Login  |  Register  |  Contact
Wednesday, March 10, 2010

Incite 3/9/2010 - Ten Reasons I Love the RSAC

By Mike Rothman

To stir the pot a bit before the RSA Conference, I did a FireStarter wondering out loud if social media would ever replace big industry conferences. Between the comments and my experiences last week, I’d say no. Though I can say social media provides the opportunity to make business acquaintances into friends and let loudmouths like Rich, Adrian and myself make a living having on an opinion (often 3 or 4 between us).

The rise of the anti-con... So I figured this week, I’d do a Top 10 list of things I can’t do on Twitter, which will keep me going to the RSA Conference as long as they keep letting me in.

  1. This is your life – Where else can I see 3 CEOs who fired me in one room (the AGC conference)? Thankfully I left my ice pick in the hotel room that morning.
  2. Everybody knows your name – Walk into the W Hotel after 9pm, and if you’ve been in the business more than a week, odds are you’ll see plenty of people you know.
  3. Trend spotting – As we expected, there was lots of APT puffery at the show, but I also saw lots of activity on wireless security – that was mildly surprising. And group conversations provided additional unexpected perspectives. Can’t do that on Twitter.
  4. Evasive maneuvers – To save some coin, I don’t stay in the fancy hotels. But that means you have to run the panhandler gauntlet between the parties and the hotel. I was a bit out of practice, but escaped largely unscathed.
  5. Rennaissance security folks – It seems lots of security folks are pretty adept at some useful skills. Like procuring entire bottles of top shelf liquor at parties. Yes, very useful indeed.
  6. Seeing the sights – I know Shimmy doesn’t like booth babes, but that’s his problem. I thought I took a wrong turn when I got to the Barracuda party and ended up at the Gold Club, though I was happy I had a stack of $1s in my pocket.
  7. Making new friends – The fine folks at SafeNet held a book signing for The Pragmatic CSO at the show. I got to meet lots of folks and they even got to take home copies. Can’t do that on Twitter either.
  8. Splinter conferences – Given the centralization of people that go to RSA, a lot of alternative gatherings happen during RSA week. Whether it’s BSides, Cloud Security Alliance, Metricon, AGC, or others, most folks have alternatives to RSA Conference panel staples.
  9. Recovery Breakfast – Once again, we held our Disaster Recovery Breakfast and it was the place to be on Thursday morning. A who’s who of security royalty passed through to enjoy the coffee, bloody mary’s, and hot tasty breakfast. Thanks to Threatpost for co-sponsoring with us.
  10. Elfin underwear – Where else can your business partner pull down his pants in front of 500 people and not get put in the slammer? That’s right, RSA. Check it out – it was really funny.

So in a nutshell, from an educational standpoint I’m not sure spending a week at the RSA Conference makes sense for most practitioners. But from a networking and fun perspective, it remains the best week of the year. And thankfully I have 12 months to dry out and rest my liver for next year’s show.

– Mike

Photo credit: “Frank Chu Bsides SF” originally uploaded by my pal St0rmz


Incite 4 U

Ah, digging out from under the RSA mayhem is always fun. There was lots to see, many meaningless announcements, and plenty of shiny objects. Here is a little smattering of stuff that happened at the show, as well as a few goodies not there.

  1. AP(ressure)T Explained – As Rich pointed out, APT was in full swing last week at RSA and Richard Bejtlich has been calling out folks with extreme malice for this kind of behavior – which we all think is awesome. But to really understand the idiocy, you need to relate it to something you can understand. Which is why I absolutely loved Richard’s analogy of how martial arts folks dealt with a new technique based on pressure points. Read this a post a few times and it will click. Folks either jump on the bandwagon or say the bandwagon is stupid. Not many realize something new and novel is happening and act accordingly. – MR

  2. Patch Tuesday, Exploit Monday – You have to feel for the guys in the Microsoft security center. They line up their latest patch set, and some bad guys blow it by attacking unpatched vulnerabilities before Microsoft can include them in the latest release. I’m a big fan of the Patch Tuesday cycle, but that means anything released on “Exploit Wednesday” or even close to Patch Tuesday potentially has a month to run before Microsoft can fix it. MS is pretty good at releasing out of band patches if something is being widely exploited, and they’re the ones providing the warning, but it makes me long for the days when an 0day was so rare as to be nearly mythical. This latest attack hits IE 6 and 7 on various platforms, and you can mitigate with a content filtering gateway or an alternative browser, or by following some suggestions in the linked article (setting IE security zone settings to High). – RM

  3. Creating the Insecurity Index – If we know that your A/V and anti-malware only catch 20% of malicious code, or your firewall only blocks 20%, and your WAF only blocks 60% of application flaws, and so on, can we create some meaningful metrics on application security FAIL? Kind of a Mean Time Between Failure analysis for IT? I got to thinking about this when talking to Kelly Jackson Higgins at RSA about her post on Dark Reading regarding application testing, which found that 60% of applications they tested remained vulnerable. To me this is not a surprise at all, given that most adopt a security model to surround applications with add-on services and appliances to protect the application from the nasty attackers and viruses rather than fix the code itself. For most large organizations the amount of work necessary to fix their crappy code would be monumental, and a rewrite would mean years of development time. I have never fully bought into that idea, and given that most open source projects are very large and still manage to fix flaws within the code, Veracode’s report does support the idea that we should dedicate more resources to development. Survey results do expose how much organization rely upon internally developed web-based applications and, quite frankly, how bad most of them are in terms of security. Still, I wonder how people will react to this data, and whether it will change the amount of in-house development, or how they develop. – AL

  4. Finding Value in Site Certifications – We’ve all made fun of these $99 web site certifications that ‘prove’ security. Most aren’t any better than ScanlessPCI. But that isn’t stopping all sorts of folks from trying to get at the market that ScanAlert, now McAfee (through its HackerSafe offering) pioneered. You had Qualys, Dasient, and VeriSign talking about their new programs. But a word to the wise: make sure your lawyers are all over whatever claims of security go along with the marketing puffery of these services. ControlScan found this out the hard way. Good job by Raf of digging into the settlement and what it means. – MR

  5. Selling the Conference – One of the under-appreciated aspects of professional conferences is employee retention and motivation. We talk about the need for education, which can certainly be a benefit, but it’s secondary IMHO. As a VP of Engineering, getting budget to send employees to conferences, or finding local conferences that were free, was a priority. As opposed to this poor sap mentioned on the InfoSec Leaders blog, my folks never really had to make the case to go to a conference, since I’d make it for them. Whatever productivity was lost during the sessions was more than made up for in the subsequent days (yes, days) after the conference. My team member usually learned something – perhaps a new technology, or in some cases what not to do – from the lectures. And usually they learned about new technologies in the sessions, and met new peers outside. In all cases I saw enthusiasm and renewed interest in their careers. Maybe it is the change of scenery, maybe it is thinking about new things related to work but outside the office, that stirs creativity and interest. I am not sure exactly how it works, but productivity and retention were motivators enough to send people. I know times are tough, and we all know that some conferences are very expensive, but I have seen the benefits conferences provide above and beyond those ‘team building’ miniature golf events and the like that HR is so fond of organizing. Give it a try and see for yourself! – AL

  6. Pr0n Stick Is on the Way – I realize that 90% of the time my mind is in the gutter. I’m not sure which gutter at any given time, but, well, you know… So when I see IronKey and TrueCrypt partnering up for a trusted OS on a stick, and then Check Point announcing something similar (with more enterprise control), my first thought is how this is a boon to all those folks trying to peruse sites they shouldn’t be from machines they don’t own. But that’s just me. The use case for this is pretty compelling, especially for folks who embrace desktop virtualization and have folks accessing sensitive data in sleazy places. Which kind of proves a hypothesis I’ve been playing with: security innovation will be driven by things that can be sold to the DoD or makes pr0n more accessible. That’s a lot different than the last 10 years. – MR

  7. Numbers Good. Nom Nom Nom – I like numbers. I mean I really like good information security numbers, and they are few and far between. I’m not talking the risk/threat garbage that’s mostly imaginary, but hard data to help support our security decisions. That’s why I think it’s so great that Verizon is releasing their Incident Sharing Framework that I even joined their advisory board (a non-compensated, no-conflicts outside position). I’ve written and spoken about the Data Breach Investigations Report before, as well as Trustwave’s similar report and the Dataloss Database. We do a terrible job in security of sharing information, because we’re worried about the consequences of breaches becoming public. But without that sharing, we don’t have a chance of properly orienting our security controls. Tools like these reports and the Incident Sharing Framework help us gather real-world information without exposing individual organizations to the consequences of going public. – RM

  8. The First SIEM Domino Falls – Finally it seems the long awaited consolidation in the SIEM and Log Management business is starting. Many of us have been calling for this for a while, but the only deals to date were a couple years ago (Cisco/Protego, RSA/Network Intelligence) or strictly technology deals (TripWire/ActiveWorx). But now TrustWave continues its bargain basement shopping spree by acquiring Intellitactics. At first glance you say, “Intellitactics? Really?” but then after looking at it, you realize TrustWave just needs “something” in the space. They do a lot of PCI work, so having Requirement 10 in a box (or packaged as a service) isn’t a bad thing. Truth be told, most companies aren’t pushing on these solutions more than gathering some logs and pumping out a report for the auditor. Good enough probably is. Also factor in the price tag (a reported $20 million in stock), and you don’t have to sell too much to make the deal pay. But let’s be clear: there will be a number of transactions in the space this year, at least if the conversations I had at RSA about potential targets were any indication. – MR

  9. You Want Fries with That? – I am not quite clear on Anton’s motivation for “An Analyst in the box, Part II”. And it’s not clear who this rant is aimed at. Yeah, it’s tongue in cheek, but who in the vendor community has not gone through this before? I have seen customers ask for technologies that they knew we could not provide. Sometimes it was to see if we were really reading the RFP. Sometimes it was to see if we would lie to them. Sometimes it was to see if we would push back and tell them it was not important. Sometimes they would ask about technology purely because they had experience with it or were interested in it, yet it was completely unrelated to the project that motivated their research. Sometimes customers ask because they are whiny and want someone to commiserate with them on how hard their job is, and think every vendor is obliged to be a good listener in order to earn the business. I know when I evaluated products, for the prices some vendors charged I expected their appliances keep me secure – but also to wash, fold, and iron my laundry as well. Whatever the reason may be, “Analyst in the box” is just part of the game. Suck it up and cash the check. – AL

—Mike Rothman

Tuesday, March 09, 2010

Is It Wireless Security or Secure Wireless?

By Mike Rothman

As I’ve been digesting all I saw and heard last week at the RSA show, the major topic of wireless security re-emerged with a vengeance. To be honest, wireless security had kind of fallen off my radar for a while. Between most of the independent folks being acquired (both on the wireless security and wireless infrastructure sides) and lots of other shiny objects, there just wasn’t that much to worry about.

We all know retailers remained worried (thanks, Uncle TJX!) and we saw lots of folks looking to segregate guest access from their branch networks when offering wireless to customers or guests. But WEP was dead and buried (right?) and WPA2 seemed reasonably stable. What was left to worry about?

As with everything else, at some point folks realized that managing all these overlay networks and maintaining security is a pain in the butt. So the vendors inevitably get around to collapsing the networks and providing better management – which is what we saw at RSA.

Secure Wireless

Cisco puffed its chest out a bit and announced its Security Without Borders strategy, which sounds like someone over there overdosed on some Jack Welch books (remember borderlessness?). Basically they are finally integrating their disparate security devices, pushing the IronPort and ASA boxes to talk to each other, and adding some stuff to the TrustSec architecture.

In concept, being able to enable business users to access information from any device and any location with a high degree of ease and security sounds great. But the devil is in the details, which makes this feels a lot like the “self-defending network.” Great idea, not so hot on delivery. So if you have Cisco everywhere and can be patient, the pieces are there. But if you work in a heterogeneous world or have problems today, then this is more slideware from Cisco.

Wireless Security

On the other side of the coin, you have the UTM vendors expanding from their adjacent markets. Both Fortinet and Astaro made similar announcements about entering the wireless infrastructure market. Given existing strength in the retail market, it makes sense for UTM vendors to introduce thin access points, moving management intelligence to (you guessed it) their UTM gateways.

Introducing and managing wireless security policy from an enterprise perspective is a no-brainer (rogue access points die die die), though there isn’t much new here. The wireless infrastructure folks have been doing this for a while (at a cost, of course). The real barrier to success here isn’t technology, it’s politics. Most network folks like to buy gear from network companies, so will it be the network team or the security team defining the next wave of wireless infrastructure roll-out?

Who Wins?

My bet is on the network team, which means “secure wireless” will prevail eventually. I suspect everyone understands security must be a fundamental part of networks, data centers, endpoints, and applications, but that’s not going to happen any time soon. Rugged or not. This provides an opening for companies like Fortinet and Astaro. But to be clear, they have to understand they are selling to different customers, where they have very little history or credibility.

And since the security market still consists mostly of lemmings, I suspect you’ll see a bunch more wireless security activity over the next few months as competitors look to catch up with Cisco’s slideware.

—Mike Rothman

SecurosisTV: Low Hanging Fruit - Endpoint Security

By Mike Rothman

We’re happy to post the next SecurosisTV episode, in which yours truly goes through the Low Hanging Fruit of Endpoint Security. This is a pretty high-level view of the 7 different tactics (discussed in much more detail in the post), intended to give you a quick (6 minute) perspective on how to improve endpoint security posture with minimal effort.

Direct Link: http://blip.tv/file/3281010

See it on YouTube: http://www.youtube.com/watch?v=jUIwjc5jwN8

Yes, we know embedding a video is not NoScript friendly, so for each video we will also include a direct link to the page on blip.tv and on YouTube. We just figure most of you are as lazy as we are, and will appreciate not having to leave our site.

We’re also learning a lot about video production with each episode we do. Any comments you have on the video would be much appreciated. Whether it’s valuable, what we can do to improve the quality (besides getting new talent), and any other feedback you may have.

—Mike Rothman

Monday, March 08, 2010

RSA Tomfoolery: APT is the Fastest Way to Identify Fools and Liars

By Rich

It is better to stay silent and let people think you are an idiot than to open your mouth and remove all doubt.

–Abraham Lincoln

Although we expected APT to be the threat du jour at RSA, I have to admit even I was astounded at the outlandish displays of idiocy and outright deception among pundits and the vendor community.

Now, let’s give credit where credit is due – only a minority of vendors hopped on the APT bandwagon. This post isn’t meant to be a diatribe against the entire product community, only those few who couldn’t help themselves in the race to the bottom.

I’m not claiming to be an expert in APT, but at least I’ve worked with organizations struggling with the problem (starting a few years ago when I began to get data security calls related to the problems of China-related data loss). The vast majority of the real experts I’ve met on the topic (those with direct experience) can’t really talk about it in public, but as I’ve mentioned before I’d sure as heck read Richard Beijtlich if you have any interest in the topic. I also make a huge personal effort to validate what little I say with those experts.

Most of the APT references I saw at RSA were ridiculously bad. Vendors spouting off on how their product would have blocked this or that malware version made public after the fact. Thus I assume any of them talking about APT were either deceptive, uninformed, or stupid.

All this was summarized in my head by one marketing person who mentioned they were planning on talking about “preventing” APT (it wasn’t in their materials yet) because they could block a certain kind of outbound traffic. I explained that APT isn’t merely the “Aurora” attack and is sort of the concerted espionage efforts of an entire country, and they responded, “oh – well our CEO heard about it and thought it was the next big thing, so we should start marketing on it.”

And that, my friends, is all you need to know about (certain) vendors and APT.

—Rich

Monday, March 01, 2010

Securosis at RSA Conference 2010

By Mike Rothman

Rich, Mike, and Adrian keep pretty busy schedules at RSA each year, so we are likely to be quiet on the blog this week. If you happen to be at the show, here are the speaking sessions and other appearances we’ll be doing throughout the week. Hopefully you’ll come up and say “Hi.” Rich and Adrian don’t bite.

Speaking Sessions

  • STAR-106: Security Groundhog Day – Third Time’s a Charm – Mike and Rich (Tuesday, March 2 @ 1pm)
  • EXP-108: Winnovation – Security Zen through Disruptive Innovation and Cloud Computing – Rich and Chris Hoff (Tuesday, March 2 @ 3:40pm)
  • END-203: How to Expedite Patching in the Enterprise? A View from the Trenches – Rich (Wednesday, March 3 @ 10:40 AM)
  • P2P-304A: Security Posture: Wading Through the Hype… – Mike (Thursday, March 4 @ 1pm)
  • DAS-403: Securing Enterprise Databases – Adrian (Friday, March 5 @ 11:20am)

Other Events

  • America’s Growth Capital Conference: Mike will be roaming around the AGC conference for portions of Monday. The event is taking place at the Westin San Francisco on Market Street. You need an invite to this one.
  • RSA Conference Experienced Security Professionals Program: All of us will be at this event (you need to have pre-registered) at the Moscone on Monday as well.
  • Security Blogger Meet Up: Securosis will be at the 3rd annual Security Blogger Meet Up at the classified location. You need to have a blog and be pre-registered to get in.
  • Securosis and Threatpost Disaster Recovery Breakfast: Once again this year Securosis will be hosting the Disaster Recovery Breakfast on Thursday, March 4 between 8 and 11. RSVP and enjoy a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up.
  • PechaKucha (PK) Happy Hour: Rich will be presenting at the PK Happy Hour on Thursday, March 4 between 5 and 6:30 pm in the Crypto Commons. See if he can get through 20 slides in about 6 1/2 minutes. Fat chance, but Rich is going to try.

—Mike Rothman

FireStarter: Will Social Media Kill the Conference Star?

By Mike Rothman

On the eve of perhaps the biggest conference we security folks have (RSA Conference), we wanted to bait the echo chamber a bit, and wonder what the future of conferences is – especially given the amount and depth of information that is available via blogs and social media. Interestingly enough, we don’t necessarily have a consistent opinion here, but we want to hear what the community has to say.

Hypothesis: Security conferences continue to decrease in importance because the events don’t really help customers do their jobs any better.

The Bad and the Ugly

  • Weak sessions: In general, most sessions at any big conference are weak. Either poor content, poor speaking skills, or the double whammy of both, make most sessions intolerable – unless you dig making fun of the speaker on Twitter throughout the entire session.

  • Vendor Shiny Objects: The expo floors have degraded to a combination of booth babes and bandwagon-jumping exhibitors who are just trying to capitalize on whatever the buzzword or attack du jour happens to be.

The Good

  • Relationship building: All the folks I talk to continue to value the networking and relationship building opportunities that can only be accomplished in a face to face environment. These shows provide an opportunity to compare notes and figure out if you are missing something. Personally, this is the #1 reason I go to RSA and Black Hat and other conferences.

  • Trend watching: Clearly the “hallway track”, the show floor, and the conversations after hours provide guys like me with a good idea of what is hot and happening. Not necessarily what is working in the real world, but tracking trends is important too – especially for end users trying to make sure they aren’t losing too much ground to the bad guys.

  • Getting out of the office: With the number of directions the typical practitioner is pulled when they’re setting at their desk, sometimes they need to get out to have a chance to focus. Going to a nice locale is only part of this, but also the ability to do a lot of research in a short time.

Social Media Impact

So the real question is: can you replicate the relationship building and trend-spotting aspects of great conferences via social media? If you Twitter, can you build relationships and stay in tune with what is happening out there? The answer is yes, but not entirely. Personally, interacting with folks via Twitter allows me to stay in touch much more frequently and interact on a less superficial level than grabbing a beer at the W during RSA. And via blogs, online media, and forums, focused end users can do the kind of research typically possible only at a big show in the past, with a level of objective commentary which was simply not available before. So overall, social media certainly has the basis to largely supplant conferences over the next few years.

But as Rich pointed out during his review of this post, in a lot of cases social media can add impact to a conference. There is nothing like actually meeting someone you interact with through the ether, but the electronic interactions eliminates a lot of the “getting to know you” phase, because through social media you can familiarize yourself with the folks in your networks. And as Adrian mentioned, social media brings us back to an another advantage of attendance – conversations amongst small groups of folks, which gets lost in a crowd of 10,000 of your closest friends.

Not So Fast

Before we start shoveling the dirt on big security conferences, we need to look at the dark side of social media. Adrian actually calls it “anti-social media”, and he’s right. It seems vendors are working hard to screw up social media and make it basically an always-on trade show. Unfortunately, without the booth babes to make it tolerable.

For example, many bloggers got hammered with LinkedIn spam in the now-infamous Rapid7 incident a few weeks ago. My Twitter stream is polluted by PR types basically just linking to press releases and other press coverage notes. I won’t friend work contacts on Facebook (for the most part) because it’s hard enough keeping up with all the folks from high school I don’t want to hear from.

Unless folks figure out how to increase the signal to noise ratio, many of the social media networks will become as fun and as well attended as CSI. Yeah, I know that’s a low blow.

Conference 2.0

So what should the organizers be doing to change this trend? Here are a couple ideas, which may or may not be interesting. At least they should get the conversation going.

  • Get Small(er)

  • Kill Keynotes (will you miss the hot air?)

  • Community-driven content (like B-sides)

  • More pragmatism and tactics, less pontificating in sessions

The good news (for RSAC anyway) is that the show organizers recognize some of these issues and are working to address them. RSA specifically has been very welcoming to blogger types, and is experimenting with programs like the ESPP and Innovation Sandbox to add value. Over the past few years, there has also been a focus on improving the sessions through greater reviews and more oversight of presentation materials. This includes sending speaker scores from previous conferences to selection committee members in an attempt to eliminate crappy speakers from subsequent shows. But is it enough?

What do you think? At some point will you bypass the big cons for the warm confines of social media?

—Mike Rothman

Friday, February 26, 2010

RSAC 2010 Guide: Compliance

By Rich

And this is it: the final piece of the Securosis Guide to the RSA Conference 2010. Yes, there will be a lot to see at the show, and we hope this guide has been helpful for those planning to be in San Francisco. For those of you not able to attend, we’d like to think getting a feel for the major trends in each of our coverage areas wasn’t a total waste of time.

Anyhow, without further ado, let’s talk about another of the big 3 themes, and the topic you love to hate (until it allows you to fund a project): compliance.

Compliance

Compliance isn’t merely a major theme for the show, it’s also likely the biggest driver of your security spending. While there’s no such thing as a compliance solution, many security technologies play a major role in helping achieve and maintain compliance.

What We Expect to See

For compliance, we will see a mix of regulation-focused messages and compliance-specific technologies:

  • New Regulations/Standards: Over the past year we’ve seen the passing or increased enforcement of a handful of new regulations with security implications – the HITECH act in healthcare, NERC-CIP for energy utilities, and the Massachusetts data protection law (201 CMR 17.00). Each of these adds either new requirements or greater penalties than previous regulations in their industries, which is sure to get the attention of senior management. While PCI is still the biggest driver in our industry, you’ll see a big push on these new requirements. If you are in one of the targeted verticals, we suggest you brush up on your specific requirements. Many of the vendors don’t really understand the specific industry details, and are pushing hard on the FUD factor. Ask which requirements they meet and how, then cut vendors who don’t get it. Your best bet is to talk with your auditor or assessor before the show to find out where you have deficiencies, and focus on addressing those issues.

  • The ‘Easy’ Compliance Button: While it isn’t a new trend, we expect to see a continued push to either reduce the cost and complexity of compliance, or convince you that vendors can. Rapid deployment, checkbox rules sets, and built-in compliance reports will top feature lists. While these capabilties might help you get off to a good start, even checkbox regulations can’t always be satisfied with checkbox solutions. Instead of focusing on the marketing messaging, before you wander the floor have an idea of the areas where you either need to improve efficiency, or have an existing deficiency. Many of the reporting features really can reduce your overhead, but enforcement features are trickier. Also, turning on all those checkboxes (especially in tools with alerts) might actually increase the time the tool eats up. Ask to walk through the interface yourself rather than sticking with the canned demos – that will give you a much better sense of whether the product can help more than it hurts. Also check on licensing, and whether you have to pay more for each compliance feature or rule set.

  • IT-GRC and Pretty Dashboards: Even though only a handful of large enterprises actually buy GRC (Governance, Risk, and Compliance) products, plan on seeing a lot of GRC tools and banners on the show floor. Most of you don’t need dedicated IT-GRC tools, but you do need good compliance reporting in your existing security tools. Dashboards are also great eye candy – and some can be quite useful – but many are more sales tools for internal use than serious efforts to improve the security of your environment. Dig in past the top layer of GRC tools and security dashboards. Are they really the sorts of things that will help you get your job done better or faster? If not, focus on obtaining good compliance reports using your existing tools. You can use these reports to keep assessors/auditors happy and reduce audit costs.

Just in case you are getting to the party late, you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, Content Security, Virtualization/Cloud Security, and Security Management.

—Rich

Friday Summary: February 26, 2010

By Adrian Lane

Next week is the RSA conference. You might have noticed from some of our recent blog entries. And I am really looking forward to it. It’s one of my favorite events, but I am especially anxious for good food. Yes, I want to see a bunch of friends, and yes, I have a lot of vendors I am anxious to catch up with to chat ‘bout some of their products. But honestly, all that takes a back seat to food. I like living in Arizona, but the food here sucks. Going to San Francisco, even the small hole-in-the-wall lunch places are excellent. In Phoenix, if you want a decent steak or good Mexican food, you’re covered. If you want Thai, Greek, Japanese or quality Chinese (and by that I mean a restaurant with less than two health code violations), you are out of luck. San Francisco? Every other block you find great places. And Italian. Really good Italian.

sigh … What was I talking about? Oh yeah, food!

Have you ever noticed that most security guys are into martial arts and food? Seriously. It’s true. Ask the people you know and you may be surprised at the pervasiveness of this phenomena. Combined with the fact that there are a lot of ‘foodies’ in the crowd of people I want to see, I am going look like I want to hang out, but still find quality pad thai. And I know there are going to be a dozen or so people I want to see who have the same priorities, so they won’t be offended by my ulterior motives. I plan to sneak off a couple of days and get a good lunch, and at least one evening for a good dinner, schedule be dammed! Maybe some of the noodle houses on the way up to Union Square or the hole-in-the-wall at the Embarcadero center that has surprisingly good sushi. Then swing by Peet’s on the way back for coffee that could fuel a nuclear reactor.

Anyway, it’s a short Friday summary this week because I’ve got to pack and get my presentations ready. Hope to see you all there, and please shoot me an email if you are in town and want to catch up! Just say Venti-double-shot-iced-with-cream-n-splenda-shaken, and I’m there.


On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Alan Shimel, in response to RSAC 2010 Guide: Network Security. And in case you think this is a case of nepotism, this very topic has been on the minds of every Securosis team member too. We will have a lot more to say on this subject, but Alan is this week’s winner as he captured the essence of our internal debate!

Guys I love the RSA guide. here is one stat I would like to see though. How many at RSA are actually potential customers or is truly a party by the security industry for the security industry. SE’s actually showing you stuff on the show floor? Its more adult trick or treaters looking for t-shirts and other chatchkes.

—Adrian Lane

Thursday, February 25, 2010

RSAC 2010 Guide: Security Management

By Mike Rothman

To end a fine day, let’s continue through the Securosis Guide to the RSA Conference 2010 and discuss something that has been plaguing most of us since we started in this business: security management.

Security Management

For the past 20 years, we’ve been buying technologies to implement security controls. Yet management of all this security tends to be considered only when things are horribly broken – and they are.

What We Expect to See

There are four areas of interest at the show relative to security management:

  • Log Religion: Driven by our friends at the PCI Security Standards Council, the entire industry has gotten the need to aggregate log data and do some level of analysis. Thank you, Requirement 10! So at the show this year, we’ll find a log management infestation, with a new vendor poking out of every nook and cranny to espouse a new architecture, disruptive pricing, or some other eye candy. And yes, you do need to collect logs, so focus your efforts at the show on figuring out what is the best fit for your organization. Are you just collecting logs, or do you need to correlate and alert? What are your volume and scalability requirements? What kind of reporting do you need? What about integration with the rest of your infrastructure? The point here is not to make a decision but to establish a short list of 3-4 vendors to dig deeper into after the show.

  • Platform Mentality: Since security management is supposed to make your life easier, you don’t need to be a genius to realize that having a management console for every device type in your network doesn’t make a lot of sense. So you’ll hear a lot about SIEM + Log Management + Configuration/Patch + Vulnerability + Network Flow = Nirvana. To be clear, management leverage is good. Getting it by adding even more complexity to your environment: not so much. So to the degree that you are ready to start integrating management disciplines, focus your discussions on migration. How do you get to the promised land? Which hopefully doesn’t involve a truckload of high-priced consultants to do the ‘customization’.

  • Risk Mumbo Jumbo: Risk is likely to be a hot topic at RSA as well. The more mature security programs have figured out that ‘security’ means nothing to senior management, but C-level folks get ‘risk’. Unfortunately, there are no accepted mechanisms to define or quantify risk. So when a vendor starts talking about “risk scores” you should focus on the amount of effort to get a risk model set up and what’s required to keep it up to date. You can’t go down to Best Buy and get Risk Management in a box, so the question is how much effort you are willing to put in to show a graph – which may or may not reflect reality – to the CFO.

  • Operational Efficiency: Finally, you’ll likely hear a lot about improving the operations of your environment. That was a major theme last year in the depths of the recession, but the issue hasn’t gone away. This plays into the themes around integration and platforms, but ultimately there will be a number of niche tools (like firewall policy managers) designed to make your operational teams more efficient, saving money. Depending on the size and/or maturity of your security program, some of these tools may yield value. But adding yet another widget isn’t a good thing unless you can redeploy resources onto other functions by taking advantage of automation.

For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, Content Security, and Virtualization/Cloud Security.

—Mike Rothman

Retro Buffoonery

By Mike Rothman

I’m probably not supposed to do this, as I took the security marketer’s oath to get my first VP Marketing gig. But I’m going to pull the curtain back on some of the wacky stuff vendors do to sell their product/services. Today’s specific tactic is what I’ll dub retro buffoonery, which is when a vendor looks back in time, and states that they could have stopped attack X, Y and Z – if only their products were deployed before the attack.

Time machine + t-shirt = retro buffoon

You see this stuff all the time. Whether it was TJX, Heartland, ZeuS, or now the APT, vendor after vendor builds a marketing program saying they could have stopped or detected the attack. They build very specific timelines and show how their product theoretically defended customers. Note I said ‘theoretically’, because I’ve yet to see a case where a vendor had an actual customer to say “I didn’t get hosed by [Attack X] because I was using [Product Y].”

To illustrate my point, let’s take a look at McAfee’s recent post-mortem on Operation Aurora. Now I’m singling out McAfee here, but there is nothing personal. Every vendor does it. I’ve done it probably a hundred times. If you work for a vendor, you’ve done it too. Rees Johnson, the blogger, did his job and pieced together a somewhat plausible story about how a combination of McAfee products could have been assembled to defend against the Aurora attack.

Basically, if you had all your traffic going through a SSL proxy, had reputation working on every single gateway seeing network traffic, had whitelisting on every single device running code, and a huge research arm that could tell you there was something going on – then you could have detected the attack. Yeah, that doesn’t sound like either an economically feasible or realistic user experience situation – but let’s not split hairs here. And we know plenty of folks were running McAfee, but they don’t seem to have any success stories of actual Aurora detection ahead of the fact to share.

Now to be clear, retro buffoonery tells a good marketing story and allows sales people to make a compelling case to customers for a company’s technology. Even better, by referencing a real attack, it can create enough customer urgency to get a check written. Which is good because security sales reps have those monthly BMW payments to make.

But please understand, this Tuesday Morning Quarterback exercise will not help you protect your environment any better for the next attack.

In the 20 years I’ve been in this business, we have proven to be lousy at predicting the future. How many of you predicted that a 0-day attack against IE6 on XP would constitute 30+ huge and successful attacks over the past 3 months? Probably the same folks who predicted SQL Slammer, TJX-style wireless POS attacks, and Heartland-style network sniffers. Even better, there are always multiple vendors telling stories about how different classes of products stop these attacks. Yet the attacks still happen, so it always gets back to the same thing – in hindsight, you’re sure you could’ve caught the attack. In reality, not so much.

Vendors hope we’ll forget that it’s more than just a signature or a product that actually protects us against these attacks. We also must remember process and people complete the picture. Maybe if you backed up the truck and implemented everything McAfee has to sell you, you could have stopped Aurora. But probably not, because most companies have at least one unsuspecting employee who would have clicked on the wrong thing from the wrong place, and given the attacker a foothold on your network. And remember what persistent means. These folks are targeting you, so they’ll find a way in, regardless of how many cents per share you contribute to the bottom line of your favorite security vendor.

So sorry, Mr. Retro Buffoonery Tuesday Morning Quarterback Always Completing the Pass Because It’s Easy to See in the Rear View Mirror, I don’t buy it. There are too many other things that go wrong to believe a wacky marketing claim that any set of products would stop a determined, well-funded attacker specifically targeting your organization.

But you’ll see plenty of this bravado at the RSA Conference next week. And hopefully you’ll do as I do, and just laugh.

—Mike Rothman

RSAC 2010 Guide: Virtualization and Cloud Security

By Rich

Now that we are at the end of the major technology areas covered in the Securosis Guide to the RSA Conference 2010, let’s discuss one of the 3 big themes of the show: Virtualization and Cloud Security.

Virtualization and Cloud Security

The thing about virtualization and ‘cloud’ is that they really cut across pretty much every other coverage area. But given they’re new and shiny – which really means confusing and hype-ridden – we figured it was better to split out this topic, to provide proper context on what you’ll see, what to believe, and what is important.

What We Expect to See

For virtualization and cloud security there are four areas to focus on:

  • Virtualization Security: The tools and techniques for locking down virtual machines and infrastructures. Most virtualization risk today is around improper management configuration and changes to networking, which may introduce new security issues or circumvent traditional network security controls. Focus on virtualization security management tools – especially configuration management that can handle the virtualization configuration, not just the operating system configuration and network security. Be careful when vendors over-promise on network security performance – you can’t simply move a physical appliance into a virtual appliance on shared hardware and expect the same performance.

  • Security as a Service: A variety of new and existing security technologies can be delivered as services via the cloud. Early examples included cloud-based email filtering and DDoS protection, and we now have options for everything from web filtering, to log management, to vulnerability assessment, to configuration management. Many of these are hybrid models, which require some sort of point of presence server or appliance on your network. Security as a Service is especially interesting for mid-sized enterprises, since it’s often able to substantially reduce management and maintenance costs. Although many of these offerings don’t technically meet the definition of cloud computing, don’t tell the marketing departments.

  • Cloud-Powered Security: Some vendors are leveraging cloud-based features to enhance their security product offerings. The product itself isn’t delivered from the cloud or aimed at securing the cloud, but uses the cloud to enhance its capabilities. For example, an anti-malware vendor that leverages cloud technologies to collect malware samples for signature generation. This is where we see the most abuse of the term ‘cloud’, and you should push the vendor on how the technology really works rather than relying on branding vapor.

  • Cloud Security: The tools and techniques for securing cloud deployments. This is what most of us think of when we hear “cloud security”, but it’s what you’ll see the least of on the show floor. We suggest you attend the Cloud Security Alliance Summit on Monday (if you’re reading this before then) or Rich’s presentation with Chris Hoff on Tuesday at 3:40. You can also visit the Cloud Security Alliance in booth 2641.

We guarantee your data center, application, and storage teams are looking hard at, or are already using, cloud and virtualization, so this is one area you’ll want to pay attention to despite the hype.

For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, and Content Security.

—Rich

RSAC 2010 Guide: Content Security

By Adrian Lane

Two business days and counting, so today and tomorrow we’ll be wrapping up our Securosis Guide to the RSA Conference 2010. This morning let’s hit what the industry calls “content security,” which is really email and web filtering. Rich just loves the term content security, so let’s see how many times we can say it.

Email/Web (Content) Security

In case you missed it, every email security vendor on the planet offers web content filtering within their portfolio of products and – for better or worse – the combination is now known as content security. No other security market has embraced the concept of ‘the cloud’ and SaaS offerings as enthusiastically as content security providers. In an effort to deal with increasing volumes of spam and malware without completely overhauling all your hardware, vendors offer outsourced content filtering as a cost effective way to add both capacity and capability. Almost all vendors offer traditional on-premise software or appliances, fortified with cloud services (most refer to this as a hybrid model) for additional screening of content.

What We Expect to See

There are three areas of interest at the show relative to content security:

  • Fully Integrated Platforms: As you wander the show floor at Moscone Center, we expect every vendor to say that their web and email security platforms are completely integrated. What this usually means is that your reports are shared, but cloud and appliance consoles are separate, as is policy management. It’s funny how the vendors have such a flexible definition of ‘integrated.’ If you are looking at migrating to a combined solution, you need to dig in to see what is really integrated and what simply shares the same dashboard, how your user experience will change (for the better), and how effective & clean their results are – end users get grumpy if their favorite web sites are classified as unsafe or they get spam in their inboxes.

  • Hybrid Cloud Services: We expect every vendor to offer a ‘cloud’ service in order to jump on the cloud bandwagon. This may be nothing more that an anti-spam or remote web filtering gateway deployed on shared infrastructure as a hosted service. The quality and diversity of cloud services varies greatly, as does the level of security provided by different cloud hosting companies. Once you get past the hype of certifications and technobabble, ask the vendors what types of audits and third party security certifications they will allow. Ask what sort of financial commitments they will make in the event that they fail to live up to their service level agreements, and what their SLAs with the cloud infrastructure providers look like. Those two questions usually halt the discussion, and will quickly distinguish hype mongers rom folks who have really thought through cloud deployment.

  • DLP Lite: As we’ll see in the Data Security section, DLP is hot again. Thus we expect to see every content security vendor offering ‘DLP’ or ‘Data Loss Prevention’ within their products, but in reality most only offer regular expression checks of network content. Yes, they’ll be able to detect an account number or a social security number, but that is only a sliver of what DLP needs to be. Content discovery and more advanced forms of content inspection (heuristic, lexical, cyclic hash, etc.) will be noticeably absent. Again, we recommend you challenge the content security vendor to dig into their discovery and detection capabilities and prove it’s more than regular expressions. Keep in mind that a trade show demo is probably inadequate for you to sufficiently explore the advanced features, so your objective should be to identify 3-4 vendors for deep dives after the show.

For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, and Endpoint Security.

—Adrian Lane

Answering Dan Geer: It’s Time to Reexamine Priorities and Revisit Paradigms

By Adrian Lane

Dan Geer wrote an article for SC Magazine on The enterprise information protection paradigm, discussing the fundamental disconnect between the derived value of data and the investment to protect information. He asks the important question: If we reap ever increasing returns on information, where is the investment to protect the data? Dan has an eloquent take on a long-standing viewpoint in the security community that Enterprise Information Protection (EIP) is a custodial responsibility of corporations, as it is core to generation of revenue and thus the company’s value.

Dan’s point that we don’t pay enough attention (and spend enough money and time) on data security is inarguable – we lose a lot of data, and it costs. His argument that we should concentrate on (unification of) existing technologies (such as encryption, audit, NAC, and DLP), however, is flawed – we already have lots of this technology, so more of the same is not the answer.

Part of our problem is that in the real world, inherent security is only part of the answer. We also have external support, such as police who arrest bank robbers – it’s not entirely up to the bank to stop bank robbers. In the computer security world – for various reasons – legal enforcement is highly problematic and much less aggressive than for physical crimes like robbery.

I don’t have a problem with Dan’s reasoning on this issue. His argument for the motivation to secure information is sound. I do, however, take issue with a couple of the examples he uses to bridge his reasoning from one point to the next.

First, Dan states, “We have spent centuries learning about securing the physical world, plus a few years learning about securing the digital world. What we know to be common to both is this: That which cannot be tolerated must be prevented.” He puts that in very absolute terms, and I do not believe it is true in either the physical or electronic realms. For example, our society absolutely does not tolerate bank robberies. However, preventative measures are miniscule. The banks are open for business and pretty much anyone can walk in the door. Rather than prevent a robbery, we collect information from witnesses, security cameras, and other forensic information – to find, catch, and punish bank robbers. We hope that the threat of the penalty will deter most potential robbers, and sound police work will allow us to catch up with the remainder who are daring enough to commit these crimes.

While criminals are very good at extracting real value from virtual objects, law enforcement has done a crappy job at investigating, punishing, and (indirectly) deterring crimes in and around data theft. These two crucial factors are absent in electronic crimes in comparison to physical crimes. It’s not that we can’t – it’s that we don’t.

This is not to undermine Dan’s basic point – that enterprises which derive value from data are not protecting themselves sufficiently, and contributorily negligent. But stating that “The EIP mechanism – an unblinking eye focused on information – has to live where the data lives.” and “EIP unifies data leakage prevention (DLP), network access control (NAC), encryption policy and enforcement, audit and forensics,” argues that network and infrastructure security are the answer. As Gunnar Peterson has so astutely pointed out many times, while the majority of IT spending is in data management applications, our security spending is predominately in and around the network. That means the investments made today are to secure data at rest and data in motion, rather than data in use. Talking about EIP as an embodiment of NAC & DLP and encryption policy reinforces the same suspect security investment choices we have been making for some time. We know how to effectively secure data “at that point where data-at-rest becomes data-in-motion”. The problem is we suck ” … at the point of use where data is truly put at risk …” – that’s not network or infrastructure, but rather in applications.

A basic problem with data security is that we do not punish crimes at anywhere near the same rate as we do physical crimes. There is no (or almost no) deterrence, because examples of capturing and punishing crimes are missing. Further, investment in data security is typically misguided. I understand how this happens – protecting data in use is much harder than encrypting TCP/IP or disk drives – but where we invest is a critical part of the issue. I don’t want this to come across as disagreement with Dan’s underlying premise, but I do want to stress that we need to make more than one evolutionary shift.

—Adrian Lane

Wednesday, February 24, 2010

Webcast on Thursday: Pragmatic Database Compliance and Security

By Rich

Auditors got you down? Struggling to manage all those pesky database-related compliance issues?

Thursday I’m presenting a webcast on Pragmatic Database Compliance and Security. It builds off the base of Pragmatic Database Security, but is more focused on compliance, with top tips for your favorite regulations.

It is sponsored by Oracle, and you can sign up here.

We’ll cover most of the major database security domains, and I’ll show specifically how to apply them to major regulations (PCI, HIPAA, SOX, and privacy regs). If you are a DBA or security professional with database responsibilities, there’s some good stuff in here for you.

—Rich

RSAC 2010 Guide: Endpoint Security

By Mike Rothman

The fun is just beginning. We continue our trip through the Securosis Guide to the RSA Conference 2010 by discussing what we expect to see relative to Endpoint Security.

Endpoint Security

Anti-virus came onto the scene in the early 90’s to combat viruses proliferated mostly by sneakernet. You remember sneakernet, don’t you? Over the past two decades, protecting the endpoint has become pretty big business, but we need to question the effectiveness of traditional anti-virus and other endpoint defenses, given the variety of ways to defeat those security controls. This year we expect many of the endpoint vendors to start espousing “value bundles” and alternative controls such as application whitelisting, while jumping on the cloud bandwagon to address the gap between claims and reality.

What We Expect to See

There are four areas of interest at the show for endpoint security:

  • The Suite Life: There are many similarities between current endpoint security suites and office automation suites in the early part of the decade. The applications don’t work particularly well, but in order to keep prices up, more and more stuff you don’t need gets bundled into the package. There is no end to that trend in sight, as the leading endpoint agent companies have been acquiring new technologies (such as full disk encryption and DLP) to broaden their suites and maintain their price points. But at the show this year, it’s reasonable to go to your favorite endpoint agent vendor and ask them why they can’t seem to “get ahead of the threat.” Yes, that is a rhetorical question, but we Securosis folks like to see vendors squirm, so that would be a good way to start the conversation. Also be on the lookout for the folks offering “Free AV” and talking about how ridiculous it is to be paying for AV nowadays. Just be aware, the big booths with the Eastern European models don’t come cheap, so they will get their pound of flesh in the form of management consoles and upselling to more full-featured suites (which actually may do something).

  • The Cloud Messiah: Endpoint vendors aren’t the only ones figuring the ‘cloud’ will save them from all their issues, but they will certainly be talking about how integrating malware defenses into the ‘cloud’ will increase effectiveness and keep the attackers at bay. This is another game of three-card monty, and the endpoint vendors are figuring you won’t know the difference. After you’ve asked the vendor why they can’t stop even simplistic web attacks or detect a ZeuS infection, they’ll probably start talking about “shared intelligence” and the great googly-moogly malware engine in the sky. At this point, ask a pretty simple question: “How do you win this arms race?” With 2-3 million new malware attacks happening this year, how long can this signature-based approach work? That should make for more interesting conversation.

  • Control Strategies: Given that traditional anti-virus is mostly useless against today’s attacks, you are going to hear a number of smaller application whitelisting vendors start to go more aggressively after the endpoint security companies. But this category (along with USB device control technology) suffers from a perception that the technology breaks applications and impacts user experience. As with every competitive tete-a-tete, there is some truth to that argument. So challenge the white listing vendors on how they impact the user experience (or don’t) and can provide similar value to an endpoint security suite (firewall, HIPS, full disk encryption, etc.).

  • Laptop Encryption: You’ll likely also be hearing about another feature of most of the endpoint suites: full disk encryption (FDE). There will be lots of FUD about the costs of disclosure and why it’s just a lot easier to encrypt your mobile devices and be done with it. For once, the vendor mouthpieces are absolutely right. But this brings us to the question of what features you need, whether FDE should be bundled into your endpoint suite, and how you can recover data when users inevitably lose passwords and devices are stolen. So if you have mobile users (and who doesn’t?), it’s not an issue of whether you need the technology – it’s the most effective way to procure and deploy.

For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, and Application Security.

—Mike Rothman