Research

Data masking has been around a long time. I have been masking since the early ’90s to create test data from production copies of customer insurance records, as well as to alter database columns before sending database exports out for “data cleansing”. At the time masking was little more than UNIX shell scripts or home grown Perl scripts to alter particular columns in .csv files. A few years later I was giddy with excitement to have my first masking ‘program’, running on a paleolithic version of Windows, which actually had a ‘wizard’ for walking through the process. No, it did not help with extraction of information from a database, but it identified the columns to be altered, provided a list of masks to apply, and dumped an error file when it ran into trouble. That saved a lot of tweaking scripts and manually reviewing dump files. And all this was several years before I heard anyone mention ‘ETL’ (Extract, Transform, Load) because ODBC and JDBC drivers to connect to databases were just arriving on the scene, and nobody had automated bulk loads back into another database. That was still science fiction. Masking products don’t look like that any longer – now they are full-blown data security and management platforms. It feels a bit nostalgic to review data masking technologies, and somewhat surprising to find how far they have evolved into full production-quality enterprise platforms. I have been following data masking for almost two decades, and seen more evolution in the last couple years than over the first dozen. These advancements have come in two forms. First, evolution of the technology in recent years, building the capability to handle just about any type of database or data source, full automation, workflow integration, and a dozen or so data obfuscation techniques. Second, in response to substantial market demand from IT security and compliance departments, the way these tools are used has changed. Increased demands from new buying centers have forced changes in workflow, user interface, and how core capabilities are packaged. It only took a couple public breaches, where production data was easily exfiltrated from unsecured test databases, to drive masking into companies’ production data flows. Compliance requirements such as PCI-DSS cemented the need and are now a principal driver for adoption. The upshot is that most of these tools have seen significant advancement, and now include multiple robust user interfaces to support both technical and non-technical users, as well as pre-packaged solutions for different compliance mandates. Somewhere along the way, masking grew up! I started following this vertical again because we received a number of customer questions, specifically around compliance. We have been seeing steady growth in adoption of masking over the last four years – perhaps 20% YoY – as more customers use masking to reduce information risk. In some ways it’s a more elegant solution than encryption; and for several deployment models masking is cheaper and easier than surrounding sensitive data with layers of security controls such as user rights management, encryption, database security, and various firewall technologies. When you think about securing Big Data, data analytics systems, HIPPA compliance, and using public cloud computing resources, there is plenty of reason to believe masking’s rapid adoption will continue. I have written a lot about masking on the blog, but never a focused research paper; it seems to be time for a thorough explanation of what masking does and how it helps security. So I am excited to launch a new series: Understanding and Selecting Data Masking Solutions. I have designed this series to help would-be buyers understand what to look for in a product, and show existing customers how to leverage their investments to solve emerging problems. I’ll delve into the technology, deployment models, data flow, and management capabilities. I will discuss the four principal use cases and how the technology solves certain compliance and security issues, and close out with a brief buyers’ guide on what features to look for based upon your criteria. The outline follows: Core Features: We’ll define masking, introduce the basic technology, and discuss how it’s applied to data. We will also define the major masking options (shuffling, averaging, substitution, field nulling/redaction, and mathematical transposition) and de-identification methods. And we’ll explain the need for data type & format preservation, uniqueness, and semantic & referential integrity. How It Works: We will examine how masking works, focusing on how data flows through it and how information is secured. We’ll describe different options for sources, destinations, extraction methods, loading options, and where & how masking is performed. We will contrast masking against encryption and tokenization to frame advantages of particular techniques for specific use cases later. Technical Architecture: Deployment models (ETL, in-place, and the various options for dynamic masking), issues, and concerns with each. We will discuss support for files and databases, and how masking integrates with these platforms. We’ll include diagrams to compare and contrast the models. Advanced Features: We’ll cover current trends in data discovery, risk & criticality assessment, and mask validation. We will talk about centralized policy management, data set management, and secure data transfer. We’ll discuss integration with other systems such as trouble ticketing, encryption, tokenization, and DLP for automated workflow. Use Cases: We will outline both traditional and new use cases, bringing together the evolving requirements with ongoing changes to masking technologies, along with how these use cases prompt new deployment models. This section will focus on specific customers requirements that have come up in our research; we’ll also evaluate specific masking alternatives to meet security and compliance mandates. We will cover automated workflows and scripting, as well as use of pre-defined templates for defining masks. We’ll discuss compliance masks and pre-built regulatory options, as well as control reporting. Evaluate Your Needs: We’ll wrap up by mapping out evaluation criteria and a process to guide a customer buying decisions. We will distinguish between “must-have” and “nice-to-have” requirements, compliance, integration, setup, and management. As with all Securosis research projects, we are focused on

Rich and I – with help from Chris Pepper – compiled the Understanding and Selecting a Database Security Platform series into a research paper, and provided it to a number of people for initial review. We got a lot of valuable feedback and observations back. Commenters felt several topics were under-served, they believe others were over-emphasized, and more we failed to mention. We’re not too proud to admit when we’re wrong, or when we failed to capture the essence of customer buying decisions, so we are happy to revisit these topics. We believe their feedback improves the paper quite a bit. In keeping with our Totally Transparent Research process we want all discussions that affect the paper out in the open, so we are posting those comments here for review. If you have additional comments, or responses to anything here, we encourage you to chime in. This series took longer to produce than most of our other research papers, and some readers had trouble following along from beginning to end. For the sake of continuity I have listed all the blog posts: Understanding and Selecting a Database Security Platform: Introduction Defining DSP Core components and the evolution of DAM to DSP Event collection Technical architecture Core features Extended features Administration and management Use cases And for reference, the original Understanding and Selecting a Database Activity Monitoring Solution research paper and the first DAM 2.0 posts offer additional insight. Once we have discussed all the comments and pulled all relevant feedback into the paper, we will release the final version. Share:

Rich here. It amazes me how something completely mundane can be utterly fascinating the first time you experience it. This morning I woke up about 5:45 as I heard my younger daughter waking up herself. If history held, she had been up for a little while and was ready to get out of her crib. Now!!! Nothing new there, and I started the painful process of getting out of bed (I d hammered my bad shoulder a little too much during my swim workout yesterday, leading to a painful night). Here’s the cool bit. Our older daughter (who is only 3) came barging in to tell us her little sister wanted out of the crib. This is the same 3-year-old who was still calling for us to get her out of her toddler bed a mere week or so ago. Oh, she could easily extricate herself, but the habit of yelling for us to get her was deeply ingrained. She’d sit there yelling for one of us while clutching her stuffed animals and blanket, only to hand them over so she could climb out. So I got out of bed, went down the hall to the little one’s open door, and carried her downstairs. Then I noticed big sister’s stuff already there on her spot on the couch. “Have you been up for a while?” “Yes.” “What were you doing?” “I was giving the cat some treats.” This is, relatively speaking, nothing. We all get out of bed ourselves in the morning and start our days. But it was the first time one of our kids got out of bed, took her stuff downstairs, and played with the cat without waking anyone else up. And 20 years from now the odds are I won’t remember it. But damn – for this one moment I was more impressed and proud of this tiny little thing we all do, and all kids do, than any “big” accomplishments (whatever those are). The best part? She’d even put the cat treats away in the drawer. I think I like this parenting thing. Despite the lack of sleep, large amounts of vomit I’m occasionally covered with, and all the interesting places I’ve now gotten to clean shit out or off of. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted on cloud security on ServicesAngle. Rich quoted on 10 years of Microsoft’s Trustworthy Computing Initiative. Adrian quoted in SecurityWeek on WAF & SDLC. Adrian quoted in Tech Republic on User Behavior Monitoring.. Favorite Securosis Posts Adrian Lane: FireStarter: Policy Wonks and Pests. Yes, my own post. But as Rich said, this is a huge beef we have and we see it all too often with cloud security. Rich: Okay, we were a little light on blogging this week. I promise to make up for it next week! Other Securosis Posts Incite 2/9/2012: Swimming with Sharks. Favorite Outside Posts Mike Rothman: How to make money online. This post actually isn’t about making money. It’s about being successful in today’s online environment. And Godin is a philosopher king, so ignore his guidance at your own risk. Adrian Lane: Citadel Trojan Outgrowing Its Zeus Origins. Interesting post on the RSA blog about the Citadel Trojan – see how attackers improve their code. Rich: Joss Whedon interview at GQ. I’m sorry, but I’m an intense geek and the fact that some studio tossed Joss $220M (far more than most security companies are worth) just tickles me pink. Research Reports and Presentations Watching the Watchers: Guarding the Keys to the Kingdom. Network-Based Malware Detection: Filling the Gaps of AV. Tokenization Guidance Analysis: Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Top News and Posts Random network security tip if you are on TV. Amusing. Getting started with OpenStack in your lab. Now where were you when I was building the CCSK class labs? Sigh. Apple hardens Safari and OS X with latest update. FBI warns travelers about hotel Internet connections. Gee, China anyone? Blog Comment of the Week This would have required us to, uh, blog… so no comment this week. Share:

