Research

Based on the comments in my last post on DAM, especially the one from Mike Spiers, I want to make it clear that if you are performing Database Activity Monitoring it should be owned and managed by security. It’s fine for DBAs to manage regular database auditing (unless they’re the auditing target), but DAM is a security-specific tool whose primary benefits are to create separation of duties (from the DBAs) and to give security insight into the database. You might need DBAs to get it integrated with the database and confirm performance, but that’s where their involvement stops. Share:

I’m heading out to San Mateo and possibly Palo Alto next week, with a couple openings Thursday afternoon if anyone is around. Share:

Back in the comments to one of my posts on Database Activity Monitoring, Rani asked the question of who should own DAM? I’m going to expand the question to cover all of database security. This is a pretty tough question we can take in a couple of directions. Out at Oracle OpenWorld last week it was pretty clear that database professionals and security professionals don’t overlap nearly as much as we really need for efficient database security. It’s not a failing of any particular group, just the reality that people who do different jobs have different skill sets, even when they come from the same background. Come January I’ll be having an orthopedic surgeon fixing my bum shoulder, not my dermatologist. Security experts don’t necessarily know the difference between DML or DDL, or how to write an outside join, just as DBAs don’t necessarily know the difference between AES and 3DES. Eventually we’ll have a growing cadre of security-aware DBAs and database-aware security professionals. Until then we need to slice up the functions a bit and I highly recommend cross-training when you can. I’m not saying that long term we’ll have some uber-DBA/security experts running all database security without outside influence, but some of the functions might consolidate a bit once those skills are easier to find. Here’s how I slice it: DBAs are responsible for secure design and configuration of the database management system. A security architect can assist with security design review, but this is an ideal area to increase the security knowledge of the DBA. IT Security performs configuration and vulenrability scanning of the database. Results are passed to the database team for remediation, and if a policy violation can’t be fixed for some operational reason, security and the database team need to come up with a joint risk remediation plan that’s documented as an exception. Native database auditing is the responsibility of the DBAs. Management of those logs can be either security or the database team, depending on the purpose of the logs. If separation of duties is required, security becomes responsible for log aggregation and maintenance. Database Activity Monitoring is another joint process. DBAs are involved with the installation, database-side configuration, and maintenance of any database-resident components. Security owns the DAM tool and its ongoing operation. For this to work well, someone on the security team needs basic database training. In summary, DBAs are responsible for securely designing and configuring their systems, and installing and locally managing (just to keep them running) any database-resident security components that affect the database. Security is responsible for external monitoring and ongoing scanning of deployed systems. This creates a good separation of duties and allows each side to do what they’re best at. It relies on any DBA-installed components sending regular health checks/heartbeats back to security to make sure they aren’t disabled. I realize cross-team responsibilities like this can be difficult, but I don’t see any other better approach. In some cases I’ve seen someone on the database team be designated as being responsible for database security, but just remember you’ll lose separation of duties if that individual also has operational database duties. Share:

As most of you have probably figured out by now I tend to expend a lot of hot air trying to define DLP/CMF/CMP (Data Loss Prevention, Content Monitoring and Filtering, or Content Monitoring and Protection). I often take vendors to task for abusing the terms, since they are just increasing market confusion. As Rothman points out it won’t be me, or any particular vendor, that really defines DLP. Only the market defines the market, although some of us influential types occasionally get to nudge it in our preferred direction. While I took Postini/Google to task for calling regular expressions on a single channel (email) DLP, the dirty little secret of DLP is that probably 80-90% of deployments today rely mostly, or totally, on regex for content analysis. Barely anyone deploys the fancy advanced features that I spend so much time talking about, and that the vendors spend so much time developing. So why do I spend so much time fighting for the purity of DLP? It’s because most organizations, in the long run, will only get a fraction of the value of their investment in terms of risk reduction and operational efficiencies without us pushing the products forward with new features and more advanced analysis. But if all you want to do is detect on credit card and Social Security Numbers, and you find that the false positives are manageable, something with a regex engine is probably good enough for you. At least for now. Share:

Apple just released an update to Leopard, version 10.5.1. The support document says the following: Addresses a code signing issue; third-party applications can now run when included in the Application Firewall or when whitelisted in Parental Controls. In Security preferences’ Firewall tab, the “Block All” option is now called “Allow Only essential services” Well, I suppose that’s some kind of progress. At least it’s labelled accurately. I’ve been really slammed this week, but Chris and I should have the instructions for using WaterRoof in combination with our template ipfw rule set and the Application Firewall soon (hopefully today). I’ve tested the update and the application firewall still signs applications, but instead of just failing to launch modified applications, we’re now prompted to allow access manually again if they change. Code signing can be rough because of issues like this, and I think the prompt is a reasonable solution. However, I would prefer it to say, “This application has been modified since its last use; please click to allow network access” so we know that it’s a real change to the application and not just a random prompt to approve again. In a separate document, Apple details some additional security updates to the application firewall. Most notably, the firewall will now block processes running as root if you specify them in the application firewall. Based on these updates I’m now running the application firewall with ipfw, and will try and get those instructions posted soon. Not that any of this matters much since there are no network attacks on Macs in the wild right now, but we all know that can’t last… Share:

While I was off traveling, Martin posted the latest episode of the Network Security Podcast. Rather than posting the show notes here, I’d like to redirect you to our new site: NetSecPodcast.com. This is where we’ll be posting all the show notes, taking feedback on episodes, and posting any content and updates directly related to the show. This week we covered a few quick issues, then we spent 10 minutes playing Mystery Science Theater on Martin’s very first episode. Oh, I didn’t mention this is the 2 year anniversary of the show? Congrats Martin, and thanks for bringing me on- hopefully I’m not dragging the show down too fast… Share:

I’ve been invited to give the keynotes at both the SANS Data Leakage Summit and the Mobile Encryption Summit. Both are at the Dolphin hotel at Disney in Orlando. The DLP event is on December 3rd and 4th, and the encryption event on the 5th and 6th. Here’s my affiliate link to SANS if you’re interested in the events. At the DLP event I’ll be presenting Three Steps To Selecting A DLP Product And The Top Five Features To Look For. I’ll also be releasing Understanding And Selecting A Data Loss Prevention Solution as a white paper, which will also be distributed online by SANS and sponsored by Websense. Over at the encryption event I’m presenting Understanding and Preventing Data Breaches. It’s a general presentation, not specific to just encryption. These conferences are designed for those in the planning or implementation phases for DLP or mobile encryption. There are a couple of presentations like mine, but most of the event is panels with users with real experience using the products. As a preview, here’s a QuickTime movie of the DLP pitch’s opening. I hope to see you there… Share:

I was quite bemused today to read this article in NetworkWorld that Google’s Postini is jumping into DLP. Google”s Postini division today announced that its e-mail-content-filtering service has been enhanced to detect “logical expressions,” such as credit-card data and Social Security numbers. … Adam Swidler, Postini senior product manager, says the e-mail security service includes filtering of more “sophisticated expressions” that extend beyond Postini”s earlier limits to keywords. “This is for compliance and content-policy management, with content-based inspection for inbound and outbound traffic,” he says. “Today it’s for companies using Gmail, but we expect to extend this to instant messaging, the Web and the rest of Google Apps, like Google Spreadsheets.” I don’t see why they can’t just call it regular expressions like everyone else. This is a great example of a vendor hopping on the bandwagon by adding a small part of DLP functionality to a product line. Knowing the problems even established, dedicated DLP vendors have with false positives I suspect this will be a bit more challenging than Google/Postini realizes. Not that a basic DLP feature or two don’t have value in lower-risk environments; something as basic as this might work for some of you out there, as long as you manage your expectations. If anything, I think this, combined with the Vontu acquisition, might finally nudge DLP to the peak of the Hype Cycle. Share:

I’ll be on the “Threats Jeopardy” panel at 11:15 over in Yerba Buena Theater. Meetings are booked up for the day, but I’ll be back in the area on the 29th. Share:

Amrit Williams dropped a post on some of the new cases, and new penalties, for certain kinds of cybercrime. In it he states: The risk/reward for committing cybercrime is shifting, which will not result in less cybercrime only more sophisticated criminal activity. So more evidence that hostile actors will become more organized, more sophisticated, and much harder to detect with traditional security measures. I tend to agree slightly- as you raise the stakes the potential reward needs to increase at least proportionally to the risk, but Amrit’s missing the main point. Mike Rothman gets us closer: … but I’m not sure they are going to behave differently whether they are subject to 10 years or 3 years in the pokey. Whether the fine is $250,000 or $10 million. I don’t know much, but I suspect that most bad guys don’t want to get caught. … The folks know what’s at stake, but they don’t think they’ll be caught. And there’s the rub. The biggest penalties in the world are totally ineffective as a deterrent if they aren’t enforced. From compliance, like PCI, HIPAA, and SOX, to cybercrime, a law isn’t a law until someone goes to jail for it. Rothman nails it- right now the bad guys act with near impunity because they know the odds of getting caught are low. If all we do is improve enforcement of existing laws, and learn how to better enforce cybercrime laws across international boundaries (that’s a biggie) we’ll do FAR more to reduce cybercrime than increasing the penalties. Share: