Securosis

Mike’s Upcoming Webcasts

After being on the road for what seems like a long time (mostly because it was), I will be doing two webcasts next week which you should check out.

Disruption Ahead: How Tectonic Technology Shifts Will Change Network Security. Next Tuesday (April 1 at 11 am ET) I will be applying our Future of Security concepts to the network security business. Tufin’s Reuven Harrison will be riding shotgun and we will have a spirited Q&A after my talk to discuss some of the trends he is seeing in the field. Register for this talk.

Security Management 2.5: Replacing your SIEM Yet? On Wednesday, April 2 at 11 am ET I will be covering our recent SIEM 2.5 research on a webcast with our friends at IBM. I will be homing in on the forensics and security analytics capabilities of next-generation SIEM. You can register for that event as well.

See you there, right?

UPDATE: I added the links. Driver error.


Incite 3/26/2014: One Night Stand

There is no easy way to say this. I violated a vow I made years ago. It wasn’t a spur of the moment thing. I have been considering how to do it, without feeling too badly, for a few weeks. The facts are the facts. No use trying to obscure my transgression. I cheated. If I’m being honest, after it happened I didn’t feel bad. Not for long anyway.

This past weekend, I ate both steak and bacon. After deciding to stop eating meat and chicken almost 6 years ago. Of course there is a story behind it. Basically I was in NYC celebrating a close friend’s 45th birthday and we were going to Peter Luger’s famous steakhouse. Fish isn’t really an option, and the birthday boy hadn’t eaten any red meat for over 20 years. Another guy in the party has never eaten bacon. Never! So we made a pact. We would all eat the steak and bacon. And we would enjoy it. It was a one night stand. I knew it would be – it meant nothing to me. I have to say the steak was good. The bacon was too. But it wasn’t that good. I enjoyed it, but I realized I don’t miss it. It didn’t fulfill me in any way. And if I couldn’t get excited about a Peter Luger steak, there isn’t much chance of me going back to my carnivorous ways. Even better, my stomach was okay. I was nervously awaiting the explosive alimentary fallout that goes along with eating something like a steak after 6 years. Although the familiar indigestion during the night came back, which was kind of annoying – that has been largely absent for the past 6 years – but I felt good. I didn’t cramp, nor did I have to make hourly trips to the loo. Yes, that’s too much information, but I guess my iron stomach hasn’t lost it. To be candid, the meat was the least of my problems over the weekend. It was the Vitamin G and the Saturday afternoon visit to McSorley’s Old Ale House that did the damage. My liver ran a marathon over the weekend. One of our group estimated we might each have put down 2 gallons of beer on Saturday. That may be an exaggeration, but it may not be. I have no way to tell. And that’s the way it should be on Boys’ Weekend. Now I get to start counting days not eating meat again. I’m up to 5 days and I think I’ll be faithful for a while…

–Mike

Photo credit: “NoHo Arts District 052309” originally uploaded by vmiramontes

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

  • March 19 – An Irish Wake
  • March 11 – RSA Postmortem
  • Feb 21 – Happy Hour – RSA 2014
  • Feb 17 – Payment Madness
  • Feb 10 – Mass Media Abuse
  • Feb 03 – Inevitable Doom
  • Jan 27 – Government Influence
  • Jan 20 – Target and Antivirus
  • Jan 13 – Crisis Communications

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Defending Against Network Distributed Denial of Service Attacks
  • Introduction

Advanced Endpoint and Server Protection
  • Quick Wins
  • Detection/Investigation
  • Prevention
  • Assessment
  • Introduction

Newly Published Papers
  • Reducing Attack Surface with Application Control
  • Leveraging Threat Intelligence in Security Monitoring
  • The Future of Security
  • Security Management 2.5: Replacing Your SIEM Yet?
  • Defending Data on iOS 7
  • Eliminating Surprises with Security Assurance and Testing
  • What CISOs Need to Know about Cloud Computing

Incite 4 U

Palo Alto Does Endpoints: It was only a matter of time. After the big FireEye/Mandiant deal and Bit9/Carbon Black, Palo Alto Networks needed to respond. So they bought a small Israeli start-up named Cyvera for $200 million! And I thought valuations were only nutty in the consumer Internet market. Not so much. Although no company can really have a comprehensive advanced malware story without technology on the network and endpoints. So PANW made the move, and now they need to figure out how to sell endpoint agents, which are a little bit different than boxes in the perimeter… – MR

Payment Tokenization Evolution: EMVCo – the Visa, Mastercard, and Europay ‘standards’ organization – has released the technical architecture for a proposed Payment Tokenisation Specification, which will alter payment security around the globe over the coming years. The framework is flexible enough to both enable Near Field Communication (NFC, aka mobile payments) and help combat Card Not Present fraud – the two publicly cited reasons for the card brands to create a tokenization standard in parallel with promotion of EMV-style “smart cards” in the US. The huge jump in recent transactional fraud rates demands some response, and this looks like a good step forward. The specification does not supersede use of credit card numbers (PAN) for payment yet, but would enable merchants to support either PAN or tokens for payment. And this would be done either through NFC – replacing a credit card with a mobile device – or via wallet software (either a mobile or desktop application). For those of you interested in the more technical side of the solution, download the paper and look at the token format! They basically create a unique digital certificate for each transaction, which embeds merchant and payment network data, and wrap it with a signature. And somewhere in the back office the payment gateways/acquirer (merchant bank) or third-party service will manage a token vault. More to come – this warrants detailed posts. –


Firestarter: The End of Full Disclosure

Last week we held a wake for Windows XP. This week we continue that trend, as we discuss the end of yet another era – coincidentally linked to XP. Last week the venerable Thunderdome of security lists bid adieu, as the Full Disclosure list suddenly shut down. And yes, this discussion is about more than just one email list going bye-bye. The audio-only version is up too.


Friday Summary: March 21, 2014—IAM Mosaic Edition

Researching and writing about identity and access management over the last three years has made one thing clear: This is a horrifically fragmented market. Lots and lots of vendors who assemble a bunch of pieces together to form a ‘vision’ of how customers want to extend identity services outside the corporate perimeter – to the cloud, mobile, and whatever else they need. And for every possible thing you might want to do, there are three or more approaches. Very confusing. I have had it in mind for several months to create a diagram that illustrates all the IAM features available out there, along with how they all link together. About a month ago Gunnar Peterson started talking about creating an “identity mosaic” to show how all the pieces fit together. As with many subjects, Gunnar and I were of one mind on this: we need a way to show the entire IAM landscape. I wanted to do something quick to show the basic data flows and demystify what protocols do what. Here is my rough cut at diagramming the current state of the IAM space:

But when I sent over a rough cut to Gunnar, he responded with: “Only peril can bring the French together. One can’t impose unity out of the blue on a country that has 265 different kinds of cheese.” – Charles de Gaulle

Something as basic as ‘auth’ isn’t simple at all. Just like the aisles in a high-end cheese shop – with all the confusing labels and mingled aromas, and the sneering cheese agent who cannot contain his disgust that you don’t know Camembert from Shinola – identity products are unfathomable to most people (including IT practitioners). And no one has been able to impose order on the identity market. We have incorrectly predicted several times that recent security events would herd the identity vendor cats in a single unified direction. We were wrong. We continue to swim in a market with a couple hundred features but no unified approach. Which is another way to say that it is very hard to present this market to end users and have it make sense.

A couple points to make on this diagram:

  • This is a work in progress. Critique and suggestions encouraged.
  • There are many pieces to this puzzle and I left a couple things out which I probably should not have. LDAP replication? Anyone?
  • Note that I did not include authorization protocols, roles, attributes, or other entitlement approaches!
  • Yes, I know I suck at graphics.

Gunnar is working on a mosaic that will be a huge four-dimensional variation on Eve Mahler’s identity Venn diagram, but it requires Oculus Rift virtual reality goggles. Actually he will probably have his kids build it as a science project, but I digress. Do let us know what you think.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
  • Mort quoted in Network World.

Favorite Securosis Posts
  • Mike Rothman: Firestarter: An Irish Wake
  • Most of us chose this one: Jennifer Minella Is Now a Securosis Contributing Analyst.

Other Securosis Posts
  • Incite 3/18/2014: Yo Mama!
  • Webinar Tomorrow: What Security Pros Need to Know About Cloud.
  • Defending Against Network Distributed Denial of Service Attacks [New Series].
  • Reminder: We all live in glass houses.
  • New Paper: Reducing Attack Surface with Application Control.

Favorite Outside Posts
  • A Few Lessons From Sherlock Holmes. Great post here about some of the wisdom of Sherlock that can help improve your own thinking.
  • Gunnar: Project Loon. Cloud? Let’s talk stratosphere and balloons – that’s what happens when you combine the Internet with the Montgolfiers.
  • Adrian Lane: It’s not my birthday. I was going to pick Weev’s lawyers appear in court by Robert Graham as this week’s Fav, but Rik Ferguson’s post on sites that capture B-Day information struck an emotional chord – this has been a peeve of mine for years. I leave the wrong date at every site, and record which is which, so I know what’s what.
  • Gal Shpantzer: Nun sentenced to three years, men receive five. Please read the story – it’s informative and goes into sentencing considerations by the judge, based on the histories of the convicted protesters, and the requests of the defense and prosecution. One of them was released in January 2012 for a previous trespass. At Y-12…
  • David Mortman: Trust me: The DevOps Movement fits perfectly with ITSM. Yes, trust him. He’s The Real Gene Kim!

Research Reports and Presentations
  • Reducing Attack Surface with Application Control.
  • Leveraging Threat Intelligence in Security Monitoring.
  • The Future of Security: The Trends and Technologies Transforming Security.
  • Security Analytics with Big Data.
  • Security Management 2.5: Replacing Your SIEM Yet?
  • Defending Data on iOS 7.
  • Eliminate Surprises with Security Assurance and Testing.
  • What CISOs Need to Know about Cloud Computing.
  • Defending Against Application Denial of Service Attacks.
  • Executive Guide to Pragmatic Network Security Management.

Top News and Posts
  • 110,000 WordPress Databases Exposed.
  • Whitehat Security’s Aviator browser is coming to Windows.
  • Missing the (opportunity of) Target.
  • PWN2OWN Results.
  • Symantec CEO fired. The official ‘CEO Transition’ Press Release.
  • This Is Why Apple Enables Bluetooth Every Time You Update iOS.
  • Threat Advisory: PHP-CGI At Your Command.
  • IBM says no NSA backdoors in its products.
  • Google DNS Hijack.
  • 14% of Starbucks transactions are now made with a mobile device. And what the heck is a “Chief Digital Officer”?
  • New Jersey Boy Climbs to Top of 1 World Trade Center.
  • Are Nation States Responsible for Evil Traffic Leaving Their Networks?
  • Full Disclosure shuts down.
  • NSA Program monitors content of all calls. Country details not provided.


Jennifer Minella Is Now a Contributing Analyst

We are always pretty happy-go-lucky around here, but some days we are really happy. Today is one of those days. As you probably grasped from the headline, we are insanely excited to announce that Jennifer ‘JJ’ Minella is now a Contributing Analyst here at Securosis. JJ has some of the deepest technical and product knowledge of anyone we know, on top of a strong grounding as a security generalist. As a security engineer she has implemented countless products in various organizations. She is also a heck of a good speaker/writer, able to translate complex topics into understandable chunks for non-techie types. There is a reason she worked her way up to the executive ranks. JJ also has one of the most refined BS sensors in the industry. Seems like a good fit, eh? This is actually a weird situation because we always wanted to have her on the team but figured she was too busy to ask. Mike and JJ even worked together for months on their RSA presentation. It was classic over-analysis – she didn’t hesitate when we finally brought it up. Okay, probably over beers at RSA, which is how a lot of our major decisions are made. JJ joins David Mortman, Gunnar Peterson, James Arlen, Dave Lewis, and Gal Shpantzer as a contributor. Mike, Adrian, and I feel very lucky to have such an amazing group of security pros practically volunteer their time to work with us and keep the research real.


Incite 3/18/2014: Yo Mama!

It’s really funny and gratifying to see your kids growing up. Over the weekend XX1 took her first solo plane trip. I checked her in as an unaccompanied minor, and she miraculously got TSA Pre-check. Of course that didn’t mean I did with my gate pass. So the TSA folks did their darndest to maintain the security theater, and swabbed my hands and feet. We had some time so I figured we’d hang out in the airline club. Not so much. I have access to the SkyClub via my AmEx Platinum card, but evidently I have to be flying. So we got turned away at the door. Really? Total fail, Delta. And your club receptionist was mean. But I had XX1 with me, so I mumbled some choice words under my breath and just let her mention that person wasn’t nice. Then the gate agent called for her, and after a quick goodbye… Okay, not so quick – no goodbye is quick with XX1 – she headed down the jetway and was gone. Of course I got dispatches every 10 minutes or so via text. So I knew when her bag was in the overhead bin, when she got a refreshment, how much she was enjoying Tower Heist on the iPad, when the plane was loaded, and finally when she had to shut down her phone. She made it to her destination in one piece, and met Grandma at the gate. Another milestone achieved.

Then on Saturday morning I had the pleasure of taking the boy to breakfast. His sports activities (tennis and LAX) weren’t until afternoon so we had some boy time. As we were chatting I asked him about his friends. He then launched into a monologue about how all his friends tell Yo Mama! jokes now. He even had some pretty funny ones ready to go. He asked me if I had heard of those kinds of jokes. I just had to chuckle. You know those kids today – they invented everything. Though how they get their material is radically different. It seems they get the jokes on YouTube and then tell them to each other the next day at school. I had to actually read joke books to get my material and my delivery wasn’t very good. It seems to be in good fun, for now. I remember getting into fights with kids over those kinds of jokes, mostly because they weren’t really intended to be joking. And it’s a bit strange to think the Boss is the Mama in question, and at some point he may need to defend her honor. Although the Boy is pretty mild-mannered and very popular, so it’s hard to envision someone telling a joke to get a rise out of him. All the same, the kids are growing up. And unaccompanied plane rides and Yo Mama! jokes are all part of the experience.

–Mike

Photo credit: “Yo Mama’s Sign” originally uploaded by Casey Bisson

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

  • March 11 – RSA Postmortem
  • Feb 21 – Happy Hour – RSA 2014
  • Feb 17 – Payment Madness
  • Feb 10 – Mass Media Abuse
  • Feb 03 – Inevitable Doom
  • Jan 27 – Government Influence
  • Jan 20 – Target and Antivirus
  • Jan 13 – Crisis Communications

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Advanced Endpoint and Server Protection
  • Quick Wins
  • Detection/Investigation
  • Prevention
  • Assessment
  • Introduction

Newly Published Papers
  • Reducing Attack Surface with Application Control
  • Leveraging Threat Intelligence in Security Monitoring
  • The Future of Security
  • Security Management 2.5: Replacing Your SIEM Yet?
  • Defending Data on iOS 7
  • Eliminating Surprises with Security Assurance and Testing
  • What CISOs Need to Know about Cloud Computing

Incite 4 U

Pwn to Pwn: Our friend Mike Mimoso has a great summary of the annual Pwn2Own contest at CanSecWest. This is the one where prizes are paid out to researchers who can crack browsers and other high-value targets (all picked ahead of time, with particular requirements). The exploits are bought up and later passed on to the affected vendors. As usual, all the products were cracked, but the effort required seems higher and higher every year. This level of exploitation is beyond your usual script kiddie tactics, and it’s nice to see the OS and browser vendors make practical security advances year after year. On the downside, BIOS and firmware hacking are going beyond scary. I really feel bad I haven’t made it to CanSecWest (usually due to work conflicts so close to RSA), but I think I need to make it a priority next year. It’s a great event, and a powerful contributor to the security community. – RM

PCI is relevant. Really. It’s just those careless retailers: I’m in the air right now so I can’t check the TripWire folks’ interview with the PCI Standards Council’s Bob Russo at RSA, but some of the quotes I have seen are awesome. “People are studying for the test. Passing the compliance assessment and then leaving things open. They’re being careless,” said Bob Russo. Man, that is awesome. The standards are great – the retailers are just careless. Really? To be clear, Target was careless, but nowhere in the PCI standards do I see anything about locking down third-party access to non-protected information. Or having a network-based malware detection device to detect malware before it exfiltrates data. How about this one? “Russo said it


Firestarter: An Irish Wake

We originally recorded this episode on St. Patty’s Day and thought it would be nice to send off Windows XP with a nice Irish wake, but Google had a hiccup and our video was stuck in Never Never Land for an extra day. To be honest, we thought we lost it, so no complaints. But yes, the end is nigh, all your coffee shops are going to be hacked now that XP is unsupported, yadda yadda yadda…


Webinar Tomorrow: What Security Pros Need to Know About Cloud

Hey everyone, I mentioned it on Twitter but also wanted to post it here. Tomorrow I will be giving a webinar on What Security Pros Need to Know About Cloud, based on the white paper I recently released. CloudPassage is sponsoring the webinar, but, as always, the content is our objective view. You can register online, and we hope to see you there…


Reminder: We all live in glass houses

Forrester’s Rick Holland makes a great point in the epic Target Breach: Vendors, You’re Not Wrestlers, And This Isn’t The WWE post. Epic mostly because he figured out how to work the WWE and a picture of The Rock into a security blog post. Rick’s irritation with competitors trying to get a leg up on FireEye based on their presence in Target’s network is right on the money. Vendors who live in glass houses shouldn’t throw stones.

It didn’t take long; I’ve already started hearing FireEye competitors speaking out against their competitor’s role in the Target breach. As I mentioned above, this wasn’t a technology failure: FireEye detected the malware. This was a people/process/oversight failure.

We all live in glass houses and karma is a bitch. But more to the point, if you think I take as fact anything written about a security attack in the mainstream business press, you’re nuts. If Krebs writes something I believe it because he knows what he’s doing. Not that other reporters lack the technical credibility to get it right; some have it. But without the full and complete picture of an attack, trying to assign blame is silly. Clearly in Target’s case there were many opportunities to detect the malware and perhaps stop the breach. They didn’t, and they are suffering now. Their glass house is shattered. But this could happen to any organization at any time. And to think otherwise is idiotic. So think twice before thinking that would never happen to you. Never is a long time.

Photo credit: “Going into the Glass House” originally uploaded by Melody Joy Kramer


Defending Against Network Distributed Denial of Service Attacks [New Series]

Back in 2013, volumetric denial of service (DoS) attacks targeting networks were all the rage. Alleged hacktivists effectively used the tactic first against Fortune-class banks, largely knocking down major banking brands for days at a time. But these big companies adapted quickly and got proficient at defending themselves, so attackers then bifurcated their attacks. On one hand they went after softer targets like public entities (the UN, et al) and smaller financial institutions. They also used new tactics to take on content delivery networks like CloudFlare with multi-hundred-gigabyte attacks, just because they could.

In our Defending Against Denial of Service Attacks research we described network-based DoS attacks:

Network-based attacks overwhelm the network equipment and/or totally consume network capacity by throwing everything including the kitchen sink at a site – this interferes with legitimate traffic reaching the site. This volumetric type of attack is what most folks consider Denial of Service, and it realistically requires blasting away from many devices, so current attacks are called Distributed Denial of Service (DDoS). If your adversary has enough firepower it is very hard to defend against these attacks, and you will quickly be reminded that though bandwidth may be plentiful, it certainly isn’t free.

Application-based attacks are different – they target weaknesses in web application components to consume all the resources of a web, application, or database server to effectively disable it. These attacks can target either vulnerabilities or ‘features’ of an application stack to overwhelm servers and prevent legitimate traffic from accessing web pages or completing transactions.

The motivation for these attacks hasn’t changed much. Attackers tend to be either organized crime factions stealing money via ransom attacks, or hacktivists trying to make a point. We do see a bit of competitor malfeasance and Distributed DoS (DDoS) to hide exfiltration activities, but those don’t seem to be primary use cases any more. Regardless of motivation, attackers now have faster networks, bigger botnets, and increasingly effective tactics to magnify the impact of DDoS attacks, forcing most organizations to devote attention to implementing plans to mitigate these attacks.

After digging deeper into the application side of denial of service in Defending Against Application Denial of Service Attacks, we now turn our attention to the network side of the house. We are pleased to start this new series, entitled Defending Against Network Distributed Denial of Service Attacks. As with all our public research, we will build the series using our Totally Transparent Research model. Before we get going we would like to thank A10 Networks, as they have agreed to potentially license this research at the end of the project.

It’s Getting Easier

If anything, it is getting easier to launch large-scale network-based DDoS attacks. There are a few main reasons:

  • Bot availability: It’s not like fewer devices are being compromised. Fairly sophisticated malware kits are available to make it even easier to compromise devices. As a result there seem to be millions of (predominately consumer) devices compromised daily, adding to the armies which can be brought to bear in DoS attacks.
  • Faster consumer Internet: With a bandwidth renaissance happening around the world, network speeds into homes and small offices continue to climb. This enables consumer bots to blast targets with growing bandwidth, and this trend will continue as networks get faster.
  • Cloud servers: It is uncommon to see 50 Mbps sustained coming from a consumer device. But that is quite possible at the server level. Combine this with the fact that cloud servers (and management consoles) are Internet-facing, and attackers can now use compromised cloud servers to blast DDoS targets as well. This kind of activity is harder to detect because these servers should be pumping out more traffic.
  • Magnification: Finally, attackers are getting better at magnifying the impact of their attacks, manipulating protocols like DNS and ICMP which can provide order-of-magnitude magnification of traffic hitting the target site. This makes far better use of attacker resources, allowing them to use each bot sporadically and more lightly (in terms of bandwidth) to better hide from detection.

Limitations of Current Defenses

Before we dive into specifics of how these attacks work we need to remind everyone why existing network and security devices aren’t particularly well-suited to DDoS attacks. It’s not due to core throughput – we see service provider network firewalls processing upwards of 500 Gbps of traffic, and they are getting faster rapidly. But the devices aren’t architected to deal with floods of legitimate traffic from thousands of devices. Even with NGFW capabilities providing visibility into web and other application traffic, dealing with millions of active connection requests can exhaust link, session, and application handling capacity on security devices, regardless of their maximum possible throughput. IPS devices are in the same boat, except that their job is harder because they are actively looking for attacks and profiling activity to find malicious patterns. So they are far more compute-intensive, and have an even harder time keeping pace with DDoS bandwidth. In fact many attackers target firewalls and IPS devices with DDoS attacks, knowing the devices typically fail closed, rendering the target network inoperable.

You should certainly look to service providers to help deal with attacks, first by over-provisioning your networks. This is a common tactic for networking folks: throw more bandwidth at the problem. Unfortunately you probably can’t compete with a botmaster leveraging the aggregate bandwidth of all their compromised hosts. And it gets expensive to provision enough unused bandwidth to deal with a DDoS spike in traffic.

You can also look at CDNs (Content Delivery Networks) and/or a DoS scrubbing service. Unfortunately CDN offerings may not offer full coverage of your entire network and are increasingly DDoS targets themselves. Scrubbing centers can be expensive, and still involve downtime as you shift traffic routes to the scrubbing center. Finally, any scrubbing approach is inherently reactive – you are likely to already be down by the time you learn you have a problem.

Further complicating things is the fundamental challenge of simply detecting the onset of a DDoS attack. How can you tell the difference between a temporary spike in traffic and a full-on blitzkrieg on your
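The onset question the post ends on, and the DNS magnification it lists as a reason attacks are getting easier, can be made concrete with detection logic run over flow records. The block below is an added example, not Securosis research or any vendor's product; the flow-record format, the addresses, the baseline rate and the thresholds are all constructed assumptions. It separates a flood from an ordinary spike with two signals: a per-window inbound rate far above baseline that also arrives from many distinct sources (a single large download fails the source-count test), and inbound DNS responses for which the protected address never sent a matching query, which is the reflected, amplified pattern a defender sees on the victim side.

```python
"""Detecting the onset of a volumetric / amplified DDoS from flow records.

Added example (not Securosis code). The flow-record format, addresses,
baseline and thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict

TARGET = "203.0.113.10"   # constructed: the protected site's public address
WINDOW = 60               # seconds per analysis window
BASELINE_BPS = 1000       # constructed: inbound bits/s learned from a quiet period


def sample_lines():
    """Constructed flow export in a hypothetical key=value format."""
    lines = [
        # window 0: normal traffic, including a DNS query and its matching reply
        "ts=0 src=198.51.100.7 dst=203.0.113.10 proto=tcp sport=51000 dport=443 bytes=2400",
        "ts=1 src=203.0.113.10 dst=192.0.2.53 proto=udp sport=40001 dport=53 bytes=70",
        "ts=1 src=192.0.2.53 dst=203.0.113.10 proto=udp sport=53 dport=40001 bytes=120",
        "ts=2 src=198.51.100.9 dst=203.0.113.10 proto=tcp sport=51200 dport=443 bytes=3100",
        # window 1: one legitimate flow; 40 reflector responses are appended below
        "ts=75 src=198.51.100.9 dst=203.0.113.10 proto=tcp sport=51300 dport=443 bytes=2800",
        # window 2: a single large legitimate download (a spike, not an attack)
        "ts=120 src=198.51.100.7 dst=203.0.113.10 proto=tcp sport=51400 dport=443 bytes=2000000",
    ]
    # 40 distinct resolvers answering queries the target never sent (window 1)
    for i in range(40):
        lines.append(
            f"ts={60 + i} src=198.51.100.{100 + i} dst={TARGET} "
            f"proto=udp sport=53 dport=80 bytes=3800"
        )
    return lines


def parse_flow(line):
    """Parse one key=value flow record into a dict with numeric fields."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    for key in ("ts", "sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def window_stats(flows, target, window=WINDOW):
    """Inbound byte totals and distinct source sets per window for target."""
    stats = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        if f["dst"] == target:
            w = f["ts"] // window
            stats[w]["bytes"] += f["bytes"]
            stats[w]["sources"].add(f["src"])
    return stats


def volumetric_onset(flows, target, baseline_bps, window=WINDOW,
                     factor=10, min_sources=20):
    """Windows whose inbound rate exceeds factor*baseline AND comes from
    at least min_sources distinct addresses. One big transfer trips only
    the rate test; a distributed flood trips both."""
    hits = []
    for w, s in sorted(window_stats(flows, target, window).items()):
        bps = s["bytes"] * 8 / window
        if bps > factor * baseline_bps and len(s["sources"]) >= min_sources:
            hits.append(w)
    return hits


def unsolicited_dns_responses(flows, target, window=WINDOW):
    """Inbound UDP source-port-53 flows to target with no outbound query to
    the same peer and port in the same window: the reflected/amplified
    signature seen at the victim."""
    queries = set()
    for f in flows:
        if f["src"] == target and f["proto"] == "udp" and f["dport"] == 53:
            queries.add((f["ts"] // window, f["dst"], f["sport"]))
    return [
        f for f in flows
        if f["dst"] == target and f["proto"] == "udp" and f["sport"] == 53
        and (f["ts"] // window, f["src"], f["dport"]) not in queries
    ]


def assess(flows, target=TARGET, baseline_bps=BASELINE_BPS):
    """Combine both signals into one summary a responder could page on."""
    suspects = unsolicited_dns_responses(flows, target)
    avg = sum(f["bytes"] for f in suspects) / len(suspects) if suspects else 0.0
    return {
        "suspect_windows": volumetric_onset(flows, target, baseline_bps),
        "unsolicited_dns": len(suspects),
        "avg_response_bytes": avg,
    }


FLOWS = [parse_flow(line) for line in sample_lines()]

if __name__ == "__main__":
    print(assess(FLOWS))
```

Run as written, only window 1 is reported: window 0 is below the rate threshold, and window 2 carries far more bytes than window 1 but from a single source, so it reads as a spike rather than an onset. In practice the baseline would be learned per window from a quiet period, and the same unsolicited-response check extends to any reflected protocol (ICMP echo replies with no matching outbound request, for instance) by swapping the port match for the protocol's request/response pairing.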


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, at the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited to a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and to provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided with an outline of our research positions and the potential research product so they can determine whether it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.