Research

Thales released a 2012 survey on encryption spending trends today. In a nutshell, spending was up a modest amount for the first time in several years. From the Deep Dive post: estimated total spending on encryption by all sectors grew by 2.5 percent from 2011 to 2012, one of the biggest jumps in the eight years the survey has been conducted. Thales released the “2012 Global Encryption Trends Study” today. The Ponemon Institute of Traverse City, Mich., surveyed 4,205 individuals on Thales’ behalf. The spending figures were particularly interesting to Thales: “This last year we saw one of the biggest hikes in budgets that we’ve seen for the last seven years or so,” said Thales e-Security’s Richard Moulds, vice president of product strategy. In 2011, businesses and governments spent 15.1 percent of their information technology security budget on encryption. The number jumped to 17.6 in 2012. A couple things to note about this information. For security products not driven by compliance (like PCI) or vulnerabilities that totally disrupt IT (think SQL Slammer), sales typically grow at a rate of 2-3% a year. From our conversations with companies of all sizes, use of encryption is up across the board. However, adoption is mostly for new projects, rather than expansion of existing installations. And in many cases developers are the ones who select free or open source encryption products, not commercial products. They do this so the development process is not burdened by having to get budget or deal with sales droids. This means spending does not go up at the same rate that usage goes up. Still, the encryption market has not seen the sales growth we would otherwise expect – instead people invest in better key management services, or in alternatives to encryption (e.g. tokenization, masking) to protect data. It’s a growing market, but buyers are cautious about how and where they spend their money. Share:

One trend we see coming on like a freight train is the rebirth of security awareness training. Folks are working on content that doesn’t suck and enterprises are finally starting to gather data about how stupid mistakes (such as clicking phishing messages) are decreasing after training sessions. NetworkWorld recently ran an article (in their Insider section, which requires registration – boo!) providing some tips to deal with phishing. The part of the article I found most interesting was a description of how attackers appeal to either greed or fear to entice action. It sounds a bit like marketing to me… “most spear phishing attacks take one of two tacks – they either appeal to human greed or fear. In other words, either they offer money, coupons, discounts or bargains that are too good to be true. Or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or some other scenario in which you are required to enter personal information….or else.” Then there are a few tips about educating users, including having them look at URLs from right to left. Folks who read Hebrew have a clear advantage at this. And other obvious stuff, including not opening files from folks you don’t know, and never providing account credentials to an unsolicited query. Of course all this seems obvious to you and me. It’s too bad it’s not obvious to your employees. Get on board with security awareness training. Or keep cleaning up the mess. Photo credit: “Clean Up or You’re Out! :Brooklyn Street Sign” originally uploaded by emilydickinsonridesabmx Share:

With our last post in this series on Understanding and Selecting Cloud Identity and Access Management, we want to help guide you through product selection. No two customer environments or lists of requirements are the same, but key decision criteria will help you narrow down the field to suitable platforms. We will provide questions to help determine which vendors offer solutions that fit your architecture, a set of criteria to measure the appropriateness of a vendor solution to your design goals, and help walk you through the evaluation process. Your mileage WILL vary Spoiler alert – there’s no such thing as plain vanilla IAM. You may need a solution for customers as well as users. You may or may not need to include mobile devices. You may need fine-grained authorization controls for external applications. There are far too many variables in play for IAM evaluation to be fully quantifiable. But to help you weed out some players, to align your needs with product function, and to give you a handle on major product differentiators, we created the table below. You need to make sure products match your goals. Even IAM suites that can do everything on paper have their own strengths and weaknesses, so make sure you know them before leaping in. As we have discussed, prospective buyers should start with understanding their use cases and governance processes before analyzing the IAM marketplace. That said, here is a proposed checklist for beginning to analyze IAM products: Product Architecture What are the product’s key capabilities? What are the internal data models and formats for identity? What are the external data models and formats for identity? How does the product scale, vertically or horizontally? Development What is the development interface for implementing and extending the product? Is development typically performed by the company or third party consultants? Answer for both development and maintenance phases. What integration is available for source code and configuration management? What languages and tools are required to extend the product by with wrappers, adapters, and extensions? Interoperability What IAM standards are supported and where are they available in the product? What interfaces are standards based and what are proprietary? What directories are supported – Active Directory, LDAP …? What application servers are supported – Websphere, IIS, Tomcat, SAP …? Are cloud applications supported? Which ones? Are mobile platforms supported? Which ones? Product Security What is the product security model? Is Role-Based Access Control supported? Where? How is access audited? Use Case Support Describe the product’s support for provisioning uses Describe the product’s support for Singe Sign On uses Describe the product’s support for attribute exchange use cases What user self-service capabilities does the product support? Cost Model How is the product licensed? Does cost scale based on number of users, number of servers, or something else? What is the charge for adapters and extensions? This checklist provides a starting point for analyzing IAM products. As the evaluation unfolds, it is key to remember what matters: integration, standards, and cost. The buying process works much better if the initial step includes an inventory of IAM sources and targets: where identity is used, and what the authoritative sources are. What IAM processes exist currently, and which and are desired in future? POC FTW Securosis highly recommends a Proof-of-Concept (POC) as a final step for IAM buyers. PowerPoint does not crash much, but new implementations do. There is nothing like seeing a product working in your own environment. If there is more than one vendor in play – and there usually is – then bake-offs can be useful to determine the best fit. But we generally do not recommend bake-offs with more than two vendors. Many vendors take widely different conceptual approaches to IAM problems, and in-depth evaluations are too demanding to perform more than once or twice. Start with an initial review, against our checklist, to weed out unsuitable candidates. Then use a proof of concept to test viability and/or a bake-off to compare a couple similar candidates. Share:

As if the IBM Security Systems folks weren’t busy enough with the RSA Conference last week, they flew directly from San Francisco to Vegas for their annual Pulse Conference. Sure it’s a lot of back-patting and antennae rubbing, but there is usually a good nugget or two from their customer presentations. In this photo one of IBM’s companies highlights 7 reasons it is important to decide on the initial use cases for your SIEM before you buy it. I particularly like a few of them: 1. “Help with vendor selection – evaluate competitive SIEMs against use case criteria and forms requirements for purchase.” When I was in the SIEM space, trying to push 7-figure purchases, it was much easier when we could dictate the terms of the proof of concept (PoC). We’d test stuff we knew would work well, and that competitors couldn’t match. Of course that didn’t necessarily involve solve the customer’s problem. Oh, well. Enterprises should be driving the criteria for purchase and the PoC, and you do that by defining the initial set of use cases that drove the funding of the project anyway. 4. “Companies considering a SIEM should build a use case portfolio before even looking at a technology.” 6. “Understand quick wins/short term successes vs. long term roadmap (where do you want to be in two years).” I cannot tell you how many conversations I have had with folks looking at SIEM, who couldn’t tell me specifically what problem they were trying to solve. The initial use cases are really table stakes for SIEM procurement. It is critical not to choose a technology that will prevent you from doing things (like packet capture) in the future, as your program and needs evolve. But if you don’t have a clear idea what you want to do first, you are very unlikely to succeed. Share:

I think I’m finally waking up. After a week at RSA where I basically don’t sleep – not all bad, mind you – it takes a while to recover. In fact Monday might as well not have happened – I certainly got nothing done. It was not for lack of trying, but I was simply part of the zombie apocalypse – but I don’t want brains, just some Captain Crunch and sleep. Today I had the ‘Oh crap!’ realization – I promised people things last week, and I need to deliver. As much as I’d like to shuffle this stuff onto Rich, he has got a new baby and won’t take my calls. Something about taking it easy and enjoying time with the family. On the subject of the RSA Conference, I have to confess I’m not usually surprised by trends at RSA. If you read out pre-RSAC stuff, you noticed it was clear to us that Big Data and malware were going to take center stage, and those trends did not disappoint. But we are never quite sure whether we are going to run into grumpy vendors spewing forth about their dissatisfaction with foot traffic, booth space, and the lack of quality leads. This year … none of that. In fact most vendors told me traffic was up and, more importantly, prospects were seeking them out. They were happy. It certainly made the week a lot more fun, but happy are a bit like Mike Rothman’s smile – rare and it makes me nervous. The other thing that really surprised me was that every single vendor seemed to be asking for help locating talent. Penetration testers, product managers, marketing managers, engineering managers, researchers – you name it. But I am not aware of any seasoned security people who are looking – quite the opposite. I did not anticipate the security industry hiring so heavily, but that’s a good thing, and another sign that things are humming along. Let the good times roll. You know what else surprised me? The force field surrounding the Huawei booth. Okay, maybe there was no actual force field, but people walking the show floor acted like there was. They kept a curious 2-3’ distance from the booth. Maybe their schwag sucked. Or perhaps it was Huawei’s lack of booth babes. Or maybe people are pissed about the Mandiant report and think of Huawei as part of that whole fiasco. I don’t really know, but most vendors were humming with activity, yet the half-dozen times I went by their booth they were noticeably un-busy. –Adrian On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Our own ‘Mark’ Rothman’s DR post: You’re A Piece Of Conference Meat. snort Adrian’s Pragmatic Database Security Presentation. Favorite Securosis Posts Adrian Lane: Karmic Balance. I have witnessed 25 years of shenanigans, and it has turned out that most wrongs met their karmic opposite at some point. David Mortman: Flash! And it’s gone…. Mike Rothman: Karmic Balance. Yeah, I’m a homer for favoriting my own Incite this week. But it sums up what I’m about. Like most folk I have been scarred and battered and bruised. But I try to make those negatives into positives whenever I can. Other Securosis Posts Understanding Cloud IAM: Buyers Guide. Use cases are your friends. Isolating the Security Skills Gap. Be Careful What You Wish for…Now You’re CISO. Announcing the CCSK UK Train the Trainer Class in April. New Paper: Network-based Threat Intelligence. Friday Summary, RSA Edition: March 1, 2012. Favorite Outside Posts Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry. Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names, in a word: insane. Adrian Lane: Creating and Validating a Sock Puppet. Everyone should have a couple of these. They come in handy. David Mortman: Barn Doors. “Mobile is just an amplification of all the insecure practices you and your company have been using for decades.” – Sing it, sister! Mike Rothman: Cisco CEO: We’re All In On Internet Of Everything. In the NSS (No Sh*t Sherlock) list this week, Cisco decides it’s in their best interest to drive “The Internet of Things.” Duh. But as we wrote in the RSAC Guide, the Internet of Things is something to keep an eye on. Check it out for the hype, but stay around because there will be all sorts of devices connecting to your stuff. Project Quant Posts Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. Top News and Posts Appsec at RSA 2013: nice recap. Oracle Issues Emergency Java Update via Krebs. Details of the February 22nd 2013 Windows Azure Storage Disruption HP Exec: We’re Investing $1 Billion in Big Data This Year Understanding iOS passcode security The Phoenix Project Critics: Substandard crypto needlessly puts Evernote accounts at risk Evernote plans two-factor authentication following last week’s hack Recent 10-Ks mentioning “cyber” incidents Java malware spotted using stolen certificate Google+ Can Be A Social Network Or The Name Police – Not Both Blog Comment of the Week This week’s best comment goes to Matt, in response to Attribution Meh. Indicators YEAH! if for no other reason than becausae he put a lot of thought and effort into it. The greatest significance can be found in this report’s overarching message to China: we see you and we’re doing something about it. This may well represent the catalyst for major geopolitical change. The value of this report is that it will likely disrupt the adversary’s operational capability for some time as corporations bolster defenses. The adversary is no longer a vague term referring to an unknown group somewhere in the world. We’re talking about the government of China. We’re talking about disrupting their

We all knew the Flash was fast. But it seems Apple has made Flash so fast you can’t even use it on your Macs. Well, actually, they put some new protections in to ensure only the latest version of Flash runs on Mac OS X 10.6 and later. In response to frequent exploits being leveraged against the popular Adobe software, Apple has introduced a safeguard that gives Safari users no option but to keep Flash up to date. “When attempting to view Flash content in Safari, you may see this alert: ‘Blocked Plug-in,’” said an Apple notice. From there, Safari users will be able to download the latest version of Flash. Similar to the way Mozilla is working to save us from ourselves, Apple is now getting into the game. How long before the OS and browser makers totally dictate the updating process for plug-ins they can run? Of course that creates an even higher wall around the garden, and the toolbelt community will squeal like stuck pigs. Well, they can configure Gatekeeper not to protect them. For everyone else, it looks like offering help keeping devices updated is a good thing. Photo credits: Flash Before Your Eyes originally uploaded by JD Hancock Share:

My career has been turbulent at times. I know that’s shocking to those of you who know me personally. When I was invited not to come to work at my last job in VA, I already had a good position at a hot start-up in Atlanta lined up. They were well aware of my situation, and once I was a free agent the deal got done quickly. I had one real estate agent selling a house in VA, and another looking for property in Atlanta. Full speed ahead. Then I got the strangest call from my “new” CEO. He said they did a final reference check and a past boss pretty much drove a shiv into my gut. WTF? So now the sure thing in Atlanta wasn’t so sure. And even better, if this guy was talking me down in VA, my odds of getting another job if Atlanta fell through weren’t so good. So I went into damage control mode. I wasn’t going to go down like a lamb, so I came out swinging. I called in every favor I had. I created dissension at my former employer by having folks in all parts of the organization talk to the Atlanta company confidentially to provide a different viewpoint. If I was going to investigate other occupations, it was going to be on my terms. Not because some whackjob CEO was trying to cover his behind as he lost control of his company. And you know what? I got the job. The good guys won. My friends stepped up for me bigtime, and I never forgot that. I promised myself that if I ever knew anyone else getting similarly screwed, I’d do everything in my power to help them. Everything. I’d return the favor when I had the opportunity. A few weeks ago I had lunch with a friend, who told me a story eerily similar to mine. He got caught in the crossfire of a regime change and received the blackball treatment that happens when backchannel chatter is more important than demonstrable accomplishments. My blood was boiling. I knew what I had to do. So at RSA last week I looked for an opportunity to do it. Thankfully one of my clients mentioned he was looking for the skill set my friend possessed. I jumped and put his name into the hat. I also mentioned his predicament and personally vouched for my guy. I called in a favor and asked my client to give him a chance. I don’t know if it’ll work out, but my guy is in the game and that’s all I asked. And when my friend called yesterday to thank me, I smiled. It was a really big smile. Like some type of karmic balance returned to the world, if only for a few minutes. I smiled because I remember being in that spot. I remember how powerless I felt. How a control freak had no control. And I remember how relieved I felt when I learned those folks stepped up for me. But most of all, it felt really good to be able to keep that promise I made to myself all those years ago. My friend asked what he could do for me. My answer was absolutely nothing. This wasn’t about me. It was about righting a wrong and doing the right thing. But I did tell him to pay it forward. Someday he’ll meet someone in the same position and he needs to help. And he will. –Mike TIP A DRINK TO RICH: Let’s all congratulate Rich and his wife Sharon for the successful launch of their latest joint project. The latest addition to the team, Ryan Mogull, was born Sunday night. Rich will be taking some time with the family for the rest of the week, but should be back in the saddle soon. And yes, we are shopping for a Securosis onesie. Photo credits: Switchbox karma originally uploaded by stuart anthony Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading, UK, April 8-10. Sign up now. Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Industrial Phishing Tactics Understanding Identity Management for Cloud Services Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Give a security hobo a pair of shoes: Really great post by Bob Rudis about what he’s calling Security Hobos, the truly small businesses that really have no idea what they need to do. But we have an opportunity to make a difference, like the cop who gave the homeless guy in NYC a pair of boots. Bob points out that these are the kinds of business that put their POS software on the only machine in the business. And yes, that machine will get popped and it will be bad. But rather than just railing about how these folks create problems, Bob makes some actual suggestions for how to help. Do things like speak at your Chamber of Commerce and search out small businesses to offer advice. I talked about returning karmic balance above, and this is another great opportunity to do it. Don’t expect anything in return – do it because it’s the right thing to do. – MR Driving competition: Amazon Web Services (AWS) rolled out a monitoring tool called Trusted Advisor. It is positioned as a performance and security tool, leveraging the intelligence Amazon gathers to help customers tune their environments. Like traditional IT tools playing at security, it’s really operational metrics and tools masquerading as security features. It’s just

It looks like Ray Umerley had a good time at the RSA Conference. Besides seeing pics on the Tweeter of him at the Ju Jitsu gathering, he took some time to document his thoughts about what he saw at the show (RSA Conference 2013: My Takeways). Ray covers security intelligence, and how as you collect more security data, it becomes more important that it be used within a security/risk management program. He points out that we need more quality people in the information security field. I’m going to go out on two limbs here: we need quality people regardless of certification, those with the aptitude, passion, and intellect to excel across multiple security disciplines but also more security people who can apply the business and soft skills to develop into effective leaders. I really feel our resource gap is in the latter more than the former. I question the effectiveness of many of the traditional CISO/CSO and whether we as a profession have evolved to meet the needs and expectations of our organizations. Can I hear an amen? That’s exactly right. We don’t need more bodies. Okay, maybe a few more bodies. But what we really need are quality folks. Inquisitive souls who love learning, but who also have the temperament to handle a job with murky success criteria (at best). Then Ray moves on to flesh out the leadership gap, as well. The security industry is oftentimes very insular, difficult to break into some of the cliques, and we have a frustrating habit of eating our young. What we need to do is continue to nurture and foster a pipeline of security neophytes and intermediates and help them develop into multi-disciplinary security professionals. We as an industry need to continue sharing what we know and paying it forward. Obviously we can’t find enough qualified folks to meet the need, so we need to train them. If you are staff constrained and you don’t have a plan (aside from sending n00bs to a week-long SANS course) to develop your folks in a very structured fashion, you’re doing it wrong. Share:

Hat tip to our pals at TripWire, who do a good job of leveraging the security community to generate interesting and entertaining content. They have a guy named David Spark who roams around the floor at trade shows like RSA and captures video. A recent video asked, What would you do if you became CISO? Responses ranged from “fall off the wagon and drink heavily” to “ask for more budget” to “give myself a big-ass raise.” I definitely like that last one. But an ongoing theme involved updating your resume. That’s pretty funny. Who said security folks are pessimists? Of course the first thought that entered my mind was to grab the hemlock. But after that faded I’d go buy some guy’s book on being a Pragmatic CSO (hint, hint). I guess my advice is to forget almost everything you knew about technology. The position you’re now in is about persuasion and influence. It’s not about configuring firewalls or squeezing another $2-3 per device out of your endpoint protection vendor. There are some entertaining responses in the video, so check it out and get a few laughs. Then get back to work. Things don’t protect themselves, do they? Share:

Clearly the world is not enough. So I’ll be getting my 007 on in the UK in early April to deliver our Cloud Security Training. We have recently updated the curriculum to the Cloud Security Alliance Guidance V3.0, and I have to say it kicks butt. Many of the hands-on exercises have been overhauled, and if you are looking to get familiar with cloud security you will want to check out this class. I am personally training because part of this class will be a third day to train the next group of CCSK curriculum instructors. As authors of the training curriculum, we are the only folks who can train and certify instructors, so a couple times a year we deliver the courses ourselves, live and in person. The CSA is making a fairly serious investment in the CCSK, as evidenced by their recent announcement naming HP as a Master Training Partner. So if you do training, or would like cloud security to be a larger part of your business, getting certified as a CCSK trainer would be a good thing. If you want to become certified to teach, you need to attend one of these courses. And even if you aren’t interested in teaching, it’s also a good opportunity to get trained by the folks who built the course. You can get details and sign up for the training in Reading, UK, April 8-10. Here is the description of each of the 3 days of training: There is a lot of hype and uncertainty around cloud security, but this class will slice through the hyperbole and provide students with the practical knowledge they need to understand the real cloud security issues and solutions. The Certificate of Cloud Security Knowledge (CCSK) – Basic class provides a comprehensive one day review of cloud security fundamentals and prepares them to take the Cloud Security Alliance CCSK certification exam. Starting with a detailed description of cloud computing, the course covers all major domains in the latest Guidance document from the Cloud Security Alliance, and the recommendations from the European Network and Information Security Agency (ENISA). The Basic class is geared towards security professionals, but is also useful for anyone looking to expand their knowledge of cloud security. (We recommend attendees have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity management). The CCSK-Plus class builds upon the CCSK Basic class with expanded material and extensive hands-on activities with a second day of training. The Plus class (on the second day) enhances the classroom instruction with real world cloud security labs! Students will learn to apply their knowledge as they perform a series of exercises, as they complete a scenario bringing a fictional organization securely into the cloud. This second day of training includes additional lecture, although students will spend most of their time assessing, building, and securing a cloud infrastructure during the exercises. Activities include creating and securing private clouds and public cloud instances, as well as encryption, applications, identity management, and much more. The CCSK Instructor workshop adds a third day to train prospective trainers. More detail about how to teach the course will be presented, as well as a detailed look into the hands-on labs, and an opportunity for all trainers to present a portion of the course. Click here for more information on the CCSK Training Partner Program (PDF). We look forward to seeing you there. Share: