Research

You didn’t think you would need to wait long for a Snowden reference, did you? Well, you know we Securosis guys like to keep you in suspense. But without further ado, it’s time. Snowden time! CryptoZoology The biggest noisemaker at RSA this year – besides Rothman – will be everyone talking about the NSA revelations. Everyone with a bully pulpit (which is basically everyone) will be yelling about how the NSA is all up in our stuff. Self-aggrandizing security pundits will be preaching about how RSA took a bribe, celebrating their disgust by speaking in the hallways and at opportunistic splinter conferences, instead of at the RSA podia. DLP, eDiscovery, and masking vendors will be touting their solutions to the “insider threat” with Snowden impersonators (as discussed in APT0). Old-school security people will be mumbling quietly in the corners of the Tonga Room, clutching drinks with umbrellas in them, saying “I told you so!” One group who will be very, very quiet during the show: encryption vendors. They will not be talking about this! Why? Because they really can’t prove their stuff is not compromised, and in the absence of proof, they have already been convicted in the security star chamber. Neither Bruce Schneier nor Ron Rivest will be pulling proofs of non-tampering out of magic math hats. And even if they could, the security industry machine isn’t interested. There is too much FUD to throw. What’s worse is that encryption vendors almost universally look to NIST to validate the efficacy of their solutions – now that NIST is widely regarded as a pawn of the NSA, who can provide assurance? I feel sorry for the encryption guys – it will be a witch hunt! The real takeaway here is that IT is – for the first time – questioning the foundational technologies data security has been built upon. And it has been a long time coming! Once we get past Snowden and NSA hype, the industry won’t throw the baby out with the bathwater, but will continue to use encryption – now with contingency plans, just in case. Smart vendors should be telling customers how to adjust or swap algorithms if and when parts of the crypto ecosystem becomes suspect. These organizations should also be applying disaster recovery techniques to encryption solutions, just in case. Share:

There is no stopping the train now that it’s rolling. Here is the final key theme that we expect to see at the show, and yes it’s all about the cloud. And yes, I managed to work a Jimmy Buffett lyric into the piece. Rich 1, Internet 0. Cloud Everything. Again. We’re Bored Now. The cloud first appeared in this illustrious guide a mere three or four years ago. The first year it was all hype – with no products, few vendors realized that cloud computing had nothing at all to do with NOAA, and plenty of security pros thought they could just block the cloud at the firewall. The following year was all cloud washing, as booths branded themselves with more than sticky notes saying “We Heart Cloud,” but again, almost nobody did more than wrap a custom-hardware-accelerated platform onto a commodity hypervisor. But the last year or so we saw glimmers of hope, with not only a few real (okay, virtual) products, cloud curious security pros starting to gain a little experience, and more honest to goodness native cloud products. (Apologies to the half-dozen cloud native vendors who have been around for more than a few years, and don’t worry, we know who you are.) We honestly hoped to drop the cloud from our key themes, but this is one trend with legs. More accurately, cloud computing is progressing nicely through the adoption cycle, deep into the early mainstream. The problem is that many vendors recognize the cloud will affect their business, but don’t yet understand exactly how, and find themselves more in tactical response mode. They have products, but they are mostly adaptations of existing tools rather than the ground-up rebuilds that will be required. There are more cloud native tools on the market now, but the number is still relatively small, and we will still see massive cloud washing on the show floor. While we’re at it, we may was well lump in Software Defined Networking, though ‘SDN-washing’ doesn’t really roll off the tongue. Two areas you will see hyped on the show floor which provides real benefits are Security as a Service (SECaaS – say it loud and love it), and threat intelligence. Vendors may be slow to rearchitect their products to protect native cloud infrastructure and workloads, but they are doing a good job of pushing their own products into the cloud, and collective intelligence breaks some of the information sharing walls that have held security back for decades. But here is all you need to know about what you will see across the show – big financial institutions are all kicking around various cloud projects. The sharks smell the money, unlike in previous years when it was about looking good for the press and early adopters. In the immortal words of the great sage Jimmy Buffett, “Can you feel them circling honey, can you feel them schooling around? You got fins to right, fins to the left, and you’re the only game in town.” Share:

Sitting at my feet is the brand spanking new Kindle I ordered for XX1. It arrived before the snow and ice storm hits the ATL, so we got pretty lucky. She’s a voracious reader and it has become inefficient (and an ecological crime) to continue buying her paper books. She has probably read the Harry Potter series 5 or 6 times, and is constantly giving me new lists of books to buy. She has books everywhere. She reads on the bus. She gets in trouble because sometimes she reads in class. It’s pretty entertaining that the Boss and I need to try to discipline her, when her biggest transgression is reading in class. I kind of want to tell the teacher that if they didn’t suck at keeping the kid’s attention, it wouldn’t be a problem. But I don’t. I have used the Kindle app on my iOS devices for a couple years. I liked it but my older iPads are kind of heavy, so it wasn’t a very comfortable experience to prop on my chest and read. I also had an issue checking email and the Tweeter late at night. So I bought a Kindle to just read. And I do. Since I got it my reading has increased significantly. Which I think is a good thing. So I figured it was time to get XX1 a Kindle too. The Boss was a bit resistant, mostly because she likes the tactile feeling of reading a book and figured XX1 should too. Once we got past that resistance, I loaded up the first Divergent book onto my Kindle and let her take it for a test drive. I showed her two features, first the ability to select a word and see it in the dictionary. That’s pretty awesome – how many kids do you know who take the time to write down words they don’t know and look them up later? I also showed her how to highlight a passage. She was sold. A day and half later, she was ready for book 2 in the Divergent series. Suffice it to say, I loaded up book 3 as well, preemptively. Of all the vices my kids have, reading is probably okay. Before I go to bed tonight I will set up her new device and load up a bunch of books I have which I think she’ll like. We will be snowed in for at least a day, so they will give her something to do. The over/under in Vegas is that she reads two books over the next couple days. I’m taking the over. What’s really cool is that in a few years, she will hardly remember carrying a book around. That will seem so 2005. Just like it seems like a lifetime ago that I loaded up 40-45 CDs to go on a road trip in college (or cases of cassette tapes when I was in high school). Now I carry enough music on my phone to drive for about 3 weeks, and never hear the same song twice. It’s the future, and it’s pretty cool. –Mike Photo credit: “Stack of Books” originally uploaded by Indi Samarajiva Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these less than 15 minutes, and usually fail. Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom Jan 27 – Government Influence Jan 20 – Target and Antivirus Jan 13 – Crisis Communications 2014 RSA Conference Guide We’re at it again. For the fifth year wea re putting together a comprehensive guide to what you need to know if you will be in San Francisco for the RSA Conference at the end of February. We will also be recording a special Firestarter video next week, because you obviously cannot get enough of our mugs. Key Themes Key Theme: Retailer Breaches Key Theme: Big Data Security Key Theme: APT0 And don’t forget to register for the Disaster Recovery Breakfast Thursday, 8-11 at Jillian’s. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. The Future of Information Security Implications for Cloud Providers Implications for Security Vendors What it means Six Trends Changing the Face of Security A Disruptive Collision Introduction Leveraging Threat Intelligence in Security Monitoring Quick Wins with TISM The Threat Intelligence + Security Monitoring Process Revisiting Security Monitoring Benefiting from the Misfortune of Others Advanced Endpoint and Server Protection Assessment Introduction Newly Published Papers Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing What CISOs Need to Know about Cloud Computing Defending Against Application Denial of Service Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring Incite 4 U Hot or Not: We spend a ton of time working with security startups (and lately cloud startups looking for security help). So we will be the first to admit we don’t know all of them, and it can sometimes be hard to evaluate broad market perception – our instincts and research are good but we don’t do quantitative market surveys. Justin Somaini just published his personal survey results on security startups and issues and it’s pretty interesting. (Full disclosure: Justin is Chief Trust Officer at Box, who is licensing a paper of ours). Justin got 500 responses from people rating the perceived value of every security startup he could find, and also teased out a bit on perceived top security issues. I’m sure there is survey bias, but if you want a sense of which startups have the best recognition this is a great start, and Justin published all the results in the open, just the way we like it. (Note to Mike: I call dibs on the new prospect list.). – RM Attacks are

In this week’s Firestarter we talk about the Book of Mormon (the play, not the other thing), biking while intoxicated, and the ongoing predilection of mass media to abuse the truth about security for ratings. Because, NBC and Sochi. And we have a question. Please drop us a line in the comments or on Twitter if you’d like us to also post the Firestarter as an audio-only podcast. Share:

As we continue posting the key themes we expect to see at this year’s RSA Conference, it’s time hit the source of all things FUD: recent retailer breaches. Security marketing is driven by catalysts, to create urgency, to buy products and services. There have been plenty so far this year, and we will hear all about them at the show. It POSitively Sucks to be in Retail Just when you were getting numb to all the angst around the NSA, Target got thoroughly owned via a busted web server accessed via third-party credentials that gave attackers access to all their POS systems and lots of other goodies on their internal networks. So clearly this year we will hear lots of rumblings about retailers and their inability to secure anything. At least brick and mortar retailers have great margins, no online competition, and limited attack surface, right? At first we thought this kind of attack was the return of Gonzales and his band of merry wireless hackers. But actually that was an outside-in attack, where the attackers gained presence through stores and then moved into the data center. This is the opposite. They gained presence through the corporate network and then moved out to stores. Although the end result was the same: 70+ million credit cards and other personal information exposed. Even better, these attackers waited until the holidays, when the card brands relax their fraud protections a bit, to start monetizing the cards. So they maximized their ability to steal stuff. Now that’s innovation, folks. I guess PCI 4.0 will have specify that all ROCs go into hiatus from Black Friday to New Year’s Day. But the points you will hear this year will be typical FUD-laden nonsense. “Buy this box and everything will be all right.” That focuses on the wrong issue. As we mentioned in a recent Firestarter, it’s not the compromise that’s disturbing – it’s the fact that they penetrated so deeply and exfiltrated so much information without being noticed. And if your new shiny business plan involves building 10,000 stores and aggregating 100 million credit cards, maybe you should start working on a different idea or hire some security rock stars onto the founding team. Share:

I have been working on this one quietly for a while. It is a massive update to my previous paper on iOS security. It turns out Apple made a ton of very significant changes in iOS 7. So many that they have upended how we think of the platform. This paper digs into the philosophy behind Apple’s choices, details the security options, and then provides a detailed spectrum of approaches for managing enterprise data on iOS. It is 30 pages but you can focus on the sections that matter to you. I would like to thank WatchDox for licensing the content, which enables us to release it for free. Normally we publish everything as a blog series, but in this case I had an existing 30-page paper to update and it didn’t make sense to (re-)blog all the content. So you might have noticed me slipping in a few posts on iOS 7 recently with the important changes. I can do another revision if anyone finds major problems. And with that, here is the landing page for the report. And here is the direct download link: Defending Data on iOS 7 (PDF) And lastly, the obligatory outline screenshot: Share:

Normally we like to blame the victim, but in this case we need to thank them. From the WSJ, the swap to Chip and PIN will happen by October 2015. Here is the key point: Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability. So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable. None of this affects online transactions, though. Share:

  It’s that time of year. The security industry is gearing up for the annual pilgrimage to San Francisco for the RSA Conference. For the fifth year your pals at Securosis are putting together a conference guide to give you some perspective on what to look for and how to make the most of your RSA experience. We will start with a few key themes for the week, and then go into deep dives on all our coverage areas. The full guide will be available for download next Wednesday, and we will post an extended Firestarter video next Friday discussing the Guide. Without further ado, here is our first key theme. APT0 Last year the big news at the RSA Conference was Mandiant’s research report outing APT1 and providing a new level of depth on advanced attacks. It seemed like every vendor at the show had something to say about APT1, but the entire conference was flowing in Mandiant’s wake. They should have called the report “How to increase your value by a couple hundred million in 12 short months”, but that’s another story for another day. In 2014 Edward Snowden put on his Kevin Mandia costume and identified the clear predecessor to the APT1 group. That’s right, the NSA is APT0. Evidently the NSA was monitoring and hacking things back when the APT1 hackers were in grade school. We expect most vendors will be selling spotlights and promises to cut through the fog of the NSA disclosures. But getting caught up in FUD misses the point: Snowden just proved what we have always known. It is much harder to build things than to break them. Our position on APT0 isn’t much different than on APT1. You cannot win against a nation-state. Not in the long term, anyway. Rather than trying to figure out how much public trust in security tools has eroded, we recommend you focus on what matters: how to protect information in your shop. Are you sure an admin (like Snowden) can’t access everything and exfiltrate gigabytes of critical data undetected? If not you have some work to do. Keep everything in context at the show. Never forget that the security marketing machine is driven by high-profile breaches as a catalyst for folks who don’t know what they are doing to install the latest widget selling the false hope of protection. And the RSA Conference is the biggest security marketing event of the year. So Snowden impersonators will be the booth babes of 2014.   Share:

As we continue posting our key themes for the 2014 RSA Conference, let’s dig a bit into big bata, because you won’t be hearing anything about it at the show… After-School Special: It’s Time We Talked – about Big Data Security The RSA Conference floor will be packed full of vendors talking about the need to secure big data clusters, and how the vast stores of sensitive information in these databases are at risk. The only thing that can challenge “data velocity” into a Hadoop cluster is the velocity at which FUD comes out the mouth of a sales droid. Sure, potential customers will listen intently to this hot new trend because it’s shiny and totally new. But they won’t actually be doing anything about it. To recycle an overused analogy, big data security is a little like teen sex: lots of people are talking about it, but not that many are actually doing it. Don’t get us wrong – companies really are using big data for all sorts of really cool use cases including analyzing supply chains, looking for signs of life in space, fraud analytics, monitoring global oil production facilities, and even monitoring the metadata of the entire US population. Big data works! And it provides advanced analysis capabilities at incredibly low cost. But rather than wait for your IT department to navigate their compliance mandates and budgetary approval cycles, your business users slipped out the back door because they have a hot date with big data in the cloud. Regardless of whether those users understand the risks, they are pressing forward. This is where your internal compliance teams start to sound like your parents telling you to be careful and not to go out without your raincoat on. What users hear is that the audit/compliance teams don’t want them to have any fun because it’s dangerous. The security industry is no better, and the big data security FUD is sure to come across like those grainy old public service films you were forced to watch in high school about something-something-danger-something… and that’s when you fell asleep. We are still very early in our romance with big data, and your customers (yes, those pesky business users) don’t want to hear about breaches or discuss information governance as they explore this new area of information management. Share:

I love writing. Except when I hate it. When people ask what I do for a living, I almost never say ‘writer’. I’m an analyst, who occasionally dabbles as a tech journalist, but pumps out more words in typical a year than many professional writers. When the muse is in my corner and the words flow smooth and swift like molten chocolate (sorry, need dessert), the process is incredibly gratifying. I can sometimes pop off a thousand words an hour and walk away deeply satisfied, with perhaps some light editing. That doesn’t really happen a lot since I had kids. More often I plan out a wonderful schedule with plenty of leisure time to settle into the words, build my story (because even tech pieces are stories), and enlighten readers with my content and wit. Then I don’t sleep, I lose a couple days to sick kids or other randomness, and hope beyond hope I can snag a few hours in a coffee shop, pace my caffeine intake perfectly, and maybe, just maybe, finish up before my deadline is so far past that the client forgets my name. Writing on deadline is tough – especially when family, illness, and the ongoing needs of running a business continually conspire to interfere with any plans. It doesn’t help to be a genetic procrastinator of such accomplishment that, in your formal college record, there is a note saying, “don’t cut him any breaks, he manipulates the system too much”. (It’s true – I saw the note in my physical file). Take this Summary. I am writing it in a hotel room in Toronto after a really rough couple weeks defined by illness (my own and one of my kids), right after a rough couple months going back to the holidays. There have been ear infections, stomach bugs, general sniffles, and 9-day fevers. I two stomach bugs 6 weeks, once on the day I needed to fly out to teach a cloud security class. Somehow, through all this, I managed to nail my target deadlines on the Future of Security series, a non-security article for a new publication (for me), and complete a good chunk of my RSA planning. I owe two different conferences four presentations (total), need to launch 2 papers in the next week, and add two more modules to my RSA demo code (overkill, but I would really like to pull it off). But I wouldn’t really have it any other way. Oh sure, I’d like less pressure, but look what I get to do on a daily basis… And running at this pace for so long has turned me into an honest-to-gosh writer, even outside the technology domain. I have written for The Magazine and soon The Loop – not even on security or technology! I was paid to tell stories, and that is deeply satisfying. And while I can’t say everything I write for Securosis excites me equally, some of my recent work has been very rewarding. I never set out to be a writer. And while I have no intention of writing the Great American Novel, I feel pretty lucky to get paid to write words read by thousands. It’s pretty special, and never something I take for granted. Even tonight. Locked in a sparse hotel room with a sniffly nose and an early wakeup call. I do, however, have cookies. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on the Yahoo email issue by the AP. Favorite Securosis Posts Mike Rothman: Security’s Future: Implications for Security Vendors. Lots of security vendors will keep their heads in the sand about the fundamental changes happening and how they will impact security. Don’t say we didn’t warn you… David Mortman: Security’s Future: What it Means (Part 3). Other Securosis Posts Incite 2/5/2014: Super Dud. Firestarter: Inevitable Doom. Security’s Future: Implications for Cloud Providers. Security’s Future: What it Means (Part 3). Security’s Future: Six Trends Changing the Face of Security. Quick Wins with TISM. TISM: The Threat Intelligence + Security Monitoring Process. Favorite Outside Posts Mike Rothman: Russell Brand: my life without drugs. You can’t understand addiction unless you’ve been there. Chilling view into the mind of an addict from Russell Brand. Mike Rothman: Kansas teen uses 3-D printer to make hand for boy. Who says we aren’t living in the future? And to think the kid did such an amazing thing using a 3D printer in a public library. Just amazing! David Mortman: Who owns the data in the Internet of Things? Adrian Lane: Think SQLi is old news? The PR hype machine got tired of talking about it, but the problem never went away. Diana Kelley beat me to the punch on this, and did a great job of explaining what to do about it. Rich: Brian Krebs with more Target details. Bad guys came in via an HVAC contractor. I believe it was a small exhaust port, right below the main port. Research Reports and Presentations Eliminate Surprises with Security Assurance and Testing. What CISOs Need to Know about Cloud Computing. Defending Against Application Denial of Service Attacks. Executive Guide to Pragmatic Network Security Management. Security Awareness Training Evolution. Firewall Management Essentials. A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Top News and Posts Senate grills Target CFO on data breach Verizon Wages War on Netflix. Technically on Amazon AWS, although Netflix is the obvious target. Adobe pushes out-of-band patch for Flash. Target moving to Chip and PIN after attack. I’m in Canada and they look at me like I’m a freaking savage every time I have to swipe my credit card. But hey, we have PCI. No Comment of the Week this time – sorry. Share: