Research

The summer conference season has begun, and for those of us living in Phoenix, going to conferences is a great way to get out July’s blast furnace heat. I’m heading out tomorrow to the Cloud Identity Summit in Vail, Colorado. I’m not speaking – just going to hang out and learn. And there is a lot to lean about with new developments in identity management. Many of the basic tools are not actually new – SAML has been around for about a decade – but the rate of product evolution in this field is frankly staggering. How products are being deployed for cloud and mobile – and how authentication, authorization, and provisioning work together in these environments – are new. I expect to see wholesale changes in how we use and consume identity in the coming years – be it cloud, mobile, or whatever. So we have decided we need to increase coverage in this area, to aid IT in understanding how to approach identity management projects, and to dig into some of the technical details of how developers should approach implementation. Rich and I will be doing a lot of blogging on this topic in the coming months, and Gunnar Peterson and I plan to publish research on the ins and outs of cloud identity late this summer, so stay tuned. My goal is to do a little blogging while I’m there, about what’s new and interesting. If you plan to attend let me know so we can meet up! Share:

Adrian here, and happy Friday the 13th! It’s been a week since Independence day, and it feels like it’s been a month. Mike wanted us to comment on our feelings about Independence Day and what freedom means to us. For me that was easy. As as I usually do, I worked on Independence Day. Always. It’s not a day off. To me, taking time off is anathema to independence. I celebrate independence by working, because working is what earns me the right to be free. I’m long past the age of military service to my country, so I serve it by trying to build and contribute. And at this moment I feel very lucky to have the opportunity to work and make a living, and great business partners to work with. There is always a boatload of stuff to do here at Securosis, so I have been quietly ‘celebrating’ my independence by finishing up a bunch of writing. It may sound weird, but that’s just me. It’s also odd, given the amount of writing, that what makes the Friday Summaries fun is that I get to write about whatever captures my interest. This week it’s something that popped up in a Fast Company article, The Many Pivots of Justin.tv, a couple weeks ago. The comment that has been running through the back of my mind is “Free and easy streaming poses a particular threat to sports, whose broadcast rights are so valuable, and so perishable”. Content security was one of my first challenges in security, and has proven unsolvable. I think it’s absolutely fascinating, how technology keeps changing this debate over and over again before our eyes, and to me that quote captures the essence of the entire content security battle. The value of sporting events is ephemeral. Most people won’t watch a game after they know the results, and vanishingly few events have a shelf life longer than a few days. But in order for companies to make money from that content, they need to get it to the consumer – and that is the problem. It’s one of the very first things I learned in security: You can protect digital media, or you can use digital media. It’s one or the other. Try to do both, and you are only as secure as your least trustworthy audience member. So when you send a sporting event to 200,000,000 people, someone will do something you don’t like. You know, record a game, or show sports at a bar. It’s probably difficult to remember, but professional sports are broadcast free of charge. Every week, in every major US city, professional sports games are broadcast over radio and television. These are available free of charge. When cable TV and satellite providers came along, they offered a more reliable picture, and some additional channels, for a fee. They would love for you to forget that there are free broadcasts, and that you are really paying for the distribution network that moves someone else’s content – which may or may not be freely available elsewhere. I bring that up because streaming live sporting events over the Internet is just the technology challenge du jour to closed systems such as satellite and cable TV. Tomorrow it could be iPhones. If 30 years ago rabbit ears had been 1,000 times more sensitive, there would be no cable networks today. If suddenly Sutro Tower in San Francisco was broadcasting at 200,000,000 Watts, you would likely see Bay Area sporting events everywhere in the country – free of charge. And despite over-the-air broadcasts being the de facto model 30 years ago, either technology advancement I described could be legal or illegal today – depending on the wishes of the content owner. Ultimately, if content is being used in a way its creator does not approve of, that’s copyright infringement. If they approve of it, as with Slingbox, it’s okay. If it’s Justin.tv or anyone else, they don’t. The difference is in control. While copyright laws make sense logically, when you physically broadcast media, right or wrong, you lose control. Consumable media cannot effectively be secured. It’s a losing game, but one with huge money at stake. As a content producer myself, I totally back the rights of the people who produce television – especially sporting events. What bothers me is the deep levels of greed from the people who run the distribution channels – who all believe they are losing money to ‘pirates’, and are attempting to criminalize what’s broadcast for free over the air, because they think they are being cheated. They’re all thinking that those 27 million viewers on Justin.tv must be their audience and so they are all mentally dividing up the same pile of virtual money they should be earning. But in reality it’s a new audience, one that only exists with a combination of lower cost and higher convenience. What broadcasters should be doing is looking for a way to monetize the broadcasts before content creators go direct to consumers. You know, like local over-the-air broadcasters did with advertising? They should be thanking Justin.tv for building a market for them to take advantage of, and looking for ways to charge advertisers for the feeds going out. This will be a recurring battle for the next, well, forever. Technology will advance. People will innovate. Markets will evolve to become more efficient. And people who want their sports will look for the best, cheapest, and most satisfying way to get it. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on iOS Security. Adrian’s Let’s Ask “Why?” at Dark Reading. Mike’s Dark Reading Column: Flame’s impact on Patching. Adrian’s 15 Ways to Get More From Log Files on Dark Reading. Favorite Securosis Posts Mike Rothman: Q1 Vendor Newsletter. We launched a quarterly newsletter for our vendor retainer clients. Here’s the inaugural piece, and it kicks butt. The recently completed Q2 version is even better (hint, hint)… Rich: Mike’s latest on endpoint malware

As long last (OK, maybe not that long), we have assembled the Evolving Endpoint Malware Detection series and packaged it as a paper. You can check out the landing page to find out more, but this description sum it up: The good news is that endpoint security vendors recognized their traditional approaches were about as viable as dodo birds a few years back. They have been developing improved approaches – the resulting products have reduced footprints requiring far less computing resources on the device, and are generally decent at detecting simple attacks. But as we have described, simple attacks aren’t the ones to worry about. So we will investigate how endpoint protection will evolve to better detect and hopefully block the current wave of attacks. We would like to thank Trusteer for licensing the content in this paper, and keep in mind that your work is never done. The bad guys (and gals) will continue innovating to steal your data, so your detection techniques need to evolve as well. Direct Download: Evolving Endpoint Malware Detection (PDF) For those of you interested in the raw material, here are the posts that made up the series: Control Lost Behavioral Indicators Providing Context Controls, Trade-offs and Compromises Share:

Last week we celebrated Independence Day in the US. It’s a day when we reflect on the struggles of our forefathers establishing the country, the sacrifices of the Revolutionary War, and what Freedom means to us all. Actually, most folks gorge on BBQ, drink a ton of beer, and light fireworks imported from China. Which I guess is another interpretation of freedom. I thought it would be great for each of us Securosis guys to describe what Freedom means to us for last week’s Incite. Alas, the best laid plans got derailed when it got to be late on Tuesday and I wanted to start my holiday. No Incite for you. Adrian put everything in context by remarking, “You are free not to do it.” Nice. But here’s the deal – I take freedom for granted, and if you live in a free society, you probably do too. I don’t think about the struggles involved in maintaining a free society. A couple times a year (you know, Memorial Day), I remember the brave military folks away from their families making sure my biggest issue is which Starbucks I choose to write at that day. The Boss and I try to impress upon the kids how lucky they are to live in a free environment. They learn about the Holocaust to see the worst in people. They’ll also read and hear about other oppressive regimes, and be thankful for where they were born. But if I’m being honest with myself, I haven’t felt free for most of my life. A conversation I had recently with Mike Dahn reinforced that. I was captive to my own expectations. Regardless of the fact that I could do anything (besides break the law, I guess), I always felt a responsibility to do what was expected of me. I compared myself to some vision of what I should be. What I should achieve. But that vision was only in my head. It wasn’t like my folks told me what to do. All those expectations made me feel like a failure, even though I achieved quite a lot. That epiphany became the impetus for my Happyness talk. I wasn’t until I let go of those self-inflicted expectations that I’ve been able to make strides toward being happy. Of course, I have good days and not so good days, like everyone else. But tossing my own expectations has given me the freedom to live my life – not anyone else’s. Not setting specific goals means I can enjoy the journey, not fixate on how far I have left to go. The US celebrates Independence once a year. But I get to celebrate my own Independence every day. And I don’t plan on taking it for granted. –Mike Photo credits: Independence, Oregon originally uploaded by Doug Kerr Incite 4 U It’s not the message, it’s how you say it: Sometimes you read something that hits very close to home. Bejtlich’s perspective on the importance of how you deliver the message resonated. The Boss chides me all the time about the fact that no matter what I’m saying, the kids shut down because I’m barking at them. “But they don’t listen! I need to get their attention,” I respond. And she just laughs. No matter what I say, they only hear more yelling. So when Rob Westervelt said a panel at an April security conference got contentious, clearly the folks in the audience didn’t get the message. It’s not that any of the panelists were wrong, but if you don’t package the message in a way that will get through to the other party, there is no wrong or right. Only wrong. So keep that in mind next time you present to business folks or chastise a user for doing something stupid. – MR The cloud is down. No it isn’t. Yes it is: Last week there was another cloudastrophe when Amazon AWS had an outage in their main US data center. The root cause was a combination of weather and a failure in their emergency power procedures. I don’t overly blame them, since it’s really hard to effectively test every scenario like that. But it’s a reminder that not only can the cloud go down, but it can be difficult to architect availability for such a complex system. Extremely difficult, as Netflix shared in a killer post discussing why they went down. Now, for the record, this was a major personal disaster because my 3 year old couldn’t watch “the Apple TV” (which also had a “rough morning” Tuesday due to low bandwidth). This isn’t a security failure but it does highlight the complexity of fully moving to cloud and how that impacts fundamental design and DR/BC scenario planning. Security is no different than availability and we are all going to learn some of these lessons together the hard way. – RM No access, no problem: Brandon Williams asks how do we arm small and medium businesses (SMB) for the change in threat landscape with the switch to EMV cards? His premise is that if the EMV credit card format comes to the US, we expect to see a shift from “card present” to “card not present” (i.e., Internet sales) fraud, mirroring the trend in Europe. The cards are harder to forge, the terminals perform some validation, and the infrastructure supports real point to point encryption instead of the mockery we’ve seen for the last decade or so. But does that mean SMB is at a disadvantage? I don’t think that’s the case. The terminals are expensive, but SMBs have lower overall switching costs to EMV. By combining it with tokenization, they have removed sensitive data from their environments, and pushed much of the liability back on payment processors by not being privy to payment data. Logically there is little difference between an Internet sale and an EMV transaction – payment gateways offer plug-ins and edge tokenization services perform equivalently to EMV without a card reader. As the merchant

We send a quarterly newsletter out to vendor clients as part of our retainer program. Here’s the introduction, which describes how we view the newsletter: Welcome to our inaugural vendor newsletter. This is where we talk about all the things we see during the course of our daily research. Trends, analysis, data, and whatever we think will help you – at least the stuff we can share! As industry analysts we see the good, bad, and ugly of everything from pitches, collateral, and messaging, to how products are used and abused in the field. Our goal for these pages is to highlight what works, what doesn’t, and give you insight into what we’re seeing out there, including the latest trends and data. Sometimes we will use this space to call out folks, but all in good fun – and always with the goal of educating everyone about what we think works. We’ll also highlight good stuff when we see it – don’t worry… this won’t be all snark. Yup, it’s the newsletter you’d expect us to write. We sent out the first version at the end of Q1, so we figure enough time has lapsed that we can share it with everyone. You can download the full newsletter (PDF) and check it out. As if you needed another reason to become a retainer client… Share:

Rich here. I’m starting to think I might be dealing with a bit of burnout. No, not the “security burnout” that keeps cropping up on Twitter and in blog posts, but a bit of a personal burnout. I just find myself lacking a bit of general enthusiasm and creativity that usually keeps me plowing away at a productive rate. This burnout doesn’t have anything to do with security. I still freaking love our profession, even if some of our debates are getting a bit stale. We are long past the early days of the social dialog created by blogs, Twitter, and podcasts. So our discussions lack a certain freshness as we beat postmortem horse after postmortem horse. It also isn’t related to my job, which is freaking awesome. Aside from the usual advantages of working for myself, I have a flexibility I still can’t believe is possible. It stuns me that our business model works, because we seem to be doing everything independent analyst firms supposedly cannot get away with. Seriously, it doesn’t make sense – not that I’m complaining. Plus, how many analysts get to manage software projects and build technical labs? Personal life? All is good there. Awesome wife and kids. I get to race triathlons despite a full time job and young kids. Although I won’t lie – I could get out of the house a little more (aside from my workouts). A little social interaction somewhere other than a security conference won’t hurt. But as I write this I realize what the problem might be. I am seriously freaking tired. Bone weary, can barely function from day to day tired. The culprit? A cute little three year old and her younger sister who have taken to waking us up at 5am every day. For 3 years. And they demand constant attention every waking hour. I know I’m far from the first to go through this, and those of you with older kids can stop grinning with the superiority of someone who managed to swim to shore after the Titanic went down. I’d appreciate it if you would just quietly enjoy my pain and keep it to yourself. Aside from the lack of sleep, I also realized that Securosis has now been in business almost exactly five years. It all started in a Margaritaville during Black Hat when I got the word my condo in Boulder had sold and I now had enough financial runway to survive for 6 months. Ask Chris Hoff – he was there and didn’t believe me when I said I was resigning from Gartner the following Monday (he also hooked me up with my first project, which didn’t hurt). I had wanted to do something different for a while, and that cash cushion was exactly what I needed. But 5 years is 5 years and I am fully willing to admit that some of the enthusiasm of that first year has worn off. It isn’t new or different anymore, even though I get to do new and different things almost daily. Okay – so I’ve identified two problems, and I’m not the kind of person to sit back and wait for change. Step 1 is getting one of those “okay to wake” clocks for the kiddo. They have lights that change color when it’s okay to get out of the room in the morning. The thought of sleeping in until 6am consistently is more exciting than… well, pretty much anything. Seriously, far more exciting than even my various teenage male fantasies. After that? Time to pull a Rothman and get out of the house and work at coffee shops a bit more. I love the cats, but they don’t give a crap about oracle padding attacks or cloud APIs. I need to get a little creative with the research and writing again, and that probably means slowing down the day to day distraction schedule and turning off RSS and Twitter. Those two things and launch our damn SaaS product finally. I’m pretty sure every day will be new and interesting again when I suddenly have to support customers and start acting like a software company. Oh, heck, just watching Rothman’s head explode when he realizes he’s a vendor again will give me at least a month or two of daily amusement. And if that comes with 8 hours of sleep and a good workout every day? So much the better. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich’s monstrous sandboxing article at TidBITS. Adrian’s 15 Ways to Get More From Log Files on Dark Reading. Mike’s monthly Dark Reading blog: Time to deploy the FUD weapon?. Rich in a New York Times blog on Apple. Favorite Securosis Posts Rich: Mike’s Can You Stop a Targeted Attack?. Mike: Returning the favor, Rich’s Thoughts on Active Defense, Intrusion Deception, and Counterstrikes. Mike (again): Answering Questions about Sandboxing, Gatekeeper, and the Mac App Store – It’s not really an internal post but Rich wrote it, so it counts. A great overview of what Mountain Lion adds from a security standpoint. Adrian: And here I thought Empty Nest was the best post for the analysis. Other Securosis Posts Incite 6/27/2012: Empty Nest. Understanding and Selecting Data Masking: Buyer’s Guide. Favorite Outside Posts Rich: Dennis Fisher’s LeBron James, Advanced Attackers and the Best Man Theory. Nails it, and boy does Dennis show off his background as a sports writer! Mike: Nora Ephron’s 1996 Wellesley Commencement Speech. A must-read, especially if you have daughters. Brutally honest about herself, her life, and the state of society back in 1996. Adrian: From a security standpoint, Rich’s monstrous sandboxing article at TidBITS was a really good read, but the most thought provoking was The Many Pivots of Justin.TV – a couple weeks old but I just ran across it. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find

The question of stopping targeted attacks has been on my mind for a while. Of course my partners and I have to suffer through far too many vendor briefings where they claim to stop an APT with fairy dust and assorted other black magic. But honestly, it is a legitimate and necessary question. Ever since Google came clean a few years back about Aurora, and everyone then acknowledged the persistent, likely state-sponsored attacker as a class of adversaries, vendors have been APT-washing their stuff trying to convince anyone who would sit still that their run-of-the-mill IPS or endpoint protection product had a chance. Basically this rash act was necessary to keep the cash cow hemorrhaging money, even in the face of mediocre (or worse) efficacy of existing controls. But here is the thing these vendors missed. Very few of the adversaries most organizations face are advanced or persistent. Most are today’s version of script kiddies trying to smash and grab their way out of the despondency of their existence. It’s much easier and more lucrative than robbing a bank, after all. So most existing controls still have some role to play in tomorrow’s defense. But we all know existing controls are not sufficient. Yet targeted attacks do exist, and the legitimately advanced attackers are now targeting further afield to achieve their objectives. They are attacking the supply chains of their targets to gain deeper footholds, earlier. And now that we have a better idea of the tactics they are using, we start to see offerings built very specifically for these kinds of attacks. I won’t say we’re seeing real innovation yet, but lots of vendors are learning and evolving their offerings to factor in this new class of attacker. Unfortunately it’s still way too early to get a feel for whether real innovation is happening (or will happen), or whether this is just a classier version of APT-washing. Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff. As Mandiant described in a blog post that has since disappeared from their site (wonder if they’re now doing work for Global Payments, hmmmm), the folks at Global Payments evidently found the first breach themselves by monitoring their egress traffic and seeing stuff they didn’t like leaving their network. Was it too late? Of course. But it’s a hell of a lot better to catch it yourself than to hear from your payment processor or the FBI that you have a ‘problem’. We will see a lot of new stuff, as everybody tries to get ahead of attacks – even targeted ones. But it’s career-limiting to plan on stopping them; so we still push investment in monitoring, forensics, and response – even in the presence of new and innovative protections. Or is “Can you stop a targeted attack?” the wrong question to even ask? Photo credit: “Bullseye” originally uploaded by bitsofreality Share:

Be quiet. Be vewy vewy quiet. Now listen. What do you hear? Listen very closely. Do you hear anything? No? That’s exactly the point. The Boss and I woke up yesterday morning to the sound of nothing. No grumbling about having to get ready for school. No kvetching about ill-fitting bathing suits, and no asking for this play date or that activity. No crappy Disney Tween shows blaring from the TV. No nothing. The house is quiet. On Sunday we put the kids on the bus for sleepaway camp. Barbarians that we are, we ship the kids off to Pennsylvania every summer. The girls go for 6 weeks. The Boy is going for 4 weeks, as it’s his first summer away. So for the first time since XX1 was born, we will have the house to ourselves for longer than a day. Will we miss the kids? Of course. We huddle around the laptop every night and look for pictures posted on the camp website. We dutifully write them letters every day. Well actually, we type the letters into a website, which then prints a copy for delivery to them. We’ll trudge off to the mailbox every day, hoping we got a letter. But we will also enjoy the time they are away. We’re going to see Earth, Wind and Fire tonight – and we don’t have to worry about arranging for a baby sitter. We may take a long weekend at a nearby resort. Or we might not. We can sleep late. We can work late. We can go to the pool at 2pm if we feel like it. We can BBQ on Wednesday, and I could party on Friday night, knowing that I don’t have to wake up early to take a kid to a game or activity. Best of all, I can spend quality time with the Boss without the constant crushing pressure of being the involved parents of active kids. We don’t have to worry about who’s making lunches, or picking up from the dance studio, or folding the laundry. Two adults don’t really generate that much laundry. These quiet times also prepare us for the inevitable, when the kids leave the nest. Lots of parents forget to have their own relationship because they are too busy managing the kids. Not us – for here on, our nest will be empty every summer. We are painfully aware that the kids are with us for a short time, and then they will live their own lives. And 6 weeks every summer is a big chunk of their summer vacation. Like everything, it’s a trade-off. Ultimately the decision is easy for us. They learn independence and how to function as part of a group, without their parents telling them what to do. We take very seriously our responsibility to prepare our kids to prosper in the wide world, and I don’t think there is a better place to apply the skills we teach them than at summer camp. It’s also great for the kids. On the first day we have seen the boy at the pool, at the lake doing paddle boats, at the firing range, playing basketball, and watching some kind of show put on by the counselors. That was one day. So as barbaric as it may seem to send our kids away for that long, there is no other place they’d rather be every summer. And that’s a win/win in my book. –Mike Photo credits: Empty Nest originally uploaded by Kristine Paulus Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently under way. Remember you can get our Heavy Feed via RSS, with all our content in its unabridged glory. And you can get all our research papers too. Understanding and Selecting Data Masking Buyer’s Guide Use Cases Pragmatic Key Management Choosing Your Key Management Strategy The Four Enterprise Key Management Strategies Evolving Endpoint Malware Detection Controls, Trade-offs and Compromises Providing Context Incite 4 U Blue Horseshoe loves threat intelligence: For a long time, the reactive approach to doing security worked well enough. But the past few years, not so much. So large organizations, with significant security infrastructure, have started to try to learn a bit about attackers before they attack. Wait, what? You mean an intel type function, which requires investment? Yup. So not only are we seeing a re-emergence of vulnerability trackers like iDefense, but also some new business models based on using intelligence to deceive attackers (as described in Dark Reading), or buying up zero-days to share with the good guys (Aaron Portnoy’s new shop, Exodus Intelligence). We love content, and cannot be happier that we’re finally seeing security content valued on its own merits – not just as part of a widget. – MR The future of software: We see continuing evidence in support of the assertion made by Red Monk’s founder Stephen O’Grady: Large software firms will be making money with software rather than from software. And I totally agree with that statement! While the main thrust of the post is to argue that Microsoft’s share price has suffered from poor choices in direction and lack of innovation, the really interesting aspects highlight the competitive forces within the software industry. In part it’s the transition from desktop, to web app, to mobile app, but it’s also about growing adoption of Software as a Service (SaaS) and what I consider the real long-term direction for back office applications: Platform as a Service (PaaS). Many of his observations are solid, but the dim picture he paints for Microsoft and other software vendors fails to account for their mobile and PaaS efforts, or the pricing pressures these larger software vendors will inflict on the rest of the market when they start offering the entire back office stack – including hardware and service – for a single price. Apple’s – and to a lesser extent Google’s – more consumer-oriented cloud service models

The final installment in our masking series closes with a simplified buyer’s guide for product selection. As with most security product buyer’s guides, we offer a fairly involved process to help customers identify their needs and evaluate solutions against each other. These guides address the difficulty of getting all stakeholders to agree on a set of use cases and priorities, which is harder than it sounds. We also offer guidance on avoiding pitfalls and vendor BS. Of course you still need to ensure that your requirements are identified and prioritized before you start testing, but the process with masking technologies is a bit less complicated than with other technologies. The field of vendors has dwindled rapidly for one simple reasons: Customer requirements are narrowly defined along a few principal use cases (test data management, compliance, and database security), so most masking platforms focus their solutions along these lines. Only a couple full-featured platforms provide the necessary deployment models and sufficient database coverage to compete in all cases. But we often see a full-featured platform pitted against others that focus on a single use case, because not every customer needs or wants every possible capability. So don’t focus solely on ‘leaders’ in whatever analyst reports you may read, but cast your net across a wider group of vendors to start your ‘paper’ evaluations. That should give you a better idea of what’s available before you conduct a proof of concept deployment. Define Requirements Over and over again, we see dissatisfaction with security products stemming from a failure to fully understand internal requirements before product selection. We understand that it is impossible to fully evaluate questions such as ease-of-use across an entire organization before a product is in full deployment. But unfortunately, more often the real issue is lack of understanding of both the internal expectations for the product and where the organization is headed. So defining needs and getting input from all stakeholders are necessary for a successful product evaluation and selection. Create selection team: Even small firms have at least the technically-focused security and IT operations groups cooperate during the selection process; but typically different business units, along with risk, audit, and compliance have input as well. Identify the major stakeholders and designate a spokesperson for each group. Define what needs protecting: You need to identify the systems (file servers, databases, etc.) and data types to be protected. Summarize what the data is and how the systems are used, and map desired data flow if possible. Define how data will be protected: Map your protection and compliance needs to the systems, processes, and data from the previous step. Accept input from each stakeholder on the security and compliance requirements for each data type, and the risk or criticality of that data. Design your ideal deployment: Now that you have an understanding of what needs to be protected and how, document the specifics of integration and deployment. Determine what masks are appropriate for each data type, how data flows through your systems, and where your integration points should be. Define tests: Determine how you will verify that vendors meet your requirements. Decide what samples data sources and data types need to be tested. Confirm that adequate resources are available to thoroughly test the system. Pulling an old laptop from a drawer or an older server from a closet to run tests on is a way to ensure failure. Determine and assign responsibilities for who will test and who will evaluate the results. Tier the tests so the most critical elements are tested first, to weed out unworthy products as quickly as possible. Finally, figure how you will validate the efficacy of the masks, and whether they are genuinely producing suitable results. Formalize requirements: At this point you should have a very clear picture of what you need, so it’s time to document some of your requirements for a formal Request For Information (RFI) and Request For Proposals (RFP) to identify which vendors offer appropriate solutions, and then select the ones that best match your requirements for further evaluation. You should also have a good idea of your budget by this point – it will help guide your selection, and may force a phased deployment. Vendor Selection Deployment Architecture: Architecture is key because it determines compatibility with your environment. It also directly correlates with performance, scalability, management, and ease of deployment. Centralized masking servers, distributed deployments, on-database masking, and agents are all options – but which is best depends entirely on your environment and how you want to deploy. So testing your deployment model across sufficient systems is essential for developing a good idea of how well the masking solution fits your environment. Platform coverage: Verify that the vendors support the relational and quasi-relational databases you need, as well as their ability to work with the applications and file servers you wish to integrate with. This is typically the first area where vendors “wash out” of the evaluation, when they don’t adequately support one of your critical platforms. You should review vendors’ published support matrices, but we suggest you also test your critical platforms to make sure they work to your satisfaction. How data is collected and managed varies from vendor to vendor, and how well each solution works with different database types can be an eye-opening comparison. Use, customization, and management: Test the day-to-day tasks of adding data sources, performing discovery, adding masks, and customizing reports. You will be living with this UI and workflow on a daily basis, so ease of use is a major consideration. If the product is annoying during the evaluation process, it is unlikely to become more pleasant with familiarity. Poor user interfaces make administrators less likely to tune the system, and poor workflows are more likely to cause mistakes. Ease of use is rarely listed as an evaluation criterion, but it should weigh heavily in your choice of platform. Scale and performance: Vendor reported performance and real world performance are quite distinct, so you need

I have been wanting to write a bunch of blog posts for the last few weeks. No, not the heavy research work we have been in up to our eyeballs, but about some of the strange and interesting stuff currently been reported. We used to do a lot more commentary and I miss it. I have a little time this Friday, so I though I would comment on a few of the past week’s articles I think warrant discussion – in many ways as interesting for what was not discussed. Here we go: The first was Google saying that the Internet is a Dangerous Place. OK. Why? Actually, “Why Now?” is a better question – Google has been making a lot of noise lately about security and privacy. I have been getting a dozen or so Google Safe Browsing warnings when visiting web sites, where Safe Browsing has supposedly detected ‘malicious’ or unreliable content. The problem is that every single one of the alerts was bogus! If you look at the details of why Safe Browsing thinks the site is bad, you ll find that all the checks Google lists were passed without detecting any unusual certificates, scripts or content. Take a look at the JavaScript or anything else in the page source, and everything looks sound. I instinctively tend to agree with Google’s assertion, but when I look at the basis for their claim, my own experience with Safe Browsing’s complete unreliability makes me question its validity. I don’t think their assertions are based on solid data. Amrit Williams made a similar tweet a couple weeks ago, saying “Chrome should just be called ‘Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.’”, and The New York Times ran an article on the same subject. My problem is not that I believe or disbelieve the existence of state sponsored censorship, but I don’t understand the recent hype. It appears to be all FUD, but what is the point? Why is Google being so noisy about security and data integrity? The cynic in me believes that they must be positioning security as a value add, or possibly looking for a legal angle to keep data pure – otherwise why the sudden clamor for attention? Which leads to the second post I found very interesting, on Bruce Schneier’s site, called Apple Patents Data-Poisoning. It appears that the US Patent and Trademark Office believed that poisoning profile data was novel and granted Apple’s patent request. In 2004/2005 I used to provide prospective customers for database activity monitoring a demo script to run against competitive products. The script would simply push SQL queries to both real and non-existent databases over the network. None of the queries would execute successfully because they we not actually part of an active database session. But competitors’ network monitors only looked for SQL queries on any known database port – without regard for whether they were actually going to a database – the monitor would capture all this fake activity. I could poison competitors’ logs with bogus activity, or flood it with false positives. It was a terribly effective way to demonstrate how early database monitoring products that watched network activity sucked. But I would never have tried to patent that idea – it feels like trying to patent network packets: good packets and bad packets are just normal network traffic. Similarly I would not patent my attempts to create “False Adrian” by showing non-random but totally bogus interest in products or services to see what sort of anti-profile I can create, a hobby I have been experimenting with on and off since 2006. This seems like a patent awarded for “urinating on the floor”, or anything else that occurs naturally but fails to identify genuine user intent. From an intellectual property standpoint, I hate to think someone could patent something like this. But from a product standpoint, if Google (and other marketing firms) surreptitiously capturing all your activity for profit pisses you off, would you buy an Apple product that poisons your activity trail? I would. A cloud based iRandomizer for browser traffic over an encrypted tunnel would be ideal! Finally, a post on MSNBC said some hacked firms are “fighting back” by hacking the hackers. Forgive me, but ‘Cloudstrike’ has a very Team America feel to it; well-intentioned but wide of the mark. First, there is a big difference between “active defense” and “strike-back” capabilities. Active defense is not an attack against hackers – it is an active scan of activities on the Internet for clues that someone is, or is about to, launch an attack against your site. Something like the CIA or NSA gathering intelligence to detect someone plotting a terrorist attack. Some large firms use this type of service for advance notice, and they hope to get an early start on their response, whatever it is. But “strike back” capabilities are totally different, and the goal of damaging an alleged attacker would certainly be outside the law. I doubt any of these plans will be effective – the New School blog raises the same question in Active Defense: Show Me the Money. The concept seems well intentioned – some of you are probably unaware that a handful of recent electronic attacks against major companies have been accompanied by physical threats against employees. So I get the desire to induce the same fear in hackers, but it seems unlikely to work, and it’s definitely illegal. Really, you can either locate the attacker(s) or you can’t, but if you can you have a good possibility of scaring them with law enforcement. Otherwise you’re pretty much out of luck. I know some attacked firms have conducted reconnaissance and analysis to help law enforcement locate the attacker, but that seems like the reasonable limit of effectiveness for counter-strike computer security. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on the Security Generation Gap. Mike quoted on the “Renaissance Information