Securosis

Research

Yes Chris, It’s a Circle Jerk of Pain

Hoff owned me. In an email he claimed he pwned me, but he totally didn’t earn that p. Apparently I’m slightly late to the game in talking about hyperjackstacks (we’re back on virtualization, in case I lost you). That’s something I’m totally willing to concede, especially since I’m more of a data and applications guy. Chris agrees that this is an important issue, but then asks: Ultimately though, I think that the point of response boils down to the definition of the mechanisms used in the detection of a malicious VMM/HV. I ask you Rich, please define a “malicious” VMM/HV from one steeped in goodness. Umm, one that does bad stuff? Like sniff data, mess with things? Du o, I’m a little buzzed right now from some good organic wine. Thomas explained things a little better and I think we hit a bit of agreement. Basically, the concern is that if someone compromises the hypervisor somehow, they can do all sorts of badness. Thomas, in the comments to his post, shows how one potential solution is to nudge the hypervisor aside and run checks against it (while you’re unvirutalized, I just made up a word). But I think the real solution is something Hoff mentions that I also mentioned in my post, albeit without the proper name: Intel TXT ensures that virtual machine monitors are less vulnerable to attacks that cannot be detected by today’s conventional software-security solutions. By isolating assigned memory through this hardware-based protection, it keeps data in each virtual partition protected from unauthorized access from software in another partition. Yep- dump the problem to hardware. I think that’s where we’re headed, so all this debate serves as a friendly reminder to our big chip manufacturing brethren that probably don’t pay attention to any of our blogs. But then the bad guys will compromise the hardware, and we’ll defend against that, and then… you get the circle jerk of pain reference yet? Like everything, it’s always an arms race. Good news is I think this is one of the more manageable problems we face, and the work of Thomas and Joanna will go a long way towards nudging the vendors to reduce our pain. Can I talk about DLP again now? Share:

Share:
Read Post

New Feature: LiveChat

Got questions? Think I might know the answer? Just bored and need someone to pretend to be your friend? All you have to do is look on the sidebar and click on the LiveChat link. If you’re running AIM, that will connect you to the account I’ve set up to support the site. This is a bit of an experiment and feedback is welcome. If you aren’t running AIM, let me know in the comments what IM provider you prefer. And no, I won’t pretend to be… something… to satisfy any of your twisted fantasies. This is for security stuff only, okay? Share:

Share:
Read Post

DLP Is A Feature, CMF (Or Whatever We’ll Call It) Is A Solution

Here I am, just off the bench after six months of watching from the sidelines, and when I’m still two feet away from the darn batter’s box Hoff lets loose with a hundred mile per hour fastball right at my head. Thanks Chris, it’s not like you didn’t know exactly when I’d be back at bat. I really suggest you go read both of Chris’ posts, but here’s a snippet so I have something to work off of: Known by many names, what I describe as content monitoring and protection (CMP) is also known as extrusion prevention, data leakage or intellectual property management toolsets. I think for most, the anchor concept of digital rights management (DRM) within the Enterprise becomes glue that makes CMP attractive and compelling; knowing what and where your data is and how its distribution needs to be controlled is critical. The difficulty with this technology is the just like any other feature, it needs a delivery mechanism. Usually this means yet another appliance; one that’s positioned either as close to the data as possible or right back at the perimeter in order to profile and control data based upon policy before it leaves the “inside” and goes “outside.” I made the point previously that I see this capability becoming a feature in a greater amalgam of functionality; I see it becoming table stakes included in application delivery controllers, FW/IDP systems and the inevitable smoosh of WAF/XML/Database security gateways (which I think will also further combine with ADC’s.) I see CMP becoming part of UTM suites. Soon. First a little bad news; I mostly agree with Hoff, and this is such a big subject I’m only going to cover part of it today. Consider this the first part of a multipart series on DLP/CMF/CMP. Today I’ll cover a little bit of history and what I look for when figuring out if the latest widget is just a feature of something else, or likely to be a stand alone solution. What most people call DLP started about 5-6 years ago as an extra feature of about the only Acceptable Use Enforcement product on the market- Vericept. Vericept monitored network communications, mostly as a sniffer near the gateway, to detect things like porn, gambling, sexual harassment, and “hacker” research. A lot of people tried to position it as a network forensics tool, but instead of full packet capture it just looked for policy violations and recorded that traffic. It also came with usable business reports, not just lists of IP addresses and packets. Vericept could also detect things like credit card and social security numbers leaving the organization. Vontu, Vidius (later PortAuthority and now Websense), and Tablus started becoming more visible, each with their own somewhat unique approach to the problem. Vontu cleaned up in the early years by really focusing on the business problem of preventing data leaks and building a tool the business guys could grok. Once Reconnex, Fidelis, and a few others appeared the marketing machines really started cranking and bringing more attention to the entire space. In 2005 Vontu had a big lead in a small market, but the competition learned fast and became MUCH more competitive in 2006, after more than a few management changes. Early on we had a hard time naming this space. Not just us analyst types, but the vendors themselves. I even had a phone call with two of the bigger ones in 2003 or 2004 where myself and two competitive marketing managers tried to hash it out. I went with the term “Content Monitoring and Filtering” because I felt the core technology was about a lot more than just leak prevention. New technologies pop up all the time and sometimes it’s hard to figure out which will succeed, fail, or succeed as part of something else. I ask one simple question to place my bets on something being a feature vs. a solution: What’s the business problem, and does the technology solve it? If not, what percentage of the problem does it solve? Okay, I cheat, because this is hard. Something like, “it blocks USB ports” isn’t a business problem; at least not with a capital B. This is also where we tend to see all the BS business-speak like “holistic” and “synergy”. I should probably do some posts just on this alone, so let’s look at DLP. The business problem for DLP is, “tell me where my sensitive information is and help me protect it”. Chris is correct- Data Loss Prevention is just a feature focused on one part of the problem. Monitoring data moving through the perimeter is a throwaway. The DRM part, which all DLP solutions will eventually include, is also a throwaway; let someone else do that part. Content scanning and classification for storage, email integration, internal network monitoring, and so on are all just features somebody can put into something else. The product, and I really like Chris’s Content Monitoring and Protection term, is the policy management server, content analysis, and workflow and reporting tool. It’s the central console for managing all these enforcement points that will be part of UTM, endpoints, and everything else. Today the “DLP” vendors need to build most of this themselves since it’s hard to sell a product when you have to tell your client to buy 20 other components from other vendors. This isn’t part of UTM because the people setting the policies for content and dealing with enforcement aren’t the same as those dealing with inbound threats. This isn’t part of Application Firewalls, Application Delivery Controllers, or database security gateways because those are also managed by different teams, with different responsibilities. Actually, those tools are going to consolidate into a database and application security stack, while DLP evolves into a Content Monitoring and Protection solution. We’re solving the problem of identifying and protecting sensitive content being used by our employees (and other insiders). Those responsible for solving this problem often include non-technical types like corporate legal, risk, and compliance. The problem is different

Share:
Read Post

Going Where the Weather Suits My Soul

If you’re reading this, I’m no longer a Gartner analyst. For the past 7 years or so I’ve had the best experience of my professional (and often personal) career. The product of a bad acquisition and short stint in consulting, Gartner gave a young unknown hothead the opportunity to become an industry analyst. I tried my best to run with it. Seems to have worked out okay. Gartner was an amazing experience; I learned more than I possibly imagined when I started, and any success I have in this industry is in large part the product of Big Daddy G. I learned everything from presentation and writing skills, to defending my analysis, to how to analyze in the first place. And that’s not including the massive amount of knowledge imparted by thousands of client conversations and (yes) vendor briefings. Gartner also showed me the world. Before G, I’d been to Mexico; now I’ve been to probably two dozen countries on every continent except Antarctica. I suppose some of you reading this expect me to be disgruntled, but aside from the usual gripes of any long-term employee I have nothing but good things to say. Gartner is as successful as they are for a reason. And no, I’m not just blowing smoke in case my future plans implode- it was a great job and a great company. So why am I leaving? I’m just too darn young and foolish. As positive an experience as Gartner has been, I feel like I’ve gone as far as I can as an analyst. I’m still young, don’t have kids yet, and if I’m going to take a risk now is the time. I’ve been feeling unchallenged and know there’s a lot more in this big world to experience. Back around February I decided to start poking around, but quickly realized there was no way to effectively job hunt while maintaining my integrity as an analyst. A little over 2 weeks ago, thanks to selling my old condo in Boulder, I found the financial freedom to take a little risk. I resigned without a parachute. As of this evening, I’m now out on my own as an independent consultant. I’m the founder, owner, and sole employee of Securosis, L.L.C. I don’t know exactly where all this will end up. Maybe I’ll get that perfect offer. Maybe I’ll stay independent. Long-term I just want to comfortably support my family, travel less, and Do Good Things. I have every intention on staying in the security industry- it’s worked since I was 18, why stop now? I don’t need the big score, just a good race. Thanks to some industry friends I already have some good contracts to start, and despite my initial fears feel pretty good that things are headed in the right direction. The best news (I hope) for you readers is that the blog is back! This time I’m only representing myself, and can write without restriction. I also plan on some other surprises, so stay tuned. It’s been a great run so far; I can’t wait to see what the second lap has to offer. (Post title inspired by Jimmy Buffet covering Harry Nilsson) Share:

Share:
Read Post

Australia Report: Now Tell Me Why We Can’t Have Healthcare Like This?

Like many frequent travelers, I tend to rely on sleeping pills to help me out with the jetlag. One 30 pill prescription for Ambien CR usually lasts me about 9 months, and definitely gets the job done. Unfortunately, it doesn’t make me any smarter. I accidentally left my little friends at my last hotel, and with a tight travel schedule there’s no way they’ll catch up to me. Fortunately, I’m in Australia. The concierge at the hotel pointed me to the doctor’s office across the street. I walked in and they apologized that there would be a long wait- maybe an entire 30 minutes. This is without an appointment people; my last personal doc usually kept me waiting AT LEAST that long even WITH an appointment. The appointment itself was short, but since I don’t have the national healthcare I had to pay for the visit and the prescription they gave me on the spot. Only $68 for the visit and pills, and it would have been free if I lived here. (Yes, this particular trip is nasty enough it was worth the price). This is the second time I’ve had to use the healthcare system while traveling here and my last experience was pretty much the same, except I was actually sick then. We watched Sicko a few weeks ago and it really hammered home how messed up our system is. Experiencing healthcare in other countries only reinforces our disfunction. Only 6 days till home! Share:

Share:
Read Post

Securosis- Now with SSL!

For those that are interested, you can now browse and post comments by going to https://securosis.com. The cert may show up at securiosis.com, which was the original (short lived) name of this domain. I’m working on getting that fixed. Please let me know if you experience any problems. I also tweaked a bunch of other settings and features on the site. Share:

Share:
Read Post

Oh, the Drama!

I’m on the 40 minute flight from Phoenix to Vegas for two back-to-back conferences any reader of this blog better already know about. As usual, the drama is already starting with rumors, innuendo, on-stage battles between presentations, the ever-elusive hunt for the next *-gate, and the always popular feats of strength. But I’m not going to talk about that. Drama is one of those nebulous concepts slightly more elusive than porn; sure, you know it when you see it, but unlike porn you have a hard time noticing when you’re in it. Let’s be honest, we’ve all been in the middle of more than a little drama in our lives. The problem with drama is that it doesn’t benefit anyone except the press, and maybe some sadistic bystanders. It certainly doesn’t benefit those involved. Drama raises emotions, lowers reason, and devastates credibility. It’s hard to take someone seriously when they get all “woe is me” on you. I remember one of the more dramatic incidents I responded to in an ambulance. A woman ran over a child outside of a school. She more just bumped the kid with a couple ton car than any actual running-over, and while serious, it was clear the kid was going to be okay. The woman? A friggin’ mess. Hysterical screaming, ranting, and full-body-rending spasms that completely distracted everyone from the kid on the ground who needed medical attention. That drama reduced the care the kid received, at least until we showed up, ended up requiring a second ambulance for the woman (not the cheapest mode of transport in the world), and did nothing but make a serious incident even worse. Another rescue drama was one of the more heart-wrenching calls I ever responded to, with a far worse outcome. I was responding on a mountain rescue call for someone lost in an avalanche. His hiking partner was a total freak-job, evading the truth (out of guilt) and recruiting his college friends to engage in their own private search (big no no). At one point I remember flying up a snow-covered trail, closed due to avalanche danger, in a Jeep driven by a park ranger with an even less-developed sense of self preservation than I have to help the Sheriff’s Officers remove the individual. In the end, the victim wasn’t in the avalanche and probably died of exposure a mile or so away before the first rescuer showed up. The drama of the survivor and his changing stories did nothing more than pull valuable resources from where they needed to be, and destroyed his credibility. To this day I’m convinced his ego killed his partner. Sure, these are extreme examples, but in each case those involved lost credibility and respect while distracting both bystanders and those there to fix the problems from the real issues. In a less-extreme example I’m still embarrassed for some of my own attempts for an Academy Award for Best Victim in a Drama for a couple of bad breakups in college. I let the drama take over, and to this day my friends still occasionally remind me of those antics when I need to be put in my place. Leave the drama for entertainment. When another industry engages in it, all it does is hurt the credibility of those directly involved, and anyone associated with them. It’s hard, but we need to sometimes divest ourselves of emotions and let the facts and events play themselves out. Share:

Share:
Read Post

Heading to Vegas Next Week

If you read this, you know why. Arriving Tuesday, departing Monday. Probably at Hotel Paris since I didn’t get my stuff together in time. Share:

Share:
Read Post

Things You Really Don’t Like To Hear

Dentist: You shouldn’t feel any pain. Me: Great. Dentist: Now close your eyes to keep the debris out. Me: What? Ah, yet another one of those painful maintenance tasks. The follow up instructions tell me no alcohol tonight, and no drinking from a straw. Which sucks, because that totally blows my usual Thursday night routine. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.