Research

SLmageddon V12. Polar Vortices. Ebola. APT123. We live in an era when every week it seems some massive new vulnerability, exploit, or attack is going to take down society. This week Rich, Mike, and Adrian tackle the endless progression of bad news; and how to maintain focus when everyone wants you to save the children. As a side note, if you haven’t seen or read about #feministhackerbarbie on Twitter… oh my, you need to. The audio-only version is up too. Share:

Securing enterprise applications is hard work. These are complex platforms, with lots of features and interfaces, reliant on database support, and often deployed across multiple machines. They leverage both code provided by the vendor, as well as hundreds – if not thousands – of supporting code modules produced specifically for the customer’s needs. This make every environment a bit different, and acceptable application behavior unique to every company. This is problematic because during our research we found that most organizations rely on security tools which work on the network fringes, around applications. These tools cannot see inside an application to fully understand its configuration and feature set, nor do they understand application-layer communication. This approach is efficient because a generic tool can see a wide variety of threats, but misses subtle misuse and most serious misconfigurations. We decided to discuss some of our findings. But to construct an entire application security program for enterprise applications would require 100 pages of research, and still fail to provide complete coverage. Many firms have had enterprise applications from Oracle and SAP deployed for a decade or more, so we decided to focus on areas where the security problems have changed, or where tools and technology have superseded approaches that were perfectly acceptable just a couple years ago. This research paper spotlight these problem areas and offers specific suggestions for how to close the security gaps. Here is an except: Supply chain management, customer relationship management, enterprise resource management, business analytics, and financial transaction management, are all multi-billion dollar application platforms unto themselves. Every enterprise depends upon them to orchestrate core business functions, spend tens of millions of dollars on software and support. We are beyond explaining why enterprise applications need security to protect these investments – it is well established that insiders and persistent adversaries target these applications. Companies invest heavily in these applications, hardware to run them, and teams to keep them up and running. They perform extensive risk analysis on their business implications and the costs of downtime. And in many cases their security investments are a byproduct of these risk profiles. Application security trends in the 1-2% range of total application investment, so we cannot say large enterprises don’t take security seriously – they spend millions and hire dedicate staff to protect these platforms. That said, their investments are not always optimal – enterprises may bet on solutions with limited effectiveness, without a complete understanding of the available options. It is time for a fresh look. In this research paper, Building an Enterprise Application Security program, we will take a focused look at the major facets in an enterprise application security program, and make practical suggestions on how to improve efficiency and effectiveness of your security program. Or goal is to discuss specific security and compliance use cases for large enterprise applications, highlight gaps, and explain some application-specific tools to address these issues. This will not be an exhaustive examination of enterprise application security controls, rather a spotlight common deficiencies with the core pillars of security controls and products. We would like to thank Onapsis for licensing this research. They reached out to us on this topic and asked to back this effort, which we are very happy about, because support like this enables us to keep doing what we do. You can download a copy of the research in our research library or download it directly: Securing Enterprise Applications. As always, if you have questions or comments, please drop us a line! Share:

Thus ends the busiest four weeks I have had since joining Securosis. A few conferences – AWS Re:Invent was awesome – a few client on-site days, meeting with some end customers, and about a half dozen webcasts, have together left me gasping for air. We all need a little R&R here and the holidays are approaching, so Firestarters and blog posts will be a bit sporadic. Technically it is still Friday, so here goes today’s (slightly late) summary. I am ignorant of a lot of things, and I thought this one was odd enough that I would ask more knowledgable people in the community for assistance in explaining how this works. The story starts like this: A few months ago the new Lamborghini Huracan was introduced. Being a bit of a car weenie I went to the web site – http://huracan.lamborghini.com – in a Safari browser to see some pictures of the new car. Nice! I wish I could afford one – not that I would drive it much. I would probably just stare at it in the garage. Regardless, I had never been to the Lamborghini web site before. So I was a little surprised the next morning when I opened up a new copy of Firefox, which was trying to make a request to http://media.lamborghini.com. WTF? As I started to dig into this, I saw it was a repeating pattern. I visited http://www.theabsolutesound.com, and when I opened my newly installed Aviator browser, it tried to connect to http://media.theabsolutesound.com. Again, I had never been to that site in the Aviator browser, but recently visited it from FF. Amazon Web services, Tech Target, and a dozen or so requests to connect to media.sitename.com or files.sitename.com popped up. But the capper was a few weeks later, when my computer tried to send the same request to media.theabsolutesound.com from an email client! That is malware behavior, likely adware! So is this behavior part of an evercookie Flash/Java exploit through persistent data? I had Java disabled and Flash set to prompt before launch, so I thought a successful cross-browser attack via those persistence methods was unlikely. Of course it is entirely possible that I missed something. Anyway, if you know about this and would care to explain it – or have a link – I would appreciate an education on current techniques for browser/user tracking. I am clearly missing something. As a side note, as I pasted the huracan.lamborghini.com link into my text editor to wrote this post, an Apple services daemon tried to send a packet to gs-loc.apple.com with that URL in it. Monitor much? If you don’t already run an outbound firewall like Little Snitch, I highly recommend it. It is a great way to learn who sends what where and completely block lots of tracking nonsense. Puppy names. Everybody does it: before you get a new puppy you discuss puppy names. Some people even buy a book, looking for that perfect cute name to give their snugly little cherub. They fail to understand their mistake until after the puppy is in their home. They name the puppy from the perspective of prepuppy normal life. Let me save you some trouble and provide some good puppy names for you, ones more appropriate for the post-puppy honeymoon: “Outside!” – the winner by a landslide. “Drop-It!” “Stinky!” “No, no, no!” “Bad!” “Not again!” “Stop!” “OWW, NO!” “Little bastard” “Come here!” “Droptheshoe!” “AAhhhhrrrr” “F&%#” or the swear word of you choice. Trust me on this – the puppy is going to think one of these is their name anyway, so starting from this list saves you time. My gift to you. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian on Secure Agile Development, via SANS Adrian on Pragmatic WAF Management Securosis Posts Ticker Symbol: HACK. Incite 11/12/2014: Focus. Building an Enterprise Application Security Program: Recommendations. Changing Pricing (for the first time ever). Monitoring the Hybrid Cloud: Emerging SOC Use Cases. Favorite Outside Posts Mike Rothman: Open Whisper Systems partners with WhatsApp to provide end-to-end encryption. The future will be encrypted. Even WhatsApp! Much to the chagrin of the NSA… Rich: Secure Agile Development. Think like a Developer. Maybe I have been spending too much time coding lately, but I love this concept. Needless to say we have lately been spending a lot of time on this area. Adrian Lane: Experimental Videogame Consoles That Let You Make One Move a Day. In a world of instant gratification, getting back to a slow pace is refreshing and awesome. Research Reports and Presentations Securing Enterprise Applications. Secure Agile Development. Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Top News and Posts Microsoft patches critical bug that affects every Windows version since 95 Google Removes SSLv3 Fallback Support From Chrome Nasty Security Bug Fixed in Android Lollipop 5.0 Amazon Web Services releases key management service U.S. Marshals Using Fake, Airplane-based Cell Towers Facebook’s ‘Privacy Basics’ Is A Privacy Guide You May Actually Want To Read Hiding Executable Javascript in Images That Pass Validation UPnP Devices Used in DDoS Attacks Share:

I think the financial equivalent of jumping shark is Wall Street creating an ETF based on your theme. If so, cybersecurity has arrived. The ISE Cyber Security Index provides a benchmark for investors interested in tracking companies actively involved in providing technology and services that are designed to protect data, networks, hardware, software, and other cyber-dependent devices from unauthorized access and attacks. The index includes twenty-nine constituent companies, including VASCO Data Security International Inc. (ticker: VDSI), Palo Alto Networks Inc. (ticker: PANW), Symantc Corp. (ticker: SYMC), Juniper Networks Inc. (ticker: JNPR), FireEye Inc. (ticker: FEYE), and Splunk Inc. (ticker: SPLK). Before you invest your life savings in ETFs, listen to Vanguard founder Jack Bogle: “The ETF is like the famous Purdy shotgun that’s made over in England. It’s great for big game hunting, and it’s great for suicide.” Two interesting things to look at in ETFs are fees and weighting. The fees on this puppy look to be 0.75% – outlandishly high. For comparison Vanguard’s Dividend Growth ETF has a 0.1% fee. It is true that with foreign ETFs the fees are higher (to access foreign markets), but I do not know why HACK should have such a high fee – the shares they list are liquid and widely traded. Foreign issues themselves do not seem to dictate such a lavish expense ratio. As of October 30, 2014, the Underlying Index had 30 constituents, 6 of which were foreign companies, and the three largest stocks and their weightings in the Underlying Index were VASCO Data Security International, Inc. (8.57%), Imperva, Inc. (6.08%), and Palo Alto Networks, Inc. (5.49%). I cannot tell how it is weighted but if they follow the weighting on ISE then investors will wind up almost 10% into Vasco. The largest members of the index, per ISE, are: Vasco: 9.17% Imperva: 7.57% Qualys: 5.48% Palo Alto: 5.35% Splunk: 5.18% Infoblox: 5.04% That is near 40% in the top six holdings – pretty concentrated. The old school way to index is to weight by market capitalization, but that has been shown to be imperfect because size alone does not determine quality. The preferred weighting for the last few years (since Rob Arnott’s work) has been by value, which bases the percentage of each holding on value metrics like P/E. There is considerable evidence that this works much better than market cap. But we still have a problem: many tech companies, especially new ones, have no earnings! From reverse engineering the index membership it looks like they are using Price/Sales for weighting. For example: Vasco has a Price/Sales ratio 6.1. Palo Alto has a P/S ratio of 13.5. Vasco has about twice the weighting of Palo Alto because it is about twice as cheap on a Price to Sales basis. This is probably not best way to do it, but it is probably the best available way because market cap is flawed and would miss all the upstarts. Due to lack of earnings value metrics are a non-starter. The weightings appear roughly right per Price/Sales, but I could not get the numbers to work precisely. It is possible they are using an additional weighting factor like Relative Strength. Needless to say, this is all in the spirit of “As the Infosec Industry Turns…” and not financial advice of any kind. This is not a recommendation to buy, sell, or hold any of the issues mentioned. In the meantime remember the fees, and this from Jack Bogle: “Performance comes and goes but cost goes on forever.” HACK SEC filing Share:

Interruption is death for a writer. At least it is for me. I need to get into a flow state, where I’m locked in and banging words out. With my travel schedule and the number of calls I make even when not traveling, finding enough space to get into flow has been challenging. Very challenging. And it gets frustrating. Very frustrating. There is always some shiny object to pay attention to. A press release here. A tweet fight there. Working the agenda for a trip two weeks from now. Or something else that would qualify as ‘work’, but not work. Then achiever’s anxiety kicks in. The blog posts that get pushed back day after day, and the conflicts with projects needing to get started. I have things to do, but they don’t seem to get done. Not the writing stuff anyway. It’s a focus thing. More accurately a lack of focus thing. Most of the time I indulge my need to read NFL stories or do some ‘research’. Or even just to think big thoughts for a little while. But at some point I need to write. That is a big part of the business, and stuff needs to get done. So I am searching for new ways to do that. I shut down email. That helps a bit. I don’t answer the phone and don’t check Twitter. That helps too. Maybe I will try a new writing app that basically shuts down all the other apps. Maybe that will help ease the crush of the overwhelming to-do list. Of course my logical mind knows you just start writing. That I need to stop with the excuses and just write. I know the first draft is going to be crap, especially if it’s not flowing. I know that the inbound emails can wait a few hours. I know my Twitter timeline will be there after the post is live on the site. Yet my logical mind loses, as I just stare at the screen for a few more minutes. Then check email and Twitter. Again. Oy. Then I go into my pipeline tracker and start running numbers for the impact of not writing on my wallet. That helps. Until it doesn’t. We have had a good year, so the monkey brain wonders whether it’s not really a bad idea to just sandbag some of the projects and get 2015 off to a roaring start. But I still need to write. Then at some point, I just write. The excuses fall away. The words start to flow, and even make some sense. I get laser focused on the research that needs to get done, and it gets done. The blog fills up with stuff, and balance is restored to my universe. And I resign myself to just carrying around my iPad when I really need to write, because it’s harder to multi-task on that platform. I’ll get there. It’ll just take a little focus. –Mike Photo credit: “Focus” originally uploaded by Michael Dales The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. October 27 – It’s All in the Cloud October 6 – Hulk Bash September 16 – Apple Pay August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Network Security Gateway Evolution Introduction Monitoring the Hybrid Cloud: Evolving to the CloudSOC Emerging SOC Use Cases Introduction Building an Enterprise Application Security Program Recommendations Security Gaps Use Cases Introduction Security and Privacy on the Encrypted Network The Future is Encrypted Newly Published Papers Secure Agile Development Trends in Data Centric Security Leveraging Threat Intelligence in Incident Response/Management The Security Pro’s Guide to Cloud File Storage and Collaboration The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection The Future of Security Incite 4 U Master of the Obvious: Cloud Edition: On my way to the re:Invent conference I read the subhead of a FUD-tastic eWeek article: IT Losing the Battle for Security in the Cloud, which is “More than two-thirds of respondents to a Ponemon Institute survey say it’s more difficult to protect sensitive data in the cloud using conventional security practices.” Um. This is news? The cloud is different! So if you want to secure it you need to do so differently. The survey really shows that most folks have no idea what they are talking about, expected in the early adoption phase of any technology. It is not actually necessarily harder to protect resources in the cloud. I just laugh and then cry a bit, as I realize the amount of education required for folks to understand how to do things in the cloud. I guess that is opportunity for guys like us, so I won’t cry too long… – MR Here we go again: There are a half dozen tokenization working groups proposing standards by my count. Each has vagueness baked into its published specification – many intentionally,

Our goal for this series is not to cover the breadth and depth of an entire enterprise application security program – most of you have that covered already. Instead it is to identify the critical gaps at most firms and offer recommendations for how to close them. We have covered use cases and pointed out gaps; now it’s time to offer recommendations for how to address the deficiencies. You will notice many of the gaps noted in the previous section are byproducts of either a) attackers exposing soft spots in security; or b) innovation with the cloud, mobile, and analytics changing the boundaries of what is possible. Core Program Elements Identity and Access Management: Identity and authorization mapping form your critical first line of defense for application security. SAP, Oracle, and other enterprise application vendors offer identity tools to link to directory services, help with single sign-on, and help map authorizations – key to ensuring users only get data they legitimately need. Segregation of duties is a huge part of access control programs, and your vendor likely covers most of your needs from within the platform. But there is an over-reliance on basic services, and while many firms have stepped up to integrate multiple identity stores with federated identity, attackers have shown most enterprises need to improve in some areas. Passwords: Passwords are simply not very good as a security control, and password rotation has never been proven to actually increase security; it turns out to actually be IT overhead for compliance’s sake. Phishing has proven effective for landing malware on users’ machines, enabling subsequent compromises, so we recommend two-factor authentication – at least for all administrative access. 2-factor is commonly available and can be integrated out-of-band to greatly increase the security of privileged accounts. Mobile: Protecting your users running your PCs on your network behind your firewalls is simply old news. Mobile devices are a modern – and prevalent – interface to enterprise applications. Most users don’t wait for your IT department to make policy or supply devices – they go buy their own and start using them immediately. It is important to consider mobile as an essential extension of the traditional enterprise landscape. These ‘new’ devices demand special consideration for how to deploy identity outside your network, how to _de-_provision users who have leave, and whether you need to quarantine data or apps on mobile devices. Cloud or ‘edge’ identity services, with token-based (typically SAML or OpenID) identity and mobile application management, should be part of your enterprise application security strategy. Configuration and Vulnerability Management: When we discussed why enterprise applications are different we made special mention several deficiencies in assessment products – particularly their ability to collect necessary information and lack of in-depth policies. But assessment is still one of the most powerful tools at your disposal, and generally the mechanism for validating 65% of security and compliance policies. It helps automate hundreds of repetitive, time-consuming, and highly technical system checks. We know it sounds cliche, but this really does save compliance and security teams time and money. These tools come with the most common security and compliance policies embedded to reduce custom development, and most provide a mechanism for non-technical stakeholders to obtain the technical data they need for reporting. You probably have something in place already, but there is a good chance it misses a great deal of what tools designed specifically for your application could acquire. We recommend making sure your product can obtain data, both inside and outside the application, with a good selection of policies specific to your key applications. A handful of generic application policies are a strong indicator that you have the wrong tool. Data Encryption: Most enterprise applications were designed and built with some data encryption capabilities. Either the application embeds its own encryption library and key management system, or it leverages the underlying database encryption engine to encrypt specific columns – or entire schemas – of data. Historically there have been several problems with this model. Many firms discovered that despite encrypted data, database indices and transaction logs contained and leaked unencrypted information. Additionally, encrypted data is stored in binary format, making it very difficult to calculate or report across. Finally, encryption has created performance and latency issues. The upshot is that many firms either turned encryption off entirely or removed it on temporary tables to improve performance. Fortunately there is an option which offers most of the security benefits without the downsides: transparent data encryption. It works underneath the application or database layer to encrypt data before it is stored on disk. It is faster that column encryption, transparent so no application layer changes are required, and avoids the risk of accidentally leaking data. Backups are still protected and you are assured that IT administrators cannot view readable data from disk. We recommend considering products from several application/database vendors and some third-party encryption vendors. Firewalls & Network Security: If you are running enterprise applications, you have firewalls and intrusion detection systems in place. And likely you also have next-generation firewalls, web application firewalls, and/or data loss prevention systems protecting you applications. Because these investments are already paid for and in place, they tend to be the default answer to any application security question. The law of the instrument states that if all you have is a hammer, everything looks like a nail. The problem is that these platforms are not optimal for enterprise application security, but they are nonetheless considered essential because every current security job falls to them. Unfortunately they do a poor job with application security because most of them were designed to detect and address network misuse, but they do not understand how enterprise applications work. Worse, as we shift ever more toward virtualization and the cloud, physical networks go away, making them less useful in general. But the real issue is that a product which was not designed to understand the application cannot effectively monitor its use or function. We recommend looking at

This is a corporate news post, so skip it if all you want is our usual snarky security analysis. For the first time since starting Securosis we are increasing our prices. Yes, it has been over seven years without any change in pricing for our services. The new prices are only a modest bump, and also streamlined to remove the uncertainty of travel expenses on engagements. Call it ego, but we think we are a heck of a bargain. This only affects speaking/strategy days and retainers. Papers, Securosis Project Accelerator workshops, and one-off projects aren’t changing. Strategy day pricing stays the same at $6,000, but we are adding in $1,000 for travel expenses and will no longer bill travel separately (total of $7,000 for a strategy day or speaking engagement which involves travel). Webcasts stay the same, at $5,000 if we don’t need to travel. Our retainer rates are increasing slightly, around $2-3K each, with $2,000 also being added to our Platinum plan to cover the travel for the two included strategy days: $10K for Silver. $15K for Gold. $25K for Platinum. The new pricing goes into effect immediately for all new clients and renewals. As a reminder, for our papers we offer licenses, not sponsorship, so nothing has changed there. Securosis Project Accelerators (our focused end-user workshops for SaaS providers, enterprise cloud security, security management, network security, and database/big data security) are still $10,000. We do have some other workshops in the… works for next year, so if you are interested in another topic just ask. If you have any other questions, just go ahead and email. Service levels remain the same. You can only blame yourselves for keeping us so darn busy. Share:

In the introduction to our series on Monitoring the Hybrid Cloud we went through all the disruptive forces which are increasingly complicating security monitoring. These include the accelerating move to cloud computing and expanding access via mobile devices. Those new models require much greater automation, and significantly less visibility and control over the physical layer of the technology stack. So you need to think about monitoring a bit differently. This starts with getting a handle on the nuances of monitoring, depending on where applications run, so we will discuss monitoring both IaaS (Infrastructure as a Service) and SaaS (Software as a Service). Not that we discriminate against PaaS (Platform as a Service), but it is similar enough to IaaS that the concepts presented are similar. We will also talk about private clouds because odds are you haven’t been able to unplug your data center, so you need to provide an end-to-end view of the infrastructure you use, including both technology you control (in your data center) and stuff you don’t (in the cloud). Monitoring IaaS The biggest and most obvious challenge in monitoring Infrastructure as a Service is the difference in visibility because you don’t control the physical stack. So you are largely restricted to logs provided by your cloud service provider. We see pretty good progress in the depth and granularity available from these cloud log feeds, but you still get much less detail than from devices in your data center. You also cannot tap the network to get actual traffic (packet capture). IaaS vendors offer abstracted networking so many networking features you have come to rely on aren’t available. Depending on the maturity of your security program and incident response process, you may not be doing much packet capture on your environment now, but either way it is no longer an option now in the cloud. We will go into more detail later in this series, but one workaround is to run all traffic through a cloud-based choke point for collection. In essence you perform a ‘man-in-the-middle’ attack on your own network traffic to regain a semblance of the visibility inside your own data center, but that sacrifices much of the architectural flexibility drawing you to the cloud in the first place. You also need to figure out where to both aggregate collected logs (both from the cloud service and from specific instances) and where to analyze them. These decisions hinge on a number of factors including where the technology stacks run, the kinds of analysis to perform, and what expertise is available on staff. We will tackle specific architectural options in our next post. Monitoring SaaS If monitoring IaaS offers a ‘foggy’ view compared to what you see in your own data center, Software as a Service is ‘dark’. You see what the SaaS provider shows you, and that’s it. You have access to neither the infrastructure running your application, nor the data stores that house your data. So what can you do? You can take solace in the fact that many larger SaaS vendors are starting to get the message from angry enterprise clients, and providing an activity feed you can pull into your security monitoring environment. It won’t provide visibility into the technology stack, but you will be able to track what your employees are doing within the service – including administrative changes, record modifications, and login history. Keep in mind that you will need to figure out thresholds and actions to alert on, mostly likely by taking a baseline of activity and then looking for anomalies. There are no out-of-the-box rules to monitor SaaS. And as with IaaS you need to figure out the best place to aggregate and analyze data. Monitoring a Private Cloud Private clouds virtualize your existing infrastructure in your own data center, so you get full visibility, right? Not exactly. You will be able to tap the network within the data center for additional visibility. But without proper access and instrumentation within your private cloud you cannot see what is happening within the virtualized environment. As with IaaS, you can route network traffic within your private cloud through an inspection point, but again that would reduce flexibility substantially. The good news is that many existing security monitoring platforms are rapidly adding the ability to monitor within virtual collection points which run in a variety of private cloud environments. We will address alternatives to extend your existing monitoring environment later in this series. SLAs are your friend As we teach in the CCSK (Certificate of Cloud Security Knowledge) course, you really don’t have much leverage to demand access to logs, events, or other telemetry in a cloud environment. So you will want to exercise whatever leverage you have during the procurement process; document specific logs, access, etc. in your agreements. You will find that some cloud providers (the smaller ones) are much more willing to be contractually flexible than the cloud gorillas. So you will need to decide whether the standard level of logging from the big guys is sufficient for the analysis you need. The key is that once you sign an agreement, what you get is what you get. You will be able to weigh in on product roadmaps and make feature requests, but you know how that goes. CloudSOC If a large fraction of your technology assets have moved into the cloud there is a final use case to consider: moving the collection, analysis, and presentation functions of your monitoring environment into the cloud as well. It may not make much sense to aggregate data from cloud-based resources, and then move the data to your on-premise environment for analysis. More to the point, it is cheaper and faster to keep logs and event data in low-cost cloud storage for future audits and forensic analysis. So you need to weigh the cost and latency of moving data to your in-house monitoring system against running monitoring and analytics in the cloud, in light of the varying pricing models for cloud-based

We continue to investigate the practical use of Threat Intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, we now turn our attention to Incident Response and Management. In this paper we go deep into how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources, to help narrow down the scope of your investigations. We have also put together a snappy process map depicting how IR/M looks when you factor in external data. To really respond faster you need to streamline investigations and make the most of your resources. That starts with an understanding of what information would interest attackers. From there you can identify potential adversaries and gather threat intelligence to anticipate their targets and tactics. With that information you can protect yourself, monitor for indicators of compromise, and streamline your response when an attack is (inevitably) successful. You will have incidents. If you can respond to them faster and more effectively that’s a good thing, right? Integrating Threat Intel into the IR process is one way to do that. We’d like to thank Cisco and Bit9 + Carbon Black for licensing the content in this paper. We are grateful that our clients see the value of supporting objective research to educate the industry. Without forward-looking organizations you would be on your own… or paying up to get behind the paywall of big research. Check out the paper’s landing page, or download it directly: Leveraging Threat Intelligence in Incident Response/Management (PDF). Share:

Security teams are tightly focused on bringing security to applications, and meeting compliance requirements in the delivery of applications and services. On the other hand job #1 for software developers is to deliver code faster and more efficiently, with security a distant second. Security professionals and developers often share responsibility for security, but finding the best way to embed security into the software development lifecycle (SDLC) is not an easy challenge. Agile frameworks have become the new foundation for code development, with an internal focus on ruthlessly rooting out tools and techniques that don’t fit this type of development. This means secure development practices, just like every other facet of development, must fit within the Agile framework – not the other way around. This paper offers an outline for security folks to understand development teams’ priorities and methodologies, and practical ways to work together within the Agile methodology. Here is an excerpt: Over the past 15 years, the way we develop software has changed completely. Development processes evolved from Waterfall, to rapid development, to extreme programing, to Agile, to Agile with Scrum, to our current darling: DevOps. Each evolutionary step was taken to build better software by improving the software building process. And each step embraced changes in tools, languages, and systems to encourage increasingly agile processes, while discouraging slower and more cumbersome processes. The fast flux of development evolution gradually deprecated everything that impeded agility … including security. Agile had an uneasy relationship with security because its facets which promoted better software development (in general) broke existing techniques for building security into code. Agile frameworks are the new foundation for code development, with an internal focus on ruthlessly rooting out tools and techniques that don’t fit the model. So secure development practices, just like every other facet of development, must fit within the Agile framework – not the other way around. We are also proud that Veracode has asked to license this content; without support like this we could not bring this quality research to you free of charge without registration. As with all our research, if you have questions or comments we encourage you to comment on the blog so open discussion can help the community. For a copy of the research download the PDF, or get a copy from our research library page on Secure Agile Development. Share: