Research

It is 6:44pm as I write this. Adrian just left after we recorded our first extended Firestarter/Happy Hour. The idea was that he would drive down, we would dial Mike in from Atlanta, talk about RSA stuff, Adrian would leave, and I would finish off work. It was a pretty sweet plan. Right up until some semi rolled over at a major intersection near my house, shutting down both a highway and an arterial surface street. Adrian’s ride was delayed, but the beer wasn’t. My wife was also delayed because she handles daycare pickups (I do dropoffs), but the beer wasn’t. You see where this is headed? I had some wonderful pre-RSA things to talk about today. Mostly how I’m finding that in my hands-on research I am pushing beyond the capabilities of some products I am working with. I am asking for API calls that don’t exist and features that aren’t exposed. And yet. So far I have been mostly able to work around these issues. Oh, your API can’t identify XYZ in AWS? No worries, I can code that up pretty quickly. To be honest, this is really new territory for me as an analyst and as a developer. In my dev days I mostly stuck to one platform and one database, and learned the lines pretty quickly. As analysts we mostly talk to users and vendors to understand how things work – we don’t really have the resources to get hands-on with products, and even if we did, that wouldn’t reflect operational realities (which is why most magazine/whatever writeups are garbage). But now with cloud and DevOps I can dig in and explore tools and technologies to an unprecedented degree. I am learning that some of what I’m trying is pushing the limits, and I get to figure out alternative ways of solving the random problem I picked. I won’t lie – this is a blast. Sure, it’s frustrating to hit a technical issue beyond my capabilities, but it is incredibly satisfying when I learn a significant percentage of them aren’t due to personal failures, but instead limitations of what I am working with. As an analyst that is awesome. There is no better validation that I am on the right track than breaking things, at a fundamental level. And to be honest this is the kind of intellectual curiosity I think defines a security professional. My advantage is that I figured out how to make a living out of writing about stuff, and producing crappy code that could never withstand a production environment. No accountability? Sign me up, baby! At this pint I should probably mention that I am 5 craft brews in, so… er…. I am not responsible for this Summary. That is all. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mort quoted in Network World. Favorite Securosis Posts Adrian Lane: Deep Dive on Data Security. Mike Rothman: Deep Dive on Cloud Security. Rich kills it in his RSA Conference Guide piece on Cloud Security. He understands how all the pieces fit together. Read it – it will be pretty pertinent over the next couple years. Dave Lewis: After-School Special: It’s Time We Talked – about Big Data Security. David Mortman: RSA Conference Guide 2014 Watch List: DevOps. Rich: The (Full) 2014 Securosis RSA Conference Guide. Sure, we write the pieces, but for the past couple years Mike has pulled it together and added some serious awesome with his mad meme skills. He is really the driver who adds the awesome. Even if you already read the posts, you need to check out the PDF. Especially the IDM section – that’s all I will say. Other Securosis Posts Security Analytics with Big Data Research Paper. Incite 2/19/2014: Outwit, Outlast, OutRSA. Join the Securosis Firestarter Happy Hour: RSA Edition. Firestarter: Payment Madness. RSA Conference Guide 2014 Deep Dive: Endpoint Security. RSA Conference Guide 2014 Deep Dive: Identity and Access Management. RSA Conference Guide 2014 Deep Dive: Security Management and Compliance. RSA Conference Guide 2014 Deep Dive: Application Security. Favorite Outside Posts Adrian Lane: The thing to know about JavaScript. Ad a newbie with Javascript and NodeJS, I found this helpful. Mike Rothman: Wealth Logic founder shares his insights. Pretty much everyone has money pressures one way or another. I really liked this guy’s perspective. This is the money quote: “In other words, the portfolio’s purpose isn’t to produce income, but to be consumed to fuel your life. The goal isn’t to be the richest guy in the graveyard.” Man, that’s good advice. Rich: Target hack cost banks and credit unions more than $200 million. These are the kinds of numbers that move the meter. Gal: Swiss fighters grounded during hijacking as outside office hours. One of those stories that defies commentary. Rich (yup, another one): My hope for the new Cosmos. The original had a profound affect on how I see the world. My kids are probably too young but I will try to force this on them anyway. Research Reports and Presentations Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Executive Guide to Pragmatic Network Security Management. Security Awareness Training Evolution. Firewall Management Essentials. A Practical Example of Software Defined Security. Top News and Posts Fix it tool available to block Internet Explorer attacks leveraging CVE-2014-0322 Shostack’s got a new book on Threat Modeling Forbes, Kickstarter breached New Whitepaper: Security at Scale: Logging in AWS. Iranian hack of US Navy network was more extensive and invasive than previously reported. RSA Exhibitor Guidelines that Make You Think…. Behind every line item, there is a story. Emergency Adobe Flash Update Handles Zero Day Under Attack. Share:

Yes, you have seen this content because we have been blogging it for 10 days. But you can’t really take our blog with you to the RSA Conference, can you? Oh, smartphone browsers. Never mind.   Anyway, we have spent some time packaging up our key themes and deep dives, breaking the vendors up into logical areas, and listing all the vendors so you know where to find them at the show. We have also gone a bit nuts with the memegenerator, so at minimum the guide should keep you entertained. And just another reminder to RSVP for the DR Breakfast. The entire week will be epic. Start it off right with the 2014 RSA Conference Guide! Download (PDF): The 2014 Securosis RSA Conference Guide Share:

  I am happy to announce the release of a research paper a long time in the making: Security Analytics with Big Data. This topic generates tons of questions from end users, and we get them from large and mid-sized enterprises alike. The goals of this research project were threefold: The research outline Describes what security analytics with big data is and what it looks like Discusses how it is different than past tools and platforms Discusses the main use cases These topics mirror our early discussions around security analytics. Big data is a very new and very disruptive trend, so how we might use big data to help with security problems was interesting to the community as a whole. Answering questions about how to leverage virtually free NoSQL analytics tools to do a better job of detecting security events is important – both for what is possible and to provide a picture of where the industry is heading. The story behind the research But a funny thing happened during the research – during interviews people invariably wanted to know how it works within their environment. Many people did not want to just start evaluating security analytics options – they were keen to leverage existing investments and build on infrastructure they already own. The backstory is relevant because this ended up becoming three contiguous research projects, and then we massaged the content into this final paper to address the full breadth of questions. When I begun this work a year ago I wanted to fully describe the skunkworks projects I was seeing at some small and mid-sized firms. Both security companies and motivated individuals were using multiple NoSQL variants to detect security problems, often either with a new approach or at a unprecedented cost we had not seen before. Those trends are reflected in this research. Along the way I spoke with 20 large enterprises, and I kept getting the same request: “We are interested in security analytics, but we want to blend both the data and analysis with existing investments”. Most of the time these firms were referring to SIEM, but occasionally they had data warehouses with other information they wished to reference as well. That is also reflected in the paper. But when I got to this point, things got a bit odd. Once our research papers are completed we see if companies are interested in licensing our research to educate employees, customers, or the larger IT community. The responses I got were, “This is not in line with our position”, “This research does not reflect what we see”, “This research does not differentiate our solution” and “Our SIEM was big data before there was big data”. The broader scope of this research generated a degree of negative feedback which got me thinking I had totally missed the mark, asked the wrong questions, or simply talked to too few of customers. I spent another 6 months going through new interviews with a broader set of questions, and speaking to more data architects, vendors, and would-be customers. Retracing my steps reaffirmed that the research was on target, and I feel this paper captures the market today. Customer interest and inquiries outpace what the vendor community is prepared to offer, and customers are asking for capabilities outside the vendor storylines. So this paper tells a decidedly different story than what you are likely to hear elsewhere. Recommendations First and foremost, this is a research paper to educate end users on what security analytics with big data is, the value it provides, and how to distinguish big data solutions from pretenders. That is its core value. If you are going to “roll your own” big data security analytics cluster, this research provides a sample of what other firms are doing, architectures they use, and the underlying components they leverage to support their work. It will help you understand what types of data you probably already have at your disposal, and what observations you can derive from it. If you are looking to acquire a big data analytics solution this research will help you understand potential risks in realizing your investment and help with rollout and integration. You can download a copy on its landing page: Security Analytics with Big Data. We hope you find this information helpful, and as always please ask questions or provide feedback on the blog. Share:

No, we aren’t talking about Survivor, which evidently is still on the air. Who knew? This week the band of merry Securosis men are frantically preparing for next week’s RSA Conference. We’ll all descend on San Francisco Sunday afternoon to get ready for a week of, well, work and play. I saw Stiennon tweet about his 50 meetings/briefings, etc. – claiming that’s a new personal record. That’s not #winning. That’s #losing – at least to me. I have way too many meetings scheduled – and that even doesn’t count all the parties I have committed to attending. Pretty much every minute of every day is spoken for. My liver hurts already. RSA is a war of attrition. By Friday when I fly home I am always a mess. A few years ago I ran into Andy Jaquith on the BART train back to the airport afterwards. He tried his best to make conversation, but I had nothing. I could hardly string three words together. I grunted a bit and scrawled a note that I’d call him the following week. I sleep well on Friday night when I get home. And most of Saturday too. I pray to a variety of deities to fend off the con flu. Usually to no avail – the RSA Conference grinds even the hardiest of souls into dust. But I really can’t complain much. As much as I whine about the crazy schedule, the lack of sleep, and the destruction of billions of brain cells, I love the RSA Conference. I get to see so many friends I have made over the past 20 years in this business. I get to see what’s new and exciting in the business, validate some of my research, and pick the brains of many smart folks. We are lucky to meet up with many of our clients and provide our view of the security world. I also find out about many new opportunities do work with those clients, and based on early indications March and April should be very busy indeed. So it’s all good. Based on early RSVPs we expect record numbers at our Disaster Recovery Breakfast Thursday morning. A ton of folks are interested in the talk on mindfulness JJ and I are doing at the show. And the 2014 Security Bloggers Meetup will be bigger and better than ever. Yes, if you can’t tell, I’m really looking forward to the Conference. And I look forward to seeing many of you there. –Mike PS: I learned yesterday that a pillar of the Atlanta security community passed away recently. So I’ll have a drink or ten in honor of Dan Combs. He was a good man. A good security guy. And he will be missed. RIP Dan. It’s just another reminder that our time here is short, so enjoy it, have fun, maximize each day, and live as large as you can. You never know which RSA Conference will be your last… Photo credit: “Survivor Finale” originally uploaded by Kristin Dos Santos Securosis Firestarter Have you checked out our new video podcast? Basically Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep to less than 15 minutes and usually fail. Feb 17 – Payment Madness Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom Jan 27 – Government Influence Jan 20 – Target and Antivirus Jan 13 – Crisis Communications 2014 RSA Conference Guide We’re at it again. For the fifth year we are putting together a comprehensive guide to want you need to know if you will be in San Francisco for the RSA Conference at the end of February. The full guide (with tons of memes and other humor that doesn’t translate to the blog) will be available later today. We will also be recording a special Firestarter video on Thursday, since you obviously can’t get enough of our mugs. Look for that on Friday… Key Themes Watch List: DevOps Key Theme: Cloud Everything Key Theme: Crypto and Data Protection Key Theme: Retailer Breaches Key Theme: Big Data Security Key Theme: APT0 Deep Dives Data Security Cloud Security Endpoint Security Identity and Access Management Security Management and Compliance Application Security Network Security And don’t forget to register for the Disaster Recovery Breakfast, 8-11am Thursday, at Jillian’s. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. The Future of Information Security Implications for Cloud Providers Implications for Security Vendors What it means (Part 3) Six Trends Changing the Face of Security A Disruptive Collision Introduction Leveraging Threat Intelligence in Security Monitoring Quick Wins with TISM The Threat Intelligence + Security Monitoring Process Revisiting Security Monitoring Benefiting from the Misfortune of Others Advanced Endpoint and Server Protection Prevention Assessment Introduction Newly Published Papers Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing What CISOs Need to Know about Cloud Computing Defending Against Application Denial of Service Security Awareness Training Evolution Firewall Management Essentials Incite 4 U Call it the Llama Clause: Just to get you in the RSA Conference state of mind, check out this great post from the Denim Group folks who are just learning about the nuances of exhibiting at RSA. Yup, there is a “no animals” restriction. Turns out not only can’t you bring a llama, you can’t bring a rhino either. Which is a bummer because a live rhino would be second only to Nir Zuk as booth catnip. You also can’t have loud noises or bad odors. Neither of which seems to be restricted at DEFCON. Apparently they also have a booth babe clause, or at least the right to ban folks unprofessionally or objectionably dressed. By the way, that would seem to be a bit of a subjective measure, no? For those attendees who don’t

When we started the FireStarter we also decided to try a quarterly (or whenever convenient) extended edition that breaks out of our usual 15-minute time limit. We will be recording the very first of these this Thursday at 5pm ET. As usual, we will use Google Hangouts, and I have scheduled it so it shows up on the Securosis page. You can also watch live on YouTube. We will take questions and comments using the Hangouts On Air Q&A tool, and because Google doesn’t like anonymous comments on YouTube any more, we will keep an eye on Twitter (don’t forget – there is a bit of a delay). There will be beer, and you’ll get to see my home tiki bar. Share:

This is our last regular Firestarter before we record our pre-RSA Quarterly Happy Hour. This week, after a few non-sequiturs, we talk about the madness of payment systems. It seems the US is headed towards chip and signature, not chip and PIN like the rest of the world, because banks think American are too stupid to remember a second PIN. Share:

It is possible that 2014 will be the death of data security. Not only because we analysts can’t go long without proclaiming a vibrant market dead, but also thanks to cloud and mobile devices. You see, data security is far from dead, but is is increasingly difficult to talk about outside the context of cloud, mobile, or… er… Snowden. Oh yeah, and the NSA – we cannot forget them. Organizations have always been worried about protecting their data, kind of like the way everyone worries about flossing. You get motivated for a few days after the most recent root canal, but you somehow forget to buy new floss after you use up the free sample from the dentist. But if you get 80 cavities per year, and all your friends get cavities and walk complaining of severe pain, it might be time for a change. Buy us or the NSA will sniff all your Snowden We covered this under key themes, but the biggest data security push on the marketing side is going after one headlines from two different angles: Protect your stuff from the NSA. Protect your stuff from the guy who leaked all that stuff about the NSA. Before you get wrapped up in this spin cycle, ask yourself whether your threat model really includes defending yourself from a nation-state with an infinite budget, or if you want to consider the kind of internal lockdown that the NSA and other intelligence agencies skew towards. Some of you seriously need to consider these scenarios, but those folks are definitely rare. If you care about these things, start with defenses against advanced malware, encrypt everything on the network, and look heavily at File Activity Monitoring, Database Activity Monitoring, and other server-side tools to audit data usage. Endpoint tools can help but will miss huge swaths of attacks. Really, most of what you will see on this topic at the show is hype. Especially DRM (with the exception of some of the mobile stuff) and “encrypt all your files” because, you know, your employees have access to them already. Mobile isn’t all bad We talked about BYOD last year, and it is still clearly a big trend this year. But a funny thing is happening – Apple now provides rather extensive (but definitely not perfect) data security. Fortunately Android is still a complete disaster. The key is to understand that iOS is more secure, even though you have less direct control. Android you can control more visibly, but its data security is years behind iOS, and Android device fragmentation makes it even worse. (For more on iOS, check out our a deep dive on iOS 7 data security. I suppose some of you Canadians are still on BlackBerry, and those are pretty solid. For data security on mobile, split your thinking into MDM as the hook, and something else as the answer. MDM allows you to get what you need on the device. What exactly that is depends on your needs, but for now container apps are popular – especially cross-platform ones. Focus on container systems as close to the native device experience as possible, and match your employee workflows. If you make it hard on employees, or force them into apps that look like they were programmed in Atari BASIC (yep, I used it) and they will quickly find a way around you. And keep a close eye on iOS 7 – we expect Apple to close its last couple holes soon, and then you will be able to use nearly any app in the App Store securely. Cloud cloud cloud cloud cloud… and a Coke! Yes, we talk about cloud a lot. And yes, data security concerns are one of the biggest obstacles to cloud deployments. On the upside, there are a lot of legitimate options now. For Infrastructure as a Service look at volume encryption. For Platform as a Service, either encrypt before you send it to the cloud (again, you will see products on the show floor for this) or go with a provider who supports management of your own keys (only a couple of those, for now). For Software as a Service you can encrypt some of what you send these services, but you really need to keep it granular and ask hard questions about how they work. If they ask you to sign an NDA first, our usual warnings apply. We have looked hard at some of these tools, and used correctly they can really help wipe out compliance issues. Because we all know compliance is the reason you need to encrypt in cloud. Big data, big budget Expect to see much more discussion of big data security. Big data is a very useful tool when the technology fits, but the base platforms include almost no security. Look for encryption tools that work in distributed nodes, good access management and auditing tools for the application/analysis layer, and data masking. We have seen some tools that look like they can help but they aren’t necessarily cheap, and we are on the early edge of deployment. In other words it looks good on paper but we don’t yet have enough data points to know how effective it is. Share:

We are in the home stretch, with only a few more deep dives to post. EPP: Living on Borrowed Time? Every year we take a step back and wonder if this is the year customers will finally revolt against endpoint protection suites and shift en masse to something free, or one of the new technologies focused on preventing advanced attacks. It is so easy to forget how important inertia is to security buying cycles. Combined with the continued (ridiculous) PCI mandate for ‘anti-malware’ (whatever that means), the AV vendors continue to print money. Our friends at 451 Group illustrate this with a recent survey. A whopping 5% of respondents are reducing their antivirus budget, while 13% are actually increasing the budget. Uh, what?!?! Most are maintaining the status quo, so you will see the usual AV suspects with their big RSA Conference booths, paid for by inertia and the PCI Security Standards Council. Sometimes it would be great to have a neutron cluebat to show the mass market the futility of old-school AV… Don’t Call It a Sandbox The big AV vendors cannot afford to kill their golden goose, so innovation is unlikely to come from them. The good news is that there are plenty of companies taking different approaches to detection at the endpoint and server. Some look at file analysis, others have innovative heuristics, and you will also see isolation technologies on the floor. Don’t forget old-school application control, which is making a comeback on the back of Windows XP’s end of life, and the fact that servers and fixed function devices should be totally locked down. We expect isolation vendors to make the most noise at the RSA Conference. Their approach is to isolate vulnerable programs (including Java, browsers, and/or Office suites) from the rest of the device so malware can’t access the file system or other resources to further compromise the device. Whether isolation is via virtualization, VDI, old-school terminal services, or newfangled endpoint isolation (either at the app or kernel level), it is all about accepting that you cannot stop infection, so you need to make sure malware can’t get to anything interesting on the device. These technologies are promising but not yet mature. We have heard of very few large-scale implementations but we need to do something different, so we are watching these technologies closely, and you should too. The Rise of the Endpoint Monitors As we described in the introduction to our Advanced Endpoint and Server Protection series, we are seeing a shift in budget from predominately prevention to detection and investigation functions. This is a great thing in light of the fact that you cannot stop all attacks. At the show we will see a lot of activity around endpoint forensics, driven by hype over the recent FireEye/Mandiant and Bit9/Carbon Black deals, bringing this technology into the spotlight. But there is a bigger theme – what we call “Endpoint Activity Monitoring”. It involves storing very detailed historical endpoint (and server) telemetry, and then searching for indicators of compromise in hopes of identifying new attacks that evade the preventative controls. This allows you to find compromised devices even if they are dormant. Of course if isolation is immature technology, endpoint activity monitoring is embryonic. There are a bunch of different approaches to storing that data, so you will hear vendors poking each other about whether they store on-site or in the cloud. They also have different approaches to analyzing that massive amount of data. But all these technical things obscure the real issue: whether these technologies can scale. This is another technology to keep an eye on at the show. Endpoints and Network: BFF The other side of the coin discussed in our Network Security deep dive is that endpoint solutions to prevent and detect advanced malware need to work with network stuff. The sooner an attack can be either blocked or detected, the better, so being able to do some prevention/detection on the network is key. This interoperability is also important because running a full-on malware analysis environment on every endpoint is inefficient. Being able to have an endpoint or server agent send a file either to an on-premise network-based sandbox or a cloud-based analysis engine provides a better means of determining how malicious the file really is. Of course this malware analysis doesn’t happen in real time, and you usually cannot wait for a verdict from off-device analysis before allowing the file to execute on the device. So devices will still get popped but technology like endpoint activity monitoring, described above, gives you the ability to search for devices that have been pwned using a profile of the malware from analysis engines. Mobile? Most MDM vendors have been bought, so managing these devices is pretty much commodity technology now. Every endpoint protection vendor has a mobile offering they are bundling into their suite. But nobody seems to care. It’s not that these products aren’t selling. They are flying off the virtual shelves, but they are simply not exciting. And if it’s not exciting you won’t hear much about it at the conference. Some new startups will be introducing technologies like mobile IPS, but it just seems like yesterday’s approach to a problem that requires thinking differently. Maybe these folks should check out Rich’s work on protecting iOS, which gets down to the real issue: the data. It seems like the year of mobile malware is coming – right behind the year of PKI. Not that mobile malware doesn’t exist, but it’s not having enough impact to fire the industry up. Which means it will be a no-show at the big show. Share:

In our 2013 RSA Guide we wrote that 2012 was a tremendous year for cloud security. We probably should have kept our mouth shut and remembered all those hype cycles, adoption curves, and other wavy lines because 2013 blew it away. That said, cloud security is still quite nascent, and in many ways losing the race with the cloud market itself, expanding the gap between what’s happening in the cloud and what’s actually being secured in the cloud. The next few years are critical for security professionals and vendors as they risk being excluded from cloud transformation projects, and thus find themselves disengaged in enterprise markets as cloud vendors and DevOps take over security functions. Lead, Follow, or Get the Hell out of the Way 2013 saw cloud computing begin to enter the fringes of the early mainstream. Already in 2014 we see a bloom of cloud projects, even among large enterprises. Multiple large financials are taking tentative steps into public cloud computing. When these traditionally risk-averse technological early adopters put their toes in the water, the canary sings (okay, we know the metaphor should be that the canary dies, but we don’t want to bring you down). Simultaneously we see cloud providers positioning themselves as a kind of security providers. Amazon makes abundantly clear that they consider security one of their top two priorities, that their data centers are more secure than yours, and that they can wipe out classes of infrastructure vulnerabilities to let you focus on applications and workloads. Cloud storage providers are starting to provide data security well beyond what most enterprises can even dream of implementing (such as tracking all file access, by user and device). In our experience Security has a tiny role in many cloud projects, and rarely in the design of security controls. The same is true for traditional security vendors, who have generally failed to adapt their products to meet new cloud deployment patterns. We can already see how this will play out at the show, and in the market. There is a growing but still relatively small set of vendors taking advantage of this gap by providing security far better attuned to cloud deployments. These are the folks to look at first if you are involved in a cloud project. One key to check out is their billing model: do they use elastic metered pricing? Can they help secure SaaS or PaaS, like a cloud database? Or is their answer, “Pay the same as always, run our virtual appliance, and route all your network traffic through it.” Sometimes that’s the answer, but not nearly as often as it used to be. And assess honestly when and where you need security tools, anyway. Cloud applications don’t have the same attack surface as traditional infrastructure. Risks and controls shift; so should your investments. Understand what you get from your provider before you start thinking about spending anywhere else. SECaaS Your SaaS We are getting a ton of requests for help with cloud vendor risk assessment (and we are even launching a 1-day workshop), mostly driven by Software as a Service. Most organizations only use one to three Infrastructure as a Service providers, but SaaS usage is exploding. More often than not, individual business units sign up for these services – often without going through procurement process. A new set of vendors is emerging, to detect usage of SaaS, help integrate it into your environment (predominantly through federated identity management), and add a layer of security. Some of these providers even provide risk ratings, although that is no excuse for not doing your own homework. And while you might think you have a handle on SaaS usage because you block Dropbox and a dozen other services, there are thousands of these things in active use. And, in the words of one risk officer who went around performing assessments: at least one of them is a shared house on the beach with a pile of surfboards out front, an open door, and a few servers in a closet. There are a dozen or more SaaS security tools now on the market, and most of them will be on the show floor. They offer a nice value proposition but implementation details vary greatly, so make sure whatever you pick meets your needs. Some of you care more about auditing, others about identity, and others about security, and none of them really offer everything yet. Workload Security Is Coming “Cloud native” application architectures combine IaaS and SaaS in new highly dynamic models that take advantage of autoscaling, queue services, cloud databases, and automation. They might pass a workload (such as data analysis) to a queue service, which spins up a new compute instance in the current cheapest zone, which completes the work, and then passes back results for storage in a cloud database. Under these new models – which are in production today – many traditional security controls break. Vulnerability assessment on a server that only lives for an hour? Patching? Network IDS, when there is no actual network to sniff? Talk to your developers and cloud architects before becoming too enamored with any cloud security tools you see on the show floor. What you buy today may not match your needs in six months. You need to be project driven rather than product driven because you can no longer purchase one computing platform and use it for everything. That is, again, why we think you should focus on elastic pricing that will fit your cloud deployments as they evolve and change. So an elastic pricing model is often the best indicator that your vendor ‘gets’ the cloud. Barely Legal SECaaS We are already running long, so suffice it to say there are many more security offerings as cloud services, and a large percentage of them are mature enough to satisfy your needs. The combination of lower operational management costs, subscription pricing, pooled threat intelligence, and other analytics, is often better than what you can deploy and manage completely internally. You still need to

One of the biggest trends in security gets no respect at RSA. Maybe because identity folks still look at security folks cross-eyed. But this year things will be a bit different. Here’s why: The Snowden Effect Companies are (finally) dealing with the hazards of privilege – a.k.a. Privileged User Access. Yes, we hate the term “insider threat” – we have good evidence that external risks are the real issue. That said, logic does not always win out – many companies are asking themselves right now, “How can I stop a ‘Snowden Incident’ from happening at my company?” This Snowden Effect is getting traction as a marketing angle, and you will see it on the RSA Conference floor because people are worried about their dirty laundry going public. Aside from the marketing hype, we have been surprised by the zeal with which companies are now pursuing technology to enforce Privileged User Access policies. The privileged user problem is not new, but companies’ willingness to incur cost, complexity, and risk to address it is. Part of this is driven by auditors assigning higher risk to these privileged accounts (On a cynical note, we have to wonder, “What’s the matter, big-name audit firm? All out of easy findings?”). But sometimes the headline news does really scare the bejesus out of companies in that vertical (that’s right, we’re looking at you, retailers). Whatever the reason, companies and external auditors are waking up to privileged users as perhaps the largest catalyst in downside risk scenarios. Attackers go after databases because that’s where the data is (duh). The same goes for privileged accounts – that’s where the access is! But while the risk is almost universally recognized, what to do about it isn’t – aside from “continuous improvement”, because hey, everyone needs to pass their audit. One reason the privileged user problem has persisted so long is that the controls often reduce productivity of some of the most valuable users, drive up cost, and generally increase availability risk. Career risk, anyone? But that’s why security folks make the big bucks. High-probability events gets the lion’s share of attention, but lower-probability gut-punch events like privileged user misuse have come to the fore. Buckle up! Nobody cares what your name is! Third-party identity services and cloud-based identity are gaining momentum. The need for federation (to manage customer, employee, and partner identities), and two-factor authentication (2FA) to reduce fraud are both powerful motivators. But we expected last year’s hack of Mat Honan to start a movement away from passwords in favor of certificates and other better user authentication tools. But what we got was risk-based handling of requests on the back end. It is not yet the year of PKI, apparently. Companies are less concerned with logins and more concerned with request context and metadata. Does the user normally log in at this time? From that location? With that app? Is this a request they normally make? Is it for a typical dollar amount? A lot more is being spent on analytics to determine ‘normal’ behavior than on replacing identity infrastructure, and fraud analytics on the back end are leading the way. In fact precious little attention is being paid to identity systems on the front end – even payment processors are discussing third-party identity from Facebook and Twitter for authentication. What could possibly go wrong? As usual cheap, easy, and universally available trump security – for authentication tools, this time. To compensate, effort will need to be focused on risk-based authorization on the back end. Share: