Securosis

Doing Well by Doing Good (and Protecting the Kids)

My kids are getting more sophisticated in their computer usage. I was hoping I could put off the implementation of draconian security controls on their computers for a while, more because I’m lazy and it will dramatically increase the amount of time I spend supporting the in-house computers. But hope is not a strategy, my oldest will be 10 this year, and she is curious – so it’s time.

The first thing I did was configure the Mac’s Parental Controls on the kids’ machine. That was a big pile of fail. Locking down email pretty much put her out of business: all her email went to me, even when I whitelisted a recipient. The web whitelist didn’t work very well either. The time controls worked fine, but I don’t need those because the computer is downstairs. So I turned off Apple’s Parental Controls.

I did some research into the parental control options out there. There are commercial products that work pretty well, as well as some free stuff (Blue Coat’s K9 web filter seems to be highly regarded) that is useful. But surprisingly enough I agree with Ed over at SecurityCurve: Symantec is doing a good job with the family security stuff. They not only have a lot of educational material on their site for kids of all ages, but also offer a service called Norton Online Family. It’s basically an agent you install on your PCs or Macs that controls web browsing and email, and can even filter outbound traffic to make sure private information isn’t sent over the wire. You set the policies through an online service and can monitor activity through the web site. It’s basically centralized security and management for all your family computers. That’s a pretty good idea, and from what I’ve seen it works well. I haven’t tightened the controls yet to the point of soliciting squeals from the constituents, but so far so good.

But it does raise the question of why a company like Symantec would offer something like this for free. It’s not like companies like NetNanny aren’t getting consumers to pay $40 for the same stuff. Ultimately it’s about both doing the right thing in eliminating any cost barrier to protecting kids online, and building the Big Yellow brand. Consumers have a choice with their endpoint security. Yes, the yellow boxes catch your eye in the big box retailers, but ultimately the earlier they get to kids and imprint their brand onto malleable brains, the more likely they are to maintain a favorable place there. My kids see a big orange building and think Home Depot. Symantec hopes they see a yellow box and think Symantec and Internet Security. Though more likely they will think: that’s the company that doesn’t let me surf pr0n. As cynical as I am, I join Ed in applauding Symantec, Blue Coat, and all the other companies providing parental control technology without cost.


Incite 6/16/2010: Fenced in

I spent last weekend at my 20th college reunion. I dutifully flew into Ithaca, NY to see many Cornell friends and (fraternity) brothers. It was a great trip, but I did have an experience that reminded me I’m no spring chicken any more. I guess I could consider the unbelievable hangover I had on Saturday morning as the first indication that I can’t behave like a 20-year-old and expect no consequences. But it gets better. We were closing da Palms on Saturday night and an undergrad called me over because he had about 3/4 of a pitcher left and graciously asked for some help. I scurried over (because who turns down free beer?) and we started chatting. So he asked me, “When did you graduate?” I responded that I was Class of 1990. He looked at me cross-eyed and I figured he was just respecting my beer drinking prowess. Not so much. He then said, “Wow. I was born in 1989.” Uh. This kid was crapping his pants when I graduated from college. I literally have T-shirts that are older than this guy. That put everything into perspective: 20 years is a long time. Of course the campus has changed a lot as well. Lots more buildings, but the biggest change was the ever-present fences. In the last year, there have been numerous suicides on campus. It’s actually very sad that kids today can’t deal with the pressure and have no perspective that whatever it is, and however hard it feels, it will pass. So they jump off any number of bridges overlooking Ithaca’s beautiful gorges. Splat. So the Cornell administration figured one way to stop the jumpers is to put 10-foot-high fences on all the bridges. It now looks more like a detainment camp than an Ivy League university. That’s sad too. Cornell is one of the most beautiful places I’ve ever been. Now not so much. It’s still a campus, it just feels different. Being the engineers many of my friends are, we tried to come up with better solutions. 
The ideas (after a number of beers, as I recall) ranged from a big airbag on the bottom of the gorge to a high speed blower to keep the jumper suspended in air (like those Vegas rides). We also talked about nets and other ideas, of course none really feasible. I guess I’ll just have to become accustomed to the fences, and remember how things were. With the understanding that like my ability to recover quickly from a night of binge drinking, some things are destined to stay in the past. – Mike.

Photo credits: “Fenced In” originally uploaded by Mike Rothman

Incite 4 U

Getting to know your local Hoover – No, this isn’t about vacuums, but about getting to know your local law enforcement personnel. It seems the FBI is out there educating folks about how and when to get them involved in breaches. The Bureau is also taking a more proactive stance in sharing information with the financials and other corporates. All this is good stuff, and a key part of your incident response plan needs to be interfacing with law enforcement. So defining your organization’s rules of engagement sooner rather than later is a good thing. – MR

String theory – Kelly Jackson Higgins had the most interesting post of the past week, covering Dan Kaminsky’s announcement of Interpolique. Actually, the story is mostly a pre-announcement for Dan’s Black Hat presentation in Vegas later this summer, but the teaser is intriguing. The tool that Kaminsky is describing would automatically format code – with what I assume is some type of pre-compiler – making it far more difficult to execute injected code via string variables. The only burden on the developer would be to define strings in such a way that the pre-compiler recognizes them and corrects the code prior to compilation/execution. That and remembering to run the tool. This is different from something like Arxan, which acts like a linker after compilation. Philosophically both approaches sound like good ideas. But Interpolique should be simpler to implement and deploy, especially if Recursion Ventures can embed the technology into development environments. Dan is dead right that “string-injection flaws are endemic to the Web, cross all languages” – the real question is whether this stops injection attacks across all languages. I guess we have to wait until Black Hat to find out. – AL

Hatfields and McCoys, my ass – Evidently there is a feud between Symantec and McAfee. I guess a VP shot another VP and now the clans have been at war for generations. Computer security changes fundamentally every couple of years. And fervent competition is always a good thing for customers. Prices go down and innovation goes up. But to say the AV market is a two-horse race seems wrong. To get back to the Coke vs. Pepsi analogy used in this story, in this market Dr. Pepper and 7Up each have a shot because some customers decide they need a fundamentally different drink. Security is about much more than just the endpoint, and if the Hatfields or McCoys take their eyes off the Microsofts and the HPs, they will end up in the annals of history, like the DECs and the Wangs. – MR

Speed may kill – Sophos is hoping that the security industry has a short memory. They just announced a ‘Live Protection’ offering in their endpoint suite that uses a cloud service to push signature updates. Right, that’s not novel, but they are using speed as the differentiator. So you can get real-time updates. Of course that assumes you won’t have a Bad DAT(e) try to slip your devices a roofie that renders them useless. Needless to say, there is a bunch of marketing hocus-pocus going on here, since Sophos is also talking about their speed gain resulting from not pushing full signature updates, but doing some analysis in the cloud. Ah, calling Dr. Latency – this is something
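As an added illustration of the string-injection problem the String theory item refers to (this is my own example, not Interpolique and not code from the original post), here is the endemic pattern next to the standard fix, bound parameters, using Python’s built-in sqlite3 driver over a constructed three-row table. The table, user names and passwords are made up for the example.

```python
import sqlite3

# Constructed sample table (not real credentials); plaintext passwords only
# so the injection effect is easy to see.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
    ("carol", "letmein", "user"),
]


def make_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The endemic pattern: untrusted strings spliced into the statement text,
    so the database parser sees attacker input as SQL syntax."""
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s' "
        "ORDER BY name" % (name, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Same query with bound parameters: values travel separately from the
    statement, so input can never change its structure."""
    query = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name, password))]


def demo():
    """Run a legitimate login and two classic payloads through both versions."""
    conn = make_db()
    tautology = "' OR '1'='1"     # turns the WHERE clause into ... OR '1'='1'
    comment_out = "alice' --"     # closes the string and comments out the rest
    return {
        "legit_vuln": login_vulnerable(conn, "bob", "hunter2"),
        "legit_safe": login_safe(conn, "bob", "hunter2"),
        "tautology_vuln": login_vulnerable(conn, "bob", tautology),
        "tautology_safe": login_safe(conn, "bob", tautology),
        "bypass_vuln": login_vulnerable(conn, comment_out, "wrong"),
        "bypass_safe": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print("%-15s %s" % (case, rows))
```

The vulnerable version returns every user for the tautology payload and logs “alice” in with a wrong password for the comment payload; the parameterized version returns nothing for both, because the same bytes arrive as an opaque password value rather than as syntax. Whatever Interpolique turns out to do at the language level, that is the property any injection defense has to deliver.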


Take Our Data Security Survey & Win an iPad

One of the biggest problems in security is that we rarely have a good sense of which controls actually improve security outcomes. This is especially true for newer areas like data security, filled with tools and controls that haven’t been as well tested or widely deployed as things like firewalls. Thanks to all the great feedback you sent in on our drafts, we are happy to kick off our big data security survey. This one is a bit different than most of the others you’ve seen floating around, because we are focusing more on effectiveness (technically, perceived effectiveness) of controls rather than losses & incidents. We do have some incident-related questions, but only what we need to feed into the effectiveness results. As with most of our surveys, we’ve set this one up so you can take it anonymously, and all the raw results (anonymized, in spreadsheet format) will be released after our analysis.

Since we have a sponsor for this one (Imperva), we actually have a little budget and will be giving away a 32GB WiFi iPad to a random participant. You don’t need to provide an email address to take the survey, but you do if you want the iPad. If we get a lot of respondents (say over 200) we’ll cough up for more iPads so the odds stay better than the lottery.

Click here to take the survey, and please spread the word. We designed it to only take 10-20 minutes. Even if you aren’t doing a lot with data security, we need your responses to balance the results.

With our surveys we also use something called a “registration code” to keep track of where people found out about it. We use this to get a sense of which social media channels people use. If you take the survey based on this post, please use “Securosis”. If you re-post this link, feel free to make up your own code and email it to us, and we will let you know how many people responded to your referral – get enough and we can give you a custom slice of the data. Thanks! Our plan is to keep this open for a few weeks.


Top 5 Security Tips for Small Business

We in the security industry tend to lump small and medium businesses together into “SMB”, but there are massive differences between a 20-person retail outlet and even a 100-person operation. These suggestions are specifically for small businesses with limited resources, based on everything we know about the latest threats and security defenses. The following advice is not conditional – there really isn’t any safe middle ground, and these recommendations aren’t very expensive. They are designed to limit the chance you will be hit with attacks that compromise your finances or ability to continue business operations, and we’re ignoring everything else:

1. Update all your computers to the latest operating systems and web browsers – this is Windows 7 or Mac OS X 10.6 as of this writing. On Windows, use at least Internet Explorer 8 or Firefox 3.6 (Firefox isn’t necessarily any more secure than the latest versions of IE). On Macs, use Firefox 3.6. Most small businesses struggle with keeping malware off their computers, and the latest operating systems are far more secure than earlier versions. Windows XP is nearly 10 years old at this point – odds are most of your cars are newer than that.

2. Turn on automatic updates (Windows Update, or Software Update on Mac) and set them to check and automatically install patches daily. If this breaks software you need, find an alternative program rather than turning off updates. Keeping your system patched is your best security defense, because most attacks exploit known vulnerabilities. But since those vulnerabilities are converted to attacks within hours of becoming public (when the patch is released, if not earlier), you need to patch as quickly as possible.

3. Use a dedicated computer for your online banking and financial software. Never check email on this system. Never use it to browse any web site except your bank. Never install any applications other than your financial application. You can enforce this by setting up a non-administrative user account and then setting parental controls to restrict what web sites it can visit. Cheap computers are $200 (for a new PC) and $700 (for a new Mac mini), and this blocks the single most common method for bad guys to steal money from small businesses, which is compromising a machine and then stealing credentials via a software key logger. Currently, the biggest source of financial losses for small business is malicious software sniffing your online bank credentials, which are then used to transfer funds directly to money mules. This is a better investment than any antivirus program.

4. Arrange with your bank to require in-person or phone confirmation for any transfers over a certain amount, and check your account daily. Yes, react faster is applicable here as well. The sooner you learn about an attempt to move money from your account, the more likely you’ll be able to stop it. Remember that business accounts do not have the same fraud protections as consumer accounts, and if someone transfers your money out because they broke into your online banking account, it is very unlikely you will ever recover the funds.

5. Buy backup software that supports both local and remote backups, like CrashPlan. Back up locally to hard drives, and keep at least one backup for any major systems off-site but accessible. Then subscribe to the online backup service for any critical business files. Remember that online backups are slow and take a long time to restore, which is why you want something closer to home. Joe Kissell’s Take Control of Mac OS X Backups is a good resource for developing your backup strategy, even if you are on Windows 7 (which includes some built-in backup features). Hard drives aren’t designed to last more than a few years, and all sorts of mistakes can destroy your data.

Those are my top 5, but here are a few more:

Turn on the firewalls on all your computers. They can’t stop all attacks, but they do reduce some risks, such as another computer on the network (which might just mean in the same coffee shop) being compromised by bad guys, or someone connecting an infected computer (like a personal laptop) to the network.

Have employees use non-administrator accounts (standard users) if at all possible. This also helps limit the chances of those computers being exploited, and if they are, will limit the damage from the exploitation.

If you have shared computers, use non-administrator accounts and turn on parental controls to restrict what can be installed on them. If possible, don’t even let them browse the web or check email (this really depends on the kind of business you have; if employees complain, buy an iPad or a spare computer that isn’t needed for business and isn’t tied to any other computer). Most exploits today are through email, web browsing, and infected USB devices – this helps with all three.

Use an email service that filters spam and viruses before they actually reach your account.

If you accept payments/credit cards, use a service and make sure they can document that their setup is PCI compliant, that card numbers are encrypted, and that any remote access they use for support has a unique username and password that is changed every 90 days. Put those requirements into the contract. Failing to take these precautions makes a breach much more likely.

Install antivirus from a major vendor (if you are on Windows). There is a reason this is last on the list – you shouldn’t even think about this before doing everything else above.


Need to know the time? Ask the consultant.

You all know the story. If you need to know the time, ask the consultant, who will then proceed to tell you the time from your own watch. We all laugh, but there is a lot of truth in this joke – as there usually is. Consultants are a necessary evil for many of us. We don’t have the leeway to hire full time employees (especially when Wall Street is still watching employee rolls like hawks), but we have too much work to do. So we bring in some temporary help to get stuff done. I’ve been a consultant, and the Securosis business still involves some project-oriented work. The problem is that most organizations don’t utilize their consultants properly.

My thinking was triggered by a post on infoseccynic.com from 2009 (hat tip to infosecisland) that discusses the most annoying consultants. It’s easy to blame the consultant when things go wrong, and sometimes they are to blame. You tend to run into the dumb, lame, and lazy consultants; and sometimes it’s too late before you realize the consultant is taking you for a ride. Each of the profiles mentioned in the annoying consultant post is one of those. They waste time, they deliberate, and they ride the fence because it usually ends up resulting in more billable hours for them. Having been on both sides of the fence with consultants, here are a few tips to get the most out of temporary resources.

Scope tightly – Like it or not, consultants need to be told what to do. Most project managers suck at that, but then get pissed when the consultant doesn’t read their minds. Going into any project: have a tight scoping document, and a process for changes.

Fixed price – Contracting for a project at a fixed cost will save you a lot of heartburn. There is no incentive for the consultant to take more time if they are paid the same whether the project takes 5 hours or 10. And if you have specified a process for changes, then there are no surprises if/when the scope evolves.

Demand accountability – This gets back to Management 101. Does the consultant do a weekly or daily status report (depending on the project)? Do you read them the riot act when they miss dates? Some consultants will take you for a ride, but only if you let them.

Change the horse – Many project managers are scared to get rid of an underperforming consultant. One of the reasons you got temporary help in the first place is to avoid HR issues if it doesn’t work out. Make sure you have a clear ‘out’ clause in the contract, but if it isn’t working, don’t waste time deliberating – just move on.

Pay for value – Some folks have very specialized skills and those skills are valuable. But the best folks in the world demand a premium because they’ll get the job done better and faster than someone else. Don’t be penny wise and pound foolish. Get the right person and let them do the work – you’ll save a lot in the long term.

Be accountable – Ultimately the success (or failure) of any project lies at the feet of the project manager. It’s about proper scoping, lining up executive support, working the system, lining up the resources, and getting the most out of the project team. When things go wrong, ultimately it’s the project manager’s fault. Don’t point fingers – fix the problem.

So go back and look at the annoying consultant profiles mentioned in the post above. If any of those folks are on your project teams, man (or woman) up and take care of business. As I’ve said a zillion times over the years, I’m not in the excuses business. Neither are you. Consultants are a necessary evil, but they can be a tremendous resource if utilized effectively.


If You Had a 3G iPad Before June 9, Get a New SIM

If you keep up with the security news at all, you know that on June 9th the email addresses and the device ICC-ID for at least 114,000 3G iPad subscribers were exposed. Leaving aside any of the hype around disclosure, FBI investigations, and bad PR, here are the important bits:

We don’t know if bad guys got their hands on this information, but it is safest to assume they did.

For most of you, having your email address potentially exposed isn’t a big deal. It might be a problem for some of the famous and .gov types on the list.

The ICC-ID is the unique code assigned to the SIM card. This isn’t necessarily tied to your phone number, but it turns out there are trivial ways to convert the ICC-ID into the IMSI here in the US, according to Chris Paget (someone who knows about these things). The IMSI is the main identifier your mobile operator uses to identify your phone, and is tied to your phone number. If you know an IMSI, and you are a hacker, it greatly aids everything from location tracking to call interception. This is a non-trivial problem, especially for anyone who might be a target of an experienced attacker, like all you .gov types. You don’t make phone calls on your iPad, but any other 3G data is potentially exposed, as is your location. Everything you need to know is in this presentation from the Source Boston conference by Nick DePetrillo and Don Bailey: http://www.sourceconference.com/bos10pubs/carmen.pdf

Realistically, very few iPad 3G owners will be subject to these kinds of attacks, even if bad guys accessed the information, but that doesn’t matter. Replacing the SIM card is an easy fix, and I suggest you call AT&T and request a new one.


Friday Summary: June 11, 2010

This Monday’s FireStarter prompted a few interesting behind-the-scenes conversations with a handful of security vendors centering on product strategy in the face of the recent acquisitions in Database Activity Monitoring. The questions were mostly around the state of the database activity monitoring market, where it is going, and how the technology complements and competes with other security technologies. But what I consider a common misconception came up in all of these exchanges, having to do with the motivation behind Oracle’s and IBM’s recent acquisitions. The basic premise went something like: “Of course IBM and Oracle made investments into DAM – they are database vendors. They needed this technology to secure databases and monitor transactions. Microsoft will be next to step up to the plate and acquire one of the remaining DAM vendors.”

Hold on. Not so fast! Oracle did not make these investments simply as a database vendor looking to secure its database. IBM is a database vendor, but that is more coincidental to the Guardium acquisition than a direct driver for their investment. Security and compliance buyers are the target here. That is a different buying center than for database software, or just about any hardware or business software purchases. I offered the following parallel to one vendor: if these acquisitions are the database equivalent of SIEM monitoring and auditing the network, then that logic implies we should expect Cisco and Juniper to buy SIEM vendors, but they don’t. It’s more the operations and security management companies who make these investments. The customer of DAM technologies is the operations or security buyer. That’s not the same person who evaluates and purchases database and financial applications. And it’s certainly not a database admin! The DBA is only an evaluator of efficacy and ease of use during a proof of concept.

People think that Oracle and IBM, who made splashes with the Secerno and Guardium purchases, were the first big names in this market, but that is not the case. Database tools vendor Embarcadero and security vendor Symantec both launched and folded failed DAM products long ago. Netezza is a business intelligence and data warehousing firm. Fortinet describes themselves as a network security company. Quest (DB tools), McAfee (security) and EMC (data and data center management) have all kicked the tires at one time or another because their buyers have shown interest. None of these firms are database vendors, but their customers buy technologies to help reduce management costs, facilitate compliance, and secure infrastructure. I believe the Guardium and Secerno purchases were made for operations and security management. It made sense for IBM and Oracle to invest, but not because of their database offerings. These investments were logical because of their other products, because of their views of their role in the data center, and thanks to their respective visions for operations management. Ultimately that’s why I think McAfee and EMC need to invest in this technology, and Microsoft doesn’t.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Adrian’s Dark Reading post: Massachusetts Data Privacy Standard: Comply Or Not?
Rich quoted in Entrepreneur Magazine.
Mike quoted in Information Security Magazine.
Adrian quoted in Open Source Databases Pose Unique Security Challenges.
Rich, Zach, and Martin on episode 200 of the Network Security Podcast.

Favorite Securosis Posts
Rich: Draft Data Security Survey for Review. It’s been a weird week over here, as all of our posts were nuts and bolts for various projects. I got some great feedback on this draft survey, with a few more comments I need to post, but it could also use more review if any of you have the time.
Mike Rothman: FireStarter: Get Ready for Oracle’s New WAF. Oracle has a plan. But it’s a secret. Speculating about it is fun.
David Mortman: FireStarter: Get Ready for Oracle’s New WAF. Welcome, Oracle, to the first WAFs club.
Adrian Lane: One of our meatier Quant Posts: Configure.

Other Securosis Posts
Incite 6/9/2010: Creating Excitement.
Draft Data Security Survey for Review.
Friday Summary: June 4, 2010.

Favorite Outside Posts
Rich: Why sensible people reject the truth. While it isn’t security specific, this article from New Scientist discusses some of the fascinating reasons people frequently reject science and facts which conflict with their personal beliefs. As security professionals our challenges are often more about understanding people than technology.
Mike Rothman: Not so much an “E” ticket. Magical ideas about how TSA can be more Mouse-like from Shrdlu.
David Mortman: Google Changed Reputation and Privacy Forever.
Adrian Lane: Raffael Marty wrote a really good post on Maturity Scale for Log Management and Analysis.

Project Quant Posts
DB Quant: Secure Metrics, Part 4, Shield.
DB Quant: Secure Metrics, Part 3, Restrict Access.
DB Quant: Secure Metrics, Part 2, Configure.
DB Quant: Secure Metrics, Part 1, Patch.
NSO Quant: Monitor Process Map.
DB Quant: Discovery Metrics, Part 4, Access and Authorization.

Research Reports and Presentations
White Paper: Endpoint Security Fundamentals.
Understanding and Selecting a Database Encryption or Tokenization Solution.
Low Hanging Fruit: Quick Wins with Data Loss Prevention.

Top News and Posts
Microsoft, Apple Ship Security Updates via Brian Krebs.
Mass SQL Injection Attack from our friends over at Threatpost.
Good advice: Three things to harden OpenSSH on Linux.
Is correlation killing the SIEM market?
Windows Help Centre Vuln and some commentary on disclosure.
Digital River sues over data breach.
IT lesson from BP disaster.
AT&T leaked iPad Owner Data. This one correctly points out that it’s an AT&T breach, rather than pretending it was an Apple problem to scare up traffic.

Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. Usually when a comment starts with “This is a terrific idea” it gets deleted as blog spam, but not this week, as the best comment goes to DMcElligott, in response to Rich’s Draft Data Security Survey for Review.

This is a terrific idea. I am very curious about the results you see from this. My suggestions: In the regulation questions


Insider Threat Alive and Well

Is it me or has the term “insider threat” disappeared from the security marketing vernacular? Clearly insiders are still doing their thing. Check out a recent example of insider fraud at Bank of America. The perpetrator was a phone technical support rep, who would steal account records when someone called for help. Awesome. Of course, the guy got caught. Evidently trying to sell private sensitive information to an undercover FBI agent is risky. It is good to see law enforcement getting ahead of some issues, but I suspect for every one of these happy endings (since no customers actually lost anything) there are hundreds who get away with it. It’s a good idea to closely monitor your personal banking and credit accounts, and make sure you have an identity theft response plan. Unfortunately it’s not a question of if, but when, it happens to you.

Let’s put our corporate security hats back on and remember the reality of our situation. Some attacks cannot be defended against – not proactively, anyway. This crime was committed by a trusted employee with access to sensitive customer data. BofA could not do business without giving folks access to sensitive data, so locking down the data isn’t an answer. It doesn’t seem he used a USB stick or any other technical device to exfiltrate the data, so there isn’t a specific technical control that would have made a difference. No product can defend against an insider with access and a notepad. The good news is that insiders with notepads don’t scale very well, but that gets back to risk management and spending wisely to protect the most valuable assets from the most likely attack vectors. So even though the industry isn’t really talking about insider threats much anymore (we’ve moved on to more relevant topics like cloud security), fraud from insiders is still happening and always will. Always remember there is no 100% security, so revisit that incident response plan often.


Understanding and Selecting SIEM/LM: Reporting and Forensics

Reporting and Forensics are the principal products of a SIEM system. We have pushed, prodded, and poked at the data to get it into a manageable format, so now we need to put it to use. Reports and forensic analysis are the features most users work with on a day to day basis. Collection, normalization, correlation and all the other things we do are just to get us to the point where we can conduct forensics and report on our findings. These features play a big part in customer satisfaction, so while we’ll dig in to describe how the technology works, we will also discuss what to look for when making buying decisions. Reporting For those of us who have been in the industry for a long time, the term ‘reporting’ brings back bad memories. It evokes hundreds of pages of printouts on tractor feed paper, with thousands of entries, each row looking exactly the same as the last. It brings to mind hours of scanning these lines, yellow highlighter in hand, marking unusual entries. It brings to mind the tailoring of reports to include new data, excluding unneeded columns, importing files into print services, and hoping nothing got messed up which might require restarting from the beginning. Those days are fortunately long gone, as SIEM and Log Management have evolved their capabilities to automate a lot of this work, providing graphical representations that allow viewing data in novel ways. Reporting is a key capability because this process was just plain hard work. To evaluate reporting features included in SIEM/LM, we need to understand what it is, and the stages of a reporting process. You will notice from the description above that there are several different steps to the production of reports, and depending on your role, you may see reporting as basically one of these subtasks. The term ‘reporting’ is a colloquialism used to encompass a group of activities: selecting, formatting, moving, and reviewing data are all parts of the reporting process. So what is reporting? 
At its simplest, reporting is just selecting a subset of the data we previously captured for review, focused analysis, or a permanent record (‘artifact’) of activity. Its primary use is to put data into an understandable form, so we can analyze activity and substantiate controls without having to comb through lots of irrelevant stuff. The report comprises the simplified view needed to facilitate review or, as we will discuss later, forensic analysis. We also should not be constrained by the traditional definition of a report as a stack of papers (or, these days, a PDF). Our definition of reporting can embrace views within an interface that facilitate analysis and investigation.

The second common use is to capture and record events that demonstrate completion of an assigned task. These reports are historic records kept for verification. Trouble-ticket work orders and regulatory reports are common examples, where a report is created and ‘signed’ by both the producer of the report and an auditor. These snapshots of events may be kept within, or stored separately from, the SIEM/LM system.

There are a few basic aspects of reporting that we want to pay close attention to when evaluating SIEM/LM reporting capabilities:

  • What reports are included with the standard product?
  • How easy is it to manage and automate reports?
  • How easy is it to create new, ad-hoc reports?
  • What export and integration options are available?

For many standard tasks and compliance needs, pre-built reports are provided by the vendor to lower costs and speed up product deployment. At minimum, vendors provide canned reports for PCI, Sarbanes-Oxley, and HIPAA. We know that compliance is the reason many of you are reading this series, and will be the reason you invest in SIEM. Reports embody the tangible benefit to auditors, operations, and security staff. Just keep in mind that 2000 built-in reports is not necessarily better than 100, despite vendor claims.
Most end users typically use 10-15 reports on an ongoing basis, and those must be automated and customized to the user’s requirements. Most end users want to feel unique, so they like to customize the reports, even when the built-in reports are fine. But there is a real need for ad-hoc reports in forensic analysis and in the implementation of new rules. Most policies take time to refine, to be sure that we collect only the data we need, and that what we collect is complete and accurate. So the reporting engine needs to make this process easy, or the user experience suffers dramatically. Finally, the data within the reports is often shared across different audiences and applications. The ability to export raw data for use with third-party reporting and analysis tools is important, and demands careful consideration during selection.

People say end users buy interface and reports, and that is true for the most part. We call that broad idea user experience, and although many security professionals minimize the focus on reporting during the evaluation process, that can be a critical mistake. Reports are how you will show value from the SIEM/LM platform, so make sure the engine can support the information you need to show.

Forensics

It was just this past January that I read an “analyst” report on SIEM, where the author felt forensic analysis was policy-driven. The report claimed that you could automate forensic analysis and do away with costly forensic investigations. Yes, you could have critical data at your fingertips by setting up policies in advance! I nearly snorted beer out my nose! Believe me: if forensic analysis were that freaking easy, we would detect events in real time and stop them from happening! If we know in advance what to look for, there is no reason to wait until afterwards to perform the analysis – instead we would alert on it. And this is really the difference between alerting on data and forensic analysis of the same data.
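The post draws three lines here: a report selects and summarizes data already captured, an alert fires on a pattern somebody wrote down in advance, and forensic analysis answers a question nobody wrote a rule for. The Python below is an added example, not code from the Securosis post or from any SIEM product. It runs all three over a handful of constructed, already-normalized events from two sources (an auth log and a web proxy); the field names, user names, addresses and URLs are made up for the illustration and match no vendor’s schema.

```python
"""Added example (not from the post): a toy normalized event store showing a
canned report, a real-time alert rule, and an ad-hoc forensic pivot side by side.
Every event and field name below is constructed for illustration."""
import csv
import io
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized events from two sources (auth and web proxy).
# Deliberately not in time order: different collectors deliver at different rates.
EVENTS = [
    {"ts": "2010-06-09T09:00:01", "src": "auth",  "user": "alice", "src_ip": "203.0.113.7",  "action": "login",    "outcome": "failure", "detail": "bad password"},
    {"ts": "2010-06-09T09:00:15", "src": "auth",  "user": "alice", "src_ip": "203.0.113.7",  "action": "login",    "outcome": "failure", "detail": "bad password"},
    {"ts": "2010-06-09T09:00:33", "src": "auth",  "user": "alice", "src_ip": "203.0.113.7",  "action": "login",    "outcome": "failure", "detail": "bad password"},
    {"ts": "2010-06-09T09:00:50", "src": "auth",  "user": "alice", "src_ip": "203.0.113.7",  "action": "login",    "outcome": "success", "detail": "vpn1"},
    {"ts": "2010-06-09T09:01:10", "src": "proxy", "user": "alice", "src_ip": "203.0.113.7",  "action": "http_get", "outcome": "allowed", "detail": "http://intranet/finance/export.csv"},
    {"ts": "2010-06-09T09:05:00", "src": "auth",  "user": "bob",   "src_ip": "198.51.100.4", "action": "login",    "outcome": "failure", "detail": "bad password"},
    {"ts": "2010-06-09T09:30:00", "src": "auth",  "user": "bob",   "src_ip": "198.51.100.4", "action": "login",    "outcome": "success", "detail": "vpn1"},
    {"ts": "2010-06-09T08:55:00", "src": "proxy", "user": "-",     "src_ip": "203.0.113.7",  "action": "http_get", "outcome": "allowed", "detail": "http://intranet/login"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def by_time(events):
    """Sort once so both the alert rule and the pivot see events in order."""
    return sorted(events, key=lambda e: parse_ts(e["ts"]))


# 1. Reporting: select a subset of captured data and summarize it. This is the
#    shape of a canned "authentication activity" report: (user, outcome, count).
def login_outcome_report(events):
    counts = Counter((e["user"], e["outcome"]) for e in events
                     if e["src"] == "auth" and e["action"] == "login")
    return [{"user": u, "outcome": o, "count": n}
            for (u, o), n in sorted(counts.items())]


def report_to_csv(rows):
    """Raw export for third-party tools, which the post lists as a selection criterion."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["user", "outcome", "count"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


# 2. Alerting: the pattern is known in advance (N failed logins then a success
#    from one source IP inside a window), so it can run on the stream as events
#    arrive. It finds exactly what it was told to find and nothing else.
def brute_force_alerts(events, threshold=3, window=timedelta(minutes=2)):
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = []
    for e in by_time(events):
        if e["src"] != "auth" or e["action"] != "login":
            continue
        ts = parse_ts(e["ts"])
        q = failures[e["src_ip"]]
        while q and ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if e["outcome"] == "failure":
            q.append(ts)
        elif e["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"ts": e["ts"], "src_ip": e["src_ip"],
                           "user": e["user"], "failures": len(q)})
            q.clear()
    return alerts


# 3. Forensics: the question was not known in advance. Given a lead (a source IP
#    and a time window), pull everything about it across all sources into one
#    timeline for a human to read. No rule could have anticipated this query.
def pivot_on_src_ip(events, src_ip, start, end):
    t0, t1 = parse_ts(start), parse_ts(end)
    return [e for e in by_time(events)
            if e["src_ip"] == src_ip and t0 <= parse_ts(e["ts"]) <= t1]


if __name__ == "__main__":
    print(report_to_csv(login_outcome_report(EVENTS)))
    for a in brute_force_alerts(EVENTS):
        print("ALERT", a)
    for e in pivot_on_src_ip(EVENTS, "203.0.113.7", "2010-06-09T08:50:00", "2010-06-09T09:10:00"):
        print(e["ts"], e["src"], e["user"], e["action"], e["outcome"], e["detail"])
```

Run it and compare the three outputs. The report looks the same every day and is what the auditor signs. The alert rule fires once, on alice’s address, and only because someone decided beforehand that three failures then a success was worth flagging (raise `threshold` to 4 and it finds nothing). The pivot is what you run after the alert, or after the help desk calls, to see what else that address touched: here the proxy shows it probing the login page before the password guessing started and pulling a finance export afterwards, neither of which any login rule would have surfaced.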
We need to correlate data from multiple sources and have a


Incite 6/9/2010: Creating Excitement

Some businesses are great at creating excitement. Take Apple, for instance. They create demand for their new (and upgraded) products, which creates a feeding frenzy when the public can finally buy the newest shiny object. 2 million iPads in 60 days is astounding. I suspect they’ll move a bunch of iPhone 4 units on June 24 as well (I know I’ll be upgrading mine and the Boss’). They’ve created a cult around their products, and it generates unbelievable excitement whenever there is a new toy to try. Last week I was in the Apple store dropping my trusty MacBook Pro off for service. The place was buzzing, and the rest of the mall was pretty much dead. This was 3 PM on a Thursday, but you’d think it was Christmas Eve from looking at the faces of the folks in the store. Everything about the Apple consumer experience is exciting. You may not like them, you may call me a fanboy, but in the end you can’t argue with the results. Excitement sells.

If you have kids, you know all about how Disney creates the same feeling of excitement. Whether it’s seeing a new movie or going to the theme parks, this is another company that does it right. We recently took the kids down to Disneyworld, and it sure didn’t seem like the economy was crap inside the park. Each day it was packed and everyone was enjoying the happiest place on Earth, including my family.

One night we stayed at a Disney property. It’s not enough to send a packet of information and confirmations a few months ahead of the trip. By the time you are ready to go, the excitement has faded. So Disney sends an email reminding you of the great time you are about to have a few days before you check in. They give you lots of details about your resort, with fancy pictures of people having a great time. The message is that you will be those people in a few days. All your problems will be gone, because you are praying in the House of the Mouse. Brilliant.
I do a lot of business travel and I can tell you I’m not excited when I get to Topeka at 1am after being delayed for 3 hours at O’Hare. No one is. But it’s not like any of the business-oriented hotels do anything to engage their customers. I’m lucky if I get a snarl from the front desk attendant as I’m assigned some room near the elevator overlooking the sewage treatment facility next door. It’s a friggin’ bed and a place to shower. That’s it. It just seems to me these big ‘hospitality’ companies could do better. They can do more to engage their customers. They can do more to create a memorable experience. I expect so little that anything they do is upside. I believe most business travelers are like me.

So whatever business you are in, think about how you can surprise your customers in a positive fashion (yes, those pesky users who keep screwing everything up are your customers) and create excitement about what you are doing. I know, we do security. It’s not very exciting when it’s going well. But wouldn’t it be great if a user was actually happy to see you, instead of thinking, “Oh, crap, here comes Dr. No again, to tell me not to surf pr0n on the corporate network.”? Think about it. And expect more from yourself and everyone else you do business with.

– Mike.

Photo credits: “Magic Music Mayhem 3 (Explored)” originally uploaded by Express Monorail

Incite 4 U

Microsoft cannot fix stupid – The sage Rob Graham is at it again, weighing in on Google’s alleged dictum to eradicate Microsoft’s OS from all their desktops, because it’s too hard to secure. Rob makes a number of good points in the post, about how much Microsoft invests in security and the reality that Windows 7 and IE 8 are the most secure offerings out there. But ultimately it doesn’t matter, because it’s human error that is responsible for most of the successful attacks. And if we block one path the attackers find another – they are good that way. So what to do? Do what we’ve always done. Try to eliminate the low-hanging fruit that makes the bad guy’s job too easy, and make sure you have a good containment and response strategy for when something bad does happen. And it will, whatever OS you use. – MR

Fight the good fight – Apparently “Symantec believes security firms should eradicate ‘false positives’ ”. I imagine that this would be pretty high on their list. Somewhere between “Rid the world of computer viruses” and “Wipe out all spam”. And I love their idea of monitoring social network sites such as Facebook and online fora to identify false positives, working tirelessly to eliminate the threat of, what was it again? Yeah, misdiagnosis. In fact, I want to help Symantec. I filled out my job application today because I want that job. Believe me, I could hunt Facebook, Twitter, and YouTube all day, looking for those false positives and misdiagnosis thingies. Well, until the spam bots flood these sites with false reports of false positives. Then I’d have to bring the fight to the sports page for false positive detection, or maybe check out those critical celebrity false positives. It sounds like tough work, but hey, it’s a noble cause. Keep up the good fight, guys! – AL

Good intentions – I always struggle with “policy drift”: the tendency to start from a compliant state but lose it over time due to distractions, pressure, and complacency. For example, I’m pretty bad at keeping my info in our CRM tool up to date. That’s okay, because so are Mike and Adrian. As Mathias Thurman writes over at Computerworld, this can be a killer for something crucial like patch management. Mathias describes his difficulties in keeping


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

“Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.”

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.