Research

It’s easy to believe the hype. You know, that NGFW (Next Generation Firewall) devices will take over the perimeter tomorrow. Get on the bandwagon now before it’s too late. And the anecdotal evidence leads in this direction as well. You see lines around the corners at trade shows to glimpse an NGFW Godbox, and local seminars are standing room only to hear all about application-aware policies which can help you control those pesky users who want to Facebook all day in the office. Of course reality is usually a bit behind the hype. We do believe NGFW technology (application awareness) will have a disruptive and lasting impact on network security, but it won’t happen overnight. Our pals at 451 Group do a bunch of surveys each year to track vendor momentum and buying plans. These show tremendous growth for NGFW. The technology, a fusion of application layer firewalls and stateful firewalls, continues a multi-year run of growth that has seen it rise in ‘in use’ percentage from 26% in 2010 to 33% last year. But are they totally displacing traditional firewalls? Not yet – many organizations start deploying NGFW (and NGIPS for that matter) in a monitoring role right next to the existing firewalls, to provide greater visibility into application usage. This visibility, then control deployment approach has been fairly consistent since the first NGFW devices hit the market a few years ago. …application-aware firewalls are rising as complementary or companion capabilities alongside a primary network firewall, where enterprises still seem to employ solutions from fairly longstanding firewall providers. But that is starting to change. We now hear about folks blowing up their perimeters; forklifting their traditional firewalls; and going lock, stock and barrel into NGFW gear. These are not small networks by the way. As the technology matures and the traditional network security players evolve their product lines to include NG capabilities, we will see this more and more often. That’s a good thing – port and protocol policies don’t provide much protection against current attacks. Photo credit: “No riding on forklift” originally uploaded by Leo Reynolds Share:

They say you can’t go home. What a load of garbage. You can totally go home (unless you’re from Fukushima or Chernobyl). In fact I am writing this week’s Summary in Boulder, Colorado – on a three-week trip to catch up with old friends, play hipster in coffee shops, and change my attitude with a little altitude. Better yet, I am writing this sitting in the Boulder Library while my kids enjoy musical story time. You can always go home – what you can’t do is go back in time. It doesn’t matter if you live within 15 miles of where you grew up, or run off to distant lands like me – time marches on. People leave, restaurants change, and even culture evolves and adapts. The point isn’t how much home changes, but how much you change – or don’t. I am not the same person I was when I arrived in Boulder back in 1989, and that’s a good thing. I’m not the same person I was 8 years ago when I left for a girl in Arizona. Among other things I have 3 kids and can’t spend my free time running off for mountain rescues. I had an awesome life back then, but it isn’t the life I want now. There is nothing wrong with nostalgia, but there is a fine line between reminiscing for days on the past and trying to live in the past. We all have friends stuck in their own personal glory days, making themselves miserable by refusing to move on. I may miss my kid-free freedom back then, but I am living the life I want now, and I would be missing out on the constant stream of amazing experiences my family gives me. Some stores have changed, some bars have changed, and some buildings were updated, but it’s still Boulder. As much as I miss Tulagis, Potters, and Pearls, I would be pathetic if I tried to hang there now, over 40. There seems to be more money in town, but this was always the national headquarters of the Limousine Liberals of the People’s Republic. It’s just as intolerantly tolerant as ever, and after spending time in Phoenix I really do notice the hippies more. (And the hippies still suck). I’m home and loving it. I may not be hanging with my old friends at the old places but I get to take my kids on my favorite hikes, enjoy the surprising number of local restaurants still here, and sneak off for some favorite rides and runs. I am also learning how much better a place this is to be with children than I thought when living here – there are an amazing range of activities, even without popping down to Denver. On that note, I need to take my bike in for service, pick up a new bike trailer for the baby, decide which organic, sustainably fed and ‘humanely’ slaughtered ground bird I will grill for dinner, and arrange a few post-hike microbrew excursions. Yeah, my life is hard. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian presenting next week on Tokenization vs. Encryption. Favorite Securosis Posts Adrian Lane: Bloomberg Pulls a News Corp on Goldman. We have hypothesized about this type of thing happening for a few years – this is the greatest fear of enterprises about cloud services. Mike Rothman: $45M Heist Used a 5 Year Old (at least) Technique. Rich nails it: what’s old is new. Rich: The Onion hack brings tears to my eyes. What’s not to love? Other Securosis Posts Boundaries won’t help GRC. Incite 5/15/2013: Fraud Hits Close to Home. Favorite Outside Posts Adrian Lane: A Saudi Arabia Telecom’s Surveillance Pitch. “What Mobily is up to is what’s currently happening everywhere, and we can’t ignore that.” < That. Governments and enterprise often place more value on your social media communications than you do. Mike Rothman: Warren Buffett: The three things I look for in a person. Adrian and Gunnar are card-carrying Buffett fanboys so I expect them to like this. I love this way to evaluate people: “Intelligence, energy, and integrity. And if they don’t have the last one, don’t even bother with the first two.” Rich: Ricky Gervais on the difference between US and UK humor. Actually, there is a lot in here about how we approach writing about security, and the difference between analytical humor and pure trolling. Dave Lewis: Hear Ye, Future Deep Throats: This Is How to Leak to the Press. Research Reports and Presentations Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Top News and Posts Indian companies at center of global cyber heist. Update on last week’s $45M theft. Bloomberg reporters allegedly used financial terminals to spy on Wall Street. Larry Page I/O keynote: Google CEO blasts Microsoft, Oracle, laws, and the media. Chinese internet: ‘a new censorship campaign has commenced’. Apple deluged by police demands to decrypt iPhones. Skype with care – Microsoft is reading everything you write. Boston judge limits access to Aaron Swartz court records < wagons circling. Blog Comment of the Week This week’s best comment goes to Andrew, in response to Boundaries won’t help GRC. I mischievously ask GRC vendors “who is the intended budget holder, G, R or C?” And often as not, the benefits of GRC tools go to audit. Business lines, as we all know, love to make audit more powerful …. Share:

We are in the school year endgame right now. The kids will be done for the year in 10 days, and then summer officially begins. It is a frantic time in our house – the kids head off for camp in mid-June and we take family vacations before then. There is a lot of stuff to buy, a lot of packing to do, and a lot of quality time to squeeze in before The Boss and I become empty nesters for 7 weeks. One of those tasks is haircuts. It turns out the Boy has my hair. And that means he needs to get it cut. Frequently. I’m not complaining but it requires some planning. If they leave in mid-June we need to get his hair trimmed mid-May, which gives it a month before we get the short camp cut. Yes, we actually have to think about stuff like this. So I took the Boy for a haircut on Saturday afternoon, and my phone rang with a number I didn’t recognize from South Florida. Normally I would let it go to voicemail, especially on a Saturday, but my paranoia kicked in because Mom is in South Florida. When you get to my age you dread calls from numbers you don’t know in South Florida. So I picked up the phone for my friends in Office Depot’s fraud department. No, they aren’t really my friends, but they did me a huge solid by catching a strange transaction. Evidently someone used my credit card and address (with cellphone number) to buy a laptop for delivery to a store in California. They asked if I had bought a computer for $519 that day. I had to laugh because everyone knows you can’t buy a Mac for $519, and I wouldn’t be caught dead with a Windows laptop. Kidding aside, they quickly canceled the transaction and kindly suggested I call MasterCard to shut down my clearly compromised card. Yeah, I was already 2-3 steps ahead. Card was shut down, new card ordered, and fraud investigation underway within 5 minutes. Then came the damage assessment. I checked my personal email account to ensure no funkiness (2FA for the win) and also reviewed transactions on my other financial accounts in case of a larger compromise on my end. All clean, for now. But then I got thinking – which of the zillion online merchants I use got popped? They had my cell phone, so it wasn’t a skimming attack. This involved both card number and address/phone, so it was full-on total pwnage of some merchant. But I never expect to learn which. I can’t be too pissed – I had a pretty good run with that MasterCard number. It lasted 18 months, which sadly is a long time between card credential compromises. I could be angry, but it’s just the way it is. When my new card comes in I will need to spend a couple hours wading through my bills and changing all the automatic charges for monthly stuff. I need to monitor that account much more closely until I am confident everything is clean. In 12-18 months I will need to do it again. At least the merchant didn’t give me a hard time – unlike last time this happened, when someone bought auto parts and had them delivered to an address in my town. Of course it wasn’t my address, but those are pesky details. AmEx did good work on that situation, fortunately. And with that, let me tip my hat to Office Depot once again. Once attackers get a working card the fraud transaction come fast and furious, so they saved me a bunch of angst. Now I need to go by some office supplies from Amazon. Come on, man, you didn’t think this would buy any office supply loyalty, did you? –Mike Share:

