Securosis

Research

RSA Guide 2011: Security Management and Compliance

Security Management Compliance is still driving most of what happens from a management standpoint, which is why have a specific compliance section below. On the security management front, there was still plenty of activity in 2010. But most customers continued to feel the same way: underwhelmed. It’s still very hard to keep control of much of anything, which is problematic as the number of devices and amount of sensitive data grow exponentially. Good times. Good times. What We Expect to See There are a couple areas of interest at the show for security management: The (Not) Easy Button: Given the absolutely correct perspective of customers that security management is too complex, difficult, ponderous, and lots of other negative descriptors, we expect vendors to focus on ease of use for many of these security management tools (especially SIEM/Log Management). Don’t believe them. They continue to sell false hope. To be fair, the tools are much improved. Interfaces are better. User experience is tolerable. But it’s still not easy. 
So spend some time in the booth checking out interfaces. How you set up rules, analyze data, and generate reports. Make the demo dude go into excruciating detail on how things really get done with the tool. Remember, anything you select, you will need to live with. So do your homework and choose wisely. The next act for scanners: Vulnerability management is so 2005. But tack on some kind of cloud stuff and it’s, uh, 2007? The new new shiny object is configuration auditing/policy compliance. Which actually makes sense because you need to scrutinize the device to check for vulnerabilities, so why not just assess the configuration while you are at it. And just as with vulnerability scanning, the question will be whether you do it on-site or via a cloud service. Or both, because we expect most vendors to offer both. MSS comes of age: The good news is that folks finally realize it’s not novel to monitor firewalls or IPS themselves, and combined with consolidation of pretty much all the big players, this means MSS isn’t a big deal anymore. So the big vendors with big booths will be talking about their monitoring (and even management) services. If you still have 5 folks parsing firewall alerts, check out these offerings. At minimum it will be interesting to get a sense of how efficiently you do things internally. Just make sure you understand exactly what the service and support model is, because when alerts start firing you don’t want to be dialing the main number of a $100 billion telco. Start-up X, a Big IT company: Big IT, with its big management stacks and big professional services teams, will be at RSAC in force. Maybe they’ll even have a story for how all the crap they’ve bought over the past year makes Big IT finally relevant in the security space. You’ll see HP and IBM (and EMC and Cisco and Juniper) in 5-6 different booths each, because companies they acquired had already committed to exhibit in this year’s show. They should have one of those passport programs, just to make sure you visit all their booths to win an iPad or something like that. Compliance Compliance isn’t merely a major theme for the show, it’s also likely the biggest driver of your security spending. But that doesn’t mean folks don’t want to minimize the cost and hassle of compliance, so scope reduction will be a major theme that we hear throughout the show. While there’s no such thing as a compliance solution, many security technologies play major roles in helping achieve and maintain compliance. What We Expect to See With compliance we will see a mix of regulation-focused messages and compliance-specific technologies: PCI & Tokenization: The Payment Card Industry Data Security Standard (PCI-DSS) is the single regulation that generates the most attention, and a lot of the growth for security and compliance spending. And frankly, especially within the retail and finance verticals, companies are looking to reduce costs and minimize PCI audits. It’s viewed as little more than a tax on the business so they want to at least reduce — if not eliminate — the expense. At the show this year, we expect you’ll hear and see a lot about tokenization. This approach substitutes credit card numbers stored at a merchant site with a harmless, well, token. It only represents the credit card transaction, so a stolen token cannot be used to commit fraud. At the show, focus on the sessions where savvy users talk about how they reduce the scope of PCI audits along with the associated costs of securing credit card data using this approach. While only a handful of tokenization vendors will be at the show, many of the payment processors have partnered with technology providers to offer tokenization as a managed service. Expect to see plenty of interest and discussion on this topic, and long lines at select vendor booths. There’s an App for That: Expect to see vendors offer neat iPhone and iPad apps for their management and reporting products. Sure, reports and dashboards are popular with vendors because they bring the eye candy sales teams want to demonstrate product value. But what’s cooler than a fancy dashboard? A fancy new iPhone. Put the two together and it’s like two great eye-candies that go great together! It’s going to be a big hit. Not just because anyone really wants to take that FISMA report with them in their pocket; it’s because IT, sales, and marketing all secretly lust after the new toy. It’s the thought of catching a spring training game while configuring SIEM policies. Does it make you more productive? Maybe. But having your IT products running on the toy justifies the purchase of both. Yeah, anywhere, anytime access is pretty cool too, but it’s like getting two for one. Expect to see this everywhere! GRC Oopsie: Last year we expected to see a lot of collateral about GRC: Governance, Risk, and Compliance. And we

Share:
Read Post

See Securosis @ RSA Conference 2011

We keep pretty busy schedules at RSA every year. But the good news is we do a number of speaking sessions and make other appearances throughout the week. Here is where you can find us: Speaking Sessions DAS-106: Everything You Ever Wanted to Know about DLP – Rich (Tuesday, Feb 15, 1pm) CLD-108: Private and Government Sectors: Why are Agencies Hesitant to Adopt Cloud? – Rich moderates (Tuesday, Feb 15, 3:40pm) DAS-203: Cutting through the Data Loss Prevention Confusion: DLP Myths Busted – Rich (Wednesday, Feb 16, 11:10am) P2P-203A: Evolving Perimeter(s): Protecting the Stuff That’s Really Important – Mike (Wednesday, Feb 16, 11:10am) BUS-303: Putting the Fun in Dysfunctional – How the Security Industry Really Works – Rich and Mike (Thursday, Feb 17, 11:10am) AND-304: Agile Development, Security Fail – Adrian (Thursday, Feb 17, 1pm) EXP-402: Cloudiquantanomidatumcon: The Infra/Info-Centric Debate in the Cloud – Rich and Chris Hoff (Friday, Feb 18, 10:10am) Other Events e10+: Rich and Mike are the hosts and facilitators for the RSA Conference’s e10+ program targeting CISO types. That’s Monday morning from 8:30 to noon. America’s Growth Capital Conference: Mike will be moderating a panel on the future of network security at the AGC Conference with folks from Cisco, Juniper, Palo Alto, Packet Motion, and Fidelis. This session is Monday at 2:15pm. Security Blogger Meet up: Securosis will be at the 4th annual Security Blogger Meet up at the classified location. You need to have a blog and be pre-registered to get in. Disaster Recovery Breakfast: Once again this year Securosis will be hosting the Disaster Recovery Breakfast on Thursday, Feb 17 between 8 and 11 with help from our friends at Threatpost and Schwartz Communications. RSVP and enjoy a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up. Holding court at the W: If you are up for late night hijinx – and like to laugh at stumbling, bumbling security industry folks – show up at the W’s lobby bar after the parties break up. It’s always a good time and you are very likely to see one or all of us Securosis folks there getting into trouble. And accepting drink donations. Fortinet Panels: Mike will also be moderating the Security Mythbusting: Blowing up the Security Hype panels at Fortinet’s booth (#923) Tuesday and Wednesday from 1:30-2pm. Travel safe and we’ll see you at RSA… Share:

Share:
Read Post

Incite 2/9/2011: Loose Lips Sink Ships

I think we’ve taken this instant gratification thing a bit too far. Do you remember in the olden days, when you didn’t know what you were getting for your birthday? Now we get no surprises, pretty much as a society. The combination of a 24-hour media cycle, increasingly outsourced manufacturing, and loose lips ensures that nothing remains a secret for long. I remember the day IBM announced the hostile acquisition of Lotus back in 1994. I was at META at the time, and we were hosting a big conference of our clients. No one knew the deal was coming down and there was genuine surprise. We had a lot to talk about at that conference. Nowadays we hear about every big deal weeks before it hits. Every layoff. Every divestiture. It’s like these companies have their board rooms bugged. Or some folks in these shops have loose lips. And what about our favorite consumer gadgets? We already know the iPad 2 isn’t going to be much of an evolution. It’ll have a camera. And maybe a faster processor and more memory. How do we know? Because Apple has to make millions of these things in China ahead of the launch. Of the 200,000 people who work in that factory, someone is going to talk. And they do. Probably for $20. Not to mention all the companies showing off cases they needed a head-start on. So there is no surprise about anything in consumer electronics anymore. But this weekend I hit my limit. You see, I love the Super Bowl. It’s my favorite day of the year. I host a huge party for my friends and I like the commercials. You always get a chuckle when you see a great commercial. It’s a surprise. Remember the Bud Bowl? Or Jordan and Bird’s shooting contest? Awesome. But no more surprises. I saw a bunch of the commercials on YouTube last week. You have to love VW’s Darth Vader commercial, but the novelty had worn off by the time the game started. I know you try to create buzz by moving up your big reveal (it’s been happening at the RSA Conference for years), but enough is enough. We try to teach the kids the importance of keeping secrets. We talk freely in our house (probably a bit too freely) and we’ve gotten bitten a few times when one of the kids spill the beans. But they are kids and we used those experiences to reinforce the need to keep what someone tells you in confidence. But they are in the middle of a world where no one can keep a secret. Which once again forces us to hammer home the age-old refrain: “Do as we say, not as they do…” And no, I’m not telling you about our super sekret project. Unless you are from the WSJ, that is. -Mike Photo credits: “Loose Lips” originally uploaded by fixedgear Big Head Alert Well, it wasn’t enough for me to offer up free refreshments to those meeting up at the Security Blogger’s Party at RSA, in exchange for a vote for most entertaining blog. But the accolades keep rolling in. Yours truly has been nominated for the Best Security Blogger award by the fine folks at SC Magazine. I’m listed with folks like Hoff (does he even blog anymore?) and Bruce Schneier, so I can’t complain. Although the Boss did call the handyman this morning – it seems we need a few doors expanded in the house for my expanding head. Yes, I’m kidding. I’m fortunate to surround myself with people who remind me of my place on the totem pole every day. Yeah, the bottom. I’ll be the last guy to say I’m the best at anything, but I certainly do appreciate being noticed for doing what I love. You can vote. And no, I haven’t contracted with RSnake to game the vote. Not yet, anyway. Incite 4 U PR writing a check your defenses can’t cash: That title came from a Twitter exchange I had earlier this week about the HBGary Federal hack. Basically the CEO of this company talked smack about penetrating and exposing a hacker group and… wait for it… lo and behold they eviscerated him. As Krebs describes, it was a good hack. These Anonymous guys don’t screw around. And that’s the point. Just like our friend the World’s #1 Hacker, if you talk smack you will get hurt. The folks from HBGary are very smart. And even if they could detonate malware (using their own damn device), a determined attacker will find your weak spot. And more often than not it’s the human capital who drinks your coffee, uses your toilet paper, and maybe even gets something done, sometimes. So basically here is a message to everyone out there: STFU. These stupid PR games and testosterone-laden boasts of hacking this or hacking that show you as nothing more than a “big hat, no cattle” hacker. The folks who really can don’t have to talk about it. And odds are they’ll stay anonymous. – MR The Endpoint Is the Network: One of the wacky things about cloud computing is that it royally screws up so many of the existing security controls. Network monitors, firewalls, vulnerability assessment, and even endpoint agent management all sort of go nuts when you start moving machines around randomly in the fluff of the cloud. To work consistently your security controls need to track the virtual machines, no matter where they pop up. I’m just getting caught up, but CloudPassage looks interesting. It uses an agent and security management plane to consistently apply controls as machine instances move around, even in hybrid models. Yes, we now have to dump everything back into the endpoint we built all that ASIC-based hardware for. Sorry. – RM Looking in the Mirror: Rocky DeStefano posted a nice table of common SIEM evaluation criteria on the visiblerisk blog. This is a handy set of RFI questions that companies looking to

Share:
Read Post

RSA Guide 2011: Endpoint Security

In 2010, there was broad acknowledgement that most of the endpoint protection deployed was more about passing PCI (yes, it’s still a requirement) than actually stopping attacks. Unfortunately, at the show we’ll continue to hear about all the advances happening in malware detection, and we’ll laugh again. The traditional signature-based model is broken, no matter how many clouds we see inserted into the mix. But with the AV cash cow continuing to moo uncontrollably, the industry will continue trying to convince customers to maintain their investments. So the real question is: who will show some type of innovation in terms of endpoint malware detection. Anyone? Anyone? Bueller? Bueller? What We Expect to See There are some areas of interest at the show for endpoint security: You get what you pay for (or do you?): Given the clear issues around endpoint malware detection, we’ll be hearing a lot from the Free AV crowd. They’ll be talking about the hundreds of millions of folks who use the free engines, just before they try to upsell you to their paid offerings. The reality is that you need management, because these tools involve deploying software agents to many endpoints. But you should pay the least amount possible. So see who seems the hungriest on the show floor. If they aren’t foaming at the mouth, they likely aren’t hungry enough to win your business. Cloudy with a chance of hyperbole: You will also hear a lot about cloud signatures and crowd sourcing to address the limitations of the traditional AV signature model. To be clear, moving a lot of signatures to the cloud is a good thing. But it’s not an answer. The model of matching bad stuff is still broken, and no amount of cloudy stuff will change that. The idea of crowd sourcing is interesting so check out the folks, like Sourcefire/Immunet and Webroot/PrevX, who are doing this in practice. Ask them how they shorten the window from the time an issue is discovered to distributing an update to the rest of the network. This is yet another option to keep the broken AV model running a bit longer. AWL MIA: What you probably won’t see a lot of is application white listing (AWL). Why? Because the technology remains a niche. It is a core aspect of our Positivity security model, but both perception and reality are still slowing deployment of AWL. Not that the handful of vendors offering these solutions won’t be trying to make some noise. But they have no chance to stand out against the status quo, which represents billions in revenue and spends like drunken sailors at RSA. But this remains an important technology, so you should search out the vendors who offer it and learn how they are working to address the deployment and scaling issues. Signs of the iPocalypse: You will see a lot of vendors giving away iPads and iPhones. Why not? If you don’t have one, you want one. If you already have one, you want another one. Or ten. But the reality is these devices are big, and consumerization is taking root. That means you need to figure out how to control them. OK, maybe not control, but at least manage. So check out the configuration management folks and those with specific mobile technologies to reign in the chaos. OK, maybe not reign in, but at least ensure that when they get lost (and they will), you won’t be in career jeopardy. Man(ning) up: One of the other major stories in 2010 was WikiLeaks, spearheading by Bradley Manning, your friendly neighborhood data leaker. So you’ll hear a lot of vendors talking about the importance of controlling USB ports and doing content control/analysis on the endpoint. Try to figure out how they scale. Try to understand how they classify sensitive data and actually do anything without killing the performance of the endpoint. Yeah, it would be good to figure out whether and how they can play nice with any DLP/device control technologies you already have implemented. We’ve hit the halfway point in our RSA Guide posts. I know you are waiting with baited breath for the Virtualization and Cloud section, but patience is a virtue. That post will be up later today. Share:

Share:
Read Post

RSA Guide 2011: Key Themes

OMG, it’s 6 days and counting to the 2011 RSA Conference. Yes, they moved the schedule up a few months, so you now can look forward to spending Valentine’s Day with cretins like us, as opposed to your loved ones. Send thank-you notes to… But on to more serious business. Last year we produced a pretty detailed Guide to the Conference and it was well received, so – gluttons for punishment that we are – we’re doing it again. This week we’ll be posting the Guide in pieces, and we will distribute the final assembled version on Friday so you can download it and get ready for the show. Without further ado, here is the key themes part of our Guide to RSA Conference 2011. RSA Conference 2011: Key Themes How many times have you shown up at the RSA Conference to see the hype machine fully engaged on a topic or two? Remember how 1999 was going to be the Year of PKI? And 2000. And 2001. And 2002. So what’s going to be news of the show this year? Here is a quick list of some key topics that will likely be top of mind at RSA, and why you should care. Cloud Security – From Pre-K to Kindergarten Last year you could count real cloud security experts on one hand… with a few fingers left over. This year you’ll see some real, practical solutions, but even more marketing abuse than last year. Cloud computing is clearly one of the major trends in enterprise technology, and woe unto the vendor that misses that boat. But we are only on the earliest edge of a change that will reshape our data centers, operations, and application design over the next 10 years. The number of people who truly understand cloud computing is small. And folks who really understand cloud computing security are almost as common as unicorns. Even fewer of them have actually implemented anything in production environments (something only one of our Securosis Contributors has done). The big focus in cloud security these days is public Infrastructure as a Service offerings such as Amazon EC2 and Rackspace, due to increasing enterprise interest and the complexity of the models. But don’t think everyone is deploying all their sensitive applications in the cloud. Most of the bigger enterprises we talk with are only at the earliest stages of public Infrastructure as a Service (IaaS) projects, while a lot more use of “private clouds”. Medium-size and small organizations are actually more likely to jump into public cloud because they have less legacy infrastructure and complexity to deal with, and can realize the benefits more immediately (we’re sure glad we don’t need our own data center). It’s important to separate a trend from its current position on the maturity curve – cloud computing is far from being all hype, but we’re still early in the process. Before hitting the show, we suggest you get a sense of what cloud projects your organization is looking at. We also recommend taking a look at the architectural section of the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing and the Editorial Note on Risk on pages 9-11 (yes, Rich wrote this, and we still recommend you read it). On the security front, remember that design and architecture are your friends, and no tool can simply “make you secure” in the cloud, no matter what anyone claims. For picking cloud sessions, we suggest you filter out the FUD from the meat. Skip over session descriptions that say things like, “will identify the risks of cloud computing” and look for those advertising reference architectures, case studies, and practical techniques (don’t worry, despite the weird titles, Rich includes those in his cloud presentation with Chris Hoff). With the lack of standardization among cloud providers, and even conflicting definitions among organizations as to what constitutes “the cloud”, it’s all too easy to avoid specifics and stick to generalities on stage and in marketing materials. Cloud security is one of our technology areas, so we’ll cover specific things we think you’ll see later in this guide. We are also running the (sold-out) inaugural Cloud Security Alliance training class the Sunday before RSA, and Rich is moderating a panel on government cloud and speaking with the always-entertaining Chris Hoff on cloud security Friday. The Economy Sucks Less – What now? The last few years have been challenging. For one, success has involved keeping yourself and your team employed. It’s not like you had a lot of extra funds lying around, so many projects kept falling off the list. So you tried your best to do the minimum and sometimes didn’t even reach that low bar. Nice-to-have became not-gonna-happen. But now it looks like things are starting to recover a bit. Global stock markets, which tend to look 6 months ahead, are expecting strong growth, and many of our conversations with end users (both large and small) tend to indicate a general optimism we haven’t seen in quite a while. To be clear, no one (certainly not us) expects the go-go days of the Internet bubble to return any time soon – unless you run a mobile games company. But we do think the economy will suck less in 2011, and that means you’ll need to start thinking about projects that have fallen off the plate. Such as: Perimeter renewal: Many organizations let the perimeter go a bit. So it’s overgrown, suboptimal, and not well positioned to do much against the next wave of application and targeted attacks. One project to consider might be an overhaul of your perimeter. Or at minimum, start moving to a different, more application-aware architecture to more effectively defend your networks. At RSAC, you’ll hear a lot about next generation firewalls, which really involve building rules based on application behavior rather than just ports and protocols. At the show, your job will be to determine what is real and what is marketing hyperbole.

Share:
Read Post

RSA Guide 2011: Network Security

2010 was an interesting year for the network security space. There has been a resurgence in interest and budget projections for spending, largely for perimeter security. Part of this is a loosening of the budget purse strings, which is allowing frustrated network security folks to actually start dreaming about upgrading their perimeters. So there will be plenty of vendors positioning to benefit from the wave of 2011 spending. What We Expect to See There are four areas of interest at the show for network security: Next Generation Firewall: Last year we talked about application awareness as absolutely critical to the next wave of network security devices. That capability — to build policies based on applications and users, rather than just ports and protocols — has taken the name next generation firewall. Unless a vendor has no interest in the enterprise market, they will be touting their next generation wares. Some of these will be available exclusively on slide decks in the booth, while other vendors will be able to show varying levels of implementation. While you’ve got an SE at your disposal at the show, ask them some pointed questions about how their application categorization happens and what the effective throughput is for their content oriented functions. It should be pretty clear to what degree their gear is next-generation, or if it’s really just an IPS bolt-on. More marketecture: As these new generation capabilities start to hit, they present the opportunity for a fairly severe disruption in the status quo of vendor leadership. So what do the incumbents do when under attack, without a technical response? Right, they try to freeze the market with some broad statement of direction that is light on detail and heavy on hyperbole. It wouldn’t surprise us to see at least one of the RSA keynoters (yeah, those who pay EMC $250K for the right to pontificate for an hour) talk about a new initiative to address all ills of everything. Virt suck: The good news is that a bunch of the start-ups talking about virtualization security hit the wall and got acquired by big network security. So you probably won’t see many folks talking about their new widget to protect inter-VM network traffic. What you will hear is every vendor on the floor playing up the advantages of their shiny new virtual appliances. It’s just like the box you pay $50K for, but you get to use your own computing power in a horribly wasteful fashion. You know how attractive it is to slice out a chunk of your computers to run IPS signatures. It’s like these folks want to bring us back to 1995 and because it runs on ESX, it’s all good. Not so much. Full packet capture maturing: Yes, this is a carry-over from last year. The fact remains that we still have a lot of work to do in order to streamline our incident response processes and make them useful. So you’ll see folks stacked up to learn about the latest and greatest packet capture and the associated analysis. These tools are now starting to bring some cool visualization and even malware analysis to the table. Check them out because as the market matures (and prices come down), this is a technology you should be looking at. Later today we’ll be posting the sections on Email/Web Content Security, as well as Data Security. So stay tuned for that… Share:

Share:
Read Post

You Made Your Bed, Now Sleep in It

Twitter exploded last night with news that the self-proclaimed world’s #1 hacker’s email and Twitter accounts were compromised. Personally, the amount of time that good people spend feeding that troll annoys me. Which is why I’m not mentioning his name. Why give him any more SEO points for acting poorly? Since the beginning of time there have been charlatans, shysters, and frauds; this guy is no different. Major media outlets are too dumb and lazy to do the work required to vet their experts, so they respond to his consistent PR efforts. Whatever. But let’s deal with the situation at hand because it’s important. First off, if you bait a lion, you shouldn’t be surprised when you get eaten. Tell me you were surprised when Roy got mauled by his white tiger. I was more surprised it took that long. In other words, live by the sword, die by the sword. And clearly that is the case here. Now there are 4gb of email and other sensitive files in the wild, and this guy’s closet will be opened for all to see. And there are skeletons in there. To be clear, this is wrong. The attackers are breaking the law, but it’s hard to feel bad for the victim. His sophomoric threats, frivolous lawsuits, and intimidation games probably worked OK in the schoolyard, but in the real world – not so much. It’s your bed, now you get to sleep in it. Second, if you know you are a target, why would you leave a huge amount of sensitive documents in an email store on a publicly accessible server? I read a Tweet that said his email was at GoDaddy. Really? And isn’t the first rule of email that it’s not a file store? I know we all probably violate that dictum from time to time, but to have financial records, account numbers, and legal filings in your email box? Come on, now! Basically, I suspect there is stuff there that could put our victim in the big house for a long time. Again, you made the bed, now sleep in it. We take ridiculous security precautions for a 3-person company. It’s actually a huge pain in the ass. And we are fully cognizant that at some point we will likely be breached. Crap, if it can happen to Kaminsky it can happen to us. So we don’t do stupid things. Too often. And that really is the lesson here. Everyone can be breached, even the world’s #1 hacker. Share:

Share:
Read Post

Incite 2/2/2011: The End of Anonymity

“Hi Mike, how are you this morning?” When I heard those words I instinctively checked over my shoulder, since no one really calls me by name in any of the coffee and bagel shops I frequent. And that is intentional. I like to be the nondescript guy who may look familiar, but you don’t know from where. I don’t do small talk, and if I’m in a very good mood, maybe you’ll get a smirk. Other than that, I’m just the guy with his head down, inhaling coffee, and banging away at his Mac. Part of this is the security mindset. I vary my patterns and try to blend in. You never know when that hit team will be after you, so I don’t want to be a soft target. I’m also mostly anti-social. Sure, I turn it on for a few events a year, but truth be told, I’m like most of you. Introverted and happy to do my thing and not engage in small talk about stuff I mostly don’t care about. Unless I’m talking to you, then I’m very interested. Really. So once I realize the gig is up and they know who I am, my mind goes into response mode. I start thinking about extraction of the threat and how to eliminate any forensics trail. I’m sure the CSI team in my city is top notch. I’m evaluating locations for my Dexter-style kill room. I’m thinking of where I can get those rolls of plastic, and it’s time for a new reciprocating saw anyway, so my old trusty saw will do just fine. But then I realize being friendly isn’t a capital offense, so I’ll have to let it slide. This time. It turns out the staff at the bagel shop aren’t the only folks recognizing me. I had a guy come up to me in Starbucks and basically introduce himself because he’s seen me a number of times over the past few weeks. Another one who has to disappear? Of course, I recognized him too, since I pay attention to stuff like that. He rotates the stores he goes to as well. Not because he’s a paranoid security guy or socially inept, he just has various meetings around town and it’s convenient. So I guess the gig is up. I guess after living in ATL over six years and being in coffee shops 3-4 times per week, I can no longer slip entirely under the rader. Is it time for a change in behavior? Maybe smile a bit and even make conversation? Yeah, not so much. I can get comfortable with some level of recognition, but being friendly? Homey don’t play that. Mike Photo credits: “Anonymous is Friendly?” originally uploaded by liryon CCSK Training @ RSA Going to RSA? Interested in proving your cloud competency? Then you may be interested in the CCSK (Certificate of Cloud Security Knowledge), offered by the Cloud Security Alliance. We have partnered with the CSA to build a full-day training session to make sure you are ready to pass the test. The maiden voyage of this course will be Feb 13, the day before RSA. The training program costs $400, which includes a token to take the test (which costs $295 otherwise). So basically, you can spend a day with the Securosis team for $100. Let’s just say that’s a fair bit below our normal rates. And we are cutting off registration at 30, so you’ll get personal attention, whether you want it or not. We have a handful of slots left, so sign up now. Incite 4 U Groundhog Security Day: Love this obvious observation from Julie Starr on the reality that the more things change, the more they stay the same. Wait, a persistent attacker? Yes, we’ve seen this movie before and as Rich says, we aren’t going to change human behavior. Bad guys will find ways to do bad things. N00bs will continue to think they can win. One step above n00bs, folks will think they can protect something a persistent attacker wants. And the rest of us need to continue reminding these folks of the reality of our predicament. To answer Julie’s question on whether we’ve made progress, I’d say we have. Security is top of mind for most. That doesn’t mean it’s easy, or that we get what we want, or all our users any smarter. It just means organizations are now making conscious decisions to ignore security. And most are no longer blissfully unaware. No, it’s not where we want to be, but it’s still progress from where we were. – MR Open sourced: Apparently the source code of the KLAVA AV engine created by Kaspersky Labs was leaked to the Internet. Kaspersky is downplaying the report, saying it’s only a fragment of code, and it’s from 2008. But when you are talking about the core of a processing engine, 2,000 lines of C++ code is a lot and it’s pretty important. It’s very unlikely, given Big AV’s focus on adding features and researching new signatures, that the current engine has been fundamentally altered from the leaked version. To say it another way, there is a reasonable likelihood this is close to current production code. Will it affect the business? No. Existing customers pay for the signatures and all the other crap that goes along with an endpoint suite nowadays. The bulk of development costs go into research, so this is likely to have no effect on the business. Knowing how the processing engine works shouldn’t help attackers circumvent AV, so it’s pretty much “no harm, no foul”. – AL Getting real doesn’t make crap products work: I’m a big fan of MacGyver, so when I saw an article on a MacGuyer approach to security, I was intrigued. Some aspects of Richard Rushing’s approach are good. Especially the idea of “faster ways to detect and seal the vulnerabilities”, say the React Faster and Better guys. But the idea of “real” AV, IDS/IPS, and firewalls

Share:
Read Post

Intel’s Red Herring

It’s time for a good old fashion beatdown. Personally I’m working hard on not overreacting to stuff and letting most annoyances (which would normally set me off) pass on by. But sometimes, you know, a purge is required. It kind of reminds me of that great scene in 48 Hours, where Nick Nolte tells Eddie Murphy to be cool when they enter a bar to question someone. Nolte then proceeds to tear the place apart and when Murphy says “I thought you said to be cool,” the response is “That was cool.” Sometimes it’s cool to swing the clue bat. The target of my Louisville Slugger is this nonsense from Justin Rattner of Intel about a new technology that will be able to stop 0-day attacks. There are lots of smart people at Intel, who very well may have come up with something novel. But don’t waste our time until you can talk about it. Why? Because it’s useless to dangle yet another carrot in front of a disillusioned and frustrated security community. You don’t look smart – you look like an ass to us security folks. You read the article and thought the same thing: Another damn vendor is going to ride in on yet another horse and make our problems go away. Let’s just say security folks have heard this story before. Pretty much every year there is a new shiny object positioned as the answer to all our problems. There is a whole lot of security technology roadkill, now swept under the carpets, that made the same claim. Sorry, Intel. Your technology is not the answer. Unless it involves disconnecting all those PCs or phones or tablets or smart TVs from the network. Your suppositions and empty claims are insulting to all the folks who work their asses off every day to keep the attackers out of the crap that you and Microsoft have been shoving up our asses for the last twenty years. And one other thing, Intel: you are in the process of trying to acquire McAfee. One widespread concern is that an Intel + McAfee combination would provide an unfair advantage in the security market by bundling security into chips. So to go out and say you’ve got some new technology that you can’t talk about, which may or may not involve McAfee’s stuff, a few months before the deal closes, seems pretty stupid to me. Good thing I’m not an EU anti-trust official, eh? Let’s just say that if the deal closes, I hope our friends at McAfee teach you Intel folks a little bit about the security mindset. We security folks don’t believe you. Show us, don’t tell us. Prove that it can stop 0-day attacks. Let smart folks try to break it. Until then, you are just the latest in a long line of posers that have promised the world and ultimately delivered nothing. Share:

Share:
Read Post

Incite 1/25/2011: The Real-Time Peanut Gallery

For those of you who are not American Football fans, we’re in the middle of the playoffs over here. Teams work all year to get into the tournament and secure a high seeding. And of course the best laid plans sometimes end up at the wrong end of a blowout (yes, ATL Falcons, I’m talking about you). This past week’s NFC Championship provided a lot more drama than in the past, and not because it was a competitive, exciting game. Instead it was the reaction from all sorts of folks when Chicago’s QB, Jay Cutler, was taken out the game with an alleged knee injury. It did seem kind of strange, with Cutler walking around on the sideline. How hurt could he be? In years past, the commentators and analysts would weigh in and focus on the game. But the game has clearly changed. Lots of folks chimed in on Twitter and in blogs about how hurt (or not) Cutler was. Some NFL players called him a wimp. Some questioned his heart. All in real time. And even better, without any real information from which to judge. You don’t need no stinking proof. Guys in testosterone overload talked smack about needing to be taken off the field on a stretcher before they’d leave a championship game. The chatter around the news has actually become the news, which is rather weird. The past 48 hours haven’t been about how Chicago played the game or even the Packers trip to the Super Bowl after sliding into the tournament as #6 seed. It was about Cutler. Now he’s got to defend whether he should have been playing on a Level 2 MCL sprain (which is really a tear). Welcome to the Real Time generation. Who needs proof? There’s tweeting to do! We see this in security as well. You have folks live tweeting conference presentations, and half the time in meetings during their work days. I hear about stupid clients and funny jokes, in real time. This is both good and bad. I used to judge my pitches based on heads nodding and how many folks came up after the session and chatted. At least now I know where I stand. If I suck, someone in the crowd has tweeted it. Why have an off-day with 100 folks, when you can be laid bare to the entire Twitterverse? Likewise, if I’m killing it, I get that feedback right when I step off the stage. Fortunately I haven’t gotten so wrapped up around this real time feedback that once I’m done I defer real life conversation to re-tweet flattering comments. Though Rich has been known to use Twitter for Q&A when he moderates panels. I’m still trying to calibrate the true effect of this real-time communication, but I have time. Real time isn’t going away anytime soon. -Mike Photo credits: “Pile of Peanuts” originally uploaded by falcon1961 Last Call. Vote for Me. Is it too late to grovel? I think you can still vote for the Social Security Blogger Awards. The Incite has been nominated in the Most Entertaining Security Blog Category. My fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. Help a brother out with a vote. If I win, Swedish pumps for all! Yeah, baby! Incite 4 U Trojan opens the malware umbrella: It seems the Trojan man has upped the ante in the latest round of malware punch/counter-punch. Cloud AV helps leverage reputation and a much broader library of bad stuff to detect, and dramatically improves effectiveness to still pretty crappy. So it’s not surprising that bad guys would just block calls to any external service from the AV client. It’s no different than when some malware uninstalled other root kits. Once a machine is owned, why wouldn’t they install the software they want and disable stuff they don’t? Even worse, it’s not clear how the AV vendors can block this behavior. Any ideas? – MR A little security theater on the way out: Back in 2005 when the FFIEC told banks they had to start using two-factor authentication, the industry responded with one of the most impressive acts of security theater I’ve ever seen. Instead of giving us all tokens or linking our accounts to text messages on our phone, they used these idiotic browser/system detection technologies that are effectively worthless. But according to my former colleague Avivah Litan in this NetworkWorld article, the FFIEC might be correcting their mistake. Get ready for the screaming from both banks and consumers, but this one could tighten the window the bad guys have to drain your account once they grab your credentials. – RM Scratching Bottom: When I used to develop software, prior to release I would do a sanity check of the publicly exposed methods in my code to determine my “threat surface”. More to the point, what interfaces would attackers target, and which methods in particular could expose functions or data critical to the system? It’s a rather myopic programmer’s view of attack surface, but addressed the parts I was most interested in and the components under my control. When Microsoft announced the Attack Surface Analyzer last week I was somewhat non-plussed, as their tool focuses on “classes of security weaknesses as applications are installed on the Windows operating system”. As a developer my responsibility was the top of the stack, not the bottom. Sure, I might be responsible for Apache `httpd` and the database, but not the platform nor other supporting applications. But security of the platform matters – even if attack surface analysis of the OS is not part of your SDL/release management process. Tools like Threat Surface Analyzer would be handy to `diff` revisions over time so you could confirm applications and OS configurations are what you expect. Most IT admins have tools that verify application sets, and others to verify configuration and patch settings, but this is a different

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.