Login  |  Register  |  Contact
Friday, March 28, 2014

Security Sharing

By Mike Rothman

I really like that some organizations are getting more open about sharing information regarding their security successes and failures. Prezi comes clean about getting pwned as part of their bug bounty program. They described the bug, how they learned about it, and how they fixed it. We can all learn from this stuff.

Invest in Boardwalk. Pays more.

Facebook talked about their red team exercise last year, and now they are talking about how they leverage threat intelligence. They describe their 3-tier architecture to process intel and respond to threats. Of course they have staff to track down issues as they are happening, which is what really makes the process effective. Great alerts with no response don’t really help. You can probably find a retailer to ask about that…

I also facilitated a CISO roundtable where a defense sector attendee offered to share his indicators with the group via a private email list. So clearly this sharing thing is gaining some steam, and that is great. So why now? What has changed that makes sharing information more palatable?

Many folks would say it’s the only way to deal with advanced adversaries. Which is true, but I don’t think that’s the primary motivation. It certainly got the ball rolling, and pushed folks to want to share. But it has typically been general counsels and other paper pushers preventing discussion of security issues and sharing threat information.

My hypothesis is that these folks finally realized have very little to lose by sharing. Companies have to disclose breaches, so that’s public information. Malware samples and the associated indicators of attack provide little to no advantage to the folks holding them close to the vest. By the time anything gets shared the victim organization has already remediated the issue and placed workarounds in place. I think security folks (and their senior management) finally understand that. Or at least are starting to, because you still see folks who will only share on ‘private’ fora or within very controlled groups.

Of course there are exceptions. If an organization can monetize the data, either by selling it or using it to hack someone else (yes, that happens from time to time), they aren’t sharing anything.

But in general we will see much more sharing moving forward. Which is great. I guess it is true that everything we need to know we learned in kindergarten.

Photo credit: “Sharing” originally uploaded by Toban Black

–Mike Rothman

Thursday, March 27, 2014

Friday Summary: March 28, 2014—Cloud Wars

By Adrian Lane

Begun, the cloud war has.

We have been talking about cloud computing for a few years now on this blog, but in terms of market maturity it is still early days. We are really entering the equivalent of the second inning of a much longer game, it will be over for a long time, and things are just now getting really interesting. In case you missed it, the AWS Summit began this week in San Francisco, with Amazon announcing several new services and advances. But the headline of the week was Google’s announced price cuts for their cloud services:

Google Compute Engine is seeing a 32 percent reduction in prices across all regions, sizes and classes. App Engine prices are down 30 percent, and the company is also simplifying its price structure. The price of cloud storage is dropping a whopping 68 percent to just $0.026/month per gigabyte and $0.2/month per gigabyte/DRA. At that price, the new pricing is still lower than the original discount available for those who stored more than 4,500TB of data in Google’s cloud.

Shortly thereafter Amazon countered with their own price reductions – something we figured they were prepared to do, but didn’t intend during the event. Amazon has been more focused on methodically delivering new AWS functionality, outpacing all rivals by a wide margin. More importantly Amazon has systematically removed impediments to enterprise adoption around security and compliance. But while we feel Amazon has a clear lead in the market, Google has been rapidly improving. Our own David Mortman pointed out several more interesting aspects of the Google announcement, lost in the pricing war noise:

“The thing isn’t just the lower pricing. It’s the lower pricing with automatic “reserve instances” and the managed VM offering so you can integrate Google Compute Engine (GCE) and Google App Engine. Add in free git repositories for managing the GCE infrastructure and support for doing that via github – we’re seeing some very interesting features to challenge AWS. GOOG is still young at offering this as an external service but talk about giving notice…

Competition is good! This all completely overshadowed Cisco’s plans to pour $1b into an OpenStack-based “Network of Clouds”. None of this is really security news, but doubling down on cloud investments and clearly targeting DevOps teams with new services, make it clear where vendors think this market is headed. But Google’s “Nut Shot” shows that the battle is really heating up.

On to the Summary, where several of us had more than one favorite external post:

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

This week’s best comment goes to Marco Tietz, in response to Friday Summary: IAM Mosaic Edition.

Thanks Adrian, it looks like you captured the essence of the problem. IAM is very fragmented and getting everything to play together nicely is quite challenging. Heck, just sorting it out corp internal is challenging enough without even going to the Interwebs. This is clearly something we need to get better at, if we are serious about ‘The Cloud’.

–Adrian Lane

Mike’s Upcoming Webcasts

By Mike Rothman

After being on the road for what seems like a long time (mostly because it was), I will be doing two webcasts next week which you should check out.

  1. Disruption Ahead: How Tectonic Technology Shifts Will Change Network Security. Next Tuesday (April 1 at 11 am ET) I will be applying our Future of Security concepts to the network security business. Tufin’s Reuven Harrison will be riding shotgun and we will have a spirited Q&A after my talk to discuss some of the trends he is seeing in the field. Register for this talk.
  2. Security Management 2.5: Replacing your SIEM Yet? On Wednesday, April 2 at 11 am ET I will be covering our recent SIEM 2.5 research on a webcast with our friends at IBM. I will be honing in on the forensics and security analytics capabilities of next-generation SIEM. You can register for that event as well.

See you there, right?

UPDATE: I added the links. Driver error.

–Mike Rothman

Wednesday, March 26, 2014

Incite 3/26/2014: One Night Stand

By Mike Rothman

There is no easy way to say this. I violated a vow I made years ago. It wasn’t a spur of the moment thing. I have been considering how to do it, without feeling too badly, for a few weeks. The facts are the facts. No use trying to obscure my transgression. I cheated. If I’m being honest, after it happened I didn’t feel bad. Not for long anyway.

It happened and now it's over...

This past weekend, I ate both steak and bacon. After deciding to stop eating meat and chicken almost 6 years ago. Of course there is a story behind it. Basically I was in NYC celebrating a close friend’s 45th birthday and we were going to Peter Luger’s famous steakhouse. Fish isn’t really an option, and the birthday boy hadn’t eaten any red meat for over 20 years. Another guy in the party has never eaten bacon. Never! So we made a pact. We would all eat the steak and bacon. And we would enjoy it.

It was a one night stand. I knew it would be – it meant nothing to me. I have to say the steak was good. The bacon was too. But it wasn’t that good. I enjoyed it, but I realized I don’t miss it. It didn’t fulfill me in any way. And if I couldn’t get excited about a Peter Luger steak, there isn’t much chance of me going back back to my carnivorous ways.

Even better, my stomach was okay. I was nervously awaiting the explosive alimentary fallout that goes along with eating something like a steak after 6 years. Although the familiar indigestion during the night came back, which was kind of annoying – that has been largely absent for the past 6 years – but I felt good. I didn’t cramp, nor did I have to make hourly trips to the loo. Yes, that’s too much information, but I guess my iron stomach hasn’t lost it.

To be candid, the meat was the least of my problems over the weekend. It was the Vitamin G and the Saturday afternoon visit to McSorley’s Old Ale House that did the damage. My liver ran a marathon over the weekend. One of our group estimated we might each have put down 2 gallons of beer on Saturday. That may be an exaggeration, but it may not be. I have no way to tell.

And that’s the way it should be on Boys’ Weekend. Now I get to start counting days not eating meat again. I’m up to 5 days and I think I’ll be faithful for a while…

–Mike

Photo credit: “NoHo Arts District 052309” originally uploaded by vmiramontes


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Palo Alto Does Endpoints: It was only a matter of time. After the big FireEye/Mandiant deal and Bit9/Carbon Black, Palo Alto Networks needed to respond. So they bought a small Israeli start-up named Cyvera for $200 million! And I thought valuations were only nutty in the consumer Internet market. Not so much. Although no company can really have a comprehensive advanced malware story without technology on the network and endpoints. So PANW made the move, and now they need to figure out how to sell endpoint agents, which are a little bit different than boxes in the perimeter… – MR

  2. Payment Tokenization Evolution: EMVCo – the Visa, Mastercard, and Europay ‘standards’ organization, has released the technical architecture for a proposed Payment Tokenisation Specification, which will alter payment security around the globe over the coming years. The framework is flexible enough to both enable Near Field Communication (NFC, aka mobile payments) and help combat Card Not Present fraud – the two publicly cited reasons for the card brands to create a tokenization standard in parallel with promotion of EMV-style “smart cards” in the US. The huge jump in recent transactional fraud rates demands some response, and this looks like a good step forward. The specification does not supersede use of credit card numbers (PAN) for payment yet, but would enable merchants to support either PAN or tokens for payment. And this would be done either through NFC – replacing a credit card with a mobile device – or via wallet software (either a mobile or desktop application). For those of you interested in the more technical side of the solution, download the paper and look at the token format! They basically create a unique digital certificate for each transaction, which embeds merchant and payment network data, and wrapped it with a signature. And somewhere in the back office the payment gateways/acquirer (merchant bank) or third-party service will manage a token vault. More to come – this warrants detailed posts. – AL

  3. Vultures are going to vulture: I’m not surprised that Trustwave is being sued as part of the Target breach. Class-action vultures (lawyers) see a company with money, so they sue. It’s the American way. Of course, the assessment contract removes much of the liability in what the customer actually does, but it’s an excuse to try for shakedown money. It would be really disappointing to see anyone settle in this kind of nonsensical case – setting an absolutely horrible precedent regarding liability for auditors/assessors. If there was truly malfeasance, that might be exposed during discovery, and that would be good to know. But pinning the Target breach on a PCI assessor would be ridiculous. – MR

  4. Password Hashing Competition: Most people know hashing as a means of validating someone’s password without actually storing the original value. To a developer hashing algorithms are a handy way to ‘fingerprint’ an object, allowing quick verification of whether an object is still in its original state, or it had been tampered with. But hash algorithms, as noted by Thomas Ptacek, are often employed incorrectly. Still, they remain a core cryptographic tool in the security toolbox. As we get better at breaking stuff, and computational power continues to double every couple years, it is good that a new password hashing competition is under way, with submissions due at the end of the month. If you think you have the math and coding chops, get your submission in! This is community innovation that both makes and breaks security, so give it a try, and maybe they’ll name a standard after you. – AL

  5. The Power of Change: Wendy kills it on her personal blog with her Power of Change post. Her point is that security is all about detecting and controlling change. Of course that is easier said than done, especially with the disruption we are seeing all over the security stack. But she is right on the money. If it is too hard to detect and manage change, you won’t. Until you need to, or perhaps your successor. She closes by pointing out that you don’t need to spend a lot of money to get a handle on change. It is about “knowing what your systems, applications and users are supposed to do,” and then looking for cases when they are doing otherwise. That i also a good metaphor for life, but that’s another story for another day. – MR

–Mike Rothman

Monday, March 24, 2014

Firestarter: The End of Full Disclosure

By Rich

Last week we held a wake for Windows XP. This week we continue that trend, as we discuss the end of yet era – coincidentally linked to XP. Last week the venerable Thunderdome of security lists bid adieu, as the Full Disclosure list suddenly shut down. And yes, this discussion is about more than just one email list going bye-bye.

The audio-only version is up too.

–Rich

Thursday, March 20, 2014

Friday Summary: March 21, 2014—IAM Mosaic Edition

By Adrian Lane

Researching and writing about identity and access management over the last three years has made one thing clear: This is a horrifically fragmented market. Lots and lots of vendors who assemble a bunch of pieces together to form a ‘vision’ of how customers want to extend identity services outside the corporate perimeter – to the cloud, mobile, and whatever else they need. And for every possible thing you might want to do, there are three or more approaches. Very confusing.

I have had it in mind for several months to create a diagram that illustrates all the IAM features available out there, along with how they all link together. About a month ago Gunnar Peterson started talking about creating an “identity mosaic” to show how all the pieces fit together. As with many subjects, Gunnar and I were of one mind on this: we need a way to show the entire IAM landscape. I wanted to do something quick to show the basic data flows and demystify what protocols do what. Here is my rough cut at diagramming the current state of the IAM space (click to enlarge):

IAM Mosaic

But when I sent over a rough cut to Gunnar, he responded with:

“Only peril can bring the French together. One can’t impose unity out of the blue on a country that has 265 different kinds of cheese.”

– Charles de Gaulle

Something as basic as ‘auth’ isn’t simple at all. Just like the aisles in a high-end cheese shop – with all the confusing labels and mingled aromas, and the sneering cheese agent who cannot contain his disgust that you don’t know Camembert from Shinola – identity products are unfathomable to most people (including IT practitioners). And no one has been able to impose order on the identity market. We have incorrectly predicted several times that recent security events would herd identity cats vendors in a single unified direction. We were wrong. We continue to swim in a market with a couple hundred features but no unified approach. Which is another way to say that it is very hard to present this market to end users and have it make sense.

A couple points to make on this diagram:

  1. This is a work in progress. Critique and suggestions encouraged.
  2. There are many pieces to this puzzle and I left a couple things out which I probably should not have. LDAP replication? Anyone?
  3. Note that I did not include authorization protocols, roles, attributes, or other entitlement approaches!
  4. Yes, I know I suck at graphics.

Gunnar is working on a mosaic that will be a huge four-dimensional variation on Eve Mahler’s identity Venn diagram, but it requires Oculus Rift virtual reality goggles. Actually he will probably have his kids build it as a science project, but I digress. Do let us know what you think.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

  • A Few Lessons From Sherlock Holmes. Great post here about some of the wisdom of Sherlock that can help improve your own thinking.
  • Gunnar: Project Loon. Cloud? Let’s talk stratosphere and balloons – that’s what happens when you combine the Internet with the Montgolfiers
  • Adrian Lane: It’s not my birthday. I was going to pick Weev’s lawyers appear in court by Robert Graham as this week’s Fav, but Rik Ferguson’s post on sites that capture B-Day information struck an emotional chord – this has been a peeve of mine for years. I leave the wrong date at every site, and record which is which, so I know what’s what.
  • Gal Shpantzer: Nun sentenced to three years, men receive five. Please read the story – it’s informative and goes into sentencing considerations by the judge, based on the histories of the convicted protesters, and the requests of the defense and prosecution. One of them was released on January 2012 for a previous trespass. At Y-12…
  • David Mortman: Trust me: The DevOps Movement fits perfectly with ITSM. Yes, trust him. He’s The Real Gene Kim!

Research Reports and Presentations

Top News and Posts

–Adrian Lane

Wednesday, March 19, 2014

Firestarter: An Irish Wake

By Rich

We originally recorded this episode on St. Patty’s Day and thought it would be nice to send off Windows XP with a nice Irish wake, but Google had a hiccup and our video was stuck in Never Never Land for an extra day. To be honest, we thought we lost it, so no complaints.

But yes, the end is nigh, all your coffee shops are going to be hacked now that XP is unsupported, yadda yadda yadda…

–Rich

Jennifer Minella Is Now a Contributing Analyst

By Rich

We are always pretty happy-go-lucky around here, but some days we are really happy.

Today is one of those days.

As you probably grasped from the headline, we are insanely excited to announce that Jennifer ‘JJ’ Minella is now a Contributing Analyst here at Securosis.

JJ has some of the deepest technical and product knowledge of anyone we know, on top of a strong grounding as a security generalist. As a security engineer she has implemented countless products in various organizations. She is also a heck of a good speaker/writer, able to translate complex topics into understandable chunks for non-techie types. There is a reason she worked her way up to the executive ranks. JJ also has one of the most refined BS sensors in the industry. Seems like a good fit, eh?

This is actually a weird situation because we always wanted to have her on the team but figured she was too busy to ask. Mike and JJ even worked together for months on their RSA presentation. It was classic over-analysis – she didn’t hesitate when we finally brought it up. Okay, probably over beers at RSA, which is how a lot of our major decisions are made.

JJ joins David Mortman, Gunnar Peterson, James Arlen, Dave Lewis, and Gal Shpantzer as a contributor. Mike, Adrian, and I feel very lucky to have such an amazing group of security pros practically volunteer their time to work with us and keep the research real.

–Rich

Incite 3/18/2014: Yo Mama!

By Mike Rothman

It’s really funny and gratifying to see your kids growing up. Over the weekend XX1 took her first solo plane trip. I checked her in as an unaccompanied minor, and she miraculously got TSA Pre-check. Of course that didn’t mean I did with my gate pass. So the TSA folks did their darndest to maintain the security theater, and swabbed my hands and feet.

We had some time so I figured we’d hang out in the airline club. Not so much. I have access to the SkyClub via my AmEx Platinum card, but evidently I have to be flying. So we got turned away at the door. Really? Total fail, Delta. And your club receptionist was mean. But I had XX1 with me, so I mumbled some choice words under my breath and just let her mention that person wasn’t nice.

Then the gate agent called for her, and after a quick goodbye… Okay, not so quick – no goodbye is quick with XX1 – she headed down the jetway and was gone. Of course I got dispatches every 10 minutes or so via text. So I knew when her bag was in the overhead bin, when she got a refreshment, how much she was enjoying Tower Heist on the iPad, when the plane was loaded, and finally when she had to shut down her phone. She made it to her destination in one piece, and met Grandma at the gate. Another milestone achieved.

yo mama and then some

Then on Saturday morning I had the pleasure of taking the boy to breakfast. His sports activities (tennis and LAX) weren’t until afternoon so we had some boy time. As we were chatting I asked him about his friends. He then launched into a monologue about how all his friends tell Yo Mama! jokes now. He even had some pretty funny ones ready to go. He asked me if I had heard of those kinds of jokes. I just had to chuckle. You know those kids today – they invented everything.

Though how they get their material is radically different. It seems they get the jokes on YouTube and then tell them to each other the next day at school. I had to actually read joke books to get my material and my delivery wasn’t very good. It seems to be in good fun, for now. I remember getting into fights with kids over those kinds of jokes, mostly because they weren’t really intended to be joking. And it’s a bit strange to think the Boss is the Mama in question, and at some point he may need to defend her honor. Although the Boy is pretty mild-mannered and very popular, so it’s hard to envision someone telling a joke to get a rise out of him.

All the same, the kids are growing up. And unaccompanied plane rides and Yo Mama! jokes are all part of the experience.

–Mike

Photo credit: “Yo Mama’s Sign” originally uploaded by Casey Bisson


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Pwn to Pwn: Our friend Mike Mimoso has a great summary of the annual Pwn2Own contest at CanSecWest. This is the one where prizes are paid out to researchers who can crack browsers and other high-value targets (all picked ahead of time, with particular requirements). The exploits are bought up and later passed on to the affected vendors. As usual, all the products were cracked, but the effort required seems higher and higher every year. This level of exploitation is beyond your usual script kiddie tactics, and it’s nice to see the OS and browser vendors make practical security advances year after year. On the downside, BIOS and firmware hacking are going beyond scary. I really feel bad I haven’t made it to CanSecWest (usually due to work conflicts so close to RSA), but I think I need to make it a priority next year. It’s a great event, and a powerful contributor to the security community. – RM

  2. PCI is relevant. Really. It’s just those careless retailers: I’m in the air right now so I can’t check the TripWire folks’ interview with the PCI Standards Council’s Bob Russo at RSA, but some of the quotes I have seen are awesome. “People are studying for the test. Passing the compliance assessment and then leaving things open. They’re being careless,” said Bob Russo. Man, that is awesome. The standards are great – the retailers are just careless. Really? To be clear, Target was careless, but nowhere in the PCI standards do I see anything about locking down third-party access to non-protected information. Or having a network-based malware detection device to detect malware before it exfiltrates data. How about this one? “Russo said it appears the companies affected were covered one way or another in the PCI standards. But if they learn something new, then they will update the standards accordingly.” So they will update the standards in 3 years? That’s how long it takes to implement any change. Listen, I’ll be the first to say that PCI helped 5 years ago. But today its low bar is just too low. – MR

  3. To PIN or not to PIN: If you still don’t believe us that PCI-DSS is just one of many liability-shifting games to improve banking profits, consider Visa and Mastercard’s recent announcement that they will market EMV ‘smart’ payment cards in the US. They want smart cards, but no PIN numbers to validate users – instead they intend to use the same signature-based system we have today. The National Retail Federation has jumped into the fray, saying Easy-to-forge signatures are a virtually worthless form of authentication. Fraud rates with mag-stripe cards in the US are a serious problem, and Chip and Pin style cards have proven to reduce fraud from card cloning and in-person misuse. So what’s the problem? The gripe is that the cards, along with the required systems to set up digital signatures on them, cost about ten times as much – but the real worry is that customers won’t use them. The issuers argue that setting a PIN is too much hassle so people won’t use the cards at all. They believe overall transaction volume would fall off – a no-no for the card brands. Credit cards are a proven financial lubricant, and they consider reductions in usage levels much worse than fraud. But under the shadow of never-ending breaches I suspect we will now get ‘chipped’ cards without PINs. At least for a while. – AL

  4. DDoS goes to 11: We have been hearing a bit less about Distributed Denial of Service attacks (DDoS) recently. Not because they aren’t happening, but many targets are getting better at defending against them and keeping their systems available. But the adversaries are evolving their tactics as well using amplification techniques. So as the fellows from Spinal Tap would say, “This attack goes to 11!” The OpenDNS Lab folks describe DNS amplification attacks in a blog post, with a good overview of the techniques. And they are in a good position to know what’s going on with DNS. Timing is everything, right? I am starting a network DDoS blog series so I will be covering a lot of these topics as well. Keep an eye out for that. – MR

  5. So bad it’s good: Despite the poorly written post, unfiltered vendor hype, and the even-more-horrific term “data lake”, there is something very cool going on with XACML based permissions for big data queries. The real story is the ability to retrofit fine-grained authorization mapping into big data queries. This means that you can implement attribute based authorization – not just typical role-based access controls – without modifying the application! Control down to the data element level is possible, but implemented as a proxy between the application and the database. Note that this does not protect data at rest and assumes that you route queries through a proxy, and you need to actually know what is in your big data repository. But regardless, it is a a viable approach to fine-grained authorization controls for big data clusters. For those identity geeks out there who were skeptical about the adoption of XACML, it just may sneak in through the back door. – AL

  6. Chasm jumping unicorns? Gene Kim has a great post on DevOps.com asking whether DevOps can cross the chasm to mainstream enterprises (disclosure: I’m on the DevOps.com advisory board). Gene, you may recall, wrote The Phoenix Project about the power of DevOps. I’ll be honest: I am biased. But I do believe DevOps operational frameworks can increase agility, resiliency, and security – all at the same time. Gene cites actual statistics, such as twice the change success rate when using DevOps, and 12x faster restorations after breaks (all from a Puppet Labs survey, so beware possible bias). DevOps isn’t the answer for everything, and it comes with its own risks, but once you start learning the patterns it makes a ton of sense. The ability to do things like build an entire application stack automatically and as needed, using templates with embedded security configurations, sure seem like a nifty way to build and fix things. – RM

  7. Understanding the different levels of malware analysis: With more advanced malware out there, many organizations have started dipping their toes into malware analysis to figure out what attacks do. Lenny Zeltser has a good overview of 4 different types of analysis in this post: discussing fully automated analysis, static analysis, interactive (dynamic) analysis, and finally full code reversing. Many of the cloud services out there doing malware analysis do at least the first three, and manage a decent job at this point. Of course you can’t (yet) completely displace a human analyst, so there will be room for carbon-based analysis for a quite a while, to understand the nuances and patterns across attacks. But it is very difficult to find folks who can do reverse code, so automated services may be the only option for many companies. For more detail on what’s involved in malware analysis, check out our Malware Analysis Quant research. – MR

–Mike Rothman

Tuesday, March 18, 2014

Webinar Tomorrow: What Security Pros Need to Know About Cloud

By Rich

Hey everyone,

I mentioned it on Twitter but also wanted to post it here. Tomorrow I will be giving a webinar on What Security Pros Need to Know About Cloud, based on the white paper I recently released.

CloudPassage is sponsoring the webinar, but, as always, the content is our objective view.

You can register online, and we hope to see you there…

–Rich

Monday, March 17, 2014

Defending Against Network Distributed Denial of Service Attacks [New Series]

By Mike Rothman

Back in 2013, volumetric denial of service (DoS) attacks targeting networks were all the rage. Alleged hacktivists effectively used the tactic first against Fortune-class banks, largely knocking down major banking brands for days at a time. But these big companies adapted quickly and got proficient at defending themselves, so attackers then bifurcated their attacks. On one hand they went after softer targets like public entities (the UN, et al) and smaller financial institutions. They also used new tactics to take on content delivery networks like CloudFlare with multi-hundred-gigabyte attacks, just because they could.

In our Defending Against Denial of Service Attacks research we described network-based DoS attacks:

Network-based attacks overwhelm the network equipment and/or totally consume network capacity by throwing everything including the kitchen sink at a site – this interferes with legitimate traffic reaching the site. This volumetric type of attack is what most folks consider Denial of Service, and it realistically requires blasting away from many devices, so current attacks are called Distributed Denial of Service (DDoS). If your adversary has enough firepower it is very hard to defend against these attacks, and you will quickly be reminded that though bandwidth may be plentiful, it certainly isn’t free.

Application-based attacks are different – they target weaknesses in web application components to consume all the resources of a web, application, or database server to effectively disable it. These attacks can target either vulnerabilities or ‘features’ of an application stack to overwhelm servers and prevent legitimate traffic from accessing web pages or completing transactions.

The motivation for these attacks hasn’t changed much. Attackers tend to be either organized crime factions stealing money via ransom attacks, or hacktivists trying to make a point. We do see a bit of competitor malfeasance and Distributed DoS (DDoS) to hide exfiltration activities, but those don’t seem to be primary use cases any more.

Regardless of motivation, attackers now have faster networks, bigger botnets, and increasingly effective tactics to magnify the impact of DDoS attacks, forcing most organizations to devote attention to implementing plans to mitigate these attack. After digging deeper into the application side of denial of service in Defending Against Application Denial of Service Attacks, we now turn our attention to the network side of the house.

We are pleased to start this new series, entitled Defending Against Network Distributed Denial of Service Attacks. As with all our public research, we will build the series using our Totally Transparent Research model. Before we get going we would like to thank A10 Networks, as they have agreed to potentially license this research at the end of the project.

It’s Getting Easier

If anything, it is getting easier to launch large-scale network-based DDoS attacks. There are a few main reasons:

  • Bot availability: It’s not like fewer devices are being compromised. Fairly sophisticated malware kits are available to make it even easier to compromise devices. As a result there seem to be millions of (predominately consumer) devices compromised daily, adding to the armies which can be brought to bear in DoS attacks.
  • Faster consumer Internet: With a bandwidth renaissance happening around the world, network speeds into homes and small offices continue to climb. This enables consumer bots to blast targets with growing bandwidth, and this trend will continue as networks get faster.
  • Cloud servers: It is uncommon to see 50mbps sustained coming from a consumer device. But that is quite possible at the server level. Combine this with the fact that cloud servers (and management consoles) are Internet-facing, and attackers can now use compromised cloud servers to blast DDoS targets as well. This kind of activity is harder to detect because these servers should be pumping out more traffic.
  • Magnification: Finally, attackers are getting better at magnifying the impact of their attacks, manipulating protocols like DNS and ICMP which can provide order-of-magnitude magnification of traffic hitting the target site. This makes far better use of attacker resources, allowing them to use each bot sporadically and with more lightly (in terms of bandwidth) to better hide from detection.

Limitations of Current Defenses

Before we dive into specifics of how these attacks work we need to remind everyone why existing network and security devices aren’t particularly well-suited to DDoS attacks. It’s not due to core throughput – we see service provider network firewalls processing upwards of 500gbps of traffic, and they are getting faster rapidly. But the devices aren’t architected to deal with floods of legitimate traffic from thousands of devices. Even with NGFW capabilities providing visibility into web and other application traffic; dealing with millions of active connection requests can exhaust link, session, and application handling capacity on security devices, regardless of their maximum possible throughput.

IPS devices are in the same boat, except that their job is harder because they are actively looking for attacks and profiling activity to find malicious patterns. So they are far more compute-intensive, and have an even harder time keeping pace with DDoS bandwidth. In fact many attackers target firewalls and IPS devices with DDoS attacks, knowing the devices typically fail closed, rendering the target network inoperable.

You should certainly look to service providers to help deal with attacks, first by over-provisioning your networks. This is a common tactic for networking folks: throw more bandwidth at the problem. Unfortunately you probably can’t compete with a botmaster leveraging the aggregate bandwidth of all their compromised hosts. And it gets expensive to provision enough unused bandwidth to deal with a DDoS spike in traffic.

You can also look at CDNs (Content Delivery Networks) and/or DoS scrubbing service. Unfortunately CDN offerings may not offer full coverage of your entire network and are increasingly DDoS targets themselves. Scrubbing centers can be expensive, and still involve downtime as you shift traffic routes to the scrubbing center. Finally, any scrubbing approach is inherently reactive – you are likely to already be down by the time you learn you have a problem.

Further complicating things is the fundamental challenge of simply detecting the onset of a DDoS attack. How can you tell the difference between a temporary spike in traffic and a full-on blitzkrieg on your networks? It is hard to know exactly, and some anomaly-based approaches are challenged to strike a good balance between pulling the alarm (and shifting traffic to the scrubbing center) vs. waiting too long, resulting in significant downtime. Even if you have devices in place to deal with DDoS traffic, you can still be taken down if you don’t time things correctly.

So what to do? You need a multi-pronged approach to adequately protect networks against DDoS attacks. This series will delve into types of attacks and how they are changing. We will also help you understand how attackers are increasing the efficiency of their tactics to blast targets with unprecedented traffic levels. Finally we will talk about specific tactics for defending yourself.

–Mike Rothman

Reminder: We all live in glass houses

By Mike Rothman

Forrester’s Rick Holland makes a great point in the epic Target Breach: Vendors, You’re Not Wrestlers, And This Isn’t The WWE post. Epic mostly because he figured out how to work the WWE and a picture of The Rock into a security blog post.

Rick’s irritation with competitors trying to get a leg up on FireEye based on their presence in Target’s network is right on the money.

Vendors who live in glass houses shouldn’t throw stones. It didn’t take long; I’ve already started hearing FireEye competitors speaking out against their competitor’s role in the Target breach. As I mentioned above, this wasn’t a technology failure: FireEye detected the malware. This was a people/process/oversight failure.

Looks like the threat model forgot about rocks...

We all live in glass houses and karma is a bitch. But more to the point, if you think I take as fact anything written about a security attack in the mainstream business press, you’re nuts. If Krebs writes something I believe it because he knows what he’s doing. Not that no other reporters have enough technical credibility to get it right, there are. But without the full and complete picture of an attack, trying to assign blame is silly. Clearly in Target’s case there were many opportunities to detect the malware and perhaps stop the breach. They didn’t, and they are suffering now. Their glass house is shattered.

But this could happen to any organization at any time. And to think otherwise is idiotic. So think twice before thinking that would never happen to you. Never is a long time.

Photo credit: “Going into the Glass House” originally uploaded by Melody Joy Kramer

–Mike Rothman

Sunday, March 16, 2014

New Paper: Reducing Attack Surface with Application Control

By Mike Rothman

Attacks keep happening. Breaches keep happening. Senior management keeps wondering what the security team is doing.

The lack of demonstrable progress [in stopping malware] comes down to two intertwined causes. First, devices are built using software that has defects attackers can exploit. Nothing is perfect, especially not software, so every line of code presents an attack surface. Second, employees can be fooled into taking action (such as installing software or clicking a link) that enables attacks to succeed.

Application Control technology can have a significant impact on the security posture of protected devices, but has long been much maligned. There was no doubt of its value in stopping attacks, especially those using sophisticated malware. Being able to block the execution of unauthorized executables takes many common attacks out of play. But there is a user experience cost for that protection.

Reducing Attack Surface with Application Control

In Reducing Attack Surface with Application Control, we look at the double-edged sword of application control, detail a number of use cases where it fits well, and define selection criteria to consider for the technology.

Keep in mind that no one control or tactic fits every scenario. Not for every company, nor for every device within a company. If you are looking for a panacea you are in the wrong business. If you are looking for a technology that can lock down devices in appropriate circumstances, check out this paper.

Conclusion: Application control can be useful – particularly for stopping advanced attackers and securing unsupported operating systems. There are trade-offs as with any security control, but with proper planning and selection of which use cases to address, application control resists device compromise and protects enterprise data.

We would like to thank AppSense for licensing the paper and supporting our research. We make this point frequently, but without security companies understanding and getting behind our Totally Transparent Research model you wouldn’t be able to enjoy our research.

Get the paper via our permanent landing page or download the paper directly (PDF).

–Mike Rothman

Thursday, March 13, 2014

Summary: DevOps Trippin’

By Rich

Rich here,

As technology professionals we always place bets with our careers. There is no way to really know, for certain, which sets of skills will be most in demand down the road. Yet, as with financial investments, we only have so many resources (time and brain cells) to allocate at any given time. Invest too much too early and your nifty new skills won’t be in demand. Too late and you miss the best opportunities, and are stuck playing catch-up if that’s even possible.

Sometimes we make deliberate decisions, and sometimes we just sort of luck out.

This week I am excited to announce my involvement as an Advisory Board member of DevOps.com. It’s something I basically fell into when I mentioned to Alan Shimmel, who founded it, that I was spending a ton of research time on DevOps and security.

I never really intended to revert to my roots and start writing code and managing systems again – never mind realizing I was hooked into what may be one of the most important operational framework changes to hit IT in a long time. For me it was a series of chained intellectual and professional challenges that self-organized into a logical progression. I would love to say I planned it, but really I mostly tripped into it.

It all started when Jim Reavis of the Cloud Security Alliance asked if I would be interested in building a training class for the CCSK exam. I said sure, but only if we could build some hands-on labs so security pros would learn how the cloud really works, and weren’t merely looking at architectural diagrams.

I had launched some things in Amazon before, but I had never needed to create packaged, reproducible environments (the labs). Never mind ones that could hide complexity from students while still allowing them to create complete application stacks almost completely automatically. At the time I was solving problems to make labs and teach a few cloud security essentials. In the process, I was learning the foundation of techniques that underlie many DevOps processes.

Total. Blind. Luck. This was before DevOps was a hot term – I just worked from problem to problem to meet my own needs.

Then I refined the labs. Then I decided to create some proof of concept demonstrations of Software Defined Security techniques. Solving, in the process, some core DevOps problems that weren’t well documented anywhere. I wasn’t the first to hit the problem or come up with a solution, but no one else seemed to write it down, so I had to work my way through it from scratch.

Then I started hearing more about DevOps. And as I dug in, I realized I was solving many of the same problems with many of the same tools.

This is why I think DevOps is so important. I didn’t set out to “learn DevOps” – I set out to solve a set of practical implementation problems I was experiencing in the cloud, and in the process found myself smack in the middle of the DevOps ‘movement’ (whatever that is). Anyone who wants to operate in that environment needs the same basic skills, and any organizations deploying applications into the cloud will find themselves using the same techniques, to one degree or another.

It is early days still, but I am not doubling down on cloud and DevOps because I think they are overhyped analyst fads. Spend some time in the trenches and you will realize there really isn’t any other way to get the job done, once you start down a certain road.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

  • Mike Rothman: The cost of doing business at the RSA Conference. Big money. Big money. No whammies. Check out these numbers and maybe you will understand why some companies opt for a suite at the W to do meetings.
  • Adrian Lane: To Wash It All Away. And epic rant that includes such gems as “For the uninitiated, Cascading Style Sheets are a cryptic language developed by the Freemasons to obscure the visual nature of reality and encourage people to depict things using ASCII art.” and “Here’s a life tip: when you’re confused about what something is, DON’T EXECUTE IT TO DISCOVER MORE CLUES!”
  • Rich: Does devops leave security out in the cold? I will be writing more on this in coming days, but I think it’s safe to say this article misses the target. I guarantee you security can effectively integrate with DevOps, but not using some of the techniques mentioned in this article. Security has to fully integrate into the process.
  • Gunnar Peterson: Ultimate Cheat Sheet for Dealing with Haters.

Research Reports and Presentations

Top News and Posts

–Rich

Wednesday, March 12, 2014

Incite 3/12/2014: Digging Out

By Mike Rothman

The ritual is largely the same. I do my morning stuff (usually consisting of some meditation and some exercise), I grab a quick bite, and then I consult my list of things that need to get done. It is long, and seems to be getting longer. The more I work, the more I have to do. It’s a good problem to have, but it’s still a problem.

And going to RSA two weeks ago exacerbated it. I had a lot of great conversations with lots of folks who want to license our research, have us speak at their events, and have us advise them on all sorts of things. It’s awesome, but it’s still a problem.

Just keep digging

Of course you probably think we should expand and add a bunch of folks to keep up with demand. We have thought about that. And decided against it. It takes a unique skill set to do what we do, the way we do it. The folks who understand research tend to be locked up by big research non-competes. The folks who understand how to develop business tend not to understand research. And the very few who can do both generally aren’t a cultural fit for us. Such is life…

But that’s not even the biggest obstacle. It’s that after 4+ years of working together (Rich and Adrian a bit more), we enjoy a drama-free environment. The very few times we had some measure of disagreement or conflict, it was resolved with a quick email or phone call, in a few minutes. Adding people adds drama. And I’m sure none of us wants more drama.

So we put our heads down and go to work. We build the pipeline, push the work over the finish line, and try to keep pace. We accept that sometimes we need to decide not to take a project or see how flexible the client is on delivery or scheduling. As with everything, you make choices and live with them.

And while it may sound like I’m whining about how great our business is, I’m not. I am grateful to have to make trade-offs. That I have a choice of which projects I work on, for which clients. Not that I can’t find work or deal with slow demand. The three of us all realize how fortunate we are to be in this position: lots of demand and very low overhead. That is not a problem. We want to keep it that way. Which is basically my way of saying, where is that shovel again? Time to get back to digging.

–Mike

Photo credit: “Digging out auto” originally uploaded by Boston Public Library


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and well hang out. We talk a bit about security as well. We try to keep these to less than 15 minutes and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Incentives drive organizational behavior: I am not sure why Gunnar tweeted a link to something he posted back in October, but it gave me an opportunity to revisit a totally awesome post. In Security Engineering and Incentives he goes through the key aspects of security engineering, and incentives are one of the four cornerstones (along with security policy, security mechanism, and assurance). Probably the most important of the cornerstones, because without proper incentives no one does anything. If you have ever been in sales you know the compensation plan drives behavior. It is that way in every functional part of the business. In the not-so-real world you have folks who do what they are supposed to because they do. And in the real world, those behaviors are driven by incentives, not risk (as GP points out). So when you wonder why the Ops team ignores the security policy and developers couldn’t give less of a crap about your security rules, look at what they are incented to do. Odds are be secure isn’t really on that list. – MR

  2. Persona non grata: The Mozilla Wiki does not really capture the essence of what’s going on with Mozilla’s Persona project, but the gist is that their effort to offer third party identity federation has failed. There is some debate about whether technical or financial derailed the project and prevented it from reaching “critical mass”, but I think the statement “We looked at Facebook Connect as our main competitor, but we can’t offer the same incentives (access to user data)” pretty much nails it. If you wonder why Yahoo is ditching Facebook and Google federation services in lieu of their own offering, understand that identity is the next generation’s “owning the user”, and a key means for data providers (advertising networks) to differentiate their value to advertisers. The goal of federated identity was to offer easier and better identity management across web applications, doing away with user names and passwords. But identity providers have seen the greatest benefit, through enrichment of the data they collect. – AL

  3. Ranum and Turner on whitelisting: Searchsecurity posted a great discussion between Marcus Ranum and Aaron Turner on whitelisting. I have been a huge fan of the technology for years as well, and have been doing a bunch of research on what is now called application control. I will link to our completed AppControl white paper later this week. Aaron provides a bunch of real-world perspective on the challenges, which echo the way I described the Double-Edged Sword. Marcus keeps coming back to the reality that iOS and now OS X can be governed by whitelisting, which is basically the App Store model. So is it just fear that is still preventing folks from embracing this security model? Maybe, but I don’t know that fight is still worth fighting. For those use cases where AppControl is a no-brainer, just do that. For those where you have to think about it or face an onerous application management situation, look at something like advanced heuristics which can do a decent job of protecting a subset of the most targeted applications, as I described in the Prevention post in our Advanced Endpoint and Server Protection series. – MR

  4. You don’t need to see his identification: I like being able to look at the code changes on Github and similar sites – you get to see fixes for serious security bugs like the TLS security bug reported last week. If I read this correctly it was a simple uninitialized return variable. But what bothers me is how this could have gone undetected – the first thing you do when testing SSL/TLS is send bad or odd certificates to see if the user still connects. And uninitialized return variables should pop up in static analysis as well. Much in the same way the goto bug in OS X makes a security paranoid’s hair stand on end, it is hard to imagine how this bug – bypassing one of the three crucial checks – was not caught during normal testing or manual code scans. It also reminds me to put logging code into exception handlers, because executing a routine called ‘fail’ should not be confused with successful operation. – AL

  5. Turning the tables on the adversary: Dave Meltzer has a good line of discussion on TripWire’s blog about increasing the cost to attackers of compromising your devices. His point is that you should make it fiscally irresponsible to exploit you. Great idea, but how? One suggestion is to decentralize your most valuable assets. That makes sense but also increases your cost to manage that data. So you need to trade off increasing the cost to adversaries against screwing up your own financial models. Another suggestion is to force the adversary to burn a very valuable (expensive) 0-day attack. That requires making sure you can defend yourself against widely available tools like Metasploit and the zillion attack kits available on the gray market. It comes back to Corman’s magical HDMoore’s Law. If you can’t defend against Metasploit, you have very little chance to cost an adversary much of anything. So get working on that, okay? – MR

–Mike Rothman