Research

Holy crap! The RSA Conference starts on Monday. Which means… you don’t have much time left to register for the 7th annual Disaster Recovery Breakfast.*   Once again we have to provide a big shout out to our DRB partners, MSLGROUP, Kulesa Faul, and LEWIS PR. We’re expecting a crapton of folks to show up at the breakfast this year, and without their support there would be no breakfast for you.   As always, the breakfast will be Thursday morning 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We will have food, beverages, and assorted recovery items (non-prescription only) to ease your day. See you there. To help us estimate numbers, please RSVP to rsvp (at) securosis (dot) com. *But don’t get nuts if you forget to RSVP – the bouncers will let you in… Right, there are no bouncers. Share:

As you’ve seen over the past week, we’ve been reposting our RSAC Guide here. That’s because the RSA Conference folks allowed us to post it on their blog first. Yes, they are nuts, but we aren’t going to complain. We also take all that raw content and format it into a snazzy PDF with a ton of meme goodness. So you can pop the guide onto your device and refer to it during the show. Without further ado, we are excited to present the entire RSA Conference Guide 2015 (PDF). Just so you can get a taste of the memish awesomeness of the published RSAC Guide, check out this image. Plenty of folks are first finding out about Securosis through the RSAC blog. So we figured it would be good to provide some perspective on what we do and how we do it.   Pontification FTW. And in case you want to check out the coverage area deep dives (which will go up on the Securosis blog next week), check out the RSAC blog posts: Overview Cloud Security Data Security Network Security Endpoint Security Identity and Access Management Security Management Share:

I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness. The theme of this year’s Disaster Recovery Breakfast is be careful what you wish for. For years we have wanted more internal visibility for security efforts. We wanted to engage with senior management about why security is important. We wanted to get more funding and resources to deal with security issues. But now it’s happening. CISO types are being called into audit committee meetings and to address the full board (relatively) frequently. Budget is being freed up, shaken loose by the incessant drone of the breach of the day. We wanted the spotlight and now we have it. Oh crap.   And investors of all shapes and sizes want a piece of cybersecurity. We’ve been engaged in various due diligence efforts on behalf of investors looking at putting money to work in the sector. You see $100MM funding rounds for start-ups. WTF is that about? A friend told me his successful friends call him weekly asking to invest in security companies. It’s like when you get stock tips from a cabbie (or Uber driver), it’s probably time to sell. That’s what this feels like. But security will remain a high-profile issue. There will be more breaches. There will be additional innovative attacks, probably hitting the wires next week, when there is a lot of focus on security. Just like at Black Hat last year. Things are great, right? The security juggernaut has left the dock and it’s steaming full speed ahead. So why does it feel weird? You know, unreal? Part of it is the inevitable paranoia of doing security for a long time. When you are constantly trying to find the things that will kill you, it’s hard to step back and just appreciate good times. Another part is that I’ve lived through boom and bust cycles before. When you see low-revenue early-stage start-ups acquired in $200MM+ and $50MM+ funding rounds for, you can’t help but think we are close to the top of the boom. The place to go from there is down. Been there, done that. I’m still writing off my investment tax losses from the Internet bubble (today is Tax Day in the US). But you know what? What’s the use in worrying? I’m going to let it play out and do a distinctly atypical thing and actually enjoy the boom. I was too young and naive to realize how much fun the Internet boom was on the way up. I actually believed that was the new normal. Shame on me if I can’t enjoy it this time around. I’ll be in SF next week with a huge smile on my face. I will see a lot of friends at RSAC. Rich, Adrian, and I will offer a cloud security automation learning lab and JJ and I will run a peer-to-peer session on mindfulness. I’ll have great conversations with clients and I’m sure I’ll fill the pipeline for the next couple months with interesting projects to work on. I’ll also do some damage to my liver. Because that’s what I do. These halcyon days of security will end at some point. There is no beanstalk that grows to the sky. But I’m not going to worry about that now. I’ll ride through the bust, whenever it comes. We all will. Because we’re security people. We’ll be here when the carpetbaggers have moved on to the next hot sector promising untold riches and easy jobs. We’ll be here after the investors doing stupid deals wash out and wonder why they couldn’t make money on the 12th company entering the security analytics business. We’ll be here when the next compliance mandate comes and goes, just like every other mandate. We’ll be here because security isn’t just a job. It’s a calling. And those who have been called ride through the booms and the busts. Today is just another day of being attacked by folks who want to steal your stuff. –Mike Photo credit: “Explosion de ballon Polyptyque“_ originally uploaded by Mickael Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get… The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. March 31 – Using RSA March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler December 18 – Predicting the Past November 25 – Numbness October 27 – It’s All in the Cloud October 6 – Hulk Bash September 16 – Apple Pay August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Network-based Threat Detection Overcoming the Limits of Prevention Applied Threat Intelligence Building a TI Program Use Case #3, Preventative

Compliance. It’s a principle driver for security spending, and vendors know this. That’s why each year compliance plays a major role in vendor messaging on the RSA show floor. A plethora of companies claiming to be “the leader in enterprise compliance products” all market the same basic message: “We protect you at all levels with a single, easy-to-use platform.” and “Our enterprise-class capabilities ensure complete data security and compliance.” Right. The single topic that best exemplifies our fitness meme is compliance. Most companies treat compliance as the end goal: you hold meetings, buy software, and generate reports, so you’re over the finish line, right? Not so much. The problem is that compliance is supposed to be like a motivational poster on the wall in the break room, encouraging you to do better – not the point itself. Buying compliance software is a little like that time you bought a Chuck Norris Total Gym for Christmas. You were psyched for fitness and harbored subconscious dreams it would turn you into a Chuck Norris badass. I mean, c’mon, it’s endorsed by Chuck Friggin’ Norris! But it sat in your bedroom unused, right next to the NordicTrack you bough a few years earlier. By March you hadn’t lost any weight, and come October the only thing it was good for was hanging your laundry on, so your significant other posted it on Craigslist. The other side of the compliance game is the substitution of certifications and policy development for the real work of reducing risk. PCI-DSS certification suggests you care about security but does not mean you are secure – the same way chugging down 1,000-calorie fruit smoothies makes you look like you care about fitness but won’t get you healthy. Fitness requires a balance of diet and exercise over a long period; compliance requires hard work and consistent management towards the end goal over years. Your compliance requirements may hinge on security, privacy, fraud reduction or something else entirely, but success demands a huge amount of hard work. So we chide vendors on their yearly claims about compliance-made-easy, and that the fastest way to get compliant is buy this vendors class-leading product. But this year we think it will be a little more difficult for vendors, because there is a new sheriff in town. No, it’s not Chuck Norris, but a new set of buyers. As with every period of disruptive innovation, developers start to play a key role in making decisions on what facilities will be appropriate with newer technology stacks. Big Data, Cloud, Mobile, and Analytics are owned by the fitness freaks who build these systems. Think of them as the leaner, meaner P90X fitness crowd, working their asses off and seeing the results of new technologies. They don’t invest in fancy stuff that cannot immediately show its worth: anything that cannot both help productivity and improve reliability isn’t worth their time. Most of the value statements generated by the vendor hype machine look like Olivia Newton-John’s workout gear to this crowd – sorely out of date and totally inappropriate. Still, we look forward to watching these two worlds collide on the show floor. Share:

In the United States there’s a clearly defined line between amateur and professional athletes. And in our wacky world of American sports we have drafts, statistics, hefty contracts, trophies, and rings to demonstrate an athlete’s success. In other sports and other parts of the world, the lines between amateur and pro athletes can be a bit murky. Take rugby, for example, where club teams compete in a bracket system to earn their spot up (or down) the ranks of European rugby series. Imagine the Seahawks moving down to a lesser series next season as a result of their 2015 Superbowl loss, and you start to understand the blurred lines of some professional athletes. But in the security world the pressure runs both ways. Our entire profession no longer needs to prove the world has a security problem – the headlines scream it nearly every day. And while some people still think they are playing club security, it turns out they moved up to the World Cup and never really noticed. In the matter of only a few years, our entire industry rocketed into the majors, like it or not. And to further muddle our metaphor, no fair few armchair quarterbacks are in the big leagues and now need to put up or shut up. All right, maybe we pushed that a little too far. Here’s the situation: information security is on the front lines of protecting our economies and infrastructure. It’s a level of validation many security professionals have wanted for years, but now that it’s here it exposes personal and professional weaknesses. There is massive demand for pragmatic security pros who can get the job done, but not enough of us to fill all the positions. It is a scarcity that must be filled, despite the skills shortage. This creates a revolving door as people pop up to positions of trust, fail to meet the requirements, and get pushed back down. You’ll see this skills shortage play out throughout the conference. On the floor it will show as more and more companies offer services and emphasize automation and reduction of operational costs. In presentations it will manifest as professional development and making do with less. Behind all of it is the challenge: how can you go pro and stay there? The answer isn’t easy, but it isn’t a mystery. Follow our going pro advice, and your rankings will soar. Seek these five I’s to “Go Pro” at RSA: Integration: Create more value by connecting data points for automated actions and defense. You’ll see a lot of talks and solutions touting integration this year at RSA. Seek out and soak in anything that could help your environment. Iteration: Explore continuous improvement through DevOps and Agile methodologies. Things that build security in, rather than trying to protect things from the outside. Intelligence: Effectively applying threat intelligence will boost your abilities. Out of the 350 breakout sessions at RSA this year, it seems like 178 involve threat intelligence, so you have plenty of opportunity. As Michael Jordan says, “Talent wins games, but teamwork and intelligence wins championships.” Innovation: Show you can go pro by sifting through marketing fluff and find the real innovation at RSA. Oh yeah, it’s there, hiding in the haystack, and around the perimeter of the show floor. Information: Don’t just consume it – give it back. Just remember that data is valued more than opinion. Opinions are like… well, you know the saying. RSA is the Goliath of information security conferences. Despite our critical raised brows at many of the vendors’ sugar-coated crap, the truth is there’s a huge opportunity to learn and teach throughout the week. If you can’t find some value on your path to going pro – that’s your problem. Share:

Have you heard a vendor tell you about their old product, which now protects the Internet of Things? No, it isn’t a pull-up bar, it’s an Iron Bar Crossfit (TM) Dominator! You should be mentally prepared for the Official RSA Conference IoT Onslaught (TM). But when a vendor asks how you are protecting IoT, there’s really only one appropriate response: “I do not think that means what you think it means.” Not that there aren’t risks for Internet-connected devices. But we warned you this would hit the hype bandwagon, way back in 2013’s Securosis Guide to RSAC: We are only at the earliest edge of the Internet of Things, a term applied to all the myriad of devices that infuse our lives with oft-unnoticed Internet connectivity. This wonʼt be a big deal this year, nor for a few years, but from a security standpoint we are talking about a collection of wireless, Internet-enabled devices that employees wonʼt even think about bringing everywhere. Most of these wonʼt have any material security concerns for enterprise IT. Seriously, who cares if someone can sniff out how many steps your employees take in a day (maybe your insurance underwriter). But some of these things, especially the ones with web servers or access to data, are likely to become a much bigger problem. We’ve reached the point where IoT is the most under- or mis-defined term in common usage – among not just the media, but also IT people and random members of the public. Just as “cloud” spent a few years as “the Internet”, IoT will spend a few years as “anything you connect to the Internet”. If we dig into the definitional deformation you will see on the show floor, IoT seems to be falling into two distinct classes of product: (a) commercial/industrial things that used to be part of the Industrial Control world like PLCs, HVAC controls, access management systems, building controls, occupancy sensors, etc.; and (b) products for the consumer market – either from established players (D-Link, Belkin, etc.) or complete unknowns who got their start on Kickstarter or Indiegogo. There are real issues here, especially in areas like process control systems that predate “IoT” by about 50 years, but little evidence that most of these products are actually ready to address the issues, except for the ones which have long targeted those segments. As for the consumer side, like fitness bands? Security is risk management, and that is so low on their priority list that it is about as valuable as a detoxifying foot pad. We aren’t dismissing all consumer product risks, but worry about your web apps before your light bulbs. At RSAC this year we will see ‘IoT-washing’ in the same way that we have seen ‘cloud-washing’ over the last few years – lots of mature technology being rebranded as IoT. What we won’t see is any meaningful response to consumer IoT infiltration in the business. This lack of meaningful response nicely illustrates the other kinds of change we still need in the field: security people who can think about and understand IPv6, LoPAN, BLE, non-standard ISM radios, and proprietary protocols. Sci-Fi writers have told us what IoT is going to look like – everything connected, all the time – so now we’d better get the learning done so we can be ready for the change that is already underway, and make meaningful risk decisions, not based on fear-mongering. Share:

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch). We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications. But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much as a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees. DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports… it’s on YouTube now – look it up, young’ns). Extreme sports (if that term even applies anymore) is all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you can to backflip a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave. This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSA day the Monday before the conference starts. And vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty bad too, especially presentations on the ‘risks’ of DevOps that show someone doesn’t understand it doesn’t actually allow developers to modify production environments despite policy. As for the expo floor? We look forward to seeing that ourselves… and as with anything new, we expect to see plenty of banners proclaiming their antivirus is “DevOps ready”. Posers. Share:

This year at RSA we will no doubt see the return of Big Data to the show floor. This comes along with all the muscle confusion that it generates – not unlike Crossfit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget. Last year we leveraged the tired (nay, exhausted) analogy of sex in high school. Everyone talks about it but… yeah. You get the idea. Every large company out there today has a treasure trove of data available, but they have yet to truly gain any aerobic benefit from it. Certainly they are leveraging this information but who is approaching it in a coherent fashion? Surprisingly, quite a few folks. Projects such as the Centers for Disease Control’s data visualizations, Twitter’s “Topography of Tweets”, SETI’s search for aliens, and even Yelp’s hipster tracking map. They all leverage Big Data in new and interesting ways. Hmm, SETI and Yelp should probably compare notes on their data sets. These are projects happening, often despite the best intentions of organizational IT security departments. Big Data is here, and security teams need to get their collective heads around the situation rather than hanging about doing kipping pull-ups. As security practitioners we need to find sane ways to tackle the security aspects of these projects, to help guard against inadvertent data leakage as they thrust forward with their walking lunges. One thing we recommend is ahike out on the show floor to visit some vendors you’ve never heard of. There will be a handful of vendors developing tools specifically to protect Big Data clusters, and some delivering tools to keep sensitive data out of Big Data pools. And your Garmin will record a couple thousand more steps in the process. Second, just as many Big Data platforms and features are built by the open source community, so are security tools. These will be under-represented at the show, but a quick Google search for Apache security tools will find more options. Your internal security teams need to be aware of the issues with big data projects while striking a balance supporting business units. That will truly lead to muscle confusion for some. If you’re looking for the Big Data security purveyors, they will most likely be the ones on the show floor quietly licking wounds from their workout while pounding back energy drinks. Share:

The Security Bonk For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our respective waistlines, than anything else. So we’re all too familiar with the concept of ‘bonking’: hitting the wall and capitulating. You may not give up, but you are just going through the motions. Sound familiar to you security folks? It should. You get bonked over the head with hundreds or thousands of alerts every day. You can maybe deal with 5, and that’s a good day. So choosing the right 5 is the difference between being hacked today and tomorrow. This alert fatigue will be a key theme at RSA Conference 2015. You’ll see a lot of companies and sessions (wait, there are sessions at RSA?) talking about more actionable alerts. Or increasing the signal to noise ratio. Or some similarly trite and annoying terminology for prioritization. These vendors come at the problem of prioritization from different perspectives. Some will highlight shiny new analytical techniques (time for the Big Data drinking game!) to help you figure out which attack represents the greatest risk. Others will talk about profiling your users and looking for anomalous behavior. Yet another group will focus on understanding the adversary and sharing information about them. All with the same goal: to help you optimize limited resources before you reach the point of security bonk. To carry the sports analogy to the next step, you are like the general manager of a football team. You’ve got holes all over your roster (attack surface) and you need to stay within your salary cap (budget). You spend a bunch of money on tools and analytics to figure out how to allocate your resources, but success depends more on people and consistent process implementation. Unfortunately people are a major constraint, given the limited number of skilled resources available. You can get staffers through free agency (expensive experienced folks who generally want long-term deals) or draft and develop talent, which takes a long time. And in two years, if your draft picks don’t pan out or your high-priced free agents decide to join a consulting firm, you get fired. Who said security wasn’t like life? Or the football life, anyway! Share:

Every year we like to start the RSA Guide with review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise? This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change. –Rich Share: