Research

Another SIEM blog series? Really? Why are we still talking about SIEM? Isn’t that old technology? Hasn’t it been subsumed by new and shiny security analytics products and services? Be honest – those thoughts crossed your mind, especially because we have published a lot of SIEM related research over the past few years. We previously worked through the basics of the technology and how to choose the right SIEM for your needs. A bit over a year ago we looked into how to monitor hybrid cloud environments. The fact is SIEM has become somewhat of a dirty word, but that’s ridiculous. Security monitoring needs to be a core, fundamental, aspect of every security program. SIEM – in various flavors, using different technologies and deployment architectures – is how you do security monitoring. So it’s not about getting rid of the technology – it’s more about how to get the most out of your existing investment, and ensuring you can handle the advanced threats facing organizations today. But we understand how SIEM got its bad name. Early versions of the technology were hard to use, and required significant integration just to get up and running. You needed to know what attacks you were looking for, and unfortunately most adversaries don’t send attack playbooks ahead of time. Operating an early SIEM required a ninja DBA, and even then queries could take hours (or days for full reports) to complete. Adding a new use case with additional searches and correlations required an act of Congress and a truckload of consultants. It’s not surprising organizations lost their patience with SIEM. So the technology was relegated to generating compliance reports and some very simple alerts, while other tools were used to do ‘real’ security monitoring. But as with most other areas of security technology, SIEM has evolved. Security monitoring platforms now support a bunch of additional data types, including network packets. The architectures have evolved to scale more efficiently and have integrated fancy new ‘Big Data’ analytics engines to improve detection accuracy, even for attacks you haven’t seen before. Threat intelligence is integrated into the SIEM directly, so you can look for attacks on other organizations before they are launched at you. So our new SIEM Kung Fu series will streamline our research to focus on what you need to know to get the most out of your SIEM, and solve the problems you face today by increasing your capabilities (the promised Kung Fu). But first let’s revisit the key use cases for SIEM and what is typically available out of the box with SIEM tools.     Alerting The original use case for SIEM was security alert reduction. IDS and firewall devices were pumping out too many alerts, and you needed a way to figure out which of them required attention. That worked for a little while, but then adversaries got a lot better and learned to evade many of the simple correlations available with first-generation SIEM. Getting actionable alerts from your SIEM is the most important use case for the technology. Many different techniques are used to detect these attacks. You can hunt for anomalies that kinda-sorta look like they could be an attack or you can do very sophisticated analytics on a wide variety of data sources to detect known attack patterns. What you cannot do any more is depend on simple file-based detection, because modern attacks are far more complicated. You need to analyze inbound network traffic (to find reconnaissance), device activity (for signs of compromise), and outbound network traffic (for command and control / botnet communications) as well. And that’s a simplified view of how a multi-faceted attack works. Sophisticated attacks require sophisticated analysis to detect and verify. Out of the box a SIEM offer a number of different patterns to detect attacks. These run the gamut from simple privilege escalation to more sophisticated botnet activity and lateral movement. Of course these built-in detections are generic and need to be tuned to your specific environment, but they can give you a head start for finding malicious activity in your environment. This provides the quick win which has historically eluding many SIEM projects, and builds momentum for continued investment in SIEM technology. SIEM technology has advanced to the point where it can find many attacks without a lot of integration and customization. But to detect advanced and targeted attacks by sophisticated adversaries, a tool can only get you so far. You need to evolve how you use security monitoring tools. You cannot just put a shiny new tool in place and expect advanced adversaries to go away. That will be our area of focus for the later posts in this series. Forensics Once you have determined an attack is under way – or more accurately, once you have detected one of the many attacks happening in your environment – you need to investigate the attack and figure out the extent of the damage. We have documented the incident response process, especially within the context of integrating threat intelligence, and SIEM is a critical tool to aggregate data and provide a platform for search and investigation. Out of the box a SIEM will enable responders to search through aggregated security data. Some tools offer visualizations to help users see anomalous activity, and figure out where certain events happened in the timeline. But you will still need a talented responder to really dig into an attack and figure out what’s happening. No tool can take an incident response from cradle to grave. So the SIEM is not going to be the only tool your incident responders use. But in terms of efficiently figuring out what’s been compromised, the extent of the damage, and an initial damage assessment, the SIEM should be a keystone of your process. Especially given the ability of a SIEM to capture and analyze network packets, providing more granularity and the ability to build a timeline of what really happened during the attack. Compliance Finally, the SIEM remains instrumental for generating compliance reports, which are still a

The last time I took 2 weeks off was probably 20 years ago. As I write that down, it makes me sad. I’ve been been running pretty hard for a long time. Even when I had some forced vacations (okay, when I got fired), I took maybe a couple days off before I started focusing on the next thing. Whether it was a new business or a job, I got consumed by what was next almost immediately. I didn’t give myself any time to recharge and heal from the road rash that accumulated from one crappy job after another. Even when things are great, like the past 6 years working with Rich and Adrian, I didn’t take a block of time off. I was engaged and focused and I couldn’t wait to jump into the next thing. So I would. I spent day after day during the winter holidays as the only person banging away at their laptop at the coffee shop while everyone else was enjoying catching up with friends over Peppermint Mocha lattes. recharge I rationalized that I could be more productive because my phone wasn’t ringing off the hook and I wasn’t getting my normal flow of email. There wasn’t much news being announced and my buddies weren’t blogging at all. So I could just bang away at the projects I didn’t have time for during the year. Turns out that was nonsense. I was largely unproductive during winter break. I read a lot, spent time thinking, and it was fine. But it didn’t give me a chance to recharge because there was no separation. The truth is I didn’t know how to relax. Maybe I was worried I wouldn’t be able to start back up again if I took that much time away. It turns out the projects that didn’t get done during the year didn’t get done over break because I didn’t want to do them. So they predictably dragged on through winter break and then into the next year. That changed this year. I’m just back from two weeks pretty much off the grid. I took a week away with my kids. We went to Florida and checked out a Falcons game in Jacksonville, the Kennedy Space Center in Cape Canaveral, and Universal Studios in Orlando. We were able to work in some family time in South Florida for Xmas before heading back to Atlanta. I stayed on top of email, but only to respond to the most urgent requests. All two of them. I didn’t bring my laptop, so if I couldn’t take care of it on my iPad, it wasn’t getting done. Then I took a week of adult R&R on the beach in Belize. I’m too cheap to pay for international cellular roaming, so my connectivity was restricted to when I could connect to crappy WiFi service. It was hard to check email or hang out in our Slack room during a snorkeling trip or an excursion down the Monkey River. So I didn’t. And the world didn’t end. The projects that dragged through the year didn’t get done. But they weren’t going to get done anyway and it was a hell of a lot more fun to be in Belize than a crappy coffee shop pretending to work. I came back from the time off recharged and ready to dive into 2016. We’ve got a lot of strategic decisions to make as the technology business evolves towards cloud-everything and we have to adapt with it. I don’t spend a lot of time looking backwards and refuse to judge myself for not unplugging for all those years. But I’ll tell you, there will be more than one period of time where I’ll be totally unplugged in 2016. And I’ll be a hell of a lot more focused and productive when I return. –Mike Photo credit: “Recharging Danbo Power” from Takashi Hososhima The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Cloud vs. on-prem. Idiotic discussions continue: Do me a favor and don’t read this article trying to get to the bottom of whether the public cloud or on-prem

In last week’s Incite I looked backwards at 2015. As we close out this year (this will be the last Incite in 2015), let me take a look forward at what’s in store for 2016. Basically I don’t have any clue. I could lie to you and say I’ve got it all figured out, but I don’t. I fly by the seat of my pants pretty much every day of my life. And any time I think I have things figured out, I get a reminder (usually pretty harsh) that I don’t know squat. One thing I’m comfortable predicting is that things will be changing. Because they always do. Some years the change is very significant, like in 2015. Other years less so. But all the same, change is constant in my world. We’re going to do some different things at Securosis next year. We are very pleased with how we have focused our research toward cloud security, and plan to double down on that in 2016. We’ll roll out some new offerings, though I’m not exactly sure when or what they’ll be. We have a ton of ideas, and now we have to figure out which of them make the most sense, because we have more ideas than time or resources. Rich, Adrian, and I will get together in January and make those decisions – and it will involve beer. Personally, I’ll continue my path of growth because well, growth. That includes trying new things, traveling to new places, and making new friends. I’m not going to set any goals besides that I want to wake up every morning, maintain my physical health, and continue my meditation and spiritual practices. My kids are at an age where they need my presence and guidance, even though they will likely not listen, because teenagers know everything. Which basically means I’ll also need to be there to pick them up when they screw things up (and they will), and try to not say I told you so too many times. I’ll also tell my story of transformation through the year. I’m not ready to do that yet, but I will because it’s an interesting story and I think it will resonate with some of you. It also ensures that I will remember as time marches on. I spent some time earlier in the year reading through old Incites and it was a great reminder of my journey. Overall I’m very excited about 2016 and continuing to live with a view toward potential and not limitations. I’m focused on making sure those I love know they are special every single day. I’m committed to being happy where I am, grateful for how I got here, and excited for what is to come. I’ll ring in the New Year in a tropical paradise, and play the rest by ear. All of us at Securosis are grateful for your support, and we wish you a healthy and happy 2016. –Mike Photo credit: “looking forward to” from Elizabeth M The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building a Threat Intelligence Program Success and Sharing Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Threat Detection Evolution Building Security into DevOps Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security The Future of Security Incite 4 U Good deed for the holidays: You too can help make software security better! OWASP, the Open Web Application Security Project, is developing a new set of secure coding guidelines for software developers. This document will be a great aid to developers who want to get up to speed on secure coding. It offers a succinct set of code examples – in most of the widely used programming languages – which address the top ten security coding flaws. And what developer doesn’t love easy to understand code examples? But wait, there’s more! This effort is truly open, so you get to participate in building the guidelines: the document I referenced is open for public comments and direct editing! So if you think the document is missing something, or there are better examples to be offered, or you think something is wrong, you can improve it. Do a good deed for the holidays and contribute. – AL Happy Holidays. Let’s make some crap up… It’s the holiday season. So obviously we will be subjected to everyone’s predictions of what’s in store for 2016. As you can tell from our last FireStarter of the year, we don’t buy into predictions. But the IDC folks don’t have any issue making things up. Their

To wrap up our series on Building a Threat Intelligence Program (Introduction; Gathering TI; Using TI), we need to jump back to the beginning for a bit. How do you define success of the program? More importantly, how can you kickstart the program with a fairly high-profile success to show the value of integrating external data into your defenses, and improve your security posture? That involves getting a quick win and then publicizing it. Quick Win The lowest-hanging fruit in threat intel is using it to find an adversary already in your environment who you didn’t know about. Of course it would be better if you didn’t have an active adversary within your defenses, but that is frankly an unlikely scenario. The reality is that some devices in your environment are already compromised – it’s a question of whether you know about them. You are already doing security monitoring (you can thank compliance for that), so it’s just a matter of searching your existing repository of security data for indicators from your threat feeds. Any log aggregation or SIEM platform will perform a search like this. Of course it’s a manual process, and that’s fine for right now – you’re just looking for a quick win. Once you complete the search one of two things happens. Perhaps you found an active adversary you didn’t know about. You can drop the proverbial mic at this point – you have proven the value of external threat intel clearly. But before you spend a lot of time congratulating yourself, you have an incident response to get moving. Obviously you’ll document it, and be able to tell a compelling story of how TI was instrumental in identifying the attack earlier than you would have discovered it otherwise. If you don’t find a smoking gun you’ll need to be a little more creative. We suggest loading up a list of known bad IP addresses into your egress firewall and looking for the inevitable traffic to those sites, which may indicate C&C nodes or other malicious activity. The value isn’t as pronounced as finding an active adversary, but it illustrates your new ability to find malicious traffic sooner using a TI feed. Keep in mind that the Quick Win is just that. It’s shows short-term value for an investment in threat intel. This can (and should) take place within any proof of concept you run with TI vendors during procurement. If you aren’t getting immediate value, either you are using the wrong data source and/or tool, or you already had a strong security posture and will likely get better short-term value from another project. Sustained Success We didn’t call this series “Getting a Quick Win with TI”, so we need to expand our aperture a bit and focus on turning the quick win into sustainable success. Of course you accomplish this by examining your process from a process-centric perspective. There are three main aspects of building out the program from the success of a quick win: Operationalizing TI: We covered this in depth in our last post on Using TI. We suggest starting by integrating the TI into your security monitoring environment. Once that is operational you can add additional use cases, such as integrating into your perimeter gateways and egress filters for proactive blocking, as well as leveraging the data within your incident response process. Evaluating TI Sources: This is a key aspect of optimizing your program. You cannot just assume the data source(s) you selected now will provide the same impact over time. Things change, including adversaries and TI providers. You are under constant scrutiny for how your security program is performing, so your TI vendors (actually all your vendors) will be under similar scrutiny. You should be able to close the loop by tracking TI, to alerts, to blocked or identified attacks, by instrumenting your security environment to track this data. Some commercial TI platforms offer this information directly, but alternately you could build it into your SIEM or other controls. Selling the Value: Senior executives, including your CIO, have a lot of things to deal with every day. You cannot count on them remembering much beyond the latest fire to appear in the inbox today. So you need to systematically produce reports that show the value of TI. This should be straightforward, usings your instrumentation for evaluating TI sources. This is another topic to cover in your periodic meetings with senior management. Especially when the renewal is coming up and you need to keep the funding. Executing on a successful security program requires significant planning and consistent execution. You cannot afford to focus only on the latest attack or incident (although you also need to do some of that), but must also also think and act strategically; here a programmatic approach offers huge dividends. If you really want to magnify your impact, you’ll need to move beyond tactical day-to-day security battles, and implement a program for both TI and security activities in general. Sharing The success of threat intelligence hinges upon organizations sharing information about adversaries and tactics, so everyone can benefit from surviving attacks. For years this information sharing seemed like an unnatural act to enterprises. A number of threat intelligence vendors emerged to fill the gap, gathering data from a variety of open and proprietary sources. But we see a gradual growth in willingness of organizations to share information with other organizations of similar size or within an industry. Of course threat information can be sensitive, so sharing with care and diligence are critical aspects of a threat intelligence program. The first decision point for sharing is to define the constituency to share information with. This can be a variety of organizations, including: ISAC: Many the larger industries are standing up their own Information Sharing and Analysis Centers (ISAC), either as part of an industry association or funded by the larger companies in the industry. These ISACs are objective and exist to provide a safe place to collect and share industry threat information, and also offer value-added data analysis. If there is an ISAC for your industry,

Most organizations have realized that threat prevention has limitations, so we have seen renewed focus on threat detection. But like most other security markets, the term threat detection has been distorted to cover almost everything. So we figure it’s time to clarify what threat detection is and how it is evolving to deal with advanced attacks, sophisticated adversaries, and limited resources.   From the paper: Not to worry – we haven’t become the latest security Chicken Little, warning everyone that the sky is falling. Mostly because it fell a long time ago, and we have been picking up the pieces ever since. It can be exhausting to chase alert after alert, never really knowing which are false positives and which indicate real active adversaries in your environment. Something has to change. We need to advance the practice of detection, to provide better and more actionable alerts. This requires thinking more broadly about detection, and starting to integrate the various different security monitoring systems in use today. Our Threat Detection Evolution paper starts by reviewing security data collection, including both internal and external data sources that can facilitate detection efforts. Next we discuss how to use that data ti reliably figure out what is an attack. We wrap up by going through th process, using a quick wins scenario to show the concepts in action. We would like to thank AlienVault for licensing the content in this paper. Our unique Totally Transparent Research model allows us to do objective and useful research and still make ends meet, so you should thank them too. The landing page for the paper is here. Direct download: Threat Detection Evolution (PDF) Share:

We are pleased to announce the launch of our latest research paper, on Building Security Into DevOps. We expect DevOps to fundamentally change the practice of software development over the next decade, and with it how we handle application security. From the report: The following graphic reflects our conversations, with development and security practitioners, on where they are successfully deploying security testing tools in a DevOps framework. The callouts map the types of tests being conducted at specific phases of CI & CD. Keep in mind that it’s early days for DevOps and the orchestration of security tools – basically what works where – is far from settled. More importantly, many security tools were built before these concepts of rapid and automated deployment existed; older products are too slow, some could not focus their tests on new code, and still others did not offer API support. Which is another way of saying not all tools are created equal, so you’ll need to evaluate for both performance and API integration capabilities as well as code coverage capabilities.   A special thanks to Veracode for licensing this content. As usual everything was written completely independently, using our Totally Transparent Research process. It is only thanks to licenses that we are able to give this research away free. You can download a free copy of the white paper in our research library, or grab a copy directly: Building Security Into DevOps (PDF). Share:

As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort. From a business perspective, it’s a pretty good time to be in the security industry. You have seen a slowdown in our blog activity over the past couple months because our business continues to evolve and we’ve been doing a lot more work out of the public eye. We’ve been called in to do a lot more strategic advisory, and we’re even starting to do security architecture work for some enterprise organizations, typically around cloud initiatives. We’re also increasingly being called into diligence efforts for companies considering acquisitions, and investors considering putting large sums of money to work in this space. These are pretty intense gigs and that usually means more external projects lag a bit. We also aren’t sure how long the good times will continue to roll, so we usually jump on diligence projects. Personally, suffice it to say things are substantially different for me, though I’m not going to go into detail at this point. Different is scary for most people, but I’ve always embraced change, so my challenge is more about having the patience to let the world around me adapt. My kids continue to amaze me with how they are growing into fantastic people, and this past year they’ve navigated new schools and additional workload with minimum drama and angst. You can’t entirely avoid drama and angst (not as a teenager anyway), but their Mom and I are proactive about making them aware of the drama. Physically I’m still working my program, running two half marathons and continuing my yoga practice. I’m making many new friends who provide different perspectives on life, and I’ve been able to fulfill a need for social activity I didn’t even know I had. As I look back at 2015, I realize that the signs of significant disruption were there both personally and professionally. It has been a long road, and I finally feel that my world is opening up and I’m moving toward my potential, away from my self-imposed limitations. I’m really excited for what’s next. All is see ahead is blue sky. As I wrap up the Incite next week, I’ll ruminate a little into what the path ahead looks like. –Mike Photo credit: “Emu (Dromaius novaehollandiae) looking backwards at Auckland Zoo” from Wikimedia Commons The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Dec 8 – 2015 Wrap Up and 2016 Non-Predictions Nov 16 – The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building Security into DevOps The Role of Security in DevOps Tools and Testing in Detail Security Integration Points The Emergence of DevOps Introduction Building a Threat Intelligence Program Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development The Future of Security Incite 4 U R marks the spot: NetworkWorld ran a great article examining how the Verizon Data Breach report folks use R to do the analysis and generate the charts in their widely read report. I personally haven’t played with statistical programs since I was in college, but there is an increasing need for math people (although we call them data scientists now) to perform the analysis to mine through all of that security data and figure out what’s going on. I tell many younger folks, who ask what they should focus on, to dust off their programming/scripting skills – security automation is coming. The other thing I now suggest is for the math-inclined to study a lot more statistics and get to know these kinds of tools. The future is here and it seems to require math (so says the writer). – MR Pre-owned: If you’re wondering how the credit card you just got two weeks ago already got popped, here is on possible answer. Samy Kamkar demonstrated that AmEx-based new card numbers are predictably generated from the previous numbers allowing crackers to guess the number of the next card they issue you. If you’re an application developer, this is why you need to be careful with sequence generators – they tend

Rich, Mike, and Adrian highlight the big trends from the year and where our expectations were right and wrong. We teeter on the brink of predictions, but manage to pull ourselves back from falling into that chasm of idiocy. Mostly. We cover a fair bit of ground, but the main trends are the weirdnesses on the investment and M&A side of the security industry, breaches, the faster than expected adoption of cloud computing, and the changing regulatory environment. This is likely our last Firestarter for the year, and our posting volume will be lower as we all cram in those last few projects. We sincerely want to thank everyone watching and reading for your continued support. It lets us try out best to “do good work” while feeding our families. We are a very lucky band over here. Watch or listen: Share:

With the holidays upon us, and the weather in Phoenix at that optimal temperature of 50F warmer than wherever people come from, the migration has begun. The snowbirds are back in Phoenix. And all my relatives want to visit. All pretty much at the same time. As I write this I am recovering from 20 contiguous days of four different groups of friends and relatives staying at my home. Overlapping, I might add. And it was glorious – it was great to see each and every one of them – but I heaved a great sigh of relief when the last party got onto a plane and flew back home. I think I have baked, roasted, toasted, and barbecued every type of food I know how to cook. I’ve been a tour guide across the state – twice over – showing off every interesting place within a three-hour drive. Today’s summary is a toast to all of you who survived Thanksgiving – I am thankful for many things, and I am also thankful this holiday is only once a year. Paul Ford has a thoughtful piece called I Dreamed of a Perfect Database. It nails down the evolutionary track of many of us, who have long straddled the database and software development worlds. As our needs changed there were grass-roots projects to make new types of databases – that did, well, whatever the heck we needed them to do. Cheaper and faster. More data, or maybe more types of data, or maybe a single specific type of data with functions optimized for it. There were some that performed analytics or cube analysis, and some that offered lightning fast in-memory lookups or graph data. We got self-healing, self-organizing, self-indexing clouds of data nodes, with whatever the heck we wanted sitting on top of them. When the Internet boom hit, Oracle was the database of choice. During this last cloudburst we got 250 flavors of NoSQL. But Paul’s dream is getting closer to reality. When you assemble Hadoop with a stack of add on modules, namely Apache Spark, you get pretty close. Want SQL? OK, you can have it. Or MapReduce. Deep analytics or memory-resident lookups. You want it, you can have it. The point is that the demands on databases will always be in flux. Performance and scalability have always been core needs, but how we want to use data will continue to morph. The current generation of databases, typically based off Hadoop, are veritable Swiss Army knives, to be formed and customized as we need them. There has never been a better time to be a database developer! If you run a bug bounty program you know there is a lot more to it than Most people consider when they start. Randy Westergren’s post on his experience with the United Airlines Bug Bounty Program offers some insight into what can happen. For example, when multiple researchers find the same critical flaw, the researchers who do not get paid can – and likely will – go public. Sure, this is bad behavior by the researcher. Your legal team can try to stop it, but you need to plan for this situation before it comes up. Second, it is amazing to me that what in-house developers consider a suitably fast release date for vulnerabilities; but it is often totally unacceptable to the research community. Both are developers by nature, but to one party three months is lightning fast. The other considers that criminally dangerous. You’ll need to set expectations going in. United Airlines was communicative, but in today’s world six months to patch is an eternity. Virtual patching techniques, API gateways, and Continuous Deployment techniques allow many organizations to deal with these issues far more quickly. A bug bounty program is a great way to leverage the community of experts to help you find flaws your in-house team might never discover, but you need to have this effort fully planned out before you start. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on automotive ‘cyber security’ Gunnar’s Security Champions Guide to Web Application via Akamai. Other Securosis Posts Incite 12/2/2015: Grateful Habits. Summary: Boy in the Bubble. Cloud Security Best Practice: Limit Blast Radius with Multiple Accounts. The Blame Game. Summary: Refurbished. Critical Security Capabilities for Cloud Providers. Massive, Very Bad Java 0-Day (and, Sigh, Oracle). Favorite Outside Posts Adrian Lane: Microsoft’s New Threat Modeling Tool. This post is a couple weeks old but I forgot to mention it. Microsoft added tools to their threat modeling approach to catch errors earlier in the process. We talk about the need to find vulnerabilities earlier in the process, and MS is helping to do just that. Mike Rothman: Think Security is Expensive, Insecurity Costs Much More: It’s a hard thing to justify spending on security; this article makes the point that you should do it right the first time. And I’ll even give Tony a pass for mentioning Ponemon. The general point is good. Chris Pepper: Man Uses LifeLock To Track Ex-Wife; Company Didn’t Care Research Reports and Presentations Pragmatic Security for Cloud and Hybrid Networks. EMV Migration and the Changing Payments Landscape. Network-based Threat Detection. Applied Threat Intelligence. Endpoint Defense: Essential Practices. Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications. Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Top News and Posts Mozilla’s Improving Revocation: OCSP Must-Staple and Short-lived Certificates Mark Cuban slams SEC for blocking email privacy reform effort Java 0-day shocker VTech Hack Seven Tips for Personal Online Security DHS Giving Firms Free Penetration Tests Worldwide Cryptography Product Survey Criminals steal $4 million in cash with novel ‘reverse ATM’ attack Share:

A week ago most folks in the US were in food comas from the Thanksgiving feast. Of course this is a great time of year to be grateful for what you have. Whether it’s family, health, work, or anything else. This morning I got a great reminder that expressing gratitude is a habit, which requires daily work – especially for security people. I was doing a speaking gig for a client in Atlanta, and I ran into an old friend who traveled in for the seminar. We were catching up and he mentioned how busy he was and that it was a bit overwhelming. I jumped right in because we at Securosis are pretty busy ourselves. But then I got a flash of awareness and decided I had to break the cycle. I specifically asked whether he remembered 10 years ago when no one cared about security? I certainly do. A lot of you (like Rich, Adrian, and myself) did security before security was cool. You remember talking to blank stares when evangelizing the importance of security. You remember cleaning the same malware off the same person’s device, over and over again, because they just couldn’t understand why they can’t click ads on questionable sites. You also remember looking for a new job when the senior team needed a scapegoat after yet another breach, after they didn’t listen to what you said the first time. It’s a different situation now. Many folks still don’t understand what they need to do, but they don’t really argue about the importance of security any more. Most of us have a bigger issue finding talent to fill open positions, rather than making the case for why any security people are needed. These are things to be grateful for. It turns out that a little gratitude leads to a lot. So if you have any interest, don’t just think about being thankful around the holidays. Start the day by making a list of 2 or 3 things you are grateful for every day. It’s hard to get into the right mindset to get things done, when you wake up overwhelmed by the amount of stuff that needs to get done. So break that cycle too. Think about what’s working in your life. It doesn’t have to be a lot. Just a little thing. Take a small step toward feeling gratitude every day. I do this consistently, every day. It puts me in the right frame of mind. I’m thankful for so many things, but none more than the habits I have established over the past few years, which have made a huge difference in my life. –Mike The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. Nov 16 — The Blame Game Nov 3 – Get Your Marshmallows Oct 19 – re:Invent Yourself (or else) Aug 12 – Karma July 13 – Living with the OPM Hack May 26 – We Don’t Know Sh–. You Don’t Know Sh– May 4 – RSAC wrap-up. Same as it ever was. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler December 18 – Predicting the Past November 25 – Numbness Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building Security into DevOps The Role of Security in DevOps Tools and Testing in Detail Security Integration Points The Emergence of DevOps Introduction Building a Threat Intelligence Program Using TI Gathering TI Introduction Network Security Gateway Evolution Introduction Recently Published Papers Pragmatic Security for Cloud and Hybrid Networks EMV Migration and the Changing Payments Landscape Applied Threat Intelligence Endpoint Defense: Essential Practices Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development The Future of Security Incite 4 U Can security be fixed? Is it broken? I’ve gotta send a hat tip to my friend Don, who pointed out this article on TechCrunch explaining how Humility, Accountability And Creative Thinking Can Fix IT Security. Really? A lot of the security folks I know are pretty humble and creative. It’s not like they sit around and talk about how great they are while the city is burning. But aside from the clickbait title, there are some decent points in that post. I especially like the idea of killing silver bullet syndrome. There is no single answer for dealing with sophisticated adversaries. I also agree that security will need to evolve as the cloud and mobility continue to take root. Inflection anyone? The article also points out the need to share information, and that’s all about Threat Intelligence. But I still push back on the contention that security is broken. It’s not broken, because that supposes that it can be fixed. I posit that you don’t win security – you just survive to fight another day. – MR Student jobs: It appears the FBI is funding security vulnerability research; not for bug bounties, but to conduct surveillance. Recently they paid University students to hack Tor networks so they could inspect Tor traffic and de-anonymize Tor users. The FBI’s disclosed target could have been tracked financially, and Tor offers law enforcement other means to locate users, which implies (shockingly) their goal was something more than