I think I’m finally waking up. After a week at RSA where I basically don’t sleep – not all bad, mind you – it takes a while to recover. In fact Monday might as well not have happened – I certainly got nothing done. It was not for lack of trying, but I was simply part of the zombie apocalypse – but I don’t want brains, just some Captain Crunch and sleep. Today I had the ‘Oh crap!’ realization – I promised people things last week, and I need to deliver. As much as I’d like to shuffle this stuff onto Rich, he has got a new baby and won’t take my calls. Something about taking it easy and enjoying time with the family.

On the subject of the RSA Conference, I have to confess I’m not usually surprised by trends at RSA. If you read out pre-RSAC stuff, you noticed it was clear to us that Big Data and malware were going to take center stage, and those trends did not disappoint. But we are never quite sure whether we are going to run into grumpy vendors spewing forth about their dissatisfaction with foot traffic, booth space, and the lack of quality leads. This year … none of that. In fact most vendors told me traffic was up and, more importantly, prospects were seeking them out. They were happy. It certainly made the week a lot more fun, but happy are a bit like Mike Rothman’s smile – rare and it makes me nervous.

The other thing that really surprised me was that every single vendor seemed to be asking for help locating talent. Penetration testers, product managers, marketing managers, engineering managers, researchers – you name it. But I am not aware of any seasoned security people who are looking – quite the opposite. I did not anticipate the security industry hiring so heavily, but that’s a good thing, and another sign that things are humming along. Let the good times roll.

You know what else surprised me? The force field surrounding the Huawei booth. Okay, maybe there was no actual force field, but people walking the show floor acted like there was. They kept a curious 2-3’ distance from the booth. Maybe their schwag sucked. Or perhaps it was Huawei’s lack of booth babes. Or maybe people are pissed about the Mandiant report and think of Huawei as part of that whole fiasco. I don’t really know, but most vendors were humming with activity, yet the half-dozen times I went by their booth they were noticeably un-busy.

–Adrian

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

• Our own ‘Mark’ Rothman’s DR post: You’re A Piece Of Conference Meat. snort
• Adrian’s Pragmatic Database Security Presentation.

Favorite Securosis Posts

• Adrian Lane: Karmic Balance. I have witnessed 25 years of shenanigans, and it has turned out that most wrongs met their karmic opposite at some point.
• David Mortman: Flash! And it’s gone….
• Mike Rothman: Karmic Balance. Yeah, I’m a homer for favoriting my own Incite this week. But it sums up what I’m about. Like most folk I have been scarred and battered and bruised. But I try to make those negatives into positives whenever I can.

Other Securosis Posts

• Understanding Cloud IAM: Buyers Guide.
• Use cases are your friends.
• Isolating the Security Skills Gap.
• Be Careful What You Wish for…Now You’re CISO.
• Announcing the CCSK UK Train the Trainer Class in April.
• New Paper: Network-based Threat Intelligence.
• Friday Summary, RSA Edition: March 1, 2012.

Favorite Outside Posts

• Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry.
• Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names, in a word: insane.
• Adrian Lane: Creating and Validating a Sock Puppet. Everyone should have a couple of these. They come in handy.
• David Mortman: Barn Doors. “Mobile is just an amplification of all the insecure practices you and your company have been using for decades.” – Sing it, sister!
• Mike Rothman: Cisco CEO: We’re All In On Internet Of Everything. In the NSS (No Sh*t Sherlock) list this week, Cisco decides it’s in their best interest to drive “The Internet of Things.” Duh. But as we wrote in the RSAC Guide, the Internet of Things is something to keep an eye on. Check it out for the hype, but stay around because there will be all sorts of devices connecting to your stuff.

Project Quant Posts

• Network-based Threat Intelligence: Searching for the Smoking Gun.
• Understanding and Selecting a Key Management Solution.
• Building an Early Warning System.
• Implementing and Managing Patch and Configuration Management.
• Defending Against Denial of Service (DoS) Attacks.
• Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
• Tokenization vs. Encryption: Options for Compliance.
• Pragmatic Key Management for Data Encryption.

Top News and Posts

• Appsec at RSA 2013: nice recap.
• Oracle Issues Emergency Java Update via Krebs.
• Details of the February 22nd 2013 Windows Azure Storage Disruption
• HP Exec: We’re Investing $1 Billion in Big Data This Year
• Understanding iOS passcode security
• The Phoenix Project
• Critics: Substandard crypto needlessly puts Evernote accounts at risk
• Evernote plans two-factor authentication following last week’s hack
• Recent 10-Ks mentioning “cyber” incidents
• Java malware spotted using stolen certificate
• Google+ Can Be A Social Network Or The Name Police – Not Both

Blog Comment of the Week

This week’s best comment goes to Matt, in response to Attribution Meh. Indicators YEAH! if for no other reason than becausae he put a lot of thought and effort into it.

The greatest significance can be found in this report’s overarching message to China: we see you and we’re doing something about it. This may well represent the catalyst for major geopolitical change.

The value of this report is that it will likely disrupt the adversary’s operational capability for some time as corporations bolster defenses. The adversary is no longer a vague term referring to an unknown group somewhere in the world. We’re talking about the government of China. We’re talking about disrupting their economy by stopping their Cyber espionage and theft. The infrastructure put in place by the PLA is not easily dismantled. Their missions and targets were conceived by the political party as essential to sustaining their government. They will be forced to shut down operations, or continue while migrating quietly. Not only were the adversary’s specific behavioral indicators exposed, but this report shows the extent of US counter-espionage capabilities in the commercial, UNCLASSIFIED sphere. If there was any notion by the adversary that they were functioning in stealth, that notion should be well dissolved by now.

This report describes the ultimate cyber war; siphoning out the tools that make a great society sustain through silent espionage, theft, and reuse.

This report also demands response from the highest levels of our society. While bloggers, pundits, researchers, and media have long broadcast China as the original and most prolific APT, definitive responses from those enabled to effect change have yet to materialize. The name-and-shame pundits have been restricted and ignored, often for political reasons or due to the lack of elicit evidence tracing a group to a government. I have also heard executives make claims like “we don’t want to offend because we don’t want to risk losing business,” while politicians fear angering a major trade partner. Those near-sighted excuses will result in self-destruction in the long-term. China is paying for or supporting our businesses now, but as they are doing that, they are siphoning off intellectual property so they can replicate technology, goods, and services internally so that they become the world’s greatest provider. The damage to our own economy should China realizes their mission, is incalculable. Their actions place the sustainability of our society at risk. If China can produce goods and services at the same quality as US providers at cheaper costs to the consumer, then free-market principles will result in economic collapse.

In the same vein, their actions are essential to continuing the sustainability of their current society. It is for the very reason that they cannot under their current governmental structure produce as free societies do, that they must reach out and steal to survive. Readers of the Mandiant report will note the mission orders of this group are derived from the PLA regarding those markets and industries critical to China’s growth. If they cannot grow, they cannot sustain. If they cannot sustain, their government will collapse like the Soviet Union. Cyber espionage is an instrument of sustainment for China’s government. Without it, they will not survive and this report blows their cover.

I believe this history of a lack of effective response is due to the relatively vague connections drawn between active campaigns and the PLA in the past. This discussion has largely remained quarantined by the vaults of information classification. While everyone has been saying this publically, no one has been proving it. This report demands action and eliminates the excuses used to evade this topic in the past, namely those who cite unconfirmed reports as their shelter.

Never before have I seen evidence like this linking China’s People’s Liberation Army (PLA) to this group, or any international espionage in a public discussion. Private intelligence sharing groups have long kept these details hidden, and public disclosure essentially counters the principles behind keeping the data protected; namely that now that the adversary has been so publically exposed, they will likely hide. The security blog world is clearly divided about this action by Mandiant, but again, those fears are near-sighted.

If you expose your adversary, you can effectively counter their capabilities and mitigate the threat they pose.