Research

Rich here, Yep, it looks very likely my personal data is now in the hands of China, or someone pretending to be China, or someone who wants it to look like China. While I can’t go into details, as many of you know I’ve done things with the federal government related to my rescue work. It isn’t secret or anything, but I never feel comfortable talking specifics because it’s part-time and I’m not authorized to represent any agency. I haven’t been directly notified, but I have to assume that any of my records OPM had, someone… else… has. To be honest, based on what details have come out, I’d be surprised if it wasn’t multiple someone elses – this level of nation-state espionage certainly isn’t limited to any one country. Now, on the upside, if I lose my SSN, I have it backed up overseas. Heck, I’m really bad at keeping copies of all my forms, which I seem to have to resubmit every few years, so hopefully whoever took them will set up a help desk I can call to request copies. I’d pay not to have to redo that stuff all over. Like many of you, my data has been breached multiple times. The worst so far was the student health service at the University of Colorado, because I know my SSN and student medical records were in that one (mostly sprained ankles and a bad knee, if you were wondering – nothing exciting). That one didn’t seem to go anywhere but the OPM breach is more serious. There is a lot more info than my SSN in there, Including things like my mother’s maiden name. This will hang over my head for the rest of my life. Long beyond the 18 months of credit monitoring I may or may not receive. I’m not worried about a foreign nation mucking with my credit, but they may well have enough to compromise my credentials for a host of services. Not by phishing me, but by walking up the long chain of identity and interconnected services until they can line up the one they want. I am now officially a security risk for any organization I work with. Even mine. And now on to the Summary… We are deep into the summer, with large amounts of personal and professional travel, so this week’s will be a little short – and you probably already noticed we’ve been a bit inconsistent. Hey, we have lives, ya know! Webcasts, Podcasts, Outside Writing, and Conferences Rich’s webinar for Adallom on managing SaaS There might be more, but GoGo on this flight is terrible, and I can’t perform a news search. Securosis Posts My 2015 Personal Security Guiding Principles and the New Rand Report. Incite 6/10/2015: Twenty Five. Threat Detection Evolution: Why Evolve? [New Series]. Contribute to the Cloud Security Alliance Guidance: Community Drives, Securosis Writes. Network Security Gateway Evolution [New Series]. We Don’t Know Sh–. You Don’t Know Sh–.. Research Reports and Presentations Endpoint Defense: Essential Practices. Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications. Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Top News and Posts Major zero-day security flaws in iOS & OS X allow theft of both Keychain and app passwords Hard to Sprint When You Have Two Broken Legs Second OPM Hack Revealed: Even Worse Than The First Report: Hack of government employee records discovered by product demo How I Learned to Stop Worrying and Embrace the Security Freeze Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks Courts docs show how Google slices users into “millions of buckets” Factory Reset On Millions of Android Devices Doesn’t Wipe Storage Share:

In 2009, I published My Personal Security Guiding Principles. They hold up well, but my thinking has evolved over six years. Some due to personal maturing, and a lot due to massive changes in our industry. It’s time for an update. The motivation today comes thanks to Juniper and Rand. I want to start with my update, so I will cover the report afterwards. Here is my 2015 version: Don’t expect human behavior to change. Ever. Simple doesn’t scale. Only economics really changes security. You cannot eliminate all vulnerabilities. You are breached. Right now. In 2009 they were: Don’t expect human behavior to change. Ever. You cannot survive with defense alone. Not all threats are equal, and all checklists are wrong. You cannot eliminate all vulnerabilities. You will be breached. The big changes are dropping numbers 2 and 3. I think they still hold true, and they would now come in at 6 and 7 if I wasn’t trying to keep to 5 total. The other big change is #5, which was You will be breached. and is now You are breached. Why the changes? I have always felt economics is what really matters in inciting security change, and we have more real-world examples showing that it’s actually possible. Take a look at Apple’s iOS security, Amazon Web Services, Google, and Microsoft (especially Windows). In each case we see economic drivers creating very secure platforms and services, and keeping them there. Want to fix security in your organization? Make business units and developers pay the costs of breaches – don’t pay for them out of central budget. Or at least share some liability. As for simple… I’m beyond tired of hearing how “If company X just did Y basic security thing, they wouldn’t get breached that particular way this particular time.” Nothing is simple at scale; not even the most basic security controls. You want secure? Lock things down and compartmentalize to the nth degree, and treat each segment like its own little criminal cell. It’s expensive, but it keeps groups of small things manageable. For a while. Lastly, let’s face it, you are breached. Assume the bad guys are already behind your defenses and then get to work. Like one client I have, who treats their entire employee network as hostile, and makes them all VPN in with MFA to connect to anything. Motivated by Rand The impetus for finally writing this up is a Rand report sponsored by Juniper. I still haven’t gotten through the entire thing, but it reads like a legitimate critical analysis of our entire industry and profession from the outside, not the usual introspection or vendor-driven nonsense FUD. Some choice quotes from the summary: Customers look to extant tools for solutions even though they do not necessarily know what they need and are certain no magic wand exists. When given more money for cybersecurity, a majority of CISOs choose human-centric solutions. CISOs want information on the motives and methods of specific attackers, but there is no consensus on how such information could be used. Current cyberinsurance offerings are often seen as more hassle than benefit, useful in only specific scenarios, and providing little return. The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm. A cyberattack’s effect on reputation (rather than more-direct costs) is the biggest cause of concern for CISOs. The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk. In general, loss estimation processes are not particularly comprehensive. The ability to understand and articulate an organization’s risk arising from network penetrations in a standard and consistent matter does not exist and will not exist for a long time. Most metrics? Crap. Loss metrics? Crap. Risk-based approaches? All talk. Tools? No one knows if they work. Cyberinsurance? Scam. Overall conclusion? A marginally functional shitshow. Those are my words. I’ve used them a lot over the years, but this report lays it out cleanly and clearly. It isn’t that we are doing everything wrong – far from it – but we are stuck in an endless cycle of blocking and tackling, and nothing will really change until we take a step back. Personally I am quite hopeful. We have seen significant progress over the past decade, and I fell like we are at an inflection point for change and improvement. No Related Posts Share:

This week we start one of the cooler projects in the history of Securosis. The Cloud Security Alliance contracted Securosis to write the next version of the CSA Guidance. (Okay, the full title is “Guidance for Critical Areas of Focus in Cloud Computing”). The Guidance is a foundational document at the CSA, used by a ton of organizations to define security programs when they start jumping into the world of cloud. It’s currently on version 3, which is long in the tooth, so we are starting version 4. One of the problems with the previous version is that it was compiled from materials developed by over a dozen working groups. The editors did their best, but there are overlaps, gaps, and readability issues. To address those the CSA hired us to come in and write the new version. But a cornerstone of the CSA is community involvement, so we have come up with a hybrid approach for the next version. During each major stage we will combine our Totally Transparent Research process with community involvement. Here are the details: Right now the CSA is collecting feedback on the existing Guidance. The landing page is here, and it directs you to a Google document of the current version where anyone can make suggestions. This is the only phase of the project in Google Docs, because we only have a Word version of the existing Guidance. We (Securosis) will take the public feedback and outline each domain for the new version. These will be posted for feedback on GitHub (exact project address TBD). After we get input on the outlines we will write first drafts, also on GitHub. Then the CSA will collect another round of feedback and suggestions. Based on those, we will write a “near final” version and put that out for final review. GitHub not only allows us to collect input, but also to keep the entire writing and editing process public. In terms of writing, most of the Securosis team is involved. We have also contracted two highly experienced professional tech writers and editors to maintain voice and consistency. Pure community projects are often hard to manage, keep on schedule, and keep consistent… so we hope this open, transparent approach, backed by professional analysts and writers with cloud security experience, will help keep things on track, while still fully engaging the community. We won’t be blogging this content, but we will post notes here as we move between major phases of the project. For now, take a look at the current version and let the CSA know about what major changes you would like to see. Share:

Once again we have a major security story slumming in the headlines. This time it’s Hackers on a Plane, but without all that Samuel L goodness. But what’s the real story? It’s time to face the fact that the only people who know are the ones who aren’t talking, and everything you hear is most certainly wrong. Watch or listen: Share:

Rich here. As a redhead (what little is left) I have spent a large portion of my life answering questions about red hair. Sometimes it’s about pain tolerance/wound healing (yes, there are genetic differences), but most commonly I get asked if the attitude is genetic or environmental. You know, the short temper/bad attitude. Well, here’s a little insight for those of you that lack the double recessive genes. Yesterday I was out with my 4-year-old daughter. The one with the super red, super curly hair. You ever see Pixar’s Brave? Yeah, they would need bigger computers to model my daughter’s hair, and a movie projector with double the normal color gamut. In a 2-hour shopping trip, at least 4 people commented on it (quite loudly and directly), and many more stared. I was warned by no less than two probable-grandmothers that I should “watch out for that one… you’ll have your hands full”. There was one “oh my god, what wonderful hair!” and another “how do you like your hair”. At REI and Costco. This happens everywhere we go, all the time. My son also has red hair, and we get nearly the same thing, but without the curls it’s not quite as bad. I also have an older daughter without red hair. She gets the “oh, your hair is nice too… please don’t grow up to be a serial killer because random strangers like your sister more”. At least that’s what I hear. Strangers even come up and start combing their hands through her hair. Strangers. In public. Usually older women. Without asking. I went through a lot of this myself growing up, but it’s only as an adult, with red-haired kids, that I see how bad it is. I thought I was a bit of an a-hole because, as a boy, I had more than my fair share of fights due to teasing over the hair. Trust me, I’ve heard it all. Yeah, fireball, very funny you —-wad, never heard that one before. I suppose I blocked out how adults react when I tried to buy a camping flashlight with my dad. Maybe there is a genetic component, but I don’t think scientists could possible come up with a deterministic ethical study to figure it out. And if my oldest, non-red daughter ever shivs you in a Costco, now you’ll know why. We have been so busy the past few weeks that this week’s Summary is a bit truncated. Travel has really impacted our publishing, sorry. Securosis Posts Incite 5/20/2015: Slow down to speed up. Incite 5/6/2015: Just Be. Network-based Threat Detection: Operationalizing Detection. Network-based Threat Detection: Prioritizing with Context. Network-based Threat Detection: Looking for Indicators. RSAC wrap-up. Same as it ever was. RSA Conference Guide 2015 Deep Dives: Security Management. Favorite Outside Posts Mike: Advanced Threat Detection: Not so SIEMple: Aside from the pithy title, Arbor’s blog post does a good job highlighting differences between the kind of analysis SIEM offers and the function of security analytics… Rich: Cloudefigo. This is pretty cool: it’s a cloud security automation project based on some of my previous work. One of the people behind it, Moshe, is one of our better Cloud Security Alliance CCSK instructors. Research Reports and Presentations Endpoint Defense: Essential Practices. Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications. Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Top News and Posts U.S. aims to limit exports of undisclosed software flaws. I’m sure this will work out just fine. Unfortunately, we have renewed our ICANN Accreditation. Holy. Crap. ICANN opened us all up to some nasty phishing. President Urged to Reject Mandatory Backdoors St. Louis Federal Reserve Suffers DNS Breach Several Factors Mitigate VENOM’s Utility for Attackers Logjam attack affects nearly all browsers Share:

It seems we messed up, and last week’s Summary never made it out of draft. So I doubled up and apologize for the spam, but since I already put in all the time, here you go… Rich here, As you can tell we are deep in the post-RSA Conference/pre-Summer marsh. I always think I’ll get a little time off, but it never really works out. All of us here at Securosis have been traveling a ton and are swamped with projects. Although some of them are home-related, as we batten down the hatches for the impending summer heat wave here in Phoenix. Two things really struck me recently as I looked at the portfolio of projects in front of me. First, that large enterprises continue to adopt public cloud computing faster than even my optimistic expectations. Second, they are adopting DevOps almost as quickly. In both cases adoption is primarily project-based for companies that have been around a while. That makes excellent sense once you spend time with the technologies and processes, because retrofitting existing systems often requires a complete redesign to get the full benefit. You can do it, but preferably as a planned transition. It looks like even big, slow movers see the potential benefits of agility, resiliency, and economics to be gained by these moves. In my book it all comes down to competitiveness: you simply can’t compete without cloud and DevOps anymore. Not for long. Nearly all my work these days is focused on them, and they are keeping me busier than any other coverage area in my career (which might say something about my career which I don’t want to think about). Most of it is either end-user focused, or working with vendors and service providers on internal stuff – not the normal analyst product and marketing advice. I am finding that while it’s intimidating on the surface, there really are only so many ways to skin a cat. I see consistent design patterns emerging among those seeing successes, and a big chunk of what I spend time on these days is adapting them for others who are wandering through the same wilderness. The patterns change and evolve, but once you get them down it’s like that first time you make it from top to bottom on your snowboard. You’re over the learning curve, and get to start having fun. Although it sure helps if you actually like snowboarding. Or just snow. I meet plenty of people in tech who are just in it for the paycheck, and don’t actually like technology. That’s like being a chef who only drinks Soylent at home. Odds are they won’t get the Michelin Star any time soon. And they probably need to medicate themselves to sleep. But if you love technology? Oh, man – there’s never been a better time to roll up our sleeves, have some fun, and make a little cash in the process. On that note, I need to go reset some demos, evaluate a client’s new cloud security controls, and finish off a proposal to help someone else integrate security testing into their DevOps process. There are, most definitely, worse ways to spend my day. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich is presenting a webcast May 19 on Managing Your SaaS Mort quoted in an article on DevOps about his RSA Conference presentation Favorite Securosis Posts Mike Rothman: Network-based Threat Detection: Prioritizing with Context: Prioritization is still the bane of most security folks’ existence. We’re making slow but steady progress. Rich: Incite 5/6/2015: Just Be. I keep picking on Mike because I’m the one from Hippieville (Boulder), but figuring out what grounds you is insanely important, and the only way to really enjoy life. For me it’s moving meditation (crashing my bike or getting my face smashed by a friend). Mike is on a much healthier path. Other Securosis Posts Network-based Threat Detection: Operationalizing Detection. Network-based Threat Detection: Looking for Indicators. RSA Conference Guide 2015 Deep Dives: Security Management. RSA Conference Guide 2015 Deep Dives: Identity and Access Management. RSA Conference Guide 2015 Deep Dives: Endpoint Security. RSA Conference Guide 2015 Deep Dives: Network Security. Favorite Outside Posts Mike Rothman: Google moves its corporate applications to the Internet: This is big. Not the first time we’re seeing it, but the first at this scale. Editor’s note: one of my recent cloud clients has done the same thing. They assume the LAN is completely hostile. Rich: CrowdStrike’s VENOM vulnerability writeup. It’s pretty clear and at the right tech level for most people (unless you are a vulnerability researcher working on a PoC). Although I am really tired of everyone naming vulnerabilities – eventually we’ll need to ask George Lucas’ kids to make up names for us. Research Reports and Presentations Endpoint Defense: Essential Practices. Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications. Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Top News and Posts Rob Graham on VENOM Cybersecurity suffers from a talent shortage AWS releases an endpoint for S3 in VPCs. This actually solves a tough security problem. Hopefully it will extend to SQS, SNS, and some of their other services. For containers, security is problem #1 Ex-NSA security bod fanboi: Apple Macs are wide open to malware Against DNSSEC Share:

The RSA conference is over and put up some massive numbers (for security). But what does it all mean? Can all those 450 vendors on the show floor possibly survive? Do any of them add value? Do bigger numbers mean we are any better than last year? And how can we possibly balance being an industry, community, and profession simultaneously? Not that we answer any of that, but we can at least keep you entertained for 13 minutes. Watch or listen: Share:

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch). We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications. But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much as a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees. DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports… it’s on YouTube now – look it up, young’ns). Extreme sports (if that term even applies anymore) is all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you can to backflip a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave. This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSA day the Monday before the conference starts. And vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty bad too, especially presentations on the ‘risks’ of DevOps that show someone doesn’t understand it doesn’t actually allow developers to modify production environments despite policy. As for the expo floor? We look forward to seeing that ourselves… and as with anything new, we expect to see plenty of banners proclaiming their antivirus is “DevOps ready”. Posers. Share:

Every year we like to start the RSA Guide with review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise? This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change. –Rich Share:

The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan. Watch or listen: Share: