Login  |  Register  |  Contact
Friday, April 17, 2015

LAST CHANCE! Register for the Disaster Recovery Breakfast

By Mike Rothman

Holy crap! The RSA Conference starts on Monday. Which means… you don’t have much time left to register for the 7th annual Disaster Recovery Breakfast.*

2015 DRB, the be careful what you wish for edition

Once again we have to provide a big shout out to our DRB partners, MSLGROUP, Kulesa Faul, and LEWIS PR. We’re expecting a crapton of folks to show up at the breakfast this year, and without their support there would be no breakfast for you.

no breakfast for you

As always, the breakfast will be Thursday morning 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We will have food, beverages, and assorted recovery items (non-prescription only) to ease your day.

See you there.

To help us estimate numbers, please RSVP to rsvp (at) securosis (dot) com.

*But don’t get nuts if you forget to RSVP – the bouncers will let you in… Right, there are no bouncers.

—Mike Rothman

Thursday, April 16, 2015

Presenting the 2015 RSA Conference Guide

By Mike Rothman

As you’ve seen over the past week, we’ve been reposting our RSAC Guide here. That’s because the RSA Conference folks allowed us to post it on their blog first. Yes, they are nuts, but we aren’t going to complain.

We also take all that raw content and format it into a snazzy PDF with a ton of meme goodness. So you can pop the guide onto your device and refer to it during the show. Without further ado, we are excited to present the entire RSA Conference Guide 2015 (PDF).

Just so you can get a taste of the memish awesomeness of the published RSAC Guide, check out this image. Plenty of folks are first finding out about Securosis through the RSAC blog. So we figured it would be good to provide some perspective on what we do and how we do it.

pontification FTW

Pontification FTW.

And in case you want to check out the coverage area deep dives (which will go up on the Securosis blog next week), check out the RSAC blog posts:

—Mike Rothman

Wednesday, April 15, 2015

Incite 4/15/2015: Boom

By Mike Rothman

I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness.

The theme of this year’s Disaster Recovery Breakfast is be careful what you wish for. For years we have wanted more internal visibility for security efforts. We wanted to engage with senior management about why security is important. We wanted to get more funding and resources to deal with security issues. But now it’s happening. CISO types are being called into audit committee meetings and to address the full board (relatively) frequently. Budget is being freed up, shaken loose by the incessant drone of the breach of the day. We wanted the spotlight and now we have it. Oh crap.

balloon go boom

And investors of all shapes and sizes want a piece of cybersecurity. We’ve been engaged in various due diligence efforts on behalf of investors looking at putting money to work in the sector. You see $100MM funding rounds for start-ups. WTF is that about? A friend told me his successful friends call him weekly asking to invest in security companies. It’s like when you get stock tips from a cabbie (or Uber driver), it’s probably time to sell. That’s what this feels like.

But security will remain a high-profile issue. There will be more breaches. There will be additional innovative attacks, probably hitting the wires next week, when there is a lot of focus on security. Just like at Black Hat last year. Things are great, right? The security juggernaut has left the dock and it’s steaming full speed ahead. So why does it feel weird? You know, unreal?

Part of it is the inevitable paranoia of doing security for a long time. When you are constantly trying to find the things that will kill you, it’s hard to step back and just appreciate good times. Another part is that I’ve lived through boom and bust cycles before. When you see low-revenue early-stage start-ups acquired in $200MM+ and $50MM+ funding rounds for, you can’t help but think we are close to the top of the boom. The place to go from there is down. Been there, done that. I’m still writing off my investment tax losses from the Internet bubble (today is Tax Day in the US).

But you know what? What’s the use in worrying? I’m going to let it play out and do a distinctly atypical thing and actually enjoy the boom. I was too young and naive to realize how much fun the Internet boom was on the way up. I actually believed that was the new normal. Shame on me if I can’t enjoy it this time around.

I’ll be in SF next week with a huge smile on my face. I will see a lot of friends at RSAC. Rich, Adrian, and I will offer a cloud security automation learning lab and JJ and I will run a peer-to-peer session on mindfulness. I’ll have great conversations with clients and I’m sure I’ll fill the pipeline for the next couple months with interesting projects to work on. I’ll also do some damage to my liver. Because that’s what I do.

These halcyon days of security will end at some point. There is no beanstalk that grows to the sky. But I’m not going to worry about that now. I’ll ride through the bust, whenever it comes. We all will. Because we’re security people. We’ll be here when the carpetbaggers have moved on to the next hot sector promising untold riches and easy jobs. We’ll be here after the investors doing stupid deals wash out and wonder why they couldn’t make money on the 12th company entering the security analytics business. We’ll be here when the next compliance mandate comes and goes, just like every other mandate.

We’ll be here because security isn’t just a job. It’s a calling. And those who have been called ride through the booms and the busts. Today is just another day of being attacked by folks who want to steal your stuff.

–Mike

Photo credit: “Explosion de ballon Polyptyque“_ originally uploaded by Mickael


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Slap in the face: Part of the cellphone security model is locking and/or remotely wiping stolen cellphones. Allowing owners to control transfer of ownership makes stolen phones are almost worthless, and should discourage phone theft. But a giant case of insider fraud at AT&T barely made news last week, because it was positioned in the press as just another data breach. The real story is that a handful of employees in foreign markets accessed customer accounts to allow the transfer and activation of stolen phones. What makes the story so painful is that the criminal organization which got its mules into AT&T profited, the US government got the cost of its investigation covered by the $25M fine, and AT&T enjoyed 500k or so new subscribers on stolen phones and a tax write-down on the fine. The slap is to that people who had phones stolen get worthless “credit monitoring”, while FCC chair Tom Wheeler sprays perfume onto this steaming pile by claiming this is a victory for privacy – which implies the insiders actually stole personal information, rather than just transferring phone ownership. – AL

  2. Lay off my forensicators: In what appears to be another example of a company with too many lawyers, one company is sore another company hired a bunch of their people. MasterCard is suing Nike over former MC employees allegedly taking ‘proprietary’ network configurations to their new employer. But the hook in the suit is that some service providers were now working with Nike instead of MC. So apparently we are not in a free-market economy and service providers have become indentured servants to their clients. Bah. Too many damn lawyers. There has to be a better way to handle this. If they wanted to cut down employee churn, perhaps they could make it more interesting and attractive for employees to stick around. And there isn’t much you can do if an employee leaves, taking their multi-decade relationships with service providers. But when you have lawyers, evidently you need to lawyer up. – MR

  3. You’re the product: It’s not a question of whether your emails are tracked – Wired Magazine explains a browser tool to detect common email tracking elements, nicely illustrating that the only question is by whom and how many firms track each email you receive or send. It’s not uncommon to receive email with several trackers embedded – I get some with a half dozen. In some cases the trackers are added unbeknownst to the sender, instead tacked on by service providers. Most email providers earn money by tracking you, and every marketing manager running a ‘campaign’ demands to know not just who – but how – people are reading their precious content, so pretty much every email is tracked. Be it a browser or a dedicated mail tool, these email viewers don’t offer any insight into what’s being requested, by who, or how much data they pull out. Of course not, because that might interfere with their the ability to monetize you. The web pages you visit are far worse: even the Wired web page for that article serves fourteen trackers from sites you didn’t visit and which don’t serve the content you requested. They are solely to track what you do and how you do it, and that data is likely shared and resold yet again. The tools listed in this Wired article – such as UglyMail – lift just one veil obscuring the horrors underneath. If you really want to see – and control – what your email client and browsers transmit, get an outbound firewall to detect and filter. Remember, if you’re not paying, you’re the product. – AL

  4. Minority Security Report: One of the hot hot hot areas of security for 2015 is insider threat detection. These new security analytics tools look at a bunch of data and have means to determine when an employee is doing something that puts corporate data at risk. It turns out these technologies have been under development for a while for other use cases as well. For instance JP Morgan has a system that looks for signs that a trader is going to go rogue. Evidently they’ve profiled and found patterns that indicate an employee is going to do bad stuff. So they can then put the employee under watch. Is this a slippery slope? Yes and no. There is nothing wrong with monitoring an employee’s behavior if they show indicators of doing something bad for the organization. But how do you deal with false positives? And could the tools be used to curry favor for political purposes within the organization? I guess we should expect the equivalent of the Salem Witch Trials at some point. – MR

  5. Any time now: In 1999 I saw my first television ad proclaiming the amazing benefits of chip-based credit cards, and how they would protect customers and banks from fraud. It was the “Internet Age”, these cards looked Star Trek cool, and I wanted one. Too bad: My bank didn’t carry them. And even if they did, none of the merchants used the chip-based capabilities to counter card cloning. Fast forward to today, 16 frigging years later, and it’s still the same. My bank, sadly, still does not issue EMV-based credit cards. They do have a plan to roll them out, oh, sometime in 2016. So while I think it’s beyond pathetic that food retailers have asked for an extension on the EMV deadline – which shifts card fraud liability onto merchants who do not comply – I get it. It’s not just that they have been dragging their feet, but banks have been dragging as well. But honestly, the only way these cards can supplant magstripes in the US is for the card brands to not extend the deadline and to shift liability. When the financial incentive hits, we’ll see action. 16 years is enough warning. – AL

  6. Not a bad thing: Andreas Gal, Mozilla CTO, offers an interesting rant on limited access to Google search data available to other search engines. Over the last decade search engines have used user query data, more than crawling the Internet, to refine their own search results. Other search engines, ISPs, and telcos used to – ahem – collect user search data entered into Google and leverage that information. The crux of Andreas’ rant is that Google started encrypting its search strings, so only Google has access to user queries. But this is exactly what I want as a user – that the information I entrust ti Google not be shared. I want them to encrypt it and keep it to themselves. Further, this is part of Google’s moat, born from early technical advantages and the “network effect” of providing a service people really like, which is a good thing which Google earned. It requires other firms to innovate to attract users – and to do something unique or better before they can assail Google’s moat. Plus, I think Andreas missed that the embedded search bars in browsers like Firefox offer users a feature they do take advantage of: easy switching between search engines when they don’t like the results from their default option. Only vendors see this as a turf war; users see the value in both privacy and different results from different search tools. – AL

—Mike Rothman

Friday, April 10, 2015

RSAC Guide 2015: P.Compliance.90X

By Adrian Lane

Compliance. It’s a principle driver for security spending, and vendors know this. That’s why each year compliance plays a major role in vendor messaging on the RSA show floor. A plethora of companies claiming to be “the leader in enterprise compliance products” all market the same basic message: “We protect you at all levels with a single, easy-to-use platform.” and “Our enterprise-class capabilities ensure complete data security and compliance.” Right.

The single topic that best exemplifies our fitness meme is compliance. Most companies treat compliance as the end goal: you hold meetings, buy software, and generate reports, so you’re over the finish line, right? Not so much. The problem is that compliance is supposed to be like a motivational poster on the wall in the break room, encouraging you to do better – not the point itself. Buying compliance software is a little like that time you bought a Chuck Norris Total Gym for Christmas. You were psyched for fitness and harbored subconscious dreams it would turn you into a Chuck Norris badass. I mean, c’mon, it’s endorsed by Chuck Friggin’ Norris! But it sat in your bedroom unused, right next to the NordicTrack you bough a few years earlier. By March you hadn’t lost any weight, and come October the only thing it was good for was hanging your laundry on, so your significant other posted it on Craigslist.

The other side of the compliance game is the substitution of certifications and policy development for the real work of reducing risk. PCI-DSS certification suggests you care about security but does not mean you are secure – the same way chugging down 1,000-calorie fruit smoothies makes you look like you care about fitness but won’t get you healthy. Fitness requires a balance of diet and exercise over a long period; compliance requires hard work and consistent management towards the end goal over years. Your compliance requirements may hinge on security, privacy, fraud reduction or something else entirely, but success demands a huge amount of hard work.

So we chide vendors on their yearly claims about compliance-made-easy, and that the fastest way to get compliant is buy this vendors class-leading product. But this year we think it will be a little more difficult for vendors, because there is a new sheriff in town. No, it’s not Chuck Norris, but a new set of buyers. As with every period of disruptive innovation, developers start to play a key role in making decisions on what facilities will be appropriate with newer technology stacks. Big Data, Cloud, Mobile, and Analytics are owned by the fitness freaks who build these systems. Think of them as the leaner, meaner P90X fitness crowd, working their asses off and seeing the results of new technologies. They don’t invest in fancy stuff that cannot immediately show its worth: anything that cannot both help productivity and improve reliability isn’t worth their time. Most of the value statements generated by the vendor hype machine look like Olivia Newton-John’s workout gear to this crowd – sorely out of date and totally inappropriate. Still, we look forward to watching these two worlds collide on the show floor.

—Adrian Lane

Thursday, April 09, 2015

RSAC Guide 2015: IOWTF

By James Arlen

Have you heard a vendor tell you about their old product, which now protects the Internet of Things? No, it isn’t a pull-up bar, it’s an Iron Bar Crossfit (TM) Dominator!

You should be mentally prepared for the Official RSA Conference IoT Onslaught (TM). But when a vendor asks how you are protecting IoT, there’s really only one appropriate response:

“I do not think that means what you think it means.”

Not that there aren’t risks for Internet-connected devices. But we warned you this would hit the hype bandwagon, way back in 2013’s Securosis Guide to RSAC:

We are only at the earliest edge of the Internet of Things, a term applied to all the myriad of devices that infuse our lives with oft-unnoticed Internet connectivity. This wonʼt be a big deal this year, nor for a few years, but from a security standpoint we are talking about a collection of wireless, Internet-enabled devices that employees wonʼt even think about bringing everywhere. Most of these wonʼt have any material security concerns for enterprise IT. Seriously, who cares if someone can sniff out how many steps your employees take in a day (maybe your insurance underwriter). But some of these things, especially the ones with web servers or access to data, are likely to become a much bigger problem.

We’ve reached the point where IoT is the most under- or mis-defined term in common usage – among not just the media, but also IT people and random members of the public. Just as “cloud” spent a few years as “the Internet”, IoT will spend a few years as “anything you connect to the Internet”.

If we dig into the definitional deformation you will see on the show floor, IoT seems to be falling into two distinct classes of product: (a) commercial/industrial things that used to be part of the Industrial Control world like PLCs, HVAC controls, access management systems, building controls, occupancy sensors, etc.; and (b) products for the consumer market – either from established players (D-Link, Belkin, etc.) or complete unknowns who got their start on Kickstarter or Indiegogo.

There are real issues here, especially in areas like process control systems that predate “IoT” by about 50 years, but little evidence that most of these products are actually ready to address the issues, except for the ones which have long targeted those segments. As for the consumer side, like fitness bands? Security is risk management, and that is so low on their priority list that it is about as valuable as a detoxifying foot pad. We aren’t dismissing all consumer product risks, but worry about your web apps before your light bulbs.

At RSAC this year we will see ‘IoT-washing’ in the same way that we have seen ‘cloud-washing’ over the last few years – lots of mature technology being rebranded as IoT. What we won’t see is any meaningful response to consumer IoT infiltration in the business. This lack of meaningful response nicely illustrates the other kinds of change we still need in the field: security people who can think about and understand IPv6, LoPAN, BLE, non-standard ISM radios, and proprietary protocols. Sci-Fi writers have told us what IoT is going to look like – everything connected, all the time – so now we’d better get the learning done so we can be ready for the change that is already underway, and make meaningful risk decisions, not based on fear-mongering.

—James Arlen

Wednesday, April 08, 2015

RSAC Guide 2015: DevOpsX Games

By Rich

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch).

We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications.

But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much as a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees.

DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports… it’s on YouTube now – look it up, young’ns).

Extreme sports (if that term even applies anymore) is all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you can to backflip a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave.

This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSA day the Monday before the conference starts. And vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty bad too, especially presentations on the ‘risks’ of DevOps that show someone doesn’t understand it doesn’t actually allow developers to modify production environments despite policy. As for the expo floor? We look forward to seeing that ourselves… and as with anything new, we expect to see plenty of banners proclaiming their antivirus is “DevOps ready”.

Posers.

—Rich

RSA Guide 2015: Get Bigger (Data) Now!!!

By Dave Lewis

This year at RSA we will no doubt see the return of Big Data to the show floor. This comes along with all the muscle confusion that it generates – not unlike Crossfit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget.

Last year we leveraged the tired (nay, exhausted) analogy of sex in high school. Everyone talks about it but… yeah. You get the idea. Every large company out there today has a treasure trove of data available, but they have yet to truly gain any aerobic benefit from it. Certainly they are leveraging this information but who is approaching it in a coherent fashion? Surprisingly, quite a few folks. Projects such as the Centers for Disease Control’s data visualizations, Twitter’s “Topography of Tweets”, SETI’s search for aliens, and even Yelp’s hipster tracking map. They all leverage Big Data in new and interesting ways. Hmm, SETI and Yelp should probably compare notes on their data sets.

These are projects happening, often despite the best intentions of organizational IT security departments. Big Data is here, and security teams need to get their collective heads around the situation rather than hanging about doing kipping pull-ups. As security practitioners we need to find sane ways to tackle the security aspects of these projects, to help guard against inadvertent data leakage as they thrust forward with their walking lunges. One thing we recommend is ahike out on the show floor to visit some vendors you’ve never heard of. There will be a handful of vendors developing tools specifically to protect Big Data clusters, and some delivering tools to keep sensitive data out of Big Data pools. And your Garmin will record a couple thousand more steps in the process. Second, just as many Big Data platforms and features are built by the open source community, so are security tools. These will be under-represented at the show, but a quick Google search for Apache security tools will find more options.

Your internal security teams need to be aware of the issues with big data projects while striking a balance supporting business units. That will truly lead to muscle confusion for some. If you’re looking for the Big Data security purveyors, they will most likely be the ones on the show floor quietly licking wounds from their workout while pounding back energy drinks.

—Dave Lewis

Tuesday, April 07, 2015

RSAC Guide 2015: Key Theme: Security Bonk

By Mike Rothman

The Security Bonk

For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our respective waistlines, than anything else. So we’re all too familiar with the concept of ‘bonking’: hitting the wall and capitulating. You may not give up, but you are just going through the motions.

Sound familiar to you security folks? It should. You get bonked over the head with hundreds or thousands of alerts every day. You can maybe deal with 5, and that’s a good day. So choosing the right 5 is the difference between being hacked today and tomorrow. This alert fatigue will be a key theme at RSA Conference 2015. You’ll see a lot of companies and sessions (wait, there are sessions at RSA?) talking about more actionable alerts. Or increasing the signal to noise ratio. Or some similarly trite and annoying terminology for prioritization.

These vendors come at the problem of prioritization from different perspectives. Some will highlight shiny new analytical techniques (time for the Big Data drinking game!) to help you figure out which attack represents the greatest risk. Others will talk about profiling your users and looking for anomalous behavior. Yet another group will focus on understanding the adversary and sharing information about them. All with the same goal: to help you optimize limited resources before you reach the point of security bonk.

To carry the sports analogy to the next step, you are like the general manager of a football team. You’ve got holes all over your roster (attack surface) and you need to stay within your salary cap (budget). You spend a bunch of money on tools and analytics to figure out how to allocate your resources, but success depends more on people and consistent process implementation. Unfortunately people are a major constraint, given the limited number of skilled resources available. You can get staffers through free agency (expensive experienced folks who generally want long-term deals) or draft and develop talent, which takes a long time.

And in two years, if your draft picks don’t pan out or your high-priced free agents decide to join a consulting firm, you get fired. Who said security wasn’t like life? Or the football life, anyway!

—Mike Rothman

RSAC Guide 2015: Key Theme: Change

By Jennifer Minella, Rich

Every year we like to start the RSA Guide with review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise?

This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change.

–Rich

This year at RSA the vendors are 18% more engaged, solutions are 22% more secure, and a whopping 73% of products and solutions are new. Or are they? To the untrained eye the conference floor is filled with new and sensational technologies, ripe for consumption – cutting-edge alongside bleeding-edge – where the world comes to talk security. While those percentages may be fabricated horse puckey, the underlying message here is about our perception of — and influence over – real change.

“It’s like deja-vu, all over again,” as Yogi Berra once mused. Flipping through the conference guide, that will be the reaction of observers who have made their way by watching the ebbs and flows of our industry for years. The immediate recognition of companies acquired, products rebranded, and solutions washed in marketing to make them 84% shinier, feeds a skeptical doubt that we are actually making progress through this growth we call ‘change’. So here is our Public Service Announcement: change is not necessarily improvement.

Change can be good, bad, or neutral, but for some reason our human brains crave it when we are at an impasse. When we hit a wall or bonk – when we are frustrated, confused, or just pissed off – we seek change. Not only seek, but force and abuse it. We wield change in unusual and unnatural ways because something that’s crappy in a new and different way is better than the current crappy we already have. At least with change there’s a chance for improvement, right? And there is something to be said for that. Coach John Wooten said “Failure is not fatal, but failure to change might be.” If we keep changing – if we keep taking more shots on goal – eventually we’ll score.

But are we changing the right things? Does reorganizing, rebranding, or reinventing the cloud or the IoT help in a meaningful way? Perhaps, but you are not simply at the mercy of change around you. You, too, can influence change. This year as you walk around the sessions, workshops, and booths at RSA, look for opportunities to change other things. Change your perspective, change your circle of influence, change your approach, or change your habits. Ask questions, meet new people, and consider the unimaginable. We guarantee at least 19% change with a 12% effort, 99% of the time.

by Jennifer Minella, Contributing Analyst

This article first appeared on the RSA Conference blog at http://www.rsaconference.com/blogs

Jennifer Minella, Rich

Friday, April 03, 2015

Friday Summary: April 3, 2013: Getting back in

By Adrian Lane

Running. I started running when I was 9. I used to tag along to exercise class at the local community college with my mom, and they always finished the evening with a couple laps around the track. High school was track and cross country. College too. When my friends and I started to get really fast, there would be the occasional taunting of rent-a-cops, and much hilarity during the chase, usually ending in the pursuers crashing into a fence we had neatly hopped over. Through my work career, running was a staple, with fantastic benefits for both staying healthy and washing away workday stresses.

Various injuries and illness stopped that over the last few years, but recently I have been back at it. And it was … frigging awful and painful. Unused muscles and tendons screamed at me. But after a few weeks that went away. And then I started to enjoy the runs again. Now I find myself more buoyant during the day – better energy and just moving better. It’s a subtle thing, but being fit just makes you feel better in several ways, all throughout the day.

This has been true for several other activities of late — stuff I love to do, but for various reasons dropped. Target shooting is something I enjoy, but the restart was awful. You forget how critical it is to control your breathing. You forget the benefit of a quality load. You forget how the trigger pull feels and how to time the break. I grew up taking two or three fishing trips a year, but had pretty much stopped fishing for the last 10 years – lack of time, good local places to go, and people you wanted to go with. You forget how much fun you can have sitting around doing basically nothing. And you forget how much skill and patience good fishermen bring to the craft.

In this year of restarts, I think the one activity that surprised me most was coding. Our research has swung more and more into the security aspects of cloud, big data, and DevOps. But I can’t expect to fully understand them without going waist-deep to really use them. Like running, this restart was painful, but this was more like being punched in the mouth. I was terrible. I am good at learning new tools and languages and environments, and I expected a learning curve there. The really bad part is that much of what I used to do is now wrong. My old coding methods – setting up servers to be super-resilient, code re-use, aspects of object-oriented design, and just about everything having to do with old-school relational database design, needs to get chucked out the window. I was not only developing slowly, but I found myself throwing code out and reworking to take advantage of new technologies. It would have been faster to learn Hadoop and Dynamo without my relational database background – I needed to start by unlearning decades of training. But after the painful initial foray, when I got a handle on ways to use these new tools, I began to feel more comfortable. I got productive. I started seeing the potential of the new technologies, and how I should really apply security. Then I got happy!

I’ve always been someone who just feels good when I produce something. But over and above that is something about the process of mastering new stuff and, despite taking some lumps, gaining confidence through understanding. Getting back in was painful but now it feels good, and is benefitting both my psyche and my research.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • In case you missed it, Dave Lewis, JJ, James Arlen, Rich, Mike, and Adrian posted some of our yearly RSA Conference preview on the RSAC Blog. We will post them and the remaining sections on the Securosis blog next week.
  • Mike on Endpoint Defense.

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

Top News and Posts

—Adrian Lane

Wednesday, April 01, 2015

Incite 4/1/2015: Fooling Time

By Mike Rothman

As we started recording the Firestarter Monday Rich announced the date. When he said “March 30”, it was kind of jarring. It’s March 30? How did that happen? Wasn’t it just yesterday we rang in the new year? I guess it was almost 90 yesterdays. Thankfully Rich cut me off as I went down the rabbit hole of wondering where the time went.

Hourglass

Every year is getting shorter, never seem to find the time
Plans that either come to naught or half a page of scribbled lines
Hanging on in quiet desperation is the English way
The time is gone, the song is over, thought I’d something more to say
– Pink Floyd, “Time”

Yup, I’m in one of those moods. You know, the mood where you are digging up Pink Floyd lyrics. Though it’s true – every year does seem to get shorter. It’s hard to find the time to do everything you want to. Everything you plan to. You can’t fool time, even on April Fool’s day. Time just keeps moving forward, which is what we all need to do.

I have become painfully aware of the value of time this year. It seems I have been in a cycle of work, run, yoga, travel, car pools, LAX games, and maybe a little sleep now and again. But when I pick my head up every so often, I see things changing. Right before my eyes. XX1 is no longer a little girl. She’s almost as tall as the Boss and is talking to me about getting her driver’s permit in 6 months. What? My little muncha driving? How can that be?

And people you know unexpectedly pass on. Many of us in the security community knew Michael Hamelin (@hackerjoe), and then over the holidays he was gone. Taken in a freak car accident. It makes you think about how you are using the short amount of time you have. I had a wave of inspiration and posted a few things on Twitter that day.

Tweets

I’m fortunate to be a mentor, advisor, and friend to lots of folks who come to me for advice and perspective. I talk about courage a lot with these people. The courage to be who you want to be, regardless of who you ‘should’ be. The courage to make changes, if changes are necessary. The courage to get beyond your comfort zone and grow. It’s not easy to be courageous.

Ticking away the moments that make up a dull day
Fritter and waste the hours in an off-hand way
Kicking around on a piece of ground in your home town
Waiting for someone or something to show you the way
– Pink Floyd, “Time”

Many people choose to just march through life, even if they aren’t happy or fulfilled, and that’s okay. But time will move on, regardless of what you decide to do, or not do. If you think things will change without you changing them, you aren’t fooling time. You are only fooling yourself.

–Mike

Photo credit: “hourglass_cropped“_ originally uploaded by openDemocracy


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Better breach disclosure: I hate it when stuff I use gets breached. I have to change passwords and the like. It’s just a hassle. But it does provide a learning opportunity, if the pwned company will talk about what happened. The latest disclosure darling seems to be Slack. You know, the chat app everyone seems to use. Evidently they had an attacker in their user database and some private information was accessible. Things like email addresses and password hashes. Theor payment and financial information was apparently not accessible (segmentation FTW). Now they don’t know whether user data was actually accessed (but we need to assume it was). Nor do they have any proof passwords were decrypted. But at least they are candid about what they don’t know. And even better, they took action to address the issue. Like turning on two-factor authentication before it was quite ready. And providing a tool for an administrator to log everyone out of the system and force a password reset. As they learn more, we can only hope Slack shares more of the details of this attack. – MR

  2. The wisdom of retailers: Over the last decade I have been involved in two research projects to show how data breaches impacted firm’s brand value and stock prices. And yes, I worked for a security vendor at the time, who had a financial incentive to link them. What did I find? Nothing. The data was inconsistent, bu if anything it suggested breaches and company value were unrelated. Our own Gunnar Peterson has been tracking this topic for as long as I’ve known him, and based solely on stock price, finds that breached companies outperform the market. The Harvard Business Review has done many great case studies on firms that have been breached, going back at least to 2007, but I believe this is the first time the HBR has come out with reasons why data breaches don’t hurt stock prices. But does that mean those retailers with a laissez-faire approach to security were right all along? If breaches are “… an inevitability of doing business …”, does that mean firms should only invest in “cyber insurance” to help pay the costs of cleanup? – AL

  3. Darwin and the WAF: Brian McHenry of F5 calls for the death of WAF as we know it and even references some of Adrian’s and my research. And who says flattery gets you nowhere? Brian’s point is that WAF needs to evolve with the advent of DevOps and more agile development processes, because you can’t tune the WAF to keep up with every application change. He’s right, but it’s a bigger issue than just WAF. Though given Brian is in the WAF business, that is his focus. DevOps and cloud and mobility disrupt the game. You need to rethink security and data protection… or not. As Deming said, “It is not necessary to change. Survival is not mandatory.” It applies to pretty much everything. Technologies, but also processes. If those don’t evolve (and drag technology with it), you’ll be on the endangered species list. But don’t fret – you won’t be lonely. A lot of technologies, vendors and practitioners won’t be able to make the jump. Maybe there is a gig available for a front-end processor engineer. (Old school) – MR

  4. Grab the popcorn: Now that vendors have reassessed their approaches to mobile payments, subsequent to Apple Pay shaking things up, we see new payment products from every corner. Square announced the acquisition of Kili, giving them NFC capabilities. Now merchants using Square can support either card-swipe or NFC transactions. Vodafone will also standardize on NFC communication, but will deliver a SIM card that embeds a secure element to hold the encryption keys needed for secure payment on mobile devices. These secure elements are the preferred choice for carriers, because anyone who wants access must pay the carrier. Unsurprisingly, Visa and Mastercard recently announced they are backing the more open Host Card Emulation approach – effectively a virtual secure hardware element – but now Microsoft has also announced use of HCE for their new Tap To Pay offering on Windows phones. We went from a snail’s pace to hair-on-fire product delivery, which means we can expect implementation flaws and notable hacks during this vendor stampede for market share. – AL

  5. It’s a mobile app – what could possibly go wrong? You all know what a big fan of surveys I am, but sometimes the data makes a point worth making. Without less-than-rigorous math, that is. The Ponemonsters did a survey for IBM which analyzed mobile app security. Basically there isn’t much, which I’m sure is a shock to most of you. In another surprising turn, the rush to get mobile apps out there and to meet customer needs is forcing organizations to take security shortcuts. Really! I know you are shocked. Yes, I took my sarcasm pills today. If there is an upside it is that mobile OSes are inherently better protected than PCs. I did not say fully protected – just better protected. But this is a systemic issue. Why would mobile apps be much different than anything else? Companies feel pressure to ship, they take shortcuts, security suffers. Breach happens, company gets religion. Until next time they have to take a shortcut. Wash, rinse, repeat. And we needed a survey to tell us that? – MR

—Mike Rothman

Tuesday, March 31, 2015

Firestarter: Using RSA

By Rich

The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan.

Watch or listen:


—Rich

Monday, March 30, 2015

New Paper! Endpoint Defense: Essential Practices

By Mike Rothman

Securosis_EndpointDefenseEssentialPractices_FINAL.pdf

We’ve seen a renaissance of sorts regarding endpoint security. To be clear, most of solutions in the market aren’t good enough. Attackers don’t have to be advanced to make quick work of the endpoint protection suites in place. That realization has created a wave of innovation on the endpoint that promises to provide a better chance to prevent and detect attacks. But the reality is far too many organizations can’t even get the fundamentals of endpoint security.

But the fact remains that many organizations are not even prepared to deal with unsophisticated attackers. You know, that dude in the basement banging on your stuff with Metasploit. Those organizations don’t really need advanced security now – their requirements are more basic. It’s about understanding what really needs to get done – not the hot topic at industry conferences. They cannot do everything to fully protect endpoints, so they need to start with essentials.

In our Endpoint Defense: Essential Practices paper, we focus on what needs to be done to address the main areas of attack surface. We cover both endpoint hygiene and threat management, making clear what should be a priority and what should not. It’s always useful to get back to basics sometimes, and this paper provides a way to do that for your endpoints.


EDEP ToC

We would like to thank Viewfinity for licensing the content in this paper. Our licensees allows us to provide our research for no cost and still pay our mortgages, so we should all thank them. As always, we developed this paper using our objective Totally Transparent Research methodology.

Visit the Endpoint Defense: Essential Practices landing page in our research library, or download the paper directly (PDF).

—Mike Rothman

Wednesday, March 25, 2015

Network-based Threat Detection: Overcoming the Limitations of Prevention

By Mike Rothman

Organizations continue to invest heavily to block advanced attacks, on both endpoints and networks. Despite all this investment devices continue to be compromised in increasing numbers, and high-profile breaches continue unabated. Something isn’t adding up. It comes down to psychology – security practitioners want to believe that the latest shiny geegaw for preventing compromise will finally work and stop the pain.

Of course we are still waiting for effective prevention, right? So we have been advocating a shift in security spending, away from ineffective prevention and towards detection and investigation of active adversaries within your networks and systems. We know many organizations have spent a bunch of money on detection – particularly intrusion detection, its big brother intrusion prevention, and SIEM.

But these techniques haven’t really worked effectively either, so it’s time to approach the issue with fresh eyes. Our Network-based Threat Detection series will do just that. By taking a new look at detection, not from the standpoint of what we have done and implemented (IDS and SIEM), but what we need to do to isolate and identify adversary activity, we will be able to look at the kinds of technologies needed right now to deal with modern attacks. The times have changed, the attackers have advanced, and our detection techniques for finding adversaries need to change as well.

As always, we wouldn’t be able to publish our research for the awesome price of zero without clients supporting what we do. So we’d like to thank Damballa and Vectra Networks for potentially licensing this content at the end of this series. We will develop the content using our Totally Transparent Research methodology, with everything done in the open and objectively.

Threat Management Reimagined

Let’s revisit how we think about threat management now. As we first documented in Advanced Endpoint and Server Protection, threats have changed so you need to change the way you handle them. We believe threat management needs to evolve as follows:

  1. Assessment: You cannot protect what you don’t know about – that hasn’t changed and isn’t about to. So the first step is to gain visibility into all devices, data sources, and applications that present risk to your environment. Additionally you need to understand the security posture of anything you have to protect.
  2. Prevention: Next try to stop attacks from succeeding. This is where most of the effort in security has been for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It is now a question of reducing attack surface as much as practical. If you can stop the simplistic attacks you can focus on advanced ones.
  3. Detection: You cannot prevent every attack, so you need a way to detect attacks after they get through your defenses. There are a number of different options for detection – most based on watching for patterns that indicate a compromised device. The key is to shorten the time between when the device is compromised and when you discover it has been compromised.
  4. Investigation: Once you detect an attack you need to verify the compromise and understand what it actually did. This typically involves a formal investigation – including a structured process to gather forensic data from devices, triage to determine the root cause of the attack, and a search to determine how widely the attack spread within your environment.
  5. Remediation: Once you understand what happened you can put a plan in place to recover the compromised device. This might involve cleaning the machine, or more likely re-imaging it and starting over again. This step can leverage ongoing hygiene activities (such as patch and configuration management) because you can and should use tools you already have to reimage compromised devices.

This reimagined threat management process incorporates people, processes, and technology – integrated across endpoints, servers, networks, and mobile devices. If you think about it, there is a 5x4 matrix of all the combinations to manage threats across the entire lifecycle for all device types. Whew! That would be a lot of work (and a really long paper). The good news for this series is that we will focus specifically on network-based detection.

Why Not Prevention?

From reading thus far, you may think we’ve capitulated and just given up on trying to prevent attacks. Not true! We still believe that having restrictive application-centric firewall policies and looking for malware on the ingress pipes is a good thing. Our point is that you can’t assume that your prevention tactics are sufficient. They aren’t.

Adversaries have made tremendous progress in being able to evade intrusion prevention and malware detonation devices (sandboxes). And remember that your devices aren’t always protected by the network perimeter or your other defenses at all times. Employees take the devices outside of the network and click on things. So your devices may come back onto the corporate network infected.

That doesn’t mean these devices don’t catch stuff, but they don’t catch everything. Thus, if you are having trouble understanding the importance of detection; think about it as Plan B. Every good strategist has Plan B (and Plan C, D, and E) and focusing effort on detection gives you a fallback position when your prevention doesn’t get it done.

So in a nutshell, it’s not either prevention or detection. It’s both.

Why Not Existing Monitoring?

You probably already spent a bunch of time and money implementing intrusion detection/prevention and SIEM to monitor those network segments. So why isn’t that good enough? It comes down to a fundamental aspect of IDS and SIEM: you need to know what you are looking for. Basically, you define a set of conditions (rules/policies) to look for typical patterns of attacks in your network traffic or event logs. If an attacker uses a common attack that has already been profiled, and you have added the rule to your detection system, and your device can handle the volumes (because you probably have 10,000 other rules defined in that device) you will be able to find that attack.

But what if the attacker is evading your devices by hiding traffic in a standard protocol and communicating by proxying through a legitimate network? What if they are using a pattern you haven’t seen before? Yep, you’ll miss the attack.

Again, it’s not like you don’t have to monitor your systems and networks anymore. Compliance mandates that you still need your IPS and your SIEM. It’s still critical to collect data and analyze it to find attacks you know about. And to be fair, many IDS/IPS and SIEM platforms are adding more sophisticated analysis to their standard correlation capabilities to improve detection. But these approaches still require a lot of tuning and experimentation to get right, and nobody has time to do everything. Nobody has time to waste on a noisy security monitor.

The Answer Is…

Unfortunately we haven’t found sustainable cold fusion, or a magic bullet that identifies every attack from every adversary every time (cold fusion actually seems a bit more likely). Would be nice though, right? But a couple capabilities have come together to enable better and more accurate detection on the network:

  1. Math: Actually math has been around for a while (yes, that’s sarcasm). But improved ability to find patterns among a variety of data sources has made a big difference in the effectiveness of detection. Vendors call this “Big Data Analytics” and “Machine Learning”. Shiny buzzwords aside, these capabilities improve your ability to find anomalous traffic earlier in the attack chain.
  2. Context: Anomaly detection has been around almost as long as math, but it offered limited value because it threw off a lot of false positives. An anomaly could just as easily be legitimate and malicious, but you had no way to tell the difference without a pretty deep investigation. So being able to evaluate other types of data such as identity and content/payload, and to prioritize anomalies based on which are more likely to be an attack, helps you eliminate now-obvious false positives.

So network-based detection has evolved to the point where you can identify devices that look like they have been compromised. To be clear, this is still suboptimal, because damage has already been done. Our inner security purist still wants to block every attack. But a breach doesn’t happen until exfiltration occurs, and if you are able to respond faster and better you can contain the damage. That’s what better detection is all about.

Our next post will dig into the typical indications of a compromised device. Attackers always leave traces, so by looking for certain things on your network you can find them.

—Mike Rothman

Incite 3/25/2015: Playing it safe

By Mike Rothman

A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable.

Comfort is uncomfortable

I guess I have always been this way. Taking risks isn’t risky from where I sit. In fact playing it safe feels dangerous. Of course I don’t take stupid risks and put myself in harm’s way. At least I don’t any more – now I have a family who depends on me. But people ask me how I have the courage to start new businesses and try things. I don’t know – I just do. I couldn’t really play it safe it I tried.

Not that playing it safe is bad. To the contrary, it’s a yin-yang thing. Society needs risk-takers and non-risk-takers. However you see yourself, make sure you understand and accept it, or it will not end well.

For instance some folks dream of being a swashbuckling entrepreneur, jumping into the great unknown with an idea and a credit card to float some expenses. If you are risk-averse that path will be brutal and disappointing. Even if the venture is successful it won’t feel that way because the roller coaster of building a business will be agonizing for someone who craves stability.

Risk Takers

Similarly if you put an entrepreneur into a big stable company, they will get into trouble. A lot of trouble. Been there, done that. That’s why it is rare to see true entrepreneurs stay with the huge companies that acquire them, after the retention bonuses are paid and the stock is vested. It’s just soul-crushing for swashbucklers to work in place with subsidized cafeterias and large HR departments.

I joked that it was time to leave META Group back in the mid-90s, when we got big enough that there were people specifically tasked with making my job harder. They called it process and financial controls. I called it bureaucracy and stupid paperwork. It didn’t work for me so I started my own company. With neither a subsidized cafeteria nor an HR department. Just the way I like it.

–Mike

Photo credit: “2012_05_050006 Road to Risk Takers Select Committees” originally uploaded by Gwydion M. Williams


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Endpoint Defense Essential Practices

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers


Incite 4 U

  1. We’re hacking your stuff too, eh! All my Canadian friends are exceedingly nice. I’m sure many of you know our contributors from up North, Dave Lewis and James Arlen, and there aren’t any nicer people. They are cranky security people like the rest of us, but they somehow never seem cranky. It’s a Canadian thing. So when you hear about the Canadians doing what pretty much every other government is doing and hacking the crap out of all sorts of things, you say, “Eh? The Canadians? Really?” Even better, the Canadians are collaborating with the NSA to use social engineering and targeted attacks to “garner foreign intelligence or inflict network damage.” The spinmeisters were spinning hard about the documents being old, blah blah blah. Maybe they need a little Rob Ford action in the cyber department to give us the real low-down. But you know what? I’m sure they were very polite guests and left everything exactly as they found it. – MR

  2. He had me at Manifesto: I love a good manifesto. Nothing gets the blood moving like a call to arms, to rally the troops to do something. My friend Marc Solomon of Cisco advocates for CISOs to write their own manifestoes to get the entire organization thinking about security. I’m not sure how you make security “a growth engine for the business”, but a lot of his other aspirations are good. Things like security must be usable, transparent, and informative. Yup. And security must be viewed as a “people problem,” which really means that if you didn’t have all these pesky employees you would have far fewer security problems. Really it’s a sales document. You (as CISO) are selling the security mindset to your organization, and that is a manifesto worth writing. – MR

  3. E-DDoS coming to a cloud near you: One of the newer attack vectors I highlighted in our denial of service research a couple years ago was an economic denial of service. An adversary can hammer a cloud-based system, driving costs up to the victim’s credit limit. No more credit, no more cloud services. I guess that’s the cloud analogue to “No shoes, no shirt, no dice.” [Dude)…] It seems someone in China doesn’t like that some website allows connectivity to censored websites, so they are blasting them with traffic, costing $30,000/day in cloud server costs. These folks evidently have a lot of credit with Amazon and haven’t been forced to shut down. Yet. Aside from the political reality an attack like this represents, it is a clear example of another more diabolical type of attack. A DDoS that knocks your stuff down may impact sales, but not costs. This kind of attack hits you below the belt: right in the wallet. – MR

—Mike Rothman