Research

It amuses me that folks were shocked by the latest treasure trove of goodies from the HBGary email spool. Basically these folks built custom malware on behalf of their government clients. Ars Technica digs in (with pretty impressive technical depth, I might add) and makes clear what you should already know. We are in the midst of another cold war. This war is not being fought with nuclear warheads, but computer malware. It’s not visible to most people – and, honestly, most people don’t really care. They should, because the new attacks could knock down our power grids, contaminate our water supplies, and basically cause chaos. You all know I’m no Chicken Little – and to be clear I sleep very well at night. I wasn’t even a glimmer in my parents’ eyes when the Cuban Missile Crisis brought us to the brink, but the ramifications of an all-out cyber conflict are similar. Plenty of folks have semantic issues with calling computers attacking each other ‘war’, because no one actually bleeds (directly). And I agree with that, somewhat. Cyber conflict won’t result in a mushroom cloud or tens of thousands vaporized in a split second (not yet anyway), but the potential for indirect damage is real. But to make the point again, I sleep well at night because as much as it hurts to know there are foreign nations in our most critical stuff (yes, APT, I’m talking about you), we are in their stuff as well. Stuxnet, anyone? What makes you think we aren’t in all the major systems of our potential adversaries? Right, that would be a bad assumption. So we have a good old-fashioned standoff. Another Cold War. Mutually assured destruction is a pretty good deterrent to anyone actually initiating a cyber conflict. Why do you think the APT doesn’t bother to cover its tracks? They want us to know they are there. Duh. Back in the days of the original Cold War, the private sector was engaged to improve our warheads, defend against enemy warheads (remember Star Wars?), and come up with other innovations to give us a snowball’s chance of surviving a nuclear conflict. In this Cold War, we have the private sector providing new weapons (read: malware) and new defenses (your very own security industry) to give us a snowball’s chance of surviving a cyber-conflict. HBGary is not unique in this pursuit. Not by a long shot. There are no white hats or black hats in this game. You need to play both offense and defense. And clearly the US does. We never got the opportunity to see any of the Beltway bandits’ mail spools during the last Cold War, but I suspect we’d be similarly nauseated. But with that nausea comes a sense of relief that the best and the brightest (including Greg Hoglund) are working to protect our interests. Now I understand these weapons can just as easily be used against us, but that has always been the case. So I guess my message is to grow up, people. National security (whatever that means) is a messy business. Share:

I think Rich may still be sleep deprived, but on the upside his recap did elicit my loudest laugh of the day. See if you can spot the sentence that caused it. Rich’s Recap I wish I had something witty and insightful to say about the first full day of RSA, but that would involve actually seeing more of the show than my own presentations and the insides of meeting rooms. And while it’s technically the first day of the conference, it’s my third day of entirely too much talking and walking. So here are a few crib notes. Started the day by noticing I was supposed to record a video for a presentation I hadn’t written yet. Resolved post-breakfast-meeting thanks to a convenient coffee shop. Good thing it was on EDRM… not like anyone is using it anyway. I really am starting to see some interesting cloud-specific security tools floating around out there. Yes, there are a bunch of companies that just converted their existing software into virtual appliances, but the ones building from the ground up for cloud are showing some nice innovation. Serious improvement over last year. Gave my DLP talk today. I’ve stared at the same damn DLP slides for so many years now that I just couldn’t bring myself to look at them again. So I shut them off and went commando. I may have freaked some people out. One dude was writing bullet points on a pad and holding them in front of his face. Seems like most people liked it. Maybe. That’s what I’ll tell myself as I try to fall asleep tonight. Had a cloud panel with the worst freaking title in history. Something like “Public and private sectors: why are agencies hesitant to adopt the cloud?” No, seriously, I’m not making this *&%^ up. I figured 2 people might show up, but the room was full and the panel went well. Turns out we had the CISO of eBay, a senior legal counsel for security and privacy at GE, a muckety-muck from NIST, and the CSO of Qualys. Tons of audience questions, many around all the sticky issues of using cloud with some semblance of control. Guess what folks – if you have developers with corporate credit cards, you’re in the cloud. Show floor is full of blinky lights. Loud dudes in suits talking. Free cars. Seriously. I guess security is big business. All this work junk is seriously impeding my ability to consume vast amounts of frothy beverages. Early bed tonight, mostly due to losing my voice and still having 3 presentations to go. –Rich Did you catch it? If not, here it is. A quote that shall live on in infamy (at least if I have anything to do with it): “So I shut them off and went commando. I may have freaked some people out.” I’d say that’s a safe assumption, Rich. Next up we have The Old Man, aka Mike Here are my observations from today: I’m getting old: There was a time I could drink all night and be productive during the day. But those days have passed. It’s getting harder to ramp up my partying, knowing I have a number of panels and even more meetings tomorrow. Yes, I’m old. And the blue-haired booth babes that a nobody vendor had in their booth annoyed me. What the hell? Get off my lawn! RSA is not the real world: I had a conversation with a bunch of investors and needed to remind them that the messaging and solutions pushed at us at RSA are not reflective of the real needs of the market. Not even close. But in the reality distortion field of the Moscone Center it’s easy to forget that most companies don’t even know how many devices they have. Shamans and snake oil salesmen: We don’t make decisions based on data, but generally through a leap of faith. Do you know if your IPS or AV really works? If you said either yes or no, you are wrong. You have no idea. You may have a hunch, but you don’t have the data to actually know. So anything you buy to address an issue is a leap of faith. If you can grok the philosophy of whoever is selling you stuff, then they are shamans. But those are few and far between. Unfortunately most are charlatans selling snake oil backed by ridiculous promises and hyperbole that prey upon the suckers born every minute. And there are plenty of them. This industry sucks at marketing: In tooling around the show floor, I realized the entire industry can’t market worth a crap. Nonstop technical jargon, with stupid parlor tricks like magicians, booth babes, and smoothies focused on standing out from the crowd. How about trying this on for size? Tell customers what you do in simple, problem oriented terms. Nobody gives a shit about the size of your widget or your blinky lights. Other random thoughts: I really shouldn’t be around people for a week straight. Thankfully I’m unarmed. If you are going to drink to excess, STFU before you say something stupid. Folks who can bust your stuff don’t need to tell you that – those who need to boast can look forward to reading their email spool on a torrent. I also decided that if we ever have a SecurosisCon, I will give a keynote in an Elvis suit. And on that note, I’d better go to sleep before someone gets hurt. –Mike That’s right. Stay out of Mike’s way or he will run you down with his walker. Let’s just hope he doesn’t throw out his hip. Again. Share:

It’s worth noting that even sleep-deprived Rich is surprisingly coherent. Rich While the RSA show technically doesn’t start until tomorrow, there’s still a heck of a lot going on. For myself, the worst is actually over. And by “the worst”, I mean there are even odds I will actually sleep tonight. It all started yesterday when we delivered the very first CCSK certification class for the Cloud Security Alliance. I learned three things in the process: Managing other analysts on a project sucks major @$$. We totally need 2 days to cover this content. Heck, with our current slide deck we could easily fill 3-4 days. Running 5 power strips to tables in the Moscone center costs $2,100. Most of that was $157/hr for the box to plug the power strips into. The room only cost $6K for the day. Methinks I have never been so violated in my life. The class went well and we learned a heck of a lot. We still have a ton of work to tune the content and package it, but it was awesome to spend a full day teaching folks and getting feedback, as opposed to the usual analyst stuff. I’m starting to think this “cloud” thing might be big. Today we ran the e10+ program for people with 10+ years in security. I thought we’d delve deeply into technical issues, but they were mostly interested in how to work within their own organizations and prioritize security. To be honest I’m far more comfortable with the pure tech side of things (despite being an analyst), but I do understand that once you hit a certain point in your career the soft skills are more important. One of my favorite bits from the panel was from Richard Bejtlich. He said one of the ways they determine their priorities is to figure out what the bad guys are looking for. I