Research

Kelly at Dark Reading posted an interesting article today, based on a survey done by BT around hacking and penetration testing. I tend to take most of the stats in there with a bit of skepticism (as I do any time a vendor publishes numbers that favor their products), but I totally agree with the first number: Call it realism, or call it pessimism, but most organizations today are resigned to getting hacked. In fact, a full 94 percent expect to suffer a successful breach in the next 12 months, according to a new study on ethical hacking to be released by British Telecom (BT) later this week. The other 6% are either banking on luck or deluding themselves. You see, there’s really no difference between cybercrime and normal crime anymore. If you’ve ever been involved with physical security in an organization, you know that everyone suffers some level of losses. The job of corporate security and risk management is to keep those losses to an acceptable level, not eliminate them. It’s called shrinkage, and it’s totally normal. I have no doubts I’ll get hacked at some point, just as I’ve suffered from various petty crime over the years. My job is to prepare, make it tough on the bad guys, and minimize the damage to the best of my ability when something finally happens. As Rothman says, “REACT FASTER”, and as I like to say, “REACT FASTER AND BETTER”. Once you’ve accepted your death, it’s a lot easier to enjoy life. Share:

It’s been a bit of a strange week on the security front, with good guys hacking a botnet, a major security vendor called to the carpet for some vulnerabilities, and yet another set of Adobe 0days. But being Cinco de Mayo, we can just margarita our worries away. In this episode we review some of the bigger stories of the week, and spend a smidge of time pimping for a (relatively) new site started by some of our security friends, and a new project Rich is involved with. Network Security Podcast, Episode 149, May 5, 2009 Time: 34:08 Show Notes: The Social Security Awards video is up! Yet more Adobe zero day exploits. Now it’s just annoying. McAfee afflicted with XSS and CSRF vulnerabilities. Torpig botnet hijacked by researchers. New School of Information Security blog launched. Project Quant patch management project seeking feedback. Tonight’s Music: Wound up Tight by Hal Newman & the Mystics of Time Share:

If you’ve been following this series, we’ve highlighted some of the breaches of trusted sites that were, or could have been, used to attack visitors. There’s nothing like hitting a major media or financial site and using it to hack anyone who wanders by that day. This week we’re breaking it down security style, thanks to multiple vulnerabilities at McAfee. McAfee suffered multiple XSS and CSRF vulnerabilities in different areas, including a simple CSRF in their vulnerability scanning service (ironic, eh?). If you don’t know, Cross Site Request Forgery allows an attacker to “influence” your session if you are logged into a service. If you are logged into your bank in one window, they can use malicious code from the evil site under their control to transfer funds and such. I know a lot of exceptional security types over at McAfee so I don’t want to slam them too hard. This shows that in any large organization, web application security is a tough issue. Hopefully they will respond publicly, openly, and aggressively, which is really the best approach when you’ve been exposed like this. Just a friendly reminder that you can’t trust anyone or anything on the Internet. Except us, of course. Share:

