Securosis

Research

Network-based Malware Detection: Identifying Today’s Malware

As we discussed in the Introduction to the Network-based Malware Detection series, traditional approaches to detecting malware cannot protect us any more. With rapidly morphing executables, increasingly sophisticated targeting, zero-day attacks, and innovative cloaking techniques, matching a file to a known bad AV signature is simply inadequate as a detection mechanism. We need to think differently about how to detect these attacks, so our next step is to dig into each of these specific tactics to figure out exactly what a file is doing and determining whether it’s bad. Sandboxing and Evolving Heuristics We are talking about network-based malware detection, so we will assume you see all the streams coming into your network from the big bad Internet. Of course this depends on architecture, but let’s assume it for now. With visibility into all the ingress traffic, the perimeter device can re-assemble the files from these streams and analyze them. There are two main types of file-based analysis: static and dynamic. Static testing is basically taking a look at the file and looking for markers that indicate malware. This generally involves looking for a file hash which indicates a known bad file – effectively a signature – which may identify a file packer and function calls that indicate badness. Of course network-based static testing provides limited analysis (and we wouldn’t want to bet on its findings) – especially given that modern malware writers encrypt and otherwise obscure what their files do. Which means you really need dynamic analysis: actually executing the file to see what it does. Yes, this is playing with live ammo – you need proper precautions (or to make sure your device includes them). Dynamic analysis effectively spins up an isolated, vulnerable virtualized system (the proverbial sandbox) to host and execute the file; then you can observe its device and network impact. Clear indications of badness include configuration changes, registry tampering, installing other executables, buffer overflows, memory corruption, and a zillion other bad things malware can do. Based on this analysis, the perimeter gateway flags files as bad and blocks them. Given the real-time nature of network security, it not feasible to have a human review all dynamic analysis results, so you are dependent on the detection algorithms and heuristics to identify malware. The good news is that these capabilities are improving and reducing false positives. But innovative malware attacks (including zero-days) are not caught by perimeter gateways – at least not the first time – which is why multiple layers of defense still make a lot of sense. What’s the catch? Clearly sandbox analysis is less effective for advanced malware which is VM-aware. The malware writers aren’t dummies, so they now check whether the OS is running in a virtual environment and mask accordingly – typically going dormant. Obviously this isn’t the primary driver for virtualized desktops, but it is another upside to consider. Network analysis Another aspect of dynamic malware analysis is profiling how the malware leverages the network. Remember back to the Securosis data breach triangle: without exfiltration there is no breach. Any malware must rely on the network, both to get commands from the mother ship and to exfiltrate the data. So the sandbox analysis tracks what networks the malware communicates with as another indication of badness. But how can these network-based devices keep track of the millions of domains and billions of IP addresses which might be command and control targets? The good news is that we have seen this movie before. Reputation analysis has evolved to track these bad IP addresses and networks. The first incarnation of reputation data was URL blacklists maintained by web filtering gateways. That evolved to analysis of IP addresses, predominately to identify compromised mail relays for anti-spam purposes. Now that model been has extended to analyzing DNS traffic to isolate command and control (C&C) networks as they emerge. Malware writers constantly test malware and new obfuscation approaches for their C&C traffic. Similar heuristic approaches can identify emerging C&C targets by analyzing DNS requests, exfiltration attempts, and network traffic. For example, if an IP address is the target of traffic that looks an awful lot like C&C traffic, perhaps it’s an emerging bot master. It’s not brain surgery, and this type of analysis is increasingly common for network security gateway vendors. Obviously, to keep current, any vendor providing this kind of botnet tracking needs access to a huge amount of Internet traffic. So if your vendor claims to track botnets, be sure to investigate how they track C&C networks and substantiate their claims. Why is isolating C&C traffic important? It all gets back to the detection window. Even with network-based malware gateways, you will miss malware on the way in. So devices will still be compromised, but obfuscated communications to known C&C targets are a strong indication of pwned devices. This may not be definitive, but it’s an excellent place to start, and a strong signal to work from. Outside of C&C traffic, analyzing the network characteristics of malware also provides insight into proliferation. How does the malware perform reconnaissance and subsequently spread? What kind of devices does it target? We are discussing this analysis in great detail in our Malware Analysis Quant research, and of course network-based analysis is inherently limited, but it is worth mentioning (again) the wealth of information you can get from file-based malware analysis. Wherefore art thou, malware? The ultimate goal of any malware analysis is to be able to profile a malware file and then block it when it shows up again. That’s what AV did in the early days, and what your malware detection defense must continue to do. So that’s the what, but not necessarily the where. When designing your security architecture you need to determine the best place to look for these malware files. Is it on the devices, within content security gateways (web/email), on the network perimeter, or even in the cloud? Of course this isn’t an either/or question, but there are pros and cons to each

Share:
Read Post

Network-Based Malware Detection: Introduction [new blog series]

Evidently this is the month of anti-malware research for us – I’m adding to the Malware Analysis Quant project by starting a separate related series. We’re calling it Network-based Malware Detection: Filling the Gaps of AV because that’s what we need to do as an industry. Current State: FAIL It’s no secret that our existing malware defenses aren’t getting it done. Not by a long shot. Organizations large and small continue to be compromised by all sorts of issues. Application attacks. Drive-by downloads. Zero-day exploits. Phishing. But all these attack vectors have something in common: they are means to an end. That end is a hostile foothold in your organization, gained by installing some kind of malware on your devices. At that point – once the bad guys are in your house – they can steal data, compromise more devices, or launch other attacks. Or more likely all of the above. But most compromises nowadays start with an attack dropping some kind of malware on a device. And it’s going to get worse before it gets better – these cyber-fraud operations are increasingly sophisticated and scalable. They have software developers using cutting-edge development techniques. They test their code against services that run malware through many of the anti-malware engines to ensure they evade that low bar of defense. They use cutting-edge marketing to achieve broad distribution, and to reach as many devices as possible. All these tactics further their objective: getting a foothold in your organization. So it’s clear the status quo of anti-malware detection isn’t cutting it, and will not moving forward. The first generation of anti-malware was based on signatures. You know: the traditional negative security model that took a list of what’s bad and then looked for it on devices. Whether it was endpoint anti-virus, content perimeter (email, web filtering) AV, or network-based (IDS/IPS), the approach was largely the same. Look for bad and block it. Defense in depth meant using different lists of signatures and hoping that you’d catch the bad stuff. But hope is not a strategy. The value of pattern matching You may interpret the previous diatribe as an indictment of all sorts of approaches to pattern matching – the basis of the negative security model across all its applications. But that’s not our position. Our point is that these outdated approaches look for the wrong patterns, in the wrong data sources. We need to evolve our detection tactics beyond what you see on your endpoints or on your networks. We need to band together and get smarter. Leverage what we see collectively and do it now. It’s an arms race, but now your adversaries have bullets designed just to kill you. But a bullet can only kill you in so many ways. So if you can profile these proverbial ways to die you can look for them regardless of what the attack vector looks like. Here’s where we can start to turn the tide, because all this malware stuff leaves a trace of how it plans to kill you. Maybe it’s where the malware phones home. Maybe it’s the kind of network traffic that is sent, its frequency, or an encryption algorithm. Maybe it’s the type of files and/or the behavior of devices compromised by this malware. Maybe it’s how the malware was packed or how it proliferates. Most likely it’s all of the above. You may need to recognize several possible indicators for a solid match. The point (as we are making in the Malware Analysis Quant project) is that you can profile the malware and then look for those indicators in a number of places across your environment – including the network. We have been doing anti-virus on the perimeter, within email security gateways, for years. But that was just moving existing technology to the perimeter. This is different. This is about really understanding what the files are doing, and then determining whether something is bad. And by leveraging the power of the collective network, we can profile the bad stuff a lot faster. With the advancement of network security technology, we can start to analyze those files before they make their way to our devices. Can we actually prevent an attack? Under the right circumstances, yes. No panacea Of course we cannot detect every attack before it does anything bad. We have never believed in 100% security, nor do we think any technology can protect an organization from a targeted and persistent attacker. But we certainly can (and need to) leverage some of these new technologies to react faster to these attacks. In this series we will talk about the tactics needed to detect today’s malware attacks and the kinds of tools & analysis required, then we’ll critically assess the best place to perform that analysis – whether it’s on the endpoints, within the perimeter, or in the ‘cloud’ (whatever that means). As always, we will evaluate the pros and cons of each alternative with our standard brutal candor. Our goal is to make sure you understand the upside and downside of each approach and location for detecting malware, so you can make an informed decision about the best way to fight malware moving forward. But before we get going, let’s thank our sponsor for this research project: Palo Alto Networks. We can’t do what we do (and give it away to you folks) without the support of our clients. So stay tuned. We’ll be jumping into this blog series with both feet right after the Christmas holiday. Share:

Share:
Read Post

Incite 12/21/2011: Regret. Nothing.

Around the turn of the New Year, I always love to see the cartoon where the old guy of the current year gives way to the toddler of the upcoming year. Each new year becomes a logical breakpoint to take stock of where you’re at, and where you want to be 12 months from now. Some of us (like me) aren’t so worried about setting overly specific goals anymore, but it’s a good opportunity to make sure things are moving in the right direction. I recently met with a friend who knows change is coming. Being a bit older than me, with kids mostly out of the house, this person is somewhat critically evaluating daily activities and will likely come to the conclusion that the current gig isn’t how they’d like to spend the next 20 years. But you know, for a lot of people change is really hard. It’s scary and uncertain and you’ll always struggle with that pesky what-if question. So most folks just do nothing and stay the course. I try my best to not look backwards but sometimes it’s inevitable. I still get calls from headhunters every so often about some marketing job. About two minutes after I submit this post, I’m sure Rich will request that I change my phone number. But not to worry, fearless leader, most of the time the companies are absolute crap. To the point where I wouldn’t let any of my friends consider it. Every so often there is an interesting company, but all I have to do is recall how miserable I was doing marketing (and I was), and I decline. Sometimes politely. After 20+ years, I’ve figured out what I like to do, and I’m lucky enough to be able to do it every day. Why would I screw that up? But I fear I’m the exception, not the rule. You don’t want to have regret. Don’t look back in 2020 and wonder what happened to the past decade. Don’t let the fear of change stop you from chasing your dreams or from getting out of a miserable situation. I have probably harped on this specific topic far too often this year, but the reality is that I keep having the same conversations with people over and over again. So many folks feel trapped and won’t change because it’s scary, or for any of a million other excuses. So they meander through each year hoping it gets better. It doesn’t, and unfortunately many folks only figure that out at the bitter end. When I look back in 10 years, I’ll know I tried some new stuff in 2012. Some of it will have worked. Most of it won’t. But that’s this game we call life and I live mine without regret. -Mike Photo credits: “regret. nothing.” originally uploaded by Ed Yourdon Research Update: We’ve launched the latest Quant project, digging deeply into Malware Analysis. Given the depth of that research, we’ll be posting it on the Project Quant blog. Check it out, or follow our Heavy Feed via RSS. Incite 4 U In the beginning: My start in security was completely accidental. I was in Navy ROTC and as a fundraiser we all worked security for home football games. Technically I should have been pouring beer or cleaning floors, but since I was in color guard the guy in charge of security got confused and treated me like an upperclassman. With those haircuts we all looked the same anyway. Three years later I was the guy in charge, and weirdly enough that experience (plus some childhood hacking) kicked off my security career after I started in IT as an admin and (later) developer. So I have no direct experience of what it takes to get started in security today, but @fornalm is about to graduate with a degree in computer security and talks about the challenges and opportunities he faces. This is great reading even for old hands, as it gives us an idea of what it’s like to start today, and perhaps ways to help bring up some young blood. We can certainly use the help. – RM Silent, but deadly: I’m a bit surprised that there wasn’t more buzz and/or angst about Microsoft’s decision to silently update IE in 2012. That’s right, the software will update in the background and you (most likely) won’t know about it. Google does this already with Chrome, so it’s not unprecedented. Enterprise customers will still be able to control updates in accordance with their change management processes. On balance, this is likely a good thing for all those consumers who can’t be bothered to click the button on Windows Update. Obviously there is some risk here (ask McAfee about the challenges of a bad update), but given the hard unchanging reality that bad guys find the path of least resistance – which is usually an unpatched machine – this is good news. – MR Browser Bits: Interesting tidbits on Twitter this week. Joe Walker has a good idea to combat self-XSS to help protect against socially engineered cross site scripting attacks. In essence, the protection is built into the browser, and enabled with a configuration flag. With XSS a growing attack vector, this would be a welcome addition to protect the majority of users without major effort. And in case you missed it, here is a clever little frame script to detect whether the browser has NoScript enabled. Check the page source to see how it works. It goes to show that there are ways marketing organizations can learn about you and browser, as most protection leaves fingerprints. – AL Why compete in the field, when you can compete in the courts? It was inevitable, but Juniper is the first to sue Palo Alto based on patents relating to “firewall technology used to protect communications networks from intrusion.” Yeah, I’m sure they could have similar claims against other network security companies. You know, small companies like Cisco, Check Point, and

Share:
Read Post

Introducing the Malware Analysis Quant Project

Yep, we’re launching another Quant research project – this time on Malware Analysis. Consider it our little holiday present to all of you. Check out the introduction on the Quant blog. And you can follow along through our Heavy Research feed. We love these projects, where we can get so much deeper into how security can optimally work. Remember to check out the posts and contribute your opinions. That makes our research better. Share:

Share:
Read Post

New White Paper: Applied Network Security Analysis

We have been saying for years that you can’t assume your defenses are sufficient to stop a focused and targeted attacker. That’s what React Faster and Better is all about. But say you actually buy into this philosophy: what now? How do you figure out the bad guys are in your house? And more importantly how they got there and what they are doing? The network is your friend because it never lies. Attackers can do about a zillion different things to attack your network, and 99% of them depend on the network in some way. They can’t find another target without using the network to locate it. They can’t attack a target without connecting to it. Furthermore, even if they are able to compromise the ultimate target, the attackers must then exfiltrate the data. So they need the network to move the data. Attackers need the network, pure and simple. Which means they will leave tracks, but you will see them only if you are looking. We’re happy to post this paper based on our Applied Network Security Analysis series. We would like to thank Solera Networks for sponsoring it. Without our sponsors we couldn’t provide content on the blog for free or post these papers. Download Applied Network Security Analysis: Moving from Data to Information If you want to see the posts that we based the paper on, here are the links: Introduction Collection + Analysis = A Fighting Chance The Forensics Use Case The Advanced Security Use Case The Malware Analysis Use Case The Breach Confirmation Use Case and Summary Share:

Share:
Read Post

Incite 12/14/2011: Family Matters

There are a couple calls you just don’t want to get. Like from the FBI when you’ve had some kind of breach and your secret recipe is listed on eBay. Or from the local cops because your kids did something stupid and you can only hope your umbrella policy will cover it. But those are relatively trivial in the grand scheme of things. I got a call Friday morning that my Uncle Mac had passed away suddenly. I can’t say we were very close, but he met my aunt when I was a kid, and has been present at good times and bad over the past 35 years. Mac was a bear of a guy. Big and loud (okay, maybe it’s a family trait), but with a heart of gold and a liver of steel, given the crappy vodka he drank. He had the cleaning contract at West Point stadium for football games, so I grew up with a gas powered blower on my back, cleaning up football messes many Saturdays of my youth. He worked hard and got along with folks from all walks of life. He passed doing what he did most mornings, sitting in his big chair drinking his morning coffee. He made a peaceful transition to the next thing, and for that we’re all grateful. So my brother and I woke early on Sunday to travel to NY for the memorial service. A whole bunch of my family was there. Obviously my first cousins were there – Mac was their father figure. Most of my Dad’s first cousins (and he has a lot) represented, and a few of their kids showed as well. Even our own family Urkel showed up. Yes, you know every family has one and mine is no exception. It was great to see everyone (even Urkel), although it seems we only get together when something bad has happened. Soon enough there will be weddings and the like to celebrate and I look forward to convening on happier occasions. We even threatened to organize a family reunion. The logistics of pulling that off would be monumental, with family members spread across the country, but it’s worth trying. It reminded me that family matters, and as busy as life gets I shouldn’t forget that. Yet there are also family matters that a sudden death presents. Matters all too easy to sweep under the rug. You know, those economic discussions that rival a root canal. My aunt had little visibility into my uncle’s business dealings, and now she’s got to both find and figure out what needs to happen to wrap his business up. He also handled much of the bill paying. Now she has to figure out who is owed what and when. Your lawyer probably talks about estate planning (if you have an estate to plan) and tells you to make sure your stuff is properly documented, but this is a clear reminder that I have work to do. As much as you want to plan, you never know when your time is up. It’s hard enough for the survivors to deal with the emptiness and grief of the loss, especially a sudden loss. To add financial uncertainty due to poor documentation seems kind of ridiculous. Obviously no one wants to think or talk about their own mortality, but it’s not a bad idea to document the important stuff and let the folks know where to find what they need, and show your care for them. And remember to spend time remembering your lost family member. Tell stories about what a good person they were and funny stories about their quirks and crazy habits. Tell stories of their mistakes – no one is perfect. But most of all appreciate someone’s life in its entirety. The good, the bad, and the ugly. Then hold onto the good and let all the other stuff go. That’s what we did, and it was a great and fitting farewell to my Uncle Mac. -Mike Photo credits: “s. urkel jerk by alex pardee” originally uploaded by N0 Photoshop Incite 4 U Research timelines measured in decades, not zero days: In an instant gratification world, no one gets more instant gratification than computer attackers. Send phish, create botnet, do bad things quickly. Government can and should drive initiatives to address this gap, and help supplement private sector and university efforts. In the US those efforts are moving, as evidenced by the recent road map of cyber-security (that term still makes me throw up in my mouth a little) research priorities, as issued by the Office of Science and Technology Policy. But most security folks will ultimately be disappointed by any research efforts in our space. Why? Because we think in terms of zero days and reacting faster. Basic research doesn’t work like that. Those timelines are years, sometimes decades. Keep that in mind when assessing the success of any kind of basic research. – MR Worry when, on Android? Tom’s Hardware says Android Security: Worry, But Don’t Panic, Yet. So if not now, when? Google is in an apps arms race: They’re not slowing down to vet applications so we see a lot of malicious stuff. We know that anti-virus and anti-malware doesn’t work on mobile platforms. We’re not going to ride the same virus/patch merry-go-round we did with PCs – that’s clearly a failed security model. But so far we’re not doing much better – instead we have a “find malware/remove app” model. The only improvement is that users don’t pay for security bandaids. If Android does not fix security – both OS issues and app vetting – we’ll have Windows PC security all over again. But this will be on a much broader scale – there are far more mobile devices. The speed at which we install apps and share data means faster time to damage. So perhaps don’t worry today – but as a consumer you should be worried about using these devices for mobile payments,

Share:
Read Post

Pontification Alert: Upcoming webcast appearances

I figure our lack of blogging has created a vacuum of mostly-useless security snark and babble. Who else can put so little content in so many words? But all is not lost – we continue banging away building content for the Nexus. Thanks to a few of our excellent clients, you have the opportunity to hear me ramble on about two of my favorite topics this week. If you need some excuse to get out of your root canal appointment, need to postpone that audit findings meeting, or perhaps just choose not to grovel for 2012 budget on Wednesday or Thursday afternoon, do a little clicky-clicky and join me for the following webcasts… Log Data is Not Enough! How to Supplement Logs with Network Security Analytics: On Wednesday 12/14 @ 1 PM ET, I’ll be joined by Solera Networks as we discuss how to react faster and better to attackers. I’ll be covering a lot of the content in our Applied Network Security Analysis blog series. Register here. Network Security – Measuring the Immeasurable: On Thursday 12/15 @ 2 PM ET, I’ll be joining RedSeal Networks to talk about security metrics and how to prioritize your security efforts based on data, as opposed to making stuff up. This event will be a more interactive discussion of some of the concepts discussed in the Fact-based Network Security paper. Register for the event here. There will be plenty of time during both events to ask questions. So hopefully you’ll be able to dial in and virtually heckle me on Twitter during the event. Looking forward to seeing you all at both these events. Share:

Share:
Read Post

Incite 12/6/11: Stinky

I have a younger brother. It was just the two of us (and Mom) growing up, so I find myself ill suited to dealing with girl stuff. Thankfully the Boss is wonderful at working with the girls on how to deal with bullies/mean girls, and this physical maturation process that seems to happen to girls. One day they are all cute, young and innocent; the next day you’re shopping for bras. Thankfully the Boss handles that duty as well. I’d favor the model that is bolted onto their respective rib cages, and don’t get me started on chastity belts… But when it comes to the Boy, I’m all over that. He’s a pretty active kid. Most days he likes to head outside with his buddies in the cul-de-sac, and plays some kind of sport. For years he came back in, washed his hands and was good to go. Not so much any more. Over the summer we had a few situations where you could smell him way before he got back into the house. That’s when we realized our little boy is growing up, and after enough activity he smells like a locker room. So we had a little chat. I started with the importance of smelling good because the girls don’t like stinky boys. He blurted something out about cooties, so maybe that didn’t resonate as well as I hoped. Next I tried to explain about being considerate to the rest of his family, who shouldn’t be subjected to stink-o-rama. Yeah, that didn’t go over well either – he’s still enamored with the pull my finger game. Then I realized that most boys want to emulate their Dads. I took a quick run into my bathroom and emerged with the prize: a new stick of deodorant. He was very excited to use my deodorant and was pretty consistent about using it. In fact, the Boy was sitting next to the adult sister of one of our friends (no, this isn’t some Penn State story) and she noticed he smelled pretty OK, especially for an 8 year old. So she asked him why he smelled good, and he deadpanned, “Because I wear deodorant.” Then he went right back to his video game. Out of the mouths of babes. I thought he was in a good place regarding hygiene, until this past weekend. I took him over to a friend’s house to watch the football games on Sunday. He literally played football outside for about 4 hours, and by the time he got back inside he smelled like a compost pile. I was a little surprised, and asked whether he put his deodorant on. Of course, he gave me the 8-year old “oh well” shrug. I reminded him of the importance of not smelling like crap, and figured he was ready for the next step in his man training. Yup, I taught him the arm pit sniff. Now he should be able to tell, proactively, when it’s time for a deodorant refresh. But I’m not teaching him everything yet. I’ll wait a little while to introduce the underwear sniff test. That’s only for advanced students. -Mike Photo credits: “Warning: Politician Ahead!!!” originally uploaded by The Rocketeer Incite 4 U Security company does (some) good: As a skeptic it’s hard to find anything good in security, but let’s tip our hats to Barracuda. They are running a campaign to donate meals for children during the holiday season. Working with the United Nations World Food Programme to fight hunger, Barracuda will donate meals for every user that participates. How do you get involved? Follow @BarracudaLabs on Twitter, ‘Like’ them on Facebook, or just install their free Profile Protector, and they will donate a meal to the UN programme. It’s a no-cost way to donate food through the holidays! – AL The APT who shall not be named: Kudos to Bob Bragdon for slaying the sacred cow of political correctness and making (in print) the connection between the ‘APT’ and China. We have actually been saying for a while that many of the persistent attackers out there are state-sponsored, and that state is China, all while comparing them to Voldemort. What’s funny to me is the folks who use APT to justify a logical evolution of security. Like Jon Oltsik, who jumped on the APT hype train and did a survey. Magically enough, users told him existing tools aren’t working very well. And in terms of the future view, what end-user doing anything today wouldn’t say “Security tools need to be smart enough to detect and react to suspicious behavior, anomalous activities, and attacks in progress.” That’s ground-breaking! But here’s the newsflash: this evolution has nothing to do with APT. Simple detection has been ineffective for years. And even if we get to this so-called ‘smart’ security tool, I’ll take the Red Army every day of the week. All they have is time and money, so they will get in. Though maybe Bob B should try out this SkyNet contraption on his home network, since Voldemort is no doubt coming for a visit. – MR Coding conundrum: IBM is using a developer scorecard to measure the productivity of its developers. That’s good. And it sucks. As pointed out by Neil McAllister on his blog metrics typically devolve into measuring lines of code, which does more harm than good. But here’s the conundrum: all metrics suck, but you you need them regardless. Any individual metric only shows a fragment of the truth, and there is no ‘best’ metric. By themselves, most development metrics I have used were misleading to some degree, so I used different collections to show trends and warning flags. I used them as a cue to dig deeper and understand why some metrics were skewing in a certain direction. Use metrics, but don’t assume what they indicate without some digging. I applaud IBM for quantifying productivity, but warn users to be careful how they use any metrics in practice. – AL Don’t

Share:
Read Post

Incite 11/30/2011: An Introverted Thanks

As with most things, I have mixed feelings about the holidays. Who doesn’t enjoy a few days off to recharge for the end-of-year rush? But the holidays also mean family, and that’s a good thing in limited doses. I’m one of the lucky few who gets along with my in-laws. They have an inexplicably high opinion of me, and who am I to say they are wrong? But by the fifth day of being surrounded by family over Thanksgiving weekend I was fit to be tied. I spent most of Saturday grumbling on the couch, snapping at anyone who would listen. And even those who didn’t. Thankfully my family ignores me, and suggested I stay back when they went to the fitness center pool. I was much better when they got back. I was able to recharge my social batteries – I just needed a little solitary confinement. Why? Because I’m an introvert – like all introverts, the longer I’m around people the harder it is for me to deal. I found this great guide to dealing with introverts from The Atlantic, and it’s right on the money. I like to say I’m anti-social but that’s really not the case. But I only enjoy people in limited doses. I remember reading, a few years back, Never Eat Alone, a guide to networking. There is a lot of great stuff in that book, which I will never do. I actually like to eat alone, so most days I do. That’s really what I’m thankful for this year. I have a situation where I can be around people enough, but not too much. For me that’s essential. But that’s not all I’m thankful for. I’m thankful for all the folks who read our stuff, who have bought my book, and who show up to hear us pontificate. When I explain what I do for a living most folks say, “really?” For the record, nobody is more surprised than me that I can write and speak every day and pay my bills. It’s really a great gig. So thank you for supporting our efforts. And I’m also thankful that the important people in my life tolerate me. Obviously Rich and Adrian are getting used to my, uh, quirks. They haven’t voted me off the island. Yet. My kids are growing into wonderful people despite their genetically similarity to me. They continue to amaze me (almost) daily, and usually in a good way. But most of all, I have to thank the Boss. We just celebrated our 15th year of marriage, and although there have been a number of great days in my life, the day we met is in the Top 4. She holds it all together, keeps me grounded, and lets me, well… be me. She has never lost faith, no matter how bumpy things got. I can only hope my kids are lucky enough to find someone who supports them like The Boss supports me. Yes, I need my alone time, but without my partners (in business and life) I would be nowhere. Now is the time to remember that. So think about all those folks who allow you to do your thing, and thank them. Especially a week after Thanksgiving – after they thought you forgot. Got to keep them on their toes, after all. -Mike Photo credits: “Thank You Trash…” originally uploaded by Daniel Slaughter Incite 4 U Can we call this a false positive? The major media was buzzing over the short pre-holiday week with reports of a foreign cyber-attack that took down a water pump in Springfield IL. Too bad it didn’t happen – it was an authorized contractor trying to troubleshoot stuff over a connection from Russia (where the guy was traveling on business). What perplexes me is how such a volatile piece of news could get out without corroboration or investigation. Who’s at fault here? The Illinois Statewide Terrorism and Intelligence Center, or the so-called expert who alerted the media? Probably both, but this kind of Chicken Little crap doesn’t help anything. If a water pump goes down, what is the danger? It’s not like the water supply was tampered with. At some point, a cyber-attack will happen. Let’s hope there is more and better information next time – and that it turns out to be as harmless as this incident. – MR No app for that: Good on Chris DiBona for calling anti-virus vendors “charlatans and scammers”. Your average mobile phone user does not know – and does not want to know – the differences between viruses and malware. But developers know the risk vector is not viruses – it’s malicious apps that users willingly install because they don’t know any better. And these bad apps behave like every other app, so it’s not like signature-based detection can help! Of course that does not prevent AV vendors from spewing FUD and selling their wares to the unsuspecting public. It’s refreshing to see a developer sound off without being muzzled by the HR and legal teams, because he is right – AV will not provide any greater protection than what your platform provider offers by yanking malicious apps from their app store. – AL Burn the house down: Before I go any further, I do think the hack these researchers came up with attacking printers is interesting. They figured out that the firmware updates weren’t signed, and were merely sent over as part of a print job. There’s a lot of hyperbole on this one that I will ignore, but printers really are something you should be paying attention to – especially multifunction devices (MFDs). I co-authored a Gartner note about these risks back in the day – among other things they often have insecure web servers built in, keep copies of everything faxed or printed on local hard drives, etc. And a lot of you probably outsource your printer support – like the client who told me their vendor insisted on full VPN access

Share:
Read Post

Occupy Work

I don’t get this #occupy stuff. Maybe that’s an indication that I’m old. Maybe it means I’m selfish. It could be a sign that I have a lot of competing priorities and they don’t leave me a lot of time. But most of all, it’s because I don’t get it. Really. Should we be pissed off that parasites on the system always seem to walk away with millions of dollars for little added value? Yes. Could we be frustrated with a US governance model that spends more time bickering than getting anything done, while squandering trillions of dollars. Absolutely. But in my best NY accent: “Whaddya gonna do?” I plan to remain intentionally tone deaf regarding all this stuff. Again, maybe that makes me selfish. Maybe I’m more interested in my own comfort and lifestyle than the tens of millions of folks who are screwed by the system. But here is the difference: I have worked for everything I’ve achieved. Everything. Sure I graduated from an Ivy League engineering college. But I got in based on my achievements in high school with very little parental guidance or oversight. My Mom was too busy trying to put food on the table, working in a crappy retail pharmacy, to push me to do my homework. And at the end of the day, my education helped me get my first job. That’s it. Sure I could get pissed off that dumb guys I grew up with joined the right investment banks at the right time and make 7 figures a year now. I could get angry that kids right out of mediocre engineering programs (but with decent connections) end up at one of the Silicon Valley start-ups and win the Google lottery, pulling millions out as cogs in the wheel. Does that mean we should “Occupy Sand Hill Road” and get pissed at how high-tech financiers engineer value from the (at times) unholy alliance between big IT, storied entrepreneurs, and the puppet master VCs that seem to pull all the strings? What’s the use of that? I choose to get up and (as Chris Nickerson says) “do work.” The only thing I can control is how hard I work. I can’t control what anyone else does. I can’t control market swings. I can’t control whether the light of good fortune shines on me at some point. I can (and do) control what I do. And that’s how I’ll rail against the system. I’m totally on board with Larry Walsh’s thoughts on innovation and entrepreneurship. Larry’s quote here is exactly right: “I’m protesting today. I’m calling it “Occupy Work.” I pledge to sit at my desk, service my clients, be productive and innovative, and contribute to the economy. Oh, and I will do it with humility.” He makes a number of great points. Clearly the system(s) need reform. But what is the value of sitting in a park? How is that aiding the collective? How does taking a shot of pepper spray (however appalling) bring light to the issues the protesters want to discuss? It turns the story from corruption and greed to brutality. Obviously we all need to act in a dignified manner (especially law enforcement), but it seems the core message of fighting greed is lost. I saw an old friend last week, and we did get philosophical for a short time. He asked me whether I was scared for the world my children were growing up in. I answered with a resounding no. I still believe that I live in a country where hard work will be recognized. I believe that my kids can become whatever they want, and with enough effort can achieve their dreams. Lots of folks overcome long odds every day to prosper through the force of their own will, regardless of their circumstances. I’m teaching the kids to be self-sufficient and not hope a big company will support and provide for them. Pensions are not guaranteed by a bankruptcy court. Nor is healthcare coverage. I believe in entrepreneurship. I believe in creating your own opportunities, not waiting for someone to give something to you. I believe in the capitalist system and although clearly imperfect, it’s the best thing out there. Maybe I’m naive. Maybe I’m stupid. But I still believe that as long as I focus on what I need to get done every day, things will work out in the end. So rather than spending my time in a pup tent in some public park, like Larry I will occupy work. We all have choice about what we do on a daily basis. The folks Occupying whatever seem to think their approach will result in positive change. Maybe they are right. But either way, I figure the only great equalizer in a capitalist system is hard work. And on this week of Thanksgiving in the US, I’m thankful that I live in an area where I can control my own destiny, which is what I plan to do. Happy Thanksgiving everyone. If you celebrate, enjoy the holiday and be safe. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.