What ever happened to the sit-down family dinner? Maybe it’s just me, but growing up, the only time I really experienced it was watching TV. My Mom worked retail pharmacy, so normally I was pulling something out of the freezer to warm up for my kid brother and myself. And nowadays the only time we sit down for dinner is when we go out to a restaurant. It’s not that we don’t want a sit-down dinner. But we are always carting the kids from one activity to the next, badgering someone to do their homework or get ahead on a project, or maybe letting them play with their friends every so often. We don’t normally stop before 9pm, and that’s on a good day. It is what it is, but I wonder what the impact will be in terms of knowledge transfer. You hear all those high achievers talking about how their parents talked about current events or business or social issues around the dinner table, and that’s how many life lessons were taught. The Boss and I tend to have more one-on-one discussions with the kids about their challenges and interests. I’m all for allowing kids to focus on what they enjoy, but I want to expose them to some of the things I’m passionate about. That’s why we got tickets to the Falcons. By hook or by crook, these kids will be football fans. And I was a little skeptical when the Boss started DVRing “Shark Tank” a few weeks ago. A bunch of rich folks (the ‘sharks’) evaluating business ideas and possibly even investing their own capital. The reality TV aspect made me believe it would be overdramatized and they’d be overly harsh just for ratings. But I gave it a chance because one of the sharks, a guy named Robert Herjavec, was a reseller for CipherTrust back in the day. So I got to tell the kids stories about that crazy Canadian. Truth be told, I was wrong about the show. It was very entertaining, and more importantly it provides a teaching moment for all of us. As you can imagine, I have opinions about pretty much everything. It’s a lot of fun to discuss each of the business ideas, critique their ideas on valuation, pick apart their distribution strategy, and ultimately decide whether that business is a good idea. The best part is the kids got engaged watching. At least for 15-20 minutes, anyway. They are starting to ask good questions. The Boss is now coming up with business ideas almost daily. XX2 seems to have an interest as well. This is a great opportunity to start talking to my family about my other passion: building businesses. Who knows what my kids will end up being or doing? But for them to see entrepreneurs, some with decent ideas, trying to expand their businesses with the passion that only entrepreneurs can muster is terrific. It gives me an opportunity to explain the concepts of raising capital, marketing, selling, distribution, manufacturing, etc. – and they have some concept of what I’m talking about. Maybe they’ll even retain some of this information and pursue some kind of entrepreneurial path. Like their father, their father’s father, and their father’s father’s father before them. Nothing would make me happier. –Mike Photo credits: “Amanda Steinstein swims with the sharks!” originally uploaded by feastoffun.com Heavy Research We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. Vulnerability Management Evolution Enterprise Features and Integration Evolution or Revolution? Watching the Watchers (Privileged User Management) Clouds Rolling in Integration Understanding and Selecting DSP Use Cases Incite 4 U Don’t leave home without your security umbrella: As the plumber of Securosis, I get to cover the sexy businesses like AV and perimeter firewalls. Thankfully the NGFW movement has made these boxes a bit more interesting, but let’s be candid – folks want to talk about cloud and data protection, not the plumbing. But as Wendy points out, everyone likes to poke fun at these age-old controls, but it would be a bad idea to retire them – they still block the low-hanging fruit. I love her analogy of an umbrella in a hurricane. You don’t throw out the umbrella because you’ll need to stay dry in a hurricane from time to time. Believe it or not, there are still a lot of successful attackers out there who don’t have to drop zero-day attacks to achieve their missions. These “light drizzle” attackers can be stymied even by basic controls. Obviously you don’t stop with the low bar, but you can’t ignore it either. – MR Build it in or test it out: Part 4 of Fergyl Glynn’s A CISO’s guide to Application Security is live at Threatpost. In this post he discusses technology options for security testing; but the series has been a bit of a disappointment – taking a “test it out” approach to application security rather than “build it in”. With the prevalence of web-based apps today CISOs are more interested in build techniques such as Address Space Layout randomization that make many forms of injection attacks much harder, instead of obfuscation techniques that make reverse engineering distributed code more difficult. Besides, the good hackers don’t really work from source, do they? I’d also suggest security regression tests be included to verify old security defects are not re-introduced – you want to prevent old risks from getting back into the code just as much as “Prevent(ing) the introduction of new risks”. I suspect that Glynn’s focus on measurable reduction of threats/risks/vulnerabilities underserves one of the most effective tactics for application security: threat modeling. We can’t quantify the bugs we don’t have thanks to successful prevention, but you should strive for improvement earlier in the development lifecycle. The series has tended to focus on tools

I’ve spent more hours than I can count studying compliance and governance. Reading and re-reading PCI requirements, Sarbanes-Oxley law, theory, and applied theory. Spent mind-numbing hours combing through BASEL and BASEL II docs. I’ve spent many long weeks with external auditors, internal auditors, assessors, risk management personnel, corporate governance officers, and government officials – trying to understand their jobs, their roles, and how the world functions from their perspectives. I’ve spent months mapping those ideas and processes into policy implementations, process modifications, and the rules that actually enforce policies. I’ve written audit reports for these various compliance and policy management frameworks to demonstrate policy compliance and efficacy. When you sell security and risk management software these efforts are necessary, because compliance drives your company’s revenue. So I feel I understand policy and compliance pretty darn well, but I am bothered by the trend toward policy being the focus – at the expense of the task it was originally designed to govern. I got started on this thread during a review of an instructional “how-to” on the secure-software development lifecycle (SDLC). The more I read of this SDLC description, the more I realized that it was not SDLC at all. It was a risk and management process to gauge the effectiveness of the SDLC program. It contained next to nothing on SDLC itself! There were very few instructions on tools, processes, or things you need to know to actually develop under an SDLC – just management and policy oversight. Don’t get me wrong – risk management and development management policies are very important for SDLC. When we track and monitor we get a better idea of whether what we are doing is having a positive effect, weigh the relative merits of different types of security efforts, and over time learn whether we are getting better. But policy and management are not for the sake of policy and management – they only exist to ensure the core effort (in this case SDLC) is actually working. I find that a lot of this stems from people developing policy when they have never done whatever the policies are meant to govern. And sometimes that’s okay. It’s not a requirement that you have developed code, managed teams of developers, or been responsible for process development to comment on SDLC and SDLC governance. But without that experience in whatever practice you are trying to manage, efforts to improve it rarely work out well – the policy mindset does not mesh well with the development mindset. Agile programming even has a name for these people: chickens! From the parable of Chickens and Pigs, the Chickens have lots of input but are not part of the actual process. And developers make this distinction because chickens can be detrimental to the process of developing software. This particular brand of chicken I usually call “policy wonks”, and I am convinced they do at least as much harm as good. I’m pretty pragmatic. I prefer easy over hard, and when it comes down to it I just want to get my work done and move on. In fact all of us at Securosis are this way – Mike so much that he authored the Pragmatic CSO guide that remains in use and gets downloaded pretty much every week. Developers, if I can be so bold as to generalize on the culture as a whole, are usually anti-bureaucracy and anti-policy. It’s whatever works quickly and effectively. And I have this trait in a big way. But after years spent with policy development and compliance, gathering metrics and measuring outcomes, I know they actually are critical. But I keep running into people who only do policy, who only give us the (to steal a phrase from David Mortman) Utopian Policy Ideal, without any consideration whatsoever for actually getting $#)^! done! Policy is to help us avoid repeating mistakes and guide us on how to get work done the way we want to get it done. But it’s not all about policy. Policy is not the work to get done. Are policy and governance important? Hell, yeah! But if we keep spending 50% of our time on this 5% of the picture, we will suck at the other 95% of the stuff that needs to happen in order to get things done. You know – real work. Note from Rich: Adrian asked me to review this before posting so I thought I’d insert a line. This is my single biggest pet peeve in security today. Especially in cloud. Far too many people seem to want to be policy wonks and focus on GRC to the exclusion of actual security. Share:

My conversation started like this: “Do you know where the recorder is?” she asked. “The what?” I replied. “The tape recorder we bought you!” After a long pause, I replied: “You mean the Panasonic cassette tape recorder you bought me in 1974?” “Yes, that one! I want to record myself playing the piano.” My brain froze momentarily, as I processed the many implications of this statement. After another long pause I asked: “Mom, did you really call me up to ask me about a cassette recorder? From the 70’s? And for the record, no, I’ve not seen it in – uh – three decades. I think we threw it out when the batteries corroded the insides. That would have been in the early 80’s.” “Oh, darn!” “If you don’t mind my asking, why not use the computer? Or one of those dictaphones you’ve got scattered around the house. Or your phone should – wait, don’t you have a smartphone?” “No, your father and I do not have cell phones.” This conversation occurred last month. I literally put down the phone after that comment to think about what that meant. They didn’t go all Amish on me, did they? I consider myself a ‘late’ adopter because my first phone that was more than a basic phone was the iPhone 4. I still use email. I have really just started to appreciate Twitter, placed my entire music library on a computer, and started streaming television over WiFi. But I have owned cell phones for 15 years or so. This is a whole different universe of thought and perception. Other than their DVD player and the ‘recent’ upgrade to Windows XP, it seems my parents stopped advancing with technology a long time ago. My wife has a theory that you can tell someone’s ‘heyday’ when you walk into their home, by looking at the period decor. I have got lots of friends who are 10, 15, even 25 years older than me; and it seems to hold true. For my parents it’s velour, brass, and mauve – you do the math. Some people continue to modernize but most just stop at some point. I think that there is an economic component to the lack of change – it’s expensive to just replace things for the sake of modernization. But this is different. An old couch is a long way from not having a cellphone. I grew up hearing about the generation gap, and I mostly ignored the discussion about the digital divide as – in Berkeley at least – it came across as some socialist rant against what was perceived as a technological caste system. But I am starting to see the point, not in the “technological literacy” sense, but more about humans’ willingness to adapt or sample new things, or just try something different. But damn, this is still shocking. And I’m their offspring – could this happen to me too? Is it because you own a device that already does something similar, so you figure “Why buy a new one?” Do you need a robot vacuum cleaner when the Hoover upright still functions? Do you need voicemail when your answering machine still works? If the Mr. Coffee still cranks out brown water, why invest in a single-cup espresso maker with those fancy foil packs? Why replace the refrigerator that’s been working great for 30 years? If IE6 still browses the Internet, why change? Do you need LED lights when you have an incandescent desk lamp? Mom was more comfortable with a cassette tape recorder than any other recording device invented in the last 40 years. She was headed to the store to see if she could find a new one. I told her that her best bet was [snark]Office Max[/snark]. The good news is that I have figured out the perfect Christmas gift – I’ll send them the Patrick Nagel prints I have stored in the garage. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich with Nir Zuk on Coming to Grips with Consumerization. Adrian at Dark Reading: Security Bugs And Proofs Of Concept. Written before the TNS poisoning disclosure. Rich mentioned in Entrepreneur.com. Adrian’s paper on User Activity Monitoring. Mike’s PCI: Dead Man(date) Walking? at Dark Reading. Favorite Securosis Posts Mike Rothman: Friday Summary: TSA Edition. Rich nails the issue with airport security in his intro to last week’s Summary. He’s right – more security theater will be coming to an airport near you. Adrian Lane: Stupid Human Tricks: Security Job Interviews. The LiquidMatrix guys are like family, so this is my favorite ‘inside’ post of the week. Guaranteed to make the most cynical security people laugh out loud! Rich: FireStarter: Policy Wonks and Pests. Have I mentioned how little respect I have for people who want to govern things they don’t understand? Other Securosis Posts Incite 5/2/2012: Refi Madness. Vulnerability Management Evolution: Evolution or Revolution? Favorite Outside Posts Mike Rothman: 8 Things To Expect Shopping At Microsoft’s Non-Apple Apple Store. Imitation is the sincerest form of flattery. And then there is copying. If you’ve never been to a Microsoft store, Conan has it nailed. Especially the Zune meet-ups. Should provide your LOL of the day. Adrian Lane: TNS Poison – straight from the researcher. Fascinating tale of FAIL. Rich: Don’t be an evangelist. Okay, I get mentioned in this one, but there really isn’t any place for religion in tech. You need to be able to adapt to the times. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics–Monitor for Reinfection. Malware Analysis Quant: Metrics–Remediate. Malware Analysis Quant: Metrics–Find Infected Devices. Malware Analysis Quant: Metrics–Define Rules and Search Queries. Malware Analysis Quant: Metrics–The Malware Profile. Malware Analysis Quant: Metrics–Dynamic Analysis. Research Reports and Presentations Watching the Watchers: Guarding the Keys to the Kingdom. Network-Based Malware Detection: Filling the Gaps of AV. Tokenization Guidance Analysis: Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to

It all started with an innocent call from my mortgage broker. He started with, “What if I could shave 75 basis points off your note, with no cost to you?” As you might have noticed, I’m a skeptical type of fellow. I asked, “What’s the catch?” He laughed and said, “No catch, I can get you from 4.25% to 3.5% and I’ll pay the costs.” I responded again, “There must be a catch. What am I missing?” He maked some wise remark about Groundhog Day and then told me there really is no catch. I can save a couple hundred bucks a month I’m currently paying the bank. Done. But you see, there was a catch. There is always a catch. The catch this time was having to once again bear witness to the idiocy that is the mortgage process (in the US anyway). So I gather together all the financial information. My broker asks if he needs to send a courier over to pick up the stuff. Nope, an encrypted zip file he can download from Dropbox suffices. That was a lot easier, so maybe it won’t be a total clusterf*** this time. Yeah, I was being too optimistic. I knew things were off the rails last Tuesday when I got copied on an email to my home insurance broker needing a quick verification of the policy ahead of a Friday closing. Uh, what? What Friday closing? Is there a Friday closing? Shouldn’t they have shared that information with me, since I’m pretty sure I have to be there? So we schedule the closing for Friday. About midway through Thursday I get a call asking about a credit inquiry from the idiots who do our merchant account for Securosis. Why they inquired about my personal credit is beyond me, but I had to take some time to fill out their stupid form, explaining that the world consists mostly of idiots and those idiots’ checklists, run personal credit reports for business accounts. Did I mention how much I like checklists? Then I got a call Friday morning. Yes, the day we were supposed to close the note. They need to verify the Boss’s employment. But the Boss works for my company and I’m the managing member and sole officer of my company. They say that’s no good and they need to verify with someone who is not a party to the loan. I respond that there are no officers who aren’t a party to the loan. I figure they understand that and we’re done. Then Rich calls me wondering why he keeps getting calls from a bank trying to verify the Boss’s employment. Argh. I call the bank and explain that the Boss doesn’t work for Securosis and that she works for a separate company (that happens to own a minority share of Securosis). Idiots. At this point, I still haven’t received the settlement statement from the bank. Then I get a call from the closing attorney wondering if I could meet them at a Starbuck’s for the closing Friday night. Sure, but they’ll have to send a babysitter to my house to watch my kids. They didn’t think that was funny. So the lawyer agrees to come to my house to close the note. We go through all the paperwork. I verify that I’m neither committing mortgage fraud nor a terrorist. And yes, I really had to sign papers attesting to both. The lawyer (who does about 15-20 closings a week) can’t recall anyone actually admitting to committing mortgage fraud or being a terrorist, but we sign the documents anyway. And then we are done. Or so we thought. I figured it’s 2012 so I should just wire the money, rather than writing a check to cover the prepaid items like escrow, etc. So I dutifully wake up early Monday morning (in NYC) and log into my bank website to transfer the money. Of course, the web app craps out, I’m locked out of the wire transfer function, and the Boss needs to drop whatever she is doing and head over the bank to wire the money. Yes, that was a pleasant conversation. If getting kicked in the nuts 10 times is your idea of pleasant. But all’s well that ends well. We closed the note and we’ll save a crapload of money over the next 10 years. But man, the process is a mess. These folks give a new meaning to just in time. For those of you looking for someone to manage incidents or fill another role that require an unflappable perspective, maybe check out some of these loan processors. They’d laugh at having to only coordinate legal, forensics, law enforcement, and the ops folks. That would be a day in the park for those folks. Seriously. -Mike Photo credits: “rEEFER mADNESS” originally uploaded by rexdownham Heavy Research We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. Vulnerability Management Evolution Enterprise Features and Integration Evolution or Revolution? Watching the Watchers (Privileged User Management) Clouds Rolling In Integration Understanding and Selecting DSP Use Cases Incite 4 U Human context: Great summary by LonerVamp on some of our very own Myrcurial’s thoughts at this year’s Schmoocon. There is a lot of stuff in there and I agree with most of it. But the idea that resonated most was “knowledge of analysts vs. knowledge of tools,” as I had that very conversation with 15 Fortune-class CISOs this week. And there was no contest. These folks have budget for tools, they have budget for people, and they are still losing the battle. They can’t find the right people. The right folks understand how the data applies to their environment. They have context, which tools just can’t provide. No matter what a vendor tells you. – MR State of fear:

We have discussed the evolution of vulnerability management from a tactical tool to a much more strategic platform providing decision support for folks to more effectively prioritize security operations and resource allocation. But some vendors may not manage to effectively broaden their platforms sufficiently to remain competitive and fully satisfy their customer requirements. So at some point you may face a replacement decision, or to put it more kindly, a decision of evolution or revolution for your vulnerability/threat management platform. Last year we researched whether to replace your SIEM/Log Management platform. That research provides an in-depth process for revisiting your requirements, re-evaluating your existing tool, making a decision about whether to replace or not, negotiating the deal, and migrating to the new platform. If and when you face a similar decision regarding your vulnerability management platform the process will be largely the same, so check out that research for detail on the replacement process. The difference is that, unlike SIEM platforms, most organizations are not totally unhappy with their current vulnerability tools. And again, in most cases a revolution decision results from the need to utilize additional capabilities available with a competing platform, instead of because the existing tool simply cannot be made to work. The Replacement Decision Let’s start with the obvious: you aren’t really making a decision on the vulnerability management offering – it’s more of a recommendation. The final decision will likely be made in the executive suite. That’s why your process focuses initially on gathering data (quantitative when possible) – because you will need to defend your recommendation until the purchase order is signed. And probably afterwards, especially if a large ‘strategic’ vendor provides your currently VM scanner. This decision generally isn’t about technical facts – especially because there is an incumbent in play, which may be from a big company with important relationships with heavies in your shop. So to make any change you will need all your ducks in a row and a compelling argument. And even then you might not be able to push through a full replacement. In that case the best answer may be to supplement. In this scenario you still scan with the existing tool, but handle the value-add capabilities (web app scanning, attack path analysis, etc.) on the new platform. The replacement decision can be really broken into a few discrete steps: Introspection: Start by revisiting your requirements, both short and long term. Be particularly sensitive to how your adversaries’ tactics are changing. Unfortunately we still haven’t found a vendor of reliable crystal balls, but think about how your infrastructure is provisioned and will be provisioned (cloud computing). What will your applications look like, and who will manage them (SaaS)? How will you interact with your business partners? Most important, be honest about what you really need. It’s important to make a clear distinction between stuff you must have and stuff that would be nice to have. Everything looks shiny on a marketing spec sheet. That doesn’t mean you’ll really use those capabilities. Current Tool Assessment: Does your current product meet your needs? Be careful to keep emotion out of your analysis – most folks get pissed with their existing vendors from time to time. Do some research into the roadmap of your current vendor. Will they support the capabilities you need in the future? If so, when? Do you believe them? Don’t be too skeptical, but if a vendor has a poor track record of shipping new functionality do factor that in. Alternatives and Substitutions: You should also be surveying the industry landscape to learn about other offerings that might meet your needs. It’s okay to start gathering information from vendors – if a vendor can’t convince you their platform will do what you need they have no shot at actually solving your problem. But don’t stop with vendors. Talk to other folks using the product. Talk to resellers and other third parties who can provide a more objective perspective on the technology. Do your due diligence, because if you push for a revolution it will be your fault if it doesn’t meet expectations. Evaluate the Economics: Now that you know which vendors could meet your requirements, what would it cost to get there? How much to buy the software, or is it a service? How does that compare to your current offering? What kind of concessions can you get from the new player to get in the door, and what will the incumbent do to keep your business? Don’t make the mistake of only evaluating the acquisition cost. You should factor in training, integration, and support costs. And understand that you may need to run both offerings in parallel during a migration period, just to make sure you don’t leave a gap in assessment. Document and Sell: At this point your decision will be clear – at least to you. But you’ll need to document what you want to do and why, especially if it involves bringing in another vendor. Depending on the political situation consensus might be required among the folks affected by the decision. And don’t be surprised by pushback if you decide on replacement. You never know who plays golf with whom, or what other big deals are on the table that could have an impact on your project. And ultimately understand that you may not get what you want. It’s an unfortunate reality of life in the big city. Sometimes decisions don’t go your way – no matter how airtight your case is. That’s why we said earlier that you are really only making a recommendation. Many different factors go into a replacement decision for a key technology, and most of them are beyond your control. If your decision is to stay put and evolve the capabilities of your tool into the platform you need, then map out a plan to get there. When will you add the new features? Then you can map out your budgets and funding requests, and work through

Given the general focus on most organizations on the attackers out there, they may miss the attackers that actually have the credentials and knowledge to do some real damage. These are your so-call privileged users and far too many organizations don’t do much to protect themselves from an attack from that community. By the way, this doesn’t necessarily require a malicious insider. Rather it’s very possible (if not plausible) that a privileged user’s device gets compromised, therefore giving the attacker access to the administrator’s credentials. Right, that’s a bad day. Thus we’ve written a paper called Watching the Watchers: Guarding the Keys to the Kingdom to describe the problem and offer some ideas on solutions. A compromised P-user can cause all sorts of damage and so needs to be actively managed. Let’s now talk about solutions. Most analysts favor models to describe things, and we call ours the Privileged User Lifecycle. But pretty as the lifecycle diagram is, first let’s scope it to define beginning and ending points. Our lifecycle starts when the privileged user receives escalated privileges, and ends when they are no longer privileged or leave the organization, whichever comes first. We would like to thank Xceedium for sponsoring the research. Check it out, we think it’s a great overview of an issue facing every organization. At least those with administrators. Download Watching the Watchers: Guarding the Keys to the Kingdom The paper is based on the following posts: Keys to the Kingdom (Introduction) The Privileged User LIfecycle Restrict Access Protect Credentials Enforce Entitlements Monitor Privileged Users Clouds Rolling In Integration Share:

Rich here. I’m writing thi from an airport, so I will eschew my normal ‘personal’ intro and spend a little time on our favorite security show: Airport Screening Follies. (But before I do that, go buy Motherless Children by Dennis Fisher. Dennis is an actual writer, and despite him screwing up an EMT reference it’s a great book (so far… nearly halfway through)). It’s easy to knock the TSA. But like kicking a puppy, it’s also far from satisfying. And while it’s also easy to criticize specific screening techniques, it might be more useful to understand them. Because if we really want our airport traveling experience to change, we need to attack the economics and stop wasting our time focusing on the value of particular security controls, or the failings of a small percentage of the workforce. If we look at the TSA, there are really three levels of people involved (not counting the public): Policymakers (politicians) TSA executives (and high-level appointees) TSA staff Let’s take a moment to look at the dynamics at each level. Politicians only care about being reelected, and don’t want any responsbility for their actions. To them the risk of changing the TSA is that on the off chance something bad, happens they will be excoriated (worst case: not re-elected). The reward for actually changing TSA practices is low, while the reward for posturing is high. In other words: if a politician implements a reduction in security and something bad happens they are likely to be held responsible even if it’s a coincidence; but proposing bills that don’t pass, loudly demanding tigher security (even if their demands are meaningless), and spending complaining to the press, all help them get reelected. So they all talk a lot without doing anything useful. TSA execs – the high-level decision-makers – face the same risks as politicians. Drop a single pointless security ‘control’, and when the next event happens they will be stoned by politicians, press, and the public. There is no cost to them for implementing more security theater, but there is a high risk from removing anything. It’s not an evil mindset, and not one they are necessarily conscious of, but the sad truth is that it is at least as important for them to look like they are doing anything to address every potential visible risk, as to actually stop an attack or improve transportation. TSA staff mostly just want to keep their jobs. One important way to do that is to buy into the security theater. They also want to feel good about their work, so like an AV vendor hyping Mac malware, they believe that even low-value security is important – it’s what they do, day to day. I don’t mean this in an insulting way. There is actually a lot of value in screening, although certain TSA technologies and practices are basically pointless. When you are in the trenches, it is often hard to divest yourself emotionally and to understand the differences objectively. I’m fairly certain that many of our fine readers enforce plenty of IT security theater (especially when it comes to passwords), so you all know what I mean. As a guy who used to hand-search thousands of concert and football attendees, I get it. What about the flying public? The only thing we can control is the political environment, and if we aren’t going to hold our elected officials responsible for their economic foibles we certainly aren’t going to vote based on who will change the TSA. So our politicians really have nothing vested in reducing security theater. We have executives and appointees who see only a downside to reducing it, because public complaints don’t really affect them. And they are motivated to double down when challenged so they seem ‘decisive’ and knowledgeable. Last we have the staffers who just want to keep their jobs and go home without feeling like asses. It’s all risk/reward, and the odds certainly do not favor the flying public. Until the political climate for security theater becomes untenable nothing will change. And that won’t happen as long as we have 24-hour news channels and talk radio. Oh – and this all applies to CISPA, and whatever else is pissing you off today. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s paper on User Activity Monitoring. Favorite Securosis Posts Adrian Lane: Vulnerability Management Evolution: Value-Add Technologies. This is the type of graphics we need more of. Mike Rothman: Understanding and Selecting DSP: Use Cases. In case some of the theory behind DSP wasn’t clear, these use cases should clarify things. This was a great series. Rich: Mike’s Privileged User Management paper – this is heating up. Other Securosis Posts Incite 4/25/2012: Drafty Draft. Watching the Watchers: Integration. Vulnerability Management Evolution: Core Technologies. Vulnerability Management Evolution: Value-Add Technologies. Vulnerability Management Evolution: Enterprise Features and Integration. Favorite Outside Posts Mike Rothman: Motherless Children (buy it now!). Our friend Dennis Fisher published a novel. You can buy it on the Kindle and within a week or so you’ll be able to buy a paperback version. I’m getting my copy this weekend. You should too. Mike Rothman: The Mystery of the Flying Laptop. We all get security theater. Nice to see a mass market pub lampoon the idiocy of flying with electronics in the US. Rich: Bill Brenner on the TSA – tying into my intro. Research Reports and Presentations Watching the Watchers: Guarding the Keys to the Kingdom. Network-Based Malware Detection: Filling the Gaps of AV. Tokenization Guidance Analysis: Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Top News and Posts Mozilla Weighing Opt-In Requirement for Web Plugins. This is already available, if you use the Add-on tool to keep all this stuff turned off. US and China conduct cyber-war games. Hotmail Password Reset Bug Exploited in Wild. Critical 0day in Oracle. Backdoor