Research

There are a lot of things I love about working for myself, but I have to admit sometimes it’s hard to keep everything balanced. For a while there I was taking whatever work came in the door that aligned with my goals and didn’t violate my objectivity requirements. Needless to say, the past few months have been absolutely insane; deadline after deadline, 2-3 trips a month, and a heck of a lot of writing. The upside is I’m ahead on my goals for the year. The downside, other than a little stress, is that I haven’t been able to keep the content on the blog up as high as I’d like. How can I tell? This is part 3 of my series on Database Activity Monitoring, and I last posted part 2 in the beginning of November. Oops. With that mea culpa out of the way (assuming Jews are allowed to mea culpa), let’s jump back in to DAM. Part 1 Part 2 Today we’re going to start on the basic characteristics of the central management server, including aggregation and correlation and policy creation. Tomorrow (for real) we’ll cover alerting, workflow, and reporting. Aggregation and Correlation The one characteristic Database Activity Monitoring solutions share with log management or even Security Information and Event Management (SIEM) tools is the ability to collect disparate activity logs from a variety of database management systems. Where they tend to exceed the capabilities of these related technologies is their ability to not only aggregate, but to normalize and correlate events. By understanding the Structured Query Language (SQL) of each database platform, they can interpret queries and understand their meanings. While a simple SELECT statement might mean the same thing across different database platforms, each database management system (DBMS) is chock full of its own particular syntax. A DAM solution should understand the SQL for each covered platform and be able to normalize events so the user doesn’t necessarily need to know the ins and outs of each DBMS. For example, if you want to review all privilege escalations on all covered systems, the DAM solution will recognize those events regardless of platform and present you with a complete report without you having to understand the SQL. A more advanced feature is to then correlate activity across different transactions and platforms, rather than just looking at single events. For instance, smart DAM tools can recognize a higher than normal transaction volume by a particular user, or (as we’ll discuss in policies) tie in a privilege escalation event with a large SELECT query on sensitive data, which could indicate an attack. It also goes without saying (but I’ll say it anyway) that all activity is centrally collected in a secure repository to prevent tampering or a security incidents involving the repository itself. Since you’ll be collecting a massive volume of data, your DAM tool needs to support automatic archiving. Archiving should support separate backups of system activity, configuration, policies, alerts, and case management. Policy Creation One of the distinguishing characteristics of Database Activity Monitoring tools is that they don’t just collect and log activity, they analyze it in real time for policy violations. While still technically a detective control (we’ll talk about preventative deployments later), the ability to alert and respond in practically real time offers security capabilities far beyond simple log analysis. Successful, loss-bearing database attacks are rarely the result of a single malicious query- they involve a sequence of events leading to the eventual damage. Ideally, policies will be established to detect the activity early enough to prevent the final loss-bearing act. Even when an alert is triggered after the fact, it supports immediate incident response and investigation far sooner than analysis days or weeks later. Policies fall into two basic categories, and I’m sure some of the engineers working on these products will drop additional options down in the comments: Rules-based: Specific rules are set up and monitored for violations. They can include specific queries, result counts, administrative functions (new user creation, rights changes), signature-based SQL injection detection, UPDATE or other transactions by users of a certain level on certain tables/fields, or any other activity that can be specifically described. Advanced rules can correlate across different parts of a database or even different databases, adjusting for data sensitivity based on DBMS labels or through registration in the DAM tool. Heuristic: The DAM solution monitors database activity and builds a profile of “normal” activity. Deviations then generate policy alerts. Heuristics are complicated and take proper tuning to work effectively. They are a good way to build a base policy set, especially with complex systems where manually creating deterministic rules by hand isn’t realistic. Policies are then tuned over time to reduce false positives. For well-defined systems where activity is pretty standard, such as an application talking to a database using a limited set of queries, they are very useful. Heuristics, of course, fail if you profile malicious activity as known good activity. The more mature a solution, the more likely it is to come with sets of pre-packaged policies. For example, some tools come with pre-defined policies for standard deployments of databases behind major applications, like Oracle Financials or SAP. Yes, you’ll have to tune the policies, but it’s far better than starting from scratch. Pre-built policies for PCI, SOX, and other generic compliance requirements may need even more tuning, but will help you kick start the process and save many hours of custom policy building. Policies should include user/group, source/destination, and other important contextual options. Policies should also support advanced definitions, like complex, multi-level nesting and combinations. Ideally, the DAM solution will include policy creation tools that limit the need to write everything out in SQL or some other definition language. Yes, you can’t avoid having to do some things by hand, but basic policies should be as point-and-click easy as possible. For common kinds of policies, like detecting privileged user activity or count thresholds on sensitive data, policy wizards are extremely useful. Content-Based

Per requests from a few people, and no one has complained about the move yet. 6 PM at Furio in Old Town Scottsdale. Share:

A short piece I wrote for Network World just went up today. “Avoiding data-loss prevention pitfalls”. What are the barriers to DLP? I’ve heard it can take a lot of time and the costs add up. Is there a way to get around this? It’s always daunting to consider deployment of a new security technology, but with the proper preparation Data Loss Prevention (DLP) is less painful to deploy than many of our other tools. The keys to a successful DLP deployment are setting the right expectations, proper planning during the selection process, and a controlled roll-out. It’s pretty basic, and won’t be any surprise to anyone who has read my DLP whitepaper. Thanks to Reconnex for passing on the article slot… (and no, they didn’t pay me for it). < p style=”text-align:right;font-size:10px;”>Technorati Tags: Dat Loss Prevention Share:

It’s no surprise that I’m a big fan of Microsoft’s Trustworthy Computing Initiative- something I was skeptical of when it was first announced. MS proved me wrong, and years later we’ve seen a very positive impact. Vulnerabilities are down, response times are up, and products ship in more secure configurations. Yes, they still screw up every now and then, but it’s overall been a huge improvement. Just because I don’t like to use Vista doesn’t mean I don’t appreciate all the security work that went into it, and let’s not forget all the benefits across the rest of the product line. Go count SQL Server 2005 vulnerabilities if you want any proof. You’ll only need one hand, and you’ll have 4 fingers left over (5, if you really look where the vuln came from). If MS buys Yahoo! and implements TCI, the impact could be enormous. Google isn’t doing a very good job of managing security issues, and if these things hit a certain point they could affect user behavior. Realistically it will take 3-5 years for the full implications of TCI to affect any product line, but we’ll see incremental improvements fairly quickly. Yahoo!’s security track record isn’t all that bad to start with, and I much prefer their privacy policy over Google’s. Should Microsoft! use security for competitive advantage (and it work), we can expect Google to respond fairly quickly. They aren’t stupid, and if security affects business they will get on the ball immediately. None of this, of course, will come to pass if market forces don’t place a priority on security. It doesn’t even need to be a top priority, just somewhere moderately high on the list. There could also be peripheral benefits to a major Web 2.0 company building the tools, techniques, and education for secure coding. My guess? Nothing earth shattering, but if the deal goes through there will be a net security benefit substantial enough that we’ll all be referring back to it in our blog posts in 5 years. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Application security, Microsoft, Yahoo! Share:

Securosis is in possession of damning documentation that proves, without a doubt, that John Moltz of Crazy Apple Rumors has taken control of all Macs through his ingenious use of the, “woe is me, I lost my funding, come to my site and cry your goodbyes” scam. We also possess genealogical evidence, provided by the Mormon church, proving that Motz is the bastard artificial child of John Gruber and Dave Maynor. During the infamous Black Hat Mac hacking incident, Maynor and Gruber were simultaneously drugged by Steve Ballmer and their genetic material was sampled. Ballmer then broke into a lab used by the Gates Foundation for malaria research and combined the genes to produce the ultimate Mac security threat. A snippet of a secret email sent by Ballmer reveals his evil plot: By combining the most hated OS X security researcher with the most beloved Mac enthusiast into a mindless creature under my control I will infiltrate the Apple community and use that trust to install a devastating trojan on all Macs, everywhere. We will final[sic][hic] wipe out Apple and control the hearts and minds of the world. BWAHAHAHAHAHAHA! Moltz, obeying the commands of his master in Redmond, used jokes blatantly stolen from Fake Steve Jobs (also a Ballmer creation) to draw humor-starved Mac enthusiasts to CARS. He then installed exploit code on CARS for an 0day Safari vulnerability and announced his so-called “break” to draw sufficient traffic to pass the critical threshold for his malicious software to achieve self-propagation. The code has since become self aware, joining with the Storm Worm and Facebook. It is expected to cross over into the mosquito population within weeks, overtaking bird flu as the greatest threat to humanity. Moltz is also responsible for global warming, and a kitten dies every time he laughs. … (For those who don’t know, CARS is going on hiatus and is a great loss to the tech community. It only linked to Securosis once, but that still drives more traffic than anything I write on enterprise security. We’ll miss ya John. Please start drinking heavily again so we get our daily laugh.) Share:

This week’s question in our Ask Securosis series moves past a technology question into the realm of management and statistical research. Scott asks: … It seems that the companies Jason identified in his study have become the most productive in their industry sectors by streamlining, removing wasteful process, empowering staff, etc. (scary prospects for security professionals). Obviously, there is a cross-over point, of sorts, where this starts to impact information security in a way that puts them at risk for a big set-back that was just hadn’t happened yet. I’d really like to find any references to studies regarding how “good security” positively or negatively impacts long term productivity. We security geeks have a gut feel that it has a positive effect, if done right. But we need data to prove it. In all your market research experience have you come across any such studies, and do you feel they provide solid evidence or arguments for the case of Security vs. Productivity? If you don’t know of any, then chances are that there aren’t any well documented ones. Since I don’t have the resources to do this kind of study myself, I’m thinking of approaching a university business school to see if they can do a follow-up study on the companies Jason found, and look at their records on security. Or I guess I could try to ask the author himself. I think this is a key issue for managers struggling to understand the trade-offs in security: how much productivity will they be foregoing if they commit to a real security initiative. I’d like to explore this idea more to help them understand the impacts. No, I’m not aware of any study linking security with productivity metrics. Or even correlating highly productive companies with their security postures. Since I can’t point you in the right direction to get the answer you’re looking for, I’ll focus on providing a few aspects to look at if you do decide to link up with a university and perform a proper study. My gut feeling is there is an empirical problem in attempting a study like this. While we can accurately measure the productivity impact of certain security controls, correlating that to the additional risk exposure would, by nature, involve introducing risk metrics that are neither as precise nor as accurate as those measuring productivity. Risk measurements in infosec involve the use of estimates that don’t accurately reflect the full financial exposure of insufficient controls. We can never fully measure losses or potential losses, thus the numbers will be oranges to the apples of productivity measurements. The result ensures it’s nearly impossible to use these measurements to balance security vs. productivity, and depending on how the numbers skew we will draw the wrong conclusions. For example, they may show that passwords hurt productivity by X dollars, and security risk drops by an estimated Y dollars, with said estimate being nearly impossible to calculate accurately. We might end up thinking that because we’ve never had a system compromised due to a weak password, we don’t need them at all. Okay, an extreme example, so here are a few ideas on how I’d look at the research. Ideally I would try and find two organizations with equally good productivity, but variable security. If we can normalize enough of the variables, and find a big enough sample set, that gives us a good macro view on any causality. We might also look at a very productive company vs. a very secure company that isn’t productive. Good luck finding that. But I think what you really want to do is devise a model to determine the productivity impact of potential security controls, not just security in general. You should be able to measure that for any specific security control as long as you have a corresponding measurement of productivity. You should then map in estimates of risk measurements to make a decision. Otherwise, nearly everything will reduce productivity, but the corresponding risk might exceed acceptable tolerance. Also, this should take into account any alternative controls that achieve the same goal, with a lower productivity impact. And that control impact varies over time. At this point we’ve just created enough complexity that measuring the performance impact of a security control is now greater than the performance impact of said control. My advice? We spend more time identifying the most efficient ways to be secure with the least performance impact. Share:

Websense posted a replay link for my webcast on DLP. Here ya go… Share:

Last week I gave a webinar on database security for ZDNet, sponsored by Oracle. We had an exceptionally good turnout and ran a couple of polls during the session. Oracle just posted the results on a new security blog they’ve set up. One of the questions was on data masking, something we’ve discussed here before. I asked the audience how many actively performed data masking within their organizations. We got a great response, with a sample size of 139. Not huge, but still somewhat statistically significant. Most organizations don’t data mask, and of those that do, only a combined 13% have a formalized program. No surprises, but it’s nice to see it in some real numbers. And don’t forget data masking law number 5. Here’s the obligatory pretty picture, and you can still replay the session over at ZDNet. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Data, Data Masking, Database Security, Oracle, Survey Share:

I got a few emails from people asking to push SunSec up to next week due to upcoming travel, conferences, and training. Plan is for Wednesday night, the 6th, back at Furio. Email me at rmogull@securosis.com if that won’t work for you, and please spread the word… Share:

While I sometimes get annoyed with various security technologies, there are very few I consider to be complete snake oil. However, those remote “data destruction” tools or “Lojack for laptops” are complete crap when it comes to security. Absolute bullshit, and I don’t use language like that here very often. They might have some value in recovering the physical asset, but as this case shows they sure as hell won’t protect you from a data breach: Horizon Wednesday said it has notified about 300,000 of its members of the potential compromise of their personal information following the theft of a laptop containing the data on Jan 5. A security feature on the stolen laptop automatically deleted all of the confidential information on Jan. 23, a company spokesman said. But it is not clear whether the thief who stole the computer accessed the data on the system before then, he said. The data on the laptop was unencrypted but password-protected. I guarantee you’ll see some of these companies at the next security conference you go to. If you want to use them to help with physical recovery, that’s fine. But for data security? No fracking way. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Data Breach, Laptop Encryption Share: