Research

21 days. It doesn’t seem like a long time. In the day to day grind of my routine, 3 weeks is nothing. I basically blink and that much time passes. But when your kids are away at camp it is a long time. For us day 21 is a lifesaver because it’s the first visiting day. So last weekend we packed up the car and made the trek to Pennsylvania to see the kids. For 21 days, we were in parental purgatory. We wait and we worry and we look at pictures and we make up all sorts of stories about what the kids are doing, based on thos pictures and a couple 2-sentence letters. That’s what parents do. So after 21 days, we finally get to compare reality to our made-up vision of what they are doing. Just to give you a little flavor for the kinds of letters we receive, XX2 wrote this missive to her Grandma (slightly edited for readability, but not much): Grandma, Please send make-up. I need lipstick and eyeshadow and hairspray. I’ve had to borrow from the other girls. I’m helpless without makeup. Love, XX2 Helpless?!? What a character. Though we had a decision to make – to send the make-up or not. Of course we sent her make-up. Actually, the Boss was very surprised because at home I’m very anti-makeup. My kids are beautiful without needing to look like street walkers. But they are at camp to find themselves. To do the things they want to do, without their parents micromanaging every move. Even if it involves wearing make-up – so be it. The good news is the kids are doing great. Really great. Even the Boy, who is away for the first time. His counselors said he was quiet for the first two weeks, while he figured out which end was up. But now that he’s comfortable with everyone, he’s pretty talkative. The girls are camp pros by now, and they are having the time of their lives. XX2 got a big part in the play, and XX1 has made the Boss very happy by being in the middle of every picture she’s in and flashing a huge smile. In another 21 days, we’ll return to camp for the second visiting day and to pick up the girls. Then we’ll do the long drive back to GA and get back into the routine of school and activities. For us, the next 21 days will be agonizingly slow. For them, they will pass in the blink of an eye. And they’ll enjoy every second of it. –Mike Photo credits: Welcome to Camp originally uploaded by Altus Wilder Incite 4 U Security vs. Convenience: This post on scaling by one of the Dropbox ops guys was very interesting. Counter-intuitively adding “fake” load prematurely only to remove the extra load when you run out of capacity is an interesting tactic to buy some time. Also the ideas of actually testing the edge cases and logging all sorts of stuff (even if you don’t know how you’ll use the data) will help to put our scaling efforts in perspective when we have Nexus scaling problems, that is. But it’s the last paragraph that is pretty problematic (and explains how privacy issues and obfuscation happen). He says that “security is really important for Dropbox,” but then goes into a riff on making trade-offs based on how important security is to the service. Let’s be clear, security isn’t important to any emerging service until they screw something up. Then security is very important. Which is why trying to build a security program in an organization that’s never had a security problem can be the Impossible Dream (h/t to Don Quixote). – MR Cry havoc and let slip the honeypots of war:: Playing defense all the time is a real pain in the behind. No one enjoys just sitting there until some dumb ass wielding Metasploit comes by and owns you. At the same time, never underestimate the marketing power of the latest security meme. One of these hot topics is the concept of active defense, which can technically mean a whole host of things as described by Chris Hoff in his latest post (that also references one of my posts). As this conversation picks up I think it’s important to remember that these principles, and even sometimes technologies, have been around for a while. The problem has often been they lack the automation to make them truly useful. Too complex, too manual. That’s starting to change, and I think most organizations will adopt active defenses fairly soon. As for Chris’ OODA loop reference… well let’s just say I have more to write on that. – RM Browser Security is more than sandboxing: Reading the Which Browser is Safest on nakedsecurity I was non-plussed as there are several important ways to judge browser security not even discussed in the post. Sandboxing is certainly one element, but there is no discussion of XSS or CSRF. And there are the reputation based protections, to detect things like malware and bad certificates. Perhaps more importantly, there is still no real equivalent to NoScript on Chrome or IE, which is the last reason I continue to cling to Firefox while most people I know have long since moved to Chrome. Then there is the rest of the privacy side of the equation. Ironic that someone on nakedsecurity is discussing browser security when their site source cross-links to eight or so other sites and feeds your browser with another 8 ghost cookies. As bad as Firefox is, at least my add-ons allow me to block most of the data I don’t want sites having on me and my browser. – AL The challenge of asymmetry: Greg Ferro summarize the issues of doing security pretty effectively in Basics:Threat Asymmetry and Security Posture. Yes, it’s a pretty simple concept, but when you spend all day in your reversing tool or knee deep in PCAP files, sometimes

Our friend Richard Stiennon put his promotional engine in gear this week to push his new book, UP and to the RIGHT. So my Twitter stream has been blown up by all sorts of folks praising Richard’s work. Which is great for Richard. I know what kind of commitment is required to write a book and what’s involved in self-publishing one. Including the Herculean task of getting your buddies to write glowing reviews and generating buzz in the echo chamber. Richard is a good analyst. He has seen the process of vendor ranking from both sides, as both the analyst and the vendor. If someone is going to write a book about optimizing a vendor’s position on the Magic Quadrant, it should be Richard. If you just fell off the turnip truck and have no idea how analyst relations works, then maybe you need a book to teach you what to do. But it has been a long time since I’ve talked to someone at a high level within a enterprise class security vendor who doesn’t understand how the process works. In terms of disclosure, I haven’t read Richard’s book and I’m not going to. I’ve lived Richard’s book. So has Rich (from the analyst side) and Adrian (from the vendor side). So maybe Richard has new nuggets of wisdom for all of us. But let me save you all a little time and tell you vendor folks the two steps to a better ranking on any of the analyst charts. Step 1: SELL. MORE. STUFF. TO. ENTERPRISE. CUSTOMERS. Step 2: Go back to Step 1. It’s not really any more complicated than that. Of course you can spend a zillion dollars on subscription services and analyst days and conference sponsorships. That may move your dot a little bit. But it won’t move your dot a lot. The only thing that will truly shift your ranking is customer success. That’s what most folks don’t understand. Or don’t want to understand. Lots of vendors (strangely correlated with those in the ‘loser’ quadrant) continue to hide behind the pay for play bogeyman, figuring they aren’t ranked better because the big competitor spends a bunch more money on analyst services. That’s rubbish. In my experience, it doesn’t work that way. And by the way, marketing professionals can’t fix a busted product or a company and finagle a better ranking. Analysts (even the bad ones) involved in an MQ or Wave project talk to a lot of people. They hear the good and the bad. Calling in favors to get your good customers to call the analyst (‘unprompted’) and tell them good things may help. But not if the ratio of calls talking about replacing your gear to those good calls is 4:1. Believe me, I’ve tried. I’m not going to minimize the importance of spending time building rapport with the analyst who covers your company. Oh, by the way, you may actually learn something if you spend half a second listening to what the analyst says about what’s happening in your market. As opposed to spinning like a nuclear centrifuge for the entire meeting. Talk to them quarterly. Keep them updated on what’s going on with your company. On your success and your failures. They are going to hear about your failures anyway, so you may as well be honest. If you have a compelling vision that aligns with how they see the world, then these briefings may move your dot a little to the right. But not a lot. I’m sure there is a lot of great stuff in Richard’s book. But nothing in a book is going to help you sell more stuff to the end users who Gartner and Forrester are talking to every day. If those folks aren’t looking at your product or service, and if they aren’t deploying it, you have no shot. You deserve to be in the loser quadrant. And no number of strategy days is going to change that. Photo credit: “Magic Quadrant Fruits White” originally uploaded by Jinho Jung Share:

The summer conference season has begun, and for those of us living in Phoenix, going to conferences is a great way to get out July’s blast furnace heat. I’m heading out tomorrow to the Cloud Identity Summit in Vail, Colorado. I’m not speaking – just going to hang out and learn. And there is a lot to lean about with new developments in identity management. Many of the basic tools are not actually new – SAML has been around for about a decade – but the rate of product evolution in this field is frankly staggering. How products are being deployed for cloud and mobile – and how authentication, authorization, and provisioning work together in these environments – are new. I expect to see wholesale changes in how we use and consume identity in the coming years – be it cloud, mobile, or whatever. So we have decided we need to increase coverage in this area, to aid IT in understanding how to approach identity management projects, and to dig into some of the technical details of how developers should approach implementation. Rich and I will be doing a lot of blogging on this topic in the coming months, and Gunnar Peterson and I plan to publish research on the ins and outs of cloud identity late this summer, so stay tuned. My goal is to do a little blogging while I’m there, about what’s new and interesting. If you plan to attend let me know so we can meet up! Share:

Adrian here, and happy Friday the 13th! It’s been a week since Independence day, and it feels like it’s been a month. Mike wanted us to comment on our feelings about Independence Day and what freedom means to us. For me that was easy. As as I usually do, I worked on Independence Day. Always. It’s not a day off. To me, taking time off is anathema to independence. I celebrate independence by working, because working is what earns me the right to be free. I’m long past the age of military service to my country, so I serve it by trying to build and contribute. And at this moment I feel very lucky to have the opportunity to work and make a living, and great business partners to work with. There is always a boatload of stuff to do here at Securosis, so I have been quietly ‘celebrating’ my independence by finishing up a bunch of writing. It may sound weird, but that’s just me. It’s also odd, given the amount of writing, that what makes the Friday Summaries fun is that I get to write about whatever captures my interest. This week it’s something that popped up in a Fast Company article, The Many Pivots of Justin.tv, a couple weeks ago. The comment that has been running through the back of my mind is “Free and easy streaming poses a particular threat to sports, whose broadcast rights are so valuable, and so perishable”. Content security was one of my first challenges in security, and has proven unsolvable. I think it’s absolutely fascinating, how technology keeps changing this debate over and over again before our eyes, and to me that quote captures the essence of the entire content security battle. The value of sporting events is ephemeral. Most people won’t watch a game after they know the results, and vanishingly few events have a shelf life longer than a few days. But in order for companies to make money from that content, they need to get it to the consumer – and that is the problem. It’s one of the very first things I learned in security: You can protect digital media, or you can use digital media. It’s one or the other. Try to do both, and you are only as secure as your least trustworthy audience member. So when you send a sporting event to 200,000,000 people, someone will do something you don’t like. You know, record a game, or show sports at a bar. It’s probably difficult to remember, but professional sports are broadcast free of charge. Every week, in every major US city, professional sports games are broadcast over radio and television. These are available free of charge. When cable TV and satellite providers came along, they offered a more reliable picture, and some additional channels, for a fee. They would love for you to forget that there are free broadcasts, and that you are really paying for the distribution network that moves someone else’s content – which may or may not be freely available elsewhere. I bring that up because streaming live sporting events over the Internet is just the technology challenge du jour to closed systems such as satellite and cable TV. Tomorrow it could be iPhones. If 30 years ago rabbit ears had been 1,000 times more sensitive, there would be no cable networks today. If suddenly Sutro Tower in San Francisco was broadcasting at 200,000,000 Watts, you would likely see Bay Area sporting events everywhere in the country – free of charge. And despite over-the-air broadcasts being the de facto model 30 years ago, either technology advancement I described could be legal or illegal today – depending on the wishes of the content owner. Ultimately, if content is being used in a way its creator does not approve of, that’s copyright infringement. If they approve of it, as with Slingbox, it’s okay. If it’s Justin.tv or anyone else, they don’t. The difference is in control. While copyright laws make sense logically, when you physically broadcast media, right or wrong, you lose control. Consumable media cannot effectively be secured. It’s a losing game, but one with huge money at stake. As a content producer myself, I totally back the rights of the people who produce television – especially sporting events. What bothers me is the deep levels of greed from the people who run the distribution channels – who all believe they are losing money to ‘pirates’, and are attempting to criminalize what’s broadcast for free over the air, because they think they are being cheated. They’re all thinking that those 27 million viewers on Justin.tv must be their audience and so they are all mentally dividing up the same pile of virtual money they should be earning. But in reality it’s a new audience, one that only exists with a combination of lower cost and higher convenience. What broadcasters should be doing is looking for a way to monetize the broadcasts before content creators go direct to consumers. You know, like local over-the-air broadcasters did with advertising? They should be thanking Justin.tv for building a market for them to take advantage of, and looking for ways to charge advertisers for the feeds going out. This will be a recurring battle for the next, well, forever. Technology will advance. People will innovate. Markets will evolve to become more efficient. And people who want their sports will look for the best, cheapest, and most satisfying way to get it. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on iOS Security. Adrian’s Let’s Ask “Why?” at Dark Reading. Mike’s Dark Reading Column: Flame’s impact on Patching. Adrian’s 15 Ways to Get More From Log Files on Dark Reading. Favorite Securosis Posts Mike Rothman: Q1 Vendor Newsletter. We launched a quarterly newsletter for our vendor retainer clients. Here’s the inaugural piece, and it kicks butt. The recently completed Q2 version is even better (hint, hint)… Rich: Mike’s latest on endpoint malware

As long last (OK, maybe not that long), we have assembled the Evolving Endpoint Malware Detection series and packaged it as a paper. You can check out the landing page to find out more, but this description sum it up: The good news is that endpoint security vendors recognized their traditional approaches were about as viable as dodo birds a few years back. They have been developing improved approaches – the resulting products have reduced footprints requiring far less computing resources on the device, and are generally decent at detecting simple attacks. But as we have described, simple attacks aren’t the ones to worry about. So we will investigate how endpoint protection will evolve to better detect and hopefully block the current wave of attacks. We would like to thank Trusteer for licensing the content in this paper, and keep in mind that your work is never done. The bad guys (and gals) will continue innovating to steal your data, so your detection techniques need to evolve as well. Direct Download: Evolving Endpoint Malware Detection (PDF) For those of you interested in the raw material, here are the posts that made up the series: Control Lost Behavioral Indicators Providing Context Controls, Trade-offs and Compromises Share:

Last week we celebrated Independence Day in the US. It’s a day when we reflect on the struggles of our forefathers establishing the country, the sacrifices of the Revolutionary War, and what Freedom means to us all. Actually, most folks gorge on BBQ, drink a ton of beer, and light fireworks imported from China. Which I guess is another interpretation of freedom. I thought it would be great for each of us Securosis guys to describe what Freedom means to us for last week’s Incite. Alas, the best laid plans got derailed when it got to be late on Tuesday and I wanted to start my holiday. No Incite for you. Adrian put everything in context by remarking, “You are free not to do it.” Nice. But here’s the deal – I take freedom for granted, and if you live in a free society, you probably do too. I don’t think about the struggles involved in maintaining a free society. A couple times a year (you know, Memorial Day), I remember the brave military folks away from their families making sure my biggest issue is which Starbucks I choose to write at that day. The Boss and I try to impress upon the kids how lucky they are to live in a free environment. They learn about the Holocaust to see the worst in people. They’ll also read and hear about other oppressive regimes, and be thankful for where they were born. But if I’m being honest with myself, I haven’t felt free for most of my life. A conversation I had recently with Mike Dahn reinforced that. I was captive to my own expectations. Regardless of the fact that I could do anything (besides break the law, I guess), I always felt a responsibility to do what was expected of me. I compared myself to some vision of what I should be. What I should achieve. But that vision was only in my head. It wasn’t like my folks told me what to do. All those expectations made me feel like a failure, even though I achieved quite a lot. That epiphany became the impetus for my Happyness talk. I wasn’t until I let go of those self-inflicted expectations that I’ve been able to make strides toward being happy. Of course, I have good days and not so good days, like everyone else. But tossing my own expectations has given me the freedom to live my life – not anyone else’s. Not setting specific goals means I can enjoy the journey, not fixate on how far I have left to go. The US celebrates Independence once a year. But I get to celebrate my own Independence every day. And I don’t plan on taking it for granted. –Mike Photo credits: Independence, Oregon originally uploaded by Doug Kerr Incite 4 U It’s not the message, it’s how you say it: Sometimes you read something that hits very close to home. Bejtlich’s perspective on the importance of how you deliver the message resonated. The Boss chides me all the time about the fact that no matter what I’m saying, the kids shut down because I’m barking at them. “But they don’t listen! I need to get their attention,” I respond. And she just laughs. No matter what I say, they only hear more yelling. So when Rob Westervelt said a panel at an April security conference got contentious, clearly the folks in the audience didn’t get the message. It’s not that any of the panelists were wrong, but if you don’t package the message in a way that will get through to the other party, there is no wrong or right. Only wrong. So keep that in mind next time you present to business folks or chastise a user for doing something stupid. – MR The cloud is down. No it isn’t. Yes it is: Last week there was another cloudastrophe when Amazon AWS had an outage in their main US data center. The root cause was a combination of weather and a failure in their emergency power procedures. I don’t overly blame them, since it’s really hard to effectively test every scenario like that. But it’s a reminder that not only can the cloud go down, but it can be difficult to architect availability for such a complex system. Extremely difficult, as Netflix shared in a killer post discussing why they went down. Now, for the record, this was a major personal disaster because my 3 year old couldn’t watch “the Apple TV” (which also had a “rough morning” Tuesday due to low bandwidth). This isn’t a security failure but it does highlight the complexity of fully moving to cloud and how that impacts fundamental design and DR/BC scenario planning. Security is no different than availability and we are all going to learn some of these lessons together the hard way. – RM No access, no problem: Brandon Williams asks how do we arm small and medium businesses (SMB) for the change in threat landscape with the switch to EMV cards? His premise is that if the EMV credit card format comes to the US, we expect to see a shift from “card present” to “card not present” (i.e., Internet sales) fraud, mirroring the trend in Europe. The cards are harder to forge, the terminals perform some validation, and the infrastructure supports real point to point encryption instead of the mockery we’ve seen for the last decade or so. But does that mean SMB is at a disadvantage? I don’t think that’s the case. The terminals are expensive, but SMBs have lower overall switching costs to EMV. By combining it with tokenization, they have removed sensitive data from their environments, and pushed much of the liability back on payment processors by not being privy to payment data. Logically there is little difference between an Internet sale and an EMV transaction – payment gateways offer plug-ins and edge tokenization services perform equivalently to EMV without a card reader. As the merchant

We send a quarterly newsletter out to vendor clients as part of our retainer program. Here’s the introduction, which describes how we view the newsletter: Welcome to our inaugural vendor newsletter. This is where we talk about all the things we see during the course of our daily research. Trends, analysis, data, and whatever we think will help you – at least the stuff we can share! As industry analysts we see the good, bad, and ugly of everything from pitches, collateral, and messaging, to how products are used and abused in the field. Our goal for these pages is to highlight what works, what doesn’t, and give you insight into what we’re seeing out there, including the latest trends and data. Sometimes we will use this space to call out folks, but all in good fun – and always with the goal of educating everyone about what we think works. We’ll also highlight good stuff when we see it – don’t worry… this won’t be all snark. Yup, it’s the newsletter you’d expect us to write. We sent out the first version at the end of Q1, so we figure enough time has lapsed that we can share it with everyone. You can download the full newsletter (PDF) and check it out. As if you needed another reason to become a retainer client… Share:

Rich here. I’m starting to think I might be dealing with a bit of burnout. No, not the “security burnout” that keeps cropping up on Twitter and in blog posts, but a bit of a personal burnout. I just find myself lacking a bit of general enthusiasm and creativity that usually keeps me plowing away at a productive rate. This burnout doesn’t have anything to do with security. I still freaking love our profession, even if some of our debates are getting a bit stale. We are long past the early days of the social dialog created by blogs, Twitter, and podcasts. So our discussions lack a certain freshness as we beat postmortem horse after postmortem horse. It also isn’t related to my job, which is freaking awesome. Aside from the usual advantages of working for myself, I have a flexibility I still can’t believe is possible. It stuns me that our business model works, because we seem to be doing everything independent analyst firms supposedly cannot get away with. Seriously, it doesn’t make sense – not that I’m complaining. Plus, how many analysts get to manage software projects and build technical labs? Personal life? All is good there. Awesome wife and kids. I get to race triathlons despite a full time job and young kids. Although I won’t lie – I could get out of the house a little more (aside from my workouts). A little social interaction somewhere other than a security conference won’t hurt. But as I write this I realize what the problem might be. I am seriously freaking tired. Bone weary, can barely function from day to day tired. The culprit? A cute little three year old and her younger sister who have taken to waking us up at 5am every day. For 3 years. And they demand constant attention every waking hour. I know I’m far from the first to go through this, and those of you with older kids can stop grinning with the superiority of someone who managed to swim to shore after the Titanic went down. I’d appreciate it if you would just quietly enjoy my pain and keep it to yourself. Aside from the lack of sleep, I also realized that Securosis has now been in business almost exactly five years. It all started in a Margaritaville during Black Hat when I got the word my condo in Boulder had sold and I now had enough financial runway to survive for 6 months. Ask Chris Hoff – he was there and didn’t believe me when I said I was resigning from Gartner the following Monday (he also hooked me up with my first project, which didn’t hurt). I had wanted to do something different for a while, and that cash cushion was exactly what I needed. But 5 years is 5 years and I am fully willing to admit that some of the enthusiasm of that first year has worn off. It isn’t new or different anymore, even though I get to do new and different things almost daily. Okay – so I’ve identified two problems, and I’m not the kind of person to sit back and wait for change. Step 1 is getting one of those “okay to wake” clocks for the kiddo. They have lights that change color when it’s okay to get out of the room in the morning. The thought of sleeping in until 6am consistently is more exciting than… well, pretty much anything. Seriously, far more exciting than even my various teenage male fantasies. After that? Time to pull a Rothman and get out of the house and work at coffee shops a bit more. I love the cats, but they don’t give a crap about oracle padding attacks or cloud APIs. I need to get a little creative with the research and writing again, and that probably means slowing down the day to day distraction schedule and turning off RSS and Twitter. Those two things and launch our damn SaaS product finally. I’m pretty sure every day will be new and interesting again when I suddenly have to support customers and start acting like a software company. Oh, heck, just watching Rothman’s head explode when he realizes he’s a vendor again will give me at least a month or two of daily amusement. And if that comes with 8 hours of sleep and a good workout every day? So much the better. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich’s monstrous sandboxing article at TidBITS. Adrian’s 15 Ways to Get More From Log Files on Dark Reading. Mike’s monthly Dark Reading blog: Time to deploy the FUD weapon?. Rich in a New York Times blog on Apple. Favorite Securosis Posts Rich: Mike’s Can You Stop a Targeted Attack?. Mike: Returning the favor, Rich’s Thoughts on Active Defense, Intrusion Deception, and Counterstrikes. Mike (again): Answering Questions about Sandboxing, Gatekeeper, and the Mac App Store – It’s not really an internal post but Rich wrote it, so it counts. A great overview of what Mountain Lion adds from a security standpoint. Adrian: And here I thought Empty Nest was the best post for the analysis. Other Securosis Posts Incite 6/27/2012: Empty Nest. Understanding and Selecting Data Masking: Buyer’s Guide. Favorite Outside Posts Rich: Dennis Fisher’s LeBron James, Advanced Attackers and the Best Man Theory. Nails it, and boy does Dennis show off his background as a sports writer! Mike: Nora Ephron’s 1996 Wellesley Commencement Speech. A must-read, especially if you have daughters. Brutally honest about herself, her life, and the state of society back in 1996. Adrian: From a security standpoint, Rich’s monstrous sandboxing article at TidBITS was a really good read, but the most thought provoking was The Many Pivots of Justin.TV – a couple weeks old but I just ran across it. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find

The question of stopping targeted attacks has been on my mind for a while. Of course my partners and I have to suffer through far too many vendor briefings where they claim to stop an APT with fairy dust and assorted other black magic. But honestly, it is a legitimate and necessary question. Ever since Google came clean a few years back about Aurora, and everyone then acknowledged the persistent, likely state-sponsored attacker as a class of adversaries, vendors have been APT-washing their stuff trying to convince anyone who would sit still that their run-of-the-mill IPS or endpoint protection product had a chance. Basically this rash act was necessary to keep the cash cow hemorrhaging money, even in the face of mediocre (or worse) efficacy of existing controls. But here is the thing these vendors missed. Very few of the adversaries most organizations face are advanced or persistent. Most are today’s version of script kiddies trying to smash and grab their way out of the despondency of their existence. It’s much easier and more lucrative than robbing a bank, after all. So most existing controls still have some role to play in tomorrow’s defense. But we all know existing controls are not sufficient. Yet targeted attacks do exist, and the legitimately advanced attackers are now targeting further afield to achieve their objectives. They are attacking the supply chains of their targets to gain deeper footholds, earlier. And now that we have a better idea of the tactics they are using, we start to see offerings built very specifically for these kinds of attacks. I won’t say we’re seeing real innovation yet, but lots of vendors are learning and evolving their offerings to factor in this new class of attacker. Unfortunately it’s still way too early to get a feel for whether real innovation is happening (or will happen), or whether this is just a classier version of APT-washing. Regardless of what happens on the prevention side, you still need to monitor the hell out of your stuff. As Mandiant described in a blog post that has since disappeared from their site (wonder if they’re now doing work for Global Payments, hmmmm), the folks at Global Payments evidently found the first breach themselves by monitoring their egress traffic and seeing stuff they didn’t like leaving their network. Was it too late? Of course. But it’s a hell of a lot better to catch it yourself than to hear from your payment processor or the FBI that you have a ‘problem’. We will see a lot of new stuff, as everybody tries to get ahead of attacks – even targeted ones. But it’s career-limiting to plan on stopping them; so we still push investment in monitoring, forensics, and response – even in the presence of new and innovative protections. Or is “Can you stop a targeted attack?” the wrong question to even ask? Photo credit: “Bullseye” originally uploaded by bitsofreality Share:

Be quiet. Be vewy vewy quiet. Now listen. What do you hear? Listen very closely. Do you hear anything? No? That’s exactly the point. The Boss and I woke up yesterday morning to the sound of nothing. No grumbling about having to get ready for school. No kvetching about ill-fitting bathing suits, and no asking for this play date or that activity. No crappy Disney Tween shows blaring from the TV. No nothing. The house is quiet. On Sunday we put the kids on the bus for sleepaway camp. Barbarians that we are, we ship the kids off to Pennsylvania every summer. The girls go for 6 weeks. The Boy is going for 4 weeks, as it’s his first summer away. So for the first time since XX1 was born, we will have the house to ourselves for longer than a day. Will we miss the kids? Of course. We huddle around the laptop every night and look for pictures posted on the camp website. We dutifully write them letters every day. Well actually, we type the letters into a website, which then prints a copy for delivery to them. We’ll trudge off to the mailbox every day, hoping we got a letter. But we will also enjoy the time they are away. We’re going to see Earth, Wind and Fire tonight – and we don’t have to worry about arranging for a baby sitter. We may take a long weekend at a nearby resort. Or we might not. We can sleep late. We can work late. We can go to the pool at 2pm if we feel like it. We can BBQ on Wednesday, and I could party on Friday night, knowing that I don’t have to wake up early to take a kid to a game or activity. Best of all, I can spend quality time with the Boss without the constant crushing pressure of being the involved parents of active kids. We don’t have to worry about who’s making lunches, or picking up from the dance studio, or folding the laundry. Two adults don’t really generate that much laundry. These quiet times also prepare us for the inevitable, when the kids leave the nest. Lots of parents forget to have their own relationship because they are too busy managing the kids. Not us – for here on, our nest will be empty every summer. We are painfully aware that the kids are with us for a short time, and then they will live their own lives. And 6 weeks every summer is a big chunk of their summer vacation. Like everything, it’s a trade-off. Ultimately the decision is easy for us. They learn independence and how to function as part of a group, without their parents telling them what to do. We take very seriously our responsibility to prepare our kids to prosper in the wide world, and I don’t think there is a better place to apply the skills we teach them than at summer camp. It’s also great for the kids. On the first day we have seen the boy at the pool, at the lake doing paddle boats, at the firing range, playing basketball, and watching some kind of show put on by the counselors. That was one day. So as barbaric as it may seem to send our kids away for that long, there is no other place they’d rather be every summer. And that’s a win/win in my book. –Mike Photo credits: Empty Nest originally uploaded by Kristine Paulus Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently under way. Remember you can get our Heavy Feed via RSS, with all our content in its unabridged glory. And you can get all our research papers too. Understanding and Selecting Data Masking Buyer’s Guide Use Cases Pragmatic Key Management Choosing Your Key Management Strategy The Four Enterprise Key Management Strategies Evolving Endpoint Malware Detection Controls, Trade-offs and Compromises Providing Context Incite 4 U Blue Horseshoe loves threat intelligence: For a long time, the reactive approach to doing security worked well enough. But the past few years, not so much. So large organizations, with significant security infrastructure, have started to try to learn a bit about attackers before they attack. Wait, what? You mean an intel type function, which requires investment? Yup. So not only are we seeing a re-emergence of vulnerability trackers like iDefense, but also some new business models based on using intelligence to deceive attackers (as described in Dark Reading), or buying up zero-days to share with the good guys (Aaron Portnoy’s new shop, Exodus Intelligence). We love content, and cannot be happier that we’re finally seeing security content valued on its own merits – not just as part of a widget. – MR The future of software: We see continuing evidence in support of the assertion made by Red Monk’s founder Stephen O’Grady: Large software firms will be making money with software rather than from software. And I totally agree with that statement! While the main thrust of the post is to argue that Microsoft’s share price has suffered from poor choices in direction and lack of innovation, the really interesting aspects highlight the competitive forces within the software industry. In part it’s the transition from desktop, to web app, to mobile app, but it’s also about growing adoption of Software as a Service (SaaS) and what I consider the real long-term direction for back office applications: Platform as a Service (PaaS). Many of his observations are solid, but the dim picture he paints for Microsoft and other software vendors fails to account for their mobile and PaaS efforts, or the pricing pressures these larger software vendors will inflict on the rest of the market when they start offering the entire back office stack – including hardware and service – for a single price. Apple’s – and to a lesser extent Google’s – more consumer-oriented cloud service models