Login  |  Register  |  Contact
Thursday, April 01, 2010

Hit the Snooze on Lancope’s Data Loss Alarms

By Rich

Update- Lanscope posted some new information positioning this as a compliment, not substitute, to DLP. Looks like the marketing folks might have gotten a little out of control.

I’ve been at this game for a while now, but sometimes I see a piece of idiocy that makes me wish I was drinking some chocolate milk so I could spew it out my nose in response the the sheer audacity of it all.

Today’s winner is Lancope, who astounds us with their new “data loss prevention” solution that detects breaches using a Harry Potter-inspired technique that completely eliminates the need to understand the data. Actually, according to their extremely educational marketing paper, analyzing the content is bad, because it’s really hard! Kind of like math. Or common sense.

Lancope’s far superior alternative monitors your network for any unusual activity, such as a large file transfer, and generates an alert. You don’t even need to look at packets! That’s so cool! I thought the iPad was magical, but Lancope is totally kicking Apple’s ass on the enchantment front. Rumor is your box is even delivered by a unicorn. With wings!

I’m all for netflow and anomaly detection. It’s one of the more important tools for dealing with advanced attacks. But this Lancope release is ridiculous – I can’t even imagine the number of false positives. Without content analysis, or even metadata analysis, I’m not sure how this could possibly be useful. Maybe paired with real DLP, but they are marketing it as a stand-alone option, which is nuts. Especially when DLP vendors like Fidelis, McAfee, and Palisade are starting to add data traffic flow analysis (with content awareness) to their products.

Maybe Lancope should partner with a DLP vendor. One of the weaknesses of many DLP products is that they do a crappy job of looking across all ports and protocols. Pretty much every product is capable of it, but most of them require a large number of boxes with sever traffic or analysis limitations, because they aren’t overly speedy as network devices (with some exceptions). Combining one with something like Lancope where you could point the DLP at target traffic could be interesting… but damn, netflow alone clearly isn’t a good option.

Lancope, thanks for a great DLP WTF with a side of BS. I’m glad I read it today – that release is almost as good as the ThinkGeek April Fool’s edition!


Wednesday, March 31, 2010

Help a Reader: PCI Edition

By David Mortman

One of our readers recently emailed me with a major dilemma. They need to keep their website PCI compliant in order to keep using their payment gateway to process credit card transactions. Their PCI scanner is telling them they have vulnerabilities, while their hosting provider tells them they are fine. Meanwhile our reader is caught in the middle, paying fines.

I don’t dare to use my business e-mail address, because it would disclose my business name. I have been battling with my website host and security vendor concerning the Non-PCI Compliance of my website. It is actually my host’s IP address that is being scanned and for several months it has had ONE Critical and at least SIX High Risk scan results. This has caused my Payment Gateway provider to start penalizing me $XXXX per month for Non-PCI compliance. I wonder how long they will even keep me. When I contact my host, they say their system is in compliance. My security vendor is saying they are not. They are each saying I have to resolve the problem, although I am in the middle. Is there not a review board that can resolve this issue? I can’t do anything with my host’s system, and don’t know enough gibberish to even interpret the scan results. I have just been sending them to my host for the last several months.

There is no way that this could be the first or last time this has happened, or will happen, to someone in this situation. This sort of thing is bound to come up in compliance situations where the customer doesn’t own the underlying infrastructure, whether it’s a traditional hosted offering, and ASP, or the cloud. How do you recommend the reader – or anyone else stuck in this situation – should proceed? How would you manage being stuck between two rocks and a hard place?

—David Mortman

Incite 3/31/2010: Attitude Is Everything

By Mike Rothman

There are people who suck the air out of the room. You know them – they rarely have anything good to say. They are the ones always pointing out the problems. They are half-empty type folks. No matter what it is, it’s half-empty or even three-quarters empty.

The problem is that my tendency is to be one of those people.

They don't make 'em like they used to... I like to think it’s a personality thing. That I’m just wired to be cynical and that it makes me good at my job. I can point out the problems, and be somewhat constructive about how to solve them. But that’s a load of crap. For a long time I was angry and that made me cynical.

But I have nothing to be angry about. Sure I’ve gotten some bad breaks, but show me a person who hasn’t had things go south at one point or another. I’m a lucky guy. My family loves me. I have a great time at work. I have great friends. One of my crosses to bear is to just remember that – every day.

A good attitude is contagious. And so is a bad attitude. My first step is awareness. I make a conscious effort to be aware of the vibe folks are throwing. When I’m at a coffee shop, I’ll take a break and just try to figure out the tone of the room. I’ll focus on the folks in the room having fun, and try to feed off that. I also need to be aware when I need an attitude adjustment.

Another reason I’m really lucky is that I can choose who I’m around most of the time. I don’t have to sit in meetings with Mr. Wet Blanket. And if I’m doing a client engagement with someone with the wrong attitude, I just call them out on it. What do I care? I’m there to do a job and people with a bad attitude get in my way.

Most folks have to be more tactful, but that doesn’t mean you need to just take it. You are in control of your own attitude, which is contagious. Keep your attitude in a good place and those wet blankets have no choice but to dry up a little. And that’s what I’m talking about.

– Mike.

Photo credit: “Bad Attitude” originally uploaded by Andy Field

Incite 4 U

  1. What’s that smell? Is it burnout? – Speaking of bad attitudes, one of the major contributors to a crappy outlook is burnout. This post by Dan Lohrmann deals with some of the causes and some tactics to deal with it. For me, the biggest issue is figuring out whether it’s a cyclical low, or it’s not going to get better. If it’s the former, appreciate that some days you feel like crap. Sometimes it’s a week, but it’ll pass. If it’s the latter start looking for another gig, since burnout can result from not being successful, and not having the opportunity to be successful. That doesn’t usually get better by sticking around. – MR

  2. Screw the customers, save the shareholders – Despite their best attempts to prevent disclosure, it turns out that JC Penney was ‘Company A’ in the indictment against Alberto Gonzales that didn’t work for the Bush administration. Penney fought disclosure of their name tooth and nail, claiming it would cause “confusion and alarm” and “may discourage other victims of cyber-crimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage.” In other words, forget about the customers who might have been harmed – we care about our bottom line. Didn’t they learn anything from TJX? It isn’t like disclosure will actually lose you customers, $202 per record and all be damned. – RM

  3. Hard filters, injected – SQL injection remains a problem as the attacks are difficult to detect and can often be masked, and detection scripts can fooled by attackers gaming scanning techniques to find stealthy injection patterns. It seems like a fool’s errand, as you foil one attack and attackers just find some other syntax contortion that gets past your filter. Exploiting hard filtered SQL Injections is a great post on the difficulties of scanning SQL statements and how attackers work around defenses. It’s a little more technical, but it walks through various practical attacks, explaining the motivations behind attacks and plausible defenses. The evolution of this science is very interesting. – AL

  4. The FTC can haz your crap seal – I ranted a few weeks ago about these web security seals, and the fact they some are bad jokes – just as a number of new vendors are rolling out their own shiny seals. Sure there seems to be a lot of money in it, but promoting a web security seal as a panacea for customer data protection could get you a visit from some nice folks at the Federal Trade Commission. Except they probably aren’t that nice, as they are shutting down those programs. Especially when the vendor didn’t even test the web site – methinks that’s a no-no. Maybe I should ask ControlScan about that – as RSnake points out, they settled with the FTC on deceptive security seals. As Barnum said, there is a sucker born every minute. – MR

  5. The Google smells a bit (skip)fishy – Last week Google launched Skipfish. Even though I was on vacation I found a few minutes to download and try it out. From the Google documentation: “Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes … The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.” The tool is not bad, and it was pretty fast, but I certainly did not stress test it. But the question on my mind is ‘why’? And no, not “why would I use this tool”, but why would Google build and release such a tool? What problem does it solve for them, and what value does it provide to Google or the user community at large? My guess is that Google is building out a needed component to their web application development suite so developers can test code on their Android stack. And taking a page from the Oracle playbook in educating the masses on their product, the Summer of Code 2010 virally builds out a user base while evolving their products and visibility. I have been slow to realize competing with Apple app development is ancillary, and Google’s efforts are working towards creation of a new primary web development environment. – AL

  6. Does compliance help security? – That’s the age old question, right? Are we more secure thanks to compliance, or less secure because it becomes the lowest common denominator? Mike Dahn has a pretty interesting analysis of some drivers of compliance, and applies things like traffic analysis and other modeling techniques in an attempt to figure out the impact of regulation by looking at other industries. He also makes some suggestions about what makes for effective regulation, and those are on point. IMO unless there is an economic benefit to doing something, it won’t happen unless it’s regulated. So without a regulatory driver, security won’t happen. So although I think most regulations are horribly imperfect, without them we’d be in far worse shape. – MR

  7. The house always wins – Brian Krebs reports on yet another case of a small business losing major bucks in bank account fraud, and the bank telling them to suck up the losses. As usual, the bad guys probably nailed one of the office computers with Zeus or a similar trojan, giving them full credentials to the online banking account. In this case, losses were $200K and the bank refuses to cover the charges. With a personal account you get a full 2 days to detect and report the fraud, but on business accounts you’re out of luck. But hey, for that $200K they got a security token in the mail that probably won’t help. Might be time to look for a bank that takes security seriously, and maybe uses something like Trusteer to protect sessions. Oh – and stop accessing your accounts on an insecure computer. – RM

  8. Survey says BZZZT! WRONG ANSWER! – Yet another data loss story. When ECMC Group Inc. announced that the information of some 3.3 million borrowers has been compromised, Richard Boyle, president and CEO of ECMC Group, Inc. said: “We deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers’ identity and personal information.” Short and professional. Cuts to the heart of the issue and says the right things without divulging too much information. Contrast that with Education Department spokesman Justin Hamilton who stated “Protecting student privacy is a top priority for the department,” and “We are working with ECMC to make sure that affected individuals are provided with resources to protect their information and to provide them with identity-theft insurance.” Individuals cannot protect the information stored at ECMC. Nor can they really protect their identities, as that really falls on the financial and government institutions who grant credit or provide services andbenefits. Nor do borrowers want “Identity Theft Insurance” – they simply do not want to deal with the problem that was created for them. The later quote reeks of someone who is unprepared and unsympathetic to the issue. Regardless of what either of these people really thinks, and the actions they are taking, planning and preparedness (and the lack thereof) show. – AL

  9. Is there an ass personality type? – I remember how enlightening it was the first time I took a Myers-Briggs test. I read the description of my type (INTJ) and it was like looking into a mirror. How’d they know that about me? It was actually very helpful in my relationships, since The Boss can at least understand that I’m not intentionally trying to be an ass, just that I look at situations differently than she does. As Trish Smith points out on the Catalyst blog, understanding your colleagues’ personality types can help you interact with them much more productively. Now it’s probably not appropriate to force your entire team to take a personality test, but you certainly can do a lunch and learn and make it a game. You all take the test (those who agree, anyway) and then discuss how that can help the team work more cohesively and be more aware of how different folks need to be addressed. – MR

—Mike Rothman

Tuesday, March 30, 2010

How Much Is Your Organization Telling Google?

By Rich

Palo Alto Networks just released their latest Application Usage and Risk Report (registration required), which aggregates anonymous data from their client base to analyze Internet-based application usage among their clients. For those of you who don’t know, one of their product’s features is monitoring applications tunneling over other protocols – such as P2P file sharing over port 80 (normally used for web browsing). A ton of different applications now tunnel over ports 80 and 443 to get through corporate firewalls.

The report is pretty interesting, and they sent me some data on Google that didn’t make it into the final cut. Below is a chart showing the percentage of organizations using various Google services. Note that Google Buzz is excluded, because it was too new collect a meaningful volume of data. These results are from 347 different organizations.

Here are a few bits that I find particularly interesting:

  • 86% of organizations have Google Toolbar running. You know, one of those things that tracks all your browsing.
  • Google Analytics is up at 95% – is 5% less than I expected. Yes, another tool that lets Google track the browsing habits of all your employees.
  • 79% allow Google Calendar. Which is no biggie unless corporate info is going up there.
  • Same for the 81% using Google Docs. Again, these can be relatively private if configured properly, and you don’t mind Google having access.
  • 74% use Google Desktop. The part of Desktop that hits the Internet, since Palo Alto is a gateway product that can’t detect local system activity.

Now look back at my post on all the little bits Google can collect on you. I’m not saying Google is evil – I just have major concerns with any single source having access to this much information. Do you really want an unaccountable outside entity to have this much data about your organization?


Monday, March 29, 2010

FireStarter: Nasty or Not, Jericho Is Irrelevant

By Mike Rothman

It seems the Jericho Forum is at it again. I’m not sure what it is, but they are hitting the PR circuit talking about their latest document, a Self-Assessment Guide. Basically this is a list of “nasty” questions end users should ask vendors to understand if their products align with the Jericho Commandments.

If you go back and search on my (mostly hate) relationship with Jericho, you’ll see I’m not a fan. I thought the idea of de-perimeterization was silly when they introduced it, and almost everyone agreed with me. Obviously the perimeter was changing, but it clearly was not disappearing. Nor has it.

Jericho fell from view for a while and came back in 2006 with their commandments. Most of which are patently obvious. You don’t need Jericho to tell you that the “scope and level of protection should be specific and appropriate to the asset at risk.” Do you? Thankfully Jericho is there to tell us “security mechanisms must be pervasive, simple, scalable and easy to manage.” Calling Captain Obvious.

But back to this nasty questions guide, which is meant to isolate Jericho-friendly vendors. Now I get asking some technical questions of your vendors about trust models, protocol nuances, and interoperability. But shouldn’t you also ask about secure coding practices and application penetration tests? Which is a bigger risk to your environment: the lack of DRM within the system or an application that provides root to your entire virtualized datacenter?

So I’ve got a couple questions for the crowd:

  1. Do you buy into this de-perimeterization stuff? Have these concepts impacted your security architecture in any way over the past ten years?
  2. What about cloud computing? I guess that is the most relevant use case for Jericho’s constructs, but they don’t mention it at all in the self-assessment guide.
  3. Would a vendor filling out the Jericho self-assessment guide sway your technology buying decision in any way? Do you even ask these kinds of questions during procurement?

I guess it would be great to hear if I’m just shoveling dirt on something that is already pretty much dead. Not that I’m above that, but it’s also possible that I’m missing something.

—Mike Rothman

Friday, March 26, 2010

Security Innovation Redux: Missing the Forest for the Trees

By Mike Rothman

There was a great level of discourse around Rich’s FireStarter on Monday: There is No Market for Security Innovation. Check out the comments to get a good feel for the polarization of folks on both sides of the discussion.

There were also a number of folks who posted their own perspectives, ranging from Will Gragido at Cassandra Security, Adam Shostack on the New School blog, to the hardest working man in showbiz, Alex Hutton at Verizon Business. All these folks made a number of great points.

But part of me thinks we are missing the forest for the trees here. The FireStarter was really about new markets and the fact that it’s very very hard for innovative technology to cross the chasm unless it’s explicitly mandated by a compliance regulation. I strongly believe that, and we’ve seen numerous examples over the past few years.

But part of Alex’s post dragged me back to my Pragmatic philosophy, when he started talking about how “innovation” isn’t really just constrained to a new shiny widget that goes into a 19” rack (or a hypervisor). It can be new uses for stuff you already have. Or working the politics of the system a bit better internally by getting face time with business leaders.

I don’t really call these tactics innovation, but I’m splitting hairs here. My point, which I tweeted, is “Regardless of innovation in security, most of the world doesn’t use they stuff they already have. IMO that is the real problem.”

Again, within this echo chamber most of us have our act together, certainly relative to the rest of the world. And we are passionate about this stuff, like Charlie Miller fuzzing all sorts of stuff to find 0-day attacks, while his kids are surfing on the Macs.

So we get all excited about Pwn2Own and other very advanced stuff, which may or may not ever become weaponized. We forget the rest of the world is security Neanderthal man. So part of this entire discussion about innovation seems kind of silly to me, since most of the world can’t use the tools they already have.

—Mike Rothman

Friday Summary: March 26, 2010

By Rich

It’s been a bit of a busy week. We finished up 2 major projects and I made a quick out of town run to do a little client work. As a result, you probably noticed we were a bit light on the posting. For some silly reason we thought things might slow down after RSA.

I’m writing this up on my USAirways flight but I won’t get to post it until I get back home. Despite charging the same as the other airlines, there’s no WiFi. Heck, they even stopped showing movies and the AirMall catalogs are getting a bit stale. With USAirways I feel lucky when we have little perks, like two wings and a pilot. You know you’re doing something wrong when you provide worse service at the same price as your competitors. On the upside, they now provide free beer and wine in the lounge. Assuming you can find it. In the basement. Without stairs. With the lights out. And the “Beware of Tiger” sign.

Maybe Apple should start an airline. What the hell, Hooters’ pulled it off. All the flight attendants and pilots can wear those nice color coded t-shirts and jeans. The planes will be “magical” and they’ll be upgraded every 12 months so YOU HAVE TO FLY ON ONE! The security lines won’t be any shorter, but they’ll hand out water and walk around with little models of the planes to show you how wonderful they all are.

Er… maybe I should just get on with the summary. And I’m sorry I missed CanSecWest and the Pwn2Own contest. I didn’t really expect someone to reveal an IE8 on Windows 7 exploit, considering its value on the unofficial market. Pretty awesome work.

Since I have to write up the rest of the Summary when I get home it will be a little lighter this week, but I promise Adrian will make up for it next week.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Jim Ivers, in response to FireStarter: There is No Market for Security Innovation.

Great post and good observations. The security market is a very interesting and complex ecosystem and even companies that have an innovation that directly addresses a generally accepted problem have a difficult road. The reactive nature of security and the evolving nature of the problems to which the market responds is one level of complexity. The sheer number of vendors in the space and the confusing noise created by those numbers is another. Innovation is further dampened by the large established vendors that move to protect market share by assuring their customer base that they have known problems covered when there is evidence to the contrary.

Ultimately revenue becomes the gating factor in sustaining a growing company. But buyers have a habit of taking a path of risk avoidance by placing bets on establish suites of products rather than staking professional reputation on unproven innovative ideas. Last I checked, Gartner had over 20 analysts dedicated to IT security in one niche or another, which speaks to how complex the task of evaluating and selecting IT security products can be for any organization. The odds of even the most innovative companies being heard over the noise are small, which is a shame for all concerned, as innovation serves both the customers and the vendors.


Thursday, March 25, 2010

Hello World. Meet Pwn2Own.

By Rich

I’m currently out on a client engagement, but early results over Twitter say that Internet Explorer 8 on Windows 7, Firefox on Windows 7, Safari on Mac OS X, and Safari on iPhone were all exploited within seconds in the Pwn2Own contest at the CanSecWest conference. While these exploits took the developers weeks or months to complete, that’s still a clean sweep.

There is a very simple lesson in these results:

If your security program relies on preventing or eliminating vulnerabilities and exploits, it is not a security program.


Tuesday, March 23, 2010

Project Quant: Database Security - Patch

By Adrian Lane

Filling out one of our last steps in the Database Security process Framework is the Patch Management task of the Manage phase. There is really no need to re-invent the wheel here, so we will follow the process outlined in the original Project Quant for Patch Management project conducted in 2009. I have adjusted several of the tasks to be database specific, but the process as a whole is the same.

The beautiful thing about processes is, since they are a framework to guide our efforts and interactions with others, we can adjust them in whatever way that suits our needs. Add or remove steps to fit your organization’s size and dependencies. And I did just that in Database Security Fundamentals for Patching for small and medium businesses. But here it is best to examine this task at a high level because patch management takes far more time and resources than typical estimates account for. It’s not just the installation of the patches – but the review and certification tests to ensure that your production environment does not come to a crashing halt – that cost so much in time, organization, and automation tools. You will need to spend more time on this task than the others we have already discussed.

Make no mistake – patching is a critical security operation for databases. The vast majority of security concerns and logic flaws within the database will be addressed by the database vendor. You may have workarounds, or be able to mask some flaws with third party security products, but the vendor is the only way to really ‘fix’ database security issues. That means you will be patching on a regular basis to address 0-days just as you do with ‘Priority 1’ functional issues. Database vendors have dedicated security teams to analyze attacks against their databases, and small firms must leverage their expertise. But you still need to manage the updates in a predictable fashion that does not disrupt business functions.

The following is our outline of the high level steps, with an itemization of the costs you want to consider when accounting for your database patch management process.

DB Patch Process

  1. Monitor for Release/Advisory: Time to gather patch release and associated data. Each of the database vendors follows a different process, but most provide patch pre-notification alerts and notification when functional and security patches are available, and do so in predictable cycles.
  2. Acquire: Time to get the patch. Download patch and documentation.
  3. Evaluate: Time to perform the initial ‘paper’ evaluation of the patch. What’s it for? Is it security-sensitive? Do we use that software? Is the issue relevant in our environment? Are there workarounds or dependencies? If the patch is appropriate, continue.
  4. Schedule: Time to coordinate with other groups to schedule testing and deployment. Prioritize based on the nature of the patch itself, and your infrastructure/assets. Then build out a deployment schedule based on your prioritization.
  5. Test and Certify: Time to perform any required testing, and certify the patch for release. Remember to include time to add or update test cases, and if you use masked production data, extract & load of new data set. Verify functional tests pass and meet functional requirements. If the tests pass continue with this process; otherwise clean up the failed test area. Factor in the cost of tools or services.
  6. Create Deployment Package: Prepare the patch for deployment.
  7. Deploy.
  8. Confirm Deployment: Time to verify that patches were properly deployed. This includes use of configuration management or vulnerability assessment tools, as well as functional ‘sanity’ tests.
  9. Clean up: Time to clean up any bad deployments, remnants of the patch application procedure, rollbacks, and any other associated cruft/detritus.
  10. Document and Update Configuration Standards: Time to document the patch deployment (which may be required for regulatory compliance) and update any associated configuration standards/guidelines/requirements. Save the patch and documentation in a safe archive area so the update process can be repeated in a consistent fashion.

—Adrian Lane

Monday, March 22, 2010

FireStarter: There is No Market for Security Innovation

By Rich

I often hear that there is no innovation left in security.

That’s complete bullshit.

There is plenty of innovation in security – but more often than not there’s no market for that innovation.

For anything innovative to survive (at least in terms of physical goods and software) it needs to have a market. Sometimes, as with the motion controllers of the Nintendo Wii, it disrupts an existing market by creating new value. In other cases, the innovation taps into unknown needs or desires and succeeds by creating a new market.

Security is a bit of a tougher nut. As I’ve discussed before, both on this blog and in the Disruptive Innovation talk I give with Chris Hoff, security is reactive by nature. We are constantly responding to changes in the underlying processes/organizations we protect, as well as to threats evolving to find new pathways through our defenses. With very few exceptions, we rarely invest in security to reduce risks we aren’t currently observing. If it isn’t a clear, present, and noisy danger, it usually finds itself on the back burner.

Innovations like firewalls and antivirus really only succeeded when the environment created conditions that showed off value in these tools. Typically that value is in stopping pain, and not every injury causes pain. Even when we are proactive, there’s only a market for the reactive. The pain must pass a threshold to justify investment, and an innovator can only survive for so long without customer investment.

Innovation is by definition almost always ahead of the market, and must create its own market to some degree. This is tough enough for cool things like iPads and TiVos, but nearly impossible for something less sexy like security. I love my TiVo, but I only appreciate my firewall.

As an example, let’s take DLP. By bringing content analysis into the game, DLP became one of the most innovative, if not the most innovative, data security technologies we’ve seen. Yet 5+ years in, after multiple acquisitions by major vendors, we’re still only talking about a $150M market. Why? DLP didn’t keep your website up, didn’t keep the CEO browsing ESPN during March Madness, and didn’t keep email spam-free. It addresses a problem most people couldn’t see without DLP a DLP tool! Only when it started assisting with compliance (not that it was required) did the market start growing.

Another example? How many of you encrypted laptops before you had to start reporting lost laptops as a data breach?

On the vendor side, real innovation is a pain in the ass. It’s your pot of gold, but only after years of slogging it out (usually). Sometimes you get the timing right and experience a quick exit, but more often than not you either have to glom onto an existing market (where you’re fighting for your life against competitors that really shouldn’t be your competitors), or you find patient investors who will give you the years you need to build a new market. Everyone else dies.

Some examples?

  • PureWire wasn’t the first to market (ScanSafe was) and didn’t get the biggest buyout (ScanSafe again), but they timed it right and were in and out before they had to slog.
  • Fidelis is forced to compete in the DLP market, although the bulk of their value is in managing a different (but related) threat. 7+ years in and they are just now starting to break out of that bubble.
  • Core Security has spent 7 years building a market- something only possible with patient investors.
  • Rumor is Palo Alto has some serious firewall and IPS capabilities, but rather than battling Cisco/Checkpoint, they are creating an ancillary market (application control) and then working on the cross-sell.

Most of you don’t buy innovative security products. After paying off your maintenance and licens renewals, and picking up a few widgets to help with compliance, there isn’t a lot of budget left. You tend to only look for innovation when your existing tools are failing so badly that you can’t keep the business running.

That’s why it looks like there’s no security innovation – it’s simply ahead of market demand, and without a market it’s hard to survive. Unless we put together a charity fund or those academics get off their asses and work on something practical, we lack the necessary incubators to keep innovation alive until you’re ready to buy it.

So the question is… how can we inspire and sustain innovation when there’s no market for it? Or should we? When does innovation make sense? What innovation are we willing to spend on when there’s no market? When and how should we become early adopters?


Some DLP Metrics

By Rich

One of our readers, Jon Damratoski, is putting together a DLP program and asked me for some ideas on metrics to track the effectiveness of his deployment. By ‘ask’, I mean he sent me a great list of starting metrics that I completely failed to improve on.

Jon is looking for some feedback and suggestions, and agreed to let me post these. Here’s his list:

  • Number of people/business groups contacted about incidents – tie in somehow with user awareness training.
  • Remediation metrics to show trend results in reducing incidents – at start of DLP we had X events, after talking to people for 30 days about incidents we now have Y events.
  • Trend analysis over 3, 6, & 9 month periods to show how the number of events has reduced as remediation efforts kick in.
  • Reduction in the average severity of an event per user, business group, etc.
  • Trend: number of broken business policies.
  • Trend: number of incidents related to automated business practices (automated emails).
  • Trend: number of incidents that generated automatic email.
  • Trend: number of incidents that were generated from service accounts – (emails, batch files, etc.)

I thought this was a great start, and I’ve seen similar metrics on the dashboards of many of the DLP products.

The only one I have to add to Jon’s list is:

  • Average number of incidents per user.

Anyone have other suggestions?


Announcing NetSec Ops Quant: Network Security Metrics Suck. Let’s Fix Them.

By Mike Rothman

The lack of credible and relevant network security metrics has been a thorn in my side for years. We don’t know how to define success. We don’t know how to communicate value. And ultimately, we don’t even know what we should be tracking operationally to show improvement (or failure) in our network security activities.

But we in the echo chamber seem to be happier bitching about this, or flaming each other on mailing lists, than focusing on finding a solution. Some folks have tried to drive towards a set of metrics that make sense, but I can say most of the attempts are way too academic and also cost too much to collect to be usable in everyday practice. Not to mention that most of our daily activities aren’t even included in the models.

Not to pick on them too much, but I think these issues are highlighted in the way the Center for Internet Security has scoped out network security metrics. Basically, they didn’t. They have metrics on Incident Management, Vulnerability Management, Patch Management, Configuration Change Management, Application Security, and Financial Metrics. So the guy managing the network security devices doesn’t count? Again, I know CIS is working towards a lot of other stuff, but the reality is the majority of security spending is targeted at the network and endpoint domains, and there are no good metrics for those.

So let’s fix it.

Today, we are kicking off the next in our series of Quant projects. This one is called Network Security Operations Quant, and we aim to build a process map and underlying cost model for how organizations manage their network security devices.

The project’s formal objective and scope are:

The objective of Network Security Operations Quant is to develop a cost model for monitoring and managing network security devices that accurately reflects the associated financial and resource costs.

Secondarily, we also want to:

  • Build the model in a manner that supports use as an operational efficiency model to help organizations optimize their network security monitoring and management processes, and compare costs of different options.
  • Heavily engage the community and produce an open model with wide support and credibility, using the Totally Transparent Research process.
  • Advance the state of IT metrics, particularly operational security metrics.

We are grateful to our friends at SecureWorks, who are funding this primary research effort.

As with all our quant processes, our methodology is:

  1. Establish the high level process map via our own research.
  2. Use a broad survey to validate and identify gaps in the process map.
  3. Define a set of subprocesses for each high-level process.
  4. Build metrics for each subprocess.
  5. Assemble the metrics into a model which can be used to track operational improvement.

From a scoping standpoint, we are going to deal with 5 different network security processes:

  1. Monitoring firewalls
  2. Monitoring IDS/IPS
  3. Monitoring server devices
  4. Managing firewalls
  5. Managing IDS/IPS

Yes, we know network security is bigger than just these 5 functions, but we can’t boil the ocean. There is a lot of other stuff we’ll model out using the Quant process over the next year, but this should be a good start.

Put up or shut up

We can’t do this alone. So we are asking for your help. First off, we are going to put together a “panel” of organizations to serve as the basis for our initial primary research. That means we’ll be either doing site visits or detailed phone interviews to understand how you undertake network security processes. We’ll also need the folks on the panel to shoot holes in our process maps before they are posted for public feedback. We are looking for about a dozen organizations from a number of different verticals and company sizes (large enterprise to mid-market).

As with all our research, there will be no direct attribution to your organization. We are happy to sign NDAs and the like. If you are interested in participating, please send me an email directly at mrothman (at) securosis . com.

Once the initial process maps are posted, we will post a survey to find out whether you actually do the steps we identify. We’ll also want your feedback on the process via posts that describe each step in the process. Everyone has an opportunity to participate and we hope you will take us up on it.

This is possibly the coolest research project I’ve personally been involved with and I’m really excited to get moving on it. We look forward to your participation, so we finally can get on the same page, and figure out how to measure how we “network security plumbers” do our business.

—Mike Rothman

Friday, March 19, 2010

Bonus Incite 3/19/2010: Don’t be LHF

By Mike Rothman

I got a little motivated this AM (it might have something to do with blowing off this afternoon to watch NCAA tourney games) and decided to double up on the Incite this week.

I read Adrian’s Friday Summary intro this and it kind of bothered me. Mostly because I don’t know the answers either, and I find questions that I can’t answer cause me stress and angst. Maybe it’s because I like to be a know-it-all and it sucks when your own limitations smack you upside the head.

Just because it's low hanging doesn't mean it's tasty... Anyhow, what do we do about this whole information sharing culture we’ve created – and more importantly, how do we make sure the next generation is protected from the new age scam artists who prey on over-sharers? I came across this coverage from RSA of Hugh Thompson’s interviews of Craigslist and the Woz. Both Newmark and Wozniak believe education is the answer.

Truth be told, I have mixed feelings. I know the futility of widespread education because you can’t possibly keep up with the attackers, not within a mass market context. Yet my plan is still to use education as one of a few tactics that I’ll use to keep my kids (and the Boss) safe online.

The reality is that because my kids will be trained on how to recognize fraud and what not to do online, they will be ahead of 95% of the other folks out there. And remember, most attackers prey on the lowest hanging fruit. As long as my kids aren’t that, I think things will work out OK.

But I also maintain pretty tight controls on the machines they use and the network they connect to. As they get more sophisticated, so will the defenses. I’ll implement a kids’ browsing network, and segment out my business machines and sensitive data). I already lock down their devices so they can’t install software (unless I know about it). At some point, they’ll get their own machines and I’ll centralize the file storage (both for backup and oversight), so I can easily rebuild their machines every couple months.

And we’ve got a lot of controls to protect our finances as well. We check the credit cards frequently (to ensure unauthorized transactions get caught quickly) and have a home incident response plan in the event one of my devices does get pwned.

Of course, that doesn’t answer the question of how to solve the macro problem, but honestly I’m not sure we can. Fraud has been happening since the beginning of time, and it’s a bit crazy to think we could stop it entirely.

But I can work my ass off to minimize the impact of the bad guys on my own situation, which is a pretty good objective – both at home and at work.

Have a great weekend.

– Mike.

Photo credit: “that low-hanging fruit they keep talking about in meetings” originally uploaded by travelskerricks

Bonus Incite 4 U

  1. Getting screwed by the back channel – I read a recent post from the security career counselors (Mike Murray and Lee Kushner) and it got my goat a bit. The post was about how to deal with negative references, and I’m sensitive to this. I’ve been in a situation where a former boss sent a torpedo through my engine room as I had a new job lined up and closed. It was during a back channel conversation so I had no recourse (even though there was a non-disparagement clause in my exit agreement). Mike and Lee suggest first assembling a list of positive references that can offset a negative reference, as well as being candid with your prospective employer about the issues. This is great advice, since that’s exactly how I dealt with the situation. I did my own backchannel work and got folks inside the company to talk about me (on deep background), as well as confronting the situation head on. It worked out for me, but everyone needs to have contingency plans for everything, and a negative reference is certainly one of them. – MR

  2. Isn’t UTM a hopping market? – From all the market share projections and growth numbers, the UTM (unified threat management) market is growing like gangbusters. Yet you see companies like Symantec (a few years ago) and McAfee (who recently shut down their SnapGear offering) getting out of the business. The reality is there are multiple market segments in network security and they require different solutions. UTM can be applicable to large enterprises, but they don’t buy combined solutions. They evaluate the products on a function-by-function basis. So they will compare the UTM-based IPS to the stand-alone IPS and so on, before they decide whether to embrace an integrated solution. Whereas the mid-market wants a toaster to make their problems go away. So hats off to McAfee for deciding they didn’t have a competitive offering or leveraged path to market, and getting out of the business. One of the hardest things to do is kill a product, no matter how competitive it is. Strong companies need to kill things, or they become overpopulated and operate sub-optimally. – MR

  3. Stupid is as stupid does – I recently watched Forrest Gump again, and it’s a treasure trove of little saying that really apply to our daily existence. We are security professionals, which mean we should understand risks and act accordingly. How can you tell your internal users to do something if you don’t do it yourself? I guess you can, but come back into the shop after having your own machine pwned and see how much credibility you have left. So when I see the inevitable reports from security conferences about how stupid our own professionals are, it makes me nuts. At the RSA show, Motorola AirDefense found all sorts of wireless stupidity from the attendees, and it’s really nutty. If you don’t have a 3G card, then just make due without connecting for a few hours while you are at the show. You have a mobile device and if it’s that important, go back to your hotel. At a security show they are always watching, even if not trying to put you on the wall of sheep. Get your head in the game, folks. – MR

  4. Seeing the Hydra in action – We talk about the need for redundancy and contingency plans to keep our networks operational. Well, the bad guys do too. Krebs digs into some of the things the folks running the big botnets have done to keep operating even when one of their network connectivity points (Troyak) gets taken down. It’s fascinating stuff and just goes to show that our adversaries have well-thought-out business plans in place. Not sure you can put “Director of Network Resiliance, Zeus Botnet” on a business card, but I assure you someone has that title, somewhere. And be sure to put Brian Krebs on your holiday card list. The work he does is consistently outstanding. – MR

  5. PCI a success? Why do we bitch about it so much? – CSOAndy makes a good point in covering the PCI panel that happened at Security BSides at RSA. To be clear, PCI has done more for security folks than any other standard to date. Hands down. The real issue is that we in the echo chamber know how much more needs to be done. But referring back to RSnake’s conversations with black hat hackers, we are making progress because the bad guys have to work harder. PCI is partially responsible for making sure people are closing the windows and locking the doors. Of course, there are still ways in, and any standard will always be behind the current attack space, but let’s take a step back and remember how things were a few years ago. Tick tock tick tock. OK, enough reflection. The PCI folks need to figure out how to reduce the cycle time of their updates, or at least put tiered guidance in place for folks where not hitting a low bar results in fines, where a set of advanced practices would more accurately address the current attack patterns. – MR

—Mike Rothman

Friday Summary: March 19, 2010

By Adrian Lane

Your Facebook account gets compromised. Your browser flags your favorite sports site as a malware distributor. Your Twitter account is hacked through a phishing scam. You get AV pop-ups on your machine, but cannot tell which are real and which are scareware. Your identify gets stolen. You try to repair the damage and make sure it doesn’t happen again, only to get ripped off by the credit agency (you know who I am talking about). Exasperated, you just want to go home, relax, and catch up on March Madness. But it turns out the bracket email from your friend was probably another phishing attempt, and your alma mater suspends a star player while it investigates derogatory public comments – which it eventually discovers were forged. Man, it sucks to be Generation Y.

There has been an incredible cacophony over the last couple weeks across the mainstream media about social networks being manipulated for fun, personal satisfaction, and profit. Even the people my my semi-rural area are discussing how it has affected them and their children, so I know it is getting national attention. What I can’t figure out is how their behavior will change – if at all. RSnake discussed a Microsoft paper recently, expanding on its discussion of why training users on the dangers of unsafe browsing often does not make economic sense. Even if it was viable, people don’t want to learn all that stuff, as it makes web browsing more work than fun.

So what gives? I believe that our increasing use of and dependency on the Internet, and the corresponding increases in fraud and misuse, require change. But will people feel differently, and will this drive them to actually behave differently? Will the changes be technological, legal, or social? We could see tighter or looser privacy rules on websites, or legal precedents or new laws – we have already seen dramatic shifts in what younger people consider private and are willing to publicize online. The paper asserts that “The wisdom of the crowd discerns that ignoring some threats brings little actual harm …” which I totally agree with, and describes Twitter phishing and Facebook hacks. Bank accounts being drained and cars being shut down are a whole different level of problem, though. I really don’t have an answer – or even an inkling – of what happens next. I do think the problem has gotten sufficiently mainstream that we will to see mainstream impacts and reactions, though. Interesting times!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

  • Rich: Conversations With a Blackhat. The best takeaway from RSnake’s summary of talking with some bad guys is that at least some of what we are doing on the security side is actually working. So much for the “security is failing” meme…
  • David Mortman: Three Steps to a Rational Security Budget.
  • Mike Rothman: Why I’m Skeptical of “Due Diligence” Based Security. I have no idea what Alex is talking about, but he has a picture of Anakin, Obi-Wan and Yoda with the glowing ghosts of John Lennon and George Harrison. So it’s my favorite of the week.
  • Adrian Lane: Walkthrough: Click at Your Own Risk. Analysis of privacy and the manipulation of public impressions through social media. An excellent piece of analysis from … a football statistics site. Long but very informative, and a perspective I don’t think a lot of people appreciate.

Project Quant Posts

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Andy Jaquith, in response to RSA Tomfoolery: APT is the Fastest Way to Identify Fools and Liars. When a comments makes me laugh out loud, it usually gets my vote!

I’ve been using the phrase “Advanced Persistent Chinese” lately. It sounds good, it’s more accurate, and it’s funny. What’s not to like?

I completely agree that the displays of vendor idiocy around APT are far too widespread. You can’t have a carnival without the barker, apparently.

Good seeing you, by the way, Any – albeit far too briefly.

—Adrian Lane

Thursday, March 18, 2010

Network Security Fundamentals: Egress Filtering

By Mike Rothman

As we wrap up our initial wave of Network Security Fundamentals, we’ve already discussed Default Deny, Monitoring everything, Correlation, and Looking for Not Normal. Now it’s time to see if we can actually get in the way of some of these nasty attacks.

So what are we trying to block? Basically a lot of the issues we find through looking for not normal. The general idea involves implementing a positive security model not just to inbound traffic (default deny), but to outbound traffic as well. This is called egress filtering, and in practice is basically turning your perimeter device inside out and applying policies to outbound traffic.

This defensive tactic ensures that non-standard ports and protocols don’t make their way out of your network. Filtering can also block reconnaissance tactics, network enumeration techniques, outbound spam bots, and those pesky employees running Internet businesses from within your corporate network. Amazingly enough this still happens, and too many organizations are none the wiser.

Defining Egress Filtering Policies

Your best bet is to start with recent incidents and their root causes. Define the outbound ports and protocols which allowed the data to be exfiltrated from your network. Yes, this is obvious, but it’s a start and you don’t want to block everything. Not unless you enjoy being ritually flayed by your users.

Next leverage the initial steps in the Fundamentals series and analyze correlated data to determine what is normal. Armed with this information, next turn to the recent high-profile attacks getting a lot of airtime. Think Aurora and learn how that attack exfiltrates data (custom encrypted protocol on ports 443). For such higher-probability attacks, define another set of egress filtering rules to make sure you block (or at least are notified) when you have outbound traffic on the ports used during the attacks.

You can also use tighter location-based filtering policies, like not allowing traffic to countries where you don’t do business. This won’t work for mega-corporations doing business in every country in the world, but for the other 99.99% of you, it’s an option. Or you could enforcing RFC standards on Port 80 and 443 to make sure no custom protocol is hiding anything in a standard HTTP stream.

Again, there are lots of different ways to set up your egress filtering rules. Most can help, depending on the nature of your network traffic, none are a panacea. Whichever you decide to implement, make sure you are testing the rules in non-blocking mode first to make sure nothing breaks.

Blocking or Alerting

As you can imagine, it’s a dicey proposition to start blocking traffic that may break legitimate applications. So take care when defining these rules, or take the easy way out and just send alerts when one of your egress policies is violated. Of course, the alerting approach can (and probably will) result in plenty of false positives, but as you tune the policies, you’ll be able to minimize that.

Which brings up the hard truth of playing around with these policies. There are no short cuts. Vendors who talk about self-defending anything, or learning systems, or anything else that doesn’t involve the brutal work of defining policies and tuning them over time until they work in your environment, basically doesn’t spend enough time in the real world. ‘nuff said.

To finish our discussion of blocking, again think about these rules in terms of your IPS. You block the stuff you know is bad, and you alert on the stuff you aren’t sure about. Let’s hope you aren’t so buried under alerts that something important gets by, but that’s life in the big city.

No Magic Bullets

Yes, we believe egress filtering is a key control in your security arsenal, but as with everything else, it’s not a panacea. There are lots of attacks which will skate by undetected, including those that send traffic over standard ports. So once again, it’s important to look at other controls to provide additional layers of defense. These may include outbound content filtering, application-aware perimeter devices, deep packet inspection, and others.

More Network Security Fundamentals

I’m going to switch gears a bit and start documenting Endpoint Security Fundamentals next week, but be back to networks soon enough, getting into wireless security, network pen testing, perimeter change control, and outsourced perimeter monitoring. Stay tuned.

—Mike Rothman