Research

Back when I managed people (and yes, it seems like a lifetime ago), I subscribed to the Gallup management concepts. Productivity is based on employee engagement, and employees are much more engaged when they are doing things they are good at. The book First, Break All the Rules was eye-opening – I have spent my entire career to date trying to make my weaknesses less weak, and not trying to improve my strengths. So I took Gallup’s original StrengthsFinder test and discovered back in 2002 that my top 5 strengths were Strategic, Input, Achiever, Command, and Focus. So my attempts to start a technology company at that point made a lot of sense. Those are the skills you’d like an early stage CEO to be strong int. But looking back at my subsequent experiences as VP Marketing for a number of companies, it is not surprising I wasn’t happy or particularly successful, given the different skills required for that position. The initial data gathering/learning phase of my VP Marketing jobs played to my ‘input’ strength. And building communications and product plans were great for my ‘strategic’ capabilities. But everything else about the job, including the day to day grind, the whac-a-mole of managing PR and lead generation programs, and the challenge of keeping high-strung sales folks happy, didn’t play to my strengths. Not at all. As I mentioned last week, recently hitting the likely halfway point of my life got me thinking. I believe I am a different person than I was back in 2002. Life and the inevitable road rash you acquire do that to you. I wondered how much my strengths had changed. So I took the new version of StrengthsFinder – and lo and behold, 3 out the 5 were different. Now my top 5 strengths are Strategic, Relator, Achiever, Activator, and Ideation. Keeping strategic and achiever weren’t surprising – I have always been like that. Nor was being an activator, which is someone who starts projects and gets things moving. Likewise ideation goes hand in hand with my strategic bent and allows me to come up with a number of different ideas for how to solve problems. All these fit well with my chosen occupation as an independent analyst. Without a firm grasp of strategy and a bunch of creative ideas, my value is limited. My activator and achiever talents make sure things get done, especially powered by a lot of coffee. But the relator talent surprised me. The description of this talent is: “People who are especially talented in the Relator theme enjoy close relationships with others. They find deep satisfaction in working hard with friends to achieve a goal.” Huh. Close relationships? Really? My internal perception of myself has always been as a standoffish introvert who doesn’t really care about people. In fact, I tell stories about how I shouldn’t be working with people, which is why having partners on the other side of the country is perfect. But now that I think about it, I enjoy nothing more than rolling up my sleeves and getting to work with people I respect and like. One of the key criteria for anyone wanting to become a Securosis contributor is whether we like to drink beer with them. These folks aren’t just my colleagues – they are my friends. I can see why this makes sense (for me) now, and how it makes me better at what I do. Best of all, I have a gig which allows me to play to my strengths. It’s not like I had an evil plan to find a career that highlights my talents. I stumbled into research when I was in my early 20’s. But 20+ years later, I can appreciate my good fortune. –Mike Photo credit: “Lifting heavy weight, I am the power man. originally uploaded by snow Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Security Awareness Training Evolution Why Bother? Defending Against Application Denial of Service Introduction Newly Published Papers Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U The limo job: If you can’t get in through the front door, you might as well come in through the limo service. At least that’s the tactic taken by the APT to get into Kevin Mandia’s stuff. It turns out they probably used real intelligence officers to discover Kevin’s preferred limo company, broke in, then sent him a fake receipt with a malicious payload. That’s some ingenious hacking and requires some boots on the ground. Obviously a guy as well-trained as Kevin will smell something fishy when he gets a receipt for a trip he didn’t take. But you have to wonder what else are they looking at? He knew becoming the public face of exposing Chinese hacking activity would have repercussions, and now I guess we are seeing them. – MR Not all leaks sink the boat: A while ago we did some work with a client who was worried about an impending source code leak (no, you don’t know about it – it’s not that one in the news). They were trying to figure out the best way to handle it from both a PR and IR standpoint. These guys had their stuff together, and went through an intense process to protect both customers and their brand. (No, it wasn’t Symantec – they flubbed it). Adobe is living that nightmare right now, and boy did the Wall Street Journal miss the mark in their trolling for clicks. Losing source code doesn’t necessarily correlate to increased customer risk. To

On Tuesday – that’s tomorrow for you working this Columbus day – Gunnar Peterson and I will be taking about API gateways with Intel’s Travis Broughton. We will run this webcast as an open discussion, and focus on the practical questions and issues of using API gateways. Our goal is to focus on end-user questions we have been getting, so bring your questions too – we plan to be very interactive. You can sign up here: API Gateways: Where Security Enables Innovation. On Wednesday at 9am Pacific, I will also be finishing up the series on Identity and Access Management for Cloud services. This segment will guide you on how to put the implementation strategy together with some vendor evaluation tips, helping you put together a process to help get what you need during selection. You can get the full research paper and the first two recorded webcasts on the Symplified site. And at 10am Pacific Wednesday, Mike Rothman will present on Taking a Hard Look at Your Vulnerability Management Program. In this webcast, Mike will revisit our “Vulnerability Management Evolution” research and discuss how to take a hard look at your VM environment. He will also touch on scenarios where you should consider moving to a new platform. As always, pragmatic and Incite-ful. Share:

Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn. vBulletin is the the most popular forum platform out there. It runs many, or most, of the sites your admins and developers peruse for technical advice and questions. Now tens of thousands of those sites are hosting malware. Hope you have some web filtering capable of detecting and blocking the flood. This is the very definition of a watering hole attack, as much as I hate that stupid marketing term. Share:

You may have noticed our posting was down a bit this week. Okay, pretty much non-existent. But take a look at the links in this Summary for what we have been reading and thinking about. This is turning out to be the busiest end-of-year I can remember for us. We always compress some things in Q4 as people use up end-of-year budget, but this year it is really hitting hard… and I am absolutely loving it. I have 3 papers to finish up before the end of the year, all of them on topics I am extremely interested in. Plus travel nearly every week. It will, of course, run me into the ground, but it looks like there will be plenty of time to remind the kids what I look like over the holidays, when I can bribe them. Our one post this week was Mike’s Incite, Youth is Wasted on the Young. While that is true, in my case I think age is wasted on the middle-aged. I didn’t barge out of college with a checklist of life goals quite like Mike. My graduation was more of a whimper. I spent 8 years as an undergrad, starting off in aerospace engineering and Navy ROTC with a clear path to being an astronaut, leaving as an itinerant paramedic and IT pro with a degree in history and an almost-finished second major in molecular biology. I don’t, for an instant, feel that I wasted my youth, missed opportunities, or failed to work to my peak potential. I needed to develop a lot as a person, like everyone, but managed to mostly avoid the deep pains and frustrations that Mike seems to have encountered. This wasn’t some genius superpower, but some incredible acts of fortune that brought amazing friends into my life to help me along. Martial arts also played a major role by developing self-awareness. That said, I did have a couple doozies, especially involving the finer gender, but nothing that didn’t launch me into something even more interesting. Age is wasted on the middle-aged because I have nearly as much enthusiasm, see just as much opportunity, but lack the freedom to pursue it as aggressively. I am not willing to risk my family’s lifestyle and home, and so am forced to proceed at a more methodical pace – which annoys the hell out of my 27-year-old self-image. But I don’t look at this with regret. I took full advantage of the opportunities I had at 27, and while I sometimes itch for more in my 40s, I know exactly what I would have to sacrifice to achieve them quickly, and I prefer this life. Besides, I am still egotistical enough to think I will achieve all my goals in time. And don’t go thinking I’m all zen or anything. Some of this bugs the hell out of me on a daily basis, but not to the point where I freak out over it. I suppose that’s progress… and sleep deprivation. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s DR post on Evasion Techniques And Sneaky DBAs. Favorite Securosis Posts Adrian Lane: Youth is wasted on the young. The ‘halfway’ point realization is a sobering thought. No Other Securosis Posts this Week Favorite Outside Posts Adrian Lane: EMV vs the UPT, Can We Fix the #FAIL? Branden Williams points out one of the many reasons Chip and Pin is a long way off in the US. David Mortman: Identity Management and Its Role in Security Strategy of Enterprise Environments. Gal Shpantzer: Is the Affordable Health Care Website Secure? Probably not. James Arlen: SecTor 2013: Are there limits to ethical hacking? Mike Rothman: The Lie in the Network. Thought provoking post by the Rev. Baker about how we can’t count on the network for security and have to look at the issue differently. I will cover this in a longer post next week but it’s worth reading now. And I look forward to the next few posts to check out some of his ideas. Research Reports and Presentations A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Top News and Posts Forrester Contradicts Verizon Report, Says Insider Threat Leads Data Breaches. Call me skeptical. Alleged ‘Dread Pirate Roberts’ Heads to New York in Silk Road Case Nordstrom Finds Cash Register Skimmers Make your own Enigma Replica. Perfect high school project! Microsoft pays out $100,000 bounty for Windows 8.1 bug. Google’s Schmidt: Android more secure than iPhone. Not. Blog Comment of the Week This week’s best comment goes to louis vuitton belts, in response to about a dozen blog posts: You write well This has to be our most persistent and impressed reader ever. It’s really nice he or she feels this way about our work. Please keep the support coming – I’m sure we will approve one of your comments soon. Share:

  We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. Then you get some religion about more effectively managing these devices. Things are getting more complicated as next-generation functionality brings a need to define and manage application policies; new devices and infrastructure evolution make it difficult to know what is allowed and what isn’t. The issues around managing firewalls can be summed up in an excerpt from our newest paper: Like a closet in your house, if you don’t spend time sorting through old stuff it can become a disorganized mess, with a bunch of things you haven’t used in years and no longer need. This metaphor fits the firewall like a glove, so we decided to get back to our network security roots to document the essentials to automating management of firewalls. We explain the need for a strong automated change management process, the importance of optimizing the rule base, and the benefits of managing access risk. It should serve as a good primer on how to improve the operational excellence of your network security controls. We would like to thank Firemon for licensing the research and supporting what we do. You cannot get rid of firewalls, and if anything their importance is increasing daily. So you might as well get better at managing them, and that’s what this research is all about. Check out the FME landing page in our research library, or download the Firewall Management Essentials paper directly. Share:

A couple years ago, when I decided to lose weight and change my eating habits, I did it with a view to living until I was at least 90. That was the number I envisioned, and given my family history, it should be achievable. So as I celebrated my 45th birthday this week, it was strange to realize that I’m close to halfway done. WTF? How did that happen? It seems just like yesterday I was loading up the U-Haul for the trek to relocate to DC after college to start my adult life. That yesterday was 24 years ago. I drove that speed limited truck (it wouldn’t go faster than 60) with all my worldly possessions down the 95 with all these expectations. I was going to do this, and do that, and achieve this, and basically become the master of all I survey. No plan survives contact with the enemy, and mine was no exception. I certainly had the energy and the drive, but I didn’t understand the game. I was too young to have any perspective. All I wanted to be was an adult, and have my own money and buy my own stuff and be responsible for myself. It took 24+ years of screwing things up to finally appreciate how the old saying: “Youth is wasted on the young” is absolutely correct. The young don’t know how to harness their capabilities. They don’t know what they don’t know. Which is obvious every time I chat with kids just entering the job markets. I love their energy and idealism, but I shake my head at their sense of entitlement. Mostly I’m excited for them to learn stuff the way I learned it – the hard way. That’s really the only way to learn, and these kids will do great things in the few instances when they aren’t screwing up. But 24+ years later, I can appreciate that process and understand that I had to go through the good, the bad, and the ugly to end up where I am today. Which is right where I should be. So as I enter the second half of my life, I am thankful for the first half. It gave me an opportunity to figure some things out, especially about myself and what’s important to me. I don’t worry so much any more about fitting in or living up to others’ expectations. I’m young enough to still do a lot of stuff, but old enough to kind of know what I’m doing. And that’s a good place to be. –Mike Photo credit: Youth on the Move in Volos 12, originally uploaded by EU Social Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Against Application Denial of Service Introduction Firewall Management Essentials Quick Wins Managing Access Risk Optimizing Rules Change Management Introduction Newly Published Papers Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Keep it simple, get it right: I am often highly critical of Poneman Institute reports because their methodology is often flawed, especially using surveys to estimate losses for intellectual assets that can’t really be quantified. But their latest Cost of Cybercrime report moves in the right direction. This time it only counts direct costs related to incident response, not some wild-ass guess at the value of stolen files. I do believe these costs can be quantified, although the odds are many organizations lack the maturity and tracking to really be consistent about what it really costs to clean up a mess. But Ponemon kept a tight scope, with clear definitions, and noted that costs rose 18% (total, not per incident). One reason cited may be the increasing numbers and sophistication of attacks, but I suspect better detection incidents is a larger factor. – RM Down the river of payments: The card brands very publicly announced a global tokenization proposal to make shopping “simpler and safer”, which they promise to release real soon now. But, with significantly less press coverage, on-line retailer Amazon went one step better – by extending Amazon’s existing payment infrastructure to other retail sites. Amazon customers will leverage their Amazon account, including payment and shipping preferences, when they buy from participating retailers. That is Payment as a Service (PAYaaS), people! Participating merchants will no longer need to manage and secure the payment process, or user accounts and passwords, so they will not need to slog through PCI requirements. Amazon makes money on each transaction. Users benefit from a single account and password, and only need to trust Amazon (who already provides a very good user experience) with their account & payment information. – AL 3 Keys to security survival: Great overview in Dark Reading of how the core imperatives of a CISO continue to change given the Inevitability of Attacks. The article covers an Interop presentation by Blackstone’s CISO, Jay Leek, and describes three mindset and strategic shifts. The first is to get better visibility into threats and attacks. You also need better intelligence about attacks and attackers. And finally you need a planned response rather than just reacting to the latest attack du jour. It is right on the money so check out the article when you can. And keep in mind that this doesn’t mean you need to dump all your preventative controls. It just means you need to do a better job of being prepared to respond. – MR Assume the worst: We have been saying for years that you should assume your environment has been breached, or will be, and define your defensive controls around that.

I was never a big fan of the Rolling Stones. Heard them on the radio all the time growing up but never bought any of their stuff. It was good but not good enough to spend my hard-earned money. Recently a friend, a hardcore Stones addict, convinced me I needed some in my music collection. A couple clicks on Amazon, and three days later I had a big box of music waiting for me when I got back from the Splunk conference. In need of a little rest after a hectic few weeks, I cracked open the package and gave it a listen. And WTF? This is not what I heard on the radio. This song is hardcore blues. The next song is honky-tonk. Then rock and roll, followed by some delta blues. Singer, guitarist, and drummer all changing styles with each song like each one was a style they had played all their lives. This is amazing. Different, but (ahem) I liked it! The band as I heard it on the radio growing up is not the band on CDs and records. There is depth here. Versatility. Ingenuity. What I thought is not what they are. Their popularity suddenly makes sense. The songs played on radio and streaming services do a disservice to the band, and fail to capture special aspects of what they are (and were) about. So this morning I realized the answer to a simple question, which I have been hearing for years without a good answer. The question is most often asked as “We are evaluating SIEM solutions but this vendor Splunk came up. Who are they and what do they do?” The security community primarily knows them as an almost-SIEM platform. They do more than log management, but less than SIEM. And that is accurate – most of the security press talks about Splunk in that grey area between SIEM and LM, but fails to explain what’s going on or why the platform is popular. What you have read in the press and seen in… let’s call them “Supernatural Quadrangles” for the sake of argument… does not capture what is going on or how this platform fits into the enterprise. Yes, I said enterprise. This came up because Splunk was kind enough to invite me to their conference in Las Vegas this week to catch up on recent platform enhancements and speak with some of their customers. I don’t get paid to go, in case you’re wondering, but it is worth spending a couple days speaking with customers and hearing what they are really doing. The customer conversations were the optimistic variety I expected, but the keynote was something else entirely. Their CEO talked about mining the data feeds from aircraft and trains to help optimize safety and efficiency. About getting telemetry from mobile endpoints to gauge app reliability. I heard user stories about using the platform as a basis for consumer buying trend analysis and fraud analytics. This is not security – this s generalized analytics, applied to all different facets of the business. Even weirder was the enthusiastic fanboi audience – security customers normally range from mildly disgruntled to angry protagonist. These people were happy to be there and happy with the product – and the open bar was not yet open. Wendy Nather and I did a quick survey of the crowd and discovered that we were not among a security audience – it was IT Operations. Splunk’s core is a big data platform. That means it stores lots of data, with analytics capabilities to mine that data. And like most big data platforms, you can apply those capabilities to all sorts of different business – and security – problems. It is a Swiss Army Knife for all sorts of stuff, with security as the core use case. To understand Splunk you need to know that in addition to security it also does IT analytics, and is applicable to general business analytics problems. Another similarity to “Big Data” platforms is that many commercial and open source projects extend its core functionality. The only security platform I know of with a similar level of contributions is Metasploit. Again, it’s not SIEM. It is not the ideal choice for most enterprise security buyers who want everything nicely packaged together and want fully automated analytics. Correlation and enrichment are not built into Splunk. Enterprises need reports and to ensure that their controls are running, so anything different is often unacceptable. They don’t want to rummage around in the data, or tweak queries – they need results. Well, that’s not Splunk. Not out of the box. Splunk is more flexible because it is more hands-on. It offers more use cases, with a cost in required customization. Those are the tradeoffs. There is no free lunch. A few years ago I mocked Splunk’s “Enterprise Security Module”. I said that it did not contain what enterprise security centers want, they did not understand enterprise security buyers, and they didn’t offer what those buyers demand in a security platform. Yeah, in case you were wondering, I failed charm school. Splunk has gotten much closer in features and functions over three years, but it is still not a SIEM. In some ways that is a good thing – if you are just looking to plug in a SIEM, you are missing their value proposition. Splunk pivoted vertically to leverage their capabilities across a broader set of analysis problems, rather wage trench warfare with the rest of the event management market. The majority of people I spoke with from larger enterprise belonged to operations teams. At those firms, if security uses the product, they piggy-back off the Ops installation, leveraging additional security features. The other half of customers I spoke with were security team members at mid-sized firms, applying the platform to highly diverse security use cases and requirements. To understand why Splunk has so many vocal advocates and protagonists you need to broaden your definition of a security platform.

A few months back I did a series of posts demonstrating a proof of concept for implementing some basic software defined security (using AWS, Chef, and Ruby). This ended up being the basis for my KickaaS Security with APIs and Cloud talk at Black Hat. I decided to release it as a white paper. Because I think there are too many trees in the world, and this will encourage you to print it out. Or buy a tablet – doesn’t matter to me. Landing Page: A Practical Example of Software Defined Security Direct Download (PDF) In all seriousness, I hope you like it; and that this white paper, with complete content from the posts, is useful to you. Share:

Brian Krebs breaks another story: Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money laundering. And on hiring a hit man (seriously): On March 31, DPR began haggling over the price, responding: “Don’t want to be a pain here, but the price seems high. Not long ago, I had a clean hit done for $80k. Are the prices you quoted the best you can do? I would like this done asap as he is talking about releasing the info on Monday.” I wonder if Benedict Cumberbatch will play DPR in the movie? Compelling read. Nothing to do with IT security unless you plan on hosting an illegal site, but fascinating. Share:

Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field. A quote from a talk by Tom Cross from Lancope and Holly Stewart from Microsoft: “If there’s nothing you can tell the users to do, there’s not a lot of point in disclosing the exploits,” he said. “It depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it’s not. If the answer is to tell people not to use a piece of software that’s necessary to do business, the reality is that’s not going to happen.” It’s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying customers. Vulnerability disclosure often seems more about philosophy and ego. Exploit disclosure is far more complex, with even farther-reaching implications. Exploit disclosure makes vulnerability disclosure look like a kid’s game. Share: