Research

Oracle announced the April 2011 CPU this week, with just a few moderate security issues for the database. Most DBAs monitor Oracle’s Critical Patch Updates (CPU) and are already familiar with the Common Vulnerability Scoring System (CVSS). For those of you who are not, it’s a method of calculating the relative risk of software and hardware vulnerabilities, resulting in a score that describes the potential severity of the vulnerability if an attacker were to exploit the problem. The scores are provided to help IT and operations teams decide what to patch and when. Vendors are cagey about providing vulnerability information – under the belief that any information helps attackers create exploits – so CVSS is a compromise to help customers without overly helping adversaries. Oracle uses CVSS scoring to categorize vulnerabilities, and publishes the scores with the quarterly release of their CPUs. When Oracle database vulnerabilities are found, they provide the raw data fed into the scoring system to generate the score included with the patch announcement. Most of the DBA community is not happy with the CVSS system, as it provides too little information to make informed decisions. The scoring methodology of assembling ‘base metrics’ with time and environmental variables is regarded as fuzzy logic, intended to obfuscate the truth more than to help DBAs understand risk. The general consensus is that risk scores have low value, but anything with a high score warrants further investigation. Google and 3rd party researchers become catalysts for patching decisions. Still, it’s better than nothing, and most DBAs are simply too busy to make much fuss about it, so there is little more that quiet grumbling in the community. Things seem a bit different with the April 2011 CPU. One of the bugs (CVE-2010-0903) was very similar in nature and exploit method to the last Oracle patch release (CVE-2011-0806), but had a dramatically lower risk score. The modification to the CVSS security score was based on Oracle’s modification to the CVSS scoring system to include a ‘Partial+’ impact metric. I have not spoken to anyone at Oracle about this, so maybe they have a threat model that demonstrates an attacker cannot get out of the compromised database, but I doubt it. It looks like an attempt to “game the system” by producing lower risk scores. Why do I say that? Because a ‘Partial’ reference makes sense if the scope of a vulnerability is localized to a very small part of the database. If it’s the entire database – which is what ‘Partial+’ indicates – pwnage is complete. Lowering of CVSS scores by saying the compromise is ‘Partial+’, instead of ‘Complete’ deliberately(?) misunderstands the way attackers work. Once they get a foot in the door they will automatically start looking for what to attack next. To reduce the risk score you would need to understand what else would be exposed by exploiting this vulnerability. Most people in IT – if they do a threat analysis at all – do it from the perspective of before the exploit. Few fully consider the scope of potential damage if the database were compromised and used against you. I can’t see how ‘Partial+’ makes things better or provides more accurate reporting, but it’s certainly possible the Oracle team has some rationale for the change I have not thought of. To me, though Partial+ means a database is an attacker platform for launching new attacks. And if you have been following any of the breach reports lately, you know most involve a chain of vulnerabilities and weaknesses strung together. Does this change make sense to you? Share:

I want to discuss deployment tradeoffs in Database Activity Monitoring, focusing on advantages and disadvantages of hardware appliances. It might seem minor, but the delivery model makes a big first impression on customers. It’s the first difference they notice when comparing DAM products, and it’s impressive – those racks of blinking whirring 1U & 2U machines, neatly racked, do stick with you. They cluster in groups in your data center, with lots of cool lights, logos, and deafening fans. Sometimes called “pizza boxes” by the older IT crowd, these are basic commodity computers with 1-2 processors, memory, redundant power supplies, and a disk drive or two. Inexpensive and fast, appliances are more than half the world’s DAM deployments. When choosing between solutions, first impressions make a huge difference to buying decisions, and this positive impression is a big reasons appliances have been a strong favorite for years. Everything is self-contained and much of the monitoring complexity can be hidden from view. Basic operation and data storage are self-contained. System sizing – choosing the right processor(s), memory, and disk are the vendor’s concern, so the customer doesn’t have to worry about it or take responsibility (even if they do have to provide all the actual data…). Further cementing the positive impression, the initial deployment is easier for an average customer, with much less work to get up and running. And what’s not to like? There are several compelling advantages to appliances, namely: Fast and Inexpensive: The appliance is dedicated to monitoring. You don’t need to share resources across multiple applications (or worry another application will impact monitoring), and the platform can be tailored to its task. Hardware is chosen to fit the requirements of the vendor’s code; and configuration can be tuned to well-known processor, memory, and disk demands. Stripped-down Linux kernels are commonly used to avoid unneeded OS features. Commodity hardware can be chosen by the vendor, based purely on cost/performance considerations. When given equal resources, appliances performed slightly better than software simply because they have been optimized by the vendor and are unburdened by irrelevant features. Deployment: The beauty of appliances is that they are simple to deploy. This is the most obvious advantage, even though it is mostly relevant in the short term. Slide it into the rack, connect the cables, power it up, and you get immediate functionality. Most of the sizing and capacity planning is done for you. Much of the basic configuration is in place already, and network monitoring and discovery are available without little to no effort. The box has been tested; and in some cases the vendor pre-configures policies, reports, and network settings before to shipping the hardware. You get to skip a lot of work on each installation. Granted, you only get the basics, and every installation requires customization, but this makes a powerful first impression during competitive analysis. Avoid Platform Bias: “We use HP-UX for all our servers,” or “We’re an IBM shop,” or “We standardized on SQL Server databases.” All the hardware and software is bundled within the appliance and largely invisible to the customer, which helps avoid religious wars configuration and avoids most compatibility concerns. This makes IT’s job easier and avoids concerns about hardware/OS policies. DAM provides a straightforward business function, and can be evaluated simply on how well it performs that function. Data Security: The appliance is secured prior to deployment. User and administrative accounts need to be set up, but the network interfaces, web interfaces, and data repositories are all set up by the vendor. There are fewer moving parts and areas to configure, making appliances more secure than their software counterparts when they are delivered, and simplifying security management. Non-relational Storage: To handle high database transaction rates, non-relational storage within the appliance is common. Raw SQL queries from the database are stored in flat files, one query per line. Not only can records be stored faster in simple files, but the appliance itself avoids have the burden of running a relational database. The tradeoff here is very fast storage at the expense of slower analysis and reporting. A typical appliance-based DAM installation consists of two flavors of appliances. The first and most common is small ‘node’ machines deployed regionally – or within particular segments of a corporate network – and focused on collecting events from ‘local’ databases. The second flavor of appliance is administration ‘servers’; these are much larger and centrally located, and provide event storage and command and control interfaces for the nodes. This two-tier hierarchy separates event collection from administrative tasks such as policy management, data management, and reporting. Event processing – analysis of events to detect policy violations – occurs either at the node or server level, depending on the vendor. Each node sends (at least) all notable events to its upstream server for storage, reporting, and analysis. In some configurations all analysis and alerting is performed at the ‘server’ layer. But, of course, appliances are not perfect. Appliance market share is being eroded by software and software-based “virtual appliances”. Appliances have been the preferred deployment model for DAM for the better part of the last decade, but may not be for much longer. There are several key reasons for this shift: Data Storage: Commodity hardware means data is stored on single or redundant SATA disks. Some compliance efforts require storing events for a year or more, but most appliances only support up 90 days of event storage – and in practice this is often more like 30-45 days. Most nodes rely heavily on central servers for mid-to-long-term storage of events for reports and forensic analysis. Depending on how large the infrastructure is, these server appliances can run out of capacity and performance, requiring multiple servers per deployment. Some server nodes use SAN for event storage, while others are simply incapable of storing 6-12 months of data. Many vendors suggest compatible SIEM or log management systems to handle data storage (and perhaps analysis of ‘old’ data). Virtualization: You can’t deploy a physical appliance in a virtual network. There’s no TAP or SPAN

The last two nights, we have celebrated Passover. Basically, we have a big dinner commemorating the escape of our forefathers from bondage and slavery in Egypt. At least that’s how the story goes, although I wasn’t there, so I maintain a healthy skepticism regarding burning bushes, parting seas, and plagues. But the point remains whether or not the stories are true. It’s really an excuse to party with friends and family, and enjoy some time together outside the craziness of day-to-day existence. I’m not unique in having a pretty hectic existence. For instance, the twins play baseball/softball, which means we were at the field both Saturday and Sunday, for a total of 5 games. Combined with the oldest one preparing for a dance show in a few weeks, we hardly had time to hit the head all weekend. But a close friend had a birthday party to celebrate her 40th Friday, so we had to take a break and celebrate. I did not squander the opportunity, and got rather festive with the help of some vanilla rum. OK, it might have been a lot of vanilla rum. If you find my liver, feel free to mail it back to Securosis Central. Adrian the mailman likes that kind of care package. Many of us don’t intentionally party enough. So I actually appreciate the religious holidays interspersed throughout the year. For me it’s not about the dogma, or whether what we are celebrating actually happened or not. And most of the time we don’t spontaneously start throwing food at each other. It’s about turning off the distractions and focusing on family and friends, if only for a night or two. We actually talk, as opposed to planning the next day’s activities. We eat (too much) and until you’ve experienced it, you can’t appreciate a Manischewitz Concord Grape hangover. A lot of our personal history is tied to these holiday celebrations, providing stories we tell for a lifetime. Like when – despite Mom’s stern warning not to get dirty – I fell into a stream behind my babysitter’s house, fancy corduroy pants and all. It was great fun but Mom was not amused. I think she’s still fuming. And it didn’t even involve Concord Grape. We can even make the wacky traditions fun. For instance, on Passover the kids hunt for a piece of Matzoh hidden in the house (it’s called the Afikomen), and if they find it they get a couple bucks. Which is huge progress, because I was lucky to get a piece of chocolate from my grandfather back in the day. Given this year’s bounty ($2 for each kid), and my oldest daughter’s big spending plans, she was very concerned that I wouldn’t make good on my financial obligations. I’m afraid I didn’t help the situation when I mentioned my new policy of charging $2 per month for rent. Imagine that – I can be difficult sometimes. Obviously I made good on the gift, but not before I had her unknowingly play back one of my favorite movie scenes. I asked her to say “I want my $2” about 10 times, and she didn’t understand why I was rolling on the floor. Too bad it was a school night, or I would’ve made her get on her bike and chase me around the neighborhood screaming “I want my $2.” Really, that’s not bad parenting, is it? Some folks figure they are Better Off Dead than suffering through yet another family holiday. But not me – I can make almost any occasion a big party. And I do. -Mike Photo credits: “La Tomatina / Spain, Bunol” originally uploaded by flydime I would be negligent if I didn’t call attention to a major milestone that one of us hits today. That’s right, the baby of the bunch, the rich mogul turns 40. Today. I’d say that’s old, but I still have 2+ years on him, and a lot more gray hair. Rich is taking a vacation day (as he should) and my hope is that he’ll take a step back to appreciates all he has and has done over the past 4 decades. He has a great wife and kids, he’s building a great business, and he’s one of the top dogs in this little game we play. So when you have your nightcap, after a typically hard day in the trenches of security, raise your glass to Rich and know that the next 40 will be better than the last. Incite 4 U Understand the real threat: Given all the (justified) bluster around the Verizon Data Breach Report, we can’t forget the need to understand what’s really at risk and how it is most likely to be compromised. Ax0n does a great job of reminding us by talking about the real insider threat, reminiscing about the hoops he’s had to jump through in order to remotely manage a server (legitimately, apparently). Then he contrasts that against the fact that other folks take the company’s most sensitive data outside on laptops and USB keys, posing a much more serious risk than a conscientious admin trying to fix things from home. Especially when the internal controls make life hard for people who don’t care about security. His point is that we need to match the controls (and security rhetoric) to the threat, and make sure it’s not onerous to drive creative folks to find a way around security. Remember, most folks believe security is not their job – it’s yours. You can make the case that it’s everyone’s job and you wouldn’t be wrong. But sales guys have to meet their quota each quarter, and that’s more important than meeting your rules. – MR DBIR poop commences: It took about a nanosecond, but as Rich predicted, the Verizon Data Breach Investigations Report is already being misquoted and misinterpreted. More breaches being investigated does not necessarily mean there were more breaches, but that’s the poop already hitting the wire. I understand the rush to get an article live, but they should at least read some of the report before editorializing. The general public

Today Verizon released the 2011 Data Breach Investigations Report: our single best source of actual incident data in the security industry, based on comprehensive metrics gathered during hundreds of incident investigations. In the coming weeks there won’t be any shortage of stories on, and analysis of, the DBIR. Rather than rehashing all the talking points we expect other sources to cover well, we will instead focus on actionable guidance based on the report. We will focus on how to read the DBIR, what it teaches us, and how should it change what you do. How to read the DBIR With so much data it’s all too easy to get lost in the numbers. It’s also very easy to lose context and misinterpret what’s in there. First let’s cover the four most important trends: The industrialization of attacks: There is an industry encompassing many actors, from coders to attackers to money launderers. They use automated tools and manage themselves and their operations as businesses – including use of independent contractors. Like any other business, these folks want to maximize profits and minimize risk, and the results of the 2011 DBIR show their work towards these goals – especially compared with the 2009 and 2010 DBIRs. Financial attacks focused on leveraged activities such as credit card skimming, point of sale attacks, and ACH fraud: This ties in with the first point: instead of spending massive resources for high risk/high gain (Gonzalez-style attacks), attackers are hammering the financial system’s weak points with significant automation to broaden scope and expand their scale. All forms of attack are up by all threat actors: If someone writes (or tweets) that APT is a myth or IP loss isn’t a problem based on this report, kick them in the nuts. Hard. Twice. Law enforcement really does catch some of the bad guys: 1,200 arrests over the past several years by the Secret Service alone. Many of these bad guys/gals attack small business. We could use more, given the scale of the problem, but law enforcement is having an impact. I will add my own interpretation, which I have separated from the direct DBIR trends: Successful financial attacks (more often than not) target smaller organizations, whereas complex IP (intellectual property) attacks focus (more often than not) on larger or specialized organizations. So for the first time we see a type of market segmentation by attackers. Using automated systems against weak targets and riding the associated economies of scale can be very lucrative, and it’s not surprising to see these targets multiply. But that doesn’t mean bigger companies, more sophisticated about security, are in the clear. We also see an increase in sophisticated attacks focusing on IP, although these numbers are not as obvious in the DBIR data. And now highlights and where to focus your reading, in no particular order: There was a large increase in the number of incidents investigated in 2010. Even accounting for sampling bias, this is still significant. 141 breaches were evaluated in 2009, and 761 in 2010. Yes, sports fans, that’s a 5x multiple. Such a massive increase skews the trend data, so you need to understand that percentage increases and decreases may obscure important information. For example, there was a significant decline in the percentage of attacks involving SQL injection, yet the actual quantity of reported SQL injection attacks actually increased dramatically. There are more small and medium businesses in the world than large ones. So we should see more attacks against them, and the data skews in that direction this year. As stated clearly in the report and in our briefing, the increased number of incidents is mostly due to massive growth in two attack forms: compromise of remote management tools for point of sale (POS) systems in hospitality and retail, and ATM and credit card skimmers (including employees using handheld skimmers). This data came from the Secret Service and we don’t know if it is means the bad guys have found a new focus, or the Secret Service is paying more attention to these attacks. Either way, the increase is significant. Anecdotal evidence from other sources does seem to indicate attackers are increasingly focused on these areas, especially against smaller companies and outlets. Most of the headlines will focus on the massive drop in lost records from 361 million in 2008, to 144 million in 2009, to 4 million in 2010. You should mostly ignore this. The large numbers were highly likely due to a small number of incidents involving massive quantities of records. As the DBIR itself states, Albert Gonzales alone was responsible for tens (possibly hundreds) of millions of records lost over this time period. Pull out those few distorting large campaigns, and the general trend in lost records evens out. The trend shows more bad guys hitting smaller targets. Your risk of being attacked successfully is greater if you are in a targeted industry, such as hospitality and retail. Each incidence of lost intellectual property was typically counted as a single lost record. So IP theft is inherently ranked much lower in studies like the DBIR than credit card breaches, which always involve more records per incident. But the F-14’s avionics schematics probably command a slightly higher value than a single credit card… The VERIS framework used to collect the data uses a multiple-select system. So if 5 attack methods were used in an single attack, each method is counted. They try to make this clear in the report and don’t misinterpret these findings like most of the armchair analysts (including vendors pushing their own agendas) probably will. For example, SQL injection dropped considerably as an overall percentage of attacks… but if you normalize the data to factor in the large number of skimmers and remote management breaches, injection probably climbs back to the top 3. Figure 6 on page 15 is the most important in the entire report. It shows that most attacks involve hacking and malware against user devices. Network sniffing is barely a blip. Physical attacks are also a major vector (mostly skimming, according to our briefing and the report), but

In a world full of TLAs (three letter acronyms), none resonates for security people as strongly as FUD. Or Fear, Uncertainty, and Doubt for you n00bs. Many of us rail at the offensive use of FUD in security sales. But let’s take a step back and acknowledge that security is like insurance. With very rare exceptions, security doesn’t help anyone sell more stuff. It doesn’t really help companies operate more efficiently. It’s basically about controlling downside risk. So it’s like insurance. You don’t buy health insurance because you want to. It doesn’t add anything to your life. It prevents you from going belly up if you have some catastrophic issue. It can maybe cut your medical bills if you are chronically ill or injury prone. But clearly you buy insurance because you feel you need to, not because you want to. Insurance brokers (at least all those I’ve dealt with) also leverage FUD in their sales cycle. They paint the picture of downside risk, which always involves preying on some fear of getting hurt, sick, etc. If I had a crystal ball and knew I (or anyone in my family) wouldn’t get sick, I’d drop health insurance like a hot potato. And your senior management is in exactly the same boat. If they thought there was no risk of losing protected data or intellectual property, you’d be out on your ass. So there will always be some level of FUD in our activities as security folks. I talked about using FUD as an end user a few years back, as well as more recently. So there can be legitimate uses of FUD to create urgency and provide a catalyst for funding. But let’s stay focused on security vendors using FUD to get you to buy their stuff. I realize it’s part of the game and I have accepted that. I don’t like it, but I accept it. But that doesn’t mean all FUD is created equal. So let’s attempt to break FUD down into a couple categories and (with your help) understand the impact of each type of FUD on the sales cycle. In this post, I’ll break down the categories of FUD we see most frequently. I started this discussion last week on Twitter, and got some great feedback. Hopefully we’ll get some more feedback on the blog (You! Yes, you! Get over to the blog and add some comments!) and come to some consensus about which kinds of FUD are common in practice. Then we’ll put together a survey to see if we can get some level of understanding about what is acceptable FUD vs. unacceptable. Dare I say it – maybe even useful FUD. In a perfect world, all our friends in the vendor community would take this feedback to heart and stop slinging bad FUD. Oy, such optimism. So here goes (in no particular order): Attack du jour press release: You know what I’m talking about here because these press releases show up in your inbox just about every day. This is the “you can stop StuxNet with our box” type release, where the vendor is trying to capitalize on some external event to get you to answer the phone. Similar to getting a call for travel insurance just after an airliner goes down. Threat reports: Almost every vendor has some kind of research capability now, so these reports basically list out which attacks and/or vulnerabilities they are seeing. Maybe they throw in some trend analysis as well. The idea is to keep your attention on common attacks, which are then addressed by the vendor’s widget or service. Breach reports: These reports are different from threat reports in that the objective is to actually study breaches – in an attempt to pinpoint both the breach’s impact and root causes. With this analysis a vendor/service provider hopes to educate potential customers on what causes breaches and how to address the risks (hopefully with their own products/services). Of course, the Verizon Data Breach report is the granddaddy of this kind of analysis. Check out Rich’s analysis of the 2010 report. Vendor surveys/peer group FUD: If you are a CISO, you get probably a dozen calls/emails a week to fill out one survey or another. Do you do this? Have you suffered from that? The vendors and researchers (like Ponemon) then assemble the data to build a case about what the masses are doing, or more likely aren’t doing. James McGovern accurately called this peer group FUD because it tries to trigger action by pointing out that either buddies friends are (or aren’t) doing something specific, and therefore you should. This also applies to the Security Benchmarking research I’m doing right now. Making security/compliance easy: One of my personal favorites: you still see vendors market events and position products with promises that using their gear will make either security or compliance (or both!) easy. And if you aren’t using their gear, your life is unnecessarily hard. Sponsored lab tests: You tend to see this kind of FUD during the sales cycle, when a vendor tries to convince you they are great and the competitor is crap, because the vendor paid some guy in a lab to run a test to which demonstrated something attractive about the vendor’s product or service. Some publications also run lab tests which straddle the line. It’s rare for money to directly change hands, but there can be backroom ad-buying hijinx. Our legal budget is rather limited so I won’t name names – these folks tend to be rather litigious – but you know who I’m talking about. Competitor sniping: Don’t you love it when vendors come in, and spend more time talking about why their competitors suck than about why they are good and how they can help you? Yeah, I hate that too. That’s competitor sniping in all its seedy glory. Cost of breach/attack analysis: We also see folks (like Larry Ponemon) who have built great businesses doing more targeted surveys, trying to understand what these security/compliance/breach issues actually cost companies. Clearly the idea is to derive an objective number that you (the practitioner) can use internally to talk about how bad it would be if something unfortunate were to happen. Yes, this

If you don’t already have attackers in your environment you will soon enough, so we have been spending a lot of time with clients figuring out how to respond in this age of APT (Advanced Persistent Threat) attackers and other attacks you have no shot at stopping. You need to detect and respond more effectively. We call this philosophy “React Faster and Better”, and have finally documented and collected our thoughts on the topic. Here are a couple excerpts from the paper to give you a feel for the issue and how we deal with it: Incident response is near and dear to our philosophy of security – it’s impossible to prevent everything (we see examples of this in the press every week), so you must be prepared to respond. The sad fact is that you will be breached. Maybe not today or tomorrow, but it will happen. We have made this point many times before (and it has even happened to us, indirectly). So response is more important than any specific control. But it’s horrifying how unsophisticated most organizations are about response. In this paper we’ll focus on pushing the concepts of incident response past the basics and addressing gaps in how you respond relative to today’s attacks. Dealing with advanced threats requires advanced tools. React Faster and Better is about taking a much broader and more effective approach on dealing with attacks – from what data you collect, to how you trigger higher-quality alerts, to the mechanics of response/escalation, and ultimately to remediation and cleaning activities. This is not your grandpappy’s incident response. To be clear, a lot of these activities are advanced. That’s why we recommend you start with our Incident Response Fundamentals from last year to get your IR team and function in decent shape. Please be advised that we have streamlined the paper a bit from the original blog series, cutting some of the more detailed information on setting up response tiers. We do plan to post the more complete paper at some point over the next couple months, but in the meantime you can refer back to the RFAB index of posts for the full unabridged version. A special thanks to NetWitness for sponsoring the research. Download: React Faster and Better: New Approaches for Advanced Incident Response (PDF) Share:

So you have defined your peer groups and analysis and spent a bunch of time communicating what you found to your security program’s key stakeholders. Now it’s time to shift focus internally. One of the cool things about security metrics and benchmarks is the ability to analyze trends over time and use that data to track progress against your key goals. Imagine that – managing people and programs based on data, not just gut feel. Besides being able to communicate much more authoritatively how you are doing on security, you can also focus on continuously improving your activities. This is a good thing to do – particularly if you want to keep your job. We will harp on the importance of consistency in gathering data and benchmarks over a long period of time, and then getting sustained value from the benchmark by using it to mark progress toward a better and more secure environment. Programs and feedback loops We don’t want to put the cart ahead of the horse, so let’s start at a high level, with describing how to structure the security program so it’s focused on improvement rather than mere survival. Here are the key steps: Define success (and get buy-in up the management stack) Distill success characteristics into activities that will result in success Quantify those activities, determine appropriate metrics, and set goals for those metrics Set objectives for each activity and communicate those objectives Run your business; gather your metrics Analyze metrics; report against success criteria/objectives Identify gaps, address issues, and reset objectives accordingly Wash, rinse, repeat Digging deeply into security program design and operation would be out of scope, so we’ll just refer you to Mike’s methodology on building a security program: The Pragmatic CSO. Communicating to the troops In our last post, on Benchmarking Communication Strategies, we talked about communicating with key stakeholders in the security process, and a primary constituency is your security team. Let’s revisit that discussion and its importance. Your security team needs to understand the process, how benchmark data will be used to determine success, and what the expectations will be. Don’t be surprised to experience some push-back on this new world order, and it could be quite significant. Just put yourself in your team’s shoes for a moment. For most of these folks’ careers they have been evaluated on a squishy subjective assessment of effectiveness and effort. Now you want to move them to something more quantified, where they can neither run nor hide. Top performers should not be worried – at all. That’s a key point to get across. So exercise some patience in getting folks heads in the right spot, but remember that you aren’t negotiating here. Part of the justification for investing (rather significantly) in metrics and benchmarks is to leverage that data in operations. You can’t do that if the data isn’t used to evaluate performance – both good and bad. It’s not a tool, it’s a lifestyle Another point to keep in mind is that this initiative isn’t a one-time thing. It’s not something you do for an assessment, and then forget it in a drawer the moment the auditor leaves the building. Benchmarking, done well, becomes a key facet of managing your security program. This data becomes your North Star, providing a way to map out objectives and ensure you stay on course to reach them. We have seen organizations start with metrics as a means to an end, and later recognize that they can change everything about how operational efforts are managed, perceived, and supported within the organization. The lack of security data has hindered acceptance of benchmarking in the security field, but it’s time to revisit that. As per usual, there are some caveats to data-driven management. No one size fits all. We see plenty of cultural variation, which may require you to take a less direct path to the benchmark promised land. But there can be no question about the effectiveness of quantifying activity, compared to not quantifying it. If you have gotten this far, successfully implemented this kind of benchmark, and institutionalized it as a management tool, you are way ahead of the game. But what’s next? Digging into deeper and more granular metrics, such as the metrics we defined as part of our Project Quant research. So we will discuss that next. Share:

Just in case you had nothing to do over the weekend, I came up with some homework to catch you up on our Security Benchmarking series. We’re clicking right along and think the content is kickass. So check it out, comment, and let us know if we are smoking crack. Introduction Security Metrics (from 40,000 feet) Collecting Data Systematically Sharing Data Safely Defining Peer Groups and Analyzing Data Communications Strategies Continuous Improvement We’ll be wrapping the series up next week with 3 more posts. So please contribute while you have the chance. Share:

The simple fact is that most folks senior security folks came from the technical side of the house. They started as competent (if not studly) sysadmins or security administrators, drew the short straw, and ended up with management responsibility. But very few of these folks ever studied management, gone through management training, or done anything but learned on the job. This creates a situation where senior security folks spend a lot of time doing stuff, but not enough time talking about it. The huge disconnect is inadequate communication of both success and failure up and down the management stack to key security stakeholders. In fact, the Pragmatic CSO methodology originated largely to help technical folks figure out how to deal with their management responsibilities. The inability to communicate to key stakeholders will absolutely kill a benchmarking program because benchmarking entails ongoing incremental effort to gather metrics, as well as to compare against benchmarks and perform analysis. The benchmark must provide additional value, which must be communicated in order to make the effort worthwhile. As we all know, nothing really happens by itself. You need to build a systematic communications/outreach effort to leverage the benchmark data, specifically targeting a number of constituencies important to the success of any security practitioner. Let’s dig into how that’s done, because it’s a critical success factor for any benchmarking initiative. Understanding your audience The first rule of communications is to do it consistently and repetitively by telling them what you are going to say, saying it, and then telling them what you just said. It sounds silly, but given today’s over-saturated environment where the typical C-level exec has the attention span of a 2-year-old, you don’t have a choice. Effective communications requires more than just talking a lot – you need to tailor your message to the audience. This is something security folks have always stunk at. If you’ve ever uttered the words “AV coverage” or “firewall rules” in a management meeting you know what I mean. Senior management If there is one thing you should appreciate about senior management, it’s that they are fairly predicable. Their interests involve things that directly impact revenues/expenses. Period. They don’t want to know the details of how you do something unless it’s off the rails. They want to know the bottom line and whether/how it will impact their ability to get paid their full bonus at the end of the year. So we focus on incident data and budget efficiency. They want to know whether incidents have impacted availability and thus cost them money. They need to know about disclosures, with an eye towards brand damage. And they need to know how you do relative to peers – if only make themselves feel better that their competitors probably won’t be getting those bonuses this year either. Getting time with senior folks is challenging. So you’ll be doing well if you can get quarterly face time to go through the metrics/results/benchmarks. At a minimum you need to make your case annually ahead of budgeting, but that is not really frequent enough to get sufficient attention to successfully execute on your program. Finally, how can benchmark data help you with these folks? You can use the fact that in terms of overhead functions most senior managers are lemmings – if everybody else is doing it (whatever it is), they will be likely to follow suit. It’s an ugly job, but someone has to do it. CIO Odds are you report in through the technology stack, which means you’ll spend some time with the CIO. This is a good thing, but keep in mind that the CIO’s primary goal is to look good to senior management. We all know that security issues can make him/her look very bad. So we can focus on what interests senior management: incidents and budget efficiency. But with the CIO you should add high-level operational trending data, which highlights issues and/or shows progress on efficiency. Given the spend on security, the CIO needs to pay attention to and increase efficiency. How often should you be communicating with the CIO? Hopefully monthly, if not more often. We know it’s hard to book time around golf outings with the big systems, storage, and networking vendors. But you still need access and face time to make sure there is a clear understanding of where the security program is and what needs to be addressed. Benchmark data helps substantiate the need for specific projects/investments, driven either by peer group adoption or efficiency/effectiveness gaps. Again, your opinion about what’s important and needed is interesting, but not necessarily relevant. Having data to substantiate your arguments makes the discussion much easier. IT Ops teams Brown stuff tends to flow downhill, so your pals in IT ops tend to focus on looking good to the CIO. You need their support to execute on any kind of security program, because ops can make it protection difficult, and that would be a problem for you and the CIO. But ops isn’t interested in the same things as senior managers. You need to focus those discussions on areas where changes or activities depend on operational resources. As with all things operational, it’s about increasing efficiency and reducing error, so we want data which highlighting issues, gaps, and/or areas to improve. Ops folks may not appreciate being told they may need to do things differently. This is another place where benchmark data can be your ace in the hole. By showing relative performance and ability to execute on operational processes, the data substantiates your arguments and helps avoid you having to go back to the CIO to complain “Ops sucks and makes our life hard!” and hoping the CIO will make them play nice. Security team As valuable as benchmark data is for telling a better story to stakeholders and key influencers of the security program, the benchmark data is also a key management tool for your own security team. We all want our groups to work better and improve continuously – as we

It’s tax day. You don’t have time to read this. I don’t have time to write it. Actually, my accountant is taking care of my taxes (I don’t trust myself with them). What’s really sucking down my time is preparing all the hands-on portions of the Cloud Security Alliance training. For the second time. We decided to split the class into two days, which means I have the opportunity to both tune the material and add new material. The cloud security portions of this are actually pretty straightforward – the harder part is scripting all the instances and configurations to focus the students on the important security bits without them having to learn things like MySQL, UNIX command lines (since, you know, auditor types will be in the class) and so on. That means I get to figure out all the scripting. Which isn’t a big deal, except I’m working with programs I don’t really deal with on a day to day basis. So there’s a lot of learning involved, and things that used to be instinctive when I was working as an admin now involve multiple web searches and mistakes to get correct. And little things like figuring out the mechanics of running a private cloud for 40 students on a single laptop and still providing some hands-on, as opposed to just an instructor demo. But I’m loving it. So go away and do your taxes. I need to play. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading post on Cloud DB Security. Rich and Adrian quoted on our DBQuant press release. The Network Security Podcast, episode 237. Favorite Securosis Posts Adrian Lane: Database Trends. Mike Rothman: Our insanely comprehensive database security framework. No one else does this kind of research. It’s awesome to see it in its entirety. And we provide it at no cost. You’re welcome. David Mortman: Database Trends. Rich: Software vs. Appliance: Understanding DAM Deployment Tradeoffs. Other Securosis Posts Security Benchmarking, Going Beyond Metrics: Defining Peer Groups and Analyzing Data. Security Benchmarking, Going Beyond Metrics: Communications Strategies. Incite 4/13/2011: Jonesing for Air. Favorite Outside Posts Mike Rothman: Security vendors should face the music, even if they hate the tune. Bill Brenner nails it. Even when a review goes south, there are ways to handle it. Scorched earth on a well-respected testing house isn’t a winning strategy. David Mortman: How Dropbox sacrifices user privacy for cost savings. reppep: Cloud validation: 8 hours of 10,000-core computation for $8k. Okay, it’s still not for everybody, but this demonstrates that “cloud computing” does have a point. Adrian Lane: Russian Security Service proposes ban on Gmail, Skype, Hotmail. Skype a threat to National Security? Government’s the same all over. Research Reports and Presentations Measuring and Optimizing Database Security Operations (DBQuant). Woo hoo!!! Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. White Paper: Understanding and Selecting an Enterprise Firewall. Top News and Posts Veris Community Project Update The Web’s Trust Issues. Private records of 3.5 million people exposed by Texas. Hack attack spills web security firm’s confidential data. Adobe to Patch Flash Zero Day on Windows, Mac on Friday. DOJ Shuts Down Botnet, Disables Infected Systems Share: