Friday Summary: Favorite Films of 2014 (Redux)

Rich here. Something went wonky so most of the Summary didn’t load properly on Friday. So I am reposting with the lost content…

The Securosis blog has been around since 2006, with pretty much constant posts over that entire time (multiple posts a week, with a few exceptions). That is a lot of words, a large percentage of which came through my keyboard. We have always used the Summary (and when Mike joined, the Incite) to add some color to our security coverage, and give glimpses into our personal lives, or random thoughts that don’t really fit in a security-oriented blog post. I will expand on that in some posts this year, starting today with a post on my favorite films of 2014. Yep, you heard me, and you can skip to the Summary itself below if you just want the top links and news of the week.

Favorite Films of 2014

These aren’t necessarily the best movies of the year – not even close – but the ones I most enjoyed. My wife and I are huge film buffs, but since having (3 young) kids we dropped from seeing movies near weekly, to monthly if we are lucky. This changed our tastes because, due to constant exhaustion, we are more likely to pick something light and fun than arty and independent (we still watch those, usually over 2 nights, at home).

Top Films I Saw in a Theater

Guardians of the Galaxy: Flat out, the most fun I had in a theater all year. I saw it twice, then bought the Blu-Ray (3D with digital copy) for home. Some consider comic book films the death of ‘serious’ movies, but as we transition deeper into the digital age spectacles like this will sustain movie theaters and allow more serious films to still show in the smaller rooms at the back of the megaplex.

Captain America: The Winter Soldier: Almost my #1 pick because this one elevated the ‘classic’ comic-book genre film. Its comments on society were heavy-handed but the timing was perfect – especially if you know what’s coming in the Civil War storyline. But what really hooked me were the effects and character of Cap himself. His movements, style, and pure kinesis made even the Avengers action scenes look pedestrian.

Gravity: I love space. I went to Space Camp three times as a kid (and considering our limited household income, that was more than a big deal). The science may have been way off in parts, but the immersive 3D IMAX experience was incredible. And the tension? Oh, the tension! It makes me almost want to cry that I missed seeing Interstellar on an IMAX screen.

Favorite Film Most of You Skipped

Edge of Tomorrow: This did poorly in the theaters, and we only watched it on an iPad at 35,000 feet ourselves, but I immediately bought the book on my Kindle when we landed. If you have ever ground out a level in a video game this is the movie for you. If you want to see Tom Cruise die, a lot, this is the movie for you. If you want to see the best time-travel film since Looper… you know the rest. And definitely read the book.

The One We Loved Until Our iTunes Rental Expired

The Grand Budapest Hotel: I have the Blu-Ray from Netflix sitting here so we can watch the last 20 minutes. But unless they completely suck, this was Wes Anderson at his best. Amazing style, characters with panache, and his usual visual splendor.

The One I Enjoyed, but Really Didn’t Get As Much As Anyone Else

Snowpiercer: I get it, Bong Joon-Ho is awesome and Tilda Swinton just nailed it, but I still don’t understand why this made so many Top 10 lists. It was good, but not that good.

My Favorites with the Kids

Our girls are finally old enough to sit through and enjoy a movie with, and this was an awesome year to bond in a theater (or with a rental).

The Lego Movie: I really really really wish we had seen this in the theater, instead of on video, but we all loved it. Our dining room table has been covered in Legos for months, and I don’t expect that to change anytime soon. The message hit the perfect tone of “be creative, but sometimes you still need to listen to your damn parents so you don’t die a tragic death!” Maybe I’m projecting, a little.

How to Train Your Dragon 2: Oh, wow. Even on a smaller 3D TV at home this is still amazing (we did see it in a theater first). It goes where few kids’ films have the balls to go anymore, putting you on an emotional roller coaster with plenty of spectacle. I really love this series, and will be sad when it ends with the next one.

Big Hero 6: Another one full of emotion, evoking classic Disney themes in a fully modern, comic-book tale. It could have gone horribly wrong and is far from perfect, but the kids loved it, we enjoyed it, and the visual design is truly special. I wouldn’t place this up there with The Incredibles, but it really shines in creating bonds between the audience and the main characters.

Favorite Comedy

Neighbors: I enjoyed 22 Jump Street, but Neighbors had a few scenes that floored me. Let’s be honest – I am at a stage of life where I can appreciate a hangover + full boobs joke more than when I was 20 or 30.

The One I Will Only See in Private

Boyhood: I have kids. I’m going to cry. Screw you if you think I’m doing that in a theater.

The Best Movie to See While Hopped up on Painkillers after… Guy Surgery

G.I. Joe: Retaliation: Not much else to say. I dare you to refute.

There are a lot of other films I enjoyed, especially Dawn of the Planet of the Apes, but these

Summary: That’s a Wrap!

Rich here.

Holy crap, what a year! I have been in the security business for a while now. I wouldn’t say I am necessarily jaded, but… yeah. Wow.

First, the news. This was the year of Target and Sony. Symantec finally breaking up. All sorts of wacky M&A. The year family members checked in for the first time in decades, after reading my quotes in articles with “celebrity nudes” in the headlines. Apple getting into payments. My guidance counselor totally left that out when we discussed infosec as a career option. Not that infosec was a career option in the late 80’s, but I digress.

As I have often said, life doesn’t demarcate itself cleanly into 365-day cycles. There is no “year of X” because time is a continuum, and events have tendrils which extend long before and after any arbitrary block of time. That said, we will sure as hell remember 2014 as a year of breaches. Just like 2007/2008, for those who remember those ancient days. It was also a most excellent year for general security nonsense.

Then there was the business side. 2014 was an epic year for Securosis on every possible level. And thanks to the IRS and our fiscal year being the calendar year, we really do get to attribute it to 2014. We cranked out a bunch of papers (mostly Mike) and engaged in some insanely fun projects (mostly me). A year or so ago I wasn’t sure there was enough of a market for me to focus so much of my research on cloud and DevOps. Now I wonder if there’s enough of me to support all the work. We were so busy we didn’t even get around to announcing a new research product: Securosis Project Accelerators. Focused workshops for end users and (for now) SaaS providers tied to specific project initiatives (like our Cloud Security for SaaS Providers package). On the upside, we sold a bunch of them anyway.

The main thing that suffered was this blog. We mostly kept up with our scheduled posts and open research, but did drop a lot of the random posts and commentary because we were all so busy. I wish I could say that’s going to change, but the truth is 2015 looks to be even busier.

Personally this has been my favorite work year yet, due to the amount of primary research I have been able to focus on (including getting back to programming), working more with end-user organizations on projects, and even getting to advise some brand-name cloud providers on technical aspects of their security. I am not sure whether I mentioned it on the site, but my wife stopped working after RSA due to an acute onset of “too many children”. We decided it was no longer worthwhile for both of us to work full time. And changes in the healthcare system meant we were no longer so reliant on her employee benefits. That reduced a lot of home scheduling stress, but also meant I was short on excuses to stay off airplanes. I was definitely away from home a lot more than I liked, but when I am home, I get to be far more engaged than a lot of parents.

On the non-work front it was also an awesome year. We are done with babies (but not diapers), which means we are slowly clawing back some semblance of a life outside being parents. Our older two started in public school, which is like some kind of fantasy after years of paying a prison company to keep our children mostly alive and intact (daycare… shudder). We spent a month in Boulder, a week in Amsterdam, and a weekend in Legoland. I am running as fast as I was in my 20’s, over longer distances, and I am almost not embarrassed on the bike. (Remember, triathlon is Latin for “sucks at three sports”).

So on the overall good/bad scale I would mark 2014 as “awesome”. Mostly because I don’t work for a retailer or a film studio. And, without going into details, 2015 has some serious potential for epic.

As I like to do every year before we close down for the holidays, I would really like to thank all of you for supporting us. Seriously, we are 3 guys and a half-dozen friends with a blog, some papers, and a propensity to sit in front of webcams with our clothes on. Not that many people get to make a living like this, and we can only pull it off due to the tremendous support you have all given us for over 7 years. I may not be religious but I sure am thankful.

On to the Summary (our last this year):

Webcasts, Podcasts, Outside Writing, and Conferences

- Rich quoted in the Guardian on the Sony breach

Favorite Securosis Posts

- Mike Rothman: Firestarter: Predicting the Past. I can only hope you had half as much fun watching as we had recording the year-end FS. That’s right vendors – think twice before making those predictions. Even if you’re our friends, we will still call you out!
- Rich: Ditto. Natch.

Other Securosis Posts

- Security Best Practices for Amazon Web Services: Third Party Tools.
- Security Best Practices for Amazon Web Services: Built-In Features.
- Security and Privacy on the Encrypted Network: Selection Criteria and Deployment.
- Firestarter: Predicting the Past.
- Summary: Nantucket.

Favorite Outside Posts

- Adrian Lane: Analyzing Ponemon Cost of Data Breach. Jay Jacobs does an excellent job analyzing Ponemon’s breach cost calculation model. And I even learned a new word: heteroskedasticity.
- Mike Rothman: Analyzing Ponemon Cost of Data Breach. Don’t screw with Jay Jacobs on data stuff. Just don’t do it. This is a gem: “And in this analysis I will not only show that the approach used by Ponemon is not just overly simple, but also misleading and even may be harmful to organizations using the Ponemon research in their risk analyses.” Damn. Jay wins.
- Rich: I suppose I should choose something else.

Security Best Practices for Amazon Web Services: Third Party Tools

This is our third post on AWS security best practices, to be compiled into a short paper. See also our first post, on defending the management plane, and our second post, on using built-in AWS tools.

Finish with Additional Security Tools

AWS provides an excellent security foundation, but most deployments require a common set of additional tools:

- Amazon’s monitoring tools (CloudTrail, CloudWatch, and Config) offer incomplete coverage, and no correlation or analysis. Integrate their feeds into existing log management, SIEM, monitoring, and alerting tools that natively support and correlate AWS logs and feeds, so they can fill gaps by tracking activity AWS currently misses.
- Use a host configuration management tool designed to work in the cloud to automatically configure and update instances. Embed agents into approved AMIs or bootstrap through installation scripts. Insert baseline security policies so all instances meet security configuration requirements. This is also a good way to insert security agents.
- Enhance host security in key areas using tools and packages designed to work in highly dynamic cloud deployments:
  - Agents should be lightweight, communicate with the AWS metadata service for important information, and configure themselves on installation.
  - Host Integrity Monitoring can detect unauthorized changes to instances.
  - Logging and alerting collect local audit activity and alert on policy violations.
  - Host firewalls fill gaps left by security group limitations, such as rule set sizes.
  - Some tools can additionally secure administrator access to hosts without relying solely on ssh keys.
- For web applications use a cloud-based Web Application Firewall. Some services also provide DDoS protection. Although AWS can support high levels of traffic, DDoS protection stops traffic before it hits your instances… and your AWS bill.
- Choose security assessments and scanning tools that tie into AWS APIs and comply with Amazon’s scanning requirements. Look for tools that not only scan instances, but can assess the AWS environment.

Where to Go from Here

These fundamentals are just the surface of what is possible with cloud security. Explore advanced techniques like Software Defined Security, DevOps integration, and secure cloud architectures.
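The first bullet above says to feed CloudTrail into tooling that can correlate and alert, because CloudTrail itself only records. As an added example (not code from the post or from Securosis), here is the kind of detection logic a SIEM rule or a small collector would run over CloudTrail records: root account usage, console sign-in without MFA, and a sensitive IAM call from outside the administrators' known address ranges. The records and the 198.51.100.0/24 admin range are constructed for the example; the field names follow the CloudTrail record format.

```python
"""Run a few detection rules over constructed CloudTrail records.

Field names (eventName, userIdentity.type, sourceIPAddress,
additionalEventData.MFAUsed) follow the real CloudTrail record format; the
records themselves and the administrator network are made up for this example.
"""
import ipaddress
import json

# Constructed sample records, not real log data.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-12-19T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-12-19T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-12-19T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-12-19T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# Assumed administrator source ranges; replace with your own.
ADMIN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# IAM and CloudTrail calls that change who can do what, or blind the audit
# trail; worth an alert when they come from outside the admin ranges.
SENSITIVE_EVENTS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
                    "PutUserPolicy", "DeleteTrail", "StopLogging"}


def _from_admin_network(ip):
    """True if the source address falls inside a known administrator range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail also records service names here, e.g. "AWS Internal"
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def analyze_cloudtrail(raw_json):
    """Return a list of (rule, eventName, who, sourceIP) findings."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        ip = rec.get("sourceIPAddress", "")
        name = rec.get("eventName", "")
        # Rule 1: the root account should be reserved for emergencies.
        if ident.get("type") == "Root":
            findings.append(("root-account-used", name, who, ip))
        # Rule 2: console sign-in without a second factor.
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa != "Yes":
            findings.append(("console-login-without-mfa", name, who, ip))
        # Rule 3: privilege or logging changes from an unexpected network.
        if name in SENSITIVE_EVENTS and not _from_admin_network(ip):
            findings.append(("sensitive-call-from-unknown-ip", name, who, ip))
    return findings


if __name__ == "__main__":
    for finding in analyze_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(*finding)
```

The same three rules apply unchanged to a CloudTrail file pulled from S3, since each delivered object is a JSON document with the same Records array.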

Firestarter: Predicting the Past

In our last Firestarter for this year, Mike, Adrian, and I take on some of the latest security predictions for 2015. Needless to say, we aren’t impressed. We do, however, close out with some trends we are seeing which are likely to play out next year, and are MOST DEFINITELY NOT PREDICTIONS.

One warning: despite a lack of Guinness, we use some bad words, so let’s just brand this NSFW. Unless your workplace is like ours – then go for it.

Lastly, here are links to the predictions we called out (the only ones we found – feel free to mention more in the comments):

- Websense. Which we didn’t read because you need to register to see them.
- Trend Micro. Home of the legal disclaimer in case you get hacked after believing their predictions.
- Kaspersky. A hard one to rip because we have friends there.
- Netwrix. Yeah, we don’t know who they are either.
- Vormetric. Another company we like, but we haz to play fair.
- My 2011 security predictions. I keep renewing them every year, without change. Still mostly holding up – I estimate I hit 70-80% accuracy for 2014.

The audio-only version is up too.

Security Best Practices for Amazon Web Services: Built-In Features

This is our second post on AWS security best practices, to be compiled into a short paper. The first post, on defending the management plane, is here.

Implement Built-in AWS Infrastructure Security Features

Once you lock down and establish monitoring for your Amazon Web Services management plane, it’s time to move on to protecting the virtual infrastructure. Start with these tools that Amazon provides:

Use Security Groups and VPCs for network defense

AWS uses a proprietary Software Defined Network with more security than physical networks. All new accounts on AWS use Virtual Private Clouds for underlying networking, giving you extensive control over network configurations and allowing you to run dozens or hundreds of separate virtual networks. Security Groups combine features of network and host firewalls. They apply to groups of instances like a network firewall, but protect instances from each other like a host firewall. These are the basis of AWS network security:

- By default, instances in the same security group can’t talk to each other. This prevents attackers from spreading horizontally.
- Separate application components across security groups, with only required ports open between them.
- External administrative access (ssh or RDP) should be restricted to the IP addresses and subnets used by your administrators.
- Minimize the number of public subnets, and use NAT gateways to connect private subnets to the Internet as needed, just like most enterprise networks.
- Establish Access Control Lists to isolate subnets. They aren’t a substitute for security groups, but a complementary tool.
- Require administrators to connect through a VPN or ssh “jump box” before connecting to instances. This can be an existing Privileged User Management tool.

Defend hosts and data

AWS is a mixture of Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Amazon bears most responsibility for keeping back-end components secure, but you are still responsible for properly configuring each service and your own instances. IAM is, again, your main tool for defense, but Amazon also offers features which can help you secure instances and protect data.

- Establish an incident response process for compromised instances and other AWS services. Use the AWS API or command line to collect all metadata, snapshot storage volumes, quarantine with IAM, and quarantine network connections.
- Design applications to use Autoscaling Groups. Instead of patching running or compromised servers, you can terminate them and replace them with clean, up-to-date copies without downtime.
- AWS supports encryption for several data storage tools, including S3, EBS, and RedShift. You can manage the keys yourself with their Key Management Service (located in the IAM console). Amazon can access keys in the Key Management Service. If you need extra security consider using CloudHSM instead, although service integration isn’t as simple.
- If you use CloudHSM make sure you have at least two redundant instances so you don’t lose your keys. Amazon cannot view or recover them.
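The security group rules above (admin ports restricted to administrator addresses, components separated with only required ports open between them) are easy to state and easy to drift from. As an added example, not from the post or from Securosis, here is an audit over security group definitions in the shape the EC2 DescribeSecurityGroups API returns. The groups, group ids and the 198.51.100.0/24 admin subnet are constructed for the example.

```python
"""Audit EC2 security group ingress rules against the post's practices.

Input is a list of groups in the DescribeSecurityGroups shape (IpPermissions
with IpRanges and UserIdGroupPairs). The sample groups are constructed for
this example. Findings: ssh/RDP reachable from anywhere, all protocols open to
the Internet, and non-web ports exposed to the world.
"""

ADMIN_PORTS = {22: "ssh", 3389: "RDP"}
PUBLIC_WEB_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # ssh from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,      # probably not needed
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        # Only the web tier may reach the app port: the separation the post recommends.
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-bastion", "GroupName": "jump-box", "IpPermissions": [
        # ssh restricted to the (assumed) administrator subnet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def _ports(rule):
    """Inclusive port range of a rule; protocol -1 means all protocols and ports."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return (group_id, severity, message) findings, in rule order."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            # Rules that only reference other security groups are the good pattern;
            # only rules reachable from the whole Internet are examined here.
            world = [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] in ANYWHERE]
            if not world:
                continue
            if rule.get("IpProtocol") == "-1":
                findings.append((gid, "high", "all protocols open to the Internet"))
                continue
            lo, hi = _ports(rule)
            exposed_admin = [f"{p}/{n}" for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
            if exposed_admin:
                findings.append((gid, "high",
                                 f"admin port(s) {', '.join(exposed_admin)} open to "
                                 f"{', '.join(world)}; restrict to admin subnets or a jump box"))
            elif not (lo == hi and lo in PUBLIC_WEB_PORTS):
                findings.append((gid, "medium",
                                 f"ports {lo}-{hi} exposed to the Internet; confirm this is required"))
    return findings


if __name__ == "__main__":
    for gid, sev, msg in audit_security_groups(SAMPLE_GROUPS):
        print(f"{sev:6} {gid}: {msg}")
```
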

Summary: Nantucket

Rich here.

There once was a boy from Securosis.
Who had an enormous… to do list.
With papers to write…
And much coding in sight…
It’s time to bag out and just post this.

Okay, not my best work, but the day got away from me after spending all week out in the DC area teaching cloud security for Black Hat. Thanks to a plane change I didn’t have WiFi on the way home, and lost an unexpected day of work.

Next week will likely be our last Firestarter, Summary, and Incite for the year. We will still have some posts after that, then kick back into high gear come January. 2014 was our most insane year yet, with some of the best work of our careers (okay, mine, but I think Mike and Adrian are also pretty pleased.) 2015 is already looking to give ‘14 a run for the money. And when you run your own small business, “run for the money” is a most excellent problem to have. Unless it involves cops. That gets awkward.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Another quiet week. We promise to return to our media whoring soon.

Favorite Securosis Posts

- Mike Rothman: Summary: 88 Seconds. Rich + tears. I’d need to see that to believe it. But I get it. Very emotional to share such huge parts of your own childhood with your children.
- Rich: 3 Envelopes.

Other Securosis Posts

- Security and Privacy on the Encrypted Network: Use Cases.
- Incite 12/10/2014: Troll off the old block.
- Monitoring the Hybrid Cloud: Migration Planning.

Favorite Outside Posts

- Mike Rothman: Sagan’s Baloney Detection Kit. As an analyst, I make a living deciphering other folks’ baloney. Carl Sagan wrote a lot about balancing skepticism with openness, and this post on brainpickings.org is a great summary. Though I will say sometimes I choose to believe in stuff that can’t be proven. So your baloney may be my belief system, and we shouldn’t judge either way.
- Rich: Analyzing Ponemon Cost of Data Breach. Jay Jacobs is a true data analyst. The kind of person who deeply understands numbers and models. He basically rips the Ponemon cost of a breach number to shreds. Ponemon can do good work, but that number has always been clearly flawed, and Jay clearly illustrates why. Using numbers.

Research Reports and Presentations

- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis of the 2014 Open Source Development and Application Security Survey.
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.

Top News and Posts

Due to all the lost time this week I’m a bit low on stories, but here are some of the bigger ones.

- Iran hacked the Sands Hotel earlier this year, causing over $40 million in damage.
- Tripwire acquired by Belden. Didn’t see that one coming. $710M.
- Adobe Patches Flash Player Vulnerability Under Attack.
- Treasury Dept: Tor a Big Source of Bank Fraud. No surprise, and that’s one Tor vector that should be blocked.

Blog Comment of the Week

This week’s best comment goes to Ke, in response to My $500 Cloud Security Screwup.

This is happening to me… Somehow the credential file was committed in git, which is strange because it is in the .gitignore file. I saw the email from AWS and deleted the key in 30 minutes and I found my account restricted at that time. One day after, however, I found a $1k bill in my account. It is also odd that I did not receive the alert email even though I enabled an alert. I am a student and I cannot afford this money 🙁
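The failure in Ke's comment above (a credential file that ended up in a commit despite .gitignore) is the one the AWS best-practices series warns about when it says never to embed access keys in code. As an added example, not from the post or the commenter, here is a pre-commit style scanner that checks staged file contents for AWS key material before the commit goes through. The sample config and its key values are constructed placeholders, not real credentials; the `git diff --cached` call only runs when the script is executed directly.

```python
"""Scan file contents for AWS access key material before it gets committed.

AWS access key IDs are 20 characters beginning with "AKIA" (long-term keys) or
"ASIA" (temporary keys), which makes them cheap to spot. A secret access key is
a 40-character base64-style string, too generic to flag on its own, so it is
only reported on a line that also names an AWS secret. The sample input below
is constructed; the key values are made-up placeholders.
"""
import re
import subprocess
import sys

ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_LINE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def find_aws_credentials(text, path="<stdin>"):
    """Return (path, line_no, kind, redacted_value) for each hit in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            key = m.group(0)
            hits.append((path, n, "access-key-id", key[:4] + "..." + key[-4:]))
        m = SECRET_KEY_LINE.search(line)
        if m:
            # Never echo the secret itself; a prefix is enough to locate it.
            hits.append((path, n, "secret-access-key", m.group(1)[:4] + "..."))
    return hits


def staged_files():
    """Paths staged for the pending commit (added, copied or modified)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def scan_paths(paths):
    """Scan each readable path; unreadable or deleted paths are skipped."""
    hits = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits.extend(find_aws_credentials(fh.read(), p))
        except OSError:
            continue
    return hits


# Constructed sample: a credentials file that should never have been staged.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = EXAMPLEexampleEXAMPLEexampleEXAMPLEexamp
"""

if __name__ == "__main__":
    found = scan_paths(staged_files())
    for path, n, kind, value in found:
        print(f"{path}:{n}: {kind} {value}")
    sys.exit(1 if found else 0)   # non-zero exit blocks the commit as a pre-commit hook
```

Installed as .git/hooks/pre-commit this blocks the commit rather than relying on .gitignore alone, which does nothing for a file that was already tracked or added with `git add -f`.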

Security Best Practices for Amazon Web Services

This is a short series on where to start with AWS security. We plan to release it as a concise white paper soon. It doesn’t cover everything but is designed to kickstart and prioritize your cloud security program on Amazon. We do plan to write a much deeper paper next year, but we received several requests for something covering the fundamentals, so here you go…

Building on a Secure Foundation

Amazon Web Services is one of the most secure public cloud platforms available, with deep datacenter security and many user-accessible security features. Building your own secure services on AWS requires properly using what AWS offers, and adding additional controls to fill the gaps.

Amazon’s datacenter security is extensive – better than many organizations achieve for their in-house datacenters. Do your homework, but unless you have special requirements you can feel comfortable with their physical, network, server, and services security. AWS datacenters currently hold over a dozen security and compliance certifications, including SOC 1/2/3, PCI-DSS, HIPAA, FedRAMP, ISO 27001, and ISO 9001.

Never forget that you are still responsible for everything you deploy on top of AWS, and for properly configuring AWS security features. AWS is fundamentally different from even a classical-style virtual datacenter, and understanding these differences is key to effective cloud security. This paper covers the foundational best practices to get you started and help focus your efforts, but these are just the beginning of comprehensive cloud security.

Defend the Management Plane

One of the biggest risks in cloud computing is an attacker gaining access to the cloud management plane: the web interface and APIs used to configure and control your cloud. Fail to lock down this access and you might as well just hand over your datacenter to the bad guys. Fortunately Amazon provides an extensive suite of capabilities to protect the management plane at multiple levels, including both preventative and monitoring controls. Unfortunately the best way to integrate these into existing security operations isn’t always clear; it can also be difficult to identify any gaps. Here are our start-to-finish recommendations.

Control access and compartmentalize

The most important step is to enable Multifactor Authentication (MFA) for your root account. For root accounts we recommend using a hardware token which is physically secured in a known location that key administrators can access in case of emergency. Also configure your Security Challenge Questions with random answers which aren’t specific to any individual. Write down the answers and store them in a secure but accessible location.

Then create separate administrator accounts using Amazon’s Identity and Access Management (IAM) for super-admins, and also turn on MFA for each of those accounts. These are the admin accounts you will use from day to day, saving your root account for emergencies. Create separate AWS accounts for development, testing, and production, and other cases where you need separation of duties. Then tie the accounts together using Amazon’s consolidated billing. This is a very common best practice.

Locking down your root account means you always keep control of your AWS management, even if an administrator account is compromised. Using MFA on all administrator accounts means you won’t be compromised even if an attacker manages to steal a password. Using different AWS accounts for different environments and projects compartmentalizes risks while supporting cross-account access when necessary.

Amazon’s IAM policies are incredibly granular, down to individual API calls. They also support basic logic, such as tying a policy to resources with a particular tag. It can get complicated quickly, so aside from ‘super-admin’ accounts there are several other IAM best practices:

- Use the concept of least privilege and assign different credentials based on job role or function. Even if someone needs full administrative access sometimes, that shouldn’t be what they use day to day.
- Use IAM Roles when connecting instances and other AWS components together. This establishes temporary credentials which AWS rotates automatically.
- Also use roles for cross-account access. This allows a user or service in one AWS account to access resources in another, without having to create another account, and ties access to policies.
- Apply object-level restrictions using IAM policies with tags. Tag objects and the assigned IAM policies are automatically enforced.
- For administrative functions use different accounts and credentials for each AWS region and service.
- If you have a user directory you can integrate it with AWS using SAML 2.0 for single sign-on. But be careful; this is most suitable for accounts that don’t need deep access to AWS resources, because you lose the ability to compartmentalize access using different accounts and credentials.
- Never embed Access Keys and Secret Keys in application code. Use IAM Roles, the Security Token Service, and other tools to eliminate static credentials. Many attackers are now scanning the Internet for credentials embedded in applications, virtual images, and even posted on code-sharing sites.

These are only a starting point, focused on root and key administrator accounts. Tying them to multifactor authentication is your best defense against most management plane attacks.

Monitor activity

Amazon provides three tools to monitor management activity within AWS. Enable all of them:

- CloudTrail logs all management (API) activity on AWS services, including Amazon’s own connections to your assets. Where available it provides complete transparency for both your organization’s and Amazon’s access.
- CloudWatch monitors the performance and utilization of your AWS assets, and ties tightly into billing. Set billing alarms to detect unusually high levels of activity. You can also send system logs to CloudWatch, but this isn’t recommended as a security control.
- Config is a new service that discovers services and configurations, and tracks changes over time. It is a much cleaner way to track configuration activity than CloudTrail.

CloudTrail and Config don’t cover all regions and services, so understand where the gaps are. As of this writing Config is still in preview, with minimal coverage, but both services expand capabilities regularly. These features provide important data feeds but most organizations use additional tools for overall collection and analysis, including log management and SIEM. As a
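Two of the recommendations above, requiring MFA on administrator credentials and tying policies to resources by tag, come down to how IAM evaluates a request against policy statements. As an added example (not code from the post or from AWS), here is a small model of that evaluation: explicit Deny beats Allow, a request with no matching Allow is implicitly denied, and conditions are checked per statement. The two policies use the real condition keys `aws:MultiFactorAuthPresent` and `ec2:ResourceTag/<tag>`; the evaluator only implements the operators those policies need, and the account id, instance ARN and tag name are constructed.

```python
"""A small model of IAM policy evaluation for two policies from the post.

ADMIN_WITH_MFA: full access, denied unless the caller authenticated with MFA.
DEV_INSTANCE_OPERATOR: may only stop/start/terminate instances tagged
Environment=dev. The evaluation order is the real one (explicit Deny wins,
otherwise any matching Allow, otherwise implicit deny); only the operators
these policies use (Bool, BoolIfExists, StringEquals) are implemented.
"""
from fnmatch import fnmatchcase

ADMIN_WITH_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    # BoolIfExists rather than Bool: a request signed with a plain access key
    # carries no MFA context key at all, and the deny must still bite then.
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

DEV_INSTANCE_OPERATOR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:StartInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}}},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    """Action and resource matching: '*' and '?' wildcards, case-insensitive."""
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in _as_list(patterns))


def _condition_holds(cond, ctx):
    """Every operator block and every key inside it must hold (logical AND)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            present = key in ctx
            actual = str(ctx.get(key, "")).lower()
            wanted = [str(e).lower() for e in _as_list(expected)]
            if op in ("Bool", "StringEquals"):
                if not present or actual not in wanted:
                    return False
            elif op == "BoolIfExists":
                # Missing key counts as a match; present key must still agree.
                if present and actual not in wanted:
                    return False
            else:
                raise NotImplementedError(f"operator {op} not modelled here")
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
                continue
            if "Condition" in st and not _condition_holds(st["Condition"], ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicit-deny"   # deny wins regardless of any allow
            allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"  # constructed
    print(evaluate([ADMIN_WITH_MFA], "iam:CreateUser", "*", {"aws:MultiFactorAuthPresent": "true"}))
    print(evaluate([ADMIN_WITH_MFA], "iam:CreateUser", "*", {}))  # plain access key
    print(evaluate([DEV_INSTANCE_OPERATOR], "ec2:TerminateInstances", inst,
                   {"ec2:ResourceTag/Environment": "prod"}))
```
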

Summary: 88 Seconds

Rich here.

I don’t remember actually seeing Star Wars in the movie theater. I was six years old in 1977, and while I cannot remember the feelings of walking along the sticky theater floor, finding a seat I probably had to kneel on to see the screen from, and watching as the lights dimmed and John Williams assaulted my ears, I do remember standing with my father outside. In a line that stretched around the building. My lone image of this transformative day is of waiting near the back doors, my father beside me, wondering just what the big deal was.

Memories of the film itself come from the television in the living room of my childhood home. Not from years later, when VCRs invaded suburbia and VHS vs. Beta made the evening news, but that year. 1977. When I watched my very own copy of Star Wars on a three-quarter-inch professional video deck connected to our TV.

My father had recently been shut out of a business he co-founded when his partner, who owned the majority share, decided to take everything. The company was contracting to place video decks on long-haul merchant ships and provide first-run movies to entertain the crews. The business fell apart after my dad left, and all he walked away with (so far as I know – he died when I was in high school) was that video player and three sets of tapes (each tape only held an hour). A documentary on the US Bicentennial celebration we attended as a family in NYC, the Wizard of Oz, and Star Wars.

Imagine being the only kid in your neighborhood – heck, possibly the entire state – with a copy of Star Wars at home in 1977 or 1978 (it’s possible I got the tape in 78, but I’m pretty sure it was 77). Tapes of higher quality than VHS or Beta; not that it mattered with our TV. I watched Star Wars hundreds of times over the next few years. I watched it so many times that, to this day, I still start to get up to swap tapes every time the Millennium Falcon is pulled into the Death Star by the tractor beam.

And, as has happened to so many others over the past 37 years, the film, and its sequels, didn’t merely influence my life, it defined it in many ways. It is hard to know how anything truly affects you in the long term. But I have to assume the philosophies of the fictional Jedi [Ed: Not entirely fictional. Wish fulfillment FTW!] pointed me in certain directions. To martial arts, public service, the study of Japanese history, an obsession with space and science, an attraction to women who kick ass, and a moral framework that prizes self-sacrifice and the protection of others. To bombing recklessly down a Pikes Peak hiking trail on my mountain bike, laughing hysterically as I dodged the trees like I was on a speeder bike. (I was working rescue – it was totally legit!).

So the day after Thanksgiving I fired up my Apple TV, went to the Trailers app, and shed a few tears over the next 88 seconds. More tears than I expected. I never thought I would live to see a new Star Wars. A new story – not merely backstory with an inevitable ending. With the actors of my youth, playing the same characters. Written by the writer of Empire, and directed by the guy who saved Star Trek?!? And I certainly never thought I would be standing in line in a theater next December, holding the hand of my daughter, who will be the same age I was when it all started in 1977. (And her younger sister, but probably not the boy – he won’t even be 3 yet).

I realize I have been geeking out a lot lately here in the Summary, but for good reason. These are the tools I used to define myself as I built my identity. Perhaps not the same tools you used, and not the only tools, but certainly some of the most influential. I no longer need to look back on them nostalgically. I don’t need to relive my youth. I can once again make them part of my future, and perhaps drag my own children along with me. It’s gonna be a hell of a year.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Nada. No one loves us anymore.

Favorite Securosis Posts

- Mike Rothman: Monitoring the Hybrid Cloud: Solution Architectures. These concepts will become a lot more important in 2015 as the lack of visibility in cloud-land becomes a higher profile issue.
- Rich: Winding Down. Like Mike, I’m cramming, but also blocking some time to relax and refocus for the coming year. I can’t really say much, but it’s going to be a wild one.

Other Securosis Posts

- Security Best Practices for Amazon Web Services.
- Monitoring the Hybrid Cloud: Technical Considerations.
- Firestarter: Numbness.
- Securing Enterprise Applications [New White Paper].

Favorite Outside Posts

- Adrian Lane: Dog Follows Athletes. Not security but a great story.
- Mike Rothman: Fixed vs. Growth: The Two Basic Mindsets that Shape Our Lives. A very interesting article about how you view the world. There is no single right answer, but understanding your mindset enables you to make decisions that work better for you.
- Rich: The Sony Hack Is A Watershed Moment – Especially If North Korea Is Involved. Not really. Saudi Aramco was the watershed moment. The one that sent shock waves through government and the energy industry. But nothing grabs the headlines like Hollywood. Just imagine if they posted naked pictures of Seth Rogen and James Franco!

Research Reports and Presentations

- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis


Firestarter: Numbness

SLmageddon V12. Polar Vortices. Ebola. APT123. We live in an era when every week it seems some massive new vulnerability, exploit, or attack is going to take down society. This week Rich, Mike, and Adrian tackle the endless progression of bad news; and how to maintain focus when everyone wants you to save the children. As a side note, if you haven’t seen or read about #feministhackerbarbie on Twitter… oh my, you need to. The audio-only version is up too.


Changing Pricing (for the first time ever)

This is a corporate news post, so skip it if all you want is our usual snarky security analysis.

For the first time since starting Securosis we are increasing our prices. Yes, it has been over seven years without any change in pricing for our services. The new prices are only a modest bump, and also streamlined to remove the uncertainty of travel expenses on engagements. Call it ego, but we think we are a heck of a bargain.

This only affects speaking/strategy days and retainers. Papers, Securosis Project Accelerator workshops, and one-off projects aren’t changing.

Strategy day pricing stays the same at $6,000, but we are adding in $1,000 for travel expenses and will no longer bill travel separately (total of $7,000 for a strategy day or speaking engagement which involves travel). Webcasts stay the same, at $5,000 if we don’t need to travel.

Our retainer rates are increasing slightly, around $2-3K each, with $2,000 also being added to our Platinum plan to cover the travel for the two included strategy days:

  • $10K for Silver.
  • $15K for Gold.
  • $25K for Platinum.

The new pricing goes into effect immediately for all new clients and renewals. As a reminder, for our papers we offer licenses, not sponsorship, so nothing has changed there.

Securosis Project Accelerators (our focused end-user workshops for SaaS providers, enterprise cloud security, security management, network security, and database/big data security) are still $10,000. We do have some other workshops in the… works for next year, so if you are interested in another topic just ask.

If you have any other questions, just go ahead and email. Service levels remain the same. You can only blame yourselves for keeping us so darn busy.


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.