Research

As if the IBM Security Systems folks weren’t busy enough with the RSA Conference last week, they flew directly from San Francisco to Vegas for their annual Pulse Conference. Sure it’s a lot of back-patting and antennae rubbing, but there is usually a good nugget or two from their customer presentations. In this photo one of IBM’s companies highlights 7 reasons it is important to decide on the initial use cases for your SIEM before you buy it. I particularly like a few of them: 1. “Help with vendor selection – evaluate competitive SIEMs against use case criteria and forms requirements for purchase.” When I was in the SIEM space, trying to push 7-figure purchases, it was much easier when we could dictate the terms of the proof of concept (PoC). We’d test stuff we knew would work well, and that competitors couldn’t match. Of course that didn’t necessarily involve solve the customer’s problem. Oh, well. Enterprises should be driving the criteria for purchase and the PoC, and you do that by defining the initial set of use cases that drove the funding of the project anyway. 4. “Companies considering a SIEM should build a use case portfolio before even looking at a technology.” 6. “Understand quick wins/short term successes vs. long term roadmap (where do you want to be in two years).” I cannot tell you how many conversations I have had with folks looking at SIEM, who couldn’t tell me specifically what problem they were trying to solve. The initial use cases are really table stakes for SIEM procurement. It is critical not to choose a technology that will prevent you from doing things (like packet capture) in the future, as your program and needs evolve. But if you don’t have a clear idea what you want to do first, you are very unlikely to succeed. Share:

I think I’m finally waking up. After a week at RSA where I basically don’t sleep – not all bad, mind you – it takes a while to recover. In fact Monday might as well not have happened – I certainly got nothing done. It was not for lack of trying, but I was simply part of the zombie apocalypse – but I don’t want brains, just some Captain Crunch and sleep. Today I had the ‘Oh crap!’ realization – I promised people things last week, and I need to deliver. As much as I’d like to shuffle this stuff onto Rich, he has got a new baby and won’t take my calls. Something about taking it easy and enjoying time with the family. On the subject of the RSA Conference, I have to confess I’m not usually surprised by trends at RSA. If you read out pre-RSAC stuff, you noticed it was clear to us that Big Data and malware were going to take center stage, and those trends did not disappoint. But we are never quite sure whether we are going to run into grumpy vendors spewing forth about their dissatisfaction with foot traffic, booth space, and the lack of quality leads. This year … none of that. In fact most vendors told me traffic was up and, more importantly, prospects were seeking them out. They were happy. It certainly made the week a lot more fun, but happy are a bit like Mike Rothman’s smile – rare and it makes me nervous. The other thing that really surprised me was that every single vendor seemed to be asking for help locating talent. Penetration testers, product managers, marketing managers, engineering managers, researchers – you name it. But I am not aware of any seasoned security people who are looking – quite the opposite. I did not anticipate the security industry hiring so heavily, but that’s a good thing, and another sign that things are humming along. Let the good times roll. You know what else surprised me? The force field surrounding the Huawei booth. Okay, maybe there was no actual force field, but people walking the show floor acted like there was. They kept a curious 2-3’ distance from the booth. Maybe their schwag sucked. Or perhaps it was Huawei’s lack of booth babes. Or maybe people are pissed about the Mandiant report and think of Huawei as part of that whole fiasco. I don’t really know, but most vendors were humming with activity, yet the half-dozen times I went by their booth they were noticeably un-busy. –Adrian On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Our own ‘Mark’ Rothman’s DR post: You’re A Piece Of Conference Meat. snort Adrian’s Pragmatic Database Security Presentation. Favorite Securosis Posts Adrian Lane: Karmic Balance. I have witnessed 25 years of shenanigans, and it has turned out that most wrongs met their karmic opposite at some point. David Mortman: Flash! And it’s gone…. Mike Rothman: Karmic Balance. Yeah, I’m a homer for favoriting my own Incite this week. But it sums up what I’m about. Like most folk I have been scarred and battered and bruised. But I try to make those negatives into positives whenever I can. Other Securosis Posts Understanding Cloud IAM: Buyers Guide. Use cases are your friends. Isolating the Security Skills Gap. Be Careful What You Wish for…Now You’re CISO. Announcing the CCSK UK Train the Trainer Class in April. New Paper: Network-based Threat Intelligence. Friday Summary, RSA Edition: March 1, 2012. Favorite Outside Posts Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry. Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names, in a word: insane. Adrian Lane: Creating and Validating a Sock Puppet. Everyone should have a couple of these. They come in handy. David Mortman: Barn Doors. “Mobile is just an amplification of all the insecure practices you and your company have been using for decades.” – Sing it, sister! Mike Rothman: Cisco CEO: We’re All In On Internet Of Everything. In the NSS (No Sh*t Sherlock) list this week, Cisco decides it’s in their best interest to drive “The Internet of Things.” Duh. But as we wrote in the RSAC Guide, the Internet of Things is something to keep an eye on. Check it out for the hype, but stay around because there will be all sorts of devices connecting to your stuff. Project Quant Posts Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. Top News and Posts Appsec at RSA 2013: nice recap. Oracle Issues Emergency Java Update via Krebs. Details of the February 22nd 2013 Windows Azure Storage Disruption HP Exec: We’re Investing $1 Billion in Big Data This Year Understanding iOS passcode security The Phoenix Project Critics: Substandard crypto needlessly puts Evernote accounts at risk Evernote plans two-factor authentication following last week’s hack Recent 10-Ks mentioning “cyber” incidents Java malware spotted using stolen certificate Google+ Can Be A Social Network Or The Name Police – Not Both Blog Comment of the Week This week’s best comment goes to Matt, in response to Attribution Meh. Indicators YEAH! if for no other reason than becausae he put a lot of thought and effort into it. The greatest significance can be found in this report’s overarching message to China: we see you and we’re doing something about it. This may well represent the catalyst for major geopolitical change. The value of this report is that it will likely disrupt the adversary’s operational capability for some time as corporations bolster defenses. The adversary is no longer a vague term referring to an unknown group somewhere in the world. We’re talking about the government of China. We’re talking about disrupting their

We all knew the Flash was fast. But it seems Apple has made Flash so fast you can’t even use it on your Macs. Well, actually, they put some new protections in to ensure only the latest version of Flash runs on Mac OS X 10.6 and later. In response to frequent exploits being leveraged against the popular Adobe software, Apple has introduced a safeguard that gives Safari users no option but to keep Flash up to date. “When attempting to view Flash content in Safari, you may see this alert: ‘Blocked Plug-in,’” said an Apple notice. From there, Safari users will be able to download the latest version of Flash. Similar to the way Mozilla is working to save us from ourselves, Apple is now getting into the game. How long before the OS and browser makers totally dictate the updating process for plug-ins they can run? Of course that creates an even higher wall around the garden, and the toolbelt community will squeal like stuck pigs. Well, they can configure Gatekeeper not to protect them. For everyone else, it looks like offering help keeping devices updated is a good thing. Photo credits: Flash Before Your Eyes originally uploaded by JD Hancock Share:

My career has been turbulent at times. I know that’s shocking to those of you who know me personally. When I was invited not to come to work at my last job in VA, I already had a good position at a hot start-up in Atlanta lined up. They were well aware of my situation, and once I was a free agent the deal got done quickly. I had one real estate agent selling a house in VA, and another looking for property in Atlanta. Full speed ahead. Then I got the strangest call from my “new” CEO. He said they did a final reference check and a past boss pretty much drove a shiv into my gut. WTF? So now the sure thing in Atlanta wasn’t so sure. And even better, if this guy was talking me down in VA, my odds of getting another job if Atlanta fell through weren’t so good. So I went into damage control mode. I wasn’t going to go down like a lamb, so I came out swinging. I called in every favor I had. I created dissension at my former employer by having folks in all parts of the organization talk to the Atlanta company confidentially to provide a different viewpoint. If I was going to investigate other occupations, it was going to be on my terms. Not because some whackjob CEO was trying to cover his behind as he lost control of his company. And you know what? I got the job. The good guys won. My friends stepped up for me bigtime, and I never forgot that. I promised myself that if I ever knew anyone else getting similarly screwed, I’d do everything in my power to help them. Everything. I’d return the favor when I had the opportunity. A few weeks ago I had lunch with a friend, who told me a story eerily similar to mine. He got caught in the crossfire of a regime change and received the blackball treatment that happens when backchannel chatter is more important than demonstrable accomplishments. My blood was boiling. I knew what I had to do. So at RSA last week I looked for an opportunity to do it. Thankfully one of my clients mentioned he was looking for the skill set my friend possessed. I jumped and put his name into the hat. I also mentioned his predicament and personally vouched for my guy. I called in a favor and asked my client to give him a chance. I don’t know if it’ll work out, but my guy is in the game and that’s all I asked. And when my friend called yesterday to thank me, I smiled. It was a really big smile. Like some type of karmic balance returned to the world, if only for a few minutes. I smiled because I remember being in that spot. I remember how powerless I felt. How a control freak had no control. And I remember how relieved I felt when I learned those folks stepped up for me. But most of all, it felt really good to be able to keep that promise I made to myself all those years ago. My friend asked what he could do for me. My answer was absolutely nothing. This wasn’t about me. It was about righting a wrong and doing the right thing. But I did tell him to pay it forward. Someday he’ll meet someone in the same position and he needs to help. And he will. –Mike TIP A DRINK TO RICH: Let’s all congratulate Rich and his wife Sharon for the successful launch of their latest joint project. The latest addition to the team, Ryan Mogull, was born Sunday night. Rich will be taking some time with the family for the rest of the week, but should be back in the saddle soon. And yes, we are shopping for a Securosis onesie. Photo credits: Switchbox karma originally uploaded by stuart anthony Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading, UK, April 8-10. Sign up now. Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Industrial Phishing Tactics Understanding Identity Management for Cloud Services Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Give a security hobo a pair of shoes: Really great post by Bob Rudis about what he’s calling Security Hobos, the truly small businesses that really have no idea what they need to do. But we have an opportunity to make a difference, like the cop who gave the homeless guy in NYC a pair of boots. Bob points out that these are the kinds of business that put their POS software on the only machine in the business. And yes, that machine will get popped and it will be bad. But rather than just railing about how these folks create problems, Bob makes some actual suggestions for how to help. Do things like speak at your Chamber of Commerce and search out small businesses to offer advice. I talked about returning karmic balance above, and this is another great opportunity to do it. Don’t expect anything in return – do it because it’s the right thing to do. – MR Driving competition: Amazon Web Services (AWS) rolled out a monitoring tool called Trusted Advisor. It is positioned as a performance and security tool, leveraging the intelligence Amazon gathers to help customers tune their environments. Like traditional IT tools playing at security, it’s really operational metrics and tools masquerading as security features. It’s just

It looks like Ray Umerley had a good time at the RSA Conference. Besides seeing pics on the Tweeter of him at the Ju Jitsu gathering, he took some time to document his thoughts about what he saw at the show (RSA Conference 2013: My Takeways). Ray covers security intelligence, and how as you collect more security data, it becomes more important that it be used within a security/risk management program. He points out that we need more quality people in the information security field. I’m going to go out on two limbs here: we need quality people regardless of certification, those with the aptitude, passion, and intellect to excel across multiple security disciplines but also more security people who can apply the business and soft skills to develop into effective leaders. I really feel our resource gap is in the latter more than the former. I question the effectiveness of many of the traditional CISO/CSO and whether we as a profession have evolved to meet the needs and expectations of our organizations. Can I hear an amen? That’s exactly right. We don’t need more bodies. Okay, maybe a few more bodies. But what we really need are quality folks. Inquisitive souls who love learning, but who also have the temperament to handle a job with murky success criteria (at best). Then Ray moves on to flesh out the leadership gap, as well. The security industry is oftentimes very insular, difficult to break into some of the cliques, and we have a frustrating habit of eating our young. What we need to do is continue to nurture and foster a pipeline of security neophytes and intermediates and help them develop into multi-disciplinary security professionals. We as an industry need to continue sharing what we know and paying it forward. Obviously we can’t find enough qualified folks to meet the need, so we need to train them. If you are staff constrained and you don’t have a plan (aside from sending n00bs to a week-long SANS course) to develop your folks in a very structured fashion, you’re doing it wrong. Share:

Hat tip to our pals at TripWire, who do a good job of leveraging the security community to generate interesting and entertaining content. They have a guy named David Spark who roams around the floor at trade shows like RSA and captures video. A recent video asked, What would you do if you became CISO? Responses ranged from “fall off the wagon and drink heavily” to “ask for more budget” to “give myself a big-ass raise.” I definitely like that last one. But an ongoing theme involved updating your resume. That’s pretty funny. Who said security folks are pessimists? Of course the first thought that entered my mind was to grab the hemlock. But after that faded I’d go buy some guy’s book on being a Pragmatic CSO (hint, hint). I guess my advice is to forget almost everything you knew about technology. The position you’re now in is about persuasion and influence. It’s not about configuring firewalls or squeezing another $2-3 per device out of your endpoint protection vendor. There are some entertaining responses in the video, so check it out and get a few laughs. Then get back to work. Things don’t protect themselves, do they? Share:

Clearly the world is not enough. So I’ll be getting my 007 on in the UK in early April to deliver our Cloud Security Training. We have recently updated the curriculum to the Cloud Security Alliance Guidance V3.0, and I have to say it kicks butt. Many of the hands-on exercises have been overhauled, and if you are looking to get familiar with cloud security you will want to check out this class. I am personally training because part of this class will be a third day to train the next group of CCSK curriculum instructors. As authors of the training curriculum, we are the only folks who can train and certify instructors, so a couple times a year we deliver the courses ourselves, live and in person. The CSA is making a fairly serious investment in the CCSK, as evidenced by their recent announcement naming HP as a Master Training Partner. So if you do training, or would like cloud security to be a larger part of your business, getting certified as a CCSK trainer would be a good thing. If you want to become certified to teach, you need to attend one of these courses. And even if you aren’t interested in teaching, it’s also a good opportunity to get trained by the folks who built the course. You can get details and sign up for the training in Reading, UK, April 8-10. Here is the description of each of the 3 days of training: There is a lot of hype and uncertainty around cloud security, but this class will slice through the hyperbole and provide students with the practical knowledge they need to understand the real cloud security issues and solutions. The Certificate of Cloud Security Knowledge (CCSK) – Basic class provides a comprehensive one day review of cloud security fundamentals and prepares them to take the Cloud Security Alliance CCSK certification exam. Starting with a detailed description of cloud computing, the course covers all major domains in the latest Guidance document from the Cloud Security Alliance, and the recommendations from the European Network and Information Security Agency (ENISA). The Basic class is geared towards security professionals, but is also useful for anyone looking to expand their knowledge of cloud security. (We recommend attendees have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity management). The CCSK-Plus class builds upon the CCSK Basic class with expanded material and extensive hands-on activities with a second day of training. The Plus class (on the second day) enhances the classroom instruction with real world cloud security labs! Students will learn to apply their knowledge as they perform a series of exercises, as they complete a scenario bringing a fictional organization securely into the cloud. This second day of training includes additional lecture, although students will spend most of their time assessing, building, and securing a cloud infrastructure during the exercises. Activities include creating and securing private clouds and public cloud instances, as well as encryption, applications, identity management, and much more. The CCSK Instructor workshop adds a third day to train prospective trainers. More detail about how to teach the course will be presented, as well as a detailed look into the hands-on labs, and an opportunity for all trainers to present a portion of the course. Click here for more information on the CCSK Training Partner Program (PDF). We look forward to seeing you there. Share:

Hot on the heels of our Building an Early Warning System paper, we have taken a much deeper look at the network aspect of threat intelligence in Network-based Threat Intelligence. We have always held to the belief that the network never lies (okay – almost never), and that provides a great basis on which to build an Early Warning System. This excerpt from the first section sums it up pretty nicely: But what can be done to identify malicious activity if you don’t have the specific IoCs for the malware in question? That’s when we look at the network to yield information about what might be a problem, even if controls on the specific device fail. Why look at the network? Because it’s very hard to stage attacks, move laterally within an organization, and accomplish data exfiltration without using the network. This means attackers leave a trail of bits on the network, which can provide a powerful indication of the kinds of attacks you are seeing, and which devices on your network are already compromised. This paper will dig into these network-based indicators, and share tactics to leverage them to quickly identify compromised devices. Hopefully shortening this detection window will help to contain the damage and prevent data loss. Hit the landing page or you can download the paper directly (PDF) We would like to thank Damballa for licensing the content in this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without clients licensing our content. Share:

Rich here, I need to apologize a bit for sending the Summary out a day late. As most of you know, this week is the big annual RSA Conference and we, Securosis, were busy as heck with conference activities. Between e10+, the Security Blogger’s Meetup, the Securosis Disaster Recovery Breakfast, and tons of conference meetings, it is the busiest week of our year. Well, except for me. As many of you know I spent the week here in Phoenix waiting for the birth of my next child. The due date was Monday, and there was no way in hell I was going to take the risk of missing that for a conference. But as you might guess based on the tone of this post, the kid is a no show. It was weird to miss RSA for the first time in many years. I was prepared to miss the social side of the show; as much as I enjoy seeing everyone, a conference is for work and I frequently dodge parties for meetings, to finish slides, or to stay rested. On the business development front I’m the first to admit Mike is a lot better at BD, and he probably closed more business for me than I could have closed myself. It was really nice to sit back and wait for the text messages of people I need to follow up with (thanks Mike!). What I didn’t expect was how much I miss the energy boost. You see, one thing about the nature of our business is that we often work in a vacuum. We advise users and vendors, and maybe get to see the outcomes someday, but we don’t get a lot of direct feedback on our work. This is important not only to ensure we that are on the right track, but it also helps keep us motivated. I don’t get a performance evaluation and bonus at the end of the year if I did well. I am extremely internally motivated. Anyone who works at home, for themselves, has to be or they don’t survive very long. But I’m also human, and we are social creatures. At RSA we get to engage with a much wider range of people than we do in our day-to-day work, and we get face-to-face feedback from people who use our research but don’t necessarily leave comments or feedback. Based on reports from the guys who were out there we are definitely on track, but hearing it isn’t the same as shaking the person’s hand or having breakfast with them. I can’t lie – I really missed that this year. I missed the feedback, good and bad, instead of talking to a blank screen or a captive audience before running to catch a plane. I don’t regret my decision in the slightest – my family is far more important than any of what i just talked about. I like the way Chris Hoff put it during the session we would have presented together had the baby come early, “the cost of missing RSA is a lot less than the cost of a divorce”. And one advantage is that I was here to get the Cloud Security Alliance Nexus launched. The CSA Nexus is a branded version of the Nexus platform we have been developing for two years. We launched with the CSA first because, at our annual internal planning meeting, we decided we needed to rework our content a bit before we go live for Securosis customers. It’s exciting to have actual, paying customers, and to get this thing out of the lab. It’s also weird to be a product manager, not just an analyst. We are going to open up our beta test again after we get a little more server work done, and we are still working out the dates for our official Securosis Nexus launch, but it should be soon. We are making a big bet on this platform, and I suspect getting actual customers in there will more than compensate for missing a few handshakes, head nods, and spilled beers. Note: since everyone was out this week and I was focused on the Nexus launch, this week’s Summary is missing most of the usual sections. Securosis in the news Rich on passwords in Digital Trends. Securosis posts Shattered Windows – the Impact of Attack Automation. Go buy Take Control of Your Passwords. Bit9 Details Breach. About the Security Blogger’s Meetup. Looky here. Adaptive Authentication works… When is a Hack a Breach? The Nexus Is Live with the Cloud Security Alliance! Everything I need to know about security, I learned in kindergarten. The end of MDM (as we know it). Or not. Attribution Meh. Indicators YEAH! Other news More Java 0-day. We are now adding this to the Summary with a weekly script. Botnet shut down live at RSA. AirWatch grabs $200M in funding. We don’t normally cover these things, but that is an insane amount of money. An interview with a ski patroller. Because I really miss ski patrol. Share:

In 2011, our friend Josh Corman codified “HD Moore’s Law”: Casual Attacker power grows at the rate of Metasploit For those who don’t know, Metasploit, created by HD Moore, is a free penetration testing framework (it is now owned by Rapid7, who also sells a commercial version). Metasploit allows an attacker to rapidly combine an exploit with a payload and initiate attacks, dramatically reducing the complexity compared to hand-coding an attack yourself. Unlike other commercial tools such as Immunity Canvas and Core Impact, Metasploit has a large community, and when new vulnerabilities or exploits become public they are typically converted into Metasploit modules extremely quickly (sometimes within hours). Once a module is published, anyone using Metasploit can leverage that attack. But Metasploit isn’t the only automated attack tool. Criminals have their own toolsets and markets, some of which advertise inclusion of 0-day vulnerabilities (for a price) and include better support than most of the security tools on the market. Being profitable, they fund their own research teams or acquire new exploits on the open market. Some software vendors have started talking about this in public, as Microsoft outlined in their RSA talk on their response to Flame. Brad Arkin from Adobe has also talked about this and presented hard data on their patch times and public disclosures and exploits. In the article Microsoft didn’t call out Metasploit or the criminal attack tools, but the inference is clear. There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.* If it isn’t public, it has already been used in attacks or – thanks to changes in the exploit market – sold to someone who intends to use it in attacks. If it is public, it will be included in attack tools (good and bad) faster than most vendors can create and distribute a patch, or most users can deploy even if the patch is available. Some vulnerabilities are still reported privately to vendors, but we can no longer assume this is the norm, especially for some of the most serious vulnerabilities with high market value. Cloud computing also affects this in both good and bad ways, but the core principle is the same. If a cloud service is a target they have nearly no time to patch, but when they do they can patch for all users at once (for public clouds). To be clear, I don’t consider Metasploit or other penetration testing tools ‘bad’. They are extremely important for security professionals to understand and use, but that doesn’t mean they can’t be misused. Share: