June is a special time for us. School is over and we take a couple weeks to chill before the kids head off to camp. Then we head up to the Delaware beach where the Boss and I met many moons ago, and then put the kids on the bus to sleepaway camp. This year they are all going for 6 1/2 weeks. Yes, it’s good to be our kids. We spend the rest of the summer living vicariously through the pictures we see on the camp’s website.

The title of today’s Incite has a double meaning. Firstly, camp does rule. Just seeing the kids renew friendships with their camp buddies at the bus stop and how happy they are to be going back to their summer home. If it wasn’t for all these damn responsibilities I would be the first one on the bus. And what’s not to love about camp? They offer pretty much every activity you can imagine, and the kids get to be pseudo-independent. They learn critical life lessons that are invaluable when they leave the nest. All without their parents scrutinizing their every move. Camp rules!

But there are also rules that need to be followed. Like being kind to their bunkmates. Being respectful to their counselors and the camp administrators. Their camp actually has a list of behavioral expectations we read with the kids, which they must sign. Finally, they need to practice decent hygiene because we aren’t there to make sure it happens.

For the girls it’s not a problem. 3 years ago, when XX1 came back from camp, she was hyper-aware of whether she had food on her face after a meal and whether her hair looked good. Evidently there was an expectation in her bunk about hygiene that worked out great. XX2 has always been a little fashionista and takes time (too much if you ask me) for her appearance, so we know she’ll brush her hair and keep clean. We look forward to seeing what new look XX2’s going with in the pictures we see every couple of days.

The Boy is a different story. At home he needs to be constantly reminded to put deodorant on, and last summer he didn’t even know we packed a brush for his hair. Seriously. He offered a new definition for ‘mophead’ after a month away. Being proactive, I figured it would be best if I laid out the camp rules very specifically for the Boy. So in the first letter I sent him I reminded him of what’s important:

Here is my only advice: Just have fun. And more fun. And then have some additional fun after that. That’s your only responsibility for the next 6 1/2 weeks. And you should probably change your underwear every couple of days. Also try not to wear your Maryland LAX shorts every day. Every other day is OK…

The Boss thought it was pretty funny until she realized I was being serious. Boys will be boys – even 44-year-old boys…

–Mike

Photo credit: “Outhouse Rules” originally uploaded by Live Life Happy

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

API Gateways

• Access Provisioning
• Security Enabling Innovation

Security Analytics with Big Data

• Deployment Issues
• Integration
• New Events and New Approaches
• Use Cases
• Introduction

Network-based Malware Detection 2.0

• Deployment Considerations
• The Network’s Place in the Malware Lifecycle
• Scaling NBMD
• Evolving NBMD
• Advanced Attackers Take No Prisoners

Newly Published Papers

• Email-based Threat Intelligence: To Catch a Phish
• Network-based Threat Intelligence: Searching for the Smoking Gun
• Understanding and Selecting a Key Management Solution
• Building an Early Warning System
• Implementing and Managing Patch and Configuration Management

Incite 4 U

1. You, yes you. You are a security jerk. @ternus had a great post abut being an Infosec Jerk, which really hits on core issue hindering organizations’ willingness to take security seriously. It comes down to an incentive problem, as most behaviors do. @ternus sums it up perfectly: “Never attribute to incompetence that which can be explained by differing incentive structures.” Developers and ops folks typically have little incentive to address security issues. But they do have incentive to ship code or deploy servers and apps. We security folks don’t add much to the top line so we need to meet them more than halfway, and the post offers some great tips on how to do that. Also read The Phoenix Project to get a feel for how to make a process work with security built in. Or you can continue to be a jerk. How’s that working out so far? – MR
2. False confidence: No, it’s not surprising that most companies don’t use big data for security analytics, per the findings of a recent McAfee study. Most security teams don’t know what big data is yet, much less use it for advanced threat and event analysis. But the best part of the study was the confidence of the respondents – over 70% were confident they could identify insider threats and external attacks. Which is ironic as that is the percentage of breaches detected by people outside their organization. Maybe it’s not their security products that give them confidence, but the quality of their customers or law enforcement who notify them of breaches. But seriously, if we agree that big data can advances security the reason most customers can’t harness that value is that they are waiting for their vendors to deliver, but the vendors are not quite there yet. – AL
3. You break it, you own it: Although it is very far from perfect, one of the more effective security controls in the Apple universe is the application vetting process. Instead of running an open marketplace, Apple reviews all iOS and Mac apps that come into their stores. They definitely don’t catch everything, but it is impossible to argue that this process hasn’t reduced the spread of malware – the number of malicious apps in Apple’s stores appears to be quite low. Contrast this to the Android and Chrome universes, where the more-open marketplaces experience more malware (the core Google Play marketplace doesn’t look horrible, but still experiences many more incidents than Apple). Google appears to be adding automated scanning to new Chrome plugins to reduce the security risk to users, which they already use for Android apps. They are pretty tight-lipped on the details and I assume the scan is automatic because it only adds an hour to the application release process. This is a good start and should be a strong enticement for users to stick to official marketplaces. – RM
4. React slower and worse: We have been talking about reacting faster and better for years. You cannot stop all attacks so you had better be able to shorten the window of exposure and remediate effectively. So why do most organizations still take way too long to find attackers and respond to incidents? It’s a perception issue of course. According to a McAfee survey most internal folks think they respond a lot faster than reality. Perhaps they have a different definition of ‘breach’. Or maybe they are delusional. Either way, until these folks recognize they aren’t performing well enough or spending enough on detection and response (as opposed to flushing money down the detection toilet), nothing will change. Wishing the problem away is not a defendable strategy. – MR
5. Web filtering is a must have: A lot of organizations I talk with are still running basic URL filters to keep their users from browsing porn, but haven’t even touched the process of protecting them from web-based malware. Even though the numbers show that one of the best ways to compromise users is through web browsers – whether via drive-by malware or targeted attacks. Brian Krebs notes Google just released some numbers to back up this assertion. Many compromised sites aren’t as obvious as hackme.com, but legitimate sites and advertising networks compromised as malware hosts or C&C nodes. The best first line of defense is a web-based malware filter (not your desktop), and many of you should take hard looks at cloud options that work well for mobile users, which tend to include more responsive threat intelligence. – RM
6. PII as a fashion accessory: Instead of getting the necktie her fiance ordered from The Gap, a couple received a box full of HR records – which is awesome. They received Social Security information, handwritten resignation letters, doctors’ notes, and salary information and employee records in their entirety for a bunch of former employees. Oops. As far as security and privacy goes, this is akin to the automatic address-filling problem, where you accidentally send confidential email to the wrong people and try to blame your email client. It’s bad but happens when you involve humans. But this is not a call to arms for PII protection and additional legislation, although it’s not clear that Skynet would have made this mistake. I point out issues like this for why we need risk analysis to understand what problems we should respond to and which we should ignore entirely; to date PII does not pose a large enough risk for companies to invest a dime into. – AL
7. Walking in their shoes: It is curious to me that folks (mostly in the Twitter echo chamber) can have opinions about being a security practitioner, or a researcher, or an analyst, or a vendor .. without ever sitting in that seat. Michelle’s on perspective moving from a consulting role to an internal role is interesting. Dropping a report of findings with non-negotiable steps to take may work when you move on to the next client. But it doesn’t work in the real world with competing priorities, limited budgets, and even more limited resources & expertise. As @ternus mentioned above, sometimes you need to be flexible and to sit in the other person’s seat for little for some perspective and context for their decisions. They may well may be incompetent and maliciously ignoring you. But more likely they have a full list of high-priority issues to deal with, and your stuff is somewhere on that list. – MR