Research

Woo Hoo! It’s New Paper Friday! Over the past month or so you have seen Adrian and myself put together our latest work on encryption. This one is a top-level overview designed to help people decide which approach should work best for datacenter projects (including servers, storage, applications, cloud infrastructure, and databases). Now we have pieced it together into a full paper. We’d like to thank Vormetric for licensing this content. As always we wrote it using our Totally Transparent Research process, and the content is independent and objective. Download the full paper. Here’s an excerpt from the opening: Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is “compliance, cloud, and covert affairs”. Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments). Thanks to increasing demand we have a growing range of options, as vendors and even free and Open Source tools address this opportunity. We have never had more choice, but with choice comes complexity – and outside your friendly local sales representative, guidance can be hard to come by. For example, given a single application collecting an account number from each customer, you could encrypt it in any of several different places: the application, the database, or storage – or use tokenization instead. The data is encrypted (or substituted), but each place you might encrypt raises different concerns. What threats are you protecting against? What is the performance overhead? How are keys managed? Does it all meet compliance requirements? This paper cuts through the confusion to help you pick the best encryption options for your projects. In case you couldn’t guess from the title, our focus is on encrypting in the data center: applications, servers, databases, and storage. Heck, we will even cover cloud computing (IaaS: Infrastructure as a Service), although we covered it in depth in another paper. We will also cover tokenization and discuss its relationship with encryption. We would like to thank Vormetric for licensing this paper, which enables us to release it for free. As always, the content is completely independent and was created in a series of blog posts (and posted on GitHub) for public comment. Share:

I’ve had one conversation about 8 times this week: “Ready for RSA?” “Not even close.” “Yeah, figured it would be better since they pushed it out an extra month, but not so much.” For those who don’t know, the RSA conference is the biggest event in our industry. Usually it’s in February or March, but this year it’s in April. A full extra month to prep presentations, or marketing material for vendors (my end-user friends who aren’t presenting don’t worry about any of this). Plus there are all the community things, like the Security Blogger’s Meetup, our Disaster Recovery Breakfast, and so on. Seems like we all just pushed everything back a month, and if anything are even further behind than usual. Or maybe that’s just me, a pathological procrastinator. So I don’t have time for the usual Summary this week. Especially because we have a ton of projects going on concurrently, and I’m about to start bouncing around the country again for client projects. The travel itself isn’t exciting but the projects themselves are. Most of my trips are to help end-user orgs build out their cloud security strategy and tactics. It’s a big change from Gartner, when I never got to roll up my sleeves and dig in deep. The fascinating bit is the kinds of organizations who are moving to cloud (mostly AWS, because that’s where I’m deepest technically). Instead of being startups these are established companies, some quite large, and a few heavily regulated. I knew we’d get here someday, but I didn’t expect cloud adoption to hit these segments so soon. Mike and Adrian are just as busy as I am, which is why the blog is so slow, but some new projects are about to hit. We’ve also been working on our annual RSA Guide, which you will start seeing pieces of soon. This year our Contributing Analysts wrote a lot of the content. But hey, we’ve been around 8+ years and still put up multiple blog posts a week, even when things are ugly. So we have that going for us. Which is nice. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich at TidBITS on Apple Pay Rich also contributed to a piece on BadUSB and Macs at TidBITS Favorite Securosis Posts Mike: Disaster Recovery Breakfast 2015 – It’s that time of the year. The best breakfast at RSA. RSVP (please) to rsvp (at) securosis (dot) com. Other Securosis Posts Incite 3/18/2015: Pause. Firestarter: Cyber Cash Cow. Take Control of Security for Mac Users. Be Careful What You Wish For, It’s the SEVENTH Annual Disaster Recovery Breakfast. SecDevOps Learning Lab at RSA. Favorite Outside Posts Mortman: Conway’s law revisited – Architectures for an effective IT Mike: NCAA Men’s Tournament Forecast: The Parity Is Over. It’s March Madness time. Check out Nate Silver’s thoughts. Because math. Mike: Richard Branson shares his 10 favorite quotes about embracing change. Change is constant, which is uncomfortable for many. There are some good tips here to help deal with it. Rich: Panda Antivirus Flags Itself As Malware. The title says it all. Can’t make this stuff up. Research Reports and Presentations Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Top News and Posts To prevent another Heartbleed, severe OpenSSL flaw to be patched Stealthy, Persistent DLL Hijacking Works Against OS X Android apps are now reviewed by Google before you can download them Yahoo Previews End-To-End Email Encryption Plug-In Responding to Sony Hack, Senate Advances Major Cybersecurity Bill Some notes on DRAM (#rowhammer) Blog Comment of the Week This week’s best comment goes to Tom, in response to My $500 Cloud Security Screwup–UPDATED. Great writeup – being able to admit you made a mistake is very hard for some, but we all do, bravo for being up front about it. AWS (Amazon, in general) has always been really super super reasonable about charges with me – I too have had them reverse a charge (in my case, for Amazon prime that I didn’t really use) that was totally on my own shoulders, without me asking – good on them, it makes me feel very, very comfortable with trusting them to do the right thing. I like to think a big part of it was you posting about this and owning the issue – this is an awesome example of how to handle this sort of situation with integrity and competence. I suggest the VERY first thing you do with a new AWS account is turn on MFA, make an IAM account, and put the master credentials on a thumb drive in a desk drawer (locked, ideally). Then, use that IAM account to make less-privileged ones, and use those in practice. It is a pain, to be sure, but it is important to lay a good foundation. (I actually have gone further and worked out federated access for our team at work, and ALL credentials that could reasonably be exposed have a very short lifespan – accidentally checked-in creds in code are to our internal auth server, unusable to the real world. It was a pain, but it lets me sleep better.) You inspire me; I should clean up the federation server and put it out there for others to use. Share:

It’s been over a month since I wrote an Incite. It’ is the longest period of downtime since I joined Securosis. I could talk about my workload, which is bonkers right now. But over the years I’ve written the Incite regardless of workload. I could talk about excessive travel, but I haven’t been traveling nearly as much as last year. I could come up with lots of excuses, but as I tell my kids all the time, “I’m not in the excuses business.” Here’s the reality: I needed a break. I have plenty to write about, but I found reasons not to write. There is a ton of stuff going on in security, so there were many interesting snippets I let fly right on by. But I didn’t write it, and I didn’t really question it. What I needed was what my Tao teacher calls a pause. You could need a pause for lots of reasons. Sometimes you have been running too hard for too long. Sometimes you need to change things up a bit because the status quo makes you unhappy. Sometimes you need some space to recalibrate and figure out what you want to do and where you want to go. Of course, this could be for very little things, like writing the Incite every week. Or very big things. But without taking a pause, you don’t have the space to make objective decisions. You are reading this, so obviously I am writing the Incite. So during my pause, it became clear that the Incite is an important part of what I do. But it’s bigger than that. It’s an important part of who I am. I have shared the good and the not so good through the years. I have met people who tell me they have experienced what I write about, and it’s helpful for them to commiserate – even if it’s virtual. Some tell me they learn through my Incites, and there is nothing more flattering. But it’s not why I write the Incite. I write the Incite for me. I always have. It’s a journal of sorts representing my life, my views, and my situation at any given time. Every so often I go back a couple years and read my old stuff. It reminds me of what things were like back then. It’s useful because I don’t spend much time looking backwards. It’s interesting to see how different I am now. Some people journal in private. I do that too. But I have found my public journal is important to me. The pause is over. I’m pushing Play. In the coming months there will be really cool stuff to share and some stuff that will be hard to communicate. But that’s life. You take the good and the bad without judgement. You move forward. At least I do. So stay tuned. The next few months are going to be very interesting, for so many reasons. –Mike Photo credit: “Pause? 272/265” originally uploaded by Dennis Skley The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. March 16 – Cyber Cash Cow March 2 – Cyber vs. Terror (yeah, we went there) February 16 – Cyber!!! February 9 – It’s Not My Fault! January 26 – 2015 Trends January 15 – Toddler December 18 – Predicting the Past November 25 – Numbness October 27 – It’s All in the Cloud October 6 – Hulk Bash September 16 – Apple Pay August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Cracking the Confusion Encryption Decision Tree Top Encryption Use Cases Additional Platform Features and Options Key Management Encryption Layers Building an Encryption Layer Encryption and Tokenization for Data Centers, Servers, and Applications Applied Threat Intelligence Building a TI Program Use Case #3, Preventative Controls Use Case #2, Incident Response/Management Use Case #1, Security Monitoring Defining TI Network Security Gateway Evolution Introduction Newly Published Papers Security and Privacy on the Encrypted Network Monitoring the Hybrid Cloud Best Practices for AWS Security Securing Enterprise Applications Secure Agile Development Trends in Data Centric Security Leveraging Threat Intelligence in Incident Response/Management The Security Pro’s Guide to Cloud File Storage and Collaboration Advanced Endpoint and Server Protection The Future of Security Incite 4 U (Note: Don’t blame Rich or Adrian for the older Incite… They got me stuff on time – it just took me a month to post it. You know, that pause I talked about above.) There are no perfect candidates… There is no such thing as perfect security, so why would there be perfect security candidates? Our friend Andy Ellis, CISO of Akamai, offers a refreshing perspective on recruiting security professionals. Andy focuses on passion over immediate competence. If a person loves what they do they can learn the rest. I think that’s great, especially given the competition for those with the right certifications and keywords on their CVs. Andy also chooses to pay staffers fairly instead of pushing them to find other jobs as their skills increase. Again, very smart given the competition for security staff. The #1 issue we hear from CISO types, over and over, is the lack of staff / recruiting challenge. So you need to find folks in places others aren’t looking, and invest in them – knowing a few will leave for greener pastures at some point.

Last week we saw a security company hit the $2.4B valuation level. Yes, that’s a ‘B’, as in billion. This week we dig into the changing role of money and investment in our industry, and what it might mean. We like to pretend keeping our heads down and focusing on defense and tech is all that matters, but practically speaking we need to keep half an eye on the market around us. It not only affects the tools at our disposal, but influences the entire course of our profession. Watch or listen: Share:

I spend a lot of time on Apple security, more for personal reasons than anything else. They are the tools I use every day, and where I send most of my friends and family to manage their digital lives, so my investment runs deeper than anything financial. I have been the Security Editor over at TidBITS since about the time I founded Securosis, but I am not the only security expert over there. Joe Kissell has himself written books on the topic, and plenty of articles (mostly at TidBITS and Macworld). Joe is currently writing a Take Control book on Mac security. The Take Control series of books are my favorite hands-on instructional guides, and I have used a fair few myself (Take Control is distinct from TidBITS, but closely related and run by the same team). The first two chapters are available free online at TidBITS. The rest of the chapters become available to TidBITS members as Joe writes them. These books run much deeper than the white papers and articles we post on Securosis. The book a soup-to-nuts hands-on guide for nearly everything you need to know to secure your own Mac. Joe and I have talked about combining efforts for a Securosis/Take Control cross-branded version of the content if we can line up a licensee/sponsorship. If you are interested drop me a line. Share:

There seems to something missing for us Securosis folks now that it’s the beginning of March. After some reflection we realized it’s that dull ache in our livers from surviving yet another RSA Conference. The show organizers had to move the conference to April this year, to ensure a full takeover of San Francisco. Regardless of when the conference is, there is one thing you can definitely count on: the DRB! That’s right – once again Securosis and friends are hosting our RSA Conference Disaster Recovery Breakfast. This is the seventh year for this event, and we are considering delivering a bloody head to Jillian’s in homage to Se7en. Maybe that wouldn’t be the best idea – it might ruin our appetites. Though given how big the DRB has become, we probably should consider tactics to cut back – we pay for insane amounts of bacon. Kidding aside, we are grateful that so many of our friends, clients, and colleagues enjoy a couple hours away from the glitzy show floor and club scene that is now the RSAC. By Thursday, if you’re anything like us, you will be a disaster and need to kick back, have some conversations at a normal decibel level, and grab a nice breakfast. Did we mention there will be bacon? With the continued support of MSLGROUP and Kulesa Faul, as well as our new partner LEWIS PR, we are happy to provide an oasis in a morass of hyperbole, booth babes, and tchotchke hunters. As always, the breakfast will be Thursday morning from 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We will have food, beverages, and assorted recovery items (non-prescription only) to ease your day. Yes, the bar will be open – Mike gets very grumpy if a mimosa is not waiting for him on arrival (and every 10 minutes thereafter). Remember what the DR Breakfast is all about. No marketing, no spin, just a quiet place to relax and have muddled conversations with folks you know, or maybe even go out on a limb and meet someone new. After three nights of RSA Conference shenanigans, we are confident you will enjoy the DRB as much as we do. See you there. To help us estimate numbers, please RSVP to rsvp (at) securosis (dot) com. Share:

We were invited to run a two-hour learning lab on a topic of our choice this year at the RSA Conference. I suspect it will surprise… no one… that we chose Pragmatic SecDevOps as our topic. This is a cool opportunity – it gives us a double-length session to mix in presentation, hands-on labs, demonstrations, and group activities. I realize some people roll their eyes when they see these buzzwords, but everything we will present is being used in the real world, often at leading-edge organizations. DevOps really is a thing, it really does affect security, and you really can use it to your advantage in super interesting ways. Here is the official description. Pragmatic SecDevOps Date & Time: Wednesday, April 22, 2015, 10:20am-12:20pm Abstract: As cloud and DevOps disrupt traditional approaches to security, new capabilities emerge to automate and enhance security operations. In this hands-on session attendees will learn pragmatic techniques for leveraging cloud computing and DevOps for improving security. Through a combination of demonstrations and exercises we will work through a string of real-world security automations. We are still finalizing what will make the cut but here are some components we are considering including: An updated (and concise) Pragmatic SecDevOps presentation to start the conversation. A lab to automate embedding host security agents in cloud deployments (e.g., Chef/Puppet) and then use them to enforce security policies. A lab to monitor your cloud security management plane. A group exercise to adapt and embed security architectures to leverage new cloud capabilities. This one is interesting because we will be showing off some leading-edge architectures we are starting to see for DevOps and cloud deployments, which not many security people have been exposed to. A security automation group exercise/hands-on lab where we will give you a library of Ruby methods to mix and match for different security functions. That is a ton of content, and we may not get to all of it. I will streamline some of the labs that I normally have people work through manually in training, but we need to push through more quickly. You need to pre-register to attend, and we will run a webcast in the beginning of April so people can prepare and be ready to participate in the hands-on sections. One nice thing about the Learning Labs is that they happen during the main conference – not the day before or at the end of the week. Please feel free to drop us ideas, preferences, or comments below. We already have a lot of the content, but how we piece it together is still very much open to suggestion. Share:

Rich here. Not to get too personal, but I had a dream about being back on ski patrol last night. Of all the rescue things I did, ski patrol was one of the most satisfying. That probably sounds weird, because it means I was more satisfied picking up people who could afford $80 lift tickets than saving people in the inner city. But each activity brings a different kind of satisfaction, and when it comes to ski patrol, it was all about the independence. I worked patrol part time at Copper Mountain for 5 years. We were pseudo-volunteers who would do everything full-timers did, except drive snowmobiles and throw bombs. Although some of us did get certified to drive (to ferry athletes and photographers at special events) and we could go out on avalanche control – just not light the boom-boom things. Patrol is a physically demanding job. You don’t turn laps all day; if you aren’t on a work mission (fixing trail markers, setting safety gear, etc.), you hang out in one of the patrol buildings until you hear the dispatcher ring the cowbell. Yes, more cowbell. Someone would then snag the 1050 (injured person), get details, grab a rig (toboggan), and go find the patient. It’s all solo after that. You ski (or in my case snowboard) to the patient, assess them, treat them, load them, and then take them to the base to either release or send to the clinic. Help is always available via radio if you need it, such as having a second person grab the tow line on the rig in really nasty conditions (usually a cross-slope traverse on ice), or if you hit CPR levels of badness, but otherwise it is a solo deal. I loved working the back bowls. They were physically much tougher, but the environment was amazing. The main patrol building was called Motel 6, at around 12,000 feet. Just getting to it usually involved a hike. It wasn’t very large, but held a table, couch, and small kitchenette area. If you worked there, you wore an avalanche beacon and carried a shovel. Directly across the bowl from 6 was The Dumpster: two lift shack halves welded together with some crash pads on the floor and walls to sit on. Getting to The Dumpster took about 45 minutes and involved hiking the entire ridge around, topping out over 12,500’. The year I lived in Phoenix and flew back to work weekends… that hurt. One of my most memorable calls was my first solo mission out of 6. Some guy injured his leg down near the bottom. Getting to him with the rig was easy, but getting out more complex. It involved multiple “Doo pulls”. Our snowmobiles were all Ski-Doos, and for a Doo pull, the driver would throw you a tow rope. You cannot safely tie it onto the rig, so you get in between the horns (handlebars) and wrap the end of the rope around one grip in such a way that it will only stay while you keep a firm hold on it. Then you handle steering. Fall, and you will probably get run over before momentum (or your head) stops the rig, after the rope drops off. So I got towed out of the bowl, boarded the patient to my next pickup point, towed up to a better spot to reach the mountain base, and then followed the runs all the way down. It took well over an hour, on a hill I could ride top to bottom in under 10 minutes. I don’t completely understand why this was so much more satisfying than working the ambulance or even a complex, multi-day mountain rescue. Perhaps because there are few cases in emergency services where you can honestly say you were responsible for saving someone. It is almost always a team effort, and real saves are rare. But on patrol I remember the time we were sweeping the hill at the end of the day and I found a girl who had just crashed on one of the big jumps. She wasn’t only unconscious, but she wasn’t breathing. I repositioned her head, opened her airway, and she was fine with a mild concussion. My call. My patient. My strength and skills tested, with an expectation that I wouldn’t need help beyond the occasional tow if gravity wasn’t there to help. Teamwork is deeply satisfying, but it is also nice to know you can handle things yourself. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian on NoSQL security. Gunnar quoted extensively by SearchSecurity on breached companies growing profits. Securosis Posts Firestarter: Cyber vs. Terror (yeah, we went there). Favorite Outside Posts Mike: Gartner: Sony breach is a new breed of attack that needs new responses. Oy! The hyperbole is killing me. Invest in staff and training and you can avoid the problems. Good luck with that. Rich: Oracle extends its adware bundling to include Java for Macs. As I said on Twitter, I don’t think anyone familiar with how Oracle treats enterprise customers is surprised by this. James Arlen: Honest review – CSI:Cyber. Ian Amit, the CyberZohan, makes some remarkably good points about the agonizingly painful CSI:Cyber. More people who think that staring at a console makes for a rewarding career – that is good. And it’s always good to have Dr. Janosz Poha around for when Cyber-Vigo the Cyber-Carpathian comes out and tries to scare Cyber-Avery. JJ: What Successful People Do Within the First 10 Minutes of the Workday. Productivity FTW. Mortman: Intuit Failed at ‘Know Your Customer’ Basics Dave Lewis: The Globe adopts encrypted technology in effort to protect whistle-blowers Research Reports and Presentations Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance.

Last week the US Director of National Intelligence said cyberattacks are a greater risk than terrorism. This week we debate what that means, and whether terminology is getting so muddled that it becomes meaningless. Plus we rip into Rich’s post claiming security people need to stop thinking of themselves as warriors, and start thinking like spies. Watch or listen:   Share:

Rich here. These days it is hard to swing a cyberstick without hearing a cybergasp of cyberstration at the inevitable cyberbuse of the word “cyber”. To be clear, I think ‘cybersecurity’ is not only an acceptable term, but a particularly suitable one. It is easy to understand and covers aspects of IT security the term “IT security” doesn’t quite describe as well. There are entire verticals which think of IT security as “the stuff in the office” and use other terms for all the other technology that powers their operations. But snapping cyber onto the front of another word can be misleading. Take, for example, cyberwar and cyberwarrior. We are, very clearly, engaged in an ongoing long-term conflict with a myriad of threat actors. And I think there is something that qualifies as cyberwar, and even cyberwarriors. Believe it or not, some people with that skill set work in-theater, under arms, and at risk. But when you dig in this is more a spy’s game than a warrior’s battlefield. Defensive security professionals are engaged more in counterintelligence and espionage than violent conflict, especially because we can rarely definitively attribute attacks or strike back. Personally, as Han Solo once said, “Bring ‘em on, I’d prefer a straight fight to all this sneaking around”, but it isn’t actually up to me. So I find I need to think as much in terms of counterintelligence as straight-up defense. That’s why I love some of the concepts in active defense, such as intrusion deception – because we can design traps and misdirection for attackers, giving ourselves a better chance to detect and contain them. Admit it – you love spy movies. And while you probably won’t get the girl in the end (that’s a joke for whoever saw Kingsman), and you aren’t saving the world, you also probably don’t have to worry about someone sticking bamboo under your fingernails. Until audit season. I have some family in town and ran out of time to do a proper summary, so I shortened things this week. Favorite Securosis Posts Mike: Summary: Three Mini Gadget Reviews… and a Big Week for Security Fails. I like Rich’s reviews. For stuff that I likely won’t get because I’m not a techno-addict. Other Securosis Posts Cracking the Confusion: Encryption Decision Tree. Ticker Symbol: Hack – Updated. Favorite Outside Posts Adrian Lane: The Great SIM Heist. Good story. I think it’s hard for a lot of people to fathom that this type of stuff really happens. Truth is stranger than fiction! Mort: Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors Mike: What APT Is. Bejtlich uploads a piece he wrote for TechTarget a few years ago. A good reminder of what the APT actually is – not what the marketers tell you it is. Pepper: Cybergeddon: Why the Internet could be the next “failed state” Rich: Attribution is the new black…what’s in a name, anyway? Private companies need to stop this. It is becoming an embarrassment to our profession. Gemalto Officials Say SIM Infrastructure Not Compromised. Bullshit. US offers $3m reward for arrest of Russian hacker Evgeniy Bogachev Research Reports and Presentations Security and Privacy on the Encrypted Network. Monitoring the Hybrid Cloud: Evolving to the CloudSOC. Security Best Practices for Amazon Web Services. Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Top News and Posts Secrecy around police surveillance equipment proves a case’s undoing How the NSA’s Firmware Hacking Works Bypassing Windows Security by Modding One Bit New Cache of Snowden docs A 14-year-old hacker caught the auto industry by surprise Share: