Thursday, February 13, 2014

Friday Summary: February 14, 2014

By Adrian Lane

Bacon as a yardstick: This year will see the 6th annual Securosis Disaster Recovery Breakfast, and I am measuring attendance in required bacon reserves. Jillian’s at the Metreon has been a more than gracious host each year for the event. But when we order food we (now) do it in increments of 50 people. At the moment we are ordering bacon for 250, and we might need to bump that up! We have come a long way since 2009, when we had about 35 close friends show up, but we are overjoyed that so many friends and associates will turn out. Regardless, we expect a quiet, low-key affair. It has always been our favorite event of the week because of that. Bring your tired, your hungry, your hungover, or just plain conference-weary self over and say ‘Howdy’. There will be bacon, good company, and various OTC pharmaceuticals to cure what ails you.

Note from Rich: Actually we had a solid 100 or so that first year. I know – I had to pay the bill solo.

Big Spin: More and more firms are spinning their visions of big data, which in turn makes most IT folks’ heads spin. These visions look fine within a constrained field of view, but the problem is what is left unsaid: essentially the technologies and services you will need but which are not offered – and vendors aren’t talking about them. Worse, you have to filter through non-standard terminology deployed to support vendor spin – so it’s extremely difficult to compare apples against apples. You cannot take vendor big data solutions at face value – at this early stage you need to dig in a bit. But to ask the right questions, you need to know what you probably don’t yet understand. So the vendor product demystification process begins with translating their materials out of vendor-speak. Then you can determine whether what they offer does what you need, and finally – and most importantly – identify the areas they are not discussing, so you can discover their deficiencies. Is this a pain in the ass? You betcha! It’s tough for us – and we do this all day, for a living. So if you are just learning about big data, I urge you to look at the essential characteristics defined in the introduction to our Securing Big Data Clusters paper – it is a handy tool to differentiate big data from big iron, or just big BS.

Lying in wait: I have stated before that we will soon stop calling it “big data”, and instead just call these platforms “modular databases”. Most new application development projects do not start with a relational repository – instead people now use some form of NoSQL. That should be very troubling to any company that derives a large portion of its revenue from database sales. Is it odd that none of the big three database vendors has developed a big data platform (a real one – not a make-believe version)? Not at all. Why jump in this early when developers are still trying to decide whether Couch or Riak or Hadoop or Cassandra or something else entirely is best for their projects? So do the big three database vendors endorse big data? Absolutely. To varying degrees they encourage customer adoption, with tools to support integration with big data – usually Hadoop. It is only smart to play it slow, lying in wait like a giant python, and later swallow the providers that win out in the big data space. Until then you will see integration and management tools, but very tepid development of NoSQL platforms from the big relational players. Yes, I expect hate mail on this from vendors, so feel free to chime in.

Hunter or hunted? On the Securosis internal chat board we were talking about open security job positions around the industry. Some are very high-profile meat grinders that we wouldn’t touch with asbestos gloves and a 20’ pole. Some we recommend to friends with substantial warnings about mental health and marital status. Others not at all. Invariably our discussion turned to the best job you never took: jobs that sounded great until you got there – firms often do a great job of hiding dirty laundry until after you come on board. Certain positions provide a learning curve for a company: whoever takes the job, no matter how good, fails miserably. Only after the post-mortem can the company figure out what it needs and how to structure the role to work out. Our advice: be careful and do your homework. Security roles are much more difficult than, say, programmer or generic IT staffer. Consult your network of friends, seek out former employees, and look at the firm’s overall financial health for some obvious indicators. Who held the job before you, and what happened? And if you get a chance to see Mike Rothman present “A day in the life of a CISO”, check it out – he captures the common pitfalls in a way that will make you laugh – or cry, depending on where you work.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

  • Dave Lewis: When hacking isn’t.
  • David Mortman: Tesla Hires Hacker Kristin Paget to, Well, Secure Some Things.
  • Mike Rothman: Your relationship with the future. Philosopher king Seth Godin says you need to make a choice. Focus efforts on folks who hope for a better tomorrow, or those who pine for the “good old days”. I tend to look to the future, but I am working on that right now. It’s hard but worth it…
  • Mike Rothman (apparently has two favorites this week): 6 Pieces of Advice from Successful Writers. You are a writer. Whether you get paid to write (like us) or not, you have to document something. There are some good tips for breaking through blocks and writing to make your points.
  • Adrian Lane: DRM in the real world. Cory Doctorow’s very good discussion of the “copy protection” side of Digital Rights Management (DRM) issues, and some very astute observations on how they relate to security. Keep in mind that DRM is much more than just copy protection. And Bruce Lehman’s regulatory framework may have been bonkers, but its roots went back to the Xanadu project many years before – people wanted huge compensation to go along with wide distribution.
  • Gunnar: BlackBerry laughs at Samsung’s Knox security struggles. The fact that Knox does not run on the majority of Samsung devices – much less all Android devices – is a major problem. And it is sad if your leading feature is supposed to be security, but you don’t have enough to sell your product.
  • Rich: American businesses are holding credit card security back. You will hear more from us on this soon. Pathetic.

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

This week’s best comment goes to Dwayne Melancon, in response to Firestarter: Mass Media Abuse.

One note that is odd: I get a “you don’t have javascript enabled” warning when I “Submit” from this page (and it is enabled on this browser), but it works if I go to Preview, then Submit. Just FYI.

I get that too – have not figured it out yet. Especially considering we don’t use JavaScript on the site so it must be something with the video player. Thanks, and we are working on it!

Note from Rich: That’s part of our anti-spam attempts. Not that it seems to stop much spam.

–Adrian Lane

Bit9 Bets on (Carbon) Black

By Mike Rothman

In an advanced endpoint and server protection consolidation play, Bit9 and Carbon Black announced a merger this morning. Simultaneously, the combined company raised another $38 million in investment capital to fund the integration, pay the bankers, and accelerate their combined product evolution. Given all the excitement over anything either advanced or cyber, this deal makes a lot of sense as Bit9 looks to fill in some holes in its product line, and Carbon Black gains a much broader distribution engine.

But let’s back up a bit. As we have been documenting in our Advanced Endpoint and Server Protection series, threat management has evolved to require assessment, prevention, detection, investigation, and remediation. Bit9’s heritage is in prevention, but they have been building out a much broader platform, including detection and early investigation capabilities, over the past 18 months. But pulling detailed telemetry from endpoints and servers is difficult, so they had a few more years of work to build out and mature their offering. Integrating Carbon Black’s technology gives them a large jump ahead, toward a much broader product offering for dealing with advanced malware.

Carbon Black was a small company, and despite impressive technology they were racing against the clock. With FireEye’s acquisition of Mandiant, endpoint forensic and investigation technology is becoming much more visible in enterprise accounts as FireEye’s sales machine pushes the new toy into existing customers. Without a means to really get into that market, Carbon Black risked losing ground and drowning in the wake of the FireEye juggernaut. Combined with Bit9, at least they have a field presence and a bunch of channel relationships to leverage. So we expect them to do exactly that.

Speaking of FireEye, the minute they decided to buy Mandiant, the die was cast on the strategic nature of their Bit9 partnership. As in, it instantly became not so strategic. Not that the technology overlapped extensively, but clearly FireEye was going to go its own way in terms of endpoint and server protection. So Bit9 made a shrewd move, taking out one of the main competitors to the MIR (now FireEye HX) product. With the CB technology Bit9 can tell a bigger, broader story than FireEye about prevention and detection on devices for a while.

We also like the approach of bundling both the Bit9 and Carbon Black technologies for one price per protected endpoint or server. This way they remove any disincentive to protect devices across their entire lifecycle. They may be leaving some money on the table, but all their competitors require multiple products (with multiple license fees) to provide comparably broad protection. Bundling makes it much easier to tell a differentiated story.

We got one question about whether Bit9 is now positioned to go after the big endpoint protection market. Many security companies have dancing fairies in their eyes, thinking of the multiple billions companies spend on endpoint protection that doesn’t work. Few outfits have been able to break the inertia of the big EPP vendors, to build a business on alternative technology. But it will happen at some point. Bit9 now has most of the pieces and could OEM the others pretty cheaply, because it’s not like an AV signature engine or FDE product is novel today. It is too early to tell whether they will go down that path – to be candid they have a lot of runway to sell protection for critical devices, and follow that with detection/investigation capabilities across the enterprise.

In a nutshell we are positive on this deal. Of course there are always pesky details to true technical integration and building a consistent and integrated user experience. But Bit9 + CB has a bunch of the pieces we believe are central to advanced endpoint and server protection. Given FireEye’s momentum, it is just a matter of time before one of the bigger network players takes Bit9 out to broaden their own protection to embrace endpoints and servers.

–Mike Rothman

RSA Conference Guide 2014 Deep Dive: Network Security

By Mike Rothman

As we begin deeper dives into our respective coverage areas, we will start with network security. We have been tracking the next generation (NG) evolution for 5 years, during which time it has fundamentally changed the meaning of the perimeter – as we will discuss below. Those who moved quickly to embrace NG have established leadership positions, at the expense of those that didn’t. Players who were leaders 5 short years ago have become non-existent, and there is a new generation of folks with innovative network security approaches to handle advanced attacks. After many years of stagnation, network security has come back with a vengeance.

Back to Big Swinging (St)icks

The battle for the perimeter is raging right now in network security land. In one corner you have the incumbent firewall players, who believe that because the future of network security has been anointed ‘NGFW’ by those guys in Stamford, it is their manifest destiny to subsume every other device in the perimeter. Of course the incumbent IPS folks have a bit to say about that, and are happy to talk about how NGFW devices keel over when you turn on IPS rules and SSL decryption.

So we come back to the age-old battle when you descend into the muck of the network. Whose thing is bigger? Differentiation on the network security front has gone from size of the application library in 2012, to migrating from legacy port/protocol policies in 2013, to who has the biggest and fastest gear in 2014. As they work to substantiate their claims, we see a bunch of new entrants in the security testing business. This is a good thing – we still don’t understand how to read NSS Labs’ value map.

Besides the size of the equipment, there is another more impactful differentiation point for NGXX boxes: network-based malware detection (NBMD). All the network security leaders claim to detect malware on the box, and then sling mud about where analysis occurs. Some run analysis on the box (or more often, set of boxes) while others run in the cloud – and yes, they are religious about it. So if you want to troll a network security vendor, tell them their approach is wrong.

You will also hear the NGXX folks who continue to espouse consolidation, but not in a UTM-like way because UTM is so 2003. But in a much cooler and shinier NGXX way. No, there is no difference – but don’t tell the marketeers that. They make their money ensuring things are sufficiently shiny on the RSAC show floor.

More Bumps (in the Wire)

Speaking of network-based malware detection (NBMD), that market continues to be red hot. Almost every organization we speak to either has or is testing one. Or they are pumping some threat intelligence into network packet capture devices to look for callbacks. Either way, enterprises have gotten religion about looking for malware on the way in – before it wreaks havoc.

One area where they continue to dawdle, though, is putting devices inline. Hold up a file for a microsecond, and employees start squealing like stuck pigs. The players in this market who offer this capability as a standalone find most of their devices deployed out-of-band in monitor mode. With the integration of NBMD into broader NG network security platforms, the capability is deployed inline because the box is inherently inline.

This puts standalone devices at a competitive disadvantage, and likely means there won’t be any standalone players for much longer. By offering capabilities that must be inline (like IPS), vendors like FireEye will force the issue and get their boxes deployed inline. Problem solved, right? Of course going inline requires a bunch of pesky features like fail open, hot standby, load balancing, and redundant hardware. And don’t forget the flak jacket for when a device keels over and takes down a Fortune 10 company’s call center.

ET Phone Home

Another big theme you will see at this year’s RSA is the attack of Threat Intelligence (TI). You know, kind of like when ET showed up all those years ago, got lost, and figured out how to send a network ping zillions of light years with a Fisher Price toy. We are actually excited about how TI offerings are developing – with more data on things like callbacks, IP reputation, attack patterns, and all sorts of other cool indicators of badness. Even better, there is a specific drive to integrate this data more seamlessly into security monitoring and eventually update blocking rules on network security devices in an automated fashion.

Of course automatic blocking tends to scare the crap out of security practitioners. Mostly because they saw Terminator too many times. But given the disruption of cloud computing and this whole virtualization thing, security folks will get much more comfortable with having a machine tune their rules, because it’s going to happen fast. There is no alternative – carbon-based units just can’t keep up.

Though we all know how that story featuring Skynet turned out, so there will be a clear focus on ensuring false positives are minimized, probably to the point of loosening up the blocking rules just to make sure. And that’s fine – the last thing you want is a T1000 showing up to tell you that sessions you knocked down caused a missed quarter.
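To make the false-positive trade-off concrete, here is an added example (not code from Securosis or any TI vendor) of the kind of policy a practitioner puts between a threat intelligence feed and a blocking device: indicators only become drop rules when confidence and source corroboration clear a threshold, anything inside an allowlist is never auto-blocked, and everything else is monitor-only. The feed format, confidence and source-count fields, allowlist and thresholds are all constructed assumptions for the demo.

```python
"""Added example: gate threat-intel indicators into block vs. monitor rules.
Feed fields, thresholds and allowlist below are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: ranges we never auto-block (internal space, a partner range).
ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


@dataclass
class Indicator:
    value: str        # IP address or domain
    kind: str         # "ip" or "domain"
    confidence: int   # 0-100, as published by the feed (assumed field)
    sources: int      # independent feeds reporting it (assumed field)
    tag: str          # e.g. "c2-callback"


# Constructed sample feed (documentation ranges / example domains only).
FEED = [
    Indicator("198.51.100.7", "ip", 95, 3, "c2-callback"),
    Indicator("203.0.113.40", "ip", 60, 1, "scanner"),
    Indicator("192.0.2.55", "ip", 99, 4, "c2-callback"),   # inside ALLOWLIST
    Indicator("evil.example", "domain", 90, 2, "phishing"),
    Indicator("weird.example", "domain", 40, 1, "suspicious"),
]


def decide(ind, block_conf=85, block_sources=2, monitor_conf=50):
    """Return 'block', 'monitor' or 'ignore' for one indicator.

    Assumed policy (tune to your own tolerance for a missed quarter):
      - allowlisted addresses are never auto-blocked, only watched;
      - block only when confidence >= block_conf AND >= block_sources agree;
      - otherwise monitor (log hits, no drop) when confidence >= monitor_conf.
    """
    if ind.kind == "ip":
        addr = ip_address(ind.value)
        if any(addr in net for net in ALLOWLIST):
            return "monitor"
    if ind.confidence >= block_conf and ind.sources >= block_sources:
        return "block"
    if ind.confidence >= monitor_conf:
        return "monitor"
    return "ignore"


def build_rules(feed):
    """Emit iptables-style DROP rules for blocked IPs, a placeholder
    'sinkhole' line for blocked domains, and a list of monitor-only values."""
    blocks, monitors = [], []
    for ind in feed:
        action = decide(ind)
        if action == "block" and ind.kind == "ip":
            blocks.append(f"-A FORWARD -d {ind.value} -j DROP  # {ind.tag}")
        elif action == "block":
            # placeholder format; a real deployment would feed a DNS RPZ/sinkhole
            blocks.append(f"sinkhole {ind.value}  # {ind.tag}")
        elif action == "monitor":
            monitors.append(ind.value)
    return blocks, monitors


if __name__ == "__main__":
    b, m = build_rules(FEED)
    print("BLOCK:", *b, sep="\n  ")
    print("MONITOR:", *m, sep="\n  ")
```

The two-tier output is the point: the monitor list still feeds your SIEM so you see hits from medium-confidence indicators, but only corroborated, high-confidence indicators outside your own address space ever change what the device drops.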

Network and Endpoints: BFF

When it comes to advanced malware, the network and the endpoints are not mutually exclusive. In fact over the past year we have seen integration between endpoint folks like Bit9 and network-based malware detection players such as FireEye and Palo Alto Networks. This also underlies the malware defense stories coming from Sourcefire (now Cisco) and McAfee, and pushed the FireEye/Mandiant acquisition announced in January. You can bet the Mandiant folks were drinking some high-end champagne as they welcomed 2014.

There is method to the madness, because network folks need visibility on endpoints. These network detection devices are going to miss at some point, both due to new attack tactics (those notorious 0-days) and devices that escape the comfy confines of the corporate network and perimeter defenses. It’s hard to keep track of those pesky laptops and mobile devices. If you can’t catch everything on the way in, you had better be able to figure out what happened on the devices and determine if that thing you missed caused a mess – quickly.

So what does it mean? You will likely see a bunch of kumbaya on the show floor – these enemies are now friends. Best friends, at that.

Clouds on the Horizon

As we wrote in the key themes, cloud everything remains a big driver of security stuff. And yes, it’s boring. But the network security folks have been largely left out of the cloudwashing for the past few years, and this year they will catch up. We will cover that in depth in our cloud security deep dive, but for now suffice it to say all the network security vendors continue to roll their stuff into VMs and AMIs that can run in public and private clouds. So they are ready to solve the cloud computing security problem. As usual, incumbents continue to solve yesterday’s problem tomorrow.

This isn’t all bad – just understand the potential performance impact of having to route all your traffic through a virtual network security device choke point to enforce policies. But all those issues go away as Software Defined Networks (SDNs) provide much more flexibility to route traffic as you need, and offer bigger faster networks. SDNs do promise to change a lot, but be wary of the double-edged sword – now your admins (or anyone who hacks them) can press a button and take your entire security layer out of the traffic flow.

–Mike Rothman

Security Management 2.5: Replacing Your SIEM Yet? [New Paper]

By Adrian Lane

Security Information and Event Management (SIEM) systems create a lot of controversy among security folks – they are a pain, but SIEM is an instrumental technology for security, compliance, and operations management. The problem is – given the rapid evolution of SIEM/Log Management over the past 4-5 years – that product obsolescence is a genuine issue. The problems caused by products that have failed to keep pace with technical evolution and customer requirements cannot be trivialized. This pain becomes more acute when a SIEM fails to collect the essential information during an incident – and even worse when it completely fails to detect a threat. Customers spend significant resources (both time and money) on caring for and feeding their SIEM. If they don’t feel the value is commensurate with their investment they will move on – searching for better, easier, and faster products. It is only realistic for these customers to start questioning whether their incumbent offerings make sense moving forward.

We are happy to announce the launch of our latest research paper: Security Management 2.5. We discuss changing customer demands, and how vendors are altering their platforms to address them. We then provide a detailed process to help determine whether you need to swap providers, and if so how.

We would like to thank IBM and McAfee for licensing this research. Support from the community enables us to bring you our Totally Transparent Research free of charge, so we are happy IBM and McAfee chose to license this report. You can get the full paper: Security Management 2.5: Replacing Your SIEM Yet?

–Adrian Lane

RSA Conference Guide 2014 Watch List: DevOps

By Rich

We have covered the key themes we expect to see at the RSA Conference, so now we will cover a theme or two you probably won’t see at the show (or not enough of, at least), but really should. The first is this DevOps thing guys like Gene Kim are pushing. It may not be obvious yet, but DevOps promises to upend everything you know about building and launching applications, and make a fundamental mark on security. Or something I like to call “SecOps”.

DevOps, Cloud, and the Death of Traditional IT

Recently in one of my cloud security classes I had a developer in attendance from one of those brand-name consumer properties all of you, and your families, probably use. When he writes a code update he checks it in and marks it for production; then a string of automated tools and handoffs runs it through test suites and security checks, and eventually deploys it onto their infrastructure/platform automatically. The infrastructure itself adjusts to client demands (scaling up and down), and the concept of an admin accessing a production server is an anachronism.

At the latest Amazon Web Services conference, Adobe (I believe the speaker was on the Creative Cloud team) talked about how they deploy their entire application stack using a series of AWS templates. They don’t patch or upgrade servers, but use templates to provision an entirely new stack, slowly migrate traffic over, and then shut down the old one when they know everything works okay. The developers use these templates to define the very infrastructure they run on, then deploy applications on top of it.

Microsoft Office? In the cloud. Your CRM tool? In the cloud. HR? Cloud. File servers? Cloud. Collaboration? Cloud. Email? Cloud. Messaging? Get the picture? Organizations can move almost all (and sometimes all) their IT operations onto cloud-based services.

DevOps is fundamentally transforming IT operations. It has its flaws, but if implemented well it offers clear advantages for agility, resiliency, and operations. At the same time, cloud services are replacing many traditional IT functions. This powerful combination has significant security implications. Currently many security pros are completely excluded from these projects, as DevOps and cloud providers take over the most important security functions.

Only a handful of security vendors are operating in this new model, and you will see very few sessions address it. But make no mistake – DevOps and the Death of IT will show up as a key theme within the next couple of years, following the same hype cycle as everything else. But like the cloud, these trends are real and here to stay, and have an opportunity to become the dominant IT model in the future.


Wednesday, February 12, 2014

RSA Conference Guide 2014 Key Theme: Cloud Everything

By Rich

There is no stopping the train now that it’s rolling. Here is the final key theme that we expect to see at the show, and yes, it’s all about the cloud. And yes, I managed to work a Jimmy Buffett lyric into the piece. Rich 1, Internet 0.

Cloud Everything. Again. We’re Bored Now.

The cloud first appeared in this illustrious guide a mere three or four years ago. The first year it was all hype – with no products, few vendors realized that cloud computing had nothing at all to do with NOAA, and plenty of security pros thought they could just block the cloud at the firewall. The following year was all cloud washing, as booths branded themselves with more than sticky notes saying “We Heart Cloud,” but again, almost nobody did more than wrap a custom-hardware-accelerated platform onto a commodity hypervisor. But in the last year or so we saw glimmers of hope, with not only a few real (okay, virtual) products, but cloud-curious security pros starting to gain a little experience, and more honest-to-goodness native cloud products. (Apologies to the half-dozen cloud native vendors who have been around for more than a few years, and don’t worry, we know who you are.)

We honestly hoped to drop the cloud from our key themes, but this is one trend with legs. More accurately, cloud computing is progressing nicely through the adoption cycle, deep into the early mainstream. The problem is that many vendors recognize the cloud will affect their business, but don’t yet understand exactly how, and find themselves more in tactical response mode. They have products, but they are mostly adaptations of existing tools rather than the ground-up rebuilds that will be required. There are more cloud native tools on the market now, but the number is still relatively small, and we will still see massive cloud washing on the show floor. While we’re at it, we may as well lump in Software Defined Networking, though ‘SDN-washing’ doesn’t really roll off the tongue.

Two areas you will see hyped on the show floor which provide real benefits are Security as a Service (SECaaS – say it loud and love it), and threat intelligence. Vendors may be slow to rearchitect their products to protect native cloud infrastructure and workloads, but they are doing a good job of pushing their own products into the cloud, and collective intelligence breaks some of the information sharing walls that have held security back for decades.

But here is all you need to know about what you will see across the show – big financial institutions are all kicking around various cloud projects. The sharks smell the money, unlike in previous years when it was about looking good for the press and early adopters. In the immortal words of the great sage Jimmy Buffett, “Can you feel them circling honey, can you feel them schooling around? You got fins to the right, fins to the left, and you’re the only game in town.”


Advanced Endpoint and Server Protection: Prevention

By Mike Rothman

As we return to our Advanced Endpoint and Server Protection series, we are back working our way through the reimagined threat management process. After discussing assessment you know what you have and what risk those devices present to the organization. Now you can design a control set to prevent compromise from happening in the first place.

Prevention: Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on the more advanced ones.

Obviously there are many layers you can and should bring to bear to protect endpoints and servers. Our PCI-centric brethren call these compensating controls. But we aren’t talking about network or application stuff in this series, so we will restrict our discussion to technologies and tactics focused on preventing compromise on endpoints and servers themselves. As we described in our 2014 Endpoint Security Buyer’s Guide, there are a number of alternative approaches to protecting endpoints and servers that need to be discussed, compared, and contrasted.

Traditional File Signatures

You cannot really discuss endpoint prevention without at least mentioning signatures. You remember those, right? They are all about maintaining a huge blacklist of known malicious files to prevent from executing. The free AV products on the market now typically use only this approach, but the broader endpoint protection suites have been supplementing traditional signature engines with additional heuristics and cloud-based file reputation for years.

To expand a bit on file reputation, AV vendors realized a long time ago that it wasn’t efficient to download hashes for every single known malware file to every single protected endpoint. So they took a cloud-based approach, which involves keeping a small subset of frequently-seen malware signatures on each device; if the file cannot be found locally the endpoint agent consults the cloud for a determination on the file. If the file isn’t known by the cloud either, it may be uploaded for analysis. This is similar to how cloud-based network-based malware detection works.

But detecting advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks, which are both very common. So the focus has moved to other approaches.

Advanced Heuristics

You cannot rely on matching what a file looks like, so you need to pay much more attention to what it does. This is the concept behind the advanced heuristics used to detect malware in recent years. The issue with early heuristics was having enough context to know whether an executable was taking a legitimate action. Malicious actions were defined generically for each device based on operating system characteristics, so false positives (blocking a legitimate action) and false negatives (failing to block an attack) were both common: a lose/lose scenario.

Heuristics have evolved to also recognize normal application behavior. This advance has dramatically improved accuracy because rules are built and maintained at a specific application level. This requires understanding all the legitimate functions within a constrained universe of frequently targeted applications, and developing a detailed profile of each covered application. Any unapproved application action is blocked. Vendors basically build a positive security model for each application – which is a tremendous amount of work.

That means you won’t see every application profiled with true advanced heuristics, but that would be overkill. As long as you can protect the “big 7” applications targeted most often by attackers (browsers, Java, Adobe Reader, Word, Excel, PowerPoint, and Outlook), you have dramatically reduced the attack surface of each endpoint and server.

To use a simple example, there aren’t really any good reasons for a keylogger to capture keystrokes while filling out a form on a banking website. And it is decidedly fishy to take a screen grab of a form with PII on it at the time of submission. These activities would have been missed previously – both screen grabs and reading keyboard input are legitimate operating system functions in specific scenarios – but context enables us to recognize these actions as attacks and stop them.

To dig a little deeper, let’s list some of the specific types of behavior the advanced heuristics would be looking for:

  • Executables/dependencies
  • Injected threads
  • Process creation
  • System file/configuration/registry changes
  • File system changes
  • OS level functions including print screen, network stack changes, key logging, etc.
  • Turning off protections
  • Account creation and privilege escalation

Vendors’ ongoing research ensures their profiles of authorized activities for protected applications remain current. For more detail on these kinds of advanced heuristics check out our Evolving Endpoint Malware Detection research.
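To show what “a positive security model for each application” actually means in code, here is an added example (not any vendor’s engine, and not from the research linked above): a toy rule engine with a small allowed-action profile per application, a set of actions that are legitimate OS functions but never expected from a profiled application, and a constructed event stream including the banking keylogger and form grab described above. The profiles, action names and events are all constructed for the demo; real profiles are far larger and are what the vendor research effort maintains.

```python
"""Added example: per-application positive model over a constructed event stream."""
from collections import defaultdict

# Constructed profiles: everything a profiled application is allowed to do.
# Anything not listed is denied for that process (positive security model).
PROFILES = {
    "browser.exe": {"net_connect", "file_write:cache", "process_create:browser.exe"},
    "reader.exe":  {"file_read", "file_write:temp", "print"},
    "word.exe":    {"file_read", "file_write:docs", "file_write:temp", "print"},
}

# Legitimate OS functions that a profiled application has no business calling;
# these mirror the behaviour categories listed above and are blocked outright.
ALWAYS_SUSPECT = {
    "thread_inject", "keyboard_hook", "screen_capture",
    "registry_write:run_key", "service_stop:av",
    "account_create", "priv_escalate",
}


def evaluate(event):
    """Return (verdict, reason) for one event dict of the form
    {'process': name, 'action': type, 'target': optional}."""
    proc, action = event["process"], event["action"]
    profile = PROFILES.get(proc)
    if profile is None:
        # Unprofiled processes are someone else's problem (signatures,
        # application control); the heuristics only cover profiled apps.
        return ("unprofiled", "no positive model for this process")
    if action in ALWAYS_SUSPECT:
        return ("block", f"{proc} attempted {action}")
    if action in profile:
        return ("allow", "within application profile")
    return ("block", f"{action} not in {proc} profile")


def scan(events):
    """Evaluate a stream; return blocked reasons grouped by process name."""
    blocked = defaultdict(list)
    for ev in events:
        verdict, reason = evaluate(ev)
        if verdict == "block":
            blocked[ev["process"]].append(reason)
    return dict(blocked)


# Constructed sample stream: a banking session where injected code in the
# browser hooks the keyboard and grabs the screen, a PDF that spawns a shell,
# a Word document that injects into explorer, and an unprofiled process.
EVENTS = [
    {"process": "browser.exe", "action": "net_connect", "target": "bank.example"},
    {"process": "browser.exe", "action": "keyboard_hook"},
    {"process": "browser.exe", "action": "screen_capture"},
    {"process": "reader.exe",  "action": "file_read"},
    {"process": "reader.exe",  "action": "process_create:cmd.exe"},
    {"process": "word.exe",    "action": "file_write:docs"},
    {"process": "word.exe",    "action": "thread_inject", "target": "explorer.exe"},
    {"process": "calc.exe",    "action": "net_connect"},
]

if __name__ == "__main__":
    for proc, reasons in scan(EVENTS).items():
        print(proc, "->", "; ".join(reasons))
```

Note where the accuracy comes from: the same `net_connect` action is fine for the browser and would be blocked for the PDF reader, because the decision is made against the application’s profile rather than a generic per-device rule. The cost is equally visible: every legitimate action of every profiled application has to be enumerated, which is why vendors stop at the big 7.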

    Of course this doesn’t mean attackers won’t continue to target operating system vulnerabilities, applications (including the big 7), or the weakest link in your environment (employees) with social engineering attacks. But advanced heuristics make a big difference in the efficacy of anti-malware technology for profiled applications.
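To make the positive security model concrete, here is an added example (not code from the Securosis post or from any vendor) of a per-application profile evaluator. The application names, profile contents, event categories and the sample event stream are all constructed; real vendor profiles are far larger and are continuously researched.

```python
"""Per-application positive security model, as described above.

Added example for this post; it is not Securosis' code nor any vendor's
product. Application names, profiles, event categories and sample events
are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Behaviour categories, following the list in the post.
EXEC = "exec"              # loading executables / dependencies
THREAD_INJECT = "inject"   # creating a thread inside another process
PROC_CREATE = "proc"       # spawning a child process
SYS_CHANGE = "syschange"   # system file / configuration / registry changes
FS_CHANGE = "fschange"     # writes to the file system
OS_FUNC = "osfunc"         # print screen, keyboard hooks, network stack changes
DISABLE_PROT = "disable"   # turning off protections
ACCOUNT = "account"        # account creation / privilege escalation


@dataclass
class Profile:
    """Everything the application is allowed to do; anything else is blocked."""
    name: str
    allowed: dict[str, set[str]] = field(default_factory=dict)

    def permits(self, category: str, detail: str) -> bool:
        return detail in self.allowed.get(category, set())


# Constructed profiles for three of the "big 7". They only show the shape of
# the model; a real profile covers every legitimate function of the app.
PROFILES = {
    "browser.exe": Profile("browser.exe", {
        EXEC: {"browser.exe", "libssl.dll", "renderer.exe"},
        PROC_CREATE: {"renderer.exe"},
        FS_CHANGE: {"%USERPROFILE%\\Downloads", "%APPDATA%\\browser"},
    }),
    "reader.exe": Profile("reader.exe", {
        EXEC: {"reader.exe", "pdfcore.dll"},
        FS_CHANGE: {"%APPDATA%\\reader"},
    }),
    "word.exe": Profile("word.exe", {
        EXEC: {"word.exe", "officecore.dll"},
        PROC_CREATE: {"splwow64.exe"},   # printing helper, a legitimate child
        FS_CHANGE: {"%USERPROFILE%\\Documents", "%APPDATA%\\office"},
    }),
}


@dataclass
class Event:
    process: str    # image name of the acting process
    category: str   # one of the categories above
    detail: str     # what exactly was touched or done


def evaluate(event: Event) -> str:
    """Return "allow", "block" or "unprofiled" for one observed action."""
    profile = PROFILES.get(event.process)
    if profile is None:
        return "unprofiled"   # not a covered application: the model does not apply
    return "allow" if profile.permits(event.category, event.detail) else "block"


def evaluate_stream(events: list[Event]) -> list[tuple[str, str, str, str]]:
    return [(e.process, e.category, e.detail, evaluate(e)) for e in events]


# Constructed event stream: benign and suspicious actions side by side.
SAMPLE_EVENTS = [
    Event("browser.exe", PROC_CREATE, "renderer.exe"),     # normal child process
    Event("browser.exe", OS_FUNC, "keyboard_hook"),        # keylogging from a browser
    Event("reader.exe", PROC_CREATE, "cmd.exe"),           # PDF reader spawning a shell
    Event("word.exe", FS_CHANGE, "%USERPROFILE%\\Documents"),
    Event("word.exe", THREAD_INJECT, "lsass.exe"),         # injecting into another process
    Event("calc.exe", PROC_CREATE, "notepad.exe"),         # no profile for this app
]

if __name__ == "__main__":
    for process, category, detail, decision in evaluate_stream(SAMPLE_EVENTS):
        print(f"{decision:10} {process:12} {category:10} {detail}")
```

The point of the "unprofiled" outcome is the one the post makes: the model only protects applications you have profiled, so everything else still relies on the other controls discussed here.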

    Application Control

    Application control entails a default deny posture on devices. You define a set of authorized executables that can run on a device, and block everything else. This provides true device lockdown – no executables (either malicious or legitimate) can execute without being explicitly authorized. We took a deep dive into application control in a recent series (The Double-Edged Sword & Use Cases and Selection Criteria), so we will just highlight some key aspects.

    Candidly, application control has suffered significant perception issues, mostly because early versions of the technology were thrust into a general-purpose use case, where they significantly impacted user experience. If employees think a security control prevents them from doing their jobs, it will not last. But over the past few years application control has found success in a few use cases where devices can and should be totally locked down. That typically means fixed-function devices such as kiosks and ATMs, as well as servers: devices where a flexible user experience isn’t an issue.

    It is possible to deploy application control in a general-purpose context for knowledge workers, but the deployment must provide sufficient flexibility to allow employees to use the applications they need, when they need them. That may mean providing a grace period when users can run new software without waiting for authorization. Or perhaps specifically defining situations where software can run – perhaps for applications from authorized software publishers, or installed by trusted employees. But understand that the more flexibility you provide for who can run what software, the weaker the security model – and the point of application control is to greatly strengthen the model.
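The trade-off in the last two paragraphs (strict lockdown for fixed-function devices versus publisher trust, trusted installers and grace periods for knowledge workers) is easiest to see as a policy evaluator. This is an added example, not code from the Securosis series or from any application control product; the hashes are computed from constructed byte strings, and the publisher, user and file names and timestamps are placeholders.

```python
"""Application control policy evaluator: default deny with optional flexibility.

Added example for this post; it is not Securosis' code nor any product's
engine. Hashes are computed from constructed byte strings, and publisher
names, user names, file names and timestamps are placeholders.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries; in practice the hash is taken from the file on disk.
KNOWN_GOOD = {
    "word.exe": b"constructed-word-binary",
    "browser.exe": b"constructed-browser-binary",
}
ALLOWED_HASHES = {sha256_hex(content) for content in KNOWN_GOOD.values()}


@dataclass
class ExecRequest:
    path: str
    content: bytes
    publisher: str | None     # verified code-signing identity, or None if unsigned
    installed_by: str         # account that wrote the file to disk
    installed_at: datetime


@dataclass
class Policy:
    """Each optional field widens what may run; all empty means strict lockdown."""
    trusted_publishers: set[str] = field(default_factory=set)
    trusted_installers: set[str] = field(default_factory=set)
    grace_period: timedelta | None = None   # new software may run while awaiting review


def decide(req: ExecRequest, policy: Policy, now: datetime) -> tuple[bool, str]:
    """Default deny: return (allowed, reason), checking the most specific rules first."""
    if sha256_hex(req.content) in ALLOWED_HASHES:
        return True, "hash on allow list"
    if req.publisher and req.publisher in policy.trusted_publishers:
        return True, f"signed by trusted publisher {req.publisher}"
    if req.installed_by in policy.trusted_installers:
        return True, f"installed by trusted user {req.installed_by}"
    if policy.grace_period and now - req.installed_at <= policy.grace_period:
        return True, "within grace period, pending authorization"
    return False, "not authorized (default deny)"


# Fixed-function device: hash allow list only.
STRICT = Policy()
# Knowledge-worker device: publisher trust, trusted installers and a 24h grace period.
KNOWLEDGE_WORKER = Policy(
    trusted_publishers={"Example Software Inc."},
    trusted_installers={"it-admin"},
    grace_period=timedelta(hours=24),
)

NOW = datetime(2014, 2, 14, 9, 0)   # constructed evaluation time
SAMPLE = [
    ExecRequest("word.exe", KNOWN_GOOD["word.exe"], "Example Software Inc.", "it-admin", NOW - timedelta(days=30)),
    ExecRequest("newtool.exe", b"constructed-new-tool", "Example Software Inc.", "alice", NOW - timedelta(days=3)),
    ExecRequest("dropped.exe", b"constructed-unknown", None, "alice", NOW - timedelta(hours=2)),
    ExecRequest("stale.exe", b"constructed-stale", None, "alice", NOW - timedelta(days=10)),
]


def run(policy: Policy) -> list[tuple[str, bool, str]]:
    return [(req.path, *decide(req, policy, NOW)) for req in SAMPLE]


if __name__ == "__main__":
    for label, policy in (("strict", STRICT), ("knowledge worker", KNOWLEDGE_WORKER)):
        print(f"--- {label}")
        for path, allowed, reason in run(policy):
            print(f"{'ALLOW' if allowed else 'DENY ':5} {path:12} {reason}")
```

Under the strict policy only the hash-listed binary runs. Under the knowledge-worker policy the signed tool runs, but so does the unsigned, unknown file dropped two hours ago, purely because of the grace period. That is the weakening of the security model the post warns about, made visible in the decision log.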


    In addition to better profiling malware and looking for indicators of compromise, another growing prevention technique is isolating executables from the rest of the device by running them in a kind of sandbox. The idea is to spin up a walled garden for a limited set of applications (the big 7, for example) to shield the rest of the device from anything bad happening to those applications. A more complicated approach involves isolating every process running on the device from other processes, which enables much finer granularity in which activities are allowed on the endpoint or server.

    In the event an application is compromised (and detected using advanced heuristics, as described above), the sandbox prevents the application (and whoever has subverted it) from accessing core device features such as the file system and memory, and prevents the attacker from loading additional malware. Isolation technology can take a forensic image of the application to facilitate malware analysis before killing the application and resetting the sandbox.


    This approach isn’t actually new. Security-aware individuals have been running virtual machines on endpoints for risky applications for years. These new endpoint protection technologies focus on being transparent – users might not even know they are running applications in isolated environments.

    Of course sandboxes are not a panacea. The isolation technology needs base operating system services (network stacks, printer drivers, etc.), so the device may still be vulnerable to attacks on those services despite isolation. The technology doesn’t relieve you from the need to manage device hygiene (patching and configuration), as discussed in our Endpoint Security Buyer’s Guide.

    Another issue with isolation is increasingly sophisticated evasion tactics, as attackers have means to recognize their malware is running in an isolated environment and “lie low”. Of course making malware inert is a desired outcome, but that can prevent you from detecting and removing it or stopping its spread. And when isolating server devices (either by running them in a private cloud or using isolation technologies), many of the tactics to defeat network-based sandboxes come into play. These include requiring human interaction (such as dialog boxes), malware quiet periods (waiting out the sandbox), process hiding (to evade heuristic detection), and version/environmental checks (to only attack vulnerable applications or operating systems).

    Keep in mind that isolation technologies can tax the underlying device. So without a fairly recent and high-powered device these prevention products can adversely impact performance.
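The evasion tactics listed two paragraphs up are exactly what a sandbox operator should be looking for in the trace of an isolated application, because "the sample did nothing" is not the same as "the sample is benign". Here is an added example (not code from the post or from any isolation product) of an indicator scorer over a constructed trace format; the call names, thresholds and both sample traces are constructed for illustration, and process hiding is left out because it is not visible in a call trace of this shape.

```python
"""Evasion indicators in a sandbox trace, covering the tactics listed above.

Added example for this post; it is not Securosis' code nor any isolation
product's logic. The trace format, call names, thresholds and both sample
traces are constructed for illustration.
"""
from __future__ import annotations
from collections import Counter
from typing import Iterator

# Trace line format (constructed): "<seconds> <call> <argument>"
TRACE_EVASIVE = """\
0.1 RegQueryValue HKLM\\constructed\\vm_vendor_string
0.2 GetSystemInfo cpus=1
0.3 Sleep 600000
600.4 MessageBox ok_to_continue
"""

TRACE_ORDINARY = """\
0.1 CreateFile C:\\Users\\user\\report.pdf
0.2 ReadFile report.pdf
0.5 Sleep 100
0.7 CreateFile C:\\Users\\user\\report.txt
"""

# Constructed heuristics; thresholds and hint lists are illustrative only.
LONG_SLEEP_MS = 60_000                                 # "quiet period": waiting out the sandbox
ENV_CHECK_HINTS = ("vm_vendor", "GetSystemInfo")       # version / environment checks
UI_WAIT_CALLS = ("MessageBox", "GetCursorPos")         # requiring human interaction


def parse(trace: str) -> Iterator[tuple[float, str, str]]:
    for line in trace.splitlines():
        seconds, call, argument = line.split(" ", 2)
        yield float(seconds), call, argument


def evasion_indicators(trace: str) -> Counter:
    """Count hits per tactic: quiet_period, env_check, human_interaction."""
    hits: Counter = Counter()
    for _, call, argument in parse(trace):
        if call == "Sleep" and int(argument) >= LONG_SLEEP_MS:
            hits["quiet_period"] += 1
        if any(hint in call or hint in argument for hint in ENV_CHECK_HINTS):
            hits["env_check"] += 1
        if call in UI_WAIT_CALLS:
            hits["human_interaction"] += 1
    return hits


def verdict(trace: str) -> str:
    """Two or more distinct tactics: treat "inert" as suspicious and hold for analysis."""
    tactics = len(evasion_indicators(trace))
    return "suspicious-evasive" if tactics >= 2 else "no-evasion-indicators"


if __name__ == "__main__":
    for name, trace in (("evasive", TRACE_EVASIVE), ("ordinary", TRACE_ORDINARY)):
        print(name, dict(evasion_indicators(trace)), verdict(trace))
```

The verdict deliberately requires more than one tactic: a single long sleep or a single system query is common in legitimate software, and the goal is to route the quiet-but-probing sample to an analyst (together with the forensic image the isolation layer can capture) rather than to declare it harmless.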


    As with traditional endpoint protection suites, these new offerings require presence on each protected desktop or server. Yes, you need agents everywhere, and yes, they basically act as benign rootkits on each device. That is necessary because much of today’s malware interacts at the kernel level, so prevention needs to run similarly deep to keep up. The good news is that technologies to deploy and manage agents (even hundreds of thousands) are robust and mature.

    The bad news is that most of these advanced endpoint and server prevention technologies do not include traditional signature engines. And yes, earlier we did discuss the ineffectiveness of those older techniques, but there is one significant reason signatures are still in play: compliance. A strict assessor might interpret the requirement for anti-malware on all in-scope devices to require signature-based detection. Until there is a precedent for assessors to accept advanced heuristics and isolation technologies as sufficient to satisfy the requirement for anti-malware defenses, you may also need a traditional agent on each device.

    A Note on ‘Effectiveness’

    As you start evaluating these advanced prevention offerings, don’t be surprised to get a bunch of inconsistent data on the effectiveness of specific approaches. You are also likely to encounter many well-spoken evangelists spouting monumental amounts of hyperbole and religion in favor of their particular approach – whatever it may be – at the expense of all other options. This happens in every security market undergoing rapid innovation, as companies try to establish momentum for their approach and products.

    And a lab test upholding one product or approach over another isn’t much consolation when you need to clean up an attack your tools failed to prevent. And those evangelists will be nowhere to be found when a security researcher shows how to evade their shiny technology. We at Securosis try to float above the hyperbole and propaganda, to keep you focused on what’s really important – not 1% alleged effectiveness differences. If products or categories are within a few percent of each other across a variety of tests, we consider that a draw.

    But there can be value in comparative tests. If you see an outlier, that warrants investigation and a critical assessment of the test and methodology. Was it skewed toward one category? Was the test commissioned by a vendor or someone else with an agenda? Was real malware, freshly found in the wild, used in the test? All testing methodologies have issues and limitations – don’t base a decision, or even a short list, around a magic chart or a product review/test.

    What’s Right for You?

    That begs the question of how to decide on a preventative technology. It comes down to a few questions:

    1. What kind of adversaries do you face?
    2. Which applications are most frequently used?
    3. How disruptive will employees allow the protection to be?
    4. What percentage of devices have been replaced in the past year?

    With answers to these questions you should be able to implement a set of prevention controls on endpoints and servers, which will work within the organization’s constraints.

    Accepting Reality

    Now your friends at Securosis are going to deliver the hard truth. You cannot block the attacks. Not all of them. That is just harsh reality. You are still locked in an arms race that shows no signs of abating any time soon. It is just a matter of time before the attackers come out with new tactics to defeat even the latest and greatest endpoint and server protection technologies.

    The next two aspects of the threat management cycle – detection and investigation – come into play more often than we would like. So our next post will focus on detection and investigation.

    –Mike Rothman

    RSA Conference Guide 2014 Key Theme: Crypto and Data Protection

    By Adrian Lane

  • Gal Shpantzer
  • Adrian Lane
    You didn’t think you would need to wait long for a Snowden reference, did you? Well, you know we Securosis guys like to keep you in suspense. But without further ado, it’s time. Snowden time!


    The biggest noisemaker at RSA this year – besides Rothman – will be everyone talking about the NSA revelations. Everyone with a bully pulpit (which is basically everyone) will be yelling about how the NSA is all up in our stuff. Self-aggrandizing security pundits will be preaching about how RSA took a bribe, celebrating their disgust by speaking in the hallways and at opportunistic splinter conferences, instead of at the RSA podia. DLP, eDiscovery, and masking vendors will be touting their solutions to the “insider threat” with Snowden impersonators (as discussed in APT0). Old-school security people will be mumbling quietly in the corners of the Tonga Room, clutching drinks with umbrellas in them, saying “I told you so!”

    One group who will be very, very quiet during the show: encryption vendors. They will not be talking about this! Why? Because they really can’t prove their stuff is not compromised, and in the absence of proof, they have already been convicted in the security star chamber. Neither Bruce Schneier nor Ron Rivest will be pulling proofs of non-tampering out of magic math hats. And even if they could, the security industry machine isn’t interested. There is too much FUD to throw. What’s worse is that encryption vendors almost universally look to NIST to validate the efficacy of their solutions – now that NIST is widely regarded as a pawn of the NSA, who can provide assurance? I feel sorry for the encryption guys – it will be a witch hunt!

    The real takeaway here is that IT is – for the first time – questioning the foundational technologies data security has been built upon. And it has been a long time coming! Once we get past Snowden and NSA hype, the industry won’t throw the baby out with the bathwater, but will continue to use encryption – now with contingency plans, just in case. Smart vendors should be telling customers how to adjust or swap algorithms if and when parts of the crypto ecosystem become suspect. These organizations should also be applying disaster recovery techniques to encryption solutions, just in case.

    –Adrian Lane

    Incite 2/12/2014: Kindling

    By Mike Rothman

    Sitting at my feet is the brand spanking new Kindle I ordered for XX1. It arrived before the snow and ice storm hits the ATL, so we got pretty lucky. She’s a voracious reader and it has become inefficient (and an ecological crime) to continue buying her paper books. She has probably read the Harry Potter series 5 or 6 times, and is constantly giving me new lists of books to buy. She has books everywhere. She reads on the bus. She gets in trouble because sometimes she reads in class. It’s pretty entertaining that the Boss and I need to try to discipline her, when her biggest transgression is reading in class. I kind of want to tell the teacher that if they didn’t suck at keeping the kid’s attention, it wouldn’t be a problem. But I don’t.

    Read much?

    I have used the Kindle app on my iOS devices for a couple years. I liked it but my older iPads are kind of heavy, so it wasn’t a very comfortable experience to prop on my chest and read. I also had an issue checking email and the Tweeter late at night. So I bought a Kindle to just read. And I do. Since I got it my reading has increased significantly. Which I think is a good thing.

    So I figured it was time to get XX1 a Kindle too. The Boss was a bit resistant, mostly because she likes the tactile feeling of reading a book and figured XX1 should too. Once we got past that resistance, I loaded up the first Divergent book onto my Kindle and let her take it for a test drive. I showed her two features, first the ability to select a word and see it in the dictionary. That’s pretty awesome – how many kids do you know who take the time to write down words they don’t know and look them up later? I also showed her how to highlight a passage. She was sold.

    A day and a half later, she was ready for book 2 in the Divergent series. Suffice it to say, I loaded up book 3 as well, preemptively. Of all the vices my kids have, reading is probably okay. Before I go to bed tonight I will set up her new device and load up a bunch of books I have which I think she’ll like. We will be snowed in for at least a day, so they will give her something to do. The over/under in Vegas is that she reads two books over the next couple days. I’m taking the over.

    What’s really cool is that in a few years, she will hardly remember carrying a book around. That will seem so 2005. Just like it seems like a lifetime ago that I loaded up 40-45 CDs to go on a road trip in college (or cases of cassette tapes when I was in high school). Now I carry enough music on my phone to drive for about 3 weeks, and never hear the same song twice.

    It’s the future, and it’s pretty cool.


    Photo credit: “Stack of Books” originally uploaded by Indi Samarajiva


    Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these less than 15 minutes, and usually fail.

    2014 RSA Conference Guide

    We’re at it again. For the fifth year we are putting together a comprehensive guide to what you need to know if you will be in San Francisco for the RSA Conference at the end of February. We will also be recording a special Firestarter video next week, because you obviously cannot get enough of our mugs.

    Key Themes

    And don’t forget to register for the Disaster Recovery Breakfast Thursday, 8-11 at Jillian’s.

    Heavy Research

    We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

    The Future of Information Security

    Leveraging Threat Intelligence in Security Monitoring

    Advanced Endpoint and Server Protection

    Newly Published Papers

    Incite 4 U

    1. Hot or Not: We spend a ton of time working with security startups (and lately cloud startups looking for security help). So we will be the first to admit we don’t know all of them, and it can sometimes be hard to evaluate broad market perception – our instincts and research are good but we don’t do quantitative market surveys. Justin Somaini just published his personal survey results on security startups and issues and it’s pretty interesting. (Full disclosure: Justin is Chief Trust Officer at Box, who is licensing a paper of ours). Justin got 500 responses from people rating the perceived value of every security startup he could find, and also teased out a bit on perceived top security issues. I’m sure there is survey bias, but if you want a sense of which startups have the best recognition this is a great start, and Justin published all the results in the open, just the way we like it. (Note to Mike: I call dibs on the new prospect list.) – RM

    2. Attacks are not evenly distributed: You have to love Rob Graham. Words matter to Rob. And when he sees words misused he usually pens a very detailed diatribe on the Errata blog. This time he takes Glenn Greenwald and NBC News to task for incorrectly calling an attack DDoS. Rob’s point is that nation-states would not likely launch a DDoS attack because it involves lots of compromised devices taking down networks. Nation-states aren’t likely to use compromised devices when they have more efficient means of knocking things down. The whole rant comes back to Rob’s general expectation that professional reporters should get it right, rather than simply parroting hacktivists without even trying to understand what they are repeating. The hacktivists get a pass because they “are largely unskilled teenagers with a very narrow range of expression.” Kind of sounds like a lot of adults I know as well… But that’s just me. – MR

    3. Facing the unfamiliar: When I was a programmer there was always a ‘dread’ project: a task I dreaded facing because it was new, tough, and would require significant effort to solve. I would drag my feet, worry about the project, and keep pushing it to the bottom of the stack. More often than not, once I jumped in, not only did the task turn out easier than I thought, but the process of learning made the whole effort exciting and fun! “How do you face a programming task you’ve never done before?” brought this to mind, and I can say without reservation, “Jump in and try it.” If you fail, that’s actually okay – we call that “rapid prototyping” now, and it’s part of the learning process. But I’m betting that more often than not new tasks are not as hard as you think, and more rewarding than you imagine! – AL

    4. Snap, Clinkle, Popped: Peter Hesse makes a good case for why even startups need to worry about security with a story of a stealth-mode payment startup called Clinkle getting pwned recently. Was the breach a death blow? Probably not, but it doesn’t look good for a company trying to get established in the payment space. It highlights a key reality of today’s world: you need to think about security early. Like Day 2, right after you open your bank account and make your first Staples run. You can use the cloud for a bunch of stuff, but ultimately you need a security strategy both for your product (whatever it is) and your company. – MR

    5. Let’s talk about trust: I will be publishing my “Security’s Future” paper next week, and one of the key things I call out is the need for cloud providers to establish trust. We have two great examples of trust failures this week, with both Snapchat (again) and Instagram suffering security malfunctions. With a difference: Snapchat is struggling to manage their security responses, while Instagram (owned by Facebook, BTW) fixed things quickly and paid the discoverer a bug bounty. This is the new normal, folks, and cloud providers need to not only bake in security as best they can, but learn to respond like Facebook/Instagram too – nail issues early and work well with researchers. – RM

    6. Proof of concept companies: Normally we provide a detailed writeup when technology vendors in key coverage areas (e.g., WAF, DAM and cloud) go on acquisition sprees like Imperva did last week when they acquired Incapsula and Skyfence in one fell swoop. But these acquisitions are so closely aligned with Imperva’s vision that there was not much to report: both offer SaaS-based security gateways, monitoring and blocking suspicious behavior – albeit for slightly different use cases. In both cases the firms were funded by Imperva’s founder Shlomo Kramer, and Incapsula licensed Imperva’s technology in exchange for an equity stake. It was as if these two firms were externally incubated by Imperva – an astute move in case things did not work out, in which case they wouldn’t have impacted Imperva’s reputation, and the financial cost would have been minimal. But the concepts worked, so once the models were proven they were rolled up into the Imperva stable without much fuss or the typical worries about technology or cultural integration. In the interest of full disclosure, we have been using Incapsula for a number of years here, after Cloudflare failed to offer some of the security features and performance we wanted, and we have been happy with it. Incapsula isn’t the last word in filtering, but it filters out most cruft. – AL

    –Mike Rothman

    Tuesday, February 11, 2014

    RSA Conference Guide 2014 Key Theme: Retailer Hacking

    By Mike Rothman

    As we continue posting the key themes we expect to see at this year’s RSA Conference, it’s time to hit the source of all things FUD: recent retailer breaches. Security marketing is driven by catalysts, to create urgency, to buy products and services. There have been plenty so far this year, and we will hear all about them at the show.

    It POSitively Sucks to be in Retail

    Just when you were getting numb to all the angst around the NSA, Target got thoroughly owned via a busted web server accessed via third-party credentials that gave attackers access to all their POS systems and lots of other goodies on their internal networks. So clearly this year we will hear lots of rumblings about retailers and their inability to secure anything. At least brick and mortar retailers have great margins, no online competition, and limited attack surface, right?

    At first we thought this kind of attack was the return of Gonzalez and his band of merry wireless hackers. But actually that was an outside-in attack, where the attackers gained presence through stores and then moved into the data center. This is the opposite. They gained presence through the corporate network and then moved out to stores. Although the end result was the same: 70+ million credit cards and other personal information exposed.

    Even better, these attackers waited until the holidays, when the card brands relax their fraud protections a bit, to start monetizing the cards. So they maximized their ability to steal stuff. Now that’s innovation, folks. I guess PCI 4.0 will have to specify that all ROCs go into hiatus from Black Friday to New Year’s Day.

    But the points you will hear this year will be typical FUD-laden nonsense. “Buy this box and everything will be all right.” That focuses on the wrong issue. As we mentioned in a recent Firestarter, it’s not the compromise that’s disturbing – it’s the fact that they penetrated so deeply and exfiltrated so much information without being noticed.

    And if your new shiny business plan involves building 10,000 stores and aggregating 100 million credit cards, maybe you should start working on a different idea or hire some security rock stars onto the founding team.

    –Mike Rothman

    Firestarter: Mass Media Abuse

    By Rich

    In this week’s Firestarter we talk about the Book of Mormon (the play, not the other thing), biking while intoxicated, and the ongoing predilection of mass media to abuse the truth about security for ratings. Because, NBC and Sochi.

    And we have a question. Please drop us a line in the comments or on Twitter if you’d like us to also post the Firestarter as an audio-only podcast.


    Monday, February 10, 2014

    RSA Conference Guide 2014 Key Theme: Big Data Security

    By Adrian Lane

    As we continue posting our key themes for the 2014 RSA Conference, let’s dig a bit into big data, because you won’t be hearing anything about it at the show…

    After-School Special: It’s Time We Talked – about Big Data Security

    The RSA Conference floor will be packed full of vendors talking about the need to secure big data clusters, and how the vast stores of sensitive information in these databases are at risk. The only thing that can challenge “data velocity” into a Hadoop cluster is the velocity at which FUD comes out of the mouth of a sales droid. Sure, potential customers will listen intently to this hot new trend because it’s shiny and totally new. But they won’t actually be doing anything about it.

    To recycle an overused analogy, big data security is a little like teen sex: lots of people are talking about it, but not that many are actually doing it. Don’t get us wrong – companies really are using big data for all sorts of really cool use cases including analyzing supply chains, looking for signs of life in space, fraud analytics, monitoring global oil production facilities, and even monitoring the metadata of the entire US population. Big data works! And it provides advanced analysis capabilities at incredibly low cost. But rather than wait for your IT department to navigate their compliance mandates and budgetary approval cycles, your business users slipped out the back door because they have a hot date with big data in the cloud.

    Regardless of whether those users understand the risks, they are pressing forward. This is where your internal compliance teams start to sound like your parents telling you to be careful and not to go out without your raincoat on. What users hear is that the audit/compliance teams don’t want them to have any fun because it’s dangerous. The security industry is no better, and the big data security FUD is sure to come across like those grainy old public service films you were forced to watch in high school about something-something-danger-something… and that’s when you fell asleep. We are still very early in our romance with big data, and your customers (yes, those pesky business users) don’t want to hear about breaches or discuss information governance as they explore this new area of information management.

    –Adrian Lane

    New Paper: Defending Data on iOS 7

    By Rich

    I have been working on this one quietly for a while. It is a massive update to my previous paper on iOS security.

    It turns out Apple made a ton of very significant changes in iOS 7. So many that they have upended how we think of the platform. This paper digs into the philosophy behind Apple’s choices, details the security options, and then provides a detailed spectrum of approaches for managing enterprise data on iOS. It is 30 pages but you can focus on the sections that matter to you.

    I would like to thank WatchDox for licensing the content, which enables us to release it for free.

    Normally we publish everything as a blog series, but in this case I had an existing 30-page paper to update and it didn’t make sense to (re-)blog all the content. So you might have noticed me slipping in a few posts on iOS 7 recently with the important changes. I can do another revision if anyone finds major problems.

    And with that, here is the landing page for the report.

    And here is the direct download link: Defending Data on iOS 7 (PDF)

    And lastly, the obligatory outline screenshot:

    Defending Data on iOS 7: ToC


    RSA Conference Guide 2014 Key Theme: APT0

    By Mike Rothman

    It’s that time of year. The security industry is gearing up for the annual pilgrimage to San Francisco for the RSA Conference. For the fifth year your pals at Securosis are putting together a conference guide to give you some perspective on what to look for and how to make the most of your RSA experience. We will start with a few key themes for the week, and then go into deep dives on all our coverage areas. The full guide will be available for download next Wednesday, and we will post an extended Firestarter video next Friday discussing the Guide. Without further ado, here is our first key theme.


    Last year the big news at the RSA Conference was Mandiant’s research report outing APT1 and providing a new level of depth on advanced attacks. It seemed like every vendor at the show had something to say about APT1, but the entire conference was flowing in Mandiant’s wake. They should have called the report “How to increase your value by a couple hundred million in 12 short months”, but that’s another story for another day.

    In 2014 Edward Snowden put on his Kevin Mandia costume and identified the clear predecessor to the APT1 group. That’s right, the NSA is APT0. Evidently the NSA was monitoring and hacking things back when the APT1 hackers were in grade school. We expect most vendors will be selling spotlights and promises to cut through the fog of the NSA disclosures. But getting caught up in FUD misses the point: Snowden just proved what we have always known. It is much harder to build things than to break them.

    Our position on APT0 isn’t much different than on APT1. You cannot win against a nation-state. Not in the long term, anyway. Rather than trying to figure out how much public trust in security tools has eroded, we recommend you focus on what matters: how to protect information in your shop. Are you sure an admin (like Snowden) can’t access everything and exfiltrate gigabytes of critical data undetected? If not you have some work to do.

    Keep everything in context at the show. Never forget that the security marketing machine is driven by high-profile breaches as a catalyst for folks who don’t know what they are doing to install the latest widget selling the false hope of protection. And the RSA Conference is the biggest security marketing event of the year. So Snowden impersonators will be the booth babes of 2014.

    –Mike Rothman

    We Need to Thank Target for Being Hacked

    By Rich

    Normally we like to blame the victim, but in this case we need to thank them. From the WSJ, the swap to Chip and PIN will happen by October 2015. Here is the key point:

    Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.

    So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.

    None of this affects online transactions, though.