Research

I am in a bit of a pickle, and could use some advice. Over the time I have been an analyst, I have learned that it is important to have the right distribution of research. My rule of thumb is 80-90% of it should be practical research to help people get their jobs done on a daily basis. Then you can spend 10-20% on future research that I promise not to call thought leadership. Many analysts (and other pundits) fall into an esoteric trap, where they are so desperate to be seen as leaders that their research becomes more about branding and marketing, and less about helping people get their jobs done. It is totally fine to tilt at the occasional windmill, but everything in moderation. The corollary is that once you focus on the future too much you disconnect from the present and lose your understanding of current technologies and trends, and your subsequent predictions are based on reading science fiction and bad tech media articles. Those aren’t worth the bits they are printed on. And yeah, there is a lot of that going around. Always has been, especially in conference keynotes. This isn’t merely for ego gratification. On the business side you can’t survive long by selling research that doesn’t help someone get their job done. Many of my former Gartner colleagues lose track of this because they think people like their new “connected enterworld” junk, as opposed to paying for Magic Quadrants so they don’t lose their jobs when they buy something in the upper-right quadrant that doesn’t work. For a small firm like us, screw up the mix and it’s back to truck driving school. My dilemma is that a lot of the research I’m working on appears to be ahead of the general market, but still very practical and usable. I am thinking specifically of my work on Software Defined Security and DevOps. It’s the most fulfilling research I have done in a long time, especially because it gets me back to coding – even at a super-basic level. But I am borderline tilting at windmills myself – relatively few organizations are operationally ready for it. So it isn’t a load of hand-waving bullpoop – it is all real and usable today – but not for many organizations that lack the time or resources to start integrating these ideas. Not everyone has free time to play with new things. Especially with all the friggin’ auditors hanging over your head. Anyway, I have been bouncing this off people since Black Hat and am interested in what you folks think. I would love to make a go of it and have at least half my research agenda filled with using APIs, securing cloud management planes, integrating security into DevOps, and the like, but only if there is real interest out there – I gotta pay the bills. Drop me a line at rmogull at securosis dot com if you have an opinion, or leave a comment on this post. Thanks, and on to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike’s DDoS research quoted in the Economist… Really. Security issues are clearly becoming mass market news. Mike quoted in Dark Reading about Websense’s free CSO advisory offering. Don’t Be The Tortoise. Rich digs into his old book of parables at Dark Reading to point out that: “Agility may not always win the race, but you sure shouldn’t bet against it.” Incentives and Organizational Alignment (Or Lack Thereof). Mike’s latest Dark Reading column on Vulnerabilities and Threats. Rich on Threatpost – How I Got Here. I got to do my third favorite thing, talk about myself. Dave Mortman on Big Data Security Challenges. Rich’s piece on Apple’s security design quoted in a Techpinions article. Dave Lewis at CSO Online: Innovation And The Law Of Unintended Consequences. And more of Mr. Lewis: My (ISC)2 Report Card. Favorite Securosis Posts Mike Rothman: The future of security is embedded. Gunnar weighs in on our little blog ‘discussion’ about how to prove value in a security operation. And no, I don’t really think Rich and I were arguing. Rich: Random Thought: Meet Your New Database. Some trends are real. Both Adrian and I, former DBAs and developers, would likely go non-relational with our next projects. Mort: PCI 3.0 is coming. Hide the kids. Other Securosis Posts Tracking the Syrian Electronic Army. Third Time is the Charm. Security is Reactive. Learn to Love It. Deming and the Strategic Nature of Security. Incite 8/27/2013: You Can’t Teach Them Everything. Reactionary Idiot Test. VMWare Doubles Down on SDN. China Suffers Large DNS DDoS Attack. Friday Summary: August 23, 2013. “Like” Facebook’s response to Disclosure Fail. Research Scratchpad: Stateless Security. New Paper: The 2014 Endpoint Security Buyer’s Guide. Incite 8/21/2013: Hygienically Challenged. Two Apple Security Tidbits. Ecosystem Threat Intelligence: Use Cases and Selection Criteria. Ecosystem Threat Intelligence: Assessing Partner Risk. Favorite Outside Posts Mike Rothman: Innovation and the Law of Unintended Consequences. Dave has been killing it in his CSO blog. This latest one deals with the fact that until we can do security fundamentals well, dealing with all of these shiny innovative security objects is like moving deck chairs on the Titanic. David Mortman: ITIL vs. DevOps: Slugfest or Lovefest? Rich: Dark Patterns: inside the interfaces designed to trick you. Really great design stuff. Research Reports and Presentations The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Top News and Posts New York Times DNS Hacked. Android malware WAY worse than iOS. Russian spyboss brands Tor a crook’s paradise, demands a total ban. Obama administration asks court to force NYT reporter to reveal source. Amazon ‘wish list’ is gateway to epic social engineering hack. Former White House ‘copyright czar’

Brian Krebs is digging into the SEA and trying to out individuals: A hacking group calling itself the Syrian Electronic Army (SEA) has been getting an unusual amount of press lately, most recently after hijacking the Web sites of The New York Times and The Washington Post, among others. But surprisingly little light has been shed on the individuals behind these headline-grabbing attacks. Beginning today, I’ll be taking a closer look at this organization, starting with one of the group’s core architects. He’s just getting started, and his techniques wouldn’t stand forensic or legal scrutiny, but are still very interesting. Very similar to the stuff Mandiant dug up on Chinese hackers. Everyone leaves tracks. Everyone. Share:

Few things make me happier than getting to publicly disagree with one of my coworkers. Earlier today Mike suggested that security is too reactive and tactical to succeed. Then we hear the usual platitudes about treating security as a risk management function, better metrics, blah blah blah. Not that there is anything wrong with all that, but it needs to be discussed in context of the fundamental nature of security. Which is an ongoing state of disruptive innovation. Security is reactive by nature – the moment it isn’t is the moment you really lose. The question is how to best provide yourself with the most time to plan your reactions, and what kind of infrastructure you can put in place to reduce the cost and complexity of any course corrections. Business innovation tends to result from three primary drivers: Competitive response. A competitor does something; you need to respond to stay in the game. Competitive advantage. You do something to gain an edge, and force others to respond. Efficiency/effectiveness. You streamline and improve your processes to reduce overhead. But security only shares one of those drivers. Security innovation is dominated by externalities: Business innovation. The business does something new, so you need to respond. Attacker innovation. Internal efficiency/effectiveness. “Doing security better”. Two of the three forces on a business are internal, with only competitive response driven by an outside actor. Security flips that. We can’t ever fully predict what the business or attackers will do down the road, so we need to scramble to react. That’s why we can never seem to skate ahead of the puck. You can’t skate ahead of a quantum field state that will eventually collapse into a single wave function – there are too many options to choose one. The trick, as Chris Hoff and I have been talking about at RSA for about 6 years now, is to take a strategic approach to prediction. This is why even a risk-based security approach is, in reality, just another tactical piece. The strategic piece is building a methodology to inform your working assumptions for what the future holds, and building your program to respond quickly once a direction is set. It isn’t magic, and some of you do this intuitively. You stay up to date on the latest research, both in and out of security. You track both new attack and general technology trends. You engage heavily with the business to understand their strategic direction before they make the tactical technology choices you later have to secure. A lot of this looks almost identical to Mike’s recommendations, but the reason organization after another fails in their risk-based, metrics-driven, incident response programs is they to and run them in a bubble, and assume situations are static on at least an annual basis. If you build your program assuming everything will change underneath you, you will be in much better shape. And I absolutely believe this is a realistic and pragmatic goal that others have achieved. Share:

We generally avoid talking about the NSA, Snowden, and such, but this piece is actually illuminating, without any sort of political commentary. Steven J. Vaughan-Nichols points out that moving your stuff outside the US gives the NSA more freedom to snoop: Because, in the United States, the NSA and friends need to jump through the FISC hoops to listen in to your e-mail, cloud data transfers, phone calls, whatever. If you’re doing any of the above to someone or some site outside of the US, any of your communications are pretty much fair game. I always like to out reactionary foolishness like this. Just a little bit of knowledge and analysis make clear that your data isn’t safer overseas. Consider this a commentary on reactionism – not on the scope of NSA monitoring. Share:

The Payment Card Industry Security Standards Council recently released a preview of potential changes in PCI 3.0 that will go into effect in 2014. It looks like they read the Verizon DBIR: The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Common challenge areas and drivers for change include: Lack of education and awareness Weak passwords, authentication Third-party security challenges Slow self-detection, malware Inconsistency in assessments Nothing is final, but a few highlights worth understanding now, since they may sure as heck nail you later: Better current documentation of cardholder data flow and everything within PCI scope. Penetration testing is a requirement. If they are serious about this I am not sure how that will play out for the SMB side of the world. This one I’m darn curious to see how they handle. I predict total failure: To address compromises where the organization had been PCI DSS compliant but did not maintain that status. Recommendations focus on helping organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice. An emphasis on consistency of assessments. More specifics on “daily log reviews”. Oh my. PCI isn’t totally worthless, but I don’t expect much practical improvement to come out of the 3.0 updates. These are very reasonable holes to address, and will help, but we may be about to burden many organizations with activities they cannot possibly support. Start your SaaS engines now… Share:

VMWare is pushing hard on the virtual datacenter concept this week at VMWorld, with the first release of their new SDN networking approach based on the Nicira acquisition. Greg Ferro has a good take (hat tip to @beaker/Hoff for the link): VMware NSX is a solution for programmable and dynamic networking service that interoperates with VMware vCloud director, OpenStack or Hyper-V–this is where the real value is derived. In the near future, servers will no longer be “operating systems” but “application containers.” Instead of installing an application onto a operating system, the application will part of a service template that will do most or all of these: Three things: I don’t think it is a game changer itself, but it is a (sort of new) entry by a major player into an area of growing interest. It will certainly create a lot more dialogue. Oh crap, now I need to brush up on networking again. And you networking types need to brush up on programming and APIs. SDN coupled with the cloud can enable seriously cool security capabilities. Like a couple API calls to identify every server on every network segment, every path to said servers, and all the firewall rules around them. In real time. Share:

From the Wall Street Journal (via The Verge): The attack began at 2 a.m. Sunday morning and was followed by a more intense attack at 4 a.m., according to the China Internet Network Information Center, which apologized to affected users in its statement and said it is working to improve its “service capabilities.” The attack, which was aimed at the registry that allows users to access sites with the extension “.cn,” likely shut down the registry for about two to four hours, according to CloudFlare No idea on the motivation yet, which is interesting. China has one of the most sophisticated filtering systems in the world and analysts rate highly the government’s ability to carry out cyber attacks. Despite this, China is not capable of defending itself from an attack, which CloudFlare says could have been carried out by a single individual. Dear mass media, offense isn’t defense. They come out of different budgets with different motivations. China has IT silos just like we do, get over it. Share:

Here’s another idea I’ve been playing with. As I spend more time playing with various cloud and infrastructure APIs, I’m starting to come around to the idea of Stateless Security. Here’s what I mean: Right now, a reasonable number of our security tools rely on their own internal databases for tracking state. Now for something like IPS this isn’t a problem, but there are a lot of other functions that have to rely on potentially stale data since there are only so many times we can run security checks before pissing off the rest of the infrastructure. Take configuration and vulnerability management — we tend to lack even an accurate idea of our assets and have to scan the heck out of our environment to keep track of things. But as both security tools and infrastructure expose APIs, we can use Software Defined Security to pull data, in real time, from the most canonical source, rather than relying on synchronization or external scanning. Take the example I wrote up in my SecuritySquirrel proof of concept. We pull a real time snapshot of running instances directly from the cloud, then correlate it with a real time feed from our configuration management tool in order to quickly identify any unmanaged servers. I originally looked at building a simple database to track everything, but quickly realized I could handle it more quickly and accurately in memory resident code. Even 100,000 servers could easily be managed like this with the memory in your laptop (well, depending on the responsiveness of the API calls). The more I think about it, the more I can see a lot of other use cases. We could pull data from various security tools and the infrastructure itself, performing real time assessments instead of replicating databases. Now it won’t work everywhere, and maybe not even in the majority of cases, but especially as we add more API enabled infrastructure and applications it seems to open a lot of doors. Using a software defined network? Need to know the real-time route to a particular server and correlate with firewall rules based on a known vulnerability? With stateless security this is potentially a few dozen lines of code (or less) that could trigger automatically anytime a new vulnerability is either detected or an advisory released (just add your threat intelligence feed). The core concept is, wherever possible, pull state in real time from the most canonical source available. I’m curious what other people think about this idea. Share:

Two interesting items. First up, whatever actual vulnerability was used, the Apple Developer Center was exploited with a code execution flaw: On the site, Apple credits 7dscan.com and SCANV of www.knownsec.com for reporting the bug on July 18, which is the same day the Developer Center was taken offline. During the downtime, Apple reported that the Developer Center website had been hacked, with an intruder attempting “to secure personal information” from registered developers. The company noted that while sensitive information was encrypted, some developer names, mailing addresses, and/or email addresses may have been acquired. Expect to see constant developer targeting, on all platforms, as operating systems themselves become hardened. No details on the flaw other than that, but I didn’t even expect them to release that much. They also credit the researcher who pulled user account info using, it turns out, a different flaw. That’s the guy some expected them to go after legally, which is even more interesting. Item number 2. Researchers from Georgia Tech slipped some test malware into Apple’s App Store: A group of researchers from Georgia Tech developed an app that masqueraded as a news reader that would phone home to reprogram itself into malware – something that was apparently not picked up in Apple’s security screening procedures, reports the MIT Technology Review. Charlie Miller did this once before, and I’m sure it will happen again. It’s a big cat and mouse game, and Apple is in for constant battles (as are Google, Microsoft, and Amazon with their stores). It will keep getting harder, but likely never impossible. The real question is mitigation. Apple yanks apps when needed, but generally won’t claw them back off a device. For Macs that requires a software update, and I am investigating whether it is more automated for iOS. Share:

It appears that Lockheed Martin has trademarked the term “Cyber Kill Chain”. This should be no surprise, and you can read my House of Cybercards post if you want to know why this isn’t merely humorous. In an interview, James Arlen, creator of the term ‘Cyberdouche’, confirmed his term “is still free to use, as also demonstrated by Lockheed.” Share: