Research

A while back I got the weird idea that Database Activity Monitoring is useful enough that it would make sense to do the same thing for file repositories. I’m not talking about full DLP – but about granular tracking of user access to major file servers and document management solutions. I added “File Activity Monitoring” to the Data Security Lifecycle and figured someone would develop it eventually. And that day is finally here, and the tech is way cooler than I expected – tying in tightly (in most cases) to entitlement management for some nifty real-time security scenarios. This is pretty practical stuff, with uses such as detecting a user snagging an entire directory and catching service accounts poking around inappropriate files. I am excited to launch our white paper on the topic, Understanding and Selecting a File Activity Monitoring Solution. That’s the landing page, or you can download the PDF directly. Special thanks to Imperva for licensing the report, and I hope you like it. Share:

In the 4 years since I started Securosis, this is absolutely the most bat-sh** crazy time I have experienced. Between cramming for the cloud security training class, managing a software development project, keeping our infrastructure up and running, hitting writing deadlines, and keeping up with prospects and clients, I barely have time to breathe. Add in a couple young kids who have done their best to ensure I don’t get a good night’s sleep at home for the past 6 months… and it’s no wonder I finished last week alternating between passing out and participating in commode-based religion. But I’m loving it. Right now I have the exact same feeling as when I hit the last couple miles in a triathlon. It’s painful. Oh so painful. But the endorphins kick in and you start thinking about life after the race. But now isn’t the time to lose focus. So time to bang this out and move on to the next item on the list. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich contributed Mac Defender: Pay attention but don’t panic to Macworld. Oracle 11G Available On Amazon AWS: Adrian’s Dark Reading post. Favorite Securosis Posts Mike Rothman: Cloud Security Training: June 8-9 in San Jose. If you need to know about cloud security, we’ll teach you. A few spots remain. The curriculum kicks ass. Adrian Lane: Planning vs. Acting. Rich: Sowing the Seeds of Token Panic. Other Securosis Posts End Users, Fill out Our Security Marketing Content Survey. Incite 5/25/2011: Rapturing the Middle Ground. Favorite Outside Posts Mike Rothman: Mac Defender: Pay attention but don’t panic. Love it when a post Rich writes is highlighted on Techmeme and Daring Fireball. Especially when it’s posted on MacWorld. 🙁 But the traffic is well deserved – great perspectives on the next wave of Mac attacks. Adrian Lane: Siemens Downplaying Serious SCADA Holes. Thought they would have taken a lesson from Oracle and Microsoft – I guess not. Chris Pepper: Dilbert deals with [firewall] managment. “Keep me informed.” Research Reports and Presentations React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. Top News and Posts New version of Mac malware doesn’t require password. Siemens Working On Fix For ‘Security Gaps’ In Logic Controllers. Keys to the cloud castle. The rise of the chaotic actor: Understanding Anonymous and ourselves. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Shack, in response to Planning vs. Acting. Except that i’m not. I’ve been there, and appreciate the whole “water cooler” thing. However, i see way too many security managers who wrap themselves in “governance” and rhetoric. C’mon. I’m not ignorant to understanding the risk and threat landscape. But all talk, and reciting the latest incedible “news story” does … What? Ours is a discipline technical in nature, and relies on technical acumen to fully understand and articulate risk. If your career is built on “water cooler” topics, i’ll likely be reading about your organization in the news in the future. I for one have had enough of the “strategists” with no tactical knowledge or understanding. Share:

You might have noticed I haven’t been blogging much for a couple months. That’s because I’m spending nearly every waking hour on our training class for the Cloud Security Alliance. This is a pretty big deal for us and I’m psyched it’s almost finished. The class is the Cloud Computing Security Knowledge course, tied to the CCSK certification. I just checked, and we have about 10 slots left for the first full class we’ll be giving June 8-9 at the eBay North campus. You can sign up online. This version is evolved and seriously revised from our February test class at RSA. Actually, it is now three classes: CCSK Basic: A one-day lecture to cover the core material and prepare you for the CCSK exam. This is close to what we delivered at RSA, a firehose of material on all things cloud security – from defining the cloud, to encryption models, to IAM. CCSK Plus: This includes the first day, then adds a day of additional lecture and hands-on activities. This is what’s killing my time, and where we get into the meat of cloud security. We start with threat models, move into creating and securing EC2 instances (and understanding the EC2 security model), encrypting EBS volumes, building an application infrastructure with availability and security zones, building an OpenStack cloud, IAM, and so on. It’s designed so you don’t need to be a tech god, but there’s room to explore for those of you with stronger skills who don’t want to get bored. And be honest: how many of you have installed MySQL in an encrypted EBS volume? Train the Trainer: Yes, you can get certified to teach the class yourself (note that you’ll need to sign an agreement with the CSA). This is a third day to go into more depth, including walking through all the scripts and tech used in the class, how to set up your instructor system, and deeper Q&A on the material. The class is pretty broad, but we do get as in-depth as we can in the limited time. And not to worry, we’ll be hitting the road with it soon, and we know a bunch of training organizations will also be picking it up. Share:

If you follow me on Twitter (@rmogull) you might suspect that last week I took a short vacation. And that said vacation started somewhat auspiciously. And said event really pissed me off to a degree I normally don’t let myself hit. And, just perhaps, American Airlines was responsible. Like many of you I spend a heck of a lot of time in airports. Enough that I tend to shun personal travel since it isn’t really worth the hassles. Starting a vacation at the airport is, for me, like trying to start a vacation by heading to work in a traffic jam, hunting for a parking spot, getting groped by the security guard at the door, and having my ass duct taped to a chair for 5 hours while being force-fed flavored cardboard. Well, I suppose there’s beer and wine. If by “beer” you mean some piss-yellow watered down crap with a german name, and by “wine” you mean a small bottle of grape juice likely fermented in a cattle stall. Back to the story. This trip was special. It was the first time my wife and I would get away without the kids since our second little nugget showed up. Plus it was for my 40th birthday and our 5th anniversary. The idea of sleeping more than 3-4 hours at a stretch was drool-inspiring. Our first plane took off on time. It even landed early. WAY early. At the airport we started from. With a mechanical. As soon as we hit the runway I was calling AA and holding a space on a backup for our connecting flight. Then we were told it would be a 2 hour wait (at least) so I was back on the phone getting our next flight, and then an even later connecting flight to our eventual destination. Our new flight was then delayed. With a mechanical. We landed with mere seconds to spare for us to get to our connecting flight, so we literally sprinted through the airport and arrived maybe 60 seconds after the 10 minute cutoff. Most airlines will hold a connecting flight for a minute or two, or at least leave the gate door open a little longer, if they know there are connecting passengers and it’s the airline’s fault they’re late. But not AA. That door slammed closed leaving about 5 of us (from different delayed flights) waiting another 4 hours for the next one. For the first time ever I asked to speak with a supervisor. He told me that because they were #16 of 17 for on-time rate, they never hold flights. Nice. So they get to maybe improve their numbers and piss off their passengers in the process. While I was speaking with him about a half-dozen other passengers from different flights and connections all made the same complaint. This is a classic example of focusing on a metric to the detriment of the business. As for us? We finally got to our destination over 7 hours late. On the upside it was the Margaritaville Beach Resort and the bar was still open. I wasn’t quite as angry after my first top-shelf marg. By the time we saw Jimmy Buffett at the New Orleans Jazz Fest? Well, heck, I would have kissed one of those crappy AA planes. On the nose, not the tail. It isn’t like I’m some sort of weirdo. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading Post on Secure Access to Relational Data. Rich’s Cloud Encryption Use Cases. (registration required) Favorite Securosis Posts Adrian Lane: Thoma Bravo Trips the Wire Fantastic. Money trumps security strategy. Mike Rothman: SIEM: Out with the Old. SIEM is not the only technology companies are looking to swap out in the near term. Adrian does a good job of dealing with how to select that new SIEM. Rich: Sophos Wishes upon A-star-o. First we like RSA/NetWitness, now this. I swear we must be going soft or something. Other Securosis Posts Incite 5/11/2011: Generalists and Specialists. Incomplete Thought: Existential Identities (or: Who the F*** are You?). Favorite Outside Posts Gunnar: Process kills developer passion. Best practices sound good in isolation, but they can suck the life out of developers. Adrian Lane: Process kills developer passion. When you de-Agile Agile, it’s no longer Agile, and no freakin’ fun! Mike Rothman: A Veteran of SEAL Team Six Describes His Training. Not security related, but a great read. These guys are bad ass. Pepper: Apps to stop data breaches are too complicated to use. Sounds like folks need guidance, eh? 😉 Rich OpenStack Beginner’s Guide for Ubuntu 11.04. I’ve been banging my head against OpenStack and this is the best how-to guide I’ve hit. Research Reports and Presentations React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. Top News and Posts Google Fixes Two Chrome Bugs, Adds Flash 10.3 to Browser. Microsoft Security Intelligence Report (SIRv10) released. Zeus Source Code Leaked. VUPEN Whitehats Claim To Have Broken Chrome Sandbox. FCC Chairman becomes FCC Lobbyist. For a firm she just ruled in favor of. Meredith Attwell Baker rates an 8.5 on the scumbag scale. Microsoft Patch Remote Code Execution Vulnerability in WINS. Anonymous Splinter Group Implicated in Sony Hack. FBI Spyware and Electronic Surveillance. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Zac, in response to Earth to Symantec: AV doesn’t stop the APT. I’d like to point out one of the massive flaws in our security systems – one that all the vendors out there exploit: those that make the purchasing/planning decisions at most of the businesses / institutions / governments / etc.

I’ve taught a lot of different classes over the years, and always found the different structures to be pretty interesting. On one end were highly scripted first aid classes that forced us to show crappy “Help! I’ve fallen!” videos produced in 1878 accompanied by a mandatory script. The name of the game was baseline consistency. Lock everything down as tight as possible because you can’t predict the quality of the instructor. Heck, few CPR instructors have ever actually done CPR. I know how I taught changed after I cracked some ribs on mostly-dead people. (No, they don’t wake up and thank you like on Baywatch. And they are never that hot or in bikinis. Well sometimes bikinis, but trust me, you really should dress more appropriately before letting your heart stop.) In a completely different direction is martial arts – which is all about tailoring the experience to best connect with the student over many years. I only ran a solo class for about 6 months while my instructor ran off to start his family, and learned a hell of a lot in the process. Then my IT career hit and that was the end of that. Why bring this up now? I’ve been hip-deep in pulling together all the final materials for the first fully packaged CCSK class we will be teaching June 8-10. For the first time I’m in the position of developing courseware for a structured class, with hands-on, which others will have to teach. The lecture slides are pretty straightforward, although we have to be careful to include plenty of instructor notes and not assume any experience level. The hands-on exercises? Those are a challenge. Building the scenarios wasn’t too tough. But it takes me 5 times longer to convert one into a package someone else can teach from. Everything has to be scripted, packaged, and able to run on everything from a high-end Mac Pro to a freaking Speak-n-Spell. And run a private cloud for 40 students on a Windows ME netbook. A lot more people have performed CPR than have built private clouds. I’m not complaining – it’s a blast to work with my hands again. Although I have always sucked at debugging, and my wife is pissed I keep bleeding on the floor from banging my head against all our walls. But it’s very cool to put everything together like a puzzle. Pre-script pieces in module 1 we won’t need until module 8, just so students can focus on the concepts rather than the command lines, while still giving advanced folks freedom to explore and play so they don’t get bored. I just hope it all works. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian quoted in CSO Magazine. Rich on security and the AWS outage. The Network Security Podcast, Episode 239. With special guest Josh Corman. Favorite Securosis Posts Mike Rothman: Why We Didn’t Pick the Cloud (Mostly) and That’s OK. Who else gives you such a look into the thought processes behind major decisions? Right, no one. You’re welcome. David Mortman: Why We Didn’t Pick the Cloud (Mostly), and That’s Okay. Adrian Lane: Why We Didn’t Pick the Cloud. Operations played a bigger part in the decision process than we expected. Rich: Software vs. Appliance: Software. Other Securosis Posts Incite 4/27/2011: Just Write. Security Benchmarking, Beyond Metrics: Benchmarking in Action. Security Benchmarking, Beyond Metrics: Index. Favorite Outside Posts Mike Rothman: DHS chief: What we learned from Stuxnet. How cool would it have been if Secretary Napolitano had just said “We’re screwed.”? We are, but this article hits on responding faster and more effectively. David Mortman: TCP-clouds, UDP-clouds, “design for fail” and AWS. Because DR is a security issue Adrian Lane: Anatomy of a SQL Injection Attack. Dave Lewis: DHS needs to point finger at self, not private industry. Rich: Richard Bejtlich’s Cooking the Cucko’s Egg. Research Reports and Presentations React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. Top News and Posts Sony’s PlayStation Network and Qriocity hacked. How SmugMug survived the Amazonpocalypse. Flash + 307 Redirect = Game Over. Amazon Is Amazing! Smells of back-handed compliments, but much of the content is accurate. Share:

It’s no secret that we are currently working on a new software platform to deliver actionable security research to a broader market, engage folks, and… umm… feed our families. As you might expect, like any software project, it’s running about 30% late and 70% over budget. I just can’t seem to stop making our developers find exactly the right imagery and user experience to best represent the Securosis brand. Mike has coined a new term, ‘analness’, to describe the gyrations we’ve gone through, but I’m okay with that because we have spent years building our reputation and aren’t about to roll out a huge steaming pile of crap just to hit a delivery date. As we close in on the finish line, we faced a huge decision on how to host this. Our current provider is pretty good, but we ran into some issues earlier this year that prompted us to look at alternatives. And we are co-hosted, which won’t work once we start loading sensitive content into a paid service. So we began the long evaluation process of picking the right architecture and host. Well, that and satisfying our paranoia regarding site security. Despite being heavy cloud folks, we eventually decided on a dedicated server model offered by a specialized hosting company. Yes, we understand that’s probably counterintuitive, so here’s why we didn’t go that way. Co-hosting and VPS For the most part our current site is totally fine with our current load, and our hosting provider is a lot more security-conscious than most. I launched securosis.com as a blog over at Bluehost, on a WordPress co-host. It worked totally fine, but as we started expanding it was clear that platform couldn’t meet our growing needs. We decided to switch to a better content management system (ExpressionEngine), and while we could technically run it there, we decided to go with a more specialized provider (enginehosting.com). We have been mostly happy with the change, even though EH is considerably more expensive, because we get a lot more for what we pay. They also have excellent growth options to expand to a Virtual Private Server or even dedicated boxes if needed. But it’s still a co-host model. The one problem we hit earlier this year appeared after a major platform upgrade. Our back end became nearly unusable due to performance problems, and when I submitted a support request they kept blaming our configuration or plugins. We are big boys, and willing to accept when we screw up. We turned our system upside down and couldn’t find anything that would kill the performance of the admin console. As it turned out we were right. Another client in our cluster over-used resources – as I had initially suggested. We were bothered by their lack of investigation, and by the (realized) potential for another customer to impact us. That convinced us we need to get off co-hosting, and into VPS or cloud. We also had to factor in all the security reasons to drop a co-hosted model once we have content we want to protect. VPS vs. Cloud We quickly ruled out VPS. As our knowledge and experience working with various cloud services grew, we saw no reason to pick VPS over a pure cloud model. To be honest, while I see co-hosting surviving for a while, I definitely see the allure of VPS cratering in the next few years, as customers keep comparing VPS offerings against the rapidly evolving public cloud offerings. I decided we would go completely cloud. Aside from the lack of advantages to VPS, we were conscious of the importance of eating our own dogfood, now that we are working so deeply with the Cloud Security Alliance and advising people on cloud projects. Our criteria for a cloud provider including a security conscious shop, judged on both what they publish and checks with various industry connections. We wanted some IPS/firewall and patch management support options to improve our baseline security and reduce our management overhead. As our IT guy, I simply don’t have the time to manage all our patches/fixes myself. If I were caught on an international flight when we needed to block and fix a critical 0day, we could be screwed. That was unacceptable. Other factors included our plan to use a cloud-based WAF. Not that it could block everything, but the combination of blocking basic scans and providing better analytics was attractive. We also factored in performance, as we know our potential audience is self-limiting, and what we are delivering isn’t very CPU intensive. We need a little beef, and more importantly the capability to grow, but we couldn’t forsee a need for anything too crazy. It’s not like we are Netflix or anything (yet). So there we were – I thought we were all set, until… From Cloud to Dedicated I wasn’t fully satisfied with the options I found (all of which cost a heck of a lot more than a basic AWS deployment), but I felt confident that we could get what we need at a reasonable price. Then we mentioned what we were doing to a trusted friends in the industry. For now I won’t mention who we are working with, but someone we highly respect offers dedicated hosting in a special section of a major data center they lease (their own cage). I am not sure they expected us to take them up on the offer. It’s not like they were soliciting our business – this came up over beer. These folks are as paranoid as we are (maybe more), and aside from hosting the site they will implement some stringent and unusual security controls we couldn’t possibly get anywhere else for any reasonable price. Normally they don’t use this model even with their existing clients, and we are going to be their first test case beyond internal infrastructure. As a bonus, their data center guarantees 100% infrastructure uptime. In writing. (Note: this doesn’t mean our boxes, just their network and power). Trusted

I love it when people froth at the mouth once they finally realize the blazingly obvious! For today’s example let’s look at the big Dropbox data privacy controversy. There are a few serious problems with Dropbox, such as not requiring a password after a host is added, making it super easy for someone to pretend to be you (if they get your host ID) and access your data. That’s not great, but there are far worse things out there I worry about. But the big controversy is that… ghasp… Dropbox employees could access your data! But if you know anything about security you know that if you get a nice, pretty web interface; then somewhere, somehow, the odds are an admin at the service provider can access your data. There are techniques around this using creative programming, but one look at the Dropbox code in your browser makes it clear they aren’t using anything like that. This is because the Dropbox web servers need to see your data to show you the web interface. Ergo, the servers can decrypt your data. Ergo, someone at Dropbox can see it. Now this doesn’t need to be true – they could have restricted the web UI to metadata and still encrypted file contents, then used a browser plugin (or maybe even JavaScript) to decrypt the files. But both options entail usability and security tradeoffs. A great example of how to manage issues like these is the CrashPlan backup service. CrashPlan offers a cascade of security options, each with usability tradeoffs, and all available to users. (All these options protect your symmetric encryption key, not the data itself): Protect with your account password. CrashPlan can access and see your data if needed. Protect with a separate data password stored locally. CrashPlan admins can’t access your data (even to restore it). You need to keep and secure an extra password. Set your own encryption key. Can be on a per-machine basis. Very secure, requiring more management. There is, of course, much more to their encryption scheme – this is just the user-controllable portion. Dropbox could do something similar: Standard (perhaps the only option on their free plan): Basic account username/password as they have now. Enhanced Security: Set a personal password, with metadata in the clear. You can manipulate your files, but they can only be downloaded by the local agent (not via a browser) and you need to remember the password (no password restore capability). You can still share public files, which are stored in a separate directory using your account password as on the old system. High Security: Metadata and file data encrypted using your personal passphrase, separate from your account passphrase. Web UI can only manage public files – everything else is accessible only through their client. These would require serious development effort, and I don’t want to gloss over the complexity or importance of implementing this type of security correctly and safely. This stuff is hard. But it would be manageable if they made it a priority. But seriously, people – if you want something free/cheap with a pretty web interface to manage your data, odds are you are trading off security. I use Dropbox extensively and just encrypt the things I consider too private to expose. Share:

Today Verizon released the 2011 Data Breach Investigations Report: our single best source of actual incident data in the security industry, based on comprehensive metrics gathered during hundreds of incident investigations. In the coming weeks there won’t be any shortage of stories on, and analysis of, the DBIR. Rather than rehashing all the talking points we expect other sources to cover well, we will instead focus on actionable guidance based on the report. We will focus on how to read the DBIR, what it teaches us, and how should it change what you do. How to read the DBIR With so much data it’s all too easy to get lost in the numbers. It’s also very easy to lose context and misinterpret what’s in there. First let’s cover the four most important trends: The industrialization of attacks: There is an industry encompassing many actors, from coders to attackers to money launderers. They use automated tools and manage themselves and their operations as businesses – including use of independent contractors. Like any other business, these folks want to maximize profits and minimize risk, and the results of the 2011 DBIR show their work towards these goals – especially compared with the 2009 and 2010 DBIRs. Financial attacks focused on leveraged activities such as credit card skimming, point of sale attacks, and ACH fraud: This ties in with the first point: instead of spending massive resources for high risk/high gain (Gonzalez-style attacks), attackers are hammering the financial system’s weak points with significant automation to broaden scope and expand their scale. All forms of attack are up by all threat actors: If someone writes (or tweets) that APT is a myth or IP loss isn’t a problem based on this report, kick them in the nuts. Hard. Twice. Law enforcement really does catch some of the bad guys: 1,200 arrests over the past several years by the Secret Service alone. Many of these bad guys/gals attack small business. We could use more, given the scale of the problem, but law enforcement is having an impact. I will add my own interpretation, which I have separated from the direct DBIR trends: Successful financial attacks (more often than not) target smaller organizations, whereas complex IP (intellectual property) attacks focus (more often than not) on larger or specialized organizations. So for the first time we see a type of market segmentation by attackers. Using automated systems against weak targets and riding the associated economies of scale can be very lucrative, and it’s not surprising to see these targets multiply. But that doesn’t mean bigger companies, more sophisticated about security, are in the clear. We also see an increase in sophisticated attacks focusing on IP, although these numbers are not as obvious in the DBIR data. And now highlights and where to focus your reading, in no particular order: There was a large increase in the number of incidents investigated in 2010. Even accounting for sampling bias, this is still significant. 141 breaches were evaluated in 2009, and 761 in 2010. Yes, sports fans, that’s a 5x multiple. Such a massive increase skews the trend data, so you need to understand that percentage increases and decreases may obscure important information. For example, there was a significant decline in the percentage of attacks involving SQL injection, yet the actual quantity of reported SQL injection attacks actually increased dramatically. There are more small and medium businesses in the world than large ones. So we should see more attacks against them, and the data skews in that direction this year. As stated clearly in the report and in our briefing, the increased number of incidents is mostly due to massive growth in two attack forms: compromise of remote management tools for point of sale (POS) systems in hospitality and retail, and ATM and credit card skimmers (including employees using handheld skimmers). This data came from the Secret Service and we don’t know if it is means the bad guys have found a new focus, or the Secret Service is paying more attention to these attacks. Either way, the increase is significant. Anecdotal evidence from other sources does seem to indicate attackers are increasingly focused on these areas, especially against smaller companies and outlets. Most of the headlines will focus on the massive drop in lost records from 361 million in 2008, to 144 million in 2009, to 4 million in 2010. You should mostly ignore this. The large numbers were highly likely due to a small number of incidents involving massive quantities of records. As the DBIR itself states, Albert Gonzales alone was responsible for tens (possibly hundreds) of millions of records lost over this time period. Pull out those few distorting large campaigns, and the general trend in lost records evens out. The trend shows more bad guys hitting smaller targets. Your risk of being attacked successfully is greater if you are in a targeted industry, such as hospitality and retail. Each incidence of lost intellectual property was typically counted as a single lost record. So IP theft is inherently ranked much lower in studies like the DBIR than credit card breaches, which always involve more records per incident. But the F-14’s avionics schematics probably command a slightly higher value than a single credit card… The VERIS framework used to collect the data uses a multiple-select system. So if 5 attack methods were used in an single attack, each method is counted. They try to make this clear in the report and don’t misinterpret these findings like most of the armchair analysts (including vendors pushing their own agendas) probably will. For example, SQL injection dropped considerably as an overall percentage of attacks… but if you normalize the data to factor in the large number of skimmers and remote management breaches, injection probably climbs back to the top 3. Figure 6 on page 15 is the most important in the entire report. It shows that most attacks involve hacking and malware against user devices. Network sniffing is barely a blip. Physical attacks are also a major vector (mostly skimming, according to our briefing and the report), but

So you have defined your peer groups and analysis and spent a bunch of time communicating what you found to your security program’s key stakeholders. Now it’s time to shift focus internally. One of the cool things about security metrics and benchmarks is the ability to analyze trends over time and use that data to track progress against your key goals. Imagine that – managing people and programs based on data, not just gut feel. Besides being able to communicate much more authoritatively how you are doing on security, you can also focus on continuously improving your activities. This is a good thing to do – particularly if you want to keep your job. We will harp on the importance of consistency in gathering data and benchmarks over a long period of time, and then getting sustained value from the benchmark by using it to mark progress toward a better and more secure environment. Programs and feedback loops We don’t want to put the cart ahead of the horse, so let’s start at a high level, with describing how to structure the security program so it’s focused on improvement rather than mere survival. Here are the key steps: Define success (and get buy-in up the management stack) Distill success characteristics into activities that will result in success Quantify those activities, determine appropriate metrics, and set goals for those metrics Set objectives for each activity and communicate those objectives Run your business; gather your metrics Analyze metrics; report against success criteria/objectives Identify gaps, address issues, and reset objectives accordingly Wash, rinse, repeat Digging deeply into security program design and operation would be out of scope, so we’ll just refer you to Mike’s methodology on building a security program: The Pragmatic CSO. Communicating to the troops In our last post, on Benchmarking Communication Strategies, we talked about communicating with key stakeholders in the security process, and a primary constituency is your security team. Let’s revisit that discussion and its importance. Your security team needs to understand the process, how benchmark data will be used to determine success, and what the expectations will be. Don’t be surprised to experience some push-back on this new world order, and it could be quite significant. Just put yourself in your team’s shoes for a moment. For most of these folks’ careers they have been evaluated on a squishy subjective assessment of effectiveness and effort. Now you want to move them to something more quantified, where they can neither run nor hide. Top performers should not be worried – at all. That’s a key point to get across. So exercise some patience in getting folks heads in the right spot, but remember that you aren’t negotiating here. Part of the justification for investing (rather significantly) in metrics and benchmarks is to leverage that data in operations. You can’t do that if the data isn’t used to evaluate performance – both good and bad. It’s not a tool, it’s a lifestyle Another point to keep in mind is that this initiative isn’t a one-time thing. It’s not something you do for an assessment, and then forget it in a drawer the moment the auditor leaves the building. Benchmarking, done well, becomes a key facet of managing your security program. This data becomes your North Star, providing a way to map out objectives and ensure you stay on course to reach them. We have seen organizations start with metrics as a means to an end, and later recognize that they can change everything about how operational efforts are managed, perceived, and supported within the organization. The lack of security data has hindered acceptance of benchmarking in the security field, but it’s time to revisit that. As per usual, there are some caveats to data-driven management. No one size fits all. We see plenty of cultural variation, which may require you to take a less direct path to the benchmark promised land. But there can be no question about the effectiveness of quantifying activity, compared to not quantifying it. If you have gotten this far, successfully implemented this kind of benchmark, and institutionalized it as a management tool, you are way ahead of the game. But what’s next? Digging into deeper and more granular metrics, such as the metrics we defined as part of our Project Quant research. So we will discuss that next. Share:

It’s tax day. You don’t have time to read this. I don’t have time to write it. Actually, my accountant is taking care of my taxes (I don’t trust myself with them). What’s really sucking down my time is preparing all the hands-on portions of the Cloud Security Alliance training. For the second time. We decided to split the class into two days, which means I have the opportunity to both tune the material and add new material. The cloud security portions of this are actually pretty straightforward – the harder part is scripting all the instances and configurations to focus the students on the important security bits without them having to learn things like MySQL, UNIX command lines (since, you know, auditor types will be in the class) and so on. That means I get to figure out all the scripting. Which isn’t a big deal, except I’m working with programs I don’t really deal with on a day to day basis. So there’s a lot of learning involved, and things that used to be instinctive when I was working as an admin now involve multiple web searches and mistakes to get correct. And little things like figuring out the mechanics of running a private cloud for 40 students on a single laptop and still providing some hands-on, as opposed to just an instructor demo. But I’m loving it. So go away and do your taxes. I need to play. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading post on Cloud DB Security. Rich and Adrian quoted on our DBQuant press release. The Network Security Podcast, episode 237. Favorite Securosis Posts Adrian Lane: Database Trends. Mike Rothman: Our insanely comprehensive database security framework. No one else does this kind of research. It’s awesome to see it in its entirety. And we provide it at no cost. You’re welcome. David Mortman: Database Trends. Rich: Software vs. Appliance: Understanding DAM Deployment Tradeoffs. Other Securosis Posts Security Benchmarking, Going Beyond Metrics: Defining Peer Groups and Analyzing Data. Security Benchmarking, Going Beyond Metrics: Communications Strategies. Incite 4/13/2011: Jonesing for Air. Favorite Outside Posts Mike Rothman: Security vendors should face the music, even if they hate the tune. Bill Brenner nails it. Even when a review goes south, there are ways to handle it. Scorched earth on a well-respected testing house isn’t a winning strategy. David Mortman: How Dropbox sacrifices user privacy for cost savings. reppep: Cloud validation: 8 hours of 10,000-core computation for $8k. Okay, it’s still not for everybody, but this demonstrates that “cloud computing” does have a point. Adrian Lane: Russian Security Service proposes ban on Gmail, Skype, Hotmail. Skype a threat to National Security? Government’s the same all over. Research Reports and Presentations Measuring and Optimizing Database Security Operations (DBQuant). Woo hoo!!! Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. White Paper: Understanding and Selecting an Enterprise Firewall. Top News and Posts Veris Community Project Update The Web’s Trust Issues. Private records of 3.5 million people exposed by Texas. Hack attack spills web security firm’s confidential data. Adobe to Patch Flash Zero Day on Windows, Mac on Friday. DOJ Shuts Down Botnet, Disables Infected Systems Share: