Login  |  Register  |  Contact
Tuesday, May 25, 2010

Thoughts on Diversity and False Diversity

By Rich

Mike Bailey highlights a key problem with web applications in his post on diversity. Having dealt with these issues as a web developer (a long time ago), I want to add a little color.

We tend to talk about diversity as being good, usually with biological models and discussions of monoculture. I think Dan Geer was the first to call out the dangers of using only a single computing platform, since one exploit then has the capability of taking down your entire organization.

But the heterogeneous/homogenous tradeoffs aren’t so simple. Diversity reduces the risk of a catastrophic single point of failure by increasing the attack surface and potential points of failure.

Limited diversity is good for something like desktop operating systems. A little platform diversity can keep you running when something very bad hits the primary platform and takes those systems down. The trade off is that you now have multiple profiles to protect, with a great number of total potential vulnerabilities. For example, the Air Force standardized their Windows platforms to reduce patching costs and time.

What we need, on the OS side, is limited diversity. A few standard platform profiles that strike the balance between reducing the risk that a single problem will take us completely down, while maintaining manageability through standardization.

But back to Mike’s post and web applications…

With web applications what we mostly see is false diversity. The application itself is a monolithic entity, but use of multiple frameworks and components only increases the potential attack surface.

With desktop operating systems, diversity means a hole in one won’t take them all down. With web applications, use of multiple languages/frameworks and even platforms increases the number of potential vulnerabilities, since exploitation of any one of those components can generally take down/expose the entire application.

When I used to develop apps, like every web developer at the time, I would often use a hodgepodge of different languages, components, widgets, etc. Security wasn’t the same problem then it is now, but early on I learned that the more different things I used, the harder it was to maintain my app over time. So I tended towards standardization as much as possible. We’re doing the same thing with our sooper sekret project here at Securosis – sticking to as few base components as we can, which we will then secure as well as we can.

What Mike really brings to the table is the concept of how to create real diversity within web applications, as opposed to false diversity. Read his post, which includes things like centralized security services and application boundaries. Since with web applications we don’t control the presentation layer (the web browser, which is a ‘standard’ client designed to accept input from nearly anything out there), new and interesting boundary issues are introduced – like XSS and CSRF.

Adrian and I talk about this when we advise clients to separate out encryption from both the application and the database, or use tokenization. Those architectures increase diversity and boundaries, but that’s very different than using 8 languages and widgets to build your web app.


Monday, May 24, 2010

DB Quant: Discovery And Assessment Metrics (Part 1) Enumerate Databases

By Adrian Lane

Now that we’ve finished detailing the general planning metrics, it’s time to move on to measuring the costs associated with discovery and assessment. First on that list is enumeration of databases, which in layman’s terms means finding all the databases you need to secure. Unlike the Planning phase, the majority of these tasks are technical, so the work be performed IT and DBA groups. Larger organizations commonly rely upon tools to automate discovery and assessment, so we will include these as optional costs for the analysis.

As a reminder, the process we specified is as follows:

  1. Plan
  2. Setup
  3. Enumerate
  4. Document


Variable Notes
Time to define scope and requirements What databases/networks are in scope; what information to collect
Time to identify supporting tools to automate discovery
Time to identify business units & network staff Who owns the resources and provides information
Time to map domains and schedule scans


Variable Notes
Capital and time costs to acquire tools for discovery automation Optional
Time to contact business units & network staff
Time to configure discovery tool Optional
Time to contact database owners and obtain credentials and access As needed, depending on the tool and process selected


Variable Notes
Time to run active scan
Time to manually discover databases Optional, if automated tool not used. This could be a technical process, or manual contact with business units
Time to run scan/passive scan Automated port scan; network flow analysis
Time to contact business units ID databases discovered
Time to manually login, confirm scan, & filter results Optional
Time to repeat steps As needed


Variable Notes
Time to save scan results
Time to generate report(s)
Time to generate baseline of databases for future comparisons Cataloged by type, version, location, and ownership

Other Posts in Project Quant for Database Security

  1. An Open Metrics Model for Database Security: Project Quant for Databases
  2. Database Security: Process Framework
  3. Database Security: Planning
  4. Database Security: Planning, Part 2
  5. Database Security: Discover and Assess Databases, Apps, Data
  6. Database Security: Patch
  7. Database Security: Configure
  8. Database Security: Restrict Access
  9. Database Security: Shield
  10. Database Security: Database Activity Monitoring
  11. Database Security: Audit
  12. Database Security: Database Activity Blocking
  13. Database Security: Encryption
  14. Database Security: Data Masking
  15. Database Security: Web App Firewalls
  16. Database Security: Configuration Management
  17. Database Security: Patch Management
  18. Database Security: Change Management
  19. DB Quant: Planning Metrics, Part 1
  20. DB Quant: Planning Metrics, Part 2
  21. DB Quant: Planning Metrics, Part 3
  22. DB Quant: Planning Metrics, Part 4

—Adrian Lane

FireStarter: The Only Value/Loss Metric That Matters

By Rich

As some of you know, I’ve always been pretty critical of quantitative risk frameworks for information security, especially the Annualized Loss Expectancy (ALE) model taught in most of the infosec books. It isn’t that I think quantitative is bad, or that qualitative is always materially better, but I’m not a fan of funny math.

Let’s take ALE. The key to the model is that your annual predicted losses are the losses from a single event, times the annual rate of occurrence. This works well for some areas, such as shrinkage and laptop losses, but is worthless for most of information security. Why? Because we don’t have any way to measure the value of information assets.

Oh, sure, there are plenty of models out there that fake their way through this, but I’ve never seen one that is consistent, accurate, and measurable. The closest we get is Lindstrom’s Razor, which states that the value of an asset is at least as great as the cost of the defenses you place around it. (I consider that an implied or assumed value, which may bear no correlation to the real value).

I’m really only asking for one thing out of a valuation/loss model:

The losses predicted by a risk model before an incident should equal, within a reasonable tolerance, those experienced after an incident.

In other words, if you state that X asset has $Y value, when you experience a breach or incident involving X, you should experience $Y + (response costs) losses. I added, “within a reasonable tolerance” since I don’t think we need complete accuracy, but we should at least be in the ballpark. You’ll notice this also means we need a framework, process, and metrics to accurately measure losses after an incident.

If someone comes into my home and steals my TV, I know how much it costs to replace it. If they take a work of art, maybe there’s an insurance value or similar investment/replacement cost (likely based on what I paid for it). If they steal all my family photos? Priceless – since they are impossible to replace and I can’t put a dollar sign on their personal value. What if they come in and make a copy of my TV, but don’t steal it? Er… Umm… Ugh.

I don’t think this is an unreasonable position, but I have yet to see a risk framework with a value/loss model that meets this basic requirement for information assets.


Friday, May 21, 2010

The Secerno Technology

By Adrian Lane

I ran long on yesterday’s Oracle Buys Secerno, but it is worth diving into Secerno’s technology to understand why this is a good fit for Oracle. I get a lot of questions about Secerno product, from customers unclear how the technology works. Even other database activity monitoring vendors ask – some because they want to know what the product is really capable of, others who merely want to vent their frustration at me for calling Secerno unique. And make no mistake – Secerno is unique, despite competitor claims to the contrary.

Unlike every other vendor in the market, Secerno analyzes the SQL query construct. They profile valid queries, and accept only queries that have the right structure. This is not content monitoring, not traditional behavioral monitoring, not context monitoring, and not even attribute-based monitoring, but looking at the the query language itself.

Consider that any SQL query (e.g., SELECT, INSERT, UPDATE, CREATE, etc.) has dozens of different options, allowing hundreds of variations. You can build very complex logic, including embedding other queries and special characters. Consider an Oracle INSERT operation as an example. The (pseudo) code might look like:

INSERT INTO Table.Column

Or it might look like …

INSERT INTO User.Table.@db_Link ColumnA, ColumnC
VALUE 'XYZ', 'PDQ' | SELECT * FROM SomeSystemTable ...
WHERE 1=1;

We may think of INSERT as a simple statement, but there are variations which are not simple at all. Actually they get quite complex, and enable me to all sorts of stuff to confuse the query parser into performing operations on my behalf. There are ample opportunities for me to monkey with the WHERE clause, embed logic or reference other objects.

Secerno handles this by mapping every possible SQL query variation for the database platform it is protecting, but depending upon the application, only allows a small subset of known variations to be accepted. Everything else can be blocked. In the examples above, the first would be permitted while the latter blocked. Attackers commonly abuse query syntax to confuse the database query parser into doing something it is not supposed to do. The more obscure uses of the SQL query language are ripe targets for abuse. In essence you remove a lot of the possible attacks because you simply do not allow unacceptable query structures or variations. This is a different way to define acceptable use of the database.

Secerno calls this a “Database Firewall”, which helps the general IT audience quickly get the concept, but I call this technology query White Listing, as it is a bit more accurate. Pick the acceptable queries and their variations, and block everything else. And it can ‘learn’ by looking at what the application sends the database – and if my memory serves me, can even learn appropriate parameters as well. It’s less about context and content, and more about form. Other vendors offer blocking and advertise “Database Firewall” capabilities. Some sit in front of the database like Secerno does, and others reside on the database platform. The real difference is not whether or not they block, but in how they detect what to block.

As with any technology, there are limitations. If Secerno is used to block queries, it can create a performance bottleneck. Similarly to a network firewall, more rules means more checking. You can quickly build a very detailed rule set that creates a performance problem. You need to balance the number of rules with performance. And just like a firewall or WAF, if your application changes queries on a regular basis, your rule set will need to adapt to avoid breaking the application.

The real question is “Is this technology better?” The answer depends upon usage. For detection of insider misuse, data privacy violation, or hijacked accounts, either stateful inspection and behavioral monitoring will be a better choice. For databases that support a lot of ad hoc activity, content inspection is better. But for web applications, especially those that don’t add/change their database queries very often, this query analysis method is very effective for blocking injection attacks. Over and above the analysis capabilities, the handful of customers I have spoken with deployed the platform very quickly. And from the demos I have seen, the product’s interface is on par with the rest of the DAM providers.

Secerno is not revolutionary and does not offer extraordinary advantages over the competition. It is a good technology and a very good fit for Oracle, because it fills the gaps they in their security portfolio. Just keep in mind that each Database Activity Monitoring solution offers a different subset of available analysis techniques, deployment models, and supporting technologies – such as WAF, Assessment and Auditing. And each vendor provides a very different experience – in terms of user interface quality, ease of management, and deployment. DAM is a powerful tool for your arsenal, but you need to consider the whole picture – not just specific analysis techniques.

—Adrian Lane

The Laziest Phisher in the World

By Rich

I seriously got this last night and just had to share. It’s the digital equivalent of sending someone a letter that says, “Hello, this is a robber. Please put all your money in a self addressed stamped envelope and mail it to…”

Dear Valued Member,

Due to the congestion in all Webmail account and removal of all unused
Accounts,we would be shutting down all unused accounts, You will have to
confirm your E-mail by filling out your Login Info below after clicking
the reply botton, or your account will be suspended within 48 hours for
security reasons.

UserName: ..........................................
Date Of Birth: .....................................
Country Or Territory:...............................

After Following the instructions in the sheet,your account will not be
interrupted and will continue as normal.Thanks for your attention to this

We apologize for any inconvinience.

Webmaster Case number: 447045727401
Property: Account Security


Friday Summary: May 21, 2010

By Rich

For a while now I’ve been lamenting the decline in security blogging. In talking with other friends/associates, I learned I wasn’t the only one. So I finally got off my rear and put together a post in an effort to try kickstarting the community. I don’t know if the momentum will last, but it seems to have gotten a few people back on the wagon.

Alan Shimel reports he’s had about a dozen new people join the Security Blogger’s Network since my post (although in that post he only lists the first three, since it’s a couple days old). We’ve also had some old friends jump back into the fray, such as Andy the IT Guy, DanO, LoverVamp, and Martin.

One issue Alan and I talked about on the phone this week is that since Technorati dropped the feature, there’s no good source to see everyone who is linking to you. The old pingbacks system seems broken. If anyone knows of a good site/service, please let us know. Alan and I are also exploring getting something built to better interconnect the SBN. It’s hard to have a good blog war when you have to Tweet at your opponent so they know they’re under attack.

Another issue was highlighted by Ben Tomhave. A lot of people are burnt out, whether due to the economy, their day jobs, or general malaise and disenchantment with the industry. I can’t argue too much with his point, since he’s not the only semi-depressed person in our profession. But depression is a snowballing disorder, and maybe if we can bring back some energy people will get motivated again.

Anyway, I’m psyched to see the community gearing back up. I won’t take it for granted, and who knows if it will last, but I for one really hope we can set the clock back and party like it’s 2007.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Pablo, in response to How to Survey Data Security Outcomes?

In terms of control effectiveness, I would suggest to incorporate another section aside from ‘number of incidents’ where you question around unknowns and things they sense are all over the place but have not way of knowing/controlling.

I’ll break out my comment in two parts: 1 – “philosophical remarks” and 2 – suggestions on how to implement that in your survey

1 – “philosophical remarks”

If you think about it, effectiveness is the ability to illustrate/detect risks and prevent bad things from happening. So, in theory, we could think of it as a ratio of “bad things understood/detected” over “all existing bad things that are going on or could go on” (by ‘bad things’ I mean sensitive data being sent to wrong places/people, being left unprotected, etc. – with ‘wrong/bad’ being a highly subjective concept)

So in order to have a good measure of effectiveness we need both the ‘numerator’ (which ties to your question on ‘number of incidents’) and also a ‘denominator’

The ‘denominator’ could be hard to get at, because, again, things are highly subjective, and what constitutes ‘sensitive’ changes in the view of not only the security folks, but more importantly, the business. (BTW, I have a slight suggestion on your categories that I include at the bottom of this post)

However, I believe it is important that we get a sense of this ‘denominator’ or at least the perception of this ‘denominator’. My own personal opinion on this, by speaking to select CISOs is they feel things are ‘all over the place’ (i.e., the denominator is quite quite large).

2 – Suggestions on how to implement that in your survey

(We had to cut this quote for space, but they were great, practical suggestions – see the full comment at the original post).


Thursday, May 20, 2010

Quick Wins with DLP Webcast Next Week

By Rich

Next week I will be giving a webcast to complement my Quick Wins with Data Loss Prevention paper. This is a bit different than when I usually talk about DLP – it’s focused on showing immediate value, while also positioning for long term success.

Like the paper it’s sponsored by McAfee. We’re holding it at 11am PT on May 25, and you can register by clicking here.

Here’s the full description:

Quick Wins with DLP – How to Make DLP Work for You
Date: May 25, 2010
Time: 11am PDT / 2pm EDT

When used properly, Data Loss Prevention (DLP) provides rapid identification and assessment of data security issues not available with any other technology. However, when not optimized, two common criticisms of DLP are 1) its complexity and 2) the fear of false positives. Security professionals often worry that DLP is expensive and will fail to deliver the expected value.

A little knowledge and some planning go a long way towards a fast, simple, and effective deployment. By taking some straightforward best practice steps, you can realize significant immediate value and security gains without negatively impacting your productivity or wasting valuable resources.

In this webcast you will learn how to:

  • Establish a flexible incident management process
  • Integrate with major infrastructure components
  • Assess broad information usage
  • Set a foundation for future focused efforts and policy tuning

You will also hear how Continuum Health Partners safeguards highly sensitive patient data with McAfee DLP 9. Join us for this informative presentation.


  • Rich Mogull, Analyst & CEO, Securosis, LLC
  • Mark Moroses, Assistant CIO, Continuum Health Partners
  • John Dasher, Senior Director, Data Protection, McAfee


Privacy Is (Still) Personal

By Rich

I want to respond to something Adam wrote about Facebook over at Emergent Chaos, but first I’m going to excerpt my own article from TidBITS:

Privacy is Personal – In the Information Age, determining what you want others to know about you isn’t always a simple decision. Aside from the potential tradeoffs of avoiding particular features or services, we all have different thresholds for what we are comfortable sharing. It’s also extremely difficult to control our information even when we do make informed decisions, and often impossible to eradicate information that escaped our control before we realized the rules of the game had changed.

For example, I use both Amazon and Netflix, even though those services also collect personal information like my buying and viewing habits. I am trading my data (and money) for a combination of convenience and personalization. I’m less concerned with these services than Facebook since their privacy practices and policies are clearer, my information is compartmentalized within each service, and they have much more consistent and stable records.

On the other hand I have minimized my usage of Google services due to privacy concerns. Google’s reach is incredibly expansive, and despite their addition of Google Dashboard to help show some of what they record, and much clearer policies than Facebook, I’m generally uncomfortable with any single company or government having that much potential information on me. I fully understand this is a somewhat emotional response.

Facebook is building a similar Internet-wide ecosystem as they expand connections to external Web sites and services. In exchange for allowing them access to your information and activities, Facebook enables new kinds of services and personalization. The question each of us must answer is if those new services and personalization options are worth the privacy tradeoff.

Deciding where to draw your own privacy lines is a very personal, complex, and even sometimes arbitrary decision. I trust Amazon and Netflix to a certain extent based on their privacy policies, even though they sometimes make mistakes (I didn’t use Amazon for years after a policy change that they later reversed). Yet I’ve limited my usage of both Google and Facebook due to general concerns (Google) or outright distrust (Facebook).

Facebook, to me, is a tool to keep me connected to friends and family I don’t interact with on a daily basis. I restrict what information it has on me, and always assume anything I do on Facebook could be public. I’m willing to trade a little privacy for the convenience of being able to stay connected with an expanded social circle. I manage Facebook privacy by not using it for anything that’s actually private.

Adam has a lot in his article, and I think his criticisms of my original post come down to:

  1. Your perceptions of your own privacy change within different contexts and over time, so what you are okay with today may not be acceptable tomorrow.
  2. If you only use the service to post things you’d want public anyway, why use it at all?

I completely agree with Adam’s first point – what you share when you are 19 years old at college is very different than what you might want people to know about you once you are 35. Even things you might share at 35 as a member of the workforce might come back to haunt you when you are 55 and running for political office.

But I disagree that this means your only option is to completely opt out of all centralized social media services. I believe we as society are reaching the point where some degree of social networking is the norm. Even “private” communications like email, IM, and SMS are open to potential disclosure and subsequent inclusion in public search results. The same used to be true of the written and spoken word, but clearly the scale and scope are dramatically larger in the Information Age. We are losing the insular layers that created our current social norms of privacy – which already vary around the world.

The last time society needed to adapt to such changes in privacy was with the Industrial Age and movement from rural to urban society. Before that, it was probably the change from hunter/gatherers to an agrarian society.

I see three possible scenarios that could develop:

  1. Society adopts a combination of laws and social mores to better protect privacy. It will be expected that you own your own data, and in the future retain a right to edit your past. Essentially, we work to protect our current expectations of privacy – which will require active effort, as the terrain has already shifted under us, and will continue to do so.
  2. Social expectations change. You’ll be able to run for political office and no one will care that you called some chick or dude hot and joined the “I love some stupid emo vampire” movement. We gain better abilities to protect our privacy, but at the same time society becomes more accepting of greater personal information being public – partially through sheer boredom at the inanity and popularity of our embarrassing peccadilloes.
  3. There is no privacy.

We have many years before these issues resolve, if ever, and it’s going to be a rough road no matter where we are headed. The end result probably won’t match any of my scenarios, but will instead be some mish-mash of those options and others I haven’t thought of. My rough guess is that society will slowly become more accepting of youthful indiscretions (or we won’t have anyone to hire or elect), but we will also gain more control over our personal information.

Privacy isn’t dead, but it is definitely changing. We all need to make personal decisions about the level of risk we are willing to accept in the midst of changing social norms, government/business influence, and degrees of control.


Australian Border Security Insanity

By Rich

Australia is my second-favorite place on the planet to visit (New Zealand is first). But it’s a darn good thing I’m not a porn fiend, since they now require you to declare porn at the border, and, well, here’s a quote:

Australian customs officers have been given new powers to search incoming travellers’ laptops and mobile phones for pornography, a spokeswoman for the Australian sex industry says. … Fiona Patten, president of the Australian Sex Party, is demanding an inquiry into why a new question appears on Incoming Passenger Cards asking people if they are carrying “pornography”.

They are also working on a big Internet filter. You know, kind of like China and many Middle East countries. Gotta love democracy.

(Thanks to Slashdot for the pointer).


Oracle Buys Secerno

By Adrian Lane

This morning Oracle announced that it has entered into an agreement to acquire Secerno, the UK-based Database Activity Monitoring firm. Oracle posted a FAQ on the acquisition with some generic data points. Terms of the deal have not been disclosed and, knowing Oracle, won’t be.

Many of us in the security industry are chuckling at this purchase as Oracle – at least to customers – has been disparaging Database Activity Monitoring technologies as a whole and pushing Audit Vault as an equivalent solution. But when your database is Unbreakable™, maybe you don’t need a database firewall, eh? Seriously, DAM has been a hole in their security offerings for years, and after much blustering to the contrary, they have finally plugged the hole. And from the synergies of the platforms, I’d say they did a pretty good job of it.

Key Points about the Acquisition

Here are the most important top-level points:

  1. The deal is clearly about the security alerting and blocking features of Secerno. Oracle calls it a “Database Firewall”, and never says Database Activity Monitoring. Oracle sees Audit Vault as their DAM equivalent, and has heavily disparaged that market and the techniques used by DAM vendors.
  2. Customers really struggle with Oracle patching, which makes it very difficult to keep systems compliant and secure. Positioning Secerno as a stopgap to protect the database from particular exploits so you have time to patch is reasonable and appropriate.
  3. It’s also a good straight up security play. Secerno was always stronger on security than activity monitoring for compliance, which makes it more complementary to the existing Oracle product line and security messaging.
  4. Oracle may include this in Oracle Advanced Security, or keep it standalone. We’ll have to see, but based on the current physical architecture I’d bet on stand-alone for at least a few years.
  5. In terms of messaging, expect Audit Vault to remain the focus for building those audit trails, with Secerno positioned for real-time alerting and blocking.
  6. Expect to see Oracle market “Database Firewall” with “Zero False Positives”, but those claims overlook the real world difficulties in building and maintaining query rules.

Let’s delve deeper into the specifics.

What the Acquisition Does for Oracle

  1. Fills big technology gaps: Secerno provides Oracle a lot of security technology they did not have. Secerno includes real-time analysis not available from current Oracle products, which is a growing requirement – especially for customer-facing web applications. It also gives Oracle a security tool that offers genuine heterogenous database support for Oracle, Microsoft, and Sybase (IBM support is in beta). Oracle hates to admit it, but nearly all of their enterprise clients have several different databases in use, and customers want a common platform for security or compliance when possible. Secerno provides blocking capabilities – importantly before queries reach the database – to reduce DB load and risk. Secerno has a much better UI than Oracle Audit Vault, and hopefully Oracle will continue to use it rather than standardize on their own weaker UI.
  2. Prevention: Privately we have been calling Secerno a Query White Listing technology, as we think that better encompasses what they provide. “Database Firewall” is one of those throw-away marketing terms used by several DAM vendors, but fails to differentiate what Secerno provides. Yes, Secerno will block queries, and will do so before they get to the database, reducing processing and filtering load on the database engine. I’ll get into technology details later in this post, but Oracle now has a viable way to block many unwanted queries.
  3. Web Applications: Like it or not, web applications are a huge part of the Oracle database business, and auditing is totally inappropriate for securing web applications from things like SQL injection. This helps address Oracle’s repeated issues with patching and playing catch-up with vulnerabilities, finally helping prevent some attacks without totally disrupting business operations for database updates that applications don’t support.
  4. Circumvents a perception problem: Oracle Audit still has a serious perception problem, and correctly or not is considered a performance and operations burden. On paper, Oracle’s native audit trail can provide many of the same functions as other DAM and Auditing tools, but in practice Oracle Audi pales in the light of the competition – or even Audit Vault. This helps escape serious a perception problem for compliance and security adoption.

What This Means to the DAM Market

  1. Validation: Let’s face it – when Oracle and IBM both make investments into Database Activity Monitoring, we are past wondering when DAM will be considered viable technology. Even though Oracle isn’t positioning this as DAM, Secerno did, and this serves as high-profile validation of the market.
  2. Business to be won: There were many unhappy IPLocks customers who Fortinet was unable to bring into the fold with their upgraded offerings. Some of Guardium’s business has been at risk for a while, and some of their resellers started looking for other relationships after the IBM purchase. Oracle’s customers have looked at – and in many cases purchased – other security products to close the gaps. Imperva still needs to do a better job of converting WAF customers to DB Security customers, and Application Security still needs to do a better job at holding onto the customers they already have. All this shows that the leader of this segment has yet to be determined, and there is a lot of potential business.
  3. One less vendor: Tizor went to Netezza. IPLocks went to Fortinet. Guardium went to IBM. Now Secerno to Oracle. That leaves Application Security and Imperva as the major database security providers out there, with Sentrigo the best of the smaller niche players in the market. EMC needs this technology next, perhaps followed by Symantec or McAfee, but the price of entry just increased.
  4. Investors: Secerno’s investors, Amadeus Capital Parners, must be happy. They did a logical reset and re-investment back in early 2008, a decision that was clearly the right one. They also had considerably less initial investment than the competitors in this space. While we do not know the actual purchase price, we are certain it will be lower than Guardium’s price, as Secerno’s revenues were lower.

What This Means to Users

  1. We all know what happens when a big company gobbles up a little one, and there should be no surprises here, because we’ve seen plenty of Oracle acquisitions.
  2. We believe Secerno will get additional R&D resources, and product integration isn’t a big issue due to how it’s designed in the first place. Secerno can run stand-alone for the foreseeable future.
  3. On the other hand, don’t be surprised if pricing and support contracts eventually increase.
  4. For existing Oracle customers, there may be an opportunity to get a price drop with initial bundling. You never know for sure, and this will skew toward bigger customers with more sway.

All in all this is a very good technology fit, and we think it will be a good business fit. We don’t say that just because it puts this product in front of Oracle’s sales force and channel partnerships. We know many of their customers went to Oracle first, looking for a compliance and security solution, and walked away dissatisfied. Oracle only needed to see Secerno eating its lunch so many times before doing something about it.

-Rich and Adrian

—Adrian Lane

Lessons from LifeLock’s Lucky 13

By Mike Rothman

Much of the buzz around the security industry this week revolved around Wired’s story about LifeLock’s CEO getting his identity stolen not once (which we knew about), but an additional 12 times. Guess 13 is not Todd Davis’ lucky number.

Obviously the media blitz posting this guy’s Social Security number on buses, TV, and other mass media made this guy target #1. And the reality is no identity protection network is going to be foolproof for a pretty simple reason. The companies issuing credit don’t always check for fraud alerts, so a fraud alert may not be triggered when a new account is opened. Even if you are religiously monitoring your credit, you are blind until the fraudulent account shows up where you can see it.

But what’s troubling to me is the guy didn’t know about the issues until a collection agency came after him. I’m concerned for several reasons, and the blame can be directed everywhere. First to LifeLock, how do you not see 12 new accounts? Hard to believe that none of the accounts showed up on Davis’ credit history. If not, what is the point of their identity protection service again?

Also note that none of the 13 transactions were for big numbers. A couple hundred here, a couple hundred there. That’s been my personal experience as well. The fraudsters don’t try to milk personal accounts of thousands at a time because that will set off alarms. They don’t want to be discovered until they are long gone.

More disturbing is how the merchants handle most of these situations. In the crazy search for growth at any cost, they cut corners. It’s as simple as that. They don’t check credit ahead of time (or they would have seen the fraud lock). They don’t report new credit accounts to the bureaus (which would have triggered a credit monitoring alert). And they don’t verify addresses when sending bills (which would have shown an inconsistency on the original application). Amazingly enough, a collection agent finds the guy within a hour, but the companies can’t do that over a year.

I guess I shouldn’t be surprised, since these big companies just build a ‘shrinkage’ number into their models. They figure a certain percentage of their customers will not pay, either for legitimate or fraudulent reasons. And I guess that’s cheaper than setting up the right processes to prevent a portion of that fraud. Ultimately it’s just economics, but it’s still very disturbing.

Buyt if I allowed myself to get into a funk every time a big company did something stupid and harmful, I’d be even grumpier than I already am. So I need to let that go. Though there are things we can and should do to minimize the damage of identity theft.

  • (Try to) Prevent it: OK, you can’t really prevent it. But you can act proactively to minimize your attack surface. That means setting up your own fraud alerts (since the credit bureaus and their lobbyists succeeded in killing the ability for a service to do this for you) and use a credit monitoring service (I use Debix, but there are lots out there).
  • Accept it: Understand that it will happen and there is likely nothing you can do. Getting upset won’t help. You need to be focused and contain the damage.
  • Contain it: As we always say, you need an incident response plan for your business in the event of a breach, but you need a personal incident response plan as well. Who do you call? What steps do you take? Those should be documented and in a place you can get to quickly. You need to act fast, and having a documented process reduces emotion and lets you make the decisions when you’re clear-headed and not rushing.
  • Confirm it: The credit bureaus are a hassle to deal with, but you have to stay on top of them to make sure your credit rating is properly cleaned. The three you need to worry about are Experian, Equifax, and TransUnion. That means checking your credit rating on an ongoing basis and keeping all documentation on the fraudulent use of your accounts.

Finally, don’t post personal information on the side of a bus. We know how that turns out.

—Mike Rothman

Wednesday, May 19, 2010

DB Quant: Planning Metrics (Part 4)

By Adrian Lane

This phase is for those of you using data classification and data labels. The Planning for Classification phase is where we determine our data classification scheme, map it to labels, and map those to access groups. If you have an existing classification scheme we’ll just map to that.

As a reminder, the process we originally specified was:

  1. Identify Requirements
  2. Specify Data Security
  3. Select Access Method
  4. Map to AAA
  5. Document

But as we talked it over we realized this was ambiguous and failed to capture the process. So we have simplified the process to:

  1. Determine Classification Scheme
  2. Map to Labels
  3. Map to Access Groups
  4. Document

Determine Classification

Variable Notes
Time to identify existing classification scheme
Time to adjust or develop scheme

Map to Labels

Variable Notes
Time to determine label techniques for DBMS platforms Labeling is implemented differently in the various database platforms. In some cases, implementation may need to be manual
Time to map labels to classification levels

Map to Access Groups

Variable Notes
Time to map groups to data labels Which groups from the AAA planning should be allowed access to data, by label


Variable Notes
Time to document standard
Time to distribute standard and educate team members

Many of you may manage this on a per-application/database level, but we need to include this phase for those of you who adopt an enterprise standard.

Other Posts in Project Quant for Database Security

  1. An Open Metrics Model for Database Security: Project Quant for Databases
  2. Database Security: Process Framework
  3. Database Security: Planning
  4. Database Security: Planning, Part 2
  5. Database Security: Discover and Assess Databases, Apps, Data
  6. Database Security: Patch
  7. Database Security: Configure
  8. Database Security: Restrict Access
  9. Database Security: Shield
  10. Database Security: Database Activity Monitoring
  11. Database Security: Audit
  12. Database Security: Database Activity Blocking
  13. Database Security: Encryption
  14. Database Security: Data Masking
  15. Database Security: Web App Firewalls
  16. Database Security: Configuration Management
  17. Database Security: Patch Management
  18. Database Security: Change Management
  19. DB Quant: Planning Metrics, Part 1
  20. DB Quant: Planning Metrics, Part 2
  21. DB Quant: Planning Metrics, Part 3

—Adrian Lane

How to Survey Data Security Outcomes?

By Rich

I received a ton of great responses to my initial post looking for survey input on what people want to see in a data security survey. The single biggest request is to research control effectiveness: which tools actually prevent incidents.

Surveys are hard to build, and while I have been involved with a bunch of them, I am definitely not about to call myself an expert. There are people who spend their entire careers building surveys. As I sit here trying to put the question set together, I’m struggling for the best approach to assess outcome effectiveness, and figure it’s time to tap the wisdom of the crowd.

To provide context, this is the direction I’m headed in the survey design. My goal is to have the core question set take about 10-15 minutes to answer, which limits what I can do a bit.

Section 1: Demographics

The basics, much of which will be anonymized when we release the raw data.

Section 2: Technology and process usage

I’ll build a multi-select grid to determine which technologies are being considered or used, and at what scale. I took a similar approach in the Project Quant for Patch Management survey, and it seemed to work well. I also want to capture a little of why someone implemented a technology or process. Rather than listing all the elements, here is the general structure:

  • Technology/Process
  • Not Considering
  • Researching
  • Evaluating
  • Budgeted
  • Selected
  • Internal Testing
  • Proof of Concept
  • Initial Deployment
  • Protecting Some Critical Assets
  • Protecting Most Critical Assets
  • Limited General Deployment
  • General Deployment

And to capture the primary driver behind the implementation:

  • Technology/Process
  • Directly Required for Compliance (but not an audit deficiency)
  • Compliance Driven (but not required)
  • To Address Audit Deficiency
  • In Response to a Breach/Incident
  • In Response to a Partner/Competitor Breach or Incident
  • Internally Motivated (to improve security)
  • Cost Savings
  • Partner/Contractual Requirement

I know I need to tune these better and add some descriptive text, but as you can see I’m trying to characterize not only what people have bought, but what they are actually using, as well as to what degree and why. Technology examples will include things like network DLP, Full Drive Encryption, Database Activity Monitoring, etc. Process examples will include network segregation, data classification, and content discovery (I will tweak the stages here, because ‘deployment’ isn’t the best term for a process).

Section 3: Control effectiveness

This is the tough one, where I need the most assistance and feedback (and I already appreciate those of you with whom I will be discussing this stuff directly). I’m inclined to structure this in a similar format, but instead of checkboxes use numerical input.

My concern with numerical entry is that I think a lot of people won’t have the numbers available. I can also use a multiselect with None, Some, or Many, but I really hate that level of fuzziness and hope we can avoid it. Or I can do a combination, with both numerical and ranges as options. We’ll also need a time scale: per day, week, month, or year.

Finally, one of the tougher areas is that we need to characterize the type of data, its sensitivity/importance, and the potential (or actual) severity of the incidents. This partially kills me, because there are fuzzy elements here I’m not entirely comfortable with, so I will try and constrain them as much as possible using definitions. I’ve been spinning some design options, and trying to capture all this information without taking a billion hours of each respondent’s time isn’t easy. I’m leaning towards breaking severity out into four separate meta-questions, and dropping the low end to focus only on “sensitive” information – which if lost could result in a breach disclosure or other material business harm.

  • Major incidents with Personally Identifiable Information or regulated data (PII, credit cards, healthcare data, Social Security Numbers). A major incident is one that could result in a breach notification, material financial harm, or high reputation damage. In other words something that would trigger an incident response process, and involve executive management.
  • Major incidents with Intellectual Property (IP). A major incident is one that could result in material financial harm due to loss of competitive advantage, public disclosure, contract violation, etc. Again, something that would trigger incident response, and involve executive management.
  • Minor incidents with PII/regulated data. A minor incident would not result in a disclosure, fines, or other serious harm. Something managed within IT, security, and the business unit without executive involvement.
  • Minor incidents with IP.

Within each of these categories, we will build our table question to assess the number of incidents and false positive/negative rates:

  • Technology
  • Incidents Detected
  • Incidents Blocked
  • Incidents Mitigated (incident occurred but loss mitigated)
  • Incidents Missed
  • False Positive Detected
  • Per Day
  • Per Month
  • Per Year
  • N/A

There are some other questions I want to work in, but these are the meat of the survey and I am far from convinced I have it structured well. Parts are fuzzier than I’d like, I don’t know how many organizations are mature enough to even address outcomes, and I have a nagging feeling I’m missing something important.

So I could really use your feedback. I’ll fully credit everyone who helps, and you will all get the raw data to perform your own analyses.


Symantec’s Identity Crisis

By Mike Rothman

After a year at the helm of Symantec, it seems Enrique Salem is taking a big page out of his predecessor’s playbook, basically buying everything that isn’t chained to the wall. The latest is a $1.28 billion deal to acquire VeriSign’s security business, which consists of the SSL and authentication arms.

The price seems fair, at about 4x revenue, so at least the Big Yellow is not overpaying, but so close on the heels of the encryption deals we really have to wonder about the timing. It’s hard to believe the VRSN security businesses were a hot commodity, requiring immediate action.

Before we dig into the issues let’s think about the strategy. Seems like Big Yellow is having a bit of an identity crisis. On the surface, like the PGP and GuardianEdge deals, the VeriSign authentication technologies fill a rather noticeable gap in SYMC’s product line. There are potential bundling opportunities for SSL with many of the suites already being sold, especially into the mid-market. And VeriSign never had the focus to broaden the product line, in order to really become an identity player. Symantec has the resources to continue building on this base and become an identity player. But making all this stuff work together would be a tall order for anyone.

As Rich pointed out in email, Symantec seems to be playing a lot of defense nowadays. The encryption deals were all about fending off McAfee, and now the VeriSign deal is about going after EMC. It’s hard to regain market leadership by fighting wars on multiple fronts. Part of averting the identity crisis is to more clearly communicate Symantec’s ultimate vision. That’s been shelved since the Veritas fiasco.

Now let’s take a look at the risks:

  • Integration risk: As we’ve mentioned before, Symantec’s forte has been doing deals, not doing deals well. And trying to integrate the encryption companies at the same time threatens to stretch an already thin management team way too thin.
  • Bundling risk: It’s not like anyone has really tried to bundle SSL certs or tokens with anything else. It’s always been a standalone business. And without some distribution leverage, they can’t make this deal pay.
  • Incumbent risk: VeriSign was the big dog in SSL, but in enterprise authentication they’ve largely struggled. Which makes this an unusual deal for Symantec, which tends to overpay for market leadership. The question is whether Symantec’s channel is willing to replace RSA, which may not be a stretch given EMC’s general channel unfriendliness.
  • Whole product risk: Symantec shouldn’t stop at authentication, but should use this as a platform for building a full identity offering. So that means looking at provisioning (Courion) and Federation (Ping Identity), or perhaps even another bold move to take Novell’s identity business.

Symantec has a history of chasing shiny objects, and this deal runs the risk of absorbing yet another company that then erodes without focus and execution. And given the accelerating commoditization of VeriSign’s core business, integration problems may very well kill the patient under the Big Yellow umbrella. Clearly identity is a key part of the enterprise security stack, but the worry is that Symantec is so distracted trying to gain territory from MFE and EMC/RSA that they go back to crappy execution on the cash cows.

—Mike Rothman

Incite 5/19/2010: Benefits of Bribery

By Mike Rothman

Don’t blink – you might miss it. No I’m not talking about my prowess in the bedroom, but the school year. It’s hard to believe, but Friday is the last day of school here in Atlanta. What the hell? It feels like a few weeks ago we put the twins’ name tags on, and put them on the bus for their first day of kindergarten.

Just take it... The end of school also means it’s summertime. Maybe not officially, but it’s starting to feel that way. I do love the summer. The kids do as well, and what’s not to love? Especially if you are my kids. There is the upcoming Disney trip, the week at the beach, the 5-6 weeks of assorted summer camp(s), and lots of fun activities with Mom. Yeah, they’ve got it rough.

Yet we still face the challenge of keeping the kids grounded when they are faced with a life of relative abundance. Don’t get me wrong, I know how fortunate I am to be able to provide my kids with such rich experiences as they grow up. But XX1 got our goats over the weekend, when one of her friends got an iPod touch for her birthday. Of course, her reaction was “Why can’t I have an iPod touch, all my friends have them?”

Thankfully the Boss was there, as I doubt I would have responded well to that line of questioning. She calmly told XX1 that with an attitude like that, she’ll be lucky if we don’t take away all her toys. And that she needs to be grateful for what she has, not focused on what she doesn’t.

To be clear, not all of her friends have iPod touches. She is prone to exaggeration, like her Dad. What she doesn’t know is our plan to give her a hand-me down iPhone once we upgrade this summer. (Of course I’m upgrading, come on, now!) I think we need to tie it to some kind of achievement. Maybe if she works hard on her school exercises over the summer. Or is nice to her sister (yes, that is a problem). Or whatever kind of behavior we want to incent at any given time. There’s nothing like having a big anchor over her head to drag out every time she misbehaves. That’s right, it’s a bribe.

I’m sure there are better ways than bribery to get the kids to do what we want. I’m just not sure what they are, and nothing we’ve tried seems to work like putting that old carrot out there and waiting for Pavlov to work his magic.

– Mike.

Photo credits: “Unplug for safety” originally uploaded by mag3737

Incite 4 U

  1. Where is the Blog Love? – I’m going to break the rules and link to one of my own posts. On Monday I called out the decline of blogging. Basically, people have either moved to Twitter or left the community discussion completely. Twitter is great, but it can’t replace a good blog war. In response, Andy the IT Guy, DanO, and LoverVamp jumped back on the scene. These are 3 sites I used to read every day (and still do, when they are updated) and maybe we can start rebuilding the community. Why is that important? Because blogs provide a more nuanced, permanent archive of knowledge with more reasoned debate than Twitter, however wonderful, can sustain. – RM

  2. Critical Infrastructure Condition Critical – We all take uninterrupted power for granted. Yet, we security folks understand how vulnerable the critical infrastructure is to cyber-attacks. Dark Reading has an interesting interview with with Joe Weiss, who has written a book about how screwed we are. A lot of the discussions sound very similar to every other industry that requires the regulatory fist of God to come crashing down before they fix anything. And NERC CIP is only a start, since it exempts the stuff that is really interesting, like networks and the actual control systems. Unfortunately it will take a massive outage caused by an attack to change anything. But we all know that because we’ve seen this movie before. – MR

  3. Desktop, The Way You Want It – I am a big fan of desktop virtualization, and I am surprised it has gotten such limited traction. I think people view it ass backwards. The label “dumb terminal” is in the back of people’s minds, and that not a progressive model. But desktop virtualization is much, much more than a refresh of the dumb terminal model. The ability to contain the work environment in a virtual server makes things a heck of a lot easier for IT, and benefits the employee, who can access a fully functional desktop from anywhere inside – and possibly outside – the company. Citrix giving each employee $2,100 to buy their own computer for work is a very smart idea. The benefits to Citrix are numerous. Every employee gets to pick the computer they want, for better or worse, and they are now invested in their choice, rather than considering a work laptop to be a disposable loaner. The work environment is kept safe in a virtual container, and employees still get fully mobile computing. Every user becomes a tester for the company’s desktop virtualization environment, bringing diverse environments under the microscope. And it shows how they can blend work and home environments, without compromising one for the other. This is a good move and makes sense for SMB and enterprise computing environments. – AL

  4. Security 5.0 – HTML5 is coming down the pipe, and Veracode has some great advice on what to keep an eye on from a security perspective. Not to show my age, but I remember hand-coding sites in HTML v1, and how exciting it was when things like JavaScript started appearing. Any time we have one of these major transitions we see security issues crop up, and as you start leveraging all the new goodness it never hurtss to start looking at security early in the process. Odds are your developers are already using bits and pieces of it anyway… especially if they are coding for the iPhone/iPad. – RM

  5. DPI Behind the Scenes – I eyed Will Gragido’s post about deep packet inspection (DPI) as a next generation technology with bemusement. First because I hate the term next generation. But Will kind of misses the point here. Folks are resistant to new technology, but they are not resistant to solving their problems. DPI is not a product you buy, but a way to solve a number of problems – ranging from security enforcement, to network performance management, to content inspection. Who cares if anyone resists a particular name? They are not resistant to understanding what is happening on their networks, so they need some form of DPI. Just don’t call it DPI and we’ll be all good. – MR

  6. Cyber-Security and National Policy – Dan Geer does it again: Cybersecurity and National Policy. As usual from Dan, this is (to say the least) dense, and covers a broad range of topics. One favorite is: “To this extent, security becomes a subset of reliability in that an insecure system will not be reliable, but a reliable system is not necessarily secure.” Bonus: this fuels the rumor that Hoff is in fact Dan in disguise. – DMort

  7. Employees Look out for #1? Really? – The jackass survey of the week award goes to Trend Micro, who actually published the stunning fact that Employees Put Personal Security, Interests Above Company’s. And Dark Reading actually went with the story. Given the loyalty that most companies show their employees nowadays, why is this a surprise? Even better, 1 in 10 users go around corporate security to access restricted websites. Really, truly? All I can say is I hope they didn’t pay a lot for that survey. – MR

  8. Auditor School – Are you an auditor? Do you deal with auditors? How about “assessors” – you know, auditors who don’t want the title, because they think it’s not nice – or because it creates too much legal liability? If so, this post at Layer8 is mandatory reading. Shrdlu (who, as an end user, has to deal with them all the time) presents an open letter to auditors that should be part of every engagement. The audit process is bad enough without someone calling for last-minute meetings without a defined agenda, or blasting out random emails instead of structured documentation. Auditors are just as fallible as the rest of us, and setting expectations early can sure ease the process. – RM

  9. Back-Handed Compliments – Over on the CSO Online site, Bill Brenner posted an opinion piece on Rugged software. He makes a comparison between the data security features in the Oracle database, and software development principles that have yet to be fully defined. WTF? “Unbreakable” was marketing run amok, with product function falling far short of claims, giving Oracle a long lasting black eye. Bill is relating the two concepts, saying he is more comfortable with Rugged, as it implies “… a toughness that’s a lot better than what came before.” That is a little like saying Rugged doesn’t suck as much. Saying “Your new car is better than a Yugo,” is not a compliment. Of course “… rugged isn’t something you can contain in a box” is a correct statement. That’s because there is nothing to put in the box! Not yet anyway. Look, I admire what Josh Corman is doing over at 451 Group with Rugged. It’s the right idea. The real question is: What are the next steps to make Rugged more tangible? Pragmatic, actionable advice and recommended techniques are in order, as this conceptual blob tries to morph into useful approach. Bill’s getting the word out about Rugged, but frankly, the community is still on the fence, and will remain that way until there is something of substance for us to chew on. Comparing a bad marketing idea with Rugged principles achieves little more than kicking Oracle for a decade-old mistake. If we want to do something useful, let’s talk about how MS SDL is or is not Rugged, or contrast Rugged concepts with BSIMM. Those discussions would be much more interesting! But that sends chills down developers’ spines. The problem is that many in the secure code movement have trepidations about saying anything bad about any secure code practices, as the ideas are just now gaining momentum. But we have to go there at some point to make Rugged real. – AL

  10. Do They Have a Class for Common Sense? – Raf hits the nail on the head here, giving some career advice to security folks. The reality is that security is much less of a technical discipline than any other IT function. Sure, there is some level of kung fu that you need to get things done, but ultimately it’s about people. Security folks have to convince IT peers that security is important, and employees not to do stupid things. Many of these tactics depend on a level of business savvy and understanding of how to get things done in their specific organizations. As Raf says: “There is a distinct lack of the analytical mind, business-level understanding and even worse …common sense.” Unfortunately those aren’t skills you can teach – not in a SANS class, anyway. So we’ll end up with a glut of adequate technical folks and a distinct lack of leaders. Which makes us like every other technical discipline, I guess. – MR

—Mike Rothman