Securosis

Research

RSA Conference Guide 2014 Deep Dive: Cloud Security

In our 2013 RSA Guide we wrote that 2012 was a tremendous year for cloud security. We probably should have kept our mouth shut and remembered all those hype cycles, adoption curves, and other wavy lines because 2013 blew it away. That said, cloud security is still quite nascent, and in many ways losing the race with the cloud market itself, expanding the gap between what’s happening in the cloud and what’s actually being secured in the cloud. The next few years are critical for security professionals and vendors as they risk being excluded from cloud transformation projects, and thus find themselves disengaged in enterprise markets as cloud vendors and DevOps take over security functions. Lead, Follow, or Get the Hell out of the Way 2013 saw cloud computing begin to enter the fringes of the early mainstream. Already in 2014 we see a bloom of cloud projects, even among large enterprises. Multiple large financials are taking tentative steps into public cloud computing. When these traditionally risk-averse technological early adopters put their toes in the water, the canary sings (okay, we know the metaphor should be that the canary dies, but we don’t want to bring you down). Simultaneously we see cloud providers positioning themselves as a kind of security providers. Amazon makes abundantly clear that they consider security one of their top two priorities, that their data centers are more secure than yours, and that they can wipe out classes of infrastructure vulnerabilities to let you focus on applications and workloads. Cloud storage providers are starting to provide data security well beyond what most enterprises can even dream of implementing (such as tracking all file access, by user and device). In our experience Security has a tiny role in many cloud projects, and rarely in the design of security controls. The same is true for traditional security vendors, who have generally failed to adapt their products to meet new cloud deployment patterns. We can already see how this will play out at the show, and in the market. There is a growing but still relatively small set of vendors taking advantage of this gap by providing security far better attuned to cloud deployments. These are the folks to look at first if you are involved in a cloud project. One key to check out is their billing model: do they use elastic metered pricing? Can they help secure SaaS or PaaS, like a cloud database? Or is their answer, “Pay the same as always, run our virtual appliance, and route all your network traffic through it.” Sometimes that’s the answer, but not nearly as often as it used to be. And assess honestly when and where you need security tools, anyway. Cloud applications don’t have the same attack surface as traditional infrastructure. Risks and controls shift; so should your investments. Understand what you get from your provider before you start thinking about spending anywhere else. SECaaS Your SaaS We are getting a ton of requests for help with cloud vendor risk assessment (and we are even launching a 1-day workshop), mostly driven by Software as a Service. Most organizations only use one to three Infrastructure as a Service providers, but SaaS usage is exploding. More often than not, individual business units sign up for these services – often without going through procurement process. A new set of vendors is emerging, to detect usage of SaaS, help integrate it into your environment (predominantly through federated identity management), and add a layer of security. Some of these providers even provide risk ratings, although that is no excuse for not doing your own homework. And while you might think you have a handle on SaaS usage because you block Dropbox and a dozen other services, there are thousands of these things in active use. And, in the words of one risk officer who went around performing assessments: at least one of them is a shared house on the beach with a pile of surfboards out front, an open door, and a few servers in a closet. There are a dozen or more SaaS security tools now on the market, and most of them will be on the show floor. They offer a nice value proposition but implementation details vary greatly, so make sure whatever you pick meets your needs. Some of you care more about auditing, others about identity, and others about security, and none of them really offer everything yet. Workload Security Is Coming “Cloud native” application architectures combine IaaS and SaaS in new highly dynamic models that take advantage of autoscaling, queue services, cloud databases, and automation. They might pass a workload (such as data analysis) to a queue service, which spins up a new compute instance in the current cheapest zone, which completes the work, and then passes back results for storage in a cloud database. Under these new models – which are in production today – many traditional security controls break. Vulnerability assessment on a server that only lives for an hour? Patching? Network IDS, when there is no actual network to sniff? Talk to your developers and cloud architects before becoming too enamored with any cloud security tools you see on the show floor. What you buy today may not match your needs in six months. You need to be project driven rather than product driven because you can no longer purchase one computing platform and use it for everything. That is, again, why we think you should focus on elastic pricing that will fit your cloud deployments as they evolve and change. So an elastic pricing model is often the best indicator that your vendor ‘gets’ the cloud. Barely Legal SECaaS We are already running long, so suffice it to say there are many more security offerings as cloud services, and a large percentage of them are mature enough to satisfy your needs. The combination of lower operational management costs, subscription pricing, pooled threat intelligence, and other analytics, is often better than what you can deploy and manage completely internally. You still need to

Share:
Read Post

RSA Conference Guide 2014 Deep Dive: Identity and Access Management

One of the biggest trends in security gets no respect at RSA. Maybe because identity folks still look at security folks cross-eyed. But this year things will be a bit different. Here’s why: The Snowden Effect Companies are (finally) dealing with the hazards of privilege – a.k.a. Privileged User Access. Yes, we hate the term “insider threat” – we have good evidence that external risks are the real issue. That said, logic does not always win out – many companies are asking themselves right now, “How can I stop a ‘Snowden Incident’ from happening at my company?” This Snowden Effect is getting traction as a marketing angle, and you will see it on the RSA Conference floor because people are worried about their dirty laundry going public. Aside from the marketing hype, we have been surprised by the zeal with which companies are now pursuing technology to enforce Privileged User Access policies. The privileged user problem is not new, but companies’ willingness to incur cost, complexity, and risk to address it is. Part of this is driven by auditors assigning higher risk to these privileged accounts (On a cynical note, we have to wonder, “What’s the matter, big-name audit firm? All out of easy findings?”). But sometimes the headline news does really scare the bejesus out of companies in that vertical (that’s right, we’re looking at you, retailers). Whatever the reason, companies and external auditors are waking up to privileged users as perhaps the largest catalyst in downside risk scenarios. Attackers go after databases because that’s where the data is (duh). The same goes for privileged accounts – that’s where the access is! But while the risk is almost universally recognized, what to do about it isn’t – aside from “continuous improvement”, because hey, everyone needs to pass their audit. One reason the privileged user problem has persisted so long is that the controls often reduce productivity of some of the most valuable users, drive up cost, and generally increase availability risk. Career risk, anyone? But that’s why security folks make the big bucks. High-probability events gets the lion’s share of attention, but lower-probability gut-punch events like privileged user misuse have come to the fore. Buckle up! Nobody cares what your name is! Third-party identity services and cloud-based identity are gaining momentum. The need for federation (to manage customer, employee, and partner identities), and two-factor authentication (2FA) to reduce fraud are both powerful motivators. But we expected last year’s hack of Mat Honan to start a movement away from passwords in favor of certificates and other better user authentication tools. But what we got was risk-based handling of requests on the back end. It is not yet the year of PKI, apparently. Companies are less concerned with logins and more concerned with request context and metadata. Does the user normally log in at this time? From that location? With that app? Is this a request they normally make? Is it for a typical dollar amount? A lot more is being spent on analytics to determine ‘normal’ behavior than on replacing identity infrastructure, and fraud analytics on the back end are leading the way. In fact precious little attention is being paid to identity systems on the front end – even payment processors are discussing third-party identity from Facebook and Twitter for authentication. What could possibly go wrong? As usual cheap, easy, and universally available trump security – for authentication tools, this time. To compensate, effort will need to be focused on risk-based authorization on the back end. Share:

Share:
Read Post

RSA Conference Guide 2014 Deep Dive: Security Management and Compliance

As we continue deep dives into our coverage areas, we now hit security management and compliance. If you don’t like it, SECaaS! We have taken a bunch of calls this year from folks looking to have someone else manage their SIEM. Why? Because after two or three failed attempts, they figure if they are going to fail again, they might as well have a service provider to blame. Though that has put some wind in the sails of the service providers who offer monitoring services, and provided an opening for those who can co-source and outsource the SIEM. Just make sure to poke and prod the providers about how you are supposed to respond to an incident when they have your data. And to be clear… they have your data. Counter Intelligence As we mentioned in the network security deep dive, threat intelligence (TI) is hot. But in terms of security management, many early TI services were just about integrating IP black lists and malware file signatures – not all that intelligent! Now you will see all sorts of intelligence services on malware, botnets, compromised devices, and fraud analytics – and the ability to match their indicators against your own security events. This is not just machine-generated data, but often includes user behaviors, social media analysis, and DoS tactics. Much of this comes from third-party services, whose sole business model is to go out looking for malware and figure out how best to detect and deal with it. These third parties have been very focused on making it easier to integrate data into your SIEM, so keep an eye out for partnerships between SIEM players and TI folks trying to make SIEM useful. Shadow of Malware SIEMs have gotten a bit of a black eye over last couple years – just as vendors were finally coming to terms with compliance requirements, they got backhanded by customer complaints about failures to adequately detect malware. As malware detection has become a principal use case for SIEM investment, vendors have struggled to keep pace – first with more types of analytics, then more types of data, and then third-party threat intelligence feeds. For a while it felt like watching an overweight mall cop chase teenage shoplifters – funny so long as the cop isn’t working for you. But now some of the mall cops are getting their P90X on and chasing the mallrats down – yes, that means we see SIEMs becoming faster, stronger, and better at solving current problems. Vendors are quietly embracing “big data” technologies, a variety of built-in and third-party analytics, and honest-to-goodness visualization tools. So you will hear a lot about big data analytics on the show floor. But as we said in our Security Management 2.5 research, don’t fall into the trap. It doesn’t actually matter what the underlying technology is so long as it meets your needs, at the scale you require. Third time is… the same There hasn’t been much activity around compliance lately, as it got steamrolled by the malware juggernaut. Although your assessors show up right on time every quarter, and you haven’t figured out how to get rid of them quicker yet, have you? We didn’t think so. PCI 3.0 is out but nobody really cares. It’s the same old stuff, and you have a couple years to get it done. Which gives you plenty of time for cool malware detection stuff at the show. The ‘GRC’ meme will be on the show floor, but that market really continues to focus on automating the stuff you need to do, without adding real value to either your security program or your business. A good thing, yes, but not sexy enough to build a marketing program on. Aggregating data, reducing data, and pumping out some reports – good times. If your organization is big enough and you have many moving technology parts (yeah, pretty much everyone), then these technologies make sense. Though odds are you already have something for compliance automation. The question is whether it sucks so bad that you need to look for something else? VM Plateaus You know a market has reached the proverbial summit when the leading players talk about the new stuff they are doing. Clearly the vulnerability management market is there, along with its close siblings configuration management and patch management, though the latter two can be subsumed by the Ops group (to which security folks say: “Good riddance!”). The VM folks are talking about passive monitoring, continuous assessment, mobile devices, and pretty much everything except vulnerability management. Which makes sense because VM just isn’t sexy. It is a zero-sum game, which will force all the major players in the space to broaden their offerings – did we mention they will all be talking ‘revolutionary’ new features? But the first step in a threat management process is “Assessment.” A big part of assessment is discovering and understanding the security posture of devices and applications. That is vulnerability management, no? Of course it is – but the RSA Conference is about the shiny, not useful… Share:

Share:
Read Post

RSA Conference Guide 2014 Deep Dive: Application Security

With PoS malware, banking trojans, and persistent NSA threats the flavors of the month and geting all the headlines, application security seems to get overshadowed every year at the RSA Conference. Then again, who wants to talk about the hard, boring tasks of fixing the applications that run your business. We have to admit it’s fun to read about who the real hackers are, including selfies of the dorks people apparently selling credit card numbers on the black market. Dealing with a code vulnerability backlog? Not so much fun. But very real and important trends are going on in application security, most of which involve “calling in the cavalry” – or more precisely outsourcing to people who know more about this stuff, to jumpstart application security programs. The Application Security Specialists Companies are increasingly calling in outside help to deal with application security, and it is not just the classi dynamic web site and penetration testing. On the show floor you will see several companies offering cloud services for code scanning. You upload your code and associated libraries, and they report back on known vulnerabilities. Conceptually this sounds an awful lot like white-box scanning in the cloud, but there is more to it – the cloud services can do some dynamic testing as well. Some firms leverage these services before they launch public web applications, while others are responding to customer demands to prove and document code security assurance. In some cases the code scanning vendors can help validate third-party libraries – even when source code is not available – to provide confidence and substantiation for platform providers in the security of their foundations. Several small professional services firms are popping up to evaluate code development practices, helping to find bad code, and more importantly getting development teams pointed in the right direction. Finally, there is new a trend in application vulnerability management – no, we are not talking about tools that scan for platform defects. The new approaches track vulnerabilities in much the same way we track general software defects, but with a focus on specific issues around security. Severity, path to exploit, line of code responsible, and calling modules that rely on defective code, are all areas where tools can help development teams prioritize security vulnerability fixes. Exposing Yourself At the beginning of 2013, several small application security gateway vendors were making names for themselves. Within a matter of months the three biggest were acquired (Mashery by Intel, Vordel by Axway, and Layer 7 by CA). Large firms quickly snapping up little firms often signal the end of a market, but in this case it is just the beginning – to become truly successful these smaller technologies need to be integrated into a broader application infrastructure suite. Time waits for no one, and we will see a couple new vendors on the show floor with similar models. You will also see a bunch of activity around API gateways because they serve as application development accelerators. The gateway provides base security controls, release management, and identity functions in a building block platform, on top of which companies publish internal systems to the world via RESTful APIs. This means an application developer can focus on delivery of a good user experience, rather than worrying extensively about security. Even better, a gateway does not care whether the developer is an employee or a third party. That plays into the trend of using third-party coders to develop mobile apps. Developers are compensated according to the number of users of their apps, and gateways track which app serves any given customer. This simple technology allows crowdsourcing apps, so we expect the phenomenon to grow over the next few years. Bounty Hunters – Bug Style Several companies, most notably Google and Microsoft, have started very public “security bug bounty” programs and hackathons to incentivize professional third-party vulnerability researchers and hackers to find and report bugs for cash. These programs have worked far better than the companies originally hoped, with dozens of insidious and difficult-to-detect flaws disclosed quickly, before new code goes live. Google alone has paid out more than $1 million in bounties – their programs has been so successful that they have announced they will quintuple rewards for bugs on core platforms. These programs tend to attract skilled people who understand the platforms and uncover things development teams were totally unaware of. Additionally, internal developers and security architects learn from attacker approaches. Clearly, as more software publishers engage the public to shake down their applications, we will see everyone jumping on this bandwagon – which will provide an opportunity for small services firms to help software companies set up these programs. Share:

Share:
Read Post

Bit9 Bets on (Carbon) Black

In an advanced endpoint and server protection consolidation play, Bit9 and Carbon Black announced a merger this morning. Simultaneously, the combined company raised another $38 million in investment capital to fund the integration, pay the bankers, and accelerate their combined product evolution. Given all the excitement over anything either advanced or cyber, this deal makes a lot of sense as Bit9 looks to fill in some holes in its product line, and Carbon Black gains a much broader distribution engine. But let’s back up a bit. As we have been documenting in our Advanced Endpoint and Server Protection series, threat management has evolved to require assessment, prevention, detection, investigation, and remediation. Bit9’s heritage is in prevention, but they have been building out a much broader platform, including detection and early investigation capabilities, over the past 18 months. But pulling detailed telemetry from endpoints and servers is difficult, so they had a few more years of work to build out and mature their offering. Integrating Carbon Black’s technology gives them a large jump ahead, toward a much broader product offering for dealing with advanced malware. Carbon Black was a small company, and despite impressive technology they were racing against the clock. With FireEye’s acquisition of Mandiant, endpoint forensic and investigation technology is becoming much more visible in enterprise accounts as FireEye’s sales machine pushes the new toy into existing customers. Without a means to really get into that market, Carbon Black risked losing ground and drowning in the wake of the FireEye juggernaut. Combined with Bit9, at least they have a field presence and a bunch of channel relationships to leverage. So we expect them to do exactly that. Speaking of FireEye, the minute they decided to buy Mandiant, the die was cast on the strategic nature of their Bit9 partnership. As in, it instantly became not so strategic. Not that the technology overlapped extensively, but clearly FireEye was going to go its own way in terms of endpoint and server protection. So Bit9 made a shrewd move, taking out one of the main competitors to the MIR (now FireEye HX) product. With the CB technology Bit9 can tell a bigger, broader story than FireEye about prevention and detection on devices for a while. We also like the approach of bundling both the Bit9 and Carbon Black technologies for one price per protected endpoint or server. This way they remove any disincentive to protect devices across their entire lifecycle. They may be leaving some money on the table, but all their competitors require multiple products (with multiple license fees) to provide comparably broad protection. Bundling makes it much easier to tell a differentiated story. We got one question about whether Bit9 is now positioned to go after the big endpoint protection market. Many security companies have dancing fairies in their eyes, thinking of the multiple billions companies spend on endpoint protection that doesn’t work. Few outfits have been able to break the inertia of the big EPP vendors, to build a business on alternative technology. But it will happen at some point. Bit9 now has most of the pieces and could OEM the others pretty cheaply, because it’s not like an AV signature engine or FDE product is novel today. It is too early to tell whether they will go down that path – to be candid they have a lot of runway to sell protection for critical devices, and follow that with detection/investigation capabilities across the enterprise. In a nutshell we are positive on this deal. Of course there are always pesky details to true technical integration and building a consistent and integrated user experience. But Bit9 + CB has a bunch of the pieces we believe are central to advanced endpoint and server protection. Given FireEye’s momentum, it is just a matter of time before one of the bigger network players takes Bit9 out to broaden their own protection to embrace endpoints and servers. Share:

Share:
Read Post

RSA Conference Guide 2014 Deep Dive: Network Security

As we begin deeper dives into our respective coverage areas, we will start with network security. We have been tracking the next generation (NG) evolution for 5 years, during which time it has fundamentally changed the meaning of the perimeter – as we will discuss below. Those who moved quickly to embrace NG have established leadership positions, at the expense of those that didn’t. Players who were leaders 5 short years ago have become non-existent, and there is a new generation of folks with innovative network security approaches to handle advanced attacks. After many years of stagnation, network security has come back with a vengeance. Back to Big Swinging (St)icks The battle for the perimeter is raging right now in network security land. In one corner you have the incumbent firewall players, who believe that because the future of network security has been anointed ‘NGFW’ by those guys in Stamford, it is their manifest destiny to subsume every other device in the perimeter. Of course the incumbent IPS folks have a bit to say about that, and are happy to talk about how NGFW devices keel over when you turn on IPS rules and SSL decryption. So we come back to the age-old battle when you descend into the muck of the network. Whose thing is bigger? Differentiation on the network security front has gone from size of the application library in 2012, to migrating from legacy port/protocol policies in 2013, to who has the biggest and fastest gear in 2014. As they work to substantiate their claims, we see a bunch of new entrants in the security testing business. This is a good thing – we still don’t understand how to read NSS Labs’ value map. Besides the size of the equipment, there is another more impactful differentiation point for NGXX boxes: network-based malware detection (NBMD). All the network security leaders claim to detect malware on the box, and then sling mud about where analysis occurs. Some run analysis on the box (or more often, set of boxes) while others run in the cloud – and yes, they are religious about it. So if you want to troll a network security vendor, tell them their approach is wrong. You will also hear the NGXX folks who continue to espouse consolidation, but not in a UTM-like way because UTM is so 2003. But in a much cooler and shinier NGXX way. No, there is no difference – but don’t tell the marketeers that. They make their money ensuring things are sufficiently shiny on the RSAC show floor. More Bumps (in the Wire) Speaking of network-based malware detection (NBMD), that market continues to be red hot. Almost every organization we speak to either has or is testing one. Or they are pumping some threat intelligence into network packet capture devices to look for callbacks. Either way, enterprises have gotten religion about looking for malware on the way in – before it wreaks havoc. One area where they continue to dawdle, though, is putting devices inline. Hold up a file for a microsecond, and employees start squealing like stuck pigs. The players in this market who offer this capability as a standalone find most of their devices deployed out-of-band in monitor mode. With the integration of NBMD into broader NG network security platforms, the capability is deployed inline because the box is inherently inline. This puts standalone devices at a competitive disadvantage, and likely means there won’t be any standalone players for much longer. By offering capabilities that must be inline (like IPS), vendors like FireEye will force the issue and get their boxes deployed inline. Problem solved, right? Of course going inline requires a bunch of pesky features like fail open, hot standby, load balancing, and redundant hardware. And don’t forget the flack jacket when a device keels over and takes down a Fortune 10 company’s call center. ET Phone Home Another big theme you will see at this year’s RSA is the attack of Threat Intelligence (TI). You know, kind of like when ET showed up all those years ago, got lost, and figured out how to send a network ping zillions of light years with a Fisher Price toy. We are actually excited about how TI offerings are developing – with more data on things like callbacks, IP reputation, attack patterns, and all sorts of other cool indicators of badness. Even better, there is a specific drive to integrate this data more seamlessly into security monitoring and eventually update blocking rules on network security devices in an automated fashion. Of course automatic blocking tends to scare the crap out of security practitioners. Mostly because they saw Terminator too many times. But given the disruption of cloud computing and this whole virtualization thing, security folks will get much more comfortable with having a machine tune their rules, because it’s going to happen fast. There is no alternative – carbon-based units just can’t keep up. Though we all know how that story featuring Skynet turned out, so there will be a clear focus on ensuring false positives are minimized, probably to the point of loosening up the blocking rules just to make sure. And that’s fine – the last thing you want is a T1000 showing up to tell you that sessions you knocked down caused a missed quarter. Network and Endpoints: BFF When it comes to advanced malware, the network and the endpoints are not mutually exclusive. In fact over the past year we have seen integration between endpoint folks like Bit9 and network-based malware detection players such as FireEye and Palo Alto Networks. This also underlies the malware defense stories coming from Sourcefire (now Cisco) and McAfee, and pushed the FireEye/Mandiant acquisition announced in January. You can bet the Mandiant folks were drinking some high-end champagne as they welcomed 2014. There is method to the madness, because network folks need visibility on endpoints. These network detection devices are going to miss at some point, both due to new attack tactics (those notorious 0-days) and devices that escape the comfy confines of the corporate network and

Share:
Read Post

Security Management 2.5: Replacing Your SIEM Yet? [New Paper]

Security Information and Event Management (SIEM) systems create a lot of controversy among security folks – they are a pain but it is an instrumental technology for security, compliance, and operations management. The problem is – given the rapid evolution of SIEM/Log Management over the past 4-5 years – that product obsolescence is a genuine issue. The problems caused by products that have failed to keep pace with technical evolution and customer requirements cannot be trivialized. This pain becomes more acute when a SIEM fails to collect the essential information during an incident – and even worse when it completely fails to detect a threat. Customers spend significant resources (both time and money) on caring for and feeding their SIEM. If they don’t feel the value is commensurate with their investment they will move on – searching for better, easier, and faster products. It is only realistic for these customers to start questioning whether their incumbent offerings make sense moving forward. We are happy to announce the launch our latest research paper: Security Management 2.5. We discuss changing customer demands, and how vendors are altering their platforms to address them. We then provide a detailed process to help determine whether you need to swap providers, and if so how. We would like to thank IBM and McAfee for licensing this research. Support from the community enables us to bring you our Totally Transparent Research free of charge, so we are happy IBM and McAfee chose to license this report. You can get the full paper: Security Management 2.5: Replacing Your SIEM Yet? Share:

Share:
Read Post

RSA Conference Guide 2014 Watch List: DevOps

We have covered the key themes we expect to see at the RSA Conference, so now we will cover a theme or two you probably won’t see at the show (or not enough of, at least), but really should. The first is this DevOps things guys like Gene Kim are pushing. It may not be obvious yet, but DevOps promises to upend everything you know about building and launching applications, and make a fundamental mark on security. Or something I like to call “SecOps”. DevOps, Cloud, and the Death of Traditional IT Recently in one of my cloud security classes I had a developer in attendance from one of those brand-name consumer properties all of you, and your families, probably use. When he writes a code update he checks it in and marks it for production; then a string of automated tools and handoffs runs it through test suites and security checks, and eventually deploys it onto their infrastucture/platform automatically. The infrastructure itself adjusts to client demands (scaling up and down), and the concept of an admin accessing a production server is an anachronism. At the latest Amazon Web Services conference, Adobe (I believe the speaker was on the Creative Cloud team) talked about how they deploy their entire application stack using a series of AWS templates. They don’t patch or upgrade servers, but use templates to provision an entirely new stack, slowly migrate traffic over, and then shut down the old one when they know everything works okay. The developers use these templates to define the very infrastructure they run on, then deploy applications on top of it. Microsoft Office? In the cloud. Your CRM tool? In the cloud. HR? Cloud. File servers? Cloud. Collaboration? Cloud. Email? Cloud. Messaging? Get the picture? Organizations can move almost all (and sometimes all) their IT operations onto cloud-based services. DevOps is fundamentally transforming IT operations. It has its flaws, but if implemented well it offers clear advantages for agility, resiliency, and operations. At the same time, cloud services are replacing many traditional IT functions. This powerful combination has significant security implications. Currently many security pros are completely excluded from these projects, as DevOps and cloud providers take over the most important security functions. Only a handful of security vendors are operating in this new model, and you will see very few sessions address it. But make no mistake – DevOps and the Death of IT will show up as a key theme within the next couple years, following the same hype cycle as everything else. But like the cloud these trends are real and here to stay, and have an opportunity to become the dominant IT model in the future. Share:

Share:
Read Post

Friday Summary: February 14, 2014

Bacon as a yardstick: This year will see the 6th annual Securoris Disaster Recovery Breakfast, and I am measuring attendance in required bacon reserves. Jillian’s at the Metreon has been a more than gracious host each year for the event. But when we order food we (now) do it in increments of 50 people. At the moment we are ordering bacon for 250, and we might need to bump that up! We have come a long way since 2009, when we had about 35 close friends show up, but we are overjoyed that so many friends and associates will turn out. Regardless, we expect a quiet, low-key affair. It has always been our favorite event of the week because of that. Bring your tired, your hungry, your hungover, or just plain conference-weary self over and say ‘Howdy’. There will be bacon, good company, and various OTC pharmaceuticals to cure what ills you. Note from Rich: Actually we had a solid 100 or so that first year. I know – I had to pay the bill solo. Big Spin: More and more firms are spinning their visions of big data, which in turn makes most IT folks’ heads spin. These visions look fine within a constrained field of view, but the problem is what is left unsaid: essentially the technologies and services you will need but which are not offered – and vendors don’t talking about them. Worse, you have to filter through non-standard terminology deployed to support vendor spin – so it’s extremely difficult to compare apples against apples. You cannot take vendor big data solutions at face value – at this early stage you need to dig in a bit. But to ask the right questions, you need to know what you probably don’t yet understand. So the vendor product demystification process begins with translating their materials out of vendor-speak. Then you can determine whether what they offer does what you need, and finally – and most importantly – identify the areas they are not discussing, so you can discover their deficiencies. Is this a pain in the ass? You betcha! It’s tough for us – and we do this all day, for a living. So if you are just learning about big data, I urge you to look at the essential characteristics defined in the introduction to our Securing Big Data Clusters paper – it is a handy tool to differentiate big data from big iron, or just big BS. Laying in wait. I have stated before that we will soon stop calling it “big data”, and instead just call these platforms “modular databases”. Most new application development projects do not start with a relational repository – instead people now use some form of NoSQL. Which should be very troubling to any company that derives a large portion of its revenue from database sales. Is it odd that none of the big three database vendors has developed a big data platform (a real one – not a make believe version)? Not at all. Why jump in this early when developers are still trying to decide whether Couch or Riak or Hadoop or Cassandra or something else entirely is best for their projects? So do the big three database vendors endorse big data? Absolutely. To varying degrees they encourage customer adoption, with tools to support integration with big data – usually Hadoop. It is only smart to play it slow, lying in wait like a giant python, and later swallow the providers that win out in the big data space. Until then you will see integration and management tools, but very tepid development of NoSQL platforms from big relational players. Yes, I expect hate mail on this from vendors, so feel free to chime in. Hunter or hunted? One the Securosis internal chat board we were talking about open security job positions around the industry. Some are very high-profile meat grinders that we wouldn’t touch with asbestos gloves and a 20’ pole. Some we recommend to friends with substantial warnings about mental health and marital status. Others not at all. Invariably our discussion turned to the best job you never took: jobs that sounded great until you go there – firms often do a great job of hiding dirty laundry until after you come on board. Certain positions provide a learning curve for a company: whoever takes the job, not matter how good, fails miserably. Only after the post-mortem can the company figure out what it needs and how to structure the role to work out. Our advice: be careful and do your homework. Security roles are much more difficult than, say, programmer or generic IT staffer. Consult your network of friends, seek out former employees, and look at the firm’s overall financial health for some obvious indicators. Who held the job before you and what happened? And if you get a chance to see Mike Rothman present “A day in the life of a CISO”, check it out – he captures the common pitfalls in a way that will make you laugh – or cry, depending on where you work. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted in “Building the security bridge to the Millennials”. Favorite Securosis Posts Dave Lewis: After-School Special: It’s Time We Talked – about Big Data Security. David Mortman: RSA Conference Guide 2014 Watch List: DevOps. Adrian Lane: RSA Conference Guide 2014 Watch List: DevOps. Just a great post. Mike Rothman: RSA Conference Guide 2014 Watch List: DevOps. Sometimes it’s helpful to look into the crystal ball and think a bit about what’s coming. You won’t see that much at the RSAC, but we can at least give you some food for thought. Rich: Bit9 Bets on (Carbon) Black. Mike always does the best deal posts in the industry. Other Securosis Posts Security Management 2.5: Replacing Your SIEM Yet? [New Paper]. Advanced Endpoint and Server Protection: Prevention. Incite 2/12/2014: Kindling. Firestarter: Mass Media Abuse. RSA Conference Guide 2014 Deep Dive: Network Security. RSA Conference Guide 2014 Key Theme: Cloud Everything. RSA Conference Guide 2014 Key Theme: Crypto and Data Protection. RSA

Share:
Read Post

Advanced Endpoint and Server Protection: Prevention

As we return to our Advanced Endpoint and Server Protection series, we are back working our way through the reimagined threat management process. After discussing assessment you know what you have and what risk those devices present to the organization. Now you can design a control set to prevent compromise from happening in the first place. Prevention: Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on more advanced ones. Obviously there are many layers you can and should bring to bear to protect endpoints and servers. Our PCI-centric brethren call these compensating controls. But we aren’t talking about network or application stuff in this series, so we will restrict our discussion to technologies and tactics focused on preventing compromise on endpoints and servers themselves. As we described in 2014 Endpoint Security Buyer’s Guide, there are a number of alternative approaches to protecting endpoints and servers that need to be discussed, compared, and contrasted. Traditional File Signatures You cannot really discuss endpoint prevention without at least mentioning signatures. You remember those, right? They are all about maintaining a huge blacklist of known malicious files to prevent from executing. The Free AV products on the market now typically only use this approach, but the broader endpoint protection suites have been supplementing traditional signature engines with additional heuristics and cloud-based file reputation for years. To expand a bit on file reputation, AV vendors realized a long time ago that it wasn’t efficient to download hashes for every single known malware file to every single protected endpoint. So they took a cloud-based approach which involves keeping a small subset of frequently-seen malware signatures on each device, and if the file cannot be found locally the endpoint agent consults the cloud for a determination on the file. If the file isn’t known by the cloud either it may be uploaded for analysis. This is similar to how cloud-based network-based malware detection works.   But detection of advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks, which are both very common. So the focus has moved to other approaches. Advanced Heuristics You cannot rely on matching what a file looks like, so you need to pay much more attention to what it does. This is the concept behind the advanced heuristics used to detect malware in recent years. The issue with early heuristics was having enough context to know whether an executable was taking a legitimate action. Malicious actions were defined generically for each device based on operating system characteristics, so false positives (blocking a legitimate action) and false negatives (failing to block an attack) were both common: a lose/lose scenario. Heuristics have evolved to also recognize normal application behavior. This advance has dramatically improved accuracy because rules are built and maintained at a specific application-level. This requires understanding all the legitimate functions within a constrained universe of frequently targeted applications, and developing a detailed profile of each covered application. Any unapproved application action is blocked. Vendors basically build a positive security model for each application – which is a tremendous amount of work.   That means you won’t see every application profiled with true advanced heuristics, but that would be overkill. As long as you can protect the “big 7” applications targeted most often by attackers (browsers, Java, Adobe Reader, Word, Excel, PowerPoint, and Outlook), you have dramatically reduced the attack surface of each endpoint and server. To use a simple example, there aren’t really any good reasons for a keylogger to capture keystrokes while filling out a form on a banking website. And it is decidedly fishy to take a screen grab of a form with PII on it at the time of submission. These activities would have been missed previously – both screen grabs and reading keyboard input are legitimate operating system functions in specific scenarios – but context enables us to recognize these actions as attacks and stop them. To dig a little deeper let’s list some of the specific types of behavior the advanced heuristics would be looking for: Executables/dependencies Injected threads Process creation System file/configuration/registry changes File system changes OS level functions including print screen, network stack changes, key logging, etc. Turning off protections Account creation and privilege escalation Vendors’ ongoing research ensures their profiles of authorized activities for protected applications remain current. For more detail on these kinds of advanced heuristics check out our Evolving Endpoint Malware Detection research. Of course this doesn’t mean attackers won’t continue to target operating system vulnerabilities, applications (including the big 7), or the weakest link in your environment (employees) with social engineering attacks. But advanced heuristics makes a big difference in the efficacy of anti-malware technology for profiled applications. Application Control Application control entails a default deny posture on devices. You define a set of authorized executables that can run on a device, and block everything else. This provides true device lockdown – no executables (either malicious or legitimate) can execute without being explicitly authorized. We took a deep dive into application control in a recent series (The Double-Edged Sword & Use Cases and Selection Criteria), so we will just highlight some key aspects. Candidly, application control has suffered significant perception issues, mostly because early versions of the technology were thrust into a general-purpose use case, where they significantly impacted user experience. If employees think a security control prevents them from doing their jobs, it will not last. But over the past few years application control has found success in a few use cases where devices can and should be totally locked down. That typically means fixed-function devices such as kiosks and ATMs, as well as servers. Devices where a flexible user experience isn’t an issue. It is possible

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.