Research

Time is a funny thing. You don’t really think about it until it’s running out. Deadlines. Mortality. It’s all the same. Time just sneaks up on you, and then it’s gone. Yeah, I’m a little nostalgic this week because my birthday is Friday. And yes, there is some fodder for you social engineers out there. The kids get more excited about my birthday than I do. They want to know about cakes, parties, and the like. Personally, I’d take a day to sleep in, but who has time for that? There are things to do and places to be. We at Securosis hit a milestone this week, unveiling the Securosis Nexus on Monday night. Honestly, I’m both exhilarated and terrified. We (especially Rich) have spent many hours conceiving, building, and populating our new online research ‘product’. I joke that building the Nexus took twice as long and cost 3 times as much as we expected. I’m probably understating it. But all of us have built software before, so we knew what to expect. What’s a little different this time is that we funded the project out of cash flow. So every check we wrote to our developers and designers could have been used to pay my mortgage. That really makes the investment real. Rich, Adrian, and I aren’t really gamblers. We all go to Vegas a few times a year for conferences, and you’ll find us hanging out at a bar – not the tables. We live conservative lifestyles (even if Adrian drives a Corvette). On the other hand, we’re making a huge bet folks who don’t have the word Security in their titles will pay for impactful, actionable security research. And that even some folks who do have Security in their titles will find enough value to make a modest investment. But what if we are wrong? It’s not like anyone has ever successfully delivered a research product to this market segment. Are we nuts? Compound that with the fact that we have built a pretty good business. We’re very busy writing blog series, pontificating, and doing strategy work, all of which I love. So why take the risk? Why make the investment? Why not just sit on our hands, keep pontificating, and enjoy the lifestyle? I’ll tell you why. Because time waits for no one. Rich and I decided back in 2006 that this market opportunity was real, and we believe it. Just because no one has tried it before doesn’t mean we are wrong. We want to build leverage into our business and be bigger than just Rich, Mike, and Adrian showing up and waving our hands. Ultimately we want to make a difference and believe the Nexus provides a great opportunity to help folks who can’t afford Big IT research. But we aren’t kidding ourselves – it’s scary. Fear is no excuse. It won’t hold us back. The train has left the station and now we will see where it takes us. The only thing we can’t get is more time, so we plan to make the most of it. Check out the Nexus. Sign up for the beta. Help us make it great. –Mike Photo credits: “Time” originally uploaded by Jari Schroderus Share:

It must be SIEM acquisition Tuesday. McAfee hit first by announcing their expected deal with Nitro Security. But then IBM surprised pretty much everyone by acquiring Q1 Labs. Don’t blink or you may miss another 2-3 SIEM/Log Management vendor acquisitions. Obviously we have been talking about consolidation in the SIEM/Log Management space for quite a while – there are about 20 vendors left now – but it’s strange that deals involving the two most significant independent vendors happened on the same day. Coincidence? Our pal and contributor James Arlen doesn’t believe in it, and neither do we… Hot Tamales First let’s discuss why these SIEM/LM players are such hot commodities. As many of us have been whining, compliance drives security nowadays, and log management is a must-have technologies for compliance. So almost everyone has some kind of log aggregation capability to cover the basic requirements. Most customers are thinking about enterprise-class options, which is driving business in the SIEM/Log Management space, as they want to do stuff with the vast amounts of data they collect. At the same time, the products are maturing. They aren’t easy to use, but they are getting better, and vendors’ ability to support enterprise-class requirements has improved, especially for Q1 and Nitro. That’s it. Also consider that security management was always destined to become part of the IT management and operations stack. That’s what drove the EMC/RSA/Network Intelligence and HP/ArcSight deals of yore, and is driving today’s deals. In simplest terms, SIEM/LM was never destined to be an independent technology over the long term, so these deals are just the logical conclusion of a 3-4 year consolidation. Why Buy? Let’s look at the buyer profiles – why did both McAfee and IBM buy the leading (independent) players in this market? In McAfee’s case the answer is simple. They had NOTHING to address this client requirement. They needed something – not having either LM or SIEM was forcing their customers to buy other solutions, such as ArcSight and RSA – which is unacceptable if your goal is to own the entire security stack. McAfee had to buy something, and frankly they should have done this a long time ago. IBM, on the other hand, had a number of SIEM-type platforms, most buried within the Tivoli group. But none were competitive, and I can’t tell you the last time I heard an end-user organization taking an IBM SIEM offering seriously. They do a bit of security management as a managed service (using the former ISS platform), but that wasn’t an answer. The real kicker, and what forced IBM’s hand, was clearly HP. HP’s ownership of ArcSight as the cornerstone of its enterprise security strategy put IBM at a clear disadvantage. Eventually not having a competing offering would have hurt them. I’m sure they did the math and decided it was easier to buy Q1 now (even for a pretty big number), than to wait until Q1 went public. Clearly IBM was going to pay to get into this market, so they decided to pay now. Why Sell? You always have to wonder why companies with clear momentum in a growing market sell. But don’t worry about it too much – I suspect it just came down to economics. Every company has a price, and clearly since it took so long for McAfee to consummate the Nitro deal, they finally reached it. This is actually a great outcome for Nitro, given that they were a couple of years behind Q1 on pretty much every enterprise front (revenue/bookings, channel, enterprise deployment), so getting taken out was a better option. McAfee was the likely candidate in light of their successful coordination as part of SIA (Security Innovation Alliance), as well as Nitro’s more reasonable price tag. McAfee has never really broken the bank for technology acquisitions since DeWalt came to power. Based on technology, sales model, and price, Nitro was a better fit for McAfee. Likewise, Q1 is the best fit for IBM. IBM is a huge company, and when they buy, they need to move the needle. Or at least have a chance to move the needle. Q1 was clearly on a path to go public, with speculation that the IPO would happen in early 2012. But every company goes into a deal with stars in their eyes, and Q1 is no different. IBM is giving Q1 CEO Brendan Hannigan the keys to a new combined security group. So they hope IBM will have a big group like HP does, which obviously dramatically increases the Q1’s impact on the market. Speaking of HP, we really cannot overstate the impact of the HP/ARST deal on this week’s events. From everything we’ve heard, after a little integration heartburn, HP is now driving ARST into deals that none of the other players are seeing. IBM gets a similar benefit with Q1. Clearly Q1 needs IBM’s reach to accelerate their growth path and impact. Will it happen? Who knows? But IBM gives the Q1 team their best chance. What about the customers? As with every deal, customers will suffer. The question is how much and for how long. All things considered, HP actually did a decent job with their ARST integration, so if IBM leaves Q1 alone, they have a chance. But there will be disruption – there always is. Q1 is now selling to IBM’s field sales force, and less directly to end users. It will take some time for IBM to figure out what they have, and the Q1 team needs to focus on teaching them – which means something will fall through the cracks. If you are a Q1 customer, and your implementation is working well, you should see little impact. If your implementation isn’t working well, start pushing for additional services to fix it. That will push Q1 to train IBM’s services teams, which is a good thing. McAfee historically has bought technology and just plugged it into their channel. SIEM is not AV, nor is it vulnerability management,

Rich, Adrian, and I have been hinting about our sekret plans to launch a new research ‘product’ for a while. Today we are finally ready to let you guys in on our the scoop. We are very excited about this next step in the evolution of Securosis. We call it the Securosis Nexus, and it’s an online environment built to help security professionals get their jobs done better and faster. We leverage our blog and white paper content (since that’s kind of what we do), but there are a bunch of community features that make this more than just a file cabinet of our stuff. What problem are we trying to solve? There is no lack of security content out there. But figuring out what’s important is the challenge. Most security folks spend far too much time wading through irrelevant content, as opposed to doing stuff. We have built the Nexus user experience to accelerate the process of figuring out what you need to know to achieve project success. Who is our target? First, the folks who probably don’t know what they don’t know about security. Unfortunately there are a lot of these folks – struggling every day because they don’t eat, sleep, and breathe this stuff like we do. Our working theory is that the vast majority of people working in security today don’t have security in their title, or even a security department or CISO in their company. We want to make sure those folks have enough information to be educated buyers and implementers of whatever product/project they are tackling, without having to spend 10 years taking classes and falling asleep in conferences. The Nexus is also for people who are working their behinds off every day, but aren’t experts in every little area. None of us know everything (just ask Rich about “IAM” if you want to see a blank stare), and we all need a little help from day to day. I have been describing it as a continuum. Most folks know perhaps 20% of what they need to know to do something. We believe the Nexus can get folks to 60-70% of what they need to know, with a much better chance to accomplish their tasks and do their jobs. There are two main aspects of the Nexus: Pragmatic Research: We tend to write 20-30 page papers, each providing a deep dive into a specific security topic. They aren’t for the Nexus – where our intended users don’t have time to read 30 pages about anything. They don’t get any awards for knowing everything about a topic, so the focus is instead on actionable information, not fluff or overly detailed description. The content is very modular and easy to navigate. Short descriptions, video, audio, checklists, and templates will be the bulk of the material on any specific topic. More about what needs to be done than why. There are a bunch of ways to view the content, and topics of interest can be stored in a library. All the content can be rated as well, so over time we’ll know what works and what doesn’t, and we will make it better. Ask an Analyst: We also know not every situation fits into a clean bucket of checklists and templates, so we have included a way to ask direct questions to an analyst and get direct answers. Privately and confidentially. The interface is built to make it easy to find both answers to your specific questions, and other public answers that may be helpful in solving your problem. We believe the Nexus will provide excellent value for expert practitioners and departments of larger enterprises as well, but likely more due to the Nexus community features. And best of all, we built the Nexus with economics in mind. Other research firms charge tens of thousands of dollars to ask them questions. For the Nexus, think hundreds rather than tens of thousands. Check out the Nexus site to see more features and view a video demo Rich put together. It’ll give you a good feel for the user experience. It looks great, if I do say so myself. We will launch Nexus later this year with a full set of content around PCI and associated technologies. Over time we will be building modules, templates, checklists, videos, and audio content for our entire coverage universe. We are just about ready to open the beta to a limited set of folks, and we’ll be inviting more over the next couple weeks as we continue building out the content. You can sign up for the beta on the Nexus site. We’ll talk more about the Nexus in the coming weeks as we add more content, flesh out the functionality, and launch to the public. In the meantime we’re interested in your feedback on what you can see in the video, so please check it out and let us know. Share:

Tonight at sundown the holiday of Rosh Hashanah starts, and Jewish folks all over the world will celebrate the coming of the year 5772. Or so the story goes. But I know better than to discuss politics or religion on the blog. You believe what you believe and I believe what I believe, and it’s all good. But the coming of a new year is a time for reflection and renewal. At least for me. As most of you know from my weekly rants, I have a lot of balls in the air. Starting a business, managing a family, and all the other things that make life in the 21st century pretty complicated. I also have specifically stopped setting goals and I’m working on trying to enjoy the journey without worrying too much about where it leads. I am working on not being limited by what my peer group considers success. And I can say I’m much happier for it. Notice I didn’t say happy – I said happier. One of my other challenges is actually celebrating accomplishment. I’m trying to rewire my cranium, but it’s hard. I still don’t celebrate enough. So over the next few days, as opposed to focusing on what I’m going to get done over the next 12 months with my head in the future, and then building a list of all the things I want to accomplish, I’m going to spend some quiet time remembering what I got done over the last year. Yes, it takes me a conscious effort to look in the rearview mirror. But I need to take some time to smell the roses, or something like that. I hate to say it (for fear of some weird karmic jinx), but it’s been a good year. The kids are doing great, the Boss is in a good place, and so am I. The business is growing nicely (thank you very much), our side projects look very promising (yes, we’ll be unveiling our research product next week), and I can’t speak for Rich and Adrian, but I really enjoy being part of Securosis. I’m excited about the coming year. Mostly because I’m not sure what will happen. I’ve got a bunch of pretty cool research projects lined up. Stuff I’m looking forward to learning about and documenting. I’ll be getting my fitness regimen back on track and my eating plan has me feeling pretty good. What’s not to be excited about? I’ll spend Thursday and Friday getting my fill of dogma (that goes with the territory), spending time with friends and family, and taking a step back to enjoy what I’ve done the past 12 months. Then I’ll be back at it on Monday, renewed and focused. There is a lot to do, and some of it will actually get done. As one of my mentors always said, “It’s not a sprint, it’s a marathon.” He was right, but he missed an important nuance of that idea. If you don’t stop and check out the scenery every couple of miles, you miss out on most of the fun. -Mike Photo credits: “Renewal” originally uploaded by Auntie P Incite 4 U It’s all about expectations: Failure to manage expectations leads to unhappiness and angst. I’ve probably only written that about a zillion times. Augusto hits this point again, and reminds us that if your control set depends on a perfect scenario, there is a giant FAIL in your future. We can’t depend on executives to be rational (not from a security perspective, anyway), nor can we depend on projects to actually get to the finish line. These are bad assumptions. His points are right on the money. “It’s not just “design for failure”. It’s design around failure. Your network is a mess and it will always be like that, deal with it.” Yup. I’m looking forward to part 2, where he deflates policy and standards stupidity. – MR Selling security is doing it wrong: I’ve been on a couple vendor calls already this week where I had to explain that if you sell security to security, you can only grow so far, so fast. The real customer is never security, but development, operations, and plain old employees and executives. Cloudflare is an example of a company doing this right. Do they have security? Sure… but they also have analytics and, heck, now they have wiped some of your IPv6 problems off the table. They don’t care if something is security or not, so long as it brings value to their customers and fits their message. It’s a heck of a story and I think we’ll see a lot more of this approach: security as a byproduct – especially in SMB. – RM Trust at your own risk: I have gotten a couple email requests in the last couple days with dodgy looking PDF files attached. Given the recent OS X trojan, sending me a PDF file makes you suspect. Which is kind of funny, if you think about it, what with it being a universal document format. Supposedly the threat is considered low risk, but it’s really hard to tell what else it leaves behind that might open avenues for future attacks. What has really been worrying me is the Trojan Flash Player. You need to be careful where you get upgrades, and hope the big trusted site you get software from has not been hacked. Supposedly OS X will only install trusted and signed objects, but I don’t think there is any protection from having a pop-up ask for your administrator credentials – all with a nifty flash logo. Be careful what you click on, and be even more careful when you enter administrator credentials. – AL Wait. What? Security folks are pessimists? Shimmy tries to get us to think a bit more positively about security. He thinks because we have reasonably assured employment and challenging jobs, we should be happy. You know, more half full, less half empty. What if your

Evidently it’s time to rethink our business model at Securosis. All you need to do is role out a certification program and wait for money to roll in. Actually prove skills? Bah, humbug. Actually require some sort of test? Screw that. Basically all you need is a CISO job and $200, and I have a certification for you. My severe case of snark is directed at the new Certified CISO program, introduced last week by the EC-Council. Those are the folks who do the Ethical Hacker certification, which is actually a decent program. This Certified CISO program? Not so much. How do you qualify to be a Certified CISO? Basically you need to have a pulse and a job. For the next year, all you have to do is show that you have 10 years of experience with 6 years across the 5 CISO domains (Governance, Controls and Auditing Management, Management – Projects and Ops, Security Core Competencies, Strategic Planning & Finance). Not that there isn’t something to be said about someone who decides to remain a CISO for 10+ years (besides questionable judgement), but who needs a certification to prove that? Do you wonder why most certifications are less useful than toilet paper? At least you can wipe your backside with toilet paper. Wouldn’t your resume just suffice – since this just proves your experience? Even better is the price. You can get this critical certification for the low, low price of $350 to apply and another $200/year to renew. I’m sure Lee Kushner is quaking in his boots, as clearly Certified CISOs will now reduce the need for CISO recruiting services. Companies can now just add this term to their resume filtering machines and move on to the next position, right? It seems the EC-Council plans to have some kind of test in 2012, although you can exempt out of that if you bother to get high-impact certifications like the CISSP, PMP, and CISA. Although it’s not clear to me how you’d build a truly objective test to show what’s really important for a CISO: persuasion skills and a very high tolerance for pain and frustration. And don’t think that we are anti-certification out of hand. We built the curriculum for the CCSK certification training program. It’s just that the certification has to have some grounding in reality. Is that too much to ask? All I can hope is that self-respecting CISOs see through this haze and realize that more letters on their business card don’t prove anything. Or maybe I’ll just stop tilting at windmills and roll out a Certified Pragmatic CSO program. Maybe that’s the ticket. Photo credit: “Very Happy Toilet Paper” originally uploaded by kim’n’Cris Knight Share:

It was a bit of a shock to us over two years ago, when we learned the Boy has a lazy eye. We found out when he got evaluated prior to entering kindergarten, and they said he needed to get his eyes examined. The Boss and I have very good vision, especially when we were growing up, so it was unexpected. Ultimately it’s not a big deal. He needs to wear glasses and we have to patch his good eye for a few hours every day to force his weaker eye to get stronger. We got him some pretty snazzy looking glasses. Oval in shape, you know, right out of the metrosexual handbook. Thankfully when you are 8, it’s cute. A couple years later, the glasses are part of him. He kind of looks strange when he doesn’t have them on. He is a boy, so he’s pretty hard on the glasses, with them always getting bent or otherwise screwed up. And when they don’t fit well, he tends to look over them. It’s not a conscious decision – he just lets them slide down his nose and goes about his business because his strong eye compensates. Or he doesn’t turn his head up when he’s looking up. Either way, he’s not getting the benefit of the glasses and it’s not helping to strengthen his weaker eye. During his quarterly check-up, the ophthalmologist suggested a new pair with bigger lenses that he wouldn’t be able to look over. We’re fine with that, but the Boy is a bit change averse. His first thought was that he didn’t want Waldo glasses. Those big frame models that make him look like the character from “Where’s Waldo?” We set the expectation that he’ll get the best glasses to address the issue, even if they are Waldo glasses. The Boss and I had a sneaking suspicion it wouldn’t end well, but we had to deal. I took him to the eyeglass shop and he started trying out frames. We found a pair that seemed good, which had rounder lenses. Not Harry Potter round, but rounder than his current model. I asked what he thought, and his response: “Horrible, Dad.” But both the optometrist and I told him they were cool, even if he didn’t believe us. Then I spied a pair of the dreaded Waldo glasses. “Boy, try these on!” After a little resistance, he put on the Waldo glasses (which were actually a pair of very expensive Calvin Klein models). I actually thought they looked good, but he was locked into the No Waldo position. He was clearly getting upset at the idea of having to get the Waldo model. Then I took the first pair with the rounded lenses and had him try those on again. Evidently it wasn’t the optometrist’s first rodeo either – he played up the cool frames and told him all the chicks would dig them. The Boy had no idea what he was talking about, but I was entertained. I had him put the Waldo glasses back on (just for good measure) and then try the rounded ones again. Then I went for the close. “So what do you think, dude?” He said, “I like them, Dad. They are cool!” Just like it was his idea. Win! Maybe at some point he’ll realize the conspiracy. Maybe not. Either way, it’ll be a lot harder for him to look over his glasses, which ultimately is all that matters. Even if it took a little manipulation to get him there. –Mike Photo credits: “Where’s Waldo” originally uploaded by Carolyn Coles Incite 4 U AV dying? Just like spam was going to be gone by 2004: Now that Microsoft has unveiled Windows 8 (talk about pre-announcing) with enhanced security features, the security industry is bracing for yet another assault on the cash cow of all cash cows: anti-virus. Evidently Win8 will have enhanced ASLR and heap stack protection, which is good news because <sarcasm>the attackers continue to stand still.</sarcasm> But it seems Windows Defender will be able to handle AV signatures now. First, AV signatures aren’t the answer. Second, inertia is substantial in both the consumer and business markets. If Microsoft said they were bundling white listing in, or some other mitigation that actually made a difference, I would be interested. But they didn’t so I’m not. But I do like the new Metro(sexual) interface. Not enough to actually use Windows, like ever, but it is pretty. – MR Needle in a crapstack: Most of the surveys we see in the security industry are pretty bad. They are driven by vendors looking for FUD to sell products. And hey, it’s our own fault because none of us wants to pay for the good stuff. (Our stuff excepted, of course 😉 ). But we can often find interesting nuggets anyway. These two surveys came courtesy of Martin McKeay, as prep material for this week’s podcast. The first, from Trustwave and Cybersource, tells us that 70% of businesses care more about their brands than PCI fines. Well, I sure as hell hope so – otherwise their priorities would be seriously out of whack. Then, courtesy of PWC, we find that only 13% of companies surveyed have a security strategy, reviewed the effectiveness of said strategy, and knew the types of breaches they suffered in the past 12 months. Heck, I’d say 13% sounds good – maybe even a little high. A lot of the rest of these two surveys is too tuned for my tastes, but I’m happy any time I can get a nugget or two. – RM Right tool for the job: If you are reliant upon email security to address HIPAA, you’ve already lost. But eWeek is positioning DLP Lite in email security tools as front-line defense for HIPAA. It’s a little like closing the window and leaving the front door wide open. Content screening of email is a last line of defense – one you hope you don’t

This is a bit off topic, but indulge me. We had a little situation in our neighborhood last week, involving a home invasion. A couple masked (evidently armed) guys tied up a family and ransacked their house. The father was in the garage when the intruders made their entrance. The mother and a teenage child were also in the house. This happened in my sleepy suburban neighborhood, so it can happen anywhere. The good news is that no one got hurt. They lost some money and some jewelry and I’d imagine they got a pretty good scare, given they were tied up in their bedroom after opening the safe. I don’t know the family, but it was the best outcome they could have gotten. As you can imagine, our neighborhood is in a tizzy. There are discussions of putting gates at the entrances, as well as significantly increasing the private security patrols that we contract. Yup, there is plenty of opportunity for security theater here. But security theater isn’t interesting to me. I deal with that crap every time I fly. It got me thinking about what I’d do in a similar situation. I’m in the garage, the Boss and the kids are in the house. Multiple armed men enter the garage. It’s quite a quandary. Some of you Hong Kong Phooey types might try to fend off the attackers. Do you run? Do you attack? Do you sacrifice everything to keep them out of the house? Do you try to talk some sense into them? Even if you have a gun in the house, how often are you in your garage? If you have an alarm, will you be able to hit the panic button? Should you, given that it could cause an unstable attacker to do something rash? Remember, you have family members in the house, which are unlikely to be as equipped as you to deal with the situation. I think I know what I’d do. But I’m not sure what standard operating procedure would be, so I’m asking for some help. I know a bunch of you have law enforcement and/or military backgrounds, and many have advanced training in all sorts of self-defense tactics. In a similar situation, what do you do? The police are holding a meeting in our neighborhood next week, so we’ll find out what they suggest we do. But that’s just one opinion, right? This seems like a targeted situation. The family has money and drives fancy cars, lives at the edge of the neighborhood, and their culture is known to keep cash and valuables in the house. None of which is my situation. But I’m wary of being too optimistic and naive about the risks to my family. So I’m going to do the threat models. I need to take precautions. I need to train my family what to do in a similar situation. What should I teach them? Share:

You have made your decision and recommended it up the food chain, so now the fun part begins. Well, fun for some folks, anyway. For this post we’ll assume you have decided to move to a new platform. We understand some people decide not to move, but use the question of switching as a negotiating tactic. But it bears repeating that it is no bad thing to stay with your existing platform, so long as you have done the work to determine it can meet your requirements. We’re writing this paper for the people who keep telling us how unhappy they are, and how their evolving requirements have not been met. So after asking all the right questions, if the best answer is to stay put, that’s a less disruptive path anyway. Replacement Tactics For now, though, let’s just assume the current platform is not going to get there. Now the job is to get the best price for the new offering. Here are a few tips to leverage for the best deal: Time the buy: Yes, this is Negotiation 101. Wait until the end of the quarter and squeeze your sales rep for the best deal to get the PO in by the last day of the month. Sometimes it works, sometimes it doesn’t. But it’s worth trying. Tell the incumbent they have lost the deal: The next step is to get the incumbent involved. Once you put in a call letting them know you are going in a different direction, they usually respond. Not always, but most times the incumbent will try to save the deal. And then you can go back to the challenger and tell them they need to do a little better, because you got this great offer from their entrenched competition. And just like when buying a car, to use this tactic you must be willing to walk away. Look at non-cash add-ons: Sometimes the challenger can’t discount any more. But you can ask for additional professional services, modules, boxes, whatever. Remember, the incremental cost of software is zero, zilch, nada – so vendors can often bundle in a little more to get the deal. Revisit service levels: Another non-cash sweetner could be an enhanced level of service. Maybe it’s a dedicated project manager to get your migration done. Maybe it’s the Platinum level of support, even if you pay for Bronze. Given the amount of care and feeding required to keep any security management platform tuned and optimized, having a deeper service relationship could come in handy. Dealing with your boss’s boss: One last thing – be prepared for your recommendation to be challenged, especially if the incumbent sells a lot of other gear to your company. The entire process we have laid out prepares you for that call, so just go through the logic of your decision once more, making clear that your recommendation is the best direction for the organization. Tactics for the Status Quo But it would be pretty naive to not be prepared in case the decision goes the other way – due to pricing, politics, or any other reason beyond your control. So it you have to make the status quo work and keep the incumbent, here are some ideas flor making lemonade from the proverbial lemon. Tell the incumbent they’re losing the deal: If the incumbent doesn’t already know they are at risk, it can’t hurt to tell them. Some vendors (especially the big ones) don’t care, which is probably why you were looking for something new anyway. But others will get the wake-up call and try to make you happy. That’s the time to revisit your platform evaluation and figure out what needs to be fixed. Get services: If your issue is not getting proper value from the system, push to have the incumbent provide some professional services to improve the implementation. Maybe send your folks to training. Have their team set up a new set of rules and do knowledge transfer. There are many options, but if you have to make do with what you have, at least force the vendor’s hand to make the systems work better. Scale up (at lower prices): If scalability is the issue, confront that directly with the incumbent and request additional hardware and/or licenses to address the issue. Of course, this may not be enough, but every little bit helps, and if moving to a new platform isn’t an option, at least you can ease the problem a bit. Especially when the incumbent knows you were looking at new gear because of a scaling problem. Add use cases: Another way to get additional value is to request additional modules be thrown into a renewal or expansion deal. Maybe add the identity module or look at configuration auditing. Or work with the team to add database and/or application monitoring. Again, the more you use the tool, the more value you’ll get, so figure out what the incumbent will do to make you happy. Honestly, if you must stick with the existing system, you don’t have much flexibility. The incumbent doesn’t need to know that, though, so try to use the specter of migration as leverage. But at the end of the day, it is what it is. Throughout this process you have figured out what you need the tool to do, so now do your best to get there, within your constraints. Once the deal is done, it’s time to move to the new platform. We will wrap this series by discussing migration and helping structure a plan to get onto the new kit. It will be hard – it always is – but you can leverage everything you learned through your first go-round with the incumbent, as well as this process, to build a very clear map of where you need to go and how to get there. Stay tuned for that. Share:

I have been looking forward to this day… well, since the Falcons’ season was abruptly cut short by a rampaging Pack last January. We had a little teaser with that great game Thursday, and although both teams couldn’t lose, having the Saints drop a tough one was pretty okay. I weathered a tumultuous lockout during the offseason. Even a bumpy pre-season for both my teams (NY Giants and ATL Falcons) couldn’t deter my optimism. Pro football started Sunday and I was fired up. The weekend was going swimmingly. I was able to survive a weekend with the Boss away with her girlfriends. With a little help from our friends, I was able to successfully get the Boy to his football practice, XX2 to her softball game, and both girls to dance practice Saturday. I got to watch a bunch of college football (including that crazy Michigan/Notre Dame game). The kids woke Sunday in a good mood when I got them ready for Sunday school. I got some work done and then got ready to watch the games at a friend’s house. Perfect. Until they started playing the games, that is. The Falcons got crushed. Ouch. They looked horrible, and after all the build-up and expectations it was rather crushing. It was terrible for sure. I do this knock-out pool, where you pick one team a week and if they win, you move on. If they lose, you are out. You can’t pick the same team twice, and it’s a lot of fun. But I’ve shown my inability to get even the easiest games right – I have been knocked out in the first week 2 of the last 3 years. Of course, I picked Cleveland because Cincinnati is just terrible, with a new QB and all. Of course Cleveland lost and I’m out. Yeah, that’s horrible. Just horrible. But things couldn’t get worse, right? The Giants were in Washington and they’ve owned the Redskins for years. Until today. The Giants have a ton of injuries, especially on defense. And it showed. They couldn’t stop a high school team. Their offense wasn’t much better. Man, tough day. Looking at the schedule, both teams dropping their games this week will hurt. Yup, that’s a no good day. And to add insult to injury, as I’m mumbling to myself in the corner, the Boy comes downstairs with his Redskins jersey on. Just to screw with me. Seriously. I know I shouldn’t let an 8-year-old get under my skin, especially the day before his birthday, but I wasn’t happy. Maybe I’ll laugh about it by the time you read this on Wednesday, but while I’m writing this on Sunday night, not so much. I sent him upstairs with a simple choice. He can change his shirt or I could insert a few metatarsals into his posterior region. It’s very bad when I can’t even handle a little chiding from my kids. It was a terrible, horrible, no good, very bad day. But putting everything in context, it wasn’t that bad. I’ve got my health. I do what I love. My biggest problems are about getting everything done. Those are good problems to have. An embarrassment of good fortune, and I’ll take it. Especially given how many around the world were mourning the loss of not only loved ones, but their freedom, as we remember the 9/11 attacks. -Mike Photo credits: “bad day” originally uploaded by BillRhodesPhoto Incite 4 U Design for FAIL: Part of the mantra of most security folks is to think like an attacker. You need to understand your adversary’s mindset to be able to defend against their attacks. There is some truth to that. But do you wonder why more security folks and technology product vendors don’t do the same level of diligence when designing their products. Mostly because it’s expensive, and it’s hard to justify changing things (especially the user experience) based on an attack that may or may not happen. Lenny Z makes a good point in his post Design Information Security With Failure in Mind, where he advocates taking lessons from ship builders. I’d put airplane manufacturers in the same boat. They intentionally push the limits, because people die if a cascade of failures sinks a ship. Do your folks do that with IT systems? With security? If not, you probably should. It’s not about protecting against a Black Swan, but eliminating as much surprise as we can. That’s what we need to do. – MR Jackass punks: No, this isn’t a diatribe against Lulzsec. Imagine you’re sitting at home and you start getting weird emails from some self-proclaimed degenerate who starts talking about showing up at your house. And you get emails from motels this person stayed at, holding you responsible for damages. And the person was on the lam from the law. Heck, they even have their own MySpace page. MySpace? Okay, that’s probably the first clue this is a scam, or a Toyota marketing campaign gone horribly wrong. Toyota set up a site where people could enter the personal details of their friends (or… anyone), who would then be subject to a serious Ashton Kutcher-style punking. Talk about insanely stupid. As much as we bitch about security marketing, this definitely takes the cake. While I don’t think $10M in damages is reasonable, Toyota certainly earned the lawsuit. – RM Pay-nablement: It’s easy to do online payment. The trick is in doing it securely, and I am not so sure that the ‘Buyster’ payment system has done anything novel for security. Buyster links your phone number to a bank account. To use the service you need to enter your phone number and a password – what could go wrong? In return you get a payment token via a message, which you can then pass to a merchant. This model keeps the credit card number off the merchant site, but they would need to modify their systems to accept the token and link to the Buyster payment

As we wrap up our series on Fact-Based Network Security, let’s run through a simple scenario to illustrate the concepts. Remember, the idea is to figure out what on the list will provide the biggest impact for your organization, and then do it. We make trade-offs every day. Some things get done, others don’t. That’s the reality for everyone, so don’t feel bad that you can’t get everything done. Ever. But the difference between a successful security practitioner, and someone looking for a job, is that success is about consistently choosing the right things to get done. Some folks intuitively know what’s important and seem to focus on those things. They exist – I’ve met them. They are rock stars, but when you try to analyze what they do, there isn’t really a pattern. They just know. Sorry, but you probably aren’t one of those folks. So you need a system – you know, a replicable process – to make those decisions. You may not have finely tuned intuition, but you can overcome that by consistently and somewhat ruthlessly getting the most important things done. Scenario: WidgetCo and the Persistent Attacker In our little story, you work for a manufacturer and your company makes widgets. They are valuable widgets, and represent intellectual property that most nations of the world (friend and foe alike) would love to get their hands on. So you know that your organization is a target. Your management gets it – they have a well-segmented network, with firewalls blocking access to the perimeter and another series of enclaves protecting R&D and other sensitive areas. You have IPS on those sensitive segments, as well as some full packet capture gear. Yes, you have a SIEM as well, but you are revisiting that selection. That’s another story for another day. Your users are reasonably sophisticated, but human. You run the security operations team, meaning that your folks do most of the management and configuration of security devices. Knowing that you are a target means you need to assume attackers have compromised your network. But your tight egress filtering hasn’t shown any significant exfiltration. Your team’s task list seems infinite. There are a myriad of ports to open and close on the firewalls to support collaboration with specific business partners. Your company’s sales team needs access to a new logistical application so they can update customers on their shipments of widgets. And of course you are a large customer of a certain flavor of two-factor authentication token for all those reps. Your boss lights up your phone almost daily because she gets a lot of pressure to support those business partners. Your VP of Engineering is doing some cool stuff with a pretty famous research institution in the Northeast. The sales guys are on-site and don’t know what to tell the customer. And your egress filters just blocked an outbound attempt coming from the finance network, maybe due to the 2FA breach. What do you do? No one likes to be told no, but you can’t get everything done. How do you choose? Get back to the risks If you think back to how we define risk, it’s pretty straightforward. Which assets are most important? Clearly it’s the R&D information, which you know is the target of persistent attackers. Sure, customer information is important (to them) and finance information would make some hedge fund manager another billion or two, but it would be bad if the designs for the next-generation widget ended up in the hands of a certain nation-state. And when you think about the outcomes that are important to your business, protecting the company’s IP is the first and highest priority. It supports your billion-dollar valuation, and senior management doesn’t like to screw around with it. Thinking about the metrics that underlie various outcomes, you need to focus on indicators of compromise on those most sensitive networks. So gather configuration data and monitor the logs of those servers. Just to be sure (and to be ready if something goes south) you’ll also capture traffic on those networks, so you can React Faster and Better if and when an alert fires. It’s also a good idea to pay attention to the network topology and monitor for potential exposures, usually opened by a faulty firewall change or some other change error. Your operational system gathers this data on an ongoing basis, so when alerts fire you can jump into action. Saying No In our scenario, the R&D networks are most critical, pure and simple. So you task your operations team to provide access to the research institution as the top priority. Of course, not full unfettered access, but access to a new enclave where the researchers will collaborate. After your team makes the changes, you do a regression analysis, to make sure you didn’t open up any holes, using your network security configuration management tool. No alerts fired and the report came back clean. So you are done at that point, right? We don’t think so. Given the importance of this network, you keep a subset of the ops team with their eyes on the monitors collecting server logs, IDS, and full packet capture data. You have also tightened the egress filters just in case. Sure some folks get grumpy when they are blocked, but you can’t take any chances. Without a baseline of the new traffic dynamics, and without a better feel for the log data, it’s hard to know what is normal and what could be a problem. Admittedly this decision makes the VP of Sales unhappy because his folks can’t get access to the logistical information. They’re forced to have a support team in HQ pull a report and email it to the reps’ devices. It’s horribly inefficient, as the VP keeps telling you. But that’s not all. You also haven’t been able to fully investigate the potential issue on the financial network, although you did install a full packet capture device on that network to start