Amen to our buddy Paul Proctor, who starts a post, Why I hate the term GRC, with “GRC is the most worthless term in the vendor lexicon.” I couldn’t agree more. 10 years later I still don’t know what it means. Besides everything, as Paul explains: Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I’m losing the battle. The alternative is to try to bring some clarity to its usage by defining some boundaries. Unfortunately boundaries aren’t going to help. As long as Risk or Compliance (the R and C of GRC) continues to have budget line items, we will have both vendors and users dumping whatever they can into the GRC bucket. It’s a funding strategy that has worked for years, and unless there is some miraculous movement away from regulation it will be successful for years to come. Then Paul tries to put GRC tools into a box. Good luck with that. But he makes a good point: “Buying a tool to solve your GRC problems is putting the cart before the horse. For example, if you don’t have risk assessment, buying a GRC tool is not going to give it to you.” I applaud this attempt to provide some sanity to the idiocy of GRC. But that’s too positive and constructive for me. I would rather just bitch about it some more. Which I think I did… Share:

OK, not really. But as Rich pointed out in last week’s Incite (Truth is stranger than satire), The Onion getting hacked, and then the hackers posting stuff that seemed very Onion-like, was one step short of crossing the streams. In less than true Onion form – honest and satire-free –= they go through exactly what happened in a recent blog post, and it was very unsophisticated phishing. Phase 1 seemed random, and only one Onion staffer fell for the ruse. Leveraging that initial compromised account the attackers sent another wave of phishing messages. A few clicked the link but only two actually provided credentials. At that point the Onion folks realized they had compromised accounts and forced a company-wide password reset. But the attackers weren’t done. They were able to send a duplicate password reset email (through yet another compromised account) and they then got control of another 2 email accounts. One of which had access to the corporate Twitter account. Yikes! Hats off to The Onion – these posts are helpful for everyone to learn from the misfortune of others. They have some decent tips in the post as well, including using a dedicated application to access the corporate Twitter account (where you could apply more granular access control) and having email addresses associated with the corporate accounts on a totally separate system to provide account segregation. Rich talked about some other tactics to protect corporate Twitter accounts as well, with two-factor authentication topping the list. Photo credit: “Never again Mr. Onion” originally uploaded by dollen From the New York Post, of all places: Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said. The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised. Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially. Share:

I have never been a fan of large gatherings of people. You would never find me at a giant convention center listening to some evangelist, motivational speaker, politician, or business ‘guru’ tell me how to improve my life. I don’t stalk celebrities; participate in “million man marches”, tea party gatherings, promise-keepers, or any something-a-palooza to support a cause. I don’t have a cult-like appreciation of ‘successful’ people. It has nothing to do with a political or religious bent and I don’t fear crowds – it is a personality trait. To me group-think is a danger signal. I’m a skeptic. A contrarian. If everyone’s doing it, it must be wrong. But it’s not like I never attend large events: AC/DC concerts are a go, and I’ll wait in long lines to get an iPhone. But it’s just as likely to bite you as be rewarding – you know, like the last Star Trek movie, the one with the terrible plot you’ve seen six times, because the cast and cinematography are oddly appealing. Anyway, when lots of people think something’s great I usually walk the other way. So what the heck was I doing at the Berkshire Hathaway Shareholders meeting last weekend? In Omaha, Nebraska, of all places? Forty thousand finance geeks standing in near-freezing rain, waiting for the doors to open at the CenturyLink center to hear Warren Buffett and Charlie Munger talk about stock performance? Are you kidding me? But there I was, with Gunnar Peterson, listening to the “Oracle of Omaha” talk about Berkshire Hathaway and investment philosophy. And it was a bit like a cult – a pilgrimage to listen to two of the greatest investors in history. But despite all my reservations I had a great time. You wouldn’t expect it from the topic but the meeting was entertaining. They were funny, insightful, and incredibly rational. They are politically incorrect and unapologetic about it. They are totally transparent, and as likely to remind you of their failures as successes. And they are more than happy to critique one another for their flaws (I’m certain I have seen these traits at another company before). As much as I have read about Munger and Buffett in the last 18 months – I think I read most of their funny quips before the meeting – there is something about hearing all of it in one place that weaves their concepts into a single cohesive tapestry of thought. You see the core set of values repeated consistently as they answer questions, no matter what the subject. If you are interested in a recap of the event, the Motley Fool blog did an excellent job of capturing the questions and some of the humor. I only started to follow Charlie and Warren about 18 months ago, because Gunnar’s use of sage Charlie Munger quotes got me curious. Now I am hooked, but not because I want investment ideas – instead I am fascinated by an incredibly simple investment philosophy, that involves an incredibly complex set of rational models, that forms the foundation of their decision process. Both men are contrarians – they choose to invest in a method that for decades people thought was a fluke. Berkshire has been called a 6-sigma outlier. They have been derided for not investing in tech companies during the tech boom – a profound critique when you consider Apple, Google, and Microsoft are some of the fastest-growing and 3 out of of 5 of the largest companies in the world. They have been mocked in the press as being “out of touch” when the market was going crazy during the whole mortgage/CDO fiasco. But they have stayed the course, despite fickle and fashionable trends, on their way to become the most successful investors in history. Berkshire is now one of the top 5 companies in the world, but ultimately their approach to decisions is what fascinates me. Had I heard about them during college, and comprehended their message as I do today, I would probably have gone into finance instead of computer science. Oh, before I forget, the majority of the Securosis team will be at Secure360 next week. Mort and I will be presenting on big data security. Ping us if you’re in Minneapolis/St. Paul and want to get together! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Security Implications of Big Data. Favorite Securosis Posts Rich: My “Peak Experience” article in The Magazine. I am really excited about this one, so even though it is technically an ‘Outside’ item I picked it as my favorite post. It’s the story of a mountain rescue I was on over a decade ago, for a really exciting publication, which I am honored to write for. David Mortman: The CISO’s Guide to Advanced Attackers: Evolving the Security Program. Mike Rothman: Some (re)assembly required. Need to show some love for our contributor Gal, who posted his first solo piece on the blog. He makes a great point about never forgetting the data security lifecycle. Adrian Lane: Finger-pointing is step 1 of the plan. Other Securosis Posts Database Breach Results in $45M Theft. Security Earnings Season in Full Swing. McAfee Gets Some NGFW Stones. Incite 5/8/2013: One step at a time. 2FA isn’t a big enough gun. Now China is stealing our porn. The CISO’s Guide to Advanced Attackers: Breaking the Kill Chain. Friday Summary: May 3, 2013. IaaS Encryption: How to Choose. IaaS Encryption: Object Storage. Favorite Outside Posts Rich: White House close to backing FBI’s wiretap backdoor proposal, says NYT. This is a short piece, but insanely important. Backdoors for wiretapping are horrible for security, with a long history of misuse and compromise. David Mortman: Google unveils 5-year roadmap for strong authentication. Mike Rothman: FUDwatch: Armenia. Marcus Ranum determines (with tongue firmly in cheek) that the biggest threat in the known world is… Armenia. Which just goes to show that you can make data say pretty much whatever you want it to. So interpret the breach reports and other data sources carefully, and figure out what you want them to say. Adrian Lane: The State of Web

Big news, big money – hackers stole $45M in a flash attack. They hacked into the bank system, focused on debit and pre-paid cards that lack the usual credit card anti-fraud detection, then made massive rapid withdrawals using mules scattered around the world. Not new. Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and a fourth man, identified only as “Hacker 3,” pooled their talents, and with the help of a worldwide network of “cashers” in more than 280 cities, they were able to walk away with $9 million of RBS WorldPay’s money. The attack, detailed in a federal indictment announced Tuesday by the Department of Justice, illustrates clearly the level of organization and sophistication involved in ATM and payment-card fraud, as well as the difficulty banks face in guarding against these schemes. The scam began simply and came together quickly. In early November 2008, prosecutors allege that Covelin discovered a vulnerability in the network of RBS WorldPay, a subsidiary of the Royal bank of Scotland that handles payroll and other payment-processing transactions for companies around the world. As Gal Shpantzer said in our chat room today: this is the sort of ATM hack that should be in the Verizon DBIR – not necessarily skimming. Share:

From the New York Post, of all places: Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said. The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised. Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially. Share:

There is no single right way to pick the best encryption option. Which is ‘best’ depends on a ton of factors including the specifics of the cloud deployment, what you already have for key management or encryption, the nature of the data, and so on. That said, here are some guidelines that should work in most cases. Volume Storage Always use external key management. Instance-managed encryption is only acceptable for test/development systems you know will never go into production. For sensitive data in public cloud computing choose a system with protection for keys in volatile memory (RAM). Don’t use a cloud’s native encryption capabilities if you have any concern that a cloud administrator is a risk. In private clouds you may also need a product that protects keys in memory if sensitive data is encrypted in instances sharing physical hosts with untrusted instances that could perform a memory attack. Pick a product designed to handle the more dynamic cloud computing environment. Specifically one with workflow for rapidly provisioning keys to cloud instances and API support for the cloud platform you use. If you need to encrypt boot volumes and not just attached storage volumes, select a product with a client that includes that capability, but make sure it works for the operating systems you use for your instances. On the other hand, don’t assume you need boot volume support – it all depends on how you architect cloud applications. The two key features to look for, after platform/topology support, are granular key management (role-based with good isolation/segregation) and good reporting. Know your compliance requirements and use hardware (such as an HSM) if needed for root key storage. Key management services may reduce the overhead of building your own key infrastructure if you are comfortable with how they handle key security. As cloud natives they may also offer other performance and management advantages, but this varies widely between products and cloud platforms/services. It is hard to be more specific without knowing more about the cloud deployment but these questions should get you moving in the right direction. The main things to understand before you start looking for a product are: What cloud platform(s) are we on? Are we using public or private cloud, or both? Does our encryption need to be standardized between the two? What operating systems will our instances run? What are our compliance and reporting requirements? Do we need boot volume encryption for instances? (Don’t assume this – it isn’t always a requirement). Do root keys need to be stored in hardware? (Generally a compliance requirement because virtual appliances or software servers are actually quite secure). What is our cloud and application topology? How often (and where) will we be provisioning keys? Object storage For server-based object storage, such as you use to back an application, a cloud encryption gateway is likely your best option. Use a system where you manage the keys – not your cloud provider – and don’t store those keys in the cloud. For supporting users on services like Dropbox, use a software client/agent with centralized key management. If you want to support mobile devices make sure the product you select has apps for the mobile platforms you support. As you can see, figuring out object storage encryption is usually much easier than volume storage. Conclusion Encryption is our best tool protecting cloud data. It allows us to separate security from the cloud infrastructure without losing the advantages of cloud computing. By splitting key management from the data storage and encryption engines, it supports a wide array of deployment options and use cases. We can now store data in multi-tenant systems and services without compromising security. In this series we focused on protecting data in IaaS (Infrastructure as a Service) environments but keep in mind that alternate encryption options, including encrypting data when you collect it in an application, might be a better choice or an additional option for greater granularity. Encrypting cloud data can be more complex than on traditional infrastructure, but once you understand the basics adapting your approach shouldn’t be too difficult. The key is to remember that you shouldn’t try to merely replicate how you encrypt and manage keys (assuming you even do) in your traditional infrastructure. Understand how you use the cloud and adapt your approach so encryption becomes an enabler – not an obstacle to moving forward with cloud computing. Share:

Most folks think you need to be a day trading financial junkie to have any interest in quarterly earnings releases and/or conference call transcripts. But you can learn a lot from following the results of your strategic security vendors and companies you don’t do business with, but who would like to do business with you. You can glean stuff about overall market health, significant problem spaces, technology innovation, and business execution. For instance, if you are thinking about upgrading your perimeter network security gear you have a bunch of options, most of them public companies. You cannot going much about Cisco, Juniper, IBM, Dell, or HP through their conference calls. Security is barely a rounding error for those technology behemoths, although a company like Intel does talk a little bit about its McAfee division because it is key to its growth prospects. But if you pay attention to the smaller public companies, such as Symantec, Check Point, Fortinet, Palo Alto, Sourcefire, Imperva, Websense, Qualys, etc., you can learn about how those bigger companies are competing. You need to keep in mind that you get a very (very very) skewed perspective, but it provides some ammo when challenging sales reps from those big companies. You can also learn a lot about business. How certain channel strategies work, or don’t work, which can help optimize how you procure technology. You can get a feel for R&D spend by your key vendors, which is important to the health of their new product pipelines. You should also read the Q&A transcripts, where investment analysts ask about different geographies, margins, product growth, and a host of other things. This information cannot help you configure your devices more effectively, but it does help you understand the folks you do business with, and feel better about writing big checks to your strategic vendors. Especially when you know the big deal they mention in the conference call is you. Here is a list of transcripts for the major publicly traded security companies. And if your favorite company (or the one in your 401k) isn’t here, it’s likely because they haven’t announced their Q1 results yet (like Splunk), or they may still be private. Symantec FQ4 2013 Earnings Call Transcript Check Point Q1 2013 Earnings Call Transcript Fortinet Q1 2013 Earnings Call Transcript Sourcefire Q1 2013 Earnings Call Transcript Qualys Q1 2013 Earnings Call Transcript Imperva Q1 2013 Earnings Call Transcript Websense Q1 2013 Earnings Call Transcript Proofpoint Q1 2013 Earnings Call Transcript SolarWinds Q1 2013 Earnings Call Transcript VASCO Data Security Q1 2013 Earnings Call Transcript Zix Q1 2013 Earnings Call Transcript That should keep you busy for a little while… Photo credit: “scrooge-mcduck” originally uploaded by KentonNgo Share: