Research

Rich here. When I hurt my knee running right before Thanksgiving everyone glanced at my brace and felt absolutely compelled to tell me how much “getting old sucks”. Hell, even my doctor commiserated as he discussed his recent soccer injury. The only problem is I first hurt me knee around junior high, and in many way’s it’s been better since I hit my 40’s than any other time I can remember. As a kid my mom didn’t want me playing football because of my knees (I tried soccer for a year in 10th grade, hurt it worse, then swapped to football to finish up high school). I wore a soft brace for most of my martial arts career. I’ve been in physical therapy so many times over the past three decades that I could write a book on the changing treatment modalities of chondromalacia patellae. I had surgery once, but it didn’t help. As a lifetime competitive athlete, running has always been part of my training, but distance running was always a problem. For a long time I thought a 10K race was my physical limit. Training for more than that really stressed the knee. Then I swapped triathlon for martial arts, and realized the knee did much better when it wasn’t smashing into things nearly every day.   Around that time my girlfriend (now wife) signed us up for a half-marathon (13.1 miles). I nearly died, but I made it. Over the subsequent decade I’ve run more of them and shaved 45 minutes off my PR. The older I get, the better my times for anything over a couple miles, and the longer distances I can run. But there’s one goal that seemed impossible – the full marathon. 26.2 miles of knee pounding awesomesauce. Twice as far as the longest race I ever ran. My first attempt, last year, didn’t go so well. Deep into my training program I developed plantar fasciitis, which is a fancy way of saying “my foot was f-ed up”. So I pushed my plans back to a later race, rehabilitated my foot… and got stomach flu the week before the last race of the year before Phoenix weather went “face of the sun” hot. A seriously disheartening setback after 6 months training. I made up for it with beer. Easier on the foot. A few months later an email popped up in my inbox letting me know registration for the Walt Disney World Marathon opened the next day. My wife and I looked at it, looked at each other, and signed up before the realistic parts of our brains could stop us. Besides, the race was only a month after we would be there with the kids, so we felt justified leaving them at home for the long weekend. I built up a better base and then started a 15-week custom program. Halfway through, on a relatively modest 8-mile run in new shoes, I injured my achilles tendon and had to swap to the bike for a couple weeks. Near the peak of my program, on a short 2-mile run and stretch day, I angled my knee just the wrong way, and proceeded to enjoy the pleasure of reliving my childhood pain. Three weeks later the knee wasn’t better, but I could at least run again. But now I was training in full-on panic mode, trying to make up for missing some of the most important weeks of my program. My goal time went out the window, and I geared down into a survival mindset. Yes, by the time I lined up at the race start I had missed 5 of 15 weeks of my training program. Even my wife missed a few weeks thanks to strep throat (which I also caught). To add insult to injury, it was nearly 70F with 100% humidity. In December. At 5:35am. You know what happened next? We ran a friggin’ marathon. Yes, at times things hurt. I got one nasty blister I patched up at an aid station. My headphones crapped out. I stopped at every single water station thanks to the humidity, and probably should have worn a bathing suit instead of running shorts. But overall it wasn’t bad. Heck, I enjoyed most of the race. I didn’t really start hurting until mile 17, and my pace didn’t fully crack until mile 22. Disney puts on a hell of a race, with distracting entertainment along the entire course. Thanks to the humidity it was the slowest Disney marathon in the 23-year history of the event. Even then, my time wasn’t embarrassing, and I finished in the top 20% or so (at a time that isn’t even close to getting into Boston or New York). I didn’t feel terrible. My wife also finished up in the front third of the pack, and we spent the afternoon walking around Disney World (slowly). We felt really good the next day, other than my darn knee. The one that held up for all 26.2 miles. The one that will be better in a week or two. I checked off a bucket list item and completed something I thought was impossible. Something I told myself my entire life I couldn’t do. There is nothing more satisfying than proving yourself wrong. Except, perhaps, doing it again. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences It isn’t security related, but Rich participated in Apple in 2015: The Six Colors report card. Securosis Posts Incite 1/13/2016: Permitted. SIEM Kung Fu: Fundamentals [New Series]. Incite 1/6/2016 – Recharging. Incite 12/15/2015: Looking Forward. Building a TI Program: Success and Sharing. Threat Detection Evolution [New Paper]. Building Security Into DevOps [New Paper]. Favorite Outside Posts Rich: How Hackers Took Down a Power Grid. A well-balanced article that points to the Ukraine as another canary in a coal mine. Mike: Dave Barry’s 2015 Year in Review: Dave Barry has a pretty good gig. Write one column a year, and it better be funny. Good thing it always is, and the 2015 edition

I’m not sure how it happened, but XX1 turned 15 in November and got her driver’s permit. Wait, what?!?! That little girl can now drive. Like, legally? WTF? Clearly it is now January, and I am still in shock that 15 years has passed by in the blink of an eye. Now it’s on me to teach her to drive. She’ll take a driver’s ed course in February, so that will help and give her some practical experience with someone who actually drives with teenagers for a living. Is that on the list of worst jobs? Second to elephant cage cleaner at the zoo, driving with inexperienced drivers seems like my version of hell on earth. Then I remembered back to when I learned to drive. My Dad had a ‘72 Bug for me that he drove around. He picked me up and drove me to the local town pool parking lot. He taught me how to balance the clutch (yes, it was a stick shift) and start, stop, drive in a straight line, and turn. I recall him being extraordinarily patient as I smoked the clutch and stalled out 10 times. But after a while I got the hang of it.   Then he said, “OK Mike. Drive home.” WHAT? I was kind of in shock. It was maybe 3 miles to my house, but it was 3 miles of real road. Road with other drivers on it. I almost crapped my pants, but we got home in one piece. Dad would let me drive most places after that, even on the highway and on bridges. He remained incredibly patient, even when I stalled 10 times on a slight incline with about 50 cars behind me sitting on their horns. Yup, crapped my pants that time too. I remember that like it was yesterday, but it was 31 years ago. Damn. So before winter break I took XX1 out to the parking lot of the library. She got into the driver’s seat and I almost crapped my pants. You getting the recurring theme here? She had no idea what she was doing. I have an automatic transmission, so she didn’t have to worry about the clutch, but turning the car is a learned skill, and stopping without giving me whiplash was challenging for a little while. She did get the hang of it, but seeing her discomfort behind the wheel convinced me that my plan of having her drive home (like my Dad did to me) wouldn’t be a great idea. Neither for her self-esteem nor my blood pressure. She’ll get the hang of it, and I have to remember that she’s different than me and I’m a different teacher than my Dad. We’ll get her driving at her pace. After she takes the driver’s ed class I’ll have her start driving when she’s with me. Before we know it, she’ll have 25-30 hours behind the wheel. But I’m not taking any chances. I plan on sending her to an advanced driving school. My cousin sent me a link to this great program in NC called B.R.A.K.E.S, which provides a 4-hour defensive driving workshop specifically for teens. I’m also going to take her to a Skip Barber racing class or something similar, so she can learn how to really handle the car. Sure it’s expensive, but she’s important cargo, commanding a two-ton vehicle, so I want to make sure she’s prepared. But I have to understand this is a metaphor for the rest of her life. As parents we can prepare her to the best of our ability. Then we need to let her loose to have her own experiences and learn her lessons. She can count on our support through the inevitable ups and downs. My little girl is growing up. –Mike Photo credit: “International Driving Permit” from Tony Webster The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. SIEM Kung Fu Fundamentals Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Security as a business problem: The more things change, the more they stay the same. NetworkWorld’s Overcoming stubborn execs for security sake took me back to 2006, right before I wrote the Pragmatic CSO. Senior management doesn’t get it? Yup. Mid-managers want to circumvent the rules? Yup. On and on it goes, and we run on the hamster wheel for

Another SIEM blog series? Really? Why are we still talking about SIEM? Isn’t that old technology? Hasn’t it been subsumed by new and shiny security analytics products and services? Be honest – those thoughts crossed your mind, especially because we have published a lot of SIEM related research over the past few years. We previously worked through the basics of the technology and how to choose the right SIEM for your needs. A bit over a year ago we looked into how to monitor hybrid cloud environments. The fact is SIEM has become somewhat of a dirty word, but that’s ridiculous. Security monitoring needs to be a core, fundamental, aspect of every security program. SIEM – in various flavors, using different technologies and deployment architectures – is how you do security monitoring. So it’s not about getting rid of the technology – it’s more about how to get the most out of your existing investment, and ensuring you can handle the advanced threats facing organizations today. But we understand how SIEM got its bad name. Early versions of the technology were hard to use, and required significant integration just to get up and running. You needed to know what attacks you were looking for, and unfortunately most adversaries don’t send attack playbooks ahead of time. Operating an early SIEM required a ninja DBA, and even then queries could take hours (or days for full reports) to complete. Adding a new use case with additional searches and correlations required an act of Congress and a truckload of consultants. It’s not surprising organizations lost their patience with SIEM. So the technology was relegated to generating compliance reports and some very simple alerts, while other tools were used to do ‘real’ security monitoring. But as with most other areas of security technology, SIEM has evolved. Security monitoring platforms now support a bunch of additional data types, including network packets. The architectures have evolved to scale more efficiently and have integrated fancy new ‘Big Data’ analytics engines to improve detection accuracy, even for attacks you haven’t seen before. Threat intelligence is integrated into the SIEM directly, so you can look for attacks on other organizations before they are launched at you. So our new SIEM Kung Fu series will streamline our research to focus on what you need to know to get the most out of your SIEM, and solve the problems you face today by increasing your capabilities (the promised Kung Fu). But first let’s revisit the key use cases for SIEM and what is typically available out of the box with SIEM tools.     Alerting The original use case for SIEM was security alert reduction. IDS and firewall devices were pumping out too many alerts, and you needed a way to figure out which of them required attention. That worked for a little while, but then adversaries got a lot better and learned to evade many of the simple correlations available with first-generation SIEM. Getting actionable alerts from your SIEM is the most important use case for the technology. Many different techniques are used to detect these attacks. You can hunt for anomalies that kinda-sorta look like they could be an attack or you can do very sophisticated analytics on a wide variety of data sources to detect known attack patterns. What you cannot do any more is depend on simple file-based detection, because modern attacks are far more complicated. You need to analyze inbound network traffic (to find reconnaissance), device activity (for signs of compromise), and outbound network traffic (for command and control / botnet communications) as well. And that’s a simplified view of how a multi-faceted attack works. Sophisticated attacks require sophisticated analysis to detect and verify. Out of the box a SIEM offer a number of different patterns to detect attacks. These run the gamut from simple privilege escalation to more sophisticated botnet activity and lateral movement. Of course these built-in detections are generic and need to be tuned to your specific environment, but they can give you a head start for finding malicious activity in your environment. This provides the quick win which has historically eluding many SIEM projects, and builds momentum for continued investment in SIEM technology. SIEM technology has advanced to the point where it can find many attacks without a lot of integration and customization. But to detect advanced and targeted attacks by sophisticated adversaries, a tool can only get you so far. You need to evolve how you use security monitoring tools. You cannot just put a shiny new tool in place and expect advanced adversaries to go away. That will be our area of focus for the later posts in this series. Forensics Once you have determined an attack is under way – or more accurately, once you have detected one of the many attacks happening in your environment – you need to investigate the attack and figure out the extent of the damage. We have documented the incident response process, especially within the context of integrating threat intelligence, and SIEM is a critical tool to aggregate data and provide a platform for search and investigation. Out of the box a SIEM will enable responders to search through aggregated security data. Some tools offer visualizations to help users see anomalous activity, and figure out where certain events happened in the timeline. But you will still need a talented responder to really dig into an attack and figure out what’s happening. No tool can take an incident response from cradle to grave. So the SIEM is not going to be the only tool your incident responders use. But in terms of efficiently figuring out what’s been compromised, the extent of the damage, and an initial damage assessment, the SIEM should be a keystone of your process. Especially given the ability of a SIEM to capture and analyze network packets, providing more granularity and the ability to build a timeline of what really happened during the attack. Compliance Finally, the SIEM remains instrumental for generating compliance reports, which are still a

The last time I took 2 weeks off was probably 20 years ago. As I write that down, it makes me sad. I’ve been been running pretty hard for a long time. Even when I had some forced vacations (okay, when I got fired), I took maybe a couple days off before I started focusing on the next thing. Whether it was a new business or a job, I got consumed by what was next almost immediately. I didn’t give myself any time to recharge and heal from the road rash that accumulated from one crappy job after another. Even when things are great, like the past 6 years working with Rich and Adrian, I didn’t take a block of time off. I was engaged and focused and I couldn’t wait to jump into the next thing. So I would. I spent day after day during the winter holidays as the only person banging away at their laptop at the coffee shop while everyone else was enjoying catching up with friends over Peppermint Mocha lattes. recharge I rationalized that I could be more productive because my phone wasn’t ringing off the hook and I wasn’t getting my normal flow of email. There wasn’t much news being announced and my buddies weren’t blogging at all. So I could just bang away at the projects I didn’t have time for during the year. Turns out that was nonsense. I was largely unproductive during winter break. I read a lot, spent time thinking, and it was fine. But it didn’t give me a chance to recharge because there was no separation. The truth is I didn’t know how to relax. Maybe I was worried I wouldn’t be able to start back up again if I took that much time away. It turns out the projects that didn’t get done during the year didn’t get done over break because I didn’t want to do them. So they predictably dragged on through winter break and then into the next year. That changed this year. I’m just back from two weeks pretty much off the grid. I took a week away with my kids. We went to Florida and checked out a Falcons game in Jacksonville, the Kennedy Space Center in Cape Canaveral, and Universal Studios in Orlando. We were able to work in some family time in South Florida for Xmas before heading back to Atlanta. I stayed on top of email, but only to respond to the most urgent requests. All two of them. I didn’t bring my laptop, so if I couldn’t take care of it on my iPad, it wasn’t getting done. Then I took a week of adult R&R on the beach in Belize. I’m too cheap to pay for international cellular roaming, so my connectivity was restricted to when I could connect to crappy WiFi service. It was hard to check email or hang out in our Slack room during a snorkeling trip or an excursion down the Monkey River. So I didn’t. And the world didn’t end. The projects that dragged through the year didn’t get done. But they weren’t going to get done anyway and it was a hell of a lot more fun to be in Belize than a crappy coffee shop pretending to work. I came back from the time off recharged and ready to dive into 2016. We’ve got a lot of strategic decisions to make as the technology business evolves towards cloud-everything and we have to adapt with it. I don’t spend a lot of time looking backwards and refuse to judge myself for not unplugging for all those years. But I’ll tell you, there will be more than one period of time where I’ll be totally unplugged in 2016. And I’ll be a hell of a lot more focused and productive when I return. –Mike Photo credit: “Recharging Danbo Power” from Takashi Hososhima The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Cloud vs. on-prem. Idiotic discussions continue: Do me a favor and don’t read this article trying to get to the bottom of whether the public cloud or on-prem

In last week’s Incite I looked backwards at 2015. As we close out this year (this will be the last Incite in 2015), let me take a look forward at what’s in store for 2016. Basically I don’t have any clue. I could lie to you and say I’ve got it all figured out, but I don’t. I fly by the seat of my pants pretty much every day of my life. And any time I think I have things figured out, I get a reminder (usually pretty harsh) that I don’t know squat. One thing I’m comfortable predicting is that things will be changing. Because they always do. Some years the change is very significant, like in 2015. Other years less so. But all the same, change is constant in my world. We’re going to do some different things at Securosis next year. We are very pleased with how we have focused our research toward cloud security, and plan to double down on that in 2016. We’ll roll out some new offerings, though I’m not exactly sure when or what they’ll be. We have a ton of ideas, and now we have to figure out which of them make the most sense, because we have more ideas than time or resources. Rich, Adrian, and I will get together in January and make those decisions – and it will involve beer. Personally, I’ll continue my path of growth because well, growth. That includes trying new things, traveling to new places, and making new friends. I’m not going to set any goals besides that I want to wake up every morning, maintain my physical health, and continue my meditation and spiritual practices. My kids are at an age where they need my presence and guidance, even though they will likely not listen, because teenagers know everything. Which basically means I’ll also need to be there to pick them up when they screw things up (and they will), and try to not say I told you so too many times. I’ll also tell my story of transformation through the year. I’m not ready to do that yet, but I will because it’s an interesting story and I think it will resonate with some of you. It also ensures that I will remember as time marches on. I spent some time earlier in the year reading through old Incites and it was a great reminder of my journey. Overall I’m very excited about 2016 and continuing to live with a view toward potential and not limitations. I’m focused on making sure those I love know they are special every single day. I’m committed to being happy where I am, grateful for how I got here, and excited for what is to come. I’ll ring in the New Year in a tropical paradise, and play the rest by ear. All of us at Securosis are grateful for your support, and we wish you a healthy and happy 2016. –Mike Photo credit: “looking forward to” from Elizabeth M The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Good deed for the holidays: You too can help make software security better! OWASP, the Open Web Application Security Project, is developing a new set of secure coding guidelines for software developers. This document will be a great aid to developers who want to get up to speed on secure coding. It offers a succinct set of code examples – in most of the widely used programming languages – which address the top ten security coding flaws. And what developer doesn’t love easy to understand code examples? But wait, there’s more! This effort is truly open, so you get to participate in building the guidelines: the document I referenced is open for public comments and direct editing! So if you think the document is missing something, or there are better examples to be offered, or you think something is wrong, you can improve it. Do a good deed for the holidays and contribute. – AL Happy Holidays. Let’s make some crap up… It’s the holiday season. So obviously we will be subjected to everyone’s predictions of what’s in store for 2016. As you can tell from our last FireStarter of the year, we don’t buy into predictions. But the IDC folks don’t have any issue making things up. Their

To wrap up our series on Building a Threat Intelligence Program (Introduction; Gathering TI; Using TI), we need to jump back to the beginning for a bit. How do you define success of the program? More importantly, how can you kickstart the program with a fairly high-profile success to show the value of integrating external data into your defenses, and improve your security posture? That involves getting a quick win and then publicizing it. Quick Win The lowest-hanging fruit in threat intel is using it to find an adversary already in your environment who you didn’t know about. Of course it would be better if you didn’t have an active adversary within your defenses, but that is frankly an unlikely scenario. The reality is that some devices in your environment are already compromised – it’s a question of whether you know about them. You are already doing security monitoring (you can thank compliance for that), so it’s just a matter of searching your existing repository of security data for indicators from your threat feeds. Any log aggregation or SIEM platform will perform a search like this. Of course it’s a manual process, and that’s fine for right now – you’re just looking for a quick win. Once you complete the search one of two things happens. Perhaps you found an active adversary you didn’t know about. You can drop the proverbial mic at this point – you have proven the value of external threat intel clearly. But before you spend a lot of time congratulating yourself, you have an incident response to get moving. Obviously you’ll document it, and be able to tell a compelling story of how TI was instrumental in identifying the attack earlier than you would have discovered it otherwise. If you don’t find a smoking gun you’ll need to be a little more creative. We suggest loading up a list of known bad IP addresses into your egress firewall and looking for the inevitable traffic to those sites, which may indicate C&C nodes or other malicious activity. The value isn’t as pronounced as finding an active adversary, but it illustrates your new ability to find malicious traffic sooner using a TI feed. Keep in mind that the Quick Win is just that. It’s shows short-term value for an investment in threat intel. This can (and should) take place within any proof of concept you run with TI vendors during procurement. If you aren’t getting immediate value, either you are using the wrong data source and/or tool, or you already had a strong security posture and will likely get better short-term value from another project. Sustained Success We didn’t call this series “Getting a Quick Win with TI”, so we need to expand our aperture a bit and focus on turning the quick win into sustainable success. Of course you accomplish this by examining your process from a process-centric perspective. There are three main aspects of building out the program from the success of a quick win: Operationalizing TI: We covered this in depth in our last post on Using TI. We suggest starting by integrating the TI into your security monitoring environment. Once that is operational you can add additional use cases, such as integrating into your perimeter gateways and egress filters for proactive blocking, as well as leveraging the data within your incident response process. Evaluating TI Sources: This is a key aspect of optimizing your program. You cannot just assume the data source(s) you selected now will provide the same impact over time. Things change, including adversaries and TI providers. You are under constant scrutiny for how your security program is performing, so your TI vendors (actually all your vendors) will be under similar scrutiny. You should be able to close the loop by tracking TI, to alerts, to blocked or identified attacks, by instrumenting your security environment to track this data. Some commercial TI platforms offer this information directly, but alternately you could build it into your SIEM or other controls. Selling the Value: Senior executives, including your CIO, have a lot of things to deal with every day. You cannot count on them remembering much beyond the latest fire to appear in the inbox today. So you need to systematically produce reports that show the value of TI. This should be straightforward, usings your instrumentation for evaluating TI sources. This is another topic to cover in your periodic meetings with senior management. Especially when the renewal is coming up and you need to keep the funding. Executing on a successful security program requires significant planning and consistent execution. You cannot afford to focus only on the latest attack or incident (although you also need to do some of that), but must also also think and act strategically; here a programmatic approach offers huge dividends. If you really want to magnify your impact, you’ll need to move beyond tactical day-to-day security battles, and implement a program for both TI and security activities in general. Sharing The success of threat intelligence hinges upon organizations sharing information about adversaries and tactics, so everyone can benefit from surviving attacks. For years this information sharing seemed like an unnatural act to enterprises. A number of threat intelligence vendors emerged to fill the gap, gathering data from a variety of open and proprietary sources. But we see a gradual growth in willingness of organizations to share information with other organizations of similar size or within an industry. Of course threat information can be sensitive, so sharing with care and diligence are critical aspects of a threat intelligence program. The first decision point for sharing is to define the constituency to share information with. This can be a variety of organizations, including: ISAC: Many the larger industries are standing up their own Information Sharing and Analysis Centers (ISAC), either as part of an industry association or funded by the larger companies in the industry. These ISACs are objective and exist to provide a safe place to collect and share industry threat information, and also offer value-added data analysis. If there is an ISAC for your industry,

Most organizations have realized that threat prevention has limitations, so we have seen renewed focus on threat detection. But like most other security markets, the term threat detection has been distorted to cover almost everything. So we figure it’s time to clarify what threat detection is and how it is evolving to deal with advanced attacks, sophisticated adversaries, and limited resources.   From the paper: Not to worry – we haven’t become the latest security Chicken Little, warning everyone that the sky is falling. Mostly because it fell a long time ago, and we have been picking up the pieces ever since. It can be exhausting to chase alert after alert, never really knowing which are false positives and which indicate real active adversaries in your environment. Something has to change. We need to advance the practice of detection, to provide better and more actionable alerts. This requires thinking more broadly about detection, and starting to integrate the various different security monitoring systems in use today. Our Threat Detection Evolution paper starts by reviewing security data collection, including both internal and external data sources that can facilitate detection efforts. Next we discuss how to use that data ti reliably figure out what is an attack. We wrap up by going through th process, using a quick wins scenario to show the concepts in action. We would like to thank AlienVault for licensing the content in this paper. Our unique Totally Transparent Research model allows us to do objective and useful research and still make ends meet, so you should thank them too. The landing page for the paper is here. Direct download: Threat Detection Evolution (PDF) Share:

We are pleased to announce the launch of our latest research paper, on Building Security Into DevOps. We expect DevOps to fundamentally change the practice of software development over the next decade, and with it how we handle application security. From the report: The following graphic reflects our conversations, with development and security practitioners, on where they are successfully deploying security testing tools in a DevOps framework. The callouts map the types of tests being conducted at specific phases of CI & CD. Keep in mind that it’s early days for DevOps and the orchestration of security tools – basically what works where – is far from settled. More importantly, many security tools were built before these concepts of rapid and automated deployment existed; older products are too slow, some could not focus their tests on new code, and still others did not offer API support. Which is another way of saying not all tools are created equal, so you’ll need to evaluate for both performance and API integration capabilities as well as code coverage capabilities.   A special thanks to Veracode for licensing this content. As usual everything was written completely independently, using our Totally Transparent Research process. It is only thanks to licenses that we are able to give this research away free. You can download a free copy of the white paper in our research library, or grab a copy directly: Building Security Into DevOps (PDF). Share:

As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort. From a business perspective, it’s a pretty good time to be in the security industry. You have seen a slowdown in our blog activity over the past couple months because our business continues to evolve and we’ve been doing a lot more work out of the public eye. We’ve been called in to do a lot more strategic advisory, and we’re even starting to do security architecture work for some enterprise organizations, typically around cloud initiatives. We’re also increasingly being called into diligence efforts for companies considering acquisitions, and investors considering putting large sums of money to work in this space. These are pretty intense gigs and that usually means more external projects lag a bit. We also aren’t sure how long the good times will continue to roll, so we usually jump on diligence projects. Personally, suffice it to say things are substantially different for me, though I’m not going to go into detail at this point. Different is scary for most people, but I’ve always embraced change, so my challenge is more about having the patience to let the world around me adapt. My kids continue to amaze me with how they are growing into fantastic people, and this past year they’ve navigated new schools and additional workload with minimum drama and angst. You can’t entirely avoid drama and angst (not as a teenager anyway), but their Mom and I are proactive about making them aware of the drama. Physically I’m still working my program, running two half marathons and continuing my yoga practice. I’m making many new friends who provide different perspectives on life, and I’ve been able to fulfill a need for social activity I didn’t even know I had. As I look back at 2015, I realize that the signs of significant disruption were there both personally and professionally. It has been a long road, and I finally feel that my world is opening up and I’m moving toward my potential, away from my self-imposed limitations. I’m really excited for what’s next. All is see ahead is blue sky. As I wrap up the Incite next week, I’ll ruminate a little into what the path ahead looks like. –Mike Photo credit: “Emu (Dromaius novaehollandiae) looking backwards at Auckland Zoo” from Wikimedia Commons The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building Security into DevOps The Role of Security in DevOps Tools and Testing in Detail Security Integration Points The Emergence of DevOps Introduction Building a Threat Intelligence Program Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development The Future of Security Incite 4 U R marks the spot: NetworkWorld ran a great article examining how the Verizon Data Breach report folks use R to do the analysis and generate the charts in their widely read report. I personally haven’t played with statistical programs since I was in college, but there is an increasing need for math people (although we call them data scientists now) to perform the analysis to mine through all of that security data and figure out what’s going on. I tell many younger folks, who ask what they should focus on, to dust off their programming/scripting skills – security automation is coming. The other thing I now suggest is for the math-inclined to study a lot more statistics and get to know these kinds of tools. The future is here and it seems to require math (so says the writer). – MR Pre-owned: If you’re wondering how the credit card you just got two weeks ago already got popped, here is on possible answer. Samy Kamkar demonstrated that AmEx-based new card numbers are predictably generated from the previous numbers allowing crackers to guess the number of the next card they issue you. If you’re an application developer, this is why you need to be careful with sequence generators – they tend

Rich, Mike, and Adrian highlight the big trends from the year and where our expectations were right and wrong. We teeter on the brink of predictions, but manage to pull ourselves back from falling into that chasm of idiocy. Mostly. We cover a fair bit of ground, but the main trends are the weirdnesses on the investment and M&A side of the security industry, breaches, the faster than expected adoption of cloud computing, and the changing regulatory environment. This is likely our last Firestarter for the year, and our posting volume will be lower as we all cram in those last few projects. We sincerely want to thank everyone watching and reading for your continued support. It lets us try out best to “do good work” while feeding our families. We are a very lucky band over here. Watch or listen: Share: