Research

It seems we messed up, and last week’s Summary never made it out of draft. So I doubled up and apologize for the spam, but since I already put in all the time, here you go… Rich here, As you can tell we are deep in the post-RSA Conference/pre-Summer marsh. I always think I’ll get a little time off, but it never really works out. All of us here at Securosis have been traveling a ton and are swamped with projects. Although some of them are home-related, as we batten down the hatches for the impending summer heat wave here in Phoenix. Two things really struck me recently as I looked at the portfolio of projects in front of me. First, that large enterprises continue to adopt public cloud computing faster than even my optimistic expectations. Second, they are adopting DevOps almost as quickly. In both cases adoption is primarily project-based for companies that have been around a while. That makes excellent sense once you spend time with the technologies and processes, because retrofitting existing systems often requires a complete redesign to get the full benefit. You can do it, but preferably as a planned transition. It looks like even big, slow movers see the potential benefits of agility, resiliency, and economics to be gained by these moves. In my book it all comes down to competitiveness: you simply can’t compete without cloud and DevOps anymore. Not for long. Nearly all my work these days is focused on them, and they are keeping me busier than any other coverage area in my career (which might say something about my career which I don’t want to think about). Most of it is either end-user focused, or working with vendors and service providers on internal stuff – not the normal analyst product and marketing advice. I am finding that while it’s intimidating on the surface, there really are only so many ways to skin a cat. I see consistent design patterns emerging among those seeing successes, and a big chunk of what I spend time on these days is adapting them for others who are wandering through the same wilderness. The patterns change and evolve, but once you get them down it’s like that first time you make it from top to bottom on your snowboard. You’re over the learning curve, and get to start having fun. Although it sure helps if you actually like snowboarding. Or just snow. I meet plenty of people in tech who are just in it for the paycheck, and don’t actually like technology. That’s like being a chef who only drinks Soylent at home. Odds are they won’t get the Michelin Star any time soon. And they probably need to medicate themselves to sleep. But if you love technology? Oh, man – there’s never been a better time to roll up our sleeves, have some fun, and make a little cash in the process. On that note, I need to go reset some demos, evaluate a client’s new cloud security controls, and finish off a proposal to help someone else integrate security testing into their DevOps process. There are, most definitely, worse ways to spend my day. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich is presenting a webcast May 19 on Managing Your SaaS Mort quoted in an article on DevOps about his RSA Conference presentation Favorite Securosis Posts Mike Rothman: Network-based Threat Detection: Prioritizing with Context: Prioritization is still the bane of most security folks’ existence. We’re making slow but steady progress. Rich: Incite 5/6/2015: Just Be. I keep picking on Mike because I’m the one from Hippieville (Boulder), but figuring out what grounds you is insanely important, and the only way to really enjoy life. For me it’s moving meditation (crashing my bike or getting my face smashed by a friend). Mike is on a much healthier path. Other Securosis Posts Network-based Threat Detection: Operationalizing Detection. Network-based Threat Detection: Looking for Indicators. RSA Conference Guide 2015 Deep Dives: Security Management. RSA Conference Guide 2015 Deep Dives: Identity and Access Management. RSA Conference Guide 2015 Deep Dives: Endpoint Security. RSA Conference Guide 2015 Deep Dives: Network Security. Favorite Outside Posts Mike Rothman: Google moves its corporate applications to the Internet: This is big. Not the first time we’re seeing it, but the first at this scale. Editor’s note: one of my recent cloud clients has done the same thing. They assume the LAN is completely hostile. Rich: CrowdStrike’s VENOM vulnerability writeup. It’s pretty clear and at the right tech level for most people (unless you are a vulnerability researcher working on a PoC). Although I am really tired of everyone naming vulnerabilities – eventually we’ll need to ask George Lucas’ kids to make up names for us. Research Reports and Presentations Endpoint Defense: Essential Practices. Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications. Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Top News and Posts Rob Graham on VENOM Cybersecurity suffers from a talent shortage AWS releases an endpoint for S3 in VPCs. This actually solves a tough security problem. Hopefully it will extend to SQS, SNS, and some of their other services. For containers, security is problem #1 Ex-NSA security bod fanboi: Apple Macs are wide open to malware Against DNSSEC Share:

The RSA conference is over and put up some massive numbers (for security). But what does it all mean? Can all those 450 vendors on the show floor possibly survive? Do any of them add value? Do bigger numbers mean we are any better than last year? And how can we possibly balance being an industry, community, and profession simultaneously? Not that we answer any of that, but we can at least keep you entertained for 13 minutes. Watch or listen: Share:

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch). We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications. But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much as a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees. DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports… it’s on YouTube now – look it up, young’ns). Extreme sports (if that term even applies anymore) is all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you can to backflip a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave. This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSA day the Monday before the conference starts. And vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty bad too, especially presentations on the ‘risks’ of DevOps that show someone doesn’t understand it doesn’t actually allow developers to modify production environments despite policy. As for the expo floor? We look forward to seeing that ourselves… and as with anything new, we expect to see plenty of banners proclaiming their antivirus is “DevOps ready”. Posers. Share:

Every year we like to start the RSA Guide with review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise? This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change. –Rich Share:

The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan. Watch or listen: Share:

Woo Hoo! It’s New Paper Friday! Over the past month or so you have seen Adrian and myself put together our latest work on encryption. This one is a top-level overview designed to help people decide which approach should work best for datacenter projects (including servers, storage, applications, cloud infrastructure, and databases). Now we have pieced it together into a full paper. We’d like to thank Vormetric for licensing this content. As always we wrote it using our Totally Transparent Research process, and the content is independent and objective. Download the full paper. Here’s an excerpt from the opening: Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is “compliance, cloud, and covert affairs”. Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments). Thanks to increasing demand we have a growing range of options, as vendors and even free and Open Source tools address this opportunity. We have never had more choice, but with choice comes complexity – and outside your friendly local sales representative, guidance can be hard to come by. For example, given a single application collecting an account number from each customer, you could encrypt it in any of several different places: the application, the database, or storage – or use tokenization instead. The data is encrypted (or substituted), but each place you might encrypt raises different concerns. What threats are you protecting against? What is the performance overhead? How are keys managed? Does it all meet compliance requirements? This paper cuts through the confusion to help you pick the best encryption options for your projects. In case you couldn’t guess from the title, our focus is on encrypting in the data center: applications, servers, databases, and storage. Heck, we will even cover cloud computing (IaaS: Infrastructure as a Service), although we covered it in depth in another paper. We will also cover tokenization and discuss its relationship with encryption. We would like to thank Vormetric for licensing this paper, which enables us to release it for free. As always, the content is completely independent and was created in a series of blog posts (and posted on GitHub) for public comment. Share:

I’ve had one conversation about 8 times this week: “Ready for RSA?” “Not even close.” “Yeah, figured it would be better since they pushed it out an extra month, but not so much.” For those who don’t know, the RSA conference is the biggest event in our industry. Usually it’s in February or March, but this year it’s in April. A full extra month to prep presentations, or marketing material for vendors (my end-user friends who aren’t presenting don’t worry about any of this). Plus there are all the community things, like the Security Blogger’s Meetup, our Disaster Recovery Breakfast, and so on. Seems like we all just pushed everything back a month, and if anything are even further behind than usual. Or maybe that’s just me, a pathological procrastinator. So I don’t have time for the usual Summary this week. Especially because we have a ton of projects going on concurrently, and I’m about to start bouncing around the country again for client projects. The travel itself isn’t exciting but the projects themselves are. Most of my trips are to help end-user orgs build out their cloud security strategy and tactics. It’s a big change from Gartner, when I never got to roll up my sleeves and dig in deep. The fascinating bit is the kinds of organizations who are moving to cloud (mostly AWS, because that’s where I’m deepest technically). Instead of being startups these are established companies, some quite large, and a few heavily regulated. I knew we’d get here someday, but I didn’t expect cloud adoption to hit these segments so soon. Mike and Adrian are just as busy as I am, which is why the blog is so slow, but some new projects are about to hit. We’ve also been working on our annual RSA Guide, which you will start seeing pieces of soon. This year our Contributing Analysts wrote a lot of the content. But hey, we’ve been around 8+ years and still put up multiple blog posts a week, even when things are ugly. So we have that going for us. Which is nice. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich at TidBITS on Apple Pay Rich also contributed to a piece on BadUSB and Macs at TidBITS Favorite Securosis Posts Mike: Disaster Recovery Breakfast 2015 – It’s that time of the year. The best breakfast at RSA. RSVP (please) to rsvp (at) securosis (dot) com. Other Securosis Posts Incite 3/18/2015: Pause. Firestarter: Cyber Cash Cow. Take Control of Security for Mac Users. Be Careful What You Wish For, It’s the SEVENTH Annual Disaster Recovery Breakfast. SecDevOps Learning Lab at RSA. Favorite Outside Posts Mortman: Conway’s law revisited – Architectures for an effective IT Mike: NCAA Men’s Tournament Forecast: The Parity Is Over. It’s March Madness time. Check out Nate Silver’s thoughts. Because math. Mike: Richard Branson shares his 10 favorite quotes about embracing change. Change is constant, which is uncomfortable for many. There are some good tips here to help deal with it. Rich: Panda Antivirus Flags Itself As Malware. The title says it all. Can’t make this stuff up. Research Reports and Presentations Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Top News and Posts To prevent another Heartbleed, severe OpenSSL flaw to be patched Stealthy, Persistent DLL Hijacking Works Against OS X Android apps are now reviewed by Google before you can download them Yahoo Previews End-To-End Email Encryption Plug-In Responding to Sony Hack, Senate Advances Major Cybersecurity Bill Some notes on DRAM (#rowhammer) Blog Comment of the Week This week’s best comment goes to Tom, in response to My $500 Cloud Security Screwup–UPDATED. Great writeup – being able to admit you made a mistake is very hard for some, but we all do, bravo for being up front about it. AWS (Amazon, in general) has always been really super super reasonable about charges with me – I too have had them reverse a charge (in my case, for Amazon prime that I didn’t really use) that was totally on my own shoulders, without me asking – good on them, it makes me feel very, very comfortable with trusting them to do the right thing. I like to think a big part of it was you posting about this and owning the issue – this is an awesome example of how to handle this sort of situation with integrity and competence. I suggest the VERY first thing you do with a new AWS account is turn on MFA, make an IAM account, and put the master credentials on a thumb drive in a desk drawer (locked, ideally). Then, use that IAM account to make less-privileged ones, and use those in practice. It is a pain, to be sure, but it is important to lay a good foundation. (I actually have gone further and worked out federated access for our team at work, and ALL credentials that could reasonably be exposed have a very short lifespan – accidentally checked-in creds in code are to our internal auth server, unusable to the real world. It was a pain, but it lets me sleep better.) You inspire me; I should clean up the federation server and put it out there for others to use. Share:

Last week we saw a security company hit the $2.4B valuation level. Yes, that’s a ‘B’, as in billion. This week we dig into the changing role of money and investment in our industry, and what it might mean. We like to pretend keeping our heads down and focusing on defense and tech is all that matters, but practically speaking we need to keep half an eye on the market around us. It not only affects the tools at our disposal, but influences the entire course of our profession. Watch or listen: Share:

I spend a lot of time on Apple security, more for personal reasons than anything else. They are the tools I use every day, and where I send most of my friends and family to manage their digital lives, so my investment runs deeper than anything financial. I have been the Security Editor over at TidBITS since about the time I founded Securosis, but I am not the only security expert over there. Joe Kissell has himself written books on the topic, and plenty of articles (mostly at TidBITS and Macworld). Joe is currently writing a Take Control book on Mac security. The Take Control series of books are my favorite hands-on instructional guides, and I have used a fair few myself (Take Control is distinct from TidBITS, but closely related and run by the same team). The first two chapters are available free online at TidBITS. The rest of the chapters become available to TidBITS members as Joe writes them. These books run much deeper than the white papers and articles we post on Securosis. The book a soup-to-nuts hands-on guide for nearly everything you need to know to secure your own Mac. Joe and I have talked about combining efforts for a Securosis/Take Control cross-branded version of the content if we can line up a licensee/sponsorship. If you are interested drop me a line. Share:

We were invited to run a two-hour learning lab on a topic of our choice this year at the RSA Conference. I suspect it will surprise… no one… that we chose Pragmatic SecDevOps as our topic. This is a cool opportunity – it gives us a double-length session to mix in presentation, hands-on labs, demonstrations, and group activities. I realize some people roll their eyes when they see these buzzwords, but everything we will present is being used in the real world, often at leading-edge organizations. DevOps really is a thing, it really does affect security, and you really can use it to your advantage in super interesting ways. Here is the official description. Pragmatic SecDevOps Date & Time: Wednesday, April 22, 2015, 10:20am-12:20pm Abstract: As cloud and DevOps disrupt traditional approaches to security, new capabilities emerge to automate and enhance security operations. In this hands-on session attendees will learn pragmatic techniques for leveraging cloud computing and DevOps for improving security. Through a combination of demonstrations and exercises we will work through a string of real-world security automations. We are still finalizing what will make the cut but here are some components we are considering including: An updated (and concise) Pragmatic SecDevOps presentation to start the conversation. A lab to automate embedding host security agents in cloud deployments (e.g., Chef/Puppet) and then use them to enforce security policies. A lab to monitor your cloud security management plane. A group exercise to adapt and embed security architectures to leverage new cloud capabilities. This one is interesting because we will be showing off some leading-edge architectures we are starting to see for DevOps and cloud deployments, which not many security people have been exposed to. A security automation group exercise/hands-on lab where we will give you a library of Ruby methods to mix and match for different security functions. That is a ton of content, and we may not get to all of it. I will streamline some of the labs that I normally have people work through manually in training, but we need to push through more quickly. You need to pre-register to attend, and we will run a webcast in the beginning of April so people can prepare and be ready to participate in the hands-on sections. One nice thing about the Learning Labs is that they happen during the main conference – not the day before or at the end of the week. Please feel free to drop us ideas, preferences, or comments below. We already have a lot of the content, but how we piece it together is still very much open to suggestion. Share: