Securosis

Occupy Work

I don’t get this #occupy stuff. Maybe that’s an indication that I’m old. Maybe it means I’m selfish. It could be a sign that I have a lot of competing priorities and they don’t leave me a lot of time. But most of all, it’s because I don’t get it. Really. Should we be pissed off that parasites on the system always seem to walk away with millions of dollars for little added value? Yes. Could we be frustrated with a US governance model that spends more time bickering than getting anything done, while squandering trillions of dollars? Absolutely. But in my best NY accent: “Whaddya gonna do?” I plan to remain intentionally tone deaf regarding all this stuff. Again, maybe that makes me selfish. Maybe I’m more interested in my own comfort and lifestyle than the tens of millions of folks who are screwed by the system. But here is the difference: I have worked for everything I’ve achieved. Everything. Sure I graduated from an Ivy League engineering college. But I got in based on my achievements in high school with very little parental guidance or oversight. My Mom was too busy trying to put food on the table, working in a crappy retail pharmacy, to push me to do my homework. And at the end of the day, my education helped me get my first job. That’s it. Sure I could get pissed off that dumb guys I grew up with joined the right investment banks at the right time and make 7 figures a year now. I could get angry that kids right out of mediocre engineering programs (but with decent connections) end up at one of the Silicon Valley start-ups and win the Google lottery, pulling millions out as cogs in the wheel. Does that mean we should “Occupy Sand Hill Road” and get pissed at how high-tech financiers engineer value from the (at times) unholy alliance between big IT, storied entrepreneurs, and the puppet master VCs that seem to pull all the strings? What’s the use of that? I choose to get up and (as Chris Nickerson says) “do work.” The only thing I can control is how hard I work.

I can’t control what anyone else does. I can’t control market swings. I can’t control whether the light of good fortune shines on me at some point. I can (and do) control what I do. And that’s how I’ll rail against the system. I’m totally on board with Larry Walsh’s thoughts on innovation and entrepreneurship. Larry’s quote here is exactly right: “I’m protesting today. I’m calling it ‘Occupy Work.’ I pledge to sit at my desk, service my clients, be productive and innovative, and contribute to the economy. Oh, and I will do it with humility.” He makes a number of great points. Clearly the system(s) need reform. But what is the value of sitting in a park? How is that aiding the collective? How does taking a shot of pepper spray (however appalling) bring light to the issues the protesters want to discuss? It turns the story from corruption and greed to brutality. Obviously we all need to act in a dignified manner (especially law enforcement), but it seems the core message of fighting greed is lost. I saw an old friend last week, and we did get philosophical for a short time. He asked me whether I was scared for the world my children were growing up in. I answered with a resounding no. I still believe that I live in a country where hard work will be recognized. I believe that my kids can become whatever they want, and with enough effort can achieve their dreams. Lots of folks overcome long odds every day to prosper through the force of their own will, regardless of their circumstances. I’m teaching the kids to be self-sufficient and not hope a big company will support and provide for them. Pensions are not guaranteed by a bankruptcy court. Nor is healthcare coverage. I believe in entrepreneurship. I believe in creating your own opportunities, not waiting for someone to give something to you. I believe in the capitalist system and although clearly imperfect, it’s the best thing out there. Maybe I’m naive. Maybe I’m stupid.

But I still believe that as long as I focus on what I need to get done every day, things will work out in the end. So rather than spending my time in a pup tent in some public park, like Larry I will occupy work. We all have a choice about what we do on a daily basis. The folks Occupying whatever seem to think their approach will result in positive change. Maybe they are right. But either way, I figure the only great equalizer in a capitalist system is hard work. And on this week of Thanksgiving in the US, I’m thankful that I live in an area where I can control my own destiny, which is what I plan to do. Happy Thanksgiving everyone. If you celebrate, enjoy the holiday and be safe.


Mobile Payments without Credit Cards

The San Francisco Chronicle ran an interesting story about a small payment processing firm that is trying to disintermediate credit card companies. But they are doing it the old fashioned way – cutting out the middleman and going direct to banks to move money for them. Dwolla is a start-up payment processor providing person-to-person payment via mobile and social media outlets. Their hook is providing payment at a substantially reduced commission – just twenty-five cents ($0.25) per transaction. Compare that to credit card companies that charge a flat 3%, or PayPal, which charges thirty cents per transaction in addition to 2.9% (less 2.2% for volume sellers). Dwolla’s offering can be viewed as similar to PayPal’s or an ATM transaction, but ATM fees have escalated into the $3-10 range. With mobile payment in its infancy, this space is a greenfield for startups and established players to redefine what’s possible. Credit card companies have been talking up the benefits of mobile payments for years as an easier and more pleasurable shopping experience – but today many of their solutions have not yet been delivered to the market. The promised benefit to merchants is rather nebulous growth in “customer loyalty” and data on purchasing history. Cold hard cash would be preferable, which is why I think many small merchants are going to like Dwolla’s offering. When it comes down to it 3% may not sound like much, but it’s a lot of money for many merchants struggling to be competitive. Popular sentiment doesn’t hurt either, especially in light of consumer dissatisfaction with credit card companies (despite overall credit card use going up), and many halting use of cards because they make spending too easy. As far as security goes, not much information is available on Dwolla’s security model for establishing user identity. What’s described sounds similar to existing models based on a combination of device (phone) verification, a password, and location-based services.

But it’s not their security model that interests me – it’s that this is one of the first upstarts I have seen really breaking the old mold of how payments are done, and it looks promisingly disruptive. The concept is not new, but it’s one of the first times someone has pulled off the direct-to-bank model and demonstrated a new concept of what mobile payments can be. For banks willing to take some risk on the security and legality of person-to-person or mobile payments, Dwolla offers both a new revenue model and a means to strengthen customer relationships. Keep in mind that many banks offer credit cards expressly to be foremost in the consumer’s mind when looking for auto or home loans – loans being the principal source of bank revenue. While that sounds like a no-brainer, I can tell you from personal experience that most banks won’t touch this concept with a 20’ pole because of the risk to their banking charters in this heavily regulated sector. But the market usually rewards efficiency, and if someone can offer convenient payment services at a reduced cost they are likely to win market share in a hurry. Dwolla sounds like they have a recipe for success.


Index of Posts: Security Management 2.0

We have finished and put a little bow around our Security Management 2.0: Time to Replace Your SIEM? paper. So it’s time to post the series index, as well as a link to the completed paper. As always, we couldn’t provide content like this without support from our sponsors. For this project, we would like to thank Dell SecureWorks, Nitro Security, Q1 Labs, and Tenable Network Security. Check out the paper in our research library, or you can download it directly: Security Management 2.0: Time to Replace Your SIEM?

Index of Posts

Time to Replace Your SIEM? (new series)
Platform Evolution
Revisiting Requirements
Platform Evaluation, Part 1
Platform Evaluation, Part 2
Vendor Evaluation – Culling the Short List
Vendor Evaluation – Driving the PoC
Security Management 2.0: Making the Decision
Security Management 2.0: Negotiation
Security Management 2.0: Migration
Managed Services in a Security Management 2.0 World


Incite 11/16/11: Blockage

Most of the time, the words flow. I have a thought, and the next thing I know there are hundreds (if not thousands) of words on the screen. I’m a writer, so that shouldn’t be surprising. What may be surprising is that there are times I get writer’s block. Like now. At some point in the early part of the week, I get a flash of inspiration and bang out the Incite. It’s usually the easiest part of my job, but not this week. Now (Tuesday night) is not the time to be blocked. Tuesday nights I work late. XX1 is at dance until 8pm, and when I’m in town I pick her up at the studio. The Boss and I have an arrangement where I can catch up on some of my writing and she handles getting the twins ready for bed, since she takes a class Tuesday nights – so I take over when we get home. So I’m sitting here needing to bang out the Incite, but the words just aren’t flowing. I consult my ongoing list of Incite topics. Nothing strikes my fancy. It’s like taking a look in a full refrigerator, but nothing is appealing. Sure there is food there, but it’s not the right food. I hate that. You probably do as well. So I check Twitter. I move on to another project and make some progress on that. I read some NFL news. But in the back of my mind, I know the Incite still awaits me. It’s not going anywhere, and if it’s not done by the time I have to get XX1, it’s going to be a long night. Sometimes panic sets in. I get anxious when the words aren’t there. That doesn’t help them come any easier, of course. If anything it compounds the issue. Still blocked. I walk around a bit. I stretch. I grab another coffee, so now I’m hyper-caffeinated. That’s not helpful either. Oy, I wish I had some writer’s Drano. That would clear up the blockage, even if it hurts the environment. I start writing (again). I get about two paragraphs in and I hate it. I try to rework the concept. I still hate it. So I delete it. Back to square 1. More anxiety. More checking Twitter. More NFL news. 
No more progress towards where I need to be. I feel the window starting to close, and know that the Boss will be disappointed, since I’ll be working when we’d normally be catching up and enjoying each other’s company. More anxiety and the cycle starts again. Then it happens. Inspiration strikes. I think, why don’t I write about being blocked? Maybe that topic is only interesting to me, but I have always written the Incite for me, documenting what’s in my mind at any given time. Sometimes it’s even useful to someone else, which is a bonus. I start writing. And the words come. The coffee shop disappears. There is no noise. The rest of the world goes away. And before I know it, I’m done. I should have known the words would come. The words always come. I’m lucky that way. But sometimes my impatience gets the better of me. This was one of those times. And the next time I get blocked, I’ll forget that the words come as my anxiety increases. But now I’ll have this post to remind me. How about that?

-Mike

Photo credits: “Blockage” originally uploaded by Martin Whitmore

Incite 4 U

Fresh crop of hackers: Brandjacking is the “web site defacement” news item of the decade. The struggle for ownership of the Internet is fascinating – big corporations respond to threats with the tools they know best: lawsuits, marketing campaigns, and lobbying the government. Pressuring the government to get rid of net neutrality, suing customers who have bad experiences, and attempting to outlaw anonymity are prime examples. But this is a losing fight; both because corporations are targeting their customers and because their lame responses show the weakness of their various positions. For example, Google+ not allowing anonymity in their corner of the Internet is effectively forcing people to wear ID cards – and we know how that story ends. Claiming they won’t allow anonymity because attribution promotes civility is crap – it’s because these firms are pissed off that they can’t control their brand image like they did with TV, radio, and magazine media. Rather than accept criticism – or have faith in the majority of people to understand that many negative comments came from psych patients hopped up on Fruit Loops and pharmaceuticals – they threaten legal action. Then we get firms like Reputation.com because business owners need someone to hold their hands when “The Internet” calls them A-holes. Given anti-corporate sentiment, I think we will see a lot more defacement, hacking, and DoS attacks because we are teaching a generation of kids that hacking gives them control they otherwise lack. China may sponsor and educate hackers, but we’re growing them organically. – AL

Congressional insanity: The Stop Online Piracy Act is so crazy that it’s hard to imagine anyone taking it seriously. Which is why it seems to have bipartisan support. It is basically a tool for government and media industry censorship. I’m not exaggerating – I don’t support piracy and I pay for the content I consume, but this bill literally forces software developers to add censorship mechanisms to any proxy software. You know, like VPNs and ssh. It also allows the US government to muck with DNS in ways that have broad potential effects beyond merely targeting “file sharing” sites. Take a look and make your own decision, but this is bad for security… completely aside from free speech. – RM

FundamentaLiu sound advice: Sometimes folks turn their noses up when I go through my Endpoint or Network Fundamentals pitch. You mean secure configurations, default deny, and patching? Boooooooring. But as Vinnie Liu points out at Dark Reading, these boring tactics actually


FireStarter: Looking the other way

Over the past few weeks we have been inundated by the 24/7 media cycle, endlessly fascinated by the alleged child abuse by a Penn State football coach. I couldn’t bring myself to read the grand jury findings, as I have a young son and the idea of anyone doing that to The Boy makes my blood boil. Regarding the perpetrator, I’m with Jay Glazer. But we Americans do take that innocent until proven guilty thing pretty seriously, so we need to let the legal system play it out. But the other villains in this story are the Penn State administrators, who evidently looked the other way when presented with enough evidence to demand action. Two of them have been criminally charged, and the president of the university and coaching legend Joe Paterno have been forced out. Of course, we really have no way to know exactly what they knew, but the public sentiment is right: the victims deserved a full and immediate law enforcement investigation. That’s pretty cut and dried. But what about when it isn’t so cut and dried? We security folks are privy to lots of stuff. Sometimes inadvertently, sometimes not so inadvertently, we get to see information that indicates impropriety. Maybe it’s a situation of financial shenanigans. Like Enron or any of the other folks cooking the books during the stock market bubbles. Perhaps it’s adultery by someone you know. Maybe it’s organized crime or drug dealing in your neighborhood. Wrong is wrong. All three of those examples are wrong, but they also have different risk profiles for coming forward. Many of the folks complicit in the Enron scandal didn’t say anything because they were worried for their jobs – their livelihoods. But still, when you look at it, the right thing to do is to come forward. Is an organization which clearly disregards financial reporting, and systematically cooks the books, a place you would want to work? On the plus side, if you do blow the whistle, you could receive a windfall.

Not that you’d use that as motivation, but as Dad told me when I entered the workforce, “No job is worth compromising your integrity.” He’s right. I love the saying: “A friend helps you move, a real friend helps you move a body.” But is that the case? In our adulterer scenario, do you enable the behavior because of your code of guy (or gal) ethics? Considering the emotional fallout and other ramifications of calling someone out on that, do you just let things go? That’s a decision only you can make, but what’s right is not always easy. And what about the local drug dealer? That one is tough because there is a real risk of retribution. These bad guys don’t value your life nearly so much as you do, and you can’t negotiate with them (Anonymous tried – ask them how that worked out). They leave people they don’t like hanging by their own intestines under bridges. And then they hunt down the families of their enemies. Do you put yourself in the way of clear physical harm? Ah, the decision is less clear now, isn’t it? Of course bullies and other folks rely on the threat of cement overshoes as the only tool to maintain their position. But what’s the best decision, given your need to protect your family? So what do you do? Do you speak up or do you shut up? There really are no universal right or wrong answers here, but a set of imperfect choices – all of which can end poorly. Let us know what you think in the comments.

Photo credit: See No Evil originally uploaded by tim ellis


Friday Summary: November 11, 2011

Coupons. Frequent flyer miles. Rebates. Loyalty programs. Member specials. Double coupon days. Frequent buyer programs. Weekly drawings. Big sales events. Seasonal sales. Presidents day sales. Sales tax holiday sales. Going out of business sales. Private clearance sales. 2 for 1 sales. Buy 2 get 1 free. Sometimes it strikes me just how weird commercial promotions are. It’s a sport where nothing is as it seems. We don’t just buy things – we have to make a game out of it. A game slanted against those who don’t follow the rules, don’t care to play, or just plain can’t do math. We don’t base most of our buying decisions on price vs. quality – instead we are always looking for an angle or a deal. We want to “game the system”, so business provides games to feed our habit. ‘Exclusive’ Internet deals. ‘Sticker’ books. Rewards programs. Receipt Bingo. Discount ‘accelerators’. Friends fly free. Nights and weekend minutes. Family plans. Price match guarantee. All while playing classical music (or country music here in the South) and telling you how smart you are. It’s not just retail merchants either. We made mortgages into a game: mortgage brokers, mortgage ‘points’, marketing fund indexes, teaser rates, interest rate buy-backs, variable interest, no-interest, balloon notes, FHA programs, tax credit programs, no-doc, and any other combination of variables that can be shuffled to squeeze you into a deal. Heck, we even get games from our government. Our tax system is essentially a game. There is absolutely no such thing as a straight formula. We are incentivized to find ways to bend the rules without a violation and penalty – especially with the new tax codes – to tweak what you pay. If you know how to leverage the code in your favor, you pay far less. And if you don’t know the rules of the game you pay more. We get distractions like “Secret codes” – announced over the radio.

Cute reptiles with Cockney accents which equate buying their product with drinking tea and eating cake. Preferred memberships. Free shipping on orders over $25. Double-discount Wednesdays. Your tenth cup of coffee free. Free gift with purchase. Free credit reports. Trade-ins. Trade-ups. Free upgrades. Get more. Pay less. Bring the kids! You are so very smart to take advantage of our one-time-only 9-year auto lease program with a 70% residual cap! Because, after all, you deserve it! Hey, do I hear Mozart? Our healthcare system is even more of a game than our tax system, but it’s much less obvious, except to people who try to avoid playing by the rules. Pre-existing conditions? Preferred provider networks? Anyone? Ever have a hospital say they can’t tell you what you owe so you have to wait for your bill? That’s because they don’t know. Nobody does. Price is an illusion that only comes into focus when the medical provider determines what your insurance provider(s) will swallow. It’s a game within a game. Don’t believe me? Try paying for medication or a simple office visit without providing health insurance details. The price quintuples after the fact. And people who don’t play, aka those without health care, know they pay a premium when they get services. It’s a giant shell game, and your motivation to play comes through cheap copays and the lure of the pre-tax spending set-aside. And you will play the game. After all, you want to be healthy, don’t you? Pay the premiums, follow the process and nobody gets hurt! I know the basic scam is selling a dream while masking the truth. What I have not figured out is whether all these games are just a by-product of sales people trying to sell the unpalatable – and how they prefer to sell it – or if people have genuinely come to enjoy the game so much they no longer care. Who knows? Maybe it’s both.

I know some people who won’t buy if they don’t have a coupon, but the more serious problem is people who always buy when they have a coupon – regardless of need. But people like to play, and it all feels so much more virtuous than roulette or poker. How many of you have a free set of pots from the supermarket? Or a knife set? Or buy gas across the street because they accept your grocery reward card? How many of you shop on double-coupon days? How many loyalty cards are in your wallet?

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Rich quoted on SaaS security services.

Favorite Securosis Posts

Mike Rothman: A Public Call for eWallet Design Standards. Everyone wants a free lunch, even if it’s not even remotely free. Folks will eventually learn the evil plans of these marketing companies (offering said eWallets) the hard way. And I’ll be happy I pay for 1Password to protect all my important info.
Adrian Lane: Managed Services in a Security Management 2.0 World. When adopting complex solutions, managed services are a pretty attractive option in terms of risk reduction and skills management.

Other Securosis Posts

Sucking less is not a brand position.
Incite 11/9/11: Childlike Wonder.
Breakdown of Trust and Privacy.
Applied Network Security Analysis: The Breach Confirmation Use Case.
Tokenization Guidance: PCI Requirement Checklist.
Friday Summary: November 4, 2011.

Favorite Outside Posts

Mike Rothman: End of year predictions. One of the only guys who can rival my curmudgeonly ways, Jack Daniel offers some end of year perspective. Like ‘Admitting that “life is a crap shoot” doesn’t get you the respect it should.’ Amen, brother.
Adrian Lane: Jobs Was Right: Adobe Abandons Mobile Flash, Backs HTML5. Big news with big security ramifications (i.e., this is good for security too)!

Project Quant Posts

DB Quant: Index.
NSO Quant: Index of Posts.
NSO Quant: Health Metrics–Device Health.
NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
NSO Quant: Manage Metrics–Deploy and Audit/Validate.
NSO Quant: Manage Metrics–Process Change Request and Test/Approve.
NSO Quant: Manage Metrics–Signature Management.

Research Reports and Presentations

Fact-Based Network Security: Metrics and


Sucking less is not a brand position

I guess if you have been around long enough, you have seen everything over and over again. I felt my age today when I saw yet another (lame) attempt to Move Security from a Cost Center to a Brand Differentiator. How many times have we security folks wished for the day we could get project funding because it helped the business either to make more money or to spend less money? Gosh, that would make life a lot easier. The holy grail has always been to position security as an enabling technology. Unfortunately it just isn’t. The only thing security enables is…uh…nothing. It gets back to assurances, and we security folks can’t make assurances either way. If you spend $X on $widget, maybe it will stop an attack. Maybe it won’t. If you don’t have $widget maybe you won’t even be attacked, so you might as well light a bag of money on fire. It’s like building a house on quicksand. To be fair, in some cases security is table stakes. For example you expect your private data to be protected. In many cases you will be disappointed, but we don’t really see organizations positioning security as a differentiator. They make those pronouncements to allay our fears and eliminate an obstacle to purchase – not as a buying catalyst. But the most offensive part of the article comes later, in a section that at first seemed kind of logical. But this quote from some guy named Alan Wlasuk almost made me fall out of my chair: “But any company can shine in an industry environment where the majority of their competitors have suffered from confidence destroying security attacks.” Shine? Really? Your suggestion is that companies tell customers to do business with them because they suck less?? That’s how I read Alan’s statement. I’ll admit I clearly didn’t learn too much as a VP Marketing, but I do know it’s a bad idea to position and build campaigns around attributes with little to no longevity. So we should build our brands on being more secure? Unbreakable much?

Thanks to our pals at LiquidMatrix for that little chuckle this morning. I thump vendors regularly for trying to run campaigns based on competitor breaches. Like when a token vendor (okay – all of them) tried to capitalize on the RSA token breach by positioning their tokens as more secure, whatever that means. Kicking the competition when they are down comes back to haunt you – we all live in glass houses. Sure enough, some of those very vendors had high profile issues with their own certificate authorities. Karma is a bitch, isn’t it? Take it from someone who has tried to position security as anything but a cost center for close to a decade. It doesn’t work. Your best bet is to realistically show the risk of not doing something, and let business people make their business decisions. And if your marketing folks tell you about this brand spanking new campaign to be launched based on a breach at your competitor, give them my number. I have a clue bat for them.

Photo credit: “VISI Black Hat” originally uploaded by delta407


Managed Services in a Security Management 2.0 World

As we posted the Security Management 2.0 series, we focused heavily on replacing an on-premise option with another on-premise option. We paid a bit of lip service to the managed SIEM/Log Management option, but not enough – the reality is that, under the proper circumstances, a managed service presents an interesting alternative to racking and stacking another set of appliances. So consider this a primer for managed services in the context of our Security Management 2.0 discussion. We will go through the drivers, use cases, and deployment architectures for those considering managed services. And we will provide cautions for areas where a service offering might not meet your expectations.

Drivers for Managed Services

We have no illusions about the amount of effort required to get a security management platform up and running, or what it takes to keep one current and useful. Many organizations have neither the time nor the resources to implement technology to help automate some of these key functions. So they are trapped on the hamster wheel of pain, reacting without sufficient visibility, and without time to invest in gaining that much-needed visibility into threats other than by diving deep into raw log files. A suboptimal situation for sure, and one that usually triggers discussions of managed services in the first place. Let’s be a bit more specific about situations where it’s worth a look at managed services.

Lack of internal expertise: Even having people to throw at security management may not be enough. They need to be the right people – with expertise in confirming exposures, closing simple issues, and knowing when to pull the alarm and escalate to the investigations team. Reviewing events, setting up policies, and managing the system all take skills that come with training and time with the product. Clearly this is not a skill set you can just pick up anywhere – finding and keeping talented people is hard – so if you don’t have sufficient sophistication internally, that’s a good reason to check out a service alternative.

Scalability of existing platform: You may have a decent platform, but perhaps it can’t scale to what you need for real-time analysis. As we discussed in the Platform Evaluation post, this is common for those deploying first generation database-based SIEM products, who then face a significant and costly upgrade to scale the system. This can also happen to acquisitive organizations, who bring on significant assets and need to integrate management capabilities quickly to get sufficient leverage. With a managed service offering scale is not an issue – any sizable provider is handling billions of events per day.

Risk Transference: You have been burned before – that’s why you are looking at alternatives, right? You’re not sure what solution to select for the long haul. Why risk the investment when you can drop that monkey on someone else’s back? This allows you to focus on the functionality you need instead of vendor hyperbole and sniping. Ultimately you only need to be concerned with the application and the user experience, and all that other stuff is the provider’s problem. So selecting a provider becomes effectively an insurance policy to minimize your investment risk. Similarly, if you are worried about your ops team’s ability to keep a broad security management platform up and running, you can transfer operational risk to a safer outside team. Once again, that operational risk goes to the provider, who assumes responsibility for uptime and performance.

Geographically dispersed small sites: Managed services also interest organizations which need to support many small locations. Think retail or other distribution-centric organizations, where the central site may have sufficient expertise but there is very little capability at the remote sites. That might work well – particularly if event traffic can be centrally aggregated. But if not, this presents a good opportunity for a service provider who can monitor the remote sites.

Round the clock monitoring: Some organizations need to move from an 8-hour/5-day monitoring schedule to a round-the-clock approach. Whether this is driven by a breach, a new regulatory requirement, or some kind of religious awakening in the executive suite, staffing a security operations center (SOC) 24/7 is a huge undertaking. But a service provider can leverage that 24/7 staffing investment across many customers, and might be in a much better position to deliver round-the-clock services.

Of course you can’t outsource thinking or accountability, so ultimately the buck stops with the internal team, but under the right circumstances managed services can address skills and capabilities gaps. So let’s dig into a few of the use cases that provide a good fit for managed SIEM or Log Management.

Favorable Use Cases

Many providers offer a managed SIEM/Log Management platform as the equal of an in-house solution, and that may be the case. Or it might not – depending on the sophistication of the implementation, as well as the capabilities of the provider’s technology and internal processes. Under the right circumstances you can get a managed SIEM offering to do (almost) everything you could with an in-house option, but in reality we very rarely see that. More often we see the following use cases when considering a service alternative:

Device Monitoring: You have a ton of network and security devices and you don’t have the resources to properly monitor them. That’s a key situation where managed security management can help. These services are generally architected to aggregate data on your site and ship it to the service provider for analysis and alerting. The provider should have a correlation system to identify issues, and a bunch of analysts who can verify issues quickly and then give you a heads-up.

Compliance Reporting: Another no-brainer for a services alternative is basic log aggregation and reporting – typically driven by a compliance requirement. This isn’t a very complicated use case, and it fits well with service offerings. It also gets you out of the business of managing storage and updating reports when a requirement changes. The provider should take care of all that for you.


Incite 11/9/11: Childlike Wonder

Heading down into Atlanta last week for the BSides ATL conference, I got into my car and the magic began. I whipped out my magic box and pulled up the address on the Maps app, just to make sure I remembered where it is. Then I fired up Pandora, which dutifully streamed rocking music to my Bluetooth-equipped car stereo. I checked out the NaviGAtor mobile site for real-time traffic data; then I was set and on my way.

Wait. What? Think about this for a second. None of what I just described was even possible 4 years ago. I normally just take all this rapid technology evolution for granted, but that day I reflected a bit on how surreal that entire trip was. The idea of having a personalized radio station streaming from the Internet and playing through my car stereo? Ha! Having a fairly accurate map and an idea of traffic before I stumbled into bumper to bumper mayhem? Maybe in a science fiction movie, or something. But no, this stuff happens every day on a variety of smartphones, enabled by fairly ubiquitous wireless Internet connectivity. As another example, Rich just texted me on Monday to let me know he deposited my monthly commission check to our bank from his device, while taking a potty break during a strategy day. Yeah, that’s probably TMI. My bad.

Our recently departed leader talked about the sense of “childlike wonder” you get when discovering these applications that enable totally different ways of communicating and living. And it’s true. As I drove down the highway, jamming to my music, with no traffic because I routed around the congestion, I could only marvel at how things have changed. It’s a far cry from my first bag phone. Or that ancient StarTac, which was state of the art, what, five years ago? How can you not be excited by the future? We have only just scratched the surface on how these little computers will change the way we do things. Bandwidth will get broader. Devices will get smarter. Apps will get more capable. And we’ll all benefit. Maybe.

It takes a lot of self-control to just enjoy the music while I’m driving. The inclination is to multi-task, at all times. You know, checking Twitter, texting, and catching up on email, in a metal projectile traveling about 70mph, surrounded by other metal projectiles traveling just as fast. That can’t end well. As with everything, there is a downside to this connectivity. It’s hard to just shut down the distractions and think, or to focus enough to stay on the road. It seems the only place I can get some peace is on a plane, and even there I can get WiFi (though I tend not to connect on most flights). The good news is that nothing I do is really that urgent. My Twitter can wait 15 minutes until I stop moving. But it doesn’t mean I don’t have to make a conscious effort to stay focused on the road. I do, and you probably do as well.

I guess what is most amazing to me is that my kids have no idea that there was a time when all this stuff didn’t exist. The idea of not being able to text whenever they wanted? Madness. A world without Words with Friends? A time when they could only listen to 10 CDs because that’s all they could carry in their travel bag? They can hardly remember what a CD is. Nor should they. It’s not like when I was a kid I had any concept of a world where we hung out by the radio to get news, sports, entertainment – basically everything. But that’s how my folks grew up. I wonder if someday SkyNet will look back and wonder what things were like before it was self-aware? Oy, that’s a slippery slope.

-Mike

Photo credits: “Childlike Wonder” originally uploaded by SashaW

Incite 4 U

Peeking into Dan’s brain: There are a select few folks who really make me think. Like every time I talk to them (which isn’t enough), I have to bring my A game, just to hold a conversation. Dan Geer is one of those folks. So when the Threatpost folks asked Dan about the research agenda in security, he didn’t disappoint. He starts by proposing that we’d need a lot less research if we put into practice what we already know, and that we should research why we don’t do that. Yeah, Dan makes recursive thinking cool. Then there are other nuggets about building systems too complex to effectively manage, the strategic importance of traffic analysis, and the security implications of IPv6. He may not have all those research-grade answers yet, but Dan certainly knows the questions to ask. – MR

Johnny doesn’t care: Carnegie Mellon released a research paper called Why Johnny Can’t Opt Out, an examination of tools to thwart online behavioral monitoring, and how users use them. I recommend downloading the paper and taking a quick look at the study – it contains some interesting stuff, but I am a bit disappointed by several aspects. First, the executive summary makes it sound like the tools they surveyed are ineffective, when that’s clearly not the case. They found users were confused by the UIs of the respective products and failed to configure the products correctly. OK, that’s reasonable – most utilities leave a bit to be desired from a user experience standpoint. But not all offerings are like that; for example Ghostery’s setup wizard is dead simple to use, but the data is the data. The other thing that bothered me was not testing NoScript (a fantastic tool!) as another privacy tactic. The final annoyance was their assumption that users do not want privacy tools to hinder usability! WTF? They do understand behavioral advertising is woven into the web’s fabric, right? That “no hindrance” requirement eliminates NoScript, and stymies any effective product, because there’s no way to eliminate certain risks


Breakdown of Trust and Privacy

I try not to cover data privacy much any more, despite being an advocate, because we have already crossed the point of no return. We have allowed just about every piece of our personal data to be available on the Internet, making privacy effectively a dead issue, but in most cases the user makes the choice. But many very large public firms have been promising consumers that they carefully protect customer information, and fully anonymize any data before it’s sold. This is bull$&!#.

As an example, Visa and Mastercard have been in the news lately, because of the sale of ‘anonymized’ data to marketing firms. True to form, “MasterCard told the Journal that customers have nothing to worry about.” But most firms that collect customer data – Mastercard included – know full well that their marketing partners can and do link purchase histories to specific individuals. Especially when you leave bread crumbs to follow: something like a customer ID, or last name and age – either of which serves as a surefire way of pinpointing user identity. And the third party firms can do this because Visa leaves enough information to accommodate linking.

We know Mastercard is speaking from both sides of its mouth on this – their own corporate sales presentations to marketing organizations tout this as an advantage:

“We have extensive experience partnering with third parties to link anonymized purchased attributes to consumer names and addresses (owned by third party)”

This sort of thing may bother you; it may not. But let’s be clear that Mastercard is lying about the practice because they know the majority of the public feels selling their personal data is a betrayal of trust. These slides clearly demonstrate that this isn’t just a simple lie or mistake – it’s a bald-faced lie. They have been marketing their concern for user data privacy on one side, and marketing de-anonymization to third party marketers for years. And third party marketing firms pay a lot of money for the data because they know it can be linked to specific card holders.

I am especially aggravated by this compromising of user data because Mastercard & Visa don’t just facilitate electronic fund transfers; they also actively market the trustworthiness of their brands to consumers. Turning around and selling this data, obviously intending for it to be reverse engineered, betrays that trust.

As I mentioned recently in a post on Payment Trends and Security Ramifications, the card brands are eager to increase revenue through these third party relationships for targeted ads and affinity marketing. I fully expect to see coupons available via smart cards in the next two years, in an attempt to disintermediate companies like Groupon. And in their rush to profit from profiling, they seem to have forgotten that users are tired of these shenanigans.

Of course their legal teams say customer privacy comes first, then get defensive when people like me say otherwise, touting their ‘opt-out’ options. But customers can’t really opt out. Not just because the options are hidden on their various sites where no one can find them all. And not just because you’re automatically opted in when you get each card. The deeper problem is that this data is always collected, no matter what. It’s hard coded into the systems that process the transactions. Always. It’s simply a question of whether Mastercard chooses to sell customer data – and in light of the above quote it is difficult to trust them. If they want to earn our trust, they should show us sample data and how it is anonymized. I am willing to bet it cannot stand up to scrutiny.
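The scrutiny the post asks for can be made concrete. The following added example (not Securosis code; the records and field names are constructed) measures k-anonymity over combinations of the quasi-identifiers named above, and reports which customers an "anonymized" export still singles out, including the case where a persistent customer ID alone does it.

```python
"""k-anonymity audit of an 'anonymized' purchase export.

Added example, not Securosis code. A record is 'anonymized' only if every
customer shares their quasi-identifier values with at least k-1 others; k == 1
means a marketing partner can single that person out with an outside list.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample export (not real data): the card number was dropped, but
# a persistent customer ID and a few demographic fields survived.
EXPORT = [
    {"cust_id": "C1", "last_name": "Garcia", "age": 34, "zip": "30301", "merchant": "grocer"},
    {"cust_id": "C1", "last_name": "Garcia", "age": 34, "zip": "30301", "merchant": "pharmacy"},
    {"cust_id": "C2", "last_name": "Garcia", "age": 34, "zip": "30301", "merchant": "fuel"},
    {"cust_id": "C3", "last_name": "Garcia", "age": 51, "zip": "30301", "merchant": "grocer"},
    {"cust_id": "C4", "last_name": "Smith", "age": 34, "zip": "30309", "merchant": "cafe"},
    {"cust_id": "C5", "last_name": "Smith", "age": 34, "zip": "30309", "merchant": "grocer"},
]


def equivalence_classes(records, quasi_ids):
    """Group distinct customers by the tuple of values in the chosen fields."""
    classes = defaultdict(set)
    for rec in records:
        key = tuple(rec[field] for field in quasi_ids)
        classes[key].add(rec["cust_id"])
    return classes


def k_anonymity(records, quasi_ids):
    """Smallest class size; k == 1 means at least one person is unique."""
    return min(len(ids) for ids in equivalence_classes(records, quasi_ids).values())


def singled_out(records, quasi_ids):
    """Customer IDs that are alone in their class for this field combination."""
    return {
        next(iter(ids))
        for ids in equivalence_classes(records, quasi_ids).values()
        if len(ids) == 1
    }


def audit(records, candidate_fields):
    """k for every non-empty combination of candidate quasi-identifier fields."""
    report = {}
    for size in range(1, len(candidate_fields) + 1):
        for combo in combinations(candidate_fields, size):
            report[combo] = k_anonymity(records, combo)
    return report


if __name__ == "__main__":
    # cust_id is included deliberately: a stable ID is as identifying as a name.
    for combo, k in audit(EXPORT, ("cust_id", "last_name", "age", "zip")).items():
        flag = "  <-- singles out " + ", ".join(sorted(singled_out(EXPORT, combo))) if k == 1 else ""
        print(f"{'+'.join(combo):25s} k={k}{flag}")
```

Last name alone gives k=2 on this sample, but last name plus age drops to k=1, which is exactly the bread crumb the post describes.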


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.