On Thursday at the RSA Conference, I had the opportunity to attend a lunch with the conference advisory board: Benjamin Jun of Cryptography Research, Tim Mather of RSA, Ari Juels of RSA Laboratories, and Asheem Chandna of Greylock Partners. It was an interesting event, and Alex Howard of TechTarget did a good job of covering the discussion in a recent article. As with many things associated with the RSA Conference, it took me a bit of time to digest and distill all the various bits of information crammed into my sleep-deprived brain. I find that these big events are an excellent opportunity to smash my consciousness with far more data than it can possibly process, and eventually a few trends emerge. No, not this year’s “hot technology”, but macro themes that seem to interweave the disparate corners of our practice and industry. It might run contrary to many of the articles I read, or conversations I’ve had, but I think this year’s subtext was “innovation”. (And not because I presented on it with Hoff). Every year when I run into people on the show floor, the first question they tend to ask is “see anything new and interesting?” Finding something new I care about is pretty rare these days for two reasons. First, if it’s in my coverage area I sure as heck had better know about it before RSA. Second, most of the advances we see these days are evolutionary, and earth-shattering new products are few and far between. That doesn’t mean I don’t think we’re innovating, but that innovation is more pervasive throughout the year and less tied to any single show floor. One really interesting bit that popped out (from Asheem) was that the Innovation Station had only 14 applicants last year, and over 50 this year. I think in these days of tight marketing budgets for startups, a floor booth is hard to justify, and perhaps some of the total crap was weeded out, but security startups are far from dead (just look at my Inbox). But more interesting than innovation in startups is innovation from established players. For the first time in a very long time I’m seeing early tendrils of real innovation leaking from some of the big vendors again. We talked about it for a few minutes at the lunch, but it’s obvious that the security industry was able to coast for a few years on its core approaches. Customers were more focused on performance and throughput than new technologies, thus there was little motivation for big innovation. The limited market demand pushed innovation into the realm of startups, where new technologies could incubate until the big companies would snatch them up. Our financial friends at Marker Advisors even talked about this trend in a recent guest post, and how “traditional” buying cycles are now disrupted by technology turnover and changing client requirements. It all ties in perfectly to Hoff’s Hamster Sign Wave of Pain. On the other side, we’re seeing some of the most dramatic attack innovation since the discovery of the buffer overflow. And for the first time, these attacks are causing consistent, real, measurable, and widespread losses. We’ve seen major financial institutions breached, the plans for the Joint Strike Fighter stolen (‘leaked’ doesn’t nearly convey the seriousness), and malware hitting the major news outlets (with often crappy reporting). There is evidence that all aspects of our information society are deeply penetrated and fallible. Not that the world is coming to an end, but we can’t pretend we don’t have problems. This combination of buying cycles, threat innovation, growing general awareness, and product and practice innovation creates what may be the most interesting time in history to work in security. We’ve never before had such a high profile, faced such daunting challenges, and seen such open opportunities. Merely building on what we’ve done before doesn’t have a chance of restoring the risk balance, and there’s never been better motivation for big financials, the government, and big manufacturing (you know, the guys with all the money) to invest in new approaches. I’d call it a “Perfect Storm” if that phrase wasn’t banned by the Securosis Guide of Crappy Phrases, Marketing Hyperbole, and Silly, Meaningless Words (after “holistic” and before “synergy”). Frankly, we don’t have any choice but to innovate. When market forces like this align the outcome is inevitable. Tim Mather referred to the National Cyber Leap Year, a program by the government to engage industry and push for game-changing security advancements. Not that the Leap Year program itself will necessarily succeed, but there is clear recognition that innovation is essential to our survival. We can’t keep layering the same old crap onto hot newness and expect a good result. Those of you who hate change are going to be seriously unhappy. Those who revel in challenges are in for a wild ride. The good news is there’s no way we can lose – it isn’t like society will let itself break down completely and go all Road Warrior. Especially since Mel turned into an anti-semitic whack job. (Image courtesy www.pdrater.com). Share:

Last week I posted an outline for a patch management cycle to base Project Quant metrics on. Based on some feedback, I think we need to hear from those of you who actually do this for a living (you really don’t want to know the crappy process we used back in my sysadmin days). If you have a moment, please pop over to the forums and let us know what you are using for your process. (If you want to leave anonymous feedback, instead of the forums you can leave it as a comment on the main post; this is a weird limitation of our platform). Thanks Share:

Sometimes the most energizing thing you can do is absolutely nothing. Last week at RSA was absolutely insane, in a good way. It’s kind of like being a kid and going to summer camp. You get to see all the friends who live in other towns, you all go nuts for a week with minimal supervision, and then everyone staggers home all excited. Between the Recovery Breakfast, 4 official RSA panels, a Jericho panel, my 160+ slide Friday morning session with Chris Hoff, and the nonstop speed-dating during the day, and parties at night, I should really be in much worse shape. But I found this year’s RSA to be incredibly motivating on multiple levels. First, I think this is absolutely one of the best times to be in information security. Yes, major crap is hitting the fan all over the place, including massive national security, financial, and infrastructure breaches, but security is also hitting the front pages and reaching into the common consciousness. This is exactly the kind of environment true security professionals thrive on – with challenges and opportunities on all sides. As someone who loves the practice and theory of security, I find these challenges to be absolutely energizing and I wouldn’t want to be doing anything else. Well, except for maybe being an astronaut. Next, RSA was extremely motivating from a corporate standpoint. I won’t say much, but it validated what we’re trying to do, and how we are positioning ourselves. Finally, it was a very motivating week on a personal level. I used to have friends at work, and acquaintances in the industry. But these days I find some of my closest friends are scattered throughout the world in different jobs. I realized I spend more time interacting with many of you than I do with my local ‘meatspace’ friends outside of the industry. I especially appreciated the group that took me out for my birthday on Monday night – it really eased the pain of spending yet another family event away from my wife and (new) daughter. After RSA I took 4 days off, and the combination of intensity followed by relaxation was a major recharge, but didn’t leave me much content for this week’s summary. Except stay away from, like, every Adobe product on the planet since they are all full of 0days. One reminder – if you’d like to get our content via email instead of RSS, please head over and sign up for the Daily Digest (it goes out every night). We’re also thinking of creating a Friday Summary-only version, so let us know if that would be of interest. And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences Martin and Rich on the weekly Network Security Podcast. I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (all about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It’s all objective stuff, and cut-down versions of our more extensive materials. I show up in the Sydney Morning Herald, based on some TidBITS/Mac writing. Speaking of TidBITS, I wrote up some thoughts on how to read Mac security articles. I was quoted in a TechTarget article on cloud computing, based on my involvement in the Jericho panel. Favorite Securosis Posts Rich: The latest Project Quant post – we really need your feedback on the patch management cycle! Adrian: Rich’s post on the Security Industry Anti-Disambiguation Movement. Having watched this first-hand at a couple of startups, I know how well the mere mention of a competing technology by one of the major competitors could halt your POC process in an instant. Favorite Outside Posts Adrian: Favorite external was Greg Young’s comment on Becoming the Threat … An excellent analysis of something we see in society, and certainly something that is a problem here in Phoenix. Oddly, this is something I do NOT see with most corporate IT. Why is that? Rich: Chris Eng’s Decoding the Verizon DBIR 2009 Cover. Very cool. Top News and Posts Joint Strike fighter plans nicked. Will someone in charge WAKE THE FUCK UP! Good: Microsoft removes ‘AutoRun’ option for Memory sticks. Bad: Pushing 8 out through auto-update? What if I don’t want it? Targetted worms and banking scams. Adobe is having a seriously bad run. More 0days. Interesting take on WAF+VA. The Black Hat call for papers is extended. Blog Comment of the Week This week’s best comment was from Ant in response to Rich’s post on Security Industry Disambiguation Movement. Well I mint not have chosen those terms, but I personally* fully endorse the sentiment! A different problem arises where a perfectly serviceable term is pressed into use in several different but not wholly dissimilar markets, leading to ambiguity and confusion – e.g., identity management, policy management. So… it’s not strictly anti-disambiguation, but it some vendors are guilty of disingenuously using a term which doesn’t apply to them in their market. – Ant * i.e., this is not (necessar Share:

While we don’t plan on posting every Project Quant update here on the main blog, we will be cross-posting some of the more significant project updates, as well as other content we relevant to our broader readership. (For these posts we will turn off comments to consolidate them all in the Project Quant area.) So here is our first pass at defining a patch management process for the project: Although we posted some of our initial thoughts, and have been getting some great feedback from everyone, Jeff and I realized that we haven’t even defined a standard patch management cycle yet to start from. DS, Dutch, and a few others have started posting some metrics/variables, but we didn’t have a process to fit them into. I’ve been researching other patch management cycles, and here’s my first stab at one for the project. You’ll notice it’s a little more granular than most of the other ones out there – I think we need to break out phases in more detail to both match the different processes used by different organizations, and to give us cleaner buckets for our metrics. Here’s a quick outline of the steps: Monitor for Release/Advisory: Anything associated with tracking patch releases, since all vendors follow different processes. Acquire: Get the patch. Evaluate: Initial evaluation of the patch. What’s it for? Is it security-sensitive? Do we use that software? Is the issue relevant in our environment? Are there workarounds or dependencies? Prioritize/Schedule: Prioritize based on the nature of the patch itself, and your infrastructure/assets. Then build out a deployment schedule, based on your prioritization. Test and Certify/Accredit: Perform any required testing, and certify the patch for release. This could include any C&A requirements for you government types, compliance requirements, or internal policy requirements. Create Deployment Package: Prepare the patch for deployment. Deploy. Confirm Deployment: Verify that patches were properly deployed. This might include use of configuration management or vulnerability assessment tools. Clean up: Clean up any bad deployments, remnants of the patch application procedure, or other associated cruft/detritus. Document and Update Configuration Standards: Document the patch deployment, which may be required for regulatory compliance, and update any associated configuration standards/guidelines/requirements. This is a quick and dirty pass and meant to capture the macro-level steps in the process. I know not all organizations follow, or need to follow, a process like this, but it will help us organize our metrics. Let me know what you think – I’m sure I’m missing something… To comment on this post, please see the original over in the Project Quant area. Share:

With all the recent talk about cloud security, I’ve really been struck by the blatant deliberate confusion promulgated by various industry stakeholders. For example, last week around RSA I saw a nonstop stream of press releases containing the word “cloud” for products and services that were merely the same old beloved security tools, now rebranded to ride the froth of the cloud marketing wave. But ‘cloud’ is only the latest example – from NAC to DLP to GRC and other technologies of yore, we see often-deliberate message dilution and confusion so certain poorly-positioned individuals or companies can avoid being left behind by market innovators. We don’t just see this in security; calling yourself “green” is an instantly classic example (hello “green” bottled water), but I do think we see it more in security than other areas of IT. When you think about it, we are probably the farthest reaching area of IT- spanning everything from development to storage to desktops to networking, and as such have a fair bit more running room. You might be able to rebrand your storage solution “green”, but it isn’t like you can call a hard drive a WWAN SAN just to hop on a trend (having been to many non-security conferences, I think this is a reasonably safe statement). And what I’m focusing on today isn’t mere bandwagon hopping, but purposeful efforts by laggards to create confusion in a market and defeat clarity. I call it the Anti-Disambiguation Movement, and it follows a predictable path. The movement is led by vendors, press, and analysts; with end-users (and some innovative vendors) suffering the consequences. Here’s how it works – when a vendor is late to the party, they start issuing a bunch of marketing chaff to distract everyone from the real innovation. This takes a number of forms (which we will talk about in a moment), which result in one of several outcomes (which we’ll also detail). Interestingly enough, I think this tracks very nicely with the Gartner Hype Cycle (I love the Hype Cycle, and am sad I don’t get to use it anymore). Let’s start with the methods (I’d apologize for the language, but you should be used to it by now): The Marketing Cock Block: A large vendor claims that they are bringing a product to market within a nebulous time frame, when they have no existing product in that market. The goal is to Osborne effect any direct competitors or small vendors in the space by creating a belief that the “official” solution from a stable supplier is just around the corner. In some cases the vendor has a product, but it isn’t close to competitive. Example: Microsoft and Cisco with NAC. Neither had a viable solution until relatively recently (and that’s still debatable), but that didn’t even slow down their marketing efforts and interoperability announcements. The PR Territory Piss: A variant of the Cock Block in which the vendor issues extensive press releases on their ownership of a trend, which they may or may not later buy or build into. Example: AV vendors and antispyware. Malicious Confusion: Vendors know they don’t have an offering in that market/trend, so they expand or otherwise deliberately misuse the definition of that trend to include their products under the hot umbrella. The goal isn’t to produce anything for that market, but to create enough confusion that whatever they already had on the shelf can be marketed with today’s cool term. They purposely and maliciously create confusion for their own benefit. Ideally, they even convince some press or analysts to include them in a market list or product evaluation. Example: DLP and USB port blockers, endpoint encryption, and about a dozen other things that have nothing to do with DLP. The Glom-on: A trend starts hitting and clumps of vendors start piling on for the ride, making a subconscious but collective decision to link their market to the trend until the trend/market definition becomes so diluted as to be worthless. Examples: Cloud and information-centric security. The Lemming Roller Coaster: A trend becomes hot, and less-intelligent vendors jump on, usually late, without really knowing where they are headed. The lemming is less deliberate than some of our other examples, and typically the result of a brain dead marketing/PR type. It’s usually smaller companies, and may lead to their death once users figure out the product doesn’t help with that problem, or after they score poorly in magazine/analyst ratings. Examples: Seeing this a lot with DLP and a bit in GRC. Unintelligent Design: Some ass-clown of an analyst invents their own term for something, often issuing some sort of market report, triggering one of the other methods listed above. Examples: The Anti-Disambiguation Movement… and GRC. The result falls into these categories: Death: The trend/market becomes so toxic that it dies, taking the slower companies with it. Example: PKI. Clarity: The ambiguities fade away and clear definitions emerge, although often not until after a few early innovators die. Example: NAC. Redefinition: The term/market is redefined, but doesn’t necessarily resemble its original form. Example: I think cloud security is headed this way. Meaninglessness: The term becomes so diluted it’s essentially worthless, even though there might be some nuggets of truth in there. Example: GRC. I’m having a bit of fun here, but the simple truth is that very often market terms are atrociously abused by laggards, often (deliberately) damaging the real innovation and innovators. Share:

Hey folks, Just a quick note that we had a few people ask if we were going to hold a meeting on Project Quant out here at RSA. We know it’s last minute, but if you are interested in hearing more about the project and providing some input, we’ve decided to hold a Town Hall meeting right after the Securosis Recovery Breakfast on Wednesday morning at Jillian’s. The breakfast runs until 11, and we’ll gather up all the Quant people right after that and find a quiet corner. The WASC meetup is at 12, so if you plan things right you can probably hang out at Jillian’s all day and never head over to Moscone. Feel free to drop a comment if you think you might show, but otherwise we’ll see you there… Share:

Yesterday, our friends over at Marker Advisors shared some information on what they see on the financial side of the IT security world. Today they follow up with a brief conclusion about how this is playing out. We’ve seen a ton of M&A activity ourselves, and have even written about it before. We’re seeing exactly the same trend- from a valuation standpoint it’s a buyers market, but many sellers are hanging on, hoping for a better exit. I think it will be fascinating to watch this dance play out at RSA this year, and plan on asking Randy and Russ for a follow-on post once we all get back from the show. M&A activity happens in cycles that are directly related to major product buying cycles. In times of slow growth, larger companies that can invest in the future try to project the ‘next big thing’. They then identify and purchase technology / expertise that will hopefully prepare them for the next upswing. The software business has always been one where ‘the rich get richer’. Large companies have the cash and cash flow, the sales organization, and the market presence to use downturns to augment their product lines. We have seen both traditional software companies (ORCL, MFE, SYMC, QSFT, OTEX, CA, BMC) grow via acquisition, as well as nontraditional buyers (IBM, EMC, HPQ) enter the market. As we came out of the 2001 – 2002 slowdown, M&A activity increased materially. However, in the last couple of years, as that cycle waned, combinations slowed. Marker believes another M&A cycle is imminent. Today, we have many interested buyers, but few sellers willing to entertain today’s valuations. Although we are not going to the valuations of 2006 / 2007 anytime soon, they should trend higher in time, and buyers and sellers will meet somewhere in the middle. Smaller public and private organizations desiring to be acquired should be preparing their business for this next M&A wave. How a company reacts and positions itself in the short term will eventually determine whether or not they are one of the prize catches, or one of the throwaways. About Marker Advisors: Marker is a research consultancy firm specializing in the software industry. We work with senior company management as well as sophisticated industry investors to create shareholder value. We provide detailed market intelligence, business and product strategy, and M&A advisory services. Share: