the nest. Lots of parents forget to have their own relationship because they are too busy managing the kids. Not us – for here on, our nest will be empty every summer. We are painfully aware that the kids are with us for a short time, and then they will live their own lives. And 6 weeks every summer is a big chunk of their summer vacation. Like everything, it’s a trade-off. Ultimately the decision is easy for us. They learn independence and how to function as part of a group, without their parents telling them what to do. We take very seriously our responsibility to prepare our kids to prosper in the wide world, and I don’t think there is a better place to apply the skills we teach them than at summer camp. It’s also great for the kids. On the first day we have seen the boy at the pool, at the lake doing paddle boats, at the firing range, playing basketball, and watching some kind of show put on by the counselors. That was one day. So as barbaric as it may seem to send our kids away for that long, there is no other place they’d rather be every summer. And that’s a win/win in my book. –Mike Photo credits: Empty Nest originally uploaded by Kristine Paulus Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently under way. Remember you can get our Heavy Feed via RSS, with all our content in its unabridged glory. And you can get all our research papers too. Understanding and Selecting Data Masking Buyer’s Guide Use Cases Pragmatic Key Management Choosing Your Key Management Strategy The Four Enterprise Key Management Strategies Evolving Endpoint Malware Detection Controls, Trade-offs and Compromises Providing Context Incite 4 U Blue Horseshoe loves threat intelligence: For a long time, the reactive approach to doing security worked well enough. But the past few years, not so much. So large organizations, with significant security infrastructure, have started to try to learn a bit about attackers before they attack. Wait, what? You mean an intel type function, which requires investment? Yup. So not only are we seeing a re-emergence of vulnerability trackers like iDefense, but also some new business models based on using intelligence to deceive attackers (as described in Dark Reading), or buying up zero-days to share with the good guys (Aaron Portnoy’s new shop, Exodus Intelligence). We love content, and cannot be happier that we’re finally seeing security content valued on its own merits – not just as part of a widget. – MR The future of software: We see continuing evidence in support of the assertion made by Red Monk’s founder Stephen O’Grady: Large software firms will be making money with software rather than from software. And I totally agree with that statement! While the main thrust of the post is to argue that Microsoft’s share price has suffered from poor choices in direction and lack of innovation, the really interesting aspects highlight the competitive forces within the software industry. In part it’s the transition from desktop, to web app, to mobile app, but it’s also about growing adoption of Software as a Service (SaaS) and what I consider the real long-term direction for back office applications: Platform as a Service (PaaS). Many of his observations are solid, but the dim picture he paints for Microsoft and other software vendors fails to account for their mobile and PaaS efforts, or the pricing pressures these larger software vendors will inflict on the rest of the market when they start offering the entire back office stack – including hardware and service – for a single price. Apple’s – and to a lesser extent Google’s – more consumer-oriented cloud service models

Most folks have sights, sounds, and smells that remind them of positive experiences. Maybe from happy childhood days or a great time of life. For me, it’s the smell of the ocean. My Dad always had a boat and I remember some great times sailing on his catamaran as I was growing up. I didn’t spend a lot of time with my Dad growing up, so I loved being out on the water. And we’d bring a bucket of KFC with us, which was also a highlight. Strange, the things you remember 35 years later, eh? But that’s not all. I met the Boss at the beach and spent many a great summer on the Delaware beaches. What I remember of those summers anyway. So when we arrive at the beach for our annual family vacation, one of the first things I do is walk down to the beach, sit on a bench, and just breathe in the air. I’m instantly relaxed. In fact, when I travel I use a sound machine to eliminate the noise of strange hotels and weirdos in adjoining rooms. Surprised that I sleep to Ocean Waves Crashing? Yeah, me neither. Of course I am surrounded by family for an entire week, so that feeling is fleeting, but the beach calms me. It’s one of the things I really miss about living in Atlanta – the lack of easily accessible beaches. But before you conclude that I don’t like my family, that’s not true. As I was explaining to some folks at last week’s Atlanta NAISG meeting, it’s hard for me to be surrounded by people for an extended period of time. I’m pretty much a textbook introvert, and that means if I don’t get my private time, it can get messy. So even if I like the people I’m around (and I do like my family, well, most of them…), I still need some time to myself. So I have set expectations over 15+ years of marriage, that I usually peel off each morning for a cup of coffee and to catch up on some work. Yes, I’m one of those guys who works on vacation. Not a lot, maybe a couple hours a day. But enough to not fall terribly behind and to get my private time. And before you start thinking about my workaholic issues, remember that I actually enjoy what I do. Most of the time it doesn’t feel like work to me. As I sit in a coffee shop, about to head down to the boardwalk with the family this afternoon, I bang out the Incite and everything is perfect. Perfect doesn’t last and it doesn’t scale, so I’ll enjoy it while it’s here. Now where’s that sunscreen again? –Mike Photo credits: What’s That Smell? originally uploaded by ambergris Heavy Research We’re back at work on a variety of series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding and Selecting Data Masking Use Cases Management and Advanced Features Pragmatic Key Management The Four Enterprise Key Management Strategies Understanding Data Encryption Systems Evolving Endpoint Malware Detection Providing Context Behavioral Indicators Defending Data on iOS New Paper Malware Analysis Quant Final Paper Incite 4 U Or maybe build a cyber-guillotine: It seems the folks over in the UK did a study that concluded too much is spent on AV and not enough on prosecuting online criminals. Obviously no one is going to argue that spending more on controls with limited effectiveness is a plan for success. But will going after perpetrators with more urgency help? Will a few more midnight raids on high-profile hackers prevent the next generation of malcontents from joining fraud networks? I say it’s worth a try, though in an instant gratification environment it’ll be hard to prove the success of that approach in the average politician’s term of office. But even in places with severe consequences such as losing limbs, we still have desperate folks and bad apples committing crimes, consequences be damned. But I do think folks who could go either way might make the right decision if they have a better (and more tangible) understanding of what the wrong decision may mean. – MR Moley moley moley mole MOLE! (Apologies for the only slightly-obscure reference in the title). I hate debunking hyperbole that’s probably also true. Such as Mikko Hypponen’s assertion that the US government probably has moles in Microsoft. He doesn’t have a single shred of evidence to support his logical conclusion. Then again, I’d be shocked if various agencies from various countries haven’t placed people in all sorts of companies. Is there backdoor code hidden in products? Who knows… although places like Microsoft with strong software assurance programs are much less likely to let something get through unknowingly. This is a complex issue, and pure supposition doesn’t really advance the discussion. Let’s admit that none of us really know what we are talking about, and the people who do aren’t talking. – RM Attacks come and go, but the monoculture is eternal: Great analysis by Augusto (finally able to dig through my Instapaper archives on ‘vacation’) on the impact of Chrome becoming the most popular browser. Basically, like mobile operating systems, browsers are being built with better protection, and with 4-5 main players there is huge fragmentation. So attackers (wisely) continue to focusing on the lowest hanging fruit: widely deployed apps with huge market penetration. Right, like Adobe Flash and Reader. Augusto references Dan Geer’s seminal monoculture essay, and the point is exactly right. There will always be high market share products/devices/widgets which represent the most attractive targets. HTML 5 will provide standards and get rid of things like Flash, but to think you can’t attack the successors (including HTML5 in browsers) is naive. So the attacks will change. The motivations of attackers

As we wrap up our Evolving Endpoint Malware Detection series, it’s time to take it to the next level. We spent the first three posts on why detection is challenging, the types of behavioral indicators you should look for, and some additional data sources for added context to improve effectiveness and reduce false positives. Now we need to do something with the information we have gathered – basically to provide a verdict on whether something is malware or not, and if it is to block it. Alas, this is where you need to understand the trade-offs between different controls and decide what is best for your environment. The Malware Detection ‘Cocktail’ Let’s jump back in the time machine, to the good old days on the cutting edge of spam detection. Spammers got pretty good and evolved their techniques to evade every new defense the email security folks came up with. 3-4 years in, around 2004-2005, the vendors used 15-20 different tactics to determine whether any particular email message was unsolicited. Sound familiar? Malware detection has reached a similar point. Lots of techniques, none foolproof, and severe consequences for false positives. What can we learn from how the anti-spam vendors evolved? Aside from the fact that over time the effectiveness you can achieve and maintain is limited? The best approach for dealing with a number of different detection techniques is to use a cocktail approach. This involves scoring each technique (possibly quite coarsely), feeding it into an algorithm with appropriate weighting for each technique, and then determining a threshold that indicates something bad. Obviously the secret sauce is in the algorithm, and it’s the vendor’s responsibility to handle it. Yes, a lot of this happens (and should remain) behind the curtain, but we are trying to explain how the process works so you can be an educated shopper for new devices and products that claim to detect advanced malware. But we have also learned from the anti-spam folks that you cannot be right every time. So we need to plug our research on incident response and forensics, including Incident Response Fundamentals, React Faster and Better, and Network Security Analysis, to ensure you are prepared for the inevitable failures of even the best malware detection. Let’s take a look at the components and controls you will rely on: Traditional Endpoint Protection Thanks to your friendly compliance mandate and check-box-centric auditors, you still need endpoint protection – often called anti-virus. But most endpoint security suites encompass much more than traditional anti-virus signatures, including some of the tactics we have discussed in this series. Obviously with 15-20 players remaining in this market, the quality of detection is all over the map and quite dynamic. Each vendor goes through ups and downs in detection effectiveness. So how do we recommend choosing an endpoint suite? That could be an entire series itself, but suffice it to say that the effectiveness of detection probably shouldn’t be the most important selection criteria. It is too hard to verify, and they each do a decent job of finding known malware, and a mediocre job of finding the advanced attacks we have focused this series on. You need endpoint protection for compliance; so you should minimize price, ensure that agents can be effectively managed (especially if you have thousands of endpoints), and make sure that the agents are as thin as possible. It’s bad enough having to use a control that doesn’t work as well as it needs to, but crushing device performance adds insult to injury. By all means, check the latest comparative effectiveness rankings, but understand they go out of date pretty quickly. Network-based Malware Detection We believe that the earlier you can detect malware and block it, the less mess you will inevitably have to clean up. That means working to eliminate attacks at the perimeter or even in the cloud before an attack ever gets near your desktop. How can you do this? A new type of network security device scrutinizes ingress traffic to detect malware files before they enter your corporate network. We expect this capability to become a feature of pretty much every perimeter device over time, but for now you will need to deal with specialist companies and separate devices. We published some research on this earlier in 2012; so check out Network-based Malware Detection for details on the approaches, limitations, and roles of these devices in your network security strategy. Advanced Endpoint Controls We all understand that traditional endpoint security suites leave too much attack surface exposed to advanced attackers, depending on your pain threshold (how likely you are to be targeted by an advanced attacker). An additional level of endpoint protection may be necessary. So let’s discuss some of these alternatives – which detect and block based on behavioral indicators, track file trajectories and proliferation, and/or allow authorized executables. The first category of advanced endpoint control is really next-generation host intrusion prevention (HIPS) technology. As we have mentioned, HIPS looks for funky behavior within the endpoint, but has lacked sufficient context to be truly effective. A few technologies have emerged to address these concerns, leveraging the kind of malware detection cocktail discussed above. This analytical approach to what’s happening on the endpoint, and applying proper context based on application and specific behavior can reduce false positives and improve effectiveness. These tools impact user experience by blocking things (which is usually a good thing), but need to be put through proper diligence before broad deployment. But you do that with all new technologies anyway, right? As we talked about in Providing Context, malware proliferation analytics can be very useful for tracking the spread of malware within your environment, securing the origin point, and reducing the possibility of constant reinfection. So we are fans of this kind of analysis as another layer of defense. You have two main options for gathering the information for this kind of analysis: either on the endpoint or within the network. Endpoint solutions provide a thin agent which