Securosis

Apple Bug Bad. Patch Now. Here Are Good Writeups

Yesterday Apple released iOS 7.06, an important security update you have probably seen blasted across many other sites. A couple of points: Apple normally doesn’t issue single-bug out-of-cycle security patches for non-public vulnerabilities. They especially don’t release a patch when the same vulnerability may be present on OS X but there isn’t an OS X patch yet. I hate speculating, especially where Apple is concerned, but Apple has some reason for handling this bug this way. Active exploitation is one possibility, and the expectation of public full disclosure is another. The bug makes SSL worthless if an attacker is on the same network as you. OS X appears vulnerable (10.9 for sure). There is no public patch yet. This will very likely be remediated very quickly. A lot of bad things can be done with this, but it isn’t a remotely exploitable malware kind of bug (yes, you might be able to use it locally to mess with updates – researchers will probably check that before the weekend is out). It is bad for Man in the Middle (MitM) attacks, but it isn’t like someone can push a button and get malware on all our iOS devices. It will be interesting to see whether news outlets understand this. The best security pro article is over at ThreatPost. The best technical post is at ImperialViolet. They also have a test page. If you are in an enterprise, either push the update with MDM as soon as possible, or email employees with instructions to update all their devices.


Firestarter Happy Hour- RSA 2014 (With an Audio Download Option)

We may have gone too far. Okay, not really, but we hope you enjoy this beer-fueled extended episode of the Securosis Firestarter. Clocking in at a full hour, we prep and review the upcoming RSA show, which is really our way of covering how we think the year in the security industry will look. Fair warning. Someone, and I won’t say who, may have had a little potty mouth at a couple points. We are also up and running with an audio-only version, and will get that up in iTunes soon. Click here for an audio-only version.


Summary: A Little Tipsy, a Little Edgy

It is 6:44pm as I write this. Adrian just left after we recorded our first extended Firestarter/Happy Hour. The idea was that he would drive down, we would dial Mike in from Atlanta, talk about RSA stuff, Adrian would leave, and I would finish off work. It was a pretty sweet plan. Right up until some semi rolled over at a major intersection near my house, shutting down both a highway and an arterial surface street. Adrian’s ride was delayed, but the beer wasn’t. My wife was also delayed because she handles daycare pickups (I do dropoffs), but the beer wasn’t. You see where this is headed? I had some wonderful pre-RSA things to talk about today. Mostly how I’m finding that in my hands-on research I am pushing beyond the capabilities of some products I am working with. I am asking for API calls that don’t exist and features that aren’t exposed. And yet. So far I have been mostly able to work around these issues. Oh, your API can’t identify XYZ in AWS? No worries, I can code that up pretty quickly. To be honest, this is really new territory for me as an analyst and as a developer. In my dev days I mostly stuck to one platform and one database, and learned the lines pretty quickly. As analysts we mostly talk to users and vendors to understand how things work – we don’t really have the resources to get hands-on with products, and even if we did, that wouldn’t reflect operational realities (which is why most magazine/whatever writeups are garbage). But now with cloud and DevOps I can dig in and explore tools and technologies to an unprecedented degree. I am learning that some of what I’m trying is pushing the limits, and I get to figure out alternative ways of solving the random problem I picked. I won’t lie – this is a blast. Sure, it’s frustrating to hit a technical issue beyond my capabilities, but it is incredibly satisfying when I learn a significant percentage of them aren’t due to personal failures, but instead limitations of what I am working with. 
As an analyst that is awesome. There is no better validation that I am on the right track than breaking things, at a fundamental level. And to be honest this is the kind of intellectual curiosity I think defines a security professional. My advantage is that I figured out how to make a living out of writing about stuff, and producing crappy code that could never withstand a production environment. No accountability? Sign me up, baby! At this point I should probably mention that I am 5 craft brews in, so… er…. I am not responsible for this Summary. That is all. On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Mort quoted in Network World.

Favorite Securosis Posts

  • Adrian Lane: Deep Dive on Data Security.
  • Mike Rothman: Deep Dive on Cloud Security. Rich kills it in his RSA Conference Guide piece on Cloud Security. He understands how all the pieces fit together. Read it – it will be pretty pertinent over the next couple years.
  • Dave Lewis: After-School Special: It’s Time We Talked – about Big Data Security.
  • David Mortman: RSA Conference Guide 2014 Watch List: DevOps.
  • Rich: The (Full) 2014 Securosis RSA Conference Guide. Sure, we write the pieces, but for the past couple years Mike has pulled it together and added some serious awesome with his mad meme skills. He is really the driver who adds the awesome. Even if you already read the posts, you need to check out the PDF. Especially the IDM section – that’s all I will say.

Other Securosis Posts

  • Security Analytics with Big Data Research Paper.
  • Incite 2/19/2014: Outwit, Outlast, OutRSA.
  • Join the Securosis Firestarter Happy Hour: RSA Edition.
  • Firestarter: Payment Madness.
  • RSA Conference Guide 2014 Deep Dive: Endpoint Security.
  • RSA Conference Guide 2014 Deep Dive: Identity and Access Management.
  • RSA Conference Guide 2014 Deep Dive: Security Management and Compliance.
  • RSA Conference Guide 2014 Deep Dive: Application Security.

Favorite Outside Posts

  • Adrian Lane: The thing to know about JavaScript. As a newbie with JavaScript and NodeJS, I found this helpful.
  • Mike Rothman: Wealth Logic founder shares his insights. Pretty much everyone has money pressures one way or another. I really liked this guy’s perspective. This is the money quote: “In other words, the portfolio’s purpose isn’t to produce income, but to be consumed to fuel your life. The goal isn’t to be the richest guy in the graveyard.” Man, that’s good advice.
  • Rich: Target hack cost banks and credit unions more than $200 million. These are the kinds of numbers that move the meter.
  • Gal: Swiss fighters grounded during hijacking as outside office hours. One of those stories that defies commentary.
  • Rich (yup, another one): My hope for the new Cosmos. The original had a profound effect on how I see the world. My kids are probably too young but I will try to force this on them anyway.

Research Reports and Presentations

  • Security Analytics with Big Data.
  • Security Management 2.5: Replacing Your SIEM Yet?
  • Defending Data on iOS 7.
  • Eliminate Surprises with Security Assurance and Testing.
  • What CISOs Need to Know about Cloud Computing.
  • Defending Against Application Denial of Service Attacks.
  • Executive Guide to Pragmatic Network Security Management.
  • Security Awareness Training Evolution.
  • Firewall Management Essentials.
  • A Practical Example of Software Defined Security.

Top News and Posts

  • Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322.
  • Shostack’s got a new book on Threat Modeling.
  • Forbes, Kickstarter breached.
  • New Whitepaper: Security at Scale: Logging in AWS.
  • Iranian hack of US Navy network was more extensive and invasive than previously reported.
  • RSA Exhibitor Guidelines that Make You Think…. Behind every line item, there is a story.
  • Emergency Adobe Flash Update Handles Zero Day Under Attack.


Join the Securosis Firestarter Happy Hour: RSA Edition

When we started the FireStarter we also decided to try a quarterly (or whenever convenient) extended edition that breaks out of our usual 15-minute time limit. We will be recording the very first of these this Thursday at 5pm ET. As usual, we will use Google Hangouts, and I have scheduled it so it shows up on the Securosis page. You can also watch live on YouTube. We will take questions and comments using the Hangouts On Air Q&A tool, and because Google doesn’t like anonymous comments on YouTube any more, we will keep an eye on Twitter (don’t forget – there is a bit of a delay). There will be beer, and you’ll get to see my home tiki bar.


Firestarter: Payment Madness

This is our last regular Firestarter before we record our pre-RSA Quarterly Happy Hour. This week, after a few non-sequiturs, we talk about the madness of payment systems. It seems the US is headed towards chip and signature, not chip and PIN like the rest of the world, because banks think Americans are too stupid to remember a second PIN.


RSA Conference Guide 2014 Deep Dive: Data Security

It is possible that 2014 will be the death of data security. Not only because we analysts can’t go long without proclaiming a vibrant market dead, but also thanks to cloud and mobile devices. You see, data security is far from dead, but it is increasingly difficult to talk about outside the context of cloud, mobile, or… er… Snowden. Oh yeah, and the NSA – we cannot forget them. Organizations have always been worried about protecting their data, kind of like the way everyone worries about flossing. You get motivated for a few days after the most recent root canal, but you somehow forget to buy new floss after you use up the free sample from the dentist. But if you get 80 cavities per year, and all your friends get cavities and walk around complaining of severe pain, it might be time for a change.

Buy us or the NSA will sniff all your Snowden

We covered this under key themes, but the biggest data security push on the marketing side is going after one headline from two different angles: Protect your stuff from the NSA. Protect your stuff from the guy who leaked all that stuff about the NSA. Before you get wrapped up in this spin cycle, ask yourself whether your threat model really includes defending yourself from a nation-state with an infinite budget, or if you want to consider the kind of internal lockdown that the NSA and other intelligence agencies skew towards. Some of you seriously need to consider these scenarios, but those folks are definitely rare. If you care about these things, start with defenses against advanced malware, encrypt everything on the network, and look heavily at File Activity Monitoring, Database Activity Monitoring, and other server-side tools to audit data usage. Endpoint tools can help but will miss huge swaths of attacks. Really, most of what you will see on this topic at the show is hype. Especially DRM (with the exception of some of the mobile stuff) and “encrypt all your files” because, you know, your employees have access to them already.

Mobile isn’t all bad

We talked about BYOD last year, and it is still clearly a big trend this year. But a funny thing is happening – Apple now provides rather extensive (but definitely not perfect) data security. Fortunately Android is still a complete disaster. The key is to understand that iOS is more secure, even though you have less direct control. Android you can control more visibly, but its data security is years behind iOS, and Android device fragmentation makes it even worse. (For more on iOS, check out our deep dive on iOS 7 data security.) I suppose some of you Canadians are still on BlackBerry, and those are pretty solid. For data security on mobile, split your thinking into MDM as the hook, and something else as the answer. MDM allows you to get what you need on the device. What exactly that is depends on your needs, but for now container apps are popular – especially cross-platform ones. Focus on container systems as close to the native device experience as possible, and match your employee workflows. If you make it hard on employees, or force them into apps that look like they were programmed in Atari BASIC (yep, I used it), they will quickly find a way around you. And keep a close eye on iOS 7 – we expect Apple to close its last couple holes soon, and then you will be able to use nearly any app in the App Store securely.

Cloud cloud cloud cloud cloud… and a Coke!

Yes, we talk about cloud a lot. And yes, data security concerns are one of the biggest obstacles to cloud deployments. On the upside, there are a lot of legitimate options now. For Infrastructure as a Service look at volume encryption. For Platform as a Service, either encrypt before you send it to the cloud (again, you will see products on the show floor for this) or go with a provider who supports management of your own keys (only a couple of those, for now). For Software as a Service you can encrypt some of what you send these services, but you really need to keep it granular and ask hard questions about how they work. If they ask you to sign an NDA first, our usual warnings apply. We have looked hard at some of these tools, and used correctly they can really help wipe out compliance issues. Because we all know compliance is the reason you need to encrypt in the cloud.

Big data, big budget

Expect to see much more discussion of big data security. Big data is a very useful tool when the technology fits, but the base platforms include almost no security. Look for encryption tools that work in distributed nodes, good access management and auditing tools for the application/analysis layer, and data masking. We have seen some tools that look like they can help, but they aren’t necessarily cheap, and we are on the early edge of deployment. In other words it looks good on paper, but we don’t yet have enough data points to know how effective it is.


RSA Conference Guide 2014 Deep Dive: Cloud Security

In our 2013 RSA Guide we wrote that 2012 was a tremendous year for cloud security. We probably should have kept our mouths shut and remembered all those hype cycles, adoption curves, and other wavy lines, because 2013 blew it away. That said, cloud security is still quite nascent, and in many ways losing the race with the cloud market itself, expanding the gap between what’s happening in the cloud and what’s actually being secured in the cloud. The next few years are critical for security professionals and vendors, as they risk being excluded from cloud transformation projects, and thus finding themselves disengaged from enterprise markets as cloud vendors and DevOps take over security functions.

Lead, Follow, or Get the Hell out of the Way

2013 saw cloud computing begin to enter the fringes of the early mainstream. Already in 2014 we see a bloom of cloud projects, even among large enterprises. Multiple large financials are taking tentative steps into public cloud computing. When these traditionally risk-averse technological early adopters put their toes in the water, the canary sings (okay, we know the metaphor should be that the canary dies, but we don’t want to bring you down). Simultaneously we see cloud providers positioning themselves as a kind of security provider. Amazon makes abundantly clear that they consider security one of their top two priorities, that their data centers are more secure than yours, and that they can wipe out classes of infrastructure vulnerabilities to let you focus on applications and workloads. Cloud storage providers are starting to provide data security well beyond what most enterprises can even dream of implementing (such as tracking all file access, by user and device). In our experience security has a tiny role in many cloud projects, and rarely in the design of security controls. The same is true for traditional security vendors, who have generally failed to adapt their products to meet new cloud deployment patterns. We can already see how this will play out at the show, and in the market. There is a growing but still relatively small set of vendors taking advantage of this gap by providing security far better attuned to cloud deployments. These are the folks to look at first if you are involved in a cloud project. One key thing to check is their billing model: do they use elastic metered pricing? Can they help secure SaaS or PaaS, like a cloud database? Or is their answer, “Pay the same as always, run our virtual appliance, and route all your network traffic through it”? Sometimes that’s the answer, but not nearly as often as it used to be. And assess honestly when and where you need security tools, anyway. Cloud applications don’t have the same attack surface as traditional infrastructure. Risks and controls shift; so should your investments. Understand what you get from your provider before you start thinking about spending anywhere else.

SECaaS Your SaaS

We are getting a ton of requests for help with cloud vendor risk assessment (and we are even launching a 1-day workshop), mostly driven by Software as a Service. Most organizations only use one to three Infrastructure as a Service providers, but SaaS usage is exploding. More often than not, individual business units sign up for these services – often without going through the procurement process. A new set of vendors is emerging to detect usage of SaaS, help integrate it into your environment (predominantly through federated identity management), and add a layer of security. Some of these providers even provide risk ratings, although that is no excuse for not doing your own homework. And while you might think you have a handle on SaaS usage because you block Dropbox and a dozen other services, there are thousands of these things in active use. And, in the words of one risk officer who went around performing assessments: at least one of them is a shared house on the beach with a pile of surfboards out front, an open door, and a few servers in a closet. There are a dozen or more SaaS security tools now on the market, and most of them will be on the show floor. They offer a nice value proposition, but implementation details vary greatly, so make sure whatever you pick meets your needs. Some of you care more about auditing, others about identity, and others about security, and none of them really offer everything yet.

Workload Security Is Coming

“Cloud native” application architectures combine IaaS and SaaS in new highly dynamic models that take advantage of autoscaling, queue services, cloud databases, and automation. They might pass a workload (such as data analysis) to a queue service, which spins up a new compute instance in the currently cheapest zone, which completes the work, and then passes back results for storage in a cloud database. Under these new models – which are in production today – many traditional security controls break. Vulnerability assessment on a server that only lives for an hour? Patching? Network IDS, when there is no actual network to sniff? Talk to your developers and cloud architects before becoming too enamored with any cloud security tools you see on the show floor. What you buy today may not match your needs in six months. You need to be project driven rather than product driven, because you can no longer purchase one computing platform and use it for everything. That is, again, why we think you should focus on elastic pricing that will fit your cloud deployments as they evolve and change. So an elastic pricing model is often the best indicator that your vendor ‘gets’ the cloud.

Barely Legal SECaaS

We are already running long, so suffice it to say there are many more security offerings as cloud services, and a large percentage of them are mature enough to satisfy your needs. The combination of lower operational management costs, subscription pricing, pooled threat intelligence, and other analytics is often better than what you can deploy and manage completely internally. You still need to


RSA Conference Guide 2014 Watch List: DevOps

We have covered the key themes we expect to see at the RSA Conference, so now we will cover a theme or two you probably won’t see at the show (or not enough of, at least), but really should. The first is this DevOps thing guys like Gene Kim are pushing. It may not be obvious yet, but DevOps promises to upend everything you know about building and launching applications, and make a fundamental mark on security. Or something I like to call “SecOps”.

DevOps, Cloud, and the Death of Traditional IT

Recently in one of my cloud security classes I had a developer in attendance from one of those brand-name consumer properties all of you, and your families, probably use. When he writes a code update he checks it in and marks it for production; then a string of automated tools and handoffs runs it through test suites and security checks, and eventually deploys it onto their infrastructure/platform automatically. The infrastructure itself adjusts to client demands (scaling up and down), and the concept of an admin accessing a production server is an anachronism. At the latest Amazon Web Services conference, Adobe (I believe the speaker was on the Creative Cloud team) talked about how they deploy their entire application stack using a series of AWS templates. They don’t patch or upgrade servers, but use templates to provision an entirely new stack, slowly migrate traffic over, and then shut down the old one when they know everything works okay. The developers use these templates to define the very infrastructure they run on, then deploy applications on top of it. Microsoft Office? In the cloud. Your CRM tool? In the cloud. HR? Cloud. File servers? Cloud. Collaboration? Cloud. Email? Cloud. Messaging? Get the picture? Organizations can move almost all (and sometimes all) their IT operations onto cloud-based services. DevOps is fundamentally transforming IT operations. It has its flaws, but if implemented well it offers clear advantages for agility, resiliency, and operations. At the same time, cloud services are replacing many traditional IT functions. This powerful combination has significant security implications. Currently many security pros are completely excluded from these projects, as DevOps and cloud providers take over the most important security functions. Only a handful of security vendors are operating in this new model, and you will see very few sessions address it. But make no mistake – DevOps and the Death of IT will show up as a key theme within the next couple years, following the same hype cycle as everything else. But like the cloud, these trends are real and here to stay, and have an opportunity to become the dominant IT model in the future.


RSA Conference Guide 2014 Key Theme: Cloud Everything

There is no stopping the train now that it’s rolling. Here is the final key theme that we expect to see at the show, and yes, it’s all about the cloud. And yes, I managed to work a Jimmy Buffett lyric into the piece. Rich 1, Internet 0.

Cloud Everything. Again. We’re Bored Now.

The cloud first appeared in this illustrious guide a mere three or four years ago. The first year it was all hype – with no products, few vendors realized that cloud computing had nothing at all to do with NOAA, and plenty of security pros thought they could just block the cloud at the firewall. The following year was all cloud washing, as booths branded themselves with more than sticky notes saying “We Heart Cloud,” but again, almost nobody did more than wrap a custom-hardware-accelerated platform onto a commodity hypervisor. But in the last year or so we saw glimmers of hope: not only a few real (okay, virtual) products, but cloud-curious security pros starting to gain a little experience, and more honest-to-goodness native cloud products. (Apologies to the half-dozen cloud native vendors who have been around for more than a few years, and don’t worry, we know who you are.) We honestly hoped to drop the cloud from our key themes, but this is one trend with legs. More accurately, cloud computing is progressing nicely through the adoption cycle, deep into the early mainstream. The problem is that many vendors recognize the cloud will affect their business, but don’t yet understand exactly how, and find themselves more in tactical response mode. They have products, but they are mostly adaptations of existing tools rather than the ground-up rebuilds that will be required. There are more cloud native tools on the market now, but the number is still relatively small, and we will still see massive cloud washing on the show floor. While we’re at it, we may as well lump in Software Defined Networking, though ‘SDN-washing’ doesn’t really roll off the tongue. Two areas you will see hyped on the show floor which provide real benefits are Security as a Service (SECaaS – say it loud and love it) and threat intelligence. Vendors may be slow to rearchitect their products to protect native cloud infrastructure and workloads, but they are doing a good job of pushing their own products into the cloud, and collective intelligence breaks some of the information sharing walls that have held security back for decades. But here is all you need to know about what you will see across the show – big financial institutions are all kicking around various cloud projects. The sharks smell the money, unlike in previous years when it was about looking good for the press and early adopters. In the immortal words of the great sage Jimmy Buffett, “Can you feel them circling honey, can you feel them schooling around? You got fins to the right, fins to the left, and you’re the only game in town.”


Firestarter: Mass Media Abuse

In this week’s Firestarter we talk about the Book of Mormon (the play, not the other thing), biking while intoxicated, and the ongoing predilection of mass media to abuse the truth about security for ratings. Because, NBC and Sochi. And we have a question. Please drop us a line in the comments or on Twitter if you’d like us to also post the Firestarter as an audio-only podcast.


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.