Research

With all the recent talk about cloud security, I’ve really been struck by the blatant deliberate confusion promulgated by various industry stakeholders. For example, last week around RSA I saw a nonstop stream of press releases containing the word “cloud” for products and services that were merely the same old beloved security tools, now rebranded to ride the froth of the cloud marketing wave. But ‘cloud’ is only the latest example – from NAC to DLP to GRC and other technologies of yore, we see often-deliberate message dilution and confusion so certain poorly-positioned individuals or companies can avoid being left behind by market innovators. We don’t just see this in security; calling yourself “green” is an instantly classic example (hello “green” bottled water), but I do think we see it more in security than other areas of IT. When you think about it, we are probably the farthest reaching area of IT- spanning everything from development to storage to desktops to networking, and as such have a fair bit more running room. You might be able to rebrand your storage solution “green”, but it isn’t like you can call a hard drive a WWAN SAN just to hop on a trend (having been to many non-security conferences, I think this is a reasonably safe statement). And what I’m focusing on today isn’t mere bandwagon hopping, but purposeful efforts by laggards to create confusion in a market and defeat clarity. I call it the Anti-Disambiguation Movement, and it follows a predictable path. The movement is led by vendors, press, and analysts; with end-users (and some innovative vendors) suffering the consequences. Here’s how it works – when a vendor is late to the party, they start issuing a bunch of marketing chaff to distract everyone from the real innovation. This takes a number of forms (which we will talk about in a moment), which result in one of several outcomes (which we’ll also detail). Interestingly enough, I think this tracks very nicely with the Gartner Hype Cycle (I love the Hype Cycle, and am sad I don’t get to use it anymore). Let’s start with the methods (I’d apologize for the language, but you should be used to it by now): The Marketing Cock Block: A large vendor claims that they are bringing a product to market within a nebulous time frame, when they have no existing product in that market. The goal is to Osborne effect any direct competitors or small vendors in the space by creating a belief that the “official” solution from a stable supplier is just around the corner. In some cases the vendor has a product, but it isn’t close to competitive. Example: Microsoft and Cisco with NAC. Neither had a viable solution until relatively recently (and that’s still debatable), but that didn’t even slow down their marketing efforts and interoperability announcements. The PR Territory Piss: A variant of the Cock Block in which the vendor issues extensive press releases on their ownership of a trend, which they may or may not later buy or build into. Example: AV vendors and antispyware. Malicious Confusion: Vendors know they don’t have an offering in that market/trend, so they expand or otherwise deliberately misuse the definition of that trend to include their products under the hot umbrella. The goal isn’t to produce anything for that market, but to create enough confusion that whatever they already had on the shelf can be marketed with today’s cool term. They purposely and maliciously create confusion for their own benefit. Ideally, they even convince some press or analysts to include them in a market list or product evaluation. Example: DLP and USB port blockers, endpoint encryption, and about a dozen other things that have nothing to do with DLP. The Glom-on: A trend starts hitting and clumps of vendors start piling on for the ride, making a subconscious but collective decision to link their market to the trend until the trend/market definition becomes so diluted as to be worthless. Examples: Cloud and information-centric security. The Lemming Roller Coaster: A trend becomes hot, and less-intelligent vendors jump on, usually late, without really knowing where they are headed. The lemming is less deliberate than some of our other examples, and typically the result of a brain dead marketing/PR type. It’s usually smaller companies, and may lead to their death once users figure out the product doesn’t help with that problem, or after they score poorly in magazine/analyst ratings. Examples: Seeing this a lot with DLP and a bit in GRC. Unintelligent Design: Some ass-clown of an analyst invents their own term for something, often issuing some sort of market report, triggering one of the other methods listed above. Examples: The Anti-Disambiguation Movement… and GRC. The result falls into these categories: Death: The trend/market becomes so toxic that it dies, taking the slower companies with it. Example: PKI. Clarity: The ambiguities fade away and clear definitions emerge, although often not until after a few early innovators die. Example: NAC. Redefinition: The term/market is redefined, but doesn’t necessarily resemble its original form. Example: I think cloud security is headed this way. Meaninglessness: The term becomes so diluted it’s essentially worthless, even though there might be some nuggets of truth in there. Example: GRC. I’m having a bit of fun here, but the simple truth is that very often market terms are atrociously abused by laggards, often (deliberately) damaging the real innovation and innovators. Share:

Wanted to post my highlights of the RSA show. Rich and I meant to post daily updates about our experiences during the show, but we were quite literally in meetings or gatherings from 8:30 AM until we went to bed each night. No chance of writing and posting from a secure connection. I have a stack of 70+ business cards sitting here on my desk, and I gave out almost all of the 200 I brought with me. I can barely remember talking to that many people over the course of the week. The weather was awesome. Warm. Actually, very warm. For those of you who don’t get to San Francisco too often, it was about 20 degrees hotter than it was supposed to be Sunday through Wednesday. Rich and I usually stay at a funky little hotel that is close to Moscone; it’s cheap and we are never in the rooms for very long. However the older hotels lack air conditioning. In fact, if you want to get cool air, you open the window. Sleeping in a 90 degree room with big city traffic outside your window does not make for a restful visit. When you combine 15 meetings a day on four hours of sleep, things begin to blur together. But both Rich and I had an awesome time, and spent the entire weekend recovering from sleep deprivation. Best Food: The Venrock party was held at ‘Two’, which is a nice little restaurant off Howard and somewhat hard to spot. The food was simple ‘Cowboy’ fare: barbequed tri-tip – carnitas like shredded pork and roasted chicken, but simply amazing. We were planning on going out to dinner but our plans were promptly discarded when we tasted the food. We ate until they took the trays away. I am going to have to go back there for dinner! Best Party: The Security Bloggers event, if for no other reason that there were so many interesting people there that I talked until my voice gave out. Good friends, good food, good drink, and good fun! Best Presentation: I am probably disqualified from this category, but I am putting out my nomination anyway. I was only able to attend a half dozen presentations, and I knew both the people on stage for my favorite, however there was one clear winner from what I saw. Rich Mogull and Chris Hoff on Disruptive Innovation simply rocked. Biased? Sure. Small sample size? Sure. But on a Friday morning, to fill a conference room and have no one leave is pretty amazing. To cover 160 slides in 50 minutes and make sense is astounding. When it becomes available on the RSA site, you tell me if it was not the best preso! Special mention goes to Brian Chess and Gary McGraw for another interesting Friday talk on secure coding and the release of the Building Security In Maturity Model. http://www.bsi-mm.com/ Attendance: Officially I was told that the numbers were off about 22%. Lots of the vendors along the edges of the exhibitor hall were complaining that they were not getting anyone by their booths, but I have seen that first hand in past years as well. What I did not see were the people with shopping bags loaded with tchotchkes and stuff – instead I saw people legitimately there to see what the vendors offered. Seemed like the people who had company budget to show up were there to learn from the sessions, visit a couple vendors they were interested in speaking with, and that was about it. Not many people looking for innovation, but their existing vendors to get better at what they do, or in some cases, what they are supposed to do. Biggest Surprise: How many of you knew Webroot has a complete email and web security service offering? I cover the space and I did not even know until this week. Kind of a strange time to start, but the service based offerings makes switching very easy to do. And if Postini’s ability to filter spam continues to slide, I think Rich and I will begin looking at other vendors. If we are, I will bet others would consider this as well. Favorite event: First annual Securosis Recovery Breakfast (which will be named The Disaster Recovery Breakfast in the future, thanks Mary Catherine) was a big hit. Jillian’s was really nice to us and gave us the entire restaurant. We had about 70 people show up. No screaming over the noise, no elbow to elbow crowds, lots of chairs and good food. It was different than anything I have been to at RSA, and I am glad Rich had the idea. Relaxing fun, so we will definitely do it again next year. Theme: Security. This may seem obvious to some of you, but it should not be. We have gone through previous years where every vendor was a one stop shop for solving your compliance problems, and we have seen every gadget and appliance marketed to us as the one and only solution for Governance, Risk and Compliance. I expected to see 500 vendors telling me how they could secure the cloud, but I only saw a smattering of that. While I know a very large percentage of revenue is derived from compliance spending, the message was back to security, and I think that is a good thing! The buyers are beginning to see that operational controls, compliance, and security are closely linked needs. Saddest Scene: It’s a security conference. We are security professionals. We read about how easy it is to hack wireless end points, and that man in the middle attacks are sometimes trivial for a skilled hacker, but common traffic sniffing is usually sufficient to gather user accounts and passwords. This is not a big secret. Yet there was always a group of people grouped around the wireless access points, gathering their email and checking their eBay bids. Are you freakin’ nuts? RSA needs its own “Wall of

Hey folks, Just a quick note that we had a few people ask if we were going to hold a meeting on Project Quant out here at RSA. We know it’s last minute, but if you are interested in hearing more about the project and providing some input, we’ve decided to hold a Town Hall meeting right after the Securosis Recovery Breakfast on Wednesday morning at Jillian’s. The breakfast runs until 11, and we’ll gather up all the Quant people right after that and find a quiet corner. The WASC meetup is at 12, so if you plan things right you can probably hang out at Jillian’s all day and never head over to Moscone. Feel free to drop a comment if you think you might show, but otherwise we’ll see you there… Share:

Yesterday, our friends over at Marker Advisors shared some information on what they see on the financial side of the IT security world. Today they follow up with a brief conclusion about how this is playing out. We’ve seen a ton of M&A activity ourselves, and have even written about it before. We’re seeing exactly the same trend- from a valuation standpoint it’s a buyers market, but many sellers are hanging on, hoping for a better exit. I think it will be fascinating to watch this dance play out at RSA this year, and plan on asking Randy and Russ for a follow-on post once we all get back from the show. M&A activity happens in cycles that are directly related to major product buying cycles. In times of slow growth, larger companies that can invest in the future try to project the ‘next big thing’. They then identify and purchase technology / expertise that will hopefully prepare them for the next upswing. The software business has always been one where ‘the rich get richer’. Large companies have the cash and cash flow, the sales organization, and the market presence to use downturns to augment their product lines. We have seen both traditional software companies (ORCL, MFE, SYMC, QSFT, OTEX, CA, BMC) grow via acquisition, as well as nontraditional buyers (IBM, EMC, HPQ) enter the market. As we came out of the 2001 – 2002 slowdown, M&A activity increased materially. However, in the last couple of years, as that cycle waned, combinations slowed. Marker believes another M&A cycle is imminent. Today, we have many interested buyers, but few sellers willing to entertain today’s valuations. Although we are not going to the valuations of 2006 / 2007 anytime soon, they should trend higher in time, and buyers and sellers will meet somewhere in the middle. Smaller public and private organizations desiring to be acquired should be preparing their business for this next M&A wave. How a company reacts and positions itself in the short term will eventually determine whether or not they are one of the prize catches, or one of the throwaways. About Marker Advisors: Marker is a research consultancy firm specializing in the software industry. We work with senior company management as well as sophisticated industry investors to create shareholder value. We provide detailed market intelligence, business and product strategy, and M&A advisory services. Share:

The big news at Securosis this week was the launching of Project Quant! Not only are we excited about working with some of the team members at Microsoft, but we are going to be really pushing the boundaries of our Totally Transparent Research process. Rich has been furiously setting up the infrastructure all week to support the public discourse for the project, and he just got it finished in time for launch. We are grateful that there is a ton of interest out there as we have been getting numerous tweets and email on the subject, and well as a ton of press on the project from eWeek, Dark Reading, ZDNet, and Dennis Fisher at ThreatPost. Jeff Jones posted an announcement on his Security Blog, plus there is coverage by Peter Galli on Microsoft’s Port 25 blog as well! There won’t be a lot of content pushed out next week as we are crazy-busy next week, but this will be a full time effort come May. On the personal side, I got a couple phone calls again this week. You know, the “My computer is doing FOO, and it stopped working” phone call from friends and family. As sure as the sun rises in the morning, I got another call today from a friend who has their machine infected with some form of malware. IE is completely locked, and when they try to use it now, all they get is an advertisement to purchase AV and anti-malware! After a few hours of someone in the family browsing risky sites and downloading music from dubious locations, it looked like they had managed to get infected with something that was not going to easily surrender. It passed the Eye Chart test, but I was not convinced that it was (or was not) Conficker. The next question of course is “How do I fix it?” and my response is “stop doing what you did to get it infected in the first place!” The snappy retort does not make me very popular, but why fix it and have them do it again a week later? Almost immediately I feel bad for them and go ahead and fix it. Most of the people who call use their computer to run their business. This is how they make their living. They are hosed. They will lose two or three days of revenue and piss off their clients if they don’t get back up and running ASAP. Can the virus be removed without permanent damage? Maybe, maybe not. A fresh install is probably the only way to be sure you got it. Serious education on what not to do is what it would take to keep it from happening again. Any way you slice it, this is a painful process. There are a lot of commonalities across this group: They use IE 6.x on Windows. They do not make backups. They do not keep the original software media or software licenses. They use their machines for their business. Their machines run very slowly, and have for a long time. They browse -everywhere-. They have never met an email link they would not click. They download lots of applications and music. They install a lot of free Internet applications just to see what they are. They have never uninstalled a program. They do not run disk cleanup. They have Norton or McAfee. They have malware and adware on the machine. They do online banking. There is no password on the machine. The machine is multi-use by/for all family members. They have never looked at IE settings. They are unaware that there are other browsers. I feel bad half the time, because I cannot fix the problem without a re-install. When I do re-install, getting the computer to where it was before the infection is a full day’s work … spread out over a week or more. Man do I have sympathy for the corporate IT guys who have to put up with this for a living! “Where are my bookmarks?” “Why does the computer do this?” “I can’t print!” “Why is this over here when it used to be over there?” Part of me wants them to feel a little pain, in order for them to appreciate that performing every risky act on your computer has consequences, but what really needs to happen is some education for the home user. I have been on this topic for some time, and I feel fairly strongly about it. Enough so that I even bought “Security Mike’s Guide to Internet Security” when it was still vapo-bookware to loan to family members to raise their awareness. Not that they would have read it before their computer imploded, but it would be there for them as they waited for InstallShield to complete its tasks. I know that security professionals need to help not just the vendors and IT organizations who have security challenges, but the end users as well. I am going to be cherry-picking a bunch of our old posts and putting them into the new Research Library for end user assistance and tips. Certainly not our focus, but something we will continue to build. And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: Martin and Rich on the weekly Network Security Podcast. Rich joined Amrit Williams of BigFix on the Beyond the Perimeter podcast. Favorite Securosis Posts: Rich: Our guest post from Marker Advisors on A Financial Analyst’s Perspective. Adrian: Pin Crackers post, raising some discussion points to Kim Zetter on the Wired Threat Level site in regards to “PIN cracking”. Favorite Outside Posts: Adrian: I liked Ronald McCarthy’s down-to-earth discussion of Ubuntu Security. Rich: Alex’s comments on Project Quant. Don’t worry Alex, we are all armed with ‘Multitools’ and chewing gum! Top News and Posts: An Examination of the Twitter Worm. The Verizion Data Breach report is out. It’s good. Read it when you get the chance, but some of the editorial posts are advised as well,

When I first started Securosis I was a little surprised at the number of due diligence and other investor-related projects that started flowing through the door. At Gartner we couldn’t engage in these kinds of projects (for some very good reasons), but being independent allowed me more flexibility. Since then we’ve continued to work closely with a variety of investment partners and clients. One of our partners is Marker Advisors, a boutique financial analysis and consulting firm here in Phoenix/Scottsdale. We like them for their dead-on analysis, and habit of buying us Mojitos on Friday afternoons. I wish I could tell you some of the stuff these guys are up to, but suffice it to say they have an extremely good pulse on the market. (We also suggest you follow Peter Kuper, who is blogging over at IANS and is another one of our favorite partners). We asked the guys at Marker for their take on the security software market, and they were kind enough to let us post their response. Some of this information is counter-intuitive, and shows why the economy isn’t the only issue the security market faces. We’ve broken it into two parts: # 2008 was a tough year economically, but most software companies discovered ways to grow revenue. The 20 companies we are closest to and favor (what we call our “coverage” list) grew revenue 18% (organically) YoY in 2008; an outstanding performance given both the environment and an overall market that grew at less than half that pace. Our larger “universe” of the 75 software companies we follow grew ~16% (including acquisitions). However, growth in both groups slowed in the 2H08 to ~9% YoY. The big question that needs answering is at what rate will revenue grow in 2009, and then 2010? To best determine this answer, let’s first take a look at why revenue grew last year: New product cycles. The first major new product cycles since 1999/2001 spurred investment in 2006 > 2008. 2008 capped a multi-year reinvestment cycle, as many companies managed to finally complete the move to Web-based technologies (from client server) in most applications/infrastructure, as well as upgrade to the latest generation of IP networking products. Existing vendor spend. Software companies with large customer bases were able to sell these new products (often at a discount) into a market that wanted to spend with existing vendors. Add-ons increase ASPs. New add-on products (product line extensions) helped increase ASPs, as customers looked to improve the productivity and broaden the use of new installations. Support costs increased. Many vendors pushed through 2007/2008 increases in maintenance and support charges, as pricing power shifted back to the vendors (for oh so short a time). International growth. International growth helped overcome a relatively difficult U.S. market. Budget Shifts. Budgets allocations shifted towards our favored sectors – Security, Web Content Management and Virtualization. Weak dollar. The dollar’s weakness pushed growth up in the 2H07 and the first half of 2008. M&A boosts results. Acquisitions in late 2007 and early 2008 boosted 2008 revenue results by a couple of percent. However, most of the factors that made 2008 a solid growth year are no longer present in 2009: We are at the end of this decade’s major product introductions. The next round of innovation appears to be focused on “cloud” computing, not data center computing. As customers evaluate where to install their next server and whether to rent or own software, they will spend less now. The economy will only make it easier to consider this a “transition” year. The large customer bases that were heavily mined throughout 2008 are nearing exhaustion. Although they did not overspend like they did in 2000/2001, they are appropriately stocked. Add-ons are slowing. Add-on products continue to get shipped, but it’s going to be a slow year for innovation. There will be no major new product cycles until 2010-2011. Moreover, the future product cycles will be more cloud-based and subscription priced, so look for evolution in business models. International growth will not be as much assistance in 2009, as EMEA, APAC and China all slow spending. We have picked up a growing number of channel checks that suggest all three regions are now slowing materially. Budgets will shift towards a much smaller set of projects in 2009. If you are a strategic vendor and make the short list, the year will look decent (low double digit growth). If not, it will be a struggle (flat to declining revenue YoY). Security and WCM will continue to outperform, but ratcheted down a full notch. Applications will continue to underperform. Basic infrastructure will be mixed – virtualization will be solid, but communications and networking will be slowed by both “cloud computing” marketing and major vendor “next big thing” sales campaigns. It is no longer clear where organizations should invest… In their own data centers? Or should they outsource basic infrastructure like email, collaboration, and data services to the emerging cloud vendors? Or outsource it to their software vendors’ SaaS offerings? 2009 will be a good time to evaluative these options, while not making a major investment decision. It’s hard to predict the dollar – however, it’s unlikely to provide much tailwind given 1H08’s prolonged weakness. We believe acquisitions will pick up as the year progresses, as potential sellers understand we are in for a rough couple of years and valuations are not coming back strongly. In fact, we think many of the best investment opportunities will come in the form of M&A. In December 2008, Street analysts had 2009 revenue growth at around 9% YoY for our coverage names, and close to that for our universe names. SaaS and virtualization companies have higher expected growth rates, and application companies lower growth rates. Today those same analysts have cut growth projections to around 5% YoY. In examining the quarterly forecasts, it appears investors and analysts are looking for a 2H09 recovery in capital spending. The crux of our question is how could they possibly know

eWeek is reporting that Avinti is being acquired by Marshal8e6 this week. There has not been a lot of news in this sector of late, but this one is a little different, so what exactly do we have here? A web security appliance vendor merged with an email security software vendor, buying another vendor who leverages virtual environments to isolate code behavior. Marshal8e6 is the recent merger of the Mail Marshal email security guys with 8e6, the web security firm. Avinti provides a sort of application Habitrail to monitor code in its natural habitat, watch how it works and (since I am already running with this analogy) spot the evil hamster at play. From Avinti CEO William Kilmer: “Essentially we have a network-based device that would run a series of virtual images that can actually mimic the user’s desktop environment,” Kilmer said in an interview with eWEEK. “We’ll open it up, actually run it, and look for process or look for different signals that would indicate that it’s a virus.” While this is an odd mixture of technologies, the trifecta makes sense for them. Most vendors offer a combined email security and web security offering, and customers expect as much. But with signature based detection of spam and malicious code nearing the end of its useful lifespan, alternative methods of detection are needed and being used. I think in the short term Avinti’s behavior based inspection provides Marshal8e6 a very minor competitive advantage amongst some of their mid-tier competitors, but in the long run the Avinti approach is what is more interesting- providing a flexible ‘playground’ to test or deploy multiple inspection techniques, and I imagine allow the customer to cascade multiple methods at once. It also allows them to scale services on the back end on an as-needed basis with cloud or virtual computing, so if the customer wants to run appliances (software or virtual) they will have the option. Marshal8e6 of course faces the challenge of implementing a unified system and policy management interface for the combined product; all three products needed a refresh regardless, but this will be critical for both keeping existing customers happy and also making the product easy to use. Smaller email/web security firms are in a very tough position given competition from the top vendors, but if they can provide enough breadth of functionality to meet expectations while continuing to innovate, they have a good chance to survive this market. Share:

Really excellent article by Kim Zetter on the Wired Threat Level site in regards to “PIN cracking”, and some of the techniques being employed to gather large amounts of consumer financial data. I know Rich referenced this post earlier today, but since I already wrote about it and have a few other points I think should be mentioned, hopefully you will not mind the duplicated reference. Before I delve into some of the technical points, I want to say that I am not certain if the author desired a little sensationalism to raise interest, or if the security practitioners interviewed were not 100% straight with the author, or if there was an attempt to disguise deployment mistakes by hyping the skills of the attacker, but the headline and some of the contents are misleading. The attackers are not ‘cracking’ the ATM PINs, as the encryption is not what is being attacked here. Rather they are ‘scraping’ the memory of the security devices, looking for unencrypted data or the encryption keys. In this case by grabbing the data when it is unencrypted and vulnerable (in a cryptographic sense if not the physical one) within the Hardware Security Device/Module/Unit for electronic funds transfers, hackers are in essence sniffing unencrypted data. The attack is not that sophisticated, nor is it new, as various eavesdropping methods have been employed for years, but that does not mean that it is easy. Common tactics include altering the device’s operating system or ‘attaching’ to the hardware bus to access keys and passwords stored in memory, thus bypassing intended interfaces and protections. Some devices of this type are even constructed in such a way that physical tampering will destroy the machine and make it apparent someone was attempting to monitor information. Some use obfuscation and memory management technologies to thwart these attacks. Any of these requires a great deal of study and most likely trial and error to perfect. Unless of course you leave the HSM interface wide open, and your devices were infected with malware, and hackers had plenty of time to scan memory locations to find what they wanted. I am going to maintain my statement that, until proven otherwise, this is exactly what was going on with the Heartland breach. For the attack to have compromised as many accounts as they did without penetrating the Heartland facility would require this kind of compromise. It implies that the attackers have access to the HSM, most likely exploiting negligent security of the command and control interface, and infecting the OS with malicious code. Breaking into the hardware or breaking the crypto would have been a huge undertaking, requiring specialized skills and access. Part of the reason for the security speed-bump post was to illustrate that any type of security measure should be considered a hindrance; with enough time, skill and access, the security measure can be broken. Enough hindrances in place can provide good security. Way back when in my security career, we used to perform hindrance surveys of our systems to propose how we might break our own systems, under what circumstances this could be done, and what skills and tools would be required. Breaking into an HSM and scraping memory is a separate and distinct skill from cracking encryption (keys), and different from writing SQL and malware injection code. Each attack has a cost in time and skill required. If you had to employ all of them, it would be very difficult for a team of people to accomplish. Some of the breaches, both public as well as undisclosed breaches I am aware of, have involved exploitation of sloppy deployments, as well as the other basic exploitation techniques. While I agree with Rich’s point that our financial systems are under a coordinated multi-faceted attack, the attackers had unwitting help. Criminals are only slightly less lazy than system administrators. Security people like to talk about thinking like a criminal as a precursor to understanding security, and we pay a lot of lip service to it, but it is really true. We are getting to watch as hackers work through the options, from least difficult to more difficult, over time. Guessing passwords, phishing, and sniffing unencrypted networks are long since pase, but few are actively attacking the crypto systems as they are usually the strongest link in the chain. I know it sounds really obvious to say that attackers are looking at easy targets, but that is too simplistic. Take a few minutes to think about the problem: if your boss paid you to break into a company’s systems, how would you go about it? How would you do it without being detected? When you actually try to do it, the reality of the situation becomes apparent, and you avoid things that are really freakin’ hard and find one or two easy things instead. You avoid things that are easily detectable and being watched. You learn how to leverage what you’re given and figure out what you can get, given your capabilities. When you go through this exercise, you start to see the natural progression of what an attacker would do, and you often see trends which indicate what an attacker will try and why. Despite the hype, it’s a really good article and worth your time. Share:

This is a great day for security researchers, and a bad day for anyone with a bank account. First up is the release of the 2009 Verizon Data Breach Investigations Report. This is now officially my favorite breach metrics source, and it’s chock full of incredibly valuable information. I love the report because it’s not based on bullshit surveys, but on real incident investigations. The results are slowly spreading throughout the blogosphere, and we won’t copy them all here, but a few highlights: Verizon’s team alone investigated cases that resulted in the loss of 285 million records. That’s just them, never mind all the other incident response teams. Most organizations do a crap job with security- this is backed up with a series of metrics on which security controls are in place and how incidents are discovered. Essentially no organizations really complied with all the PCI requirements- but most get certified anyway. Liquidmatrix has a solid summary of highlights, and I don’t want to repeat their work. As they say, Read pages 46-49 of the report and do what it says. Seriously. It’s the advice that I would give if you were paying me to be your CISO. And we’ll add some of our own advice soon. Next is an article on organized cybercrime by Brian Krebs THAT YOU MUST GO READ NOW. (I realize it might seem like we have a love affair with Brian or something, but he’s not nearly my type). Brian digs beyond the report, and his investigative journalism shows what many of us believe to be true- there is a concerted attack on our financial system that is sophisticated and organized, and based out of Eastern Europe. I talked with Brain and he told me, You know all those breaches last year? Most of them are a handful of groups. Here are a couple great tidbits from the article: For example, a single organized criminal group based in Eastern Europe is believed to have hacked Web sites and databases belonging to hundreds of banks, payment processors, prepaid card vendors and retailers over the last year. Most of the activity from this group occurred in the first five months of 2008. But some of that activity persisted throughout the year at specific targets, according to experts who helped law enforcement officials respond to the attacks, but asked not to be identified because they are not authorized to speak on the record. … One hacking group, which security experts say is based in Russia, attacked and infiltrated more than 300 companies – mainly financial institutions – in the United States and elsewhere, using a sophisticated Web-based exploitation service that the hackers accessed remotely. In an 18-page alert published to retail and banking partners in November, VISA described this hacker service in intricate detail, listing the names of the Web sites and malicious software used in the attack, as well as the Internet addresses of dozens of sites that were used to offload stolen data. … Steve Santorelli, director of investigations at Team Cymru, a small group of researchers who work to discover who is behind Internet crime, said the hackers behind the Heartland breach and the other break-ins mentioned in this story appear to have been aware of one another and unofficially divided up targets. “There seem, on the face of anecdotal observations, to be at least two main groups behind many of the major database compromises of recent years,” Santorelli said. “Both groups appear to be giving each other a wide berth to not step on each others’ toes.” Keep in mind that this isn’t the same old news. We’re not talking about the usual increase in attacks, but a sophistication and organizational level that developed materially in 2007-2008. To top it all off, we have this article over at Wired on PIN cracking. This one also ties in to the Verizon report. Another quote: “We’re seeing entirely new attacks that a year ago were thought to be only academically possible,” says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. “What we see now is people going right to the source … and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.” If you read more deeply, you learn that the bad guys haven’t developed some quantum crypto, but are taking advantage of weak points in the system where the data is unencrypted, even if only in memory. Really fascinating stuff, and I love that we’re getting real information on real breaches. Share:

We spend a lot of time talking about security metrics over here, and I’ve been pretty critical of both overly-broad initiatives that don’t help people get their day to day jobs done, and “fluffy” models that try to put hard numbers on risks/threats and such. Well, it looks like it’s time for me to put up or shut up. I’m pleased to announce our latest metrics project, which we’re currently calling Project Quant. (Yes we need a better name). We were approached by Jeff Jones at Microsoft to help build an independent model to measure the costs and effectiveness of patch management. This will be a hard metrics model, focused on measuring the operational processes associated with patch management. The goal is to provide IT organizations a tool they can use to measure how effective they are, and track that over time. I’m excited about this project for two main reasons: We get to focus on hard, practical metrics people can use to improve operations. We are following a “radical” version of our Totally Transparent Research process to ensure objectivity. We’ve set up a dedicated landing area for the project at http://securosis.com/projectquant where we will be posting all the materials. Here are the bits you might care about: We are soliciting as much participation in the project as possible- including competing vendors, end users of all sizes, consultants, whoever. The project has a deadline of late June, so this won’t drag out indefinitely. The first version may not be perfect, but come the end of June there will be a first version. We really need you to get involved. We’ll be asking for survey participants, reviewers, and just plain ‘ol grumpy commenters to keep us honest, and help produce a useful result. The results will be released under a Creative Commons license in an open format. We have the first two posts up at the landing site. The first, Introducing Project Quant, provides an overview of the project and the research process. The second, Project Quant: Goals delves into the project goals in more detail. This is a pretty huge project, even though it’s laser focused on one single operational area. Hopefully you like the idea, and are interested in participating. Share: