Login  |  Register  |  Contact
Sunday, April 19, 2015

RSA Conference Guide 2015 Deep Dives: Cloud Security

By Mike Rothman

Before delving into the world of cloud security we’d like to remind you of a little basic physics. Today’s lesson is on velocity vs. acceleration. Velocity is how fast you are going, and acceleration is how fast velocity increases. They affect our perceptions differently. No one thinks much of driving at 60mph. Ride a motorcycle at 60mph, or plunge down a ski slope at 50mph (not that uncommon), and you get a thrill.

But accelerate from 0mph to 60mph in 2.7 seconds in a sports car (yep, they do that), and you might need new underwear. That’s pretty much the cloud security situation right now.

Cloud computing is, still, the most disruptive force hitting all corners of IT, including security. It has pretty well become a force of nature at this point, and we still haven’t hit the peak. Don’t believe us? That’s cool—not believing in that truck barreling towards you is always a good way to ensure you make it into work tomorrow morning.

(Please don’t try that—we don’t want your family to sue us).

Clouds Everywhere

The most surprising cloud security phenomena are how widespread cloud computing has spread, and the increasing involvement of security teams… sort of. Last year we mentioned seeing ever more large organizations dipping their toes into cloud computing, and this year it’s hard to find any large organization without some active cloud projects. Including some with regulated data.

Companies that told us they wouldn’t use public cloud computing a year or two ago are now running multiple active projects. Not unapproved shadow IT, but honest-to-goodness sanctioned projects. Every one of these cloud consumers also tells us they are planning to move more and more to the cloud over time.

Typically these start as well-defined projects rather than move-everything initiatives. A bunch we are seeing involve either data analysis (where the cloud is perfect for bursty workloads) or new consumer-facing web projects. We call these “cloud native” projects because once the customer digs in, they design the architectures with the cloud in mind.

We also see some demand to move existing systems to the cloud, but frequently those are projects where the architecture isn’t going to change, so the customer won’t gain the full agility, resiliency, and economic benefits of cloud computing. We call these “cloud tourists” and consider these projects ripe for failure because all they typically end up doing is virtualizing already paid-for hardware, adding the complexity of remote management, and increasing operational costs to manage the cloud environment on top of still managing just as many servers and apps.

Not that we don’t like tourists. They spend a lot of money.

One big surprise is that we are seeing security teams engaging more deeply, quickly, and positively than in past years, when they sat still and watched the cloud rush past. There is definitely a skills gap, but we meet many more security pros who are quickly coming up to speed on cloud computing. The profession is moving past denial and anger, through bargaining (for budget, of course), deep into acceptance and…DevOps.

Perhaps we pushed that analogy. But the upshot is that this year we feel comfortable saying cloud security is becoming part of mainstream security. It’s the early edge, but the age of denial and willful ignorance is coming to a close.

Wherever You Go, There You Aren’t

Okay, you get it, the cloud is happening, security is engaging, and now it’s time for some good standards and checklists for us to keep the auditors happy and get those controls in place.

Wait, containers, what? Where did everybody go?

Not only is cloud adoption accelerating, but so is cloud technology. Encryption in the cloud too complex? That’s okay—Amazon just launched a simple and cheap key management service, fully integrated through their services. Nailed down your virtual server controls for VMWare? How well do those work with Docker? Okay, with which networking stack you picked for your Docker on AWS deployment, that uses a different management structure than your Docker on VMWare deployment.

Your security vendor finally offers their product as a virtual appliance? Great! How does it work in Microsoft Azure, now that you have moved to a PaaS model where you don’t control network flow? You finally got CloudTrail data into your SIEM? Nice job, but your primary competitor now offers live alerts on streaming API data via Lambda. Got those Chef and Puppet security templates set? Darn, the dev team switched everything to custom images and rollouts via autoscaling groups.

None of that make sense? Too bad—those are all real issues from real organizations.

Everything is changing so quickly that even vendors trying to keep up are constantly dancing to fit new deployment and operations models. We are past the worst cloudwashing days, but we will still see companies on the floor struggling to talk about new technologies (especially containers); how they offer value over capabilities Amazon, Microsoft, and other major providers have added to their services, and why their products are still necessary with new architectural models.

The good news is that not everything lives on the bleeding edge. The bad news is that this rate of change won’t let up any time soon, and the bleeding edge seems to become early mainstream more quickly than it used to.

This theme is more about what you won’t see than what you will. SIEM vendors won’t be talking much about how they compete with a cloud-based ELK stack, encryption vendors will struggle to differentiate from Amazon’s Key Management Service, AV vendors sure won’t be talking about immutable servers, and network security vendors won’t really talk about the security value of their product in a properly designed cloud architecture.

On the upside not everyone lives on the leading edge. But if you attend the cloud security sessions, or talk to people actively engaged in cloud projects, you will likely see some really interesting, practical ways of managing security for cloud computing that don’t rely on ‘traditional’ approaches.

Bump in the Cloud

Last year we included a section on emerging SaaS security tools, and boy has that market taken off. We call them Cloud Security Gateways and Gartner calls them Cloud Access and Security Brokers (hint, you only get to have 3-letter acronyms for product categories, even if you’re Gartner, or a kitten dies).

There are at least a dozen vendors on the market now, and on the surface most of them look exactly the same. That’s because the market has a reasonably clear set of requirements, and there are only so many ways to message that target. You want products to find out what cloud stuff you are using, monitor the stuff you approve, block the stuff you don’t, and add security when your cloud provider doesn’t meet your needs.

There actually is a fair amount of differentiation between these products, but it is hard to see from the surface. Most if not all of these folks will be on the show floor, and if you manage security for a mid-size or large organization, they are worth a look. But, as always, have an idea of what you need before you go in. Discovery is table stakes for this market, but there are many possible directions to take after that. From DLP, to security analysis and alerts (such as detecting account takeovers), all the way up to encryption and tokenization (often a messy approach, but also likely your only option if you do not trust your cloud provider).

blue horseshoe loves the cloud

One key question to ask is whether they integrate with cloud provider APIs (when available), and which. The alternative is to proxy all your traffic to the cloud, which is a really crappy way to solve the problem—but often the only option. Fortunately some cloud providers offer robust APIs that reduce or eliminate the need for a CSG (see what I did there?) to sniff the connection. If they say ‘yes’ then ask for specific examples.

You might see some other vendors pushing their abilities to kinda-sorta do the same thing as a CSG. Odds are you won’t be happy with their kludges, so if this is on your list, stick with folks whose houses are on the line if the product doesn’t actually work.

Calling Mr. Tufte

One thing you won’t see any shortage of is the same damn charts from every damn SIEM and analytics vendor. Seriously—we have been briefed by pretty much all of them, and they all look the same. Down to the color palette.

The upside is that they now include cloud data. Mostly just Amazon CloudTrail, because no other IaaS platform offers management plane data yet (rumor has it Microsoft is coming soon).

We understand there are only so many ways to visualize this data, but the vendors also seem to be struggling to explain how their cloud data and analytics are superior to competitors’. Pretty charts are great, but you look at these things to find actionable information—probably not because you enjoy staring at traffic graphs. Especially now that Amazon allows you to directly set security alerts and review activity in their own consoles.

Cloud Taylor Swift

You have probably noticed that we tend to focus on Amazon Web Services. That isn’t bias—simply a reflection of Amazon’s significant market dominance. After AWS we see a lot of Microsoft Azure, and then a steep dropoff after that.

The interesting trend is that we see much less demand for information on other providers. Demand has declined from previous years.

So don’t be surprised if vendors and sessions skew the same. Amazon really does have a big lead on everyone else, and only Microsoft (and maybe Google) is in the ballpark. That will show through in sessions and on the show floor.

DevOps, Automation, Blah, Blah, Blah

We hate to dump our favorite topics into a side note at the bottom of this section, but we already went long, and are covering those topics… in pretty much every other section of this Guide. DevOps and automation are as disruptive to process as cloud is to infrastructure and architecture.

It’s the future of our profession, folks—there is no shortage of things to talk about. Which you probably figured out 500 words ago, about when you stopped reading this drivel.

—Mike Rothman

RSA Conference Guide 2015 Deep Dives: Overview

By Mike Rothman

With lots of folks (including us) at the RSA Conference this week, we figured we’d post the deep dives we wrote for the RSAC Guide and give those of you not attending a taste of what your missing. Though we haven’t figured out how to relay the feel of the meat market at the W bar after 10 PM nor the ear deafening bass at any number of conference parties nor the sharp pain you feel in your gut after a night of being way too festive. Though we’re working on that for next year’s guide.


While everyone likes to talk about the “security market” or the “security industry,” in practice security is more a collection of markets, tools, and practices all competing for our time, attention, and dollars. Here at Securosis we have a massive coverage map (just for fun, which doesn’t say much now that you’ve experienced some of our sense of humor), which includes seven major focus areas (like network, endpoint, and data security), and dozens of different practice and product segments.

It’s always fun to whip out the picture when vendors are pitching us on why CISOs should spend money on their single-point defense widget instead of the hundreds of other things on the list, many of them mandated by auditors using standards that get updated once every decade or so.

In our next sections we dig into the seven major coverage areas and detail what you can expect to see, based in large part on what users and vendors have been talking to us about for the past year. You’ll notice there can be a bunch of overlap. Cloud and DevOps, for example, affect multiple coverage areas in different ways, and cloud is a coverage area all on its own.

When you walk into the conference, you are likely there for a reason. You already have some burning issues you want to figure out, or specific project needs. These sections will let you know what to expect, and what to look for.

The information is based in many cases on dozens of vendor briefings and discussions with security practitioners. We try to help illuminate what questions to ask, where to watch for snake oil, and what key criteria to focus on, based on successes and failures from your peers who tried it first.

—Mike Rothman

Friday, April 17, 2015

LAST CHANCE! Register for the Disaster Recovery Breakfast

By Mike Rothman

Holy crap! The RSA Conference starts on Monday. Which means… you don’t have much time left to register for the 7th annual Disaster Recovery Breakfast.*

2015 DRB, the be careful what you wish for edition

Once again we have to provide a big shout out to our DRB partners, MSLGROUP, Kulesa Faul, and LEWIS PR. We’re expecting a crapton of folks to show up at the breakfast this year, and without their support there would be no breakfast for you.

no breakfast for you

As always, the breakfast will be Thursday morning 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We will have food, beverages, and assorted recovery items (non-prescription only) to ease your day.

See you there.

To help us estimate numbers, please RSVP to rsvp (at) securosis (dot) com.

*But don’t get nuts if you forget to RSVP – the bouncers will let you in… Right, there are no bouncers.

—Mike Rothman

Thursday, April 16, 2015

Presenting the 2015 RSA Conference Guide

By Mike Rothman

As you’ve seen over the past week, we’ve been reposting our RSAC Guide here. That’s because the RSA Conference folks allowed us to post it on their blog first. Yes, they are nuts, but we aren’t going to complain.

We also take all that raw content and format it into a snazzy PDF with a ton of meme goodness. So you can pop the guide onto your device and refer to it during the show. Without further ado, we are excited to present the entire RSA Conference Guide 2015 (PDF).

Just so you can get a taste of the memish awesomeness of the published RSAC Guide, check out this image. Plenty of folks are first finding out about Securosis through the RSAC blog. So we figured it would be good to provide some perspective on what we do and how we do it.

pontification FTW

Pontification FTW.

And in case you want to check out the coverage area deep dives (which will go up on the Securosis blog next week), check out the RSAC blog posts:

—Mike Rothman

Wednesday, April 15, 2015

Incite 4/15/2015: Boom

By Mike Rothman

I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness.

The theme of this year’s Disaster Recovery Breakfast is be careful what you wish for. For years we have wanted more internal visibility for security efforts. We wanted to engage with senior management about why security is important. We wanted to get more funding and resources to deal with security issues. But now it’s happening. CISO types are being called into audit committee meetings and to address the full board (relatively) frequently. Budget is being freed up, shaken loose by the incessant drone of the breach of the day. We wanted the spotlight and now we have it. Oh crap.

balloon go boom

And investors of all shapes and sizes want a piece of cybersecurity. We’ve been engaged in various due diligence efforts on behalf of investors looking at putting money to work in the sector. You see $100MM funding rounds for start-ups. WTF is that about? A friend told me his successful friends call him weekly asking to invest in security companies. It’s like when you get stock tips from a cabbie (or Uber driver), it’s probably time to sell. That’s what this feels like.

But security will remain a high-profile issue. There will be more breaches. There will be additional innovative attacks, probably hitting the wires next week, when there is a lot of focus on security. Just like at Black Hat last year. Things are great, right? The security juggernaut has left the dock and it’s steaming full speed ahead. So why does it feel weird? You know, unreal?

Part of it is the inevitable paranoia of doing security for a long time. When you are constantly trying to find the things that will kill you, it’s hard to step back and just appreciate good times. Another part is that I’ve lived through boom and bust cycles before. When you see low-revenue early-stage start-ups acquired in $200MM+ and $50MM+ funding rounds for, you can’t help but think we are close to the top of the boom. The place to go from there is down. Been there, done that. I’m still writing off my investment tax losses from the Internet bubble (today is Tax Day in the US).

But you know what? What’s the use in worrying? I’m going to let it play out and do a distinctly atypical thing and actually enjoy the boom. I was too young and naive to realize how much fun the Internet boom was on the way up. I actually believed that was the new normal. Shame on me if I can’t enjoy it this time around.

I’ll be in SF next week with a huge smile on my face. I will see a lot of friends at RSAC. Rich, Adrian, and I will offer a cloud security automation learning lab and JJ and I will run a peer-to-peer session on mindfulness. I’ll have great conversations with clients and I’m sure I’ll fill the pipeline for the next couple months with interesting projects to work on. I’ll also do some damage to my liver. Because that’s what I do.

These halcyon days of security will end at some point. There is no beanstalk that grows to the sky. But I’m not going to worry about that now. I’ll ride through the bust, whenever it comes. We all will. Because we’re security people. We’ll be here when the carpetbaggers have moved on to the next hot sector promising untold riches and easy jobs. We’ll be here after the investors doing stupid deals wash out and wonder why they couldn’t make money on the 12th company entering the security analytics business. We’ll be here when the next compliance mandate comes and goes, just like every other mandate.

We’ll be here because security isn’t just a job. It’s a calling. And those who have been called ride through the booms and the busts. Today is just another day of being attacked by folks who want to steal your stuff.


Photo credit: “Explosion de ballon Polyptyque“_ originally uploaded by Mickael

Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Slap in the face: Part of the cellphone security model is locking and/or remotely wiping stolen cellphones. Allowing owners to control transfer of ownership makes stolen phones are almost worthless, and should discourage phone theft. But a giant case of insider fraud at AT&T barely made news last week, because it was positioned in the press as just another data breach. The real story is that a handful of employees in foreign markets accessed customer accounts to allow the transfer and activation of stolen phones. What makes the story so painful is that the criminal organization which got its mules into AT&T profited, the US government got the cost of its investigation covered by the $25M fine, and AT&T enjoyed 500k or so new subscribers on stolen phones and a tax write-down on the fine. The slap is to that people who had phones stolen get worthless “credit monitoring”, while FCC chair Tom Wheeler sprays perfume onto this steaming pile by claiming this is a victory for privacy – which implies the insiders actually stole personal information, rather than just transferring phone ownership. – AL

  2. Lay off my forensicators: In what appears to be another example of a company with too many lawyers, one company is sore another company hired a bunch of their people. MasterCard is suing Nike over former MC employees allegedly taking ‘proprietary’ network configurations to their new employer. But the hook in the suit is that some service providers were now working with Nike instead of MC. So apparently we are not in a free-market economy and service providers have become indentured servants to their clients. Bah. Too many damn lawyers. There has to be a better way to handle this. If they wanted to cut down employee churn, perhaps they could make it more interesting and attractive for employees to stick around. And there isn’t much you can do if an employee leaves, taking their multi-decade relationships with service providers. But when you have lawyers, evidently you need to lawyer up. – MR

  3. You’re the product: It’s not a question of whether your emails are tracked – Wired Magazine explains a browser tool to detect common email tracking elements, nicely illustrating that the only question is by whom and how many firms track each email you receive or send. It’s not uncommon to receive email with several trackers embedded – I get some with a half dozen. In some cases the trackers are added unbeknownst to the sender, instead tacked on by service providers. Most email providers earn money by tracking you, and every marketing manager running a ‘campaign’ demands to know not just who – but how – people are reading their precious content, so pretty much every email is tracked. Be it a browser or a dedicated mail tool, these email viewers don’t offer any insight into what’s being requested, by who, or how much data they pull out. Of course not, because that might interfere with their the ability to monetize you. The web pages you visit are far worse: even the Wired web page for that article serves fourteen trackers from sites you didn’t visit and which don’t serve the content you requested. They are solely to track what you do and how you do it, and that data is likely shared and resold yet again. The tools listed in this Wired article – such as UglyMail – lift just one veil obscuring the horrors underneath. If you really want to see – and control – what your email client and browsers transmit, get an outbound firewall to detect and filter. Remember, if you’re not paying, you’re the product. – AL

  4. Minority Security Report: One of the hot hot hot areas of security for 2015 is insider threat detection. These new security analytics tools look at a bunch of data and have means to determine when an employee is doing something that puts corporate data at risk. It turns out these technologies have been under development for a while for other use cases as well. For instance JP Morgan has a system that looks for signs that a trader is going to go rogue. Evidently they’ve profiled and found patterns that indicate an employee is going to do bad stuff. So they can then put the employee under watch. Is this a slippery slope? Yes and no. There is nothing wrong with monitoring an employee’s behavior if they show indicators of doing something bad for the organization. But how do you deal with false positives? And could the tools be used to curry favor for political purposes within the organization? I guess we should expect the equivalent of the Salem Witch Trials at some point. – MR

  5. Any time now: In 1999 I saw my first television ad proclaiming the amazing benefits of chip-based credit cards, and how they would protect customers and banks from fraud. It was the “Internet Age”, these cards looked Star Trek cool, and I wanted one. Too bad: My bank didn’t carry them. And even if they did, none of the merchants used the chip-based capabilities to counter card cloning. Fast forward to today, 16 frigging years later, and it’s still the same. My bank, sadly, still does not issue EMV-based credit cards. They do have a plan to roll them out, oh, sometime in 2016. So while I think it’s beyond pathetic that food retailers have asked for an extension on the EMV deadline – which shifts card fraud liability onto merchants who do not comply – I get it. It’s not just that they have been dragging their feet, but banks have been dragging as well. But honestly, the only way these cards can supplant magstripes in the US is for the card brands to not extend the deadline and to shift liability. When the financial incentive hits, we’ll see action. 16 years is enough warning. – AL

  6. Not a bad thing: Andreas Gal, Mozilla CTO, offers an interesting rant on limited access to Google search data available to other search engines. Over the last decade search engines have used user query data, more than crawling the Internet, to refine their own search results. Other search engines, ISPs, and telcos used to – ahem – collect user search data entered into Google and leverage that information. The crux of Andreas’ rant is that Google started encrypting its search strings, so only Google has access to user queries. But this is exactly what I want as a user – that the information I entrust ti Google not be shared. I want them to encrypt it and keep it to themselves. Further, this is part of Google’s moat, born from early technical advantages and the “network effect” of providing a service people really like, which is a good thing which Google earned. It requires other firms to innovate to attract users – and to do something unique or better before they can assail Google’s moat. Plus, I think Andreas missed that the embedded search bars in browsers like Firefox offer users a feature they do take advantage of: easy switching between search engines when they don’t like the results from their default option. Only vendors see this as a turf war; users see the value in both privacy and different results from different search tools. – AL

—Mike Rothman

Friday, April 10, 2015

RSAC Guide 2015: P.Compliance.90X

By Adrian Lane

Compliance. It’s a principle driver for security spending, and vendors know this. That’s why each year compliance plays a major role in vendor messaging on the RSA show floor. A plethora of companies claiming to be “the leader in enterprise compliance products” all market the same basic message: “We protect you at all levels with a single, easy-to-use platform.” and “Our enterprise-class capabilities ensure complete data security and compliance.” Right.

The single topic that best exemplifies our fitness meme is compliance. Most companies treat compliance as the end goal: you hold meetings, buy software, and generate reports, so you’re over the finish line, right? Not so much. The problem is that compliance is supposed to be like a motivational poster on the wall in the break room, encouraging you to do better – not the point itself. Buying compliance software is a little like that time you bought a Chuck Norris Total Gym for Christmas. You were psyched for fitness and harbored subconscious dreams it would turn you into a Chuck Norris badass. I mean, c’mon, it’s endorsed by Chuck Friggin’ Norris! But it sat in your bedroom unused, right next to the NordicTrack you bough a few years earlier. By March you hadn’t lost any weight, and come October the only thing it was good for was hanging your laundry on, so your significant other posted it on Craigslist.

The other side of the compliance game is the substitution of certifications and policy development for the real work of reducing risk. PCI-DSS certification suggests you care about security but does not mean you are secure – the same way chugging down 1,000-calorie fruit smoothies makes you look like you care about fitness but won’t get you healthy. Fitness requires a balance of diet and exercise over a long period; compliance requires hard work and consistent management towards the end goal over years. Your compliance requirements may hinge on security, privacy, fraud reduction or something else entirely, but success demands a huge amount of hard work.

So we chide vendors on their yearly claims about compliance-made-easy, and that the fastest way to get compliant is buy this vendors class-leading product. But this year we think it will be a little more difficult for vendors, because there is a new sheriff in town. No, it’s not Chuck Norris, but a new set of buyers. As with every period of disruptive innovation, developers start to play a key role in making decisions on what facilities will be appropriate with newer technology stacks. Big Data, Cloud, Mobile, and Analytics are owned by the fitness freaks who build these systems. Think of them as the leaner, meaner P90X fitness crowd, working their asses off and seeing the results of new technologies. They don’t invest in fancy stuff that cannot immediately show its worth: anything that cannot both help productivity and improve reliability isn’t worth their time. Most of the value statements generated by the vendor hype machine look like Olivia Newton-John’s workout gear to this crowd – sorely out of date and totally inappropriate. Still, we look forward to watching these two worlds collide on the show floor.

—Adrian Lane

Thursday, April 09, 2015

RSAC Guide 2015: IOWTF

By James Arlen

Have you heard a vendor tell you about their old product, which now protects the Internet of Things? No, it isn’t a pull-up bar, it’s an Iron Bar Crossfit (TM) Dominator!

You should be mentally prepared for the Official RSA Conference IoT Onslaught (TM). But when a vendor asks how you are protecting IoT, there’s really only one appropriate response:

“I do not think that means what you think it means.”

Not that there aren’t risks for Internet-connected devices. But we warned you this would hit the hype bandwagon, way back in 2013’s Securosis Guide to RSAC:

We are only at the earliest edge of the Internet of Things, a term applied to all the myriad of devices that infuse our lives with oft-unnoticed Internet connectivity. This wonʼt be a big deal this year, nor for a few years, but from a security standpoint we are talking about a collection of wireless, Internet-enabled devices that employees wonʼt even think about bringing everywhere. Most of these wonʼt have any material security concerns for enterprise IT. Seriously, who cares if someone can sniff out how many steps your employees take in a day (maybe your insurance underwriter). But some of these things, especially the ones with web servers or access to data, are likely to become a much bigger problem.

We’ve reached the point where IoT is the most under- or mis-defined term in common usage – among not just the media, but also IT people and random members of the public. Just as “cloud” spent a few years as “the Internet”, IoT will spend a few years as “anything you connect to the Internet”.

If we dig into the definitional deformation you will see on the show floor, IoT seems to be falling into two distinct classes of product: (a) commercial/industrial things that used to be part of the Industrial Control world like PLCs, HVAC controls, access management systems, building controls, occupancy sensors, etc.; and (b) products for the consumer market – either from established players (D-Link, Belkin, etc.) or complete unknowns who got their start on Kickstarter or Indiegogo.

There are real issues here, especially in areas like process control systems that predate “IoT” by about 50 years, but little evidence that most of these products are actually ready to address the issues, except for the ones which have long targeted those segments. As for the consumer side, like fitness bands? Security is risk management, and that is so low on their priority list that it is about as valuable as a detoxifying foot pad. We aren’t dismissing all consumer product risks, but worry about your web apps before your light bulbs.

At RSAC this year we will see ‘IoT-washing’ in the same way that we have seen ‘cloud-washing’ over the last few years – lots of mature technology being rebranded as IoT. What we won’t see is any meaningful response to consumer IoT infiltration in the business. This lack of meaningful response nicely illustrates the other kinds of change we still need in the field: security people who can think about and understand IPv6, LoPAN, BLE, non-standard ISM radios, and proprietary protocols. Sci-Fi writers have told us what IoT is going to look like – everything connected, all the time – so now we’d better get the learning done so we can be ready for the change that is already underway, and make meaningful risk decisions, not based on fear-mongering.

—James Arlen

Wednesday, April 08, 2015

RSAC Guide 2015: DevOpsX Games

By Rich

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch).

We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications.

But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much as a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees.

DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports… it’s on YouTube now – look it up, young’ns).

Extreme sports (if that term even applies anymore) is all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you can to backflip a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave.

This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSA day the Monday before the conference starts. And vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty bad too, especially presentations on the ‘risks’ of DevOps that show someone doesn’t understand it doesn’t actually allow developers to modify production environments despite policy. As for the expo floor? We look forward to seeing that ourselves… and as with anything new, we expect to see plenty of banners proclaiming their antivirus is “DevOps ready”.



RSA Guide 2015: Get Bigger (Data) Now!!!

By Dave Lewis

This year at RSA we will no doubt see the return of Big Data to the show floor. This comes along with all the muscle confusion that it generates – not unlike Crossfit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget.

Last year we leveraged the tired (nay, exhausted) analogy of sex in high school. Everyone talks about it but… yeah. You get the idea. Every large company out there today has a treasure trove of data available, but they have yet to truly gain any aerobic benefit from it. Certainly they are leveraging this information but who is approaching it in a coherent fashion? Surprisingly, quite a few folks. Projects such as the Centers for Disease Control’s data visualizations, Twitter’s “Topography of Tweets”, SETI’s search for aliens, and even Yelp’s hipster tracking map. They all leverage Big Data in new and interesting ways. Hmm, SETI and Yelp should probably compare notes on their data sets.

These are projects happening, often despite the best intentions of organizational IT security departments. Big Data is here, and security teams need to get their collective heads around the situation rather than hanging about doing kipping pull-ups. As security practitioners we need to find sane ways to tackle the security aspects of these projects, to help guard against inadvertent data leakage as they thrust forward with their walking lunges. One thing we recommend is ahike out on the show floor to visit some vendors you’ve never heard of. There will be a handful of vendors developing tools specifically to protect Big Data clusters, and some delivering tools to keep sensitive data out of Big Data pools. And your Garmin will record a couple thousand more steps in the process. Second, just as many Big Data platforms and features are built by the open source community, so are security tools. These will be under-represented at the show, but a quick Google search for Apache security tools will find more options.

Your internal security teams need to be aware of the issues with big data projects while striking a balance supporting business units. That will truly lead to muscle confusion for some. If you’re looking for the Big Data security purveyors, they will most likely be the ones on the show floor quietly licking wounds from their workout while pounding back energy drinks.

—Dave Lewis

Tuesday, April 07, 2015

RSAC Guide 2015: Key Theme: Security Bonk

By Mike Rothman

The Security Bonk

For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our respective waistlines, than anything else. So we’re all too familiar with the concept of ‘bonking’: hitting the wall and capitulating. You may not give up, but you are just going through the motions.

Sound familiar to you security folks? It should. You get bonked over the head with hundreds or thousands of alerts every day. You can maybe deal with 5, and that’s a good day. So choosing the right 5 is the difference between being hacked today and tomorrow. This alert fatigue will be a key theme at RSA Conference 2015. You’ll see a lot of companies and sessions (wait, there are sessions at RSA?) talking about more actionable alerts. Or increasing the signal to noise ratio. Or some similarly trite and annoying terminology for prioritization.

These vendors come at the problem of prioritization from different perspectives. Some will highlight shiny new analytical techniques (time for the Big Data drinking game!) to help you figure out which attack represents the greatest risk. Others will talk about profiling your users and looking for anomalous behavior. Yet another group will focus on understanding the adversary and sharing information about them. All with the same goal: to help you optimize limited resources before you reach the point of security bonk.

To carry the sports analogy to the next step, you are like the general manager of a football team. You’ve got holes all over your roster (attack surface) and you need to stay within your salary cap (budget). You spend a bunch of money on tools and analytics to figure out how to allocate your resources, but success depends more on people and consistent process implementation. Unfortunately people are a major constraint, given the limited number of skilled resources available. You can get staffers through free agency (expensive experienced folks who generally want long-term deals) or draft and develop talent, which takes a long time.

And in two years, if your draft picks don’t pan out or your high-priced free agents decide to join a consulting firm, you get fired. Who said security wasn’t like life? Or the football life, anyway!

—Mike Rothman

RSAC Guide 2015: Key Theme: Change

By Jennifer Minella, Rich

Every year we like to start the RSA Guide with review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise?

This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change.


This year at RSA the vendors are 18% more engaged, solutions are 22% more secure, and a whopping 73% of products and solutions are new. Or are they? To the untrained eye the conference floor is filled with new and sensational technologies, ripe for consumption – cutting-edge alongside bleeding-edge – where the world comes to talk security. While those percentages may be fabricated horse puckey, the underlying message here is about our perception of — and influence over – real change.

“It’s like deja-vu, all over again,” as Yogi Berra once mused. Flipping through the conference guide, that will be the reaction of observers who have made their way by watching the ebbs and flows of our industry for years. The immediate recognition of companies acquired, products rebranded, and solutions washed in marketing to make them 84% shinier, feeds a skeptical doubt that we are actually making progress through this growth we call ‘change’. So here is our Public Service Announcement: change is not necessarily improvement.

Change can be good, bad, or neutral, but for some reason our human brains crave it when we are at an impasse. When we hit a wall or bonk – when we are frustrated, confused, or just pissed off – we seek change. Not only seek, but force and abuse it. We wield change in unusual and unnatural ways because something that’s crappy in a new and different way is better than the current crappy we already have. At least with change there’s a chance for improvement, right? And there is something to be said for that. Coach John Wooten said “Failure is not fatal, but failure to change might be.” If we keep changing – if we keep taking more shots on goal – eventually we’ll score.

But are we changing the right things? Does reorganizing, rebranding, or reinventing the cloud or the IoT help in a meaningful way? Perhaps, but you are not simply at the mercy of change around you. You, too, can influence change. This year as you walk around the sessions, workshops, and booths at RSA, look for opportunities to change other things. Change your perspective, change your circle of influence, change your approach, or change your habits. Ask questions, meet new people, and consider the unimaginable. We guarantee at least 19% change with a 12% effort, 99% of the time.

by Jennifer Minella, Contributing Analyst

This article first appeared on the RSA Conference blog at http://www.rsaconference.com/blogs

Jennifer Minella, Rich

Friday, April 03, 2015

Friday Summary: April 3, 2013: Getting back in

By Adrian Lane

Running. I started running when I was 9. I used to tag along to exercise class at the local community college with my mom, and they always finished the evening with a couple laps around the track. High school was track and cross country. College too. When my friends and I started to get really fast, there would be the occasional taunting of rent-a-cops, and much hilarity during the chase, usually ending in the pursuers crashing into a fence we had neatly hopped over. Through my work career, running was a staple, with fantastic benefits for both staying healthy and washing away workday stresses.

Various injuries and illness stopped that over the last few years, but recently I have been back at it. And it was … frigging awful and painful. Unused muscles and tendons screamed at me. But after a few weeks that went away. And then I started to enjoy the runs again. Now I find myself more buoyant during the day – better energy and just moving better. It’s a subtle thing, but being fit just makes you feel better in several ways, all throughout the day.

This has been true for several other activities of late — stuff I love to do, but for various reasons dropped. Target shooting is something I enjoy, but the restart was awful. You forget how critical it is to control your breathing. You forget the benefit of a quality load. You forget how the trigger pull feels and how to time the break. I grew up taking two or three fishing trips a year, but had pretty much stopped fishing for the last 10 years – lack of time, good local places to go, and people you wanted to go with. You forget how much fun you can have sitting around doing basically nothing. And you forget how much skill and patience good fishermen bring to the craft.

In this year of restarts, I think the one activity that surprised me most was coding. Our research has swung more and more into the security aspects of cloud, big data, and DevOps. But I can’t expect to fully understand them without going waist-deep to really use them. Like running, this restart was painful, but this was more like being punched in the mouth. I was terrible. I am good at learning new tools and languages and environments, and I expected a learning curve there. The really bad part is that much of what I used to do is now wrong. My old coding methods – setting up servers to be super-resilient, code re-use, aspects of object-oriented design, and just about everything having to do with old-school relational database design, needs to get chucked out the window. I was not only developing slowly, but I found myself throwing code out and reworking to take advantage of new technologies. It would have been faster to learn Hadoop and Dynamo without my relational database background – I needed to start by unlearning decades of training. But after the painful initial foray, when I got a handle on ways to use these new tools, I began to feel more comfortable. I got productive. I started seeing the potential of the new technologies, and how I should really apply security. Then I got happy!

I’ve always been someone who just feels good when I produce something. But over and above that is something about the process of mastering new stuff and, despite taking some lumps, gaining confidence through understanding. Getting back in was painful but now it feels good, and is benefitting both my psyche and my research.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • In case you missed it, Dave Lewis, JJ, James Arlen, Rich, Mike, and Adrian posted some of our yearly RSA Conference preview on the RSAC Blog. We will post them and the remaining sections on the Securosis blog next week.
  • Mike on Endpoint Defense.

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

Top News and Posts

—Adrian Lane

Wednesday, April 01, 2015

Incite 4/1/2015: Fooling Time

By Mike Rothman

As we started recording the Firestarter Monday Rich announced the date. When he said “March 30”, it was kind of jarring. It’s March 30? How did that happen? Wasn’t it just yesterday we rang in the new year? I guess it was almost 90 yesterdays. Thankfully Rich cut me off as I went down the rabbit hole of wondering where the time went.


Every year is getting shorter, never seem to find the time
Plans that either come to naught or half a page of scribbled lines
Hanging on in quiet desperation is the English way
The time is gone, the song is over, thought I’d something more to say
– Pink Floyd, “Time”

Yup, I’m in one of those moods. You know, the mood where you are digging up Pink Floyd lyrics. Though it’s true – every year does seem to get shorter. It’s hard to find the time to do everything you want to. Everything you plan to. You can’t fool time, even on April Fool’s day. Time just keeps moving forward, which is what we all need to do.

I have become painfully aware of the value of time this year. It seems I have been in a cycle of work, run, yoga, travel, car pools, LAX games, and maybe a little sleep now and again. But when I pick my head up every so often, I see things changing. Right before my eyes. XX1 is no longer a little girl. She’s almost as tall as the Boss and is talking to me about getting her driver’s permit in 6 months. What? My little muncha driving? How can that be?

And people you know unexpectedly pass on. Many of us in the security community knew Michael Hamelin (@hackerjoe), and then over the holidays he was gone. Taken in a freak car accident. It makes you think about how you are using the short amount of time you have. I had a wave of inspiration and posted a few things on Twitter that day.


I’m fortunate to be a mentor, advisor, and friend to lots of folks who come to me for advice and perspective. I talk about courage a lot with these people. The courage to be who you want to be, regardless of who you ‘should’ be. The courage to make changes, if changes are necessary. The courage to get beyond your comfort zone and grow. It’s not easy to be courageous.

Ticking away the moments that make up a dull day
Fritter and waste the hours in an off-hand way
Kicking around on a piece of ground in your home town
Waiting for someone or something to show you the way
– Pink Floyd, “Time”

Many people choose to just march through life, even if they aren’t happy or fulfilled, and that’s okay. But time will move on, regardless of what you decide to do, or not do. If you think things will change without you changing them, you aren’t fooling time. You are only fooling yourself.


Photo credit: “hourglass_cropped“_ originally uploaded by openDemocracy

Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com so we know how much food to get…

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Better breach disclosure: I hate it when stuff I use gets breached. I have to change passwords and the like. It’s just a hassle. But it does provide a learning opportunity, if the pwned company will talk about what happened. The latest disclosure darling seems to be Slack. You know, the chat app everyone seems to use. Evidently they had an attacker in their user database and some private information was accessible. Things like email addresses and password hashes. Theor payment and financial information was apparently not accessible (segmentation FTW). Now they don’t know whether user data was actually accessed (but we need to assume it was). Nor do they have any proof passwords were decrypted. But at least they are candid about what they don’t know. And even better, they took action to address the issue. Like turning on two-factor authentication before it was quite ready. And providing a tool for an administrator to log everyone out of the system and force a password reset. As they learn more, we can only hope Slack shares more of the details of this attack. – MR

  2. The wisdom of retailers: Over the last decade I have been involved in two research projects to show how data breaches impacted firm’s brand value and stock prices. And yes, I worked for a security vendor at the time, who had a financial incentive to link them. What did I find? Nothing. The data was inconsistent, bu if anything it suggested breaches and company value were unrelated. Our own Gunnar Peterson has been tracking this topic for as long as I’ve known him, and based solely on stock price, finds that breached companies outperform the market. The Harvard Business Review has done many great case studies on firms that have been breached, going back at least to 2007, but I believe this is the first time the HBR has come out with reasons why data breaches don’t hurt stock prices. But does that mean those retailers with a laissez-faire approach to security were right all along? If breaches are “… an inevitability of doing business …”, does that mean firms should only invest in “cyber insurance” to help pay the costs of cleanup? – AL

  3. Darwin and the WAF: Brian McHenry of F5 calls for the death of WAF as we know it and even references some of Adrian’s and my research. And who says flattery gets you nowhere? Brian’s point is that WAF needs to evolve with the advent of DevOps and more agile development processes, because you can’t tune the WAF to keep up with every application change. He’s right, but it’s a bigger issue than just WAF. Though given Brian is in the WAF business, that is his focus. DevOps and cloud and mobility disrupt the game. You need to rethink security and data protection… or not. As Deming said, “It is not necessary to change. Survival is not mandatory.” It applies to pretty much everything. Technologies, but also processes. If those don’t evolve (and drag technology with it), you’ll be on the endangered species list. But don’t fret – you won’t be lonely. A lot of technologies, vendors and practitioners won’t be able to make the jump. Maybe there is a gig available for a front-end processor engineer. (Old school) – MR

  4. Grab the popcorn: Now that vendors have reassessed their approaches to mobile payments, subsequent to Apple Pay shaking things up, we see new payment products from every corner. Square announced the acquisition of Kili, giving them NFC capabilities. Now merchants using Square can support either card-swipe or NFC transactions. Vodafone will also standardize on NFC communication, but will deliver a SIM card that embeds a secure element to hold the encryption keys needed for secure payment on mobile devices. These secure elements are the preferred choice for carriers, because anyone who wants access must pay the carrier. Unsurprisingly, Visa and Mastercard recently announced they are backing the more open Host Card Emulation approach – effectively a virtual secure hardware element – but now Microsoft has also announced use of HCE for their new Tap To Pay offering on Windows phones. We went from a snail’s pace to hair-on-fire product delivery, which means we can expect implementation flaws and notable hacks during this vendor stampede for market share. – AL

  5. It’s a mobile app – what could possibly go wrong? You all know what a big fan of surveys I am, but sometimes the data makes a point worth making. Without less-than-rigorous math, that is. The Ponemonsters did a survey for IBM which analyzed mobile app security. Basically there isn’t much, which I’m sure is a shock to most of you. In another surprising turn, the rush to get mobile apps out there and to meet customer needs is forcing organizations to take security shortcuts. Really! I know you are shocked. Yes, I took my sarcasm pills today. If there is an upside it is that mobile OSes are inherently better protected than PCs. I did not say fully protected – just better protected. But this is a systemic issue. Why would mobile apps be much different than anything else? Companies feel pressure to ship, they take shortcuts, security suffers. Breach happens, company gets religion. Until next time they have to take a shortcut. Wash, rinse, repeat. And we needed a survey to tell us that? – MR

—Mike Rothman

Tuesday, March 31, 2015

Firestarter: Using RSA

By Rich

The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan.

Watch or listen:


Monday, March 30, 2015

New Paper! Endpoint Defense: Essential Practices

By Mike Rothman


We’ve seen a renaissance of sorts regarding endpoint security. To be clear, most of solutions in the market aren’t good enough. Attackers don’t have to be advanced to make quick work of the endpoint protection suites in place. That realization has created a wave of innovation on the endpoint that promises to provide a better chance to prevent and detect attacks. But the reality is far too many organizations can’t even get the fundamentals of endpoint security.

But the fact remains that many organizations are not even prepared to deal with unsophisticated attackers. You know, that dude in the basement banging on your stuff with Metasploit. Those organizations don’t really need advanced security now – their requirements are more basic. It’s about understanding what really needs to get done – not the hot topic at industry conferences. They cannot do everything to fully protect endpoints, so they need to start with essentials.

In our Endpoint Defense: Essential Practices paper, we focus on what needs to be done to address the main areas of attack surface. We cover both endpoint hygiene and threat management, making clear what should be a priority and what should not. It’s always useful to get back to basics sometimes, and this paper provides a way to do that for your endpoints.


We would like to thank Viewfinity for licensing the content in this paper. Our licensees allows us to provide our research for no cost and still pay our mortgages, so we should all thank them. As always, we developed this paper using our objective Totally Transparent Research methodology.

Visit the Endpoint Defense: Essential Practices landing page in our research library, or download the paper directly (PDF).

—Mike Rothman