think I’m going to call this “Attacker Driven Data Classification”. It makes a lot of sense: if the bad guys are looking for something, and it isn’t a high priority for you, at minimum you should figure out why they want it. Other than that things are going well. We started showing off the Securosis Nexus, which we will make public fairly soon. With that, it’s time to go to bed. I have two sessions tomorrow (my big DLP presentation and another on cloud and government), plus way too many meetings. Prepping for RSA is always hard, and I hate being away from my family, but it is kind of nice to catch up with folks and be social once (or twice) a year. –Rich Next up, Adrian What’s new is new. Rich and Mike put together this year’s e10+ seminar at RSA. And like most panels that involve Securosis, there were a couple testy moments when some of the participants took exception to Richard Bejtlich’s assertion that compromised data is exposed to the world in greater quantity – with far more public access to the content – than ever before. Some of the audience members felt we were seeing the same attacks over and over, and the threats of today are no different than we saw in 1985. In fact they went so far as to say “the cloud” was not much more than publicly available mainframes. David Mortman wins a prize for his rebuttal: “Yeah, RACF rules!” All kidding aside, I have been in the industry almost that long, and I can say that in some ways this later assertion is true; we still suck at application security, and DoS, non-repudiation, and spoofing work pretty much the same way they did in 1985. How these attacks occur is new, as they exploit both new and old technologies in interesting ways. But the thrust of Richard’s comment is absolutely correct: The speed and quantity of exfiltration is unprecedented. Further, what’s very new is the ability to widely distribute data and make stolen data available for search and inspection. Ten years ago I could push stolen information to FTP servers and hacker sites, but it data was not really accessible to people who did not know where to look for it, or did not understand how to grep through blobs of multi-format data. Now we have Google to do it for us. So what’s old is new again, but in many cases it’s just freakin’ new. –Adrian And now for something completely different: Mike 1) We need toddlers, not Kenyans. No offense to Kenyans, but one of the things that became crystal clear at the e10+ sessions this morning was the disparity of needs between the early adopters of security technologies and everyone else. You see the vendors and talking heads spend all their time talking about strategies to do advanced security against serious adversaries. But most of the world can’t even do the simple n00b blocking and tackling to defeat script kiddies. So basically most of the RSA Conference will be focused on these advanced strategies, which have very little bearing on the vast majority of organizations. It’s like our industry is hiring Kenyans to run a marathon, while everyone else barely walks. Maybe we need schoolteachers. This capabilities gap might be the most significant issue we face as an industry. Yes, even more than APT or WikiLeaks. Now do two shots, because I said both the buzzword bingo keywords. 2) The perimeter is dead. Long live the perimeter: Besides the fireworks of Cisco and Palo Alto screaming at each other during my panel at the America’s Growth Capital conference, we covered some important ground. First off, the perimeter is not dead. But it needs to get a lot smarter and much more distributed. As more stuff moves to the cloud and video clogs our networks, we need to gain visibility and control, working the areas we know we can access. That means applications. The other resonating point was the reality that with the massive bandwidth consumed by video, we need to provide

This is a bit of a different post for me. One exercise in the CCSK Enhanced Class which we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance. There are a few different ways to do this but we decided on Trend Micro’s SecureCloud service for a couple reasons. First of all, setting it up is something we can handle within the time constraints of the class. The equivalent process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Finally, they offer a free 60-day trial. The downside is that I don’t like using a vendor-specific solution in a class since it could be construed as endorsement. So please keep in mind that a) there are other options, and b) the fact that we use the tool for the class doesn’t mean this is the best solution for you. Ideally we will rotate tools as the class develops. For example, Porticor is a new company focusing on cloud encryption, and Vormetric is coming out with cloud-focused encryption. I think one of the other “V” companies is also bringing a cloud encryption product out this week. That said, SecureCloud does exactly what we need for this exercise. Especially since it’s SaaS based, which makes setting it up in the classroom much easier. Here’s how it works: The SaaS service manages keys and users. There is a local proxy AMI you instantiate in the same availability zone as your main instances and EBS volumes. Agents for Windows Server 2008 or CentOS implement the encryption operations. When you attach a volume, the agent requests a key from the proxy which communicates with the SaaS server. Once you approve the operation the key is sent back to the proxy, and then the agent, for local decryption. The keys are never stored locally in your availability zone, only used at the time of the transaction. You can choose to manually or automatically allow key delivery based on a variety of policies. This does, for example, give you control of multiple instances of the same image connecting to the encrypted volume on a per-instance basis. Someone can’t pull your image out of S3, run it, and gain access to the EBS volume, because the key is never stored with the AMI. This is my preferred encryption model to teach – especially for enterprise apps – because it separates out the key management and encryption operations. The same basic model is the one most well-designed applications use for encrypting data – albeit normally at the data/database level, rather than by volume. I’ve only tested the most basic features of the service and it works well. But there are a bunch of UI nits and the documentation is atrocious. It was much harder to get this up and running the first time than I expected. Now for the meat. I’m posting this guide mostly for our students so they can cut and paste command lines, instead of having to do everything manually. So this is very specific to our class; but for the rest of you, once you run through the process you should be able to easily adjust it for your own requirements. Hopefully this will help fill the documentation gaps a bit… but you should still read Trend’s documentation, beacuse I don’t explain why I have you do all these steps. This also covers 2 of the class exercises because I placed some of the requirements we need later for encryption into the first, more basic, exercise: CCSK Enhanced Hands-on Exercises Preparation (Windows only) If you are a Windows user you must download an ssh client and update your key file to work with it. Download and run http://www.chiark.greenend.org.uk/~sgtatham/putty/latest/x86/putty-0.60-installer.exe. Go to Start > Program Files > PuTTY > PuTTYgen Click File, select *.*, and point it to your _name_.PEM key file. Click okay, and then Save Key, somewhere you will remember it. Download and install Firefox from http://mozilla.org. Create your first cloud server In this exercise we will launch our first AMI (Amazon Machine Image) Instance and apply basic security controls. Steps Download and install ElasticFox: http://aws.amazon.com/developertools/609?_encoding=UTF8&jiveRedirect=1. Log into the AWS EC2 Console: https://console.aws.amazon.com/ec2/home. Go to Account, then Security Credentials. Note your Access Keys. Direct link is https://aws-portal.amazon.com/gp/aws/developer/account/index.html. Click X.509 Certificates. Click Create a new Certificate. Download both the private key and certificate files, and save them where you will remember them. In Firefox, go to Tools > ElasticFox. Click Credentials, and then enter your Access Key ID and Secret Access Key. Then click Add. You are now logged into your account. If you do not have your key pair (not the certificate key we just created, but the AWS key you created when you set up your account initially) on your current system, you will need to create a new key pair and save a copy locally. To do this, click KeyPairs and then click the green button to create a new pair. Save the file where you will remember it. If you lose this key file, you will no longer be able to access the associated AMIs. Click Images. Set your Region to us-east-1. Paste “ami-8ef607e7” into the Search box. You want the CentOS image. Click the green power button to launch the image. In the New Instance(s) Tag field enter CCSK_Test1. Choose the Default security group, and availability zone us-east-1. Click Launch. ElasticFox will switch to the Instances tab, and your instance will show as Pending. Right-click and select Connect to Instance. You will be asked to open the Private Key File you saved when you set

It’s just a couple days until RSA Conference 2011. Is this your first time attending the security conference in San Francisco? Having attended for a few years now I can safely say that there are some things you should take into account before you show up. First of all, download the Securosis Guide to RSA 2011 (PDF) or (ePub). Next you need a plan. After you have completed registration, which I assume by this point you have, consider your options. When you arrive on site at the Moscone Center give yourself a good amount of time to get through registration and badge pickup. The conference folks manage a good job of processing people through, but there will be a lot of people. Give yourself enough time. Next up, what to see? There is far too much content to expect to see it all. As a result you need a plan for which talks to attend. RSA has a daily planner on its site that can help. This is a helpful resource, but it doesn’t entirely do it for me. I want something tailored to my interests. Thankfully, RSA has created a tool for that. Behold the personal scheduler! I should point out that you must be logged into the RSA Conference site to access that tool. So next ask yourself why you are coming to RSA. What are you there to learn? Or are you taking a break on the company dime? I know some of you are doing just that; I’ve seen it before. So be honest with yourself. Which tracks interest you? There are quite a few this year: Application and Development Business of Security Cloud Security (new for 2011) Cryptography Data Security Governance & Risk Compliance Hackers & Threats Hot Topics Industry Experts Law Policy & Government Professional Development Sponsor Case Studies Strategy & Architecture Technology Infrastructure (also new) Not to mention some great talks like these and programs like e10+ for more experienced attendees. That’s a lot to choose from, so I would suggest you do your homework and be sure to check into the talks before you arrive. It would be a shame to find that you’ve landed smack in the middle of an hour-long lecture on widgets when you’re more interested in grapple grommets. Then there is the shark tank: the convention floor. Sweet mother, this is one massive collection of vendors. All of them are hunting for your dollars. That’s the name of the game. They’re not all there just to hand out free t-shirts. These folks work for a living. Take some time to speak with them and get to know their products. You can show up in a suit and be swarmed, or conversely, dress down if you want to blend into the background. The most important thing to remember for the convention floor is to wear a comfortable pair of shoes. No, really. The first time I went to RSA my back was out of commission for several days afterwards. That said, enjoy your time at the conference and bring along your favourite headache remedy. After you’re done with the vendor parties don’t forget to show up for the Securosis Disaster Recovery Breakfast Thursday morning – and be sure to RSVP. Share:

With great pleasure we post the 2nd annual Securosis Guide to the RSA Conference, 2011 edition. Last year’s guide we built as an experiment, but it has now effectively become an encyclopedia of all things RSA. As you’ve been seeing all week, we list out our key themes and then break down each major section of the industry. In this complete version we include vendor lists for each section and a comprehensive vendor list (with URLs) for easy reference during the show. Rich summed it up best – it’s not really an RSA Guide, it’s more “What’s coming in the next year of security”, which happens to be published in time for RSA. Below are links to both PDF and ePub versions. I loaded the Guide onto my iPad this morning and it looks great, so you may want to do that as well (in iBooks you may need to select the PDF tab). Enjoy and tell your friends. It’s free. Let’s just hope it doesn’t show up verbatim in the World’s #1 Hacker’s next book. PDF version: Securosis-GuidetoRSAC2011.pdf ePub version: Securosis-GuidetoRSAC2011.epub PS: Vendors, if you are looking for a nice giveaway for one last blast to your prospect lists to give away all those valuable expo passes, feel free to distribute the Guide. No fees, no nothing. It’s our little Valentine’s Day gift to you. Share:

Security Management Compliance is still driving most of what happens from a management standpoint, which is why have a specific compliance section below. On the security management front, there was still plenty of activity in 2010. But most customers continued to feel the same way: underwhelmed. It’s still very hard to keep control of much of anything, which is problematic as the number of devices and amount of sensitive data grow exponentially. Good times. Good times. What We Expect to See There are a couple areas of interest at the show for security management: The (Not) Easy Button: Given the absolutely correct perspective of customers that security management is too complex, difficult, ponderous, and lots of other negative descriptors, we expect vendors to focus on ease of use for many of these security management tools (especially SIEM/Log Management). Don’t believe them. They continue to sell false hope. To be fair, the tools are much improved. Interfaces are better. User experience is tolerable. But it’s still not easy. 
So spend some time in the booth checking out interfaces. How you set up rules, analyze data, and generate reports. Make the demo dude go into excruciating detail on how things really get done with the tool. Remember, anything you select, you will need to live with. So do your homework and choose wisely. The next act for scanners: Vulnerability management is so 2005. But tack on some kind of cloud stuff and it’s, uh, 2007? The new new shiny object is configuration auditing/policy compliance. Which actually makes sense because you need to scrutinize the device to check for vulnerabilities, so why not just assess the configuration while you are at it. And just as with vulnerability scanning, the question will be whether you do it on-site or via a cloud service. Or both, because we expect most vendors to offer both. MSS comes of age: The good news is that folks finally realize it’s not novel to monitor firewalls or IPS themselves, and combined with consolidation of pretty much all the big players, this means MSS isn’t a big deal anymore. So the big vendors with big booths will be talking about their monitoring (and even management) services. If you still have 5 folks parsing firewall alerts, check out these offerings. At minimum it will be interesting to get a sense of how efficiently you do things internally. Just make sure you understand exactly what the service and support model is, because when alerts start firing you don’t want to be dialing the main number of a $100 billion telco. Start-up X, a Big IT company: Big IT, with its big management stacks and big professional services teams, will be at RSAC in force. Maybe they’ll even have a story for how all the crap they’ve bought over the past year makes Big IT finally relevant in the security space. You’ll see HP and IBM (and EMC and Cisco and Juniper) in 5-6 different booths each, because companies they acquired had already committed to exhibit in this year’s show. They should have one of those passport programs, just to make sure you visit all their booths to win an iPad or something like that. Compliance Compliance isn’t merely a major theme for the show, it’s also likely the biggest driver of your security spending. But that doesn’t mean folks don’t want to minimize the cost and hassle of compliance, so scope reduction will be a major theme that we hear throughout the show. While there’s no such thing as a compliance solution, many security technologies play major roles in helping achieve and maintain compliance. What We Expect to See With compliance we will see a mix of regulation-focused messages and compliance-specific technologies: PCI & Tokenization: The Payment Card Industry Data Security Standard (PCI-DSS) is the single regulation that generates the most attention, and a lot of the growth for security and compliance spending. And frankly, especially within the retail and finance verticals, companies are looking to reduce costs and minimize PCI audits. It’s viewed as little more than a tax on the business so they want to at least reduce — if not eliminate — the expense. At the show this year, we expect you’ll hear and see a lot about tokenization. This approach substitutes credit card numbers stored at a merchant site with a harmless, well, token. It only represents the credit card transaction, so a stolen token cannot be used to commit fraud. At the show, focus on the sessions where savvy users talk about how they reduce the scope of PCI audits along with the associated costs of securing credit card data using this approach. While only a handful of tokenization vendors will be at the show, many of the payment processors have partnered with technology providers to offer tokenization as a managed service. Expect to see plenty of interest and discussion on this topic, and long lines at select vendor booths. There’s an App for That: Expect to see vendors offer neat iPhone and iPad apps for their management and reporting products. Sure, reports and dashboards are popular with vendors because they bring the eye candy sales teams want to demonstrate product value. But what’s cooler than a fancy dashboard? A fancy new iPhone. Put the two together and it’s like two great eye-candies that go great together! It’s going to be a big hit. Not just because anyone really wants to take that FISMA report with them in their pocket; it’s because IT, sales, and marketing all secretly lust after the new toy. It’s the thought of catching a spring training game while configuring SIEM policies. Does it make you more productive? Maybe. But having your IT products running on the toy justifies the purchase of both. Yeah, anywhere, anytime access is pretty cool too, but it’s like getting two for one. Expect to see this everywhere! GRC Oopsie: Last year we expected to see a lot of collateral about GRC: Governance, Risk, and Compliance. And we

We keep pretty busy schedules at RSA every year. But the good news is we do a number of speaking sessions and make other appearances throughout the week. Here is where you can find us: Speaking Sessions DAS-106: Everything You Ever Wanted to Know about DLP – Rich (Tuesday, Feb 15, 1pm) CLD-108: Private and Government Sectors: Why are Agencies Hesitant to Adopt Cloud? – Rich moderates (Tuesday, Feb 15, 3:40pm) DAS-203: Cutting through the Data Loss Prevention Confusion: DLP Myths Busted – Rich (Wednesday, Feb 16, 11:10am) P2P-203A: Evolving Perimeter(s): Protecting the Stuff That’s Really Important – Mike (Wednesday, Feb 16, 11:10am) BUS-303: Putting the Fun in Dysfunctional – How the Security Industry Really Works – Rich and Mike (Thursday, Feb 17, 11:10am) AND-304: Agile Development, Security Fail – Adrian (Thursday, Feb 17, 1pm) EXP-402: Cloudiquantanomidatumcon: The Infra/Info-Centric Debate in the Cloud – Rich and Chris Hoff (Friday, Feb 18, 10:10am) Other Events e10+: Rich and Mike are the hosts and facilitators for the RSA Conference’s e10+ program targeting CISO types. That’s Monday morning from 8:30 to noon. America’s Growth Capital Conference: Mike will be moderating a panel on the future of network security at the AGC Conference with folks from Cisco, Juniper, Palo Alto, Packet Motion, and Fidelis. This session is Monday at 2:15pm. Security Blogger Meet up: Securosis will be at the 4th annual Security Blogger Meet up at the classified location. You need to have a blog and be pre-registered to get in. Disaster Recovery Breakfast: Once again this year Securosis will be hosting the Disaster Recovery Breakfast on Thursday, Feb 17 between 8 and 11 with help from our friends at Threatpost and Schwartz Communications. RSVP and enjoy a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up. Holding court at the W: If you are up for late night hijinx – and like to laugh at stumbling, bumbling security industry folks – show up at the W’s lobby bar after the parties break up. It’s always a good time and you are very likely to see one or all of us Securosis folks there getting into trouble. And accepting drink donations. Fortinet Panels: Mike will also be moderating the Security Mythbusting: Blowing up the Security Hype panels at Fortinet’s booth (#923) Tuesday and Wednesday from 1:30-2pm. Travel safe and we’ll see you at RSA… Share:

When we say application security, for we generally mean web application security. We probably could have cheated and simply reposted last year’s guide to application security and still been close. Yes, application security is still a nascent market. Last year the focus was anti-exploitation to prevent code injection attacks, and the value provided by integrating assessment and web application firewall technologies. While the threats remain the same, there are some new twists which deserve attention. What We Expect to See Code Review Services: Strapping security onto the network layer and hoping it catches your application vulnerabilities is a band-aid at best, and companies that produce applications know this. With HP’s acquisition of Fortify a few months ago, Microsoft’s announcement of Attack Surface Analyzer, and IBM’s acquisition of Ounce Labs in 2009, it’s clear that the world’s major software providers know this as well. And they are looking to capitalize on the movement. Third party source code review services are on the rise, and most web development teams now use either white-box or black-box testing in their certification processes. “Building security in” is an increasingly common mantra for development teams, and there is tremendous opportunity to sell security products and services into this nascent market. Most development teams are just now learning about secure coding techniques, threat modeling, and how to build unit-based security tests to run alongside their functional tests. We expect to see many vendors offering tools, education, and services that foster secure code everywhere from design to post-deployment. Not just pre-and-post deployment checkers and firewalls, but security offerings for every single step in the development lifecycle. Buyer Shift: “What?” you say. I am not selling to the IT manager? Not here you are not. IT plays a part, but the buying center is shifting to the development team for web application security technologies. And that’s a very different conversation, with a much different set of requirements and use cases the vendor needs to address. OWASP As the Guiding Light: Publicity concerning application security issues is growing. OWASP — the Open Web Application Security Project — provides a Top 10 list of the most common threats to applications. And it’s a good rundown of sneaky, underhanded tricks attackers use to compromise web applications for fun and profit. Even better, it’s backed by measurable statistics so it’s not all conjecture and innuendo. This list is driving many companies’ marketing campaigns, and the alignment of their service offerings as well. How well any given vendor protects applications from these threats is open for debate, but the fact that they are responding to the most common threat vectors we see today is very good news. Web application vulnerabilities represent a significant threat to organizations as web services are an integral part of business operations, and the push for more SaaS and cloud based services means attackers have an increasing number of potential targets. As if you haven’t had enough cloud on a stick, up next are our thoughts on endpoint security, and then virtualization and cloud security in the RSA Guide. I know, you can’t wait. Share:

2010 was a fascinating year for cloud computing and virtualization. VMWare locked down the VMSafe program, spurring acquisition of smaller vendors in the program with access to the special APIs. Cloud computing security moved from hype to hyper-hype at the same time some seriously interesting security tools hit the market. Despite all the confusion, there was a heck of a lot of progress and growing clarity. And not all of it was from the keyboard of Chris Hoff. What We Expect to See For virtualization and cloud security, there are four areas to focus on: Innovation cloudination: For the second time in this guide I find myself actually excited by new security tech (don’t tell my mom). While you’ll see a ton of garbage on the show floor, there are a few companies (big and small) with some innovative products designed to help secure cloud computing. Everything from managing your machine keys to encrypting IaaS or SaaS data. These aren’t merely virtual appliance versions of existing hardware/software, but ground-up, cloud-specific security tools. The ones I’m most interested in are around data security, auditing, and identity management. Looking SaaSy: Technically speaking, not all Software as a Service counts as cloud computing, but don’t tell the marketing departments. But this is another area that’s more than mere hype- nearly every vendor I’ve talked with (and worked with) is looking at leveraging cloud computing in some way. Not merely because it’s sexy, but since SaaS can help reduce management overhead for security in a bunch of ways. And since all of you already pay subscription and maintenance licenses anyway, pure greed isn’t the motivator. These offerings work best for small and medium businesses, and reduce the amount of equipment you need to maintain on site. They also may help with distributed organizations. SaaS isn’t always the answer, and you really need to dig into the architecture, but I’ve been pleasantly surprised at how well some of these services can work. VMSafe cracking: VMWare locked down its VMSafe program that allowed security vendors direct access to certain hypervisor functions via API. The program is dead, except the APIs are maintained for any existing members in the program. This was probably driven by VMWare wanting to control most of the security action, and they forced everyone to move to the less-effective VShield Zones system. What does this mean? Anyone with VMSafe access has a leg up on the competition, which spurred some acquisitions. Everyone else is a bit handcuffed in comparison, so when looking at your private cloud security (on VMware) focus on the fundamental architecture (especially around networking). Virtual appliances everywhere: You know all those security vendors that promoted their amazing performance due to purpose-built hardware? Yeah, now they all offer the same performance in virtual (software) appliances. Don’t ask the booth reps too much about that though or they might pull a Russell Crowe on you. On the upside, many security tools do make sense as virtual appliances. Especially the ones with lower performance requirements (like management servers) or for the mid-market. We guarantee your data center, application, and storage teams are looking hard at, or are already using, cloud and virtualization, so this is one area you’ll want to pay attention to despite the hype. And that’s it for today. Tomorrow will wrap up with Security Management and Compliance, as well as a list of all the places you can come heckle me and the rest of the Securosis team. And yes, Mike will be up all night assembling this drivel into a single document to be posted on Friday. Later… Share: