Securosis

Research

Security Management 2.0: Revisiting Requirements

Given the evolution of both the technology and the attacks, it’s time to revisit your specific requirements and use cases – both current and evolving. You also need to be brutally honest about what your existing product or service does and does not do, as well as your team’s ability to support and maintain it. This is essential – you need a fresh look at the environment to understand what you need today and tomorrow, and what kind of resources and expertise you can bring to bear, unconstrained by what you need and do today. Many of you have laundry lists of things you would like to be able to do with current systems, but can’t. Those are a good place to start, but you also need to consider the trends for your industry and look at what’s coming down the road in terms of security and business challenges that will emerge over the next couple years. Capturing the current and foreseeable needs is what our Security Management 2.0 process is all about. Blank Slate In order to figure out the best path forward for security management, start with the proverbial blank slate. That means revisiting why you need a security management platform with fresh eyes. It means taking a critical look at use cases and figuring out their relative importance. As we described in our Understanding and Selecting a SIEM/Log Management Platform paper, the main use cases for security management really break down into 3 buckets: Improving security, increasing efficiency, and automating compliance. When you think about it, security success in today’s environment comes down to a handful of key imperatives. First we need to improve the security of our environment. We are losing ground to the bad guys, and we need to make some inroads on figuring out what’s being attacked more quickly and protecting it. Unfortunately nobody’s selling (working) crystal balls that tell you how and when you will be attacked, so the blank slate strategy entail monitoring more and determining how your detection and response systems will react more quickly. Next we need to do more with less. It does look like the global economy is improving but we can’t expect to get back to the halcyon days of spend first, ask questions later – ever. And while that may sound like “work smarter, not harder” management double-speak, there are specific automation and divide & conquer strategies that help reduce the burden. With more systems under management, we have more to worry about and less time to spend poring over reports, looking for the proverbial needle in the haystack. Given the number of new attacks – counted by any metric you like – we need to increase the efficiency of resource utilization. Finally, auditors show up a few times a year, and they want their reports. Summary reports, detail reports, and reports that validate other reports. The entire auditor dance focuses on convincing the audit team that you have the proper security controls implemented and effective. That involves a tremendous amount of data gathering, analysis, and reporting to set up – with continued tweaking required over time. It’s basically a full time job to get ready for the audit, dropped on folks who already have full time jobs. So we must automate those compliance functions to the greatest degree possible. Increasingly technologies that monitor up the stack are helping in all three areas by collecting additional data types like identity, database activity monitoring, application support, and configuration management – along with different ways of addressing the problems. As attacks target these higher-level functions and require visibility beyond just the core infrastructure, the security management platform needs to detect attacks in the context of the business threat. Don’t forget about the need for advanced forensics, given the folly of thinking you can block every attack. So a security management platform to help React Faster and Better within an incident response context may also be a key requirement moving forward. You might also be looking for a more integrated user experience across a number of security functions. For example, you may have separate vendors for change detection, vulnerability management, firewall and IDS monitoring, and database activity monitoring. You may be wearing out your swivel chair switching between all the consoles, and simplification via vendor consolidation can be a key driver. Understand that your general requirements may not have changed dramatically, although you may prioritize the use cases a little differently now. For example, perhaps you first implemented Log Management to crank out some compliance reports. It wouldn’t be the first time we’ve seen that as the primary driver. But you just finished cleaning up a messy security incident your existing SIEM missed. If so, you probably now put a pretty high value on making sure correlation works better. Once you are pretty clear within your team about the requirements for a security management team, start to discuss the topic a bit with external influencers. You can consult the ops teams, business users, and perhaps the general counsel about their requirements. Doing this confirms the priorities you already know and sets the stage to provide you support if the decision involves moving to a new platform. Critical Evaluation Now it’s time to check your ego at the door. Unless you weren’t part of the original selection team – then you can blame the old regime. Okay, we’re kidding. Either way the key to this step involves a brutally honest assessment of how your existing platform meets the needs that drove the initial implementation. This post-mortem type analysis evaluates the platform in terms of each of the main use cases (security, efficiency, compliance automation), as well as some other aspects of real world use. Even better, you’ll need to determine why the product/service isn’t measuring up. Common reasons we see include: Ease of use: Are there issues getting the product/service up and running? Did it require tons of professional services? Were you able to set up sufficiently granular rule sets

Share:
Read Post

Incite 8/24/2011: Living Binary

The Boss constantly reminds me I have no middle ground. On/Off. Black/White. No dimmer. No gray (besides on my head). Moderation is non-existent, which is why I never tried hard drugs. I knew myself well enough (even at a young age) to know it wouldn’t end well. Sure I’d be the best presenter in the crack den, but that would have impeded my plans for world domination. It’s not just the mind altering stuff where I don’t do moderation. Let’s talk food. I became a vegetarian about 3 years ago, mostly because I couldn’t eat just five chicken wings. I’d eat 20 and then feel like crap. As much as my logical brain would say ‘STOP’, my monkey brain would plow through the tray of wings. I want to live to be 90, so then my kids can change my diapers. So I needed to figure out a method to deal with this lack of control. I figured it would be easier to go cold turkey. No red meat, no chicken (or turkey), no pork. Done. I can shut it off. I just can’t moderate. A few weeks ago I needed to take some action. My weight was creeping up, mostly because I couldn’t work out with the intensity that used to keep things under control, because of injuries. I don’t eat terribly, but when we run out of veggies and fruit, I’ve been known to knock back some chips. OK, a bag of chips. Or a couple bowls of cereal. Or a few mini-bagels. It’s that moderation thing again. I’ve been hearing many of my friends talk about this Primal thing for a while. Stories of how they feel a lot better. They certainly look better. I’m used to eating a big ass salad most days, and a lot of fruit/veggies. It can’t be that hard, right? Best of all, it plays into my binary nature. If I just stop eating bread and most starchy carbs, that can work. Now I don’t have to worry about digging into the bag of chips or grabbing 3-4 mini-bagels. That switch is off. Binary. It’s actually gone pretty well. I haven’t dropped a ton of weight, but I adjusted pretty well. No headaches, no severe hunger pains. I’m not as draconian as I am with the meat. I don’t go nuts (no pun intended) if there are breaded do-dads on a salad. And I’ll eat potatoes, just not frequently. Maybe twice a week. Mostly with an omelet when I’m on the road (instead of 3 bagels). Living binary may not be for everyone, but it works for me. I know I have got little control. Rather than trying to figure out how to gain control, I put myself in situations where I can be successful. Is this forever? Who knows? But it’s OK for now, so I’ll go with it. -Mike Photo credits: “Binary cupcakes” originally uploaded by alicetragedy Incite 4 U Slowing down your denial: I’m not sure where it came from, but I love the idea of slowing down to speed up. Many times when things feel out of control, if I just take a step back and focus, I start moving things forward. Seems the denial of service attackers take a similar approach. Kick ass post here from Rybolov about slow denial of service (SDoS). Of course, our friend RSnake was one of the first (if not the first) guys to talk about slow HTTP attacks, so I’m glad he’s on our side. The post tells you what you need to know about this attack, delving into its devastating nature, the challenges of detecting it, and how to defend against it. It’s much harder to track, compared to brute force DDoS, so it seems likely we’ll see a lot more SDoS. Good thing Rybolov doesn’t miss the opportunity to reiterate that throwing a bunch of servers and bandwidth at SDoS may be one of the only mitigations we have. And good thing Akamai has a lot of both, eh? – MR Blood Donation: Having been to China a few times I’m pretty sure they have some of my biometric information. Just like in the US, they take a photo and fingerprint on entry to the country. While I don’t consider China evil by any means, they are definitely a bit more of a rival to most Western nations (and pretty much any democracy). So I’m amused at this project to collect DNA sequences for people with high intelligence. Now I think this is a real research project, but they do report to the government in the end. Is anything at risk? Probably not for any of us. Is it amusing, in light of everything else going on these days? Certainly! – RM You get the check… Cellarix is creating a mobile payment system. All you have to do is provide Cellarix (or more likely their credit card processing partner) with your credit card number – the merchant’s POS system essentially calls your phone to confirm payment. Think of it as a reverse Point-of-Sale system. I saw something almost identical to this demonstrated by Ericsson in 1997 – payment was handled simply by dialing the phone number on the front of a vending machine, in order to get train tickets or a pack of cigarettes. The idea was that you could leverage your phone provider’s existing payment relationships – at the end of the month, your phone bill would include your purchases. The obvious vulnerability is the device itself. If you lose your phone, you could have your bank account or credit card drained almost instantly, which is awesome. The Cellarix model is not much different, with the merchant calling you for verification. But nowdays losing the phone is just one of many threats – MITM and rogue apps could just as easily fake authorization by controlling that second factor. Most people can’t help leaking email credentials at Starbucks – is there any reason to believe your payment data would

Share:
Read Post

Fact-based Network Security: Outcomes and Operational Data

In our first post on Fact-based Network Security, we talked about the need to make decisions based on data, as opposed to instinct. Then we went in search of the context to know what’s important, because in order to prioritize effectively you need to know what presents the most value to your organization. Now let’s dig a little deeper into the next step, which is determining the operational metrics on which to base decisions. But security metrics can be a slippery slope. First let’s draw a distinction between outcome-based metrics and operational metrics. Outcomes are the issues central to business performance, and as such are both visible and important to senior management. Examples may include uptime/availability, incidents, disclosures, etc. Basically, outcomes are the end results of your efforts. Where you are trying to get to, or stay away from (for negative outcomes). We recommend you start by establishing some goals for improvement of these outcomes. This gives you an idea of what you are trying to achieve and defines success. To illustrate this we can examine availability as an outcome – it’s never bad to improve availability of key business systems. Of course we are simplifying a bit – availability consists of more than just security. But we can think about availability in the context of security, and count issues/downtimes due to security problems. Obviously many types of activities impact availability. Device configuration changes can cause downtime. So can vulnerabilities that result in successful attacks. Don’t forget application problems that may cause performance anomalies. Traffic spikes (perhaps resulting from a DDoS) can also take down business systems. Even seemingly harmless changes to a routing table can open up an attack path from external networks. That’s just scratching the surface. The good news is that you can leverage operational data to isolate the root causes of these issues. What kinds of operational data do we need? Configuration data: Tracking configurations of network and security devices can yield important information about attack paths through your network and/or exploitable services running on these devices. Change information: Understanding when changes and/or patches take place helps isolate when devices need to be checked or scanned again to ensure new issues have not been not introduced. Vulnerabilities: Figuring out the soft spots of any device can yield valuable information about possible attacks. Network traffic: Keeping track of who is communicating with whom can help baseline an environment, which is important for detecting anomalous traffic and deciding whether it requires investigation. Obviously as you go deeper into the data center, applications, and even endpoints, there is much more operational data that can be gathered and analyzed. But remember the goal. You need to answer the core question of “what to do first,” establishing priorities among a infinite number of possible activities. We want to focus efforts on the activities that will yield the biggest favorable impact on security posture. A simple structure for this comes from the Securosis Data Breach Triangle. In order to have a breach, you need data that someone wants, an exploit to expose that data, and an egress path to exfiltrate it. If you break any leg of the triangle, you prevent a successful breach. Data (Attack Path) If the attacker can’t see the data, they can’t steal it, right? So we can focus some of our efforts on ensuring direct attack paths don’t make it easy for an attacker to access the data they want. Since you know your most critical business systems and their associated assets, you can watch to make sure attack paths don’t develop which expose this data. How? Start with proper network segmentation to separate important data from unauthorized people, systems, and applications. Then constantly monitor your network and security devices to ensure attack paths don’t put your systems at risk. Operational data such as router and firewall configurations is a key source for this analysis. You can also leverage network maps and ongoing discovery activities to check for new paths. Any time there is a change to a firewall setting or a network device, revisit your attack path analysis. That way you ensure there’s no ripple effect from a change that opens an exposure. Think of it as regression testing for network changes. Given the complexity of most enterprise-class networks, this isn’t something you can do manually, and it’s most effective in a visual context. Yes, in this case a picture is worth a million log records. A class of analysis tools has emerged to address this. Some look at firewall and network configurations to build and display a topology of your network. These tools constantly discover new devices and keep the topology up to date. We also see evolution of automated penetration testing tools, which focus on continuously trying to find attack paths to critical data, without requiring a human operator. There is no lack of technology to help model and track attack paths. Regardless of the technology you select to analyze the attack paths, this is key to understanding what to fix first. If a direct path to important data results from a configuration change, you know what to do (roll it back!). Likewise, if a rogue access point emerges on a critical network (with a direct path to important data), you need to get rid of it. These are the kind of activities that make an impact and need to be prioritized. Exploit Even if an attack path exists, it may not be practical to exploit the target device. This is where server configuration, as well as patch and vulnerability monitoring, are very useful. Changes that happen outside of authorized maintenance windows tend to be suspicious, especially on devices either containing or providing access to important data. Likewise, the presence of an exploitable critical vulnerability should bubble to the top of the priority list. Again, if there is no attack path to the vulnerable device, the priority of fixing the issue is reduced. But overall you must track what needs to be fixed on

Share:
Read Post

Beware Anti-Malware Snake Oil

It’s hard to believe, but over the past 24 hours I’ve had 3 separate briefings with companies innovating in the area of anti-malware. Just ask them. Each started the discussion with the self-evident point that the existing malware detection model is broken. Then they each proceeded to describe (at a high level) how what they are doing isn’t anti-virus per se, but something different. Something that detects the new malware we are seeing. They didn’t want to replace the anti-malware engine. They just think they address the areas where traditional anti-malware sucks. Yeah, that’s a big job. These vendors are not wrong. The existing approach of largely signature-based engines, recently leveraging a cloud extension, is broken. Clearly we need a new approach. True innovation, as opposed to marketing innovation. It’s easy to shoot holes in AV, with its sub-50% detection rate. It’s hard to actually do something sustainably different. We don’t need to poke more holes in AV, we need something that works better. Having been in this business for 20 years or so, this isn’t the first time attacks have gotten ahead of detection. You could make the case that detection has never caught up. Each time, a new set of innovators emerges with new models and products and capabilities, seemingly built to address the latest and greatest attack. Right, solving yesterday’s problems tomorrow. But that’s nothing new. It’s the security business as we know it. The problem is separating the wheat from the chaff. One of the companies I spoke with seems to have a better mousetrap. Maybe it is. Maybe it isn’t. The point is that it’s not the same mousetrap. But it will be an uphill battle for these folks to get a hearing, because endpoint security vendors have been lying to customers for years, saying their products actually stop new attacks. Now customers are highly skeptical, and are not very open to trying something different. Customers have heard it all before. This is just another cycle, compounded by the incumbents trying to sound different, while entirely focused on milking their cash cows. They will pay lip service to innovation, they always do. In reality they are more focused on reducing their agents’ footprints and improving performance, because those are costing them deals – not on the fact that they can’t detect an eskimo in Alaska. Another factor is the total farce of anti-malware testing labs. It seems like another pops up every week, commissioned to say one vendor performs better than the others. Awesome. Granted I was born skeptical, but these guys are not helping me believe in anything. So what to do? Same as it ever was. Endpoint protection is one of many tactics that can help identify and eventually contain malware. Layers are still good. Though we do expect innovation over the next year, so keep your eyes open. There is a pony somewhere in there, it’s just not clear which one is it. The rest will go down in the annals of security history as snake oil. Same as it ever was. There is very little benefit in being early with these new products/companies right now, spending time figuring out what really works. In other words, if I have an incremental $10, I’m spending it on monitoring and incident response technologies. But you already knew that. Prevention has (mostly) failed us. You know that too. Until some new anti-malware widget is vetted as making a difference (by people you trust), spend your time figuring out what went wrong. There is no lack of material there. Share:

Share:
Read Post

Incite 8/17/2011: Back to School

What would you do if you could go back to school? Seriously. If you could turn back the clock and go back to grade school or even high school? No real responsibility. No one depending on you for food and/or shelter. Gosh, I’d do so many things differently. I’d buy a few shares of Microsoft when they went public (and I’d also send a note to my 1999 self to sell it). Ah, the magic of hindsight. What I wouldn’t do is bitch about it. It’s funny that my kids were actually excited to go back to school. We figured they’d be bitching a lot more, especially given how much fun they have over the summer. Thankfully, they aren’t at the stage where they dread the end of summer vacation and the return to the structure and routine of the school year. The Boss is clearly doing something right because the girls jumped right in. The Boy not so much. Not because he doesn’t like school, but more because time he’s working is time he’s not outside playing ball with his buddies. The biggest thing we try to get across every year is the importance of a strong work ethic. Unless there is an activity right after school, the kids grab a snack and jump right into their homework, which must be done, to The Boss’s satisfaction, before they can do anything else. We’re constantly harping on the fact that hard work can overcome a lot of mistakes and issues. Also that it’s okay to get something wrong and to make mistakes. But it’s not okay not to give it proper effort. The most gratifying thing about it all? Seeing one of the kids “get it.” Last year XX1 spent countless hours preparing for a big test, and she aced it. She saw the direct correlation between hard work and positive results. Rich and I were joking the other day that we both did the bare minimum as long as we could throughout public school. We got by on our charming personalities. Okay, maybe not… All the same, if we applied our current work ethic to our school endeavors? Who knows what we’d accomplish. But we would also miss out on a number of great parties and save some liver damage. Okay, a lot of liver damage. Oh yeah, the balance discussion. That’s one secret we won’t share until the kids graduate from college. So don’t ruin it for us, okay? -Mike Note: Yes, I’m kidding. All work and no play is not the way to go through childhood. Photo credits: “Back to School Bong Sale” originally uploaded by designwallah Incite 4 U Fixing is the hard part: I’m kind of surprised at the tepid response to Microsoft’s $250k prize for advancement of exploit mitigation. Imagine that, folks get paid a bit for finding a bug and being able to exploit it, but now can get paid a lot for actually fixing the issue. I think this is great and we should all applaud Microsoft. First for finally understanding that for the price of one engineer (fully loaded), they could put in place a meaningful economic incentive for a researcher. But also to start driving toward a culture of fixing things instead of just breaking them. Stormy did a great job of making that case as well. – MR And you thought your network was tough…: We often call the DefCon network “The World’s Most Hostile Network” since you can assume at least a few hundred – possibly thousands – of hackers are on it eating their latest software toys. What not everyone knows is that there are actually multiple networks at DefCon, some of which are probably reasonably secure, but that isn’t what I’m going to talk about today. Ryan Barnett over at Tactical Web Application Security wrote a great post on what web apps can learn from casino surveillance. I’m a huge fan of monitoring at all levels, and when it comes to web apps we definitely aren’t doing enough (in most cases). Ryan’s post does a good job of keying in on the main difference between apps and networks (spoiler – is has to do with who is allowed in). As a side note, back in Gartner days Ray Wagner (still there) and myself were proponents of using slot machine security standards for voting machines. But it seems the price of democracy doesn’t won’t cover the same security used for nickel slots. Then again the payout of the voting machines usually isn’t 97% either. – RM DAM market maturing: The Database Activity Monitoring market continues to see activity, with GreenSQL receiving another $2.2 million in venture funding from Atlantic Capital partners. Like children, most startups are not very interesting until they are a couple years old. Companies need to mature both product functionality and vision. GreenSQL is reaching that point: their first product was an open source reverse proxy for SQL statements. Now they offer core SQL statement blocking function like other DAM vendors, but they also offer a performance boost through a database caching service as well. Like the rest of the DAM players, they are morphing into something else – with the addition of masking, usage profiles, and application specific rule sets. Integrating a number of previously separate functions into a more integrated offering. Yet another sign of an increasingly mature market. DAM(n) funny how that happens. With Imperva slated for IPO and lots of interest in the basic monitoring capabilities, expect continued M&A activity. I expect we’ll need to change the way we think about DAM into a larger database security context by this time next year. – AL A different kind of hacking: Most of us were taught that two wrongs don’t make a right. The consistent attacks on law enforcement do nothing but endanger folks who make significant sacrifices. Our own Adrian provided some context about the situation in Arizona for this story about the continued posting of personal information about law

Share:
Read Post

Incite 8/10/2011: Back to the Future

Getting old just sucks. OK, I’m not really old, but I feel that way. I think I’m suffering from the fundamental problem Rich described a few weeks ago. I think I’m 20, so I do these intense exercise programs and athletic pursuits. Lo and behold, I get hurt. First it was the knees. My right knee has bothered me for years. And I was looking at the end of my COBRA health benefits from my last employer, so I figured I’d get it checked out before my crap insurance kicked in (don’t get me started on health insurance). Sure enough there was some inflammation. Technically they called it patellar tendinitis. My trusty doctor proscribed some anti-inflammatories and suggested a few weeks of physical therapy to strengthen my quads to alleviate the issue. But that took me out of my pretty intense routines for a few months. That wouldn’t normally be a huge problem, but softball season was starting, and I had lost some of my fitness. OK, a lot of my fitness. I was probably still ahead of most of the old dudes I play with, but all the same – when you aren’t in shape, you are more open to injury. You know how this ends. I plant the wrong way crossing home and I can feel the jolt through my entire body. My middle back and shoulder tighten up right away. It wouldn’t be the first time I’ve pinched a nerve, so I figure within a day or two with some good stretching it’ll be fine. I take a trip and three days later try some yoga. Yeah, that didn’t work out too well. I made it through 10 minutes of that workout before saying No Mas. Since when did I become Roberto Duran? Oh crap, this may be a bit more serious than I figured. It probably didn’t help that the next day we loaded up the family truckster and drove 7 hours to see the girls at camp. When I woke up the next day I could hardly move. I’m not one to complain, but I was pretty well immobile. Once we got to Maryland, I got a deep tissue massage. No change. My doctor called in some relaxants. I tried to persevere. No dice. I flew home to see my doc, who thought there was a disc problem. An MRI would confirm. And confirm it did. I have a degenerative disk (C5-6 for those orthopedists out there). It took about two weeks but finally settled down. I’m going to try to rehab it with more PT and more stretching and less impact. I don’t want to do shots. I definitely don’t want to do surgery. So I’ve got to adapt. P90X may not be the best idea. Not 6 days a week, anyway. I can build up a good sweat doing yoga, and maybe I’ll even buy that bike the Boss has been pushing for. Or perhaps take a walk. How novel! I’m not going to settle for a sedentary existence. I like beer and food too much for that to end well. But I don’t need to kill myself either. So I’m searching for the middle ground. I know, for most of my life I didn’t even know there was a thing called middle ground. But as I get older I need to find it. Because life is a marathon, not a sprint. I can’t go back to the future in a broken down DeLorean, now can I? -Mike Photo credits: “Lateral X-Ray of Neck Showing Flexion | Donald Corenman, MD | Spine Surgery Colorado” originally uploaded by neckandback Incite 4 U Long live speeds and feeds: Coming from a networking background, I have a serious disdain for vendors differentiating based on speed. Or how many signatures something ships with. Or any other aspect of the device with little bearing on real world performance. After the 40gbps IPS rhetoric died down a few years ago, I hoped we were past the “my tool is bigger than yours” marketing. Yeah, not so much. Our pals at Check Point dive back into the speeds/feeds muck with their new big box, and NetworkWorld needs a visit from the clue bat for buying into the 1Tbps firewall. Check Point did map out a path to 1tbps, but it’ll take them 4 years to get there. But hey, a 1tbps firewall generates some page views. By the way, there are a handful of customers that even need 100gbps of perimeter throughput. But long live the speeds and feeds! – MR I guess the parents were also in the room: When I worked for the State of Colorado, my first real IT job was as a systems and network administrator at the University of Colorado in Boulder. I had a wacky boss who wasn’t the most stable of individuals. When I got my Classified Staff status he informed me that I now didn’t have to worry about being fired. I quote, “even if you have sex with a student on a desk in front of the class, they’ll just suspend you with pay”. (When he finally went off the deep end it took them years of demotions to finally get him to quit). I’ve always thought of PCI QSA (assessment) companies that way. It has always seemed that no matter what they did, there weren’t any consequences. I wouldn’t say that’s changing, but a company called Chief Security Officers is the first to have its QSA status revoked. No one is saying why, but I suspect less than satisfactory performance, with consistency. – RM CSA Vendor Guide: CSA is offering a Security Registry for Cloud providers in order to help customers compare cloud security offerings across vendors. The CSA has a questionnaire for each provider – basically an RFP/RFI – and will publish the results for customers. The good news is that this will provide some of the high-level information that is really hard to find – or entirely absent

Share:
Read Post

Use THEIR data to tell YOUR story

I’m in the air (literally) on the way to Metricon 6; so I’m thinking a lot about metrics, quantification, and the like. Of course most of the discussion at Metricon will focus on how practitioners can build metrics programs to make their security programs more efficient, maybe more effective, and certainly more substantiated (with data, as opposed to faith). Justifiably so – to mature the practice of security we need to quantify it better. But I can’t pass up the opportunity to poke a bit at the type of quantification that comes from the vendor community. Surveys and analyses which always end up building a business case for security products and services. The latest masterpiece from the king of vendor-sponsored quantification, Larry Ponemon, is the 2nd annual cost of cyber-crime survey – sponsored by HP/ArcSight. To be clear, I’m not picking (too much) on Dr. Larry, but I wanted to put the data he presents in the report (PDF) in the proper context and talk briefly about how a typical end user should use reports like this. First of all, Ponemon interviewed 50 end users to derive his data. It’s been a long time since I’ve done the math to determine statistical significance, but I can’t imagine that a sample size of 50 qualifies. When you look at some of the results, his findings are all over the map. The high level sound bites include a median annualized cost of $5.9 million from “cyber crime,” whatever that means. The range of annualized losses goes from $1.5 to $36.5 million. That’s a pretty wide range, eh? His numbers are up fairly dramatically from last year, which plays into the story that things are bad and getting worse. Unsurprisingly, that’s good for generating FUD (Fear, Uncertainty, and Doubt). And that’s what we need to keep in mind about these surveys. Being right is less important than telling a good story, but we’ll get to that. Let’s contrast that against Verizon Business’s 2011 DBIR, which used 761 data points from their own data, data from the US Secret Service, and additional data from Dutch law enforcement as a supplement. 761 vs 50. I’m no mathematician, but which data set sounds more robust and representative of the overall population to you? Even better is one of Larry’s other findings, which I include in its entirety because it must be seen to be believed. The most costly cyber crimes are those caused by malicious code, denial of service, stolen or hijacked devices and malicious insiders. These account for more than 90 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM and enterprise GRC solutions. Really? Mitigation of malicious code attacks requires SIEM and GRC? Maybe I’m splitting hairs here, but this kind of absolute statement make me nuts. The words matter. I understand the game. Ponemon needs to create some urgency for ArcSight’s prospects to justify the report, so throw a little love at SIEM and GRC. Rock on. Yeah, the cynic is in the house. This statement is then justified by some data that says surveyed customers using SIEM lost on average 25% less than those without SIEM. Those folks with SIEM were able to detect faster and contain more effectively. Which is true in my experience. But only if the company makes a significant and ongoing investment. Right – to the tune of millions of dollars. I wonder if any of those 50 companies had, let’s say, a failed SIEM implementation? Were they counted in the SIEM bucket? Again, let’s not confuse correctness of the data with the story you need to tell to do your job. That’s the value of these reports. They provide data, that is not your own, allowing you to tell a story internally. Lord knows our organizations want to see hard costs, showing real losses, to justify continued spending on security. This is the same message I deliver with our Data Breaches presentation. The data doesn’t matter – the story does. A key skill for any management position is the ability to tell a story. In the security business, our stories must paint a picture of what can happen if the organization takes its eyes off the ball. If the money is spent elsewhere and the flanks are left unprotected. Understand that your VP of Sales is telling his/her story, about how further investment in sales is important. VPs of manufacturing tell stories about the need to upgrade equipment in the factories, and so on and so forth. So your story needs to be good. Not all of us are graced with a breach to create instant urgency for continued security investment. Though if you believe Ponemon’s data, fewer and fewer escape unscathed each year. So you need to create your own story – preferably leveraging another organization’s pain rather than your own. In this case, the empirical correctness of the data isn’t important. It’s how the data allows you to make the points you need. Share:

Share:
Read Post

Fact-Based Network Security: Defining ‘Risk’

As we mentioned when introducing this series on fact-based network security, we increasingly need to use data to determine our priorities. This enables us to focus on activities that will have the greatest business impact. But that begs the question: how you determine what’s important? The place to start is with your organization’s assets. Truth be told, importance and beauty are both in the eye of the beholder, so this process challenges even the most-clued in security professionals. You will need to deal with subjectivity and the misery of building consensus (about what’s important), and ultimately the answer will continue to evolve in light of the dynamic nature of business. But you still need to do it. You can’t spend a bunch of time protecting devices no one cares about. But it’s always good to start conversations with a good idea of the answer, so we recommend you start by defining relative asset value. We have long held that estimating (value = purchase price + some number you make up – depreciation) is ridiculous. We haven’t stopped many folks from doing it, but we’ll just say there isn’t a lot of precision in that approach, and leave it at that. So what to do? Let’s get back to the concept of relative, which is the key. A reasonable approach would be to categorize assets into a handful of buckets (think 3-4) by their importance to the business. For argument’s sake we’ll call them: critical, important, and not so important. Then spend time looking through the assets and sorting them into those categories. You can use a quick and dirty method of defining relative value which I first proposed in the Pragmatic CSO. Ask a few simple questions of both yourself and business leadership about the assets… What does it cost us if this system goes down? This is the key question, and it’s very hard to get a precise answer, but try. Whether it’s lost revenue, or brand impact, or customer satisfaction, or whatever – push executives to really help you understand what happens to the business if that system is not available. Who uses this system? This is linked to the first question, but can yield different and interesting perspectives. If five people in Accounting use the system, that’s one thing. If every employee on the shop floor does, that’s another. And if every customer you have uses the system, that would be a much different thing. So a feel for the user community can give you an idea of the system’s criticality. How easy are the assets to replace? Of course, having a system fail is a bad thing, but how bad depends on replacement cost. If your CRM system goes down, you can go online to something like Salesforce.com and be up and running in an hour or two. Obviously that doesn’t include data migration, etc. But some systems are literally irreplaceable – or would require so much customization as to be effectively irreplaceable – and you need to know which are which. Understand you will to need to abstract assets into something bigger. Your business leadership doesn’t have an opinion about server #3254 in the data center. But if you discuss things like the order management system or the logistics system, they’ll be able to help you figure out (or at least confirm) relative importance of assets. With answers to those questions, you should be able to dump each group of assets into an importance bucket. The next step involves evaluating the ease of attacking these critical assets. We do this to understand the negative side of the equation – asset value to the business is the positive. If the asset has few security controls or resides in an area that is easy to get to (such as Internet-facing servers), the criticality of its issues increases. So when we prioritize efforts, we can factor in not just the value to the business, but also the likelihood of something bad happening if you don’t address an issue. By the way, try to keep delusion our of this calculation. It’s no secret that some parts of your infrastructure receive a lot of attention and protection and some don’t. Be brutally honest about that, because it will enable you to focus on brittle areas as needed. Like the asset side, focus on relative ease of attack and the associated threat models. You can use categories like: Swiss cheese, home safe, bank vault, and Fort Knox. And yes, we are joking about the category names. You should be left with a basic understanding of your ‘risk’. But don’t confuse this idea of risk with an economic quantification, which is how most organizations define risk. Instead this understanding provides an idea of where to find the biggest steaming pile of security FAIL. This is helpful as you weigh the inflow of events, alerts, and change requests in terms of their importance to your organization. And keep in mind that these mostly subjective assessments of value and ease of attack change – frequently. That’s why it’s so important to keep things simple. If you need to go back and revisit the priorities list every time you install a new server, the list won’t be useful for more than a day. So keep it high level, and plan to revisit these ratings every month or so. At this point, we need to start thinking about operational metrics we can/should gather to guide operations based on outcomes important to your business. That’s the subject of our next post. Share:

Share:
Read Post

Incite 8/3/2011: The Kids Are Our Future

The Boss and I have been getting into Fallen Skies lately. Yeah, it’s another sci-fi show with aliens trying to take down the human race and loot our planet for our resources. They’d better hurry up, since there may not be much left when the real aliens show up, but that’s another story. In the last episode we saw, the main guy (Noah Wyle of ER) made the point that our kids are our future, and we need to keep them safe. That thought resonates with me, and thankfully I’m not dealing with aliens trying to make them into drugged-out slaves. We are dealing with a lot of bad stuff that can happen online. The severity of the issue became very apparent to me in the spring, when XX1 made a comment about playing some online card game. My spidey sense started tingling, and I went into full interrogation mode. Turns out she clicked on some ad on one of her approved websites, which then took her to some kind of card game. So she clicked on that and started playing. And so on, and so on. Instantly I checked out the machine. Thankfully it’s a Mac and she can’t install software. I did a full cleaning of the stuff that could be problematic and then had to have that talk about why it’s bad to click ads on the Internet. We then talked a bit about Google searches, checking out images, and the like. But in reality, I didn’t have much clue of where to start and what to teach her. So I asked a few friends what they’ve done to prepare their kids for the online world. Yep – I got the same quizzical stare I saw in the mirror. That’s why I’m getting involved in the HacKid conference. Chris Hoff (yes, @beaker himself) started the conference in Boston last October, and there will be conferences in San Jose (Sept 17/18) and Atlanta (Oct 1/2) this year. HacKid is not just about security, by the way. It’s about getting our kids (ages 5-17) excited about technology, with lots of intro material on things like programming and robotics and soldering and a bunch of other stuff. Truth be told, orchestrating HacKid is a huge amount of work. Thankfully we’ve got a great board of advisors in ATL to help out, and I know it will be time well spent. I’m confident all the kids will gain some appreciation for technology, beyond the latest game for them to play on the iPad. I also have no doubt they’ll learn about about how to protect themselves online, which is near and dear to my heart. But most of all, I can’t wait to see that look of wonder. You know, when you think you’ve just seen the coolest, most amazing thing in the world. Hoff said there was a lot of that look in Boston, and I can’t wait to see it in Atlanta. Remember, the kids are our future and this is a great place to start teaching them about the role technology will play in their future. Registration is open for the Atlanta conference, so check it out, bring your kids, get involved, and reap the benefits. See you there. -Mike Photo credits: “Play, kids, learn, Mill Park Library, Yarra Plenty Library service” originally uploaded by Kathyrn Greenhill Incite 4 U Shopping list next: I can imagine it now. I’ll get the grocery list via text from the Boss, and then the follow up. “Don’t forget the DDoS, that neighbor is pissing me off again.” According to Krebs, it’s getting easier to buy all sorts of cyber attacks. Even down to a kit to build your own bot army. Can you imagine the horse trading that will happen on the playground with our kids? It’ll be like real-life Risk, with the kids trading 10,000 bots in India for 300 credit card numbers. Law enforcement seems to be getting better at finding and stopping these perps, but it’s still amazing how rapidly the cybercrime ecosystem evolves. – MR Don’t call it a comeback. Call it Back to FUD: Stuxnet is making a comeback?. Seriously Mr. McGurk? Does this mean we need to disconnect our uranium centrifuges from that Windows 98 machine I use to fuel my personal reactor? So if I see you at Black Hat, don’t hesitate to tell me I’m glowing. Does this mean we patch our OS and update our AV signatures? Or are you predicting 4 new 0-days we need to prepare for? Does it mean pissed-off US government employees foreign governments are going to attack the US infrastructure? Or are you asking for all public infrastructure to be rearchitected and redeployed? Oh, wait, it’s budget time – we need to get our FUD on. – AL Do they offer gardening in the big house? Looks like the good guys bagged one of anonymous/LulzSec’s top dogs, Topiary. This 18-year-old plant was hiding out in his folks’ basement in rural Scotland. Of course the spin unit of anon has jumped into gear and is talking about the inability to arrest an idea. That’s true, but a few more high-profile arrests (and they are coming) and we’ll see how willing these cloistered kids will be to give up their freedom. Rich tweeted what a lot of us think. These are a bunch of angry kids, who probably got bullied in schools and are now turning the tables. But they barked up the wrong tree by antagonizing governments and law enforcement. We’ll see how well they do in jail, where the bullies are much different. – MR Who’s afraid of the big, bad (cloud security) wolf?: Vivek Kundra is saying that cloud security fears are overblown and that the US government is not afraid of public cloud infrastructure. From our research I believe both these statements are absolutely correct! Cloud infrastructure is neither more nor less secure that traditional IT infrastructure – it all depends upon how you deploy,

Share:
Read Post

Words matter: You stop attacks, not breaches

Every so often, the way security marketeers manipulate words to mislead customers makes me cringe. I’m not going into specifics because that isn’t the point. I just want to clear up some terminology that many security companies misuse, which really makes them look silly. For example, security companies (who will remain nameless) have talked about how they could have stopped the RSA breach, if only you used their widget, device, god-box and/or holy grail. But this seems to require violation of the space/time continuum. Either that or Dr. Brown is at it again and the DeLorean hit 88 mph. Breaches happen only when data is actually lost. At least that’s how I define a breach. If the attack is not successful, it’s not a breach. It’s just an attack. Yes, I’m splitting hairs, and maybe these are my own definitions. Maybe we can come up with a standard definition for the term. A breach involves data loss, not the potential for data loss, right? The words matter. I’m a writer, and a big part of the Securosis value proposition is cutting through the crap and telling you what’s real and important. We pride ourselves on vilifying marketing buffoonery, mostly because we all deserve better. Come to think of it, I also object to the idea that any technology is going to “render the APT useless.” Yes, I took that right off a vendor’s invitation to a webcast. I have to wonder how they do that. Given that persistent attackers are, well, persistent. Maybe the vendor in question could have stopped the specific attack launched against RSA. But I assure you they cannot stop every attack. Therefore, they are not rendering much of anything useless. Except maybe their own credibility. Having spent quite a while in a VP Marketing role, I understand the game. The vendors need to rise above the noise and create a reason for a prospect to engage. So they manipulate words and don’t say anything that is provably incorrect, but the words sure are misleading. They count on the great unwashed not understanding the difference, and cash the check long before the customer has a chance to realize they just installed modern-day snake oil in their networks, on their endpoints, and in their data centers. We deserve better. Where is the Straight Talk Security Express when you need it? Oh yeah, that didn’t work out to well for Senator McCain either, did it? Yes I know. I’m tilting at windmills again. Dreaming the impossible dream. Sancho just gave me that “you’re an idiot” look again because this won’t change anything. The marketers will make their technology seem much bigger than it is. The sales folks will promise users that their products will actually solve whatever problem you have today. The customers will smile, write more checks, and wonder why their customer database keeps showing up on grey market sites in Estonia. It’s the game. I get it. But some days it’s harder to accept than others. This is one of those days. Guess it’s time to get back on my meds. Photo credit: [Don Quixote and Sancho Panza] originally uploaded by M Kuhn Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.