Research

We have been through all the pieces of our advanced incident response method, React Faster and Better, so it is time to wrap up this series. The best way to do that is to actually run through a sample incident with some commentary to provide the context you need to apply the method to something tangible. It’s a bit like watching a movie while listening to the director’s commentary. But those guys are actually talented. For brevity we will use an extremely simple high-level example of how the three response tiers evaluate, escalate, and manage incidents: The alert It’s Wednesday morning and the network analyst has already handled a dozen or so network/IDS/SIEM alerts. Most indicate probing from standard network script-kiddie tools and are quickly blocked and closed (often automatically). He handles those himself, just another day in the office. The network monitoring tool pings an alert for an outbound request on a high port to an IP range located in a country known for intellectual property theft. The analyst needs to validate the origin of the packet, so he looks and sees the source IP is in Engineering. Ruh-roh. The tier 1 analyst passes the information along to a tier 2 responder. Important intellectual property may be involved and he suspects malicious activity, so he also phones the on-call handler to confirm the potential seriousness of the incident. Tier 2 takes over, and the tier 1 analyst goes back to his normal duties. This is the first indication that something may be funky. Probing is nothing new and tier 1 needs to handle that kind of activity itself. But the outbound request very well may indicate an exfiltration attempt. And tracing it back to a device that does have access to sensitive data means it’s definitely something to investigate more closely. This kind of situation is why we believe egress monitoring and filtering are so important. Monitoring is generally the only way you can tell if data is actually leaking. At this point the tier 1 analyst should know he is in deep water. He has confirmed the issue and pinpointed the device in question. Now it’s time to hand it off to tier 2. Note that the tier 1 analyst follows up with a phone call to ensure the hand-off happens and that there is no confusion. How bad is bad? The tier 2 analyst opens an investigation and begins a full analysis of network communications from the system in question. The system is no longer actively leaking data, but she blocks any traffic to that destination on the perimeter firewall by submitting a high priority request to the firewall management team. After that change is made, she verifies that traffic is in fact being blocked. She sets an alert for any other network traffic from that system and calls or visits the user, who predictably denies knowing anything about it. She also learns that system normally doesn’t have access to sensitive intellectual property, which may indicate privilege escalation – another bad sign. Endpoint protection platform (EPP) logs for that system don’t indicate any known malware. She notifies her tier 3 manager of the incident and begins a deeper investigation of previous network traffic from the network forensics data. She also starts looking into system logs to begin isolating the root cause. Once the responder notices outbound requests to a similar destination from other systems on the same subnet, she informs incident response leadership that they may be experiencing a serious compromise. Then she finds that the system in question connected to a sensitive file server it normally doesn’t access, and transferred/copied some entire directories. It’s going to be a long night. As we have been discussing, tier 2 tends to focus on network forensics because it’s usually the quickest way to pinpoint attack proliferation and severity. The first step is to contain the issue, which entails blocking traffic to the external IP – this should temporarily eliminate any data leakage. Remember, you might not actually know the extent of the compromise, but that shouldn’t stop you from taking decisive action to contain the damage as quickly as possible. At this point, tier 3 is notified – not necessarily to take action, but so they are aware there might be a more serious issue. It’s this kind of proactive communication that streamlines escalation between response tiers. Next, the tier 2 analyst needs to determine how much the issue has spread within the environment. So she searches through the logs and finds a similar source, which is not good. That means more than one device is compromised and it could represent a major breach. Worst yet, she sees that at least one of the involved systems purposely connected to a sensitive file store and removed a big chunk of content. So it’s time to escalate and fully engage tier 3. Not that it hasn’t been fun thus far, but now the fun really begins. Bring in the big guns Tier 3 steps in and begins in-depth analysis of the involved endpoints and associated network activity. They identify the involvement of custom malware that initially infected a user’s system via drive-by download after clicking a phishing link. No wonder the user didn’t know anything – they didn’t have a chance against this kind of attack. An endpoint forensics analyst then discovers what appears to be the remains of an encrypted RAR file on one of the affected systems. The network analysis shows no evidence the file was transferred out. It seems they dodged a bullet and detected the command and control traffic before the data exfiltration took place. The decision is made to allow what appears to be encrypted command and control traffic over a non-standard port, while blocking all outbound file transfers (except those known to be part of normal business process). Yes, they run the risk of blocking something legit, but senior management is now involved and has decided this is a worthwhile risk, given the breach in progress. To limit potential data loss through the C&C channels left open, they

In the relatively short period of time I have been on this planet, there are three time periods that really stand out to me as watershed moments in computing technology. The first was the dawn of the personal computing era that conveniently overlapped with the golden age of video arcades. For me it started the day my elementary school teacher introduced us to a Commodore PET, through the first Mac, and tapered off in the late 80s when home computers stopped being an anomaly. I don’t think the excitement I felt was merely the result of being an enthusiastic young male. ASCII porn didn’t really cut it, even for a 14 year old geek. Next was the dot-com era: around the time I should have graduated college if I hadn’t dragged out my undergrad a solid 8 years. In my memories it started when I signed up with my first dial-up ISP and played with Gopher and newsgroups – through the emergence of Mosaic, Netscape, and my first web sites (ugly) – and faded with the dot-com crash and crappy TV studio websites (which still, mostly, suck). Personally I went from paramedic, to PC tech, to sysadmin, to network admin, to developer in these short years. (Fast learner, I guess). The third era? Right now. It started with the dual emergences of the iPhone and Amazon Web Services, and it’s years away from ending. For me the bellwether moments were my first Intel-based MacBook Pro running Parallels (I converted the official Gartner image into a VM to run it there), followed by the iPhone, with a little Dropbox mixed in. The overlapping models of mobility and cloud computing are creating one of the most exciting times to be in technology I can remember. With lower barriers to entry in terms of costs and hardware, and near-ubiquitous accessibility (even accounting for AT&T wireless), I’m more psyched today than even when I built my first little company to make doinky web apps and do a little security consulting. I seriously wish I was out there doing startups, but it’s not quite the time for a career change. When I can spin up 5 different servers, on 5 different operating systems, in 5 minutes for under $5? From my iPad? That kicks so much more ass than making a crappy embossed background for my old ‘professional’ looking site. As for security? Oh my god, is this a freaking awesome time to do what we do. The threats matter, the assets are important, and the opportunities are nearly endless. I realize a lot of people are depressed about the whole industry game and compliance cycle, but that’s a small penalty to pay for the excitement and meaning of our work. You don’t get a seat at the table unless the stakes are high. Life is good. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Video of Rich on MSNBC. He apologizes for the eyebrow thing. Mort cited talking about cloud security at Bsides. Rich quoted at SearchSecurity on cloud. RSA Podcast on Agile development, Security Fail. Protegrity calls Securosis one of their favorite blogs. Data is Safe – Until It’s Not. Apparently Adrian telling the retail sector they suck at security has legs. And fortunately for us WhiteHat Security published data to back up his claim. Clearing The Air On DAM. Adrian’s Dark Reading post. Favorite Securosis Posts Rich: FireStarter: The New Cold War. There seems to be lots of naivete out there. Guess what – they hack us, we hire people to hack them. The world goes on. Mike Rothman & Adrian Lane: What You Really Need to Know about Oracle Database Firewall. Rich calls out marketing buffoonery. FTW. Other Securosis Posts React Faster and Better: Respond, Investigate, and Recover. Could This Be WikiLeaks for the Criminal Computer Underground?. What I Learned at RSAC. Incite 2/23/2011: Giving up. RSA: the Only Difference Between a Rut and a Grave Is the Depth. RSA: We Now Go Live to Our Reporters on the Scene. How to Encrypt Block Storage in the Cloud with SecureCloud. RSA 2011: A Few Pointers. The Securosis Guide to RSA 2011: The Full Monty. Favorite Outside Posts Rich: Gunnar follows the Heartland cash. I haven’t seen anyone else track the financials of a company involved in a major breach so closely. Before we start talking “dollars per record lost”, we need more of this kind of work. Mike Rothman: The obsession with next. Given that next is all we saw at RSA, this was a timely post on the 37Signals blog. Adrian Lane: Russian Cops Crash Pill Pusher Party. Oddly no arrests have been reported, but a great story. Research Reports and Presentations The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. White Paper: Understanding and Selecting an Enterprise Firewall. Understanding and Selecting a Tokenization Solution. Security + Agile = FAIL Presentation. Top News and Posts Zeus malware integrating SMS for hacking out of band authentication. More on HBGary Hack. Lion Watch. With new FileVault. When to implement that is an open question. SSDs resistant to erasure. Updated SAFEcode Development Practices. Oracle Releases Database Firewall. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Shrdlu, in response to What I Learned at RSAC. Nice piece, Adrian–and it was good to meet you too. The general sentiment I heard from vendors I talked to was that the overall mood was better at RSA this year and there were more end-users (as opposed to vendors and partners selling to one another). I can’t form an opinion, as this was my first RSA, but I’ve been to a lot of other conferences and I really didn’t see much difference between this one and other “commercial” ones. That being said, I did see some interesting stuff going on, and I think it’s our job to seek it out and

When Brian Krebs sent me a link to his latest article on illegal pharmacy networks my only response was: Holy friggin’ awesomesauce!!! Brian got his hands on 9GB of financial records for what is likely the world’s biggest online spammer/illegal pharmacy network: In total, these promoters would help Glavmed sell in excess of 1.5 million orders from more than 800,000 consumers who purchased knockoff prescription drugs between May 2007 and June 2010. All told, Glavmed generated revenues of at least $150 million. Brian told me this is merely the first of a lengthy series he is putting together as he digs through the data and performs additional research. This is true investigative reporting, folks. Here’s why I think this could be a watershed moment in computer crime. While this may only be the books for a big criminal pharmacy, it shows all the linkages to other corners of the global criminal networks. Spammers, black hat hackers, SEO, money launderers… it’s probably in there. Especially once Brian correlates with his other sources. He did answer one little question I’ve always had… do they actual send people the little blue pills? Yep. And Brian has the shipping records to prove it. Share:

After you have validated and filtered the initial alert, then escalated to contain and respond to the incident, you may need to escalate for further specialized response, investigation, and (hopefully) recovery. This progression to the next layer of escalation varies more among organizations we have talked with than the others – due to large differences in available resources, skill sets, and organizational priorities, but as with the rest of this series the essential roles are fairly consistent. Tier 3: Respond, Investigate, and Recover Tier 3 is where incident response management, specialized resources, and the heavy hitters reside. In some cases escalation may be little more than a notification that something is going on. In others it might be a request for a specialist such as a malware analyst for endpoint forensics analysis. This is also the level where most in-depth investigation is likely to occur – including root cause analysis and management of recovery operations. Finally, this level might include all-hands-on-deck response for a massive incident with material loss potential. Despite the variation in when Tier 3 begins, the following structure aligns at a high level with the common processes we see: Escalate response: Some incidents, while not requiring the involvement of higher management, may need specialized resources that aren’t normally involved in a Tier 2 response. For example, if an employee is suspected of leaking data you may need a forensic examiner to look at their laptop. Other incidents require the direct involvement of incident response management and top-tier response professionals. We have listed this as a single step, but it is really a self-contained response cycle of constantly evaluating needs and pulling in the right people – all the way up to executive management if necessary. Investigate: You always investigate to some degree during an incident, but depending on its nature there may be far more investigation after initial containment and remediation. As with most steps in Tier 3, the lines aren’t necessarily black and white. For certain kinds of incidents – particularly advanced attacks – the investigation and response (and even containment) are carried out in lockstep. For example, if you detect customized malware, you will need to perform a concurrent malware analysis, system forensic analysis, and network forensic analysis. Determine root cause: Before you can close an incident you need to know why it happened and how to prevent it from happening again. Was it a business process failure? Human error? Technical flaw? You don’t always need this level of detail to remediate and get operations back up and running on a temporary basis, but you do need it to fully recover – and more importantly to ensure it doesn’t happen again. At least not using the same attack vector. Recover: Remediation gets you back up and running in the short term, but in recovery you finish closing the holes and restore normal operations. The bulk of recovery operations are typically handled by non-security IT operations teams, but at least partially under the direction of the security team. Permanent fixes are applied, permanent holes closed, and any restored data examined to ensure you aren’t re-introducing the very problems that allowed the incident in the first place. (Optional) Prosecute or Discipline: Depending on the nature of the incident you may need to involve law enforcement and carry a case through to prosecution, or at least discipline/fire an employee. Since nothing involving lawyers except billing ever moves quickly, this can extend many years beyond the official end of an incident. Tier 3 is where the buck stops. There are no other internal resources to help if an incident exceeds capabilities. In that case, outside contractors/specialists need to be brought in, who are then (effectively) added to your Tier 3 resources. The Team We described Tier 1 as dispatchers, and Tier 2 as firefighters. Sticking with that analogy, Tier 3 is composed of chiefs, arson investigators, and rescue specialists. These are the folks with the strongest skills and most training in your response organization. Primary responsibilities: Ultimate incident management. Tier 3 handles incidents that require senior incident management and/or specialized skills. These senior individuals manage incidents, use their extensive skills for complex analysis and investigation, and coordinate multiple business units and teams. They also coordinate, train, and manage lower level resources. Incidents they manage: Anything that Tier 2 can’t handle. These are typically large or complex incidents, or more-constrained incidents that might involve material losses or extensive investigation. A good rule of thumb is that if you need to inform senior or executive management, or involve law enforcement and/or human resources, it’s likely a Tier 3 incident. This tier also includes specialists such as forensics investigators, malware analysts, and those who focus on a specific domain as opposed to general incident response. When they escalate: If the incident exceeds the combined response capabilities of the organization. In other words, if you need outside help, or if something is so bad (e.g., a major public breach) that executive management becomes directly involved. The Tools These responders and managers have a combination of broad and deep skills. They manage large incidents with multiple factors and perform the deep investigations to support full recovery and root cause analysis. They tend to use a wide variety of specialized tools, including those they write themselves. It’s impossible to list all the options out, but here are the main categories: Network (full packet capture) forensics: You’ve probably noticed this category appearing at all the levels. While the focus in the other response tiers is more on alerting and visualization, at this level you are more likely to dig deep into the packets to fully understand what’s going on for both immediate response and later investigation. If you don’t capture it you can’t analyze it, and full packet capture is essential for the advanced incident response which provides the focus here. Once data is gone you can’t get it back – thus our incessant focus on capturing as much as you can, when you can. Endpoint

I was surprised at the negative tweets and blog posts after the RSA show this year, many by the security professionals at the core of this industry. I have been to RSA most years since 1997. This year, discontent and snarkiness seemed to be running high. “There is nothing new.” “There is no innovation.” “The vendors are all lying.” “These products don’t work as advertised.” “I have seen this presentation before.” “That attack won’t work in ‘the real world’.” I saw nobody excited about the concept of winning a car – what’s up with that!?! You know it’s bad when attendees complain about booth babes – booth babes! – and then go to the Barracuda party. You know who you are. This year, like most years, I learned a lot. I got a great introduction to mobile OS security fron Zach Lanier (Quine) over dinner. I learned a lot about Amazon EC2 and related seurity issues. I learned that a vendor may have lied to me about their key manager. Jeremiah Grossman’s presentation got me thinking about how I can improve my Agile SDL presentation. I learned that CIOs and CISOs are still struggling with the same challenges I did 10 years ago; and falling victim to the same role, organizational, and communication pitfalls. Chris Hoff answered a question on why app level encryption will probably scale better when protecting data in VMs. Talking to attendees, I learned there are a couple technologies that are still giant mysteries to average IT professionals. I learned that far fewer developers have worked within an Agile process than I expected. And by watching security and non-security people, I am still learning what makes a good analyst. Beyond what I learned, there is the whole personal side of it: meeting friends and getting some of the inside stories about security breaches and vendors. I got to meet, face to face, a couple of the people I criticized here, and was relieved that they appreciated my comments and did not take them personally. I got to meet people I admire and respect, including Michael Howard of Microsoft and Ivan Ristic of Qualys. I got to talk Rugged software with a very diverse group of people. But perhaps the biggest single event, and the one I have the most fun at every year for the last four, is the Security Bloggers Awards – where else in the world am I going to attend a professional gathering and see 50 friends in the same room at the same time? I recognize that only about 35% of this is due to sessions and RSA sanctioned events; but all the other training sessions, parties, and people would not be in San Francisco at one time if it was not for the conference. The sheer gravity of the RSA Conference pulls all these people and events together. If you’re not getting something out of the conference, if you are burned out and not learning, look in the mirror. Not every year can you be hit on the head with a career-altering revelation, but there are too many smart people in attendance for you not to come away with lots of new ideas and reshaped perceptions. I am overjoyed that I can still get excited about this profession after 15 years, because there is always something new to learn. Share:

Nothing amuses me more than some nice vendor-on-vendor smackdown action. Well, plenty of things amuse me more, especially Big Bang Theory and cats on YouTube, but the vendor thing is still moderately high on my list. So I quite enjoyed this Dark Reading article on the release of the Oracle Database Firewall. But perhaps a little outside perspective will help. Here are the important bits: As mentioned in the article, this is the first Secerno product release since their acquisition. Despite what Oracle calls it, this is a Database Activity Monitoring product at its core. Just one with more of a security focus than audit/compliance, and based on network monitoring (it lacks local activity monitoring, which is why it’s weaker for compliance). Many other DAM products can block, and Secerno can monitor. I always thought it was an interesting product. Most DAM products include network monitoring as an option. The real difference with Secerno is that they focused far more on the security side of the market, even though historically that segment is much smaller than the audit/monitoring/compliance side. So Oracle has more focus on blocking, and less on capturing and storing all activity. It is not a substitute for Database Activity Monitoring products, nor is it “better” as Oracle claims. Because it is a form of DAM, but – as mentioned by competitors in the article – you still need multiple local monitoring techniques to handle direct access. Network monitoring alone isn’t enough. I’m sure Oracle Services will be more than happy to connect Secerno and Oracle Audit Vault to do this for you. Secerno basically whitelists queries (automatically) and can block unexpected activity. This appears to be pretty effective for database attacks, although I haven’t talked to any pen testers who have gone up against it. (They do also blacklist, but the whitelist is the main secret sauce). Secerno had the F5 partnership before the Oracle acquisition. It allowed you to set WAF rules based on something detected in the database (e.g., block a signature or host IP). I’m not sure if they have expanded this post-acquisition. Imperva is the only other vendor that I know of to integrate DAM/WAF. Oracle generally believes that if you don’t use their products your are either a certified idiot or criminally negligent. Neither is true, and while this is a good product I still recommend you look at all the major competitors to see what fits you best. Ignore the marketing claims. Odds are your DBA will buy this when you aren’t looking, as part of some bundle deal. If you think you need DAM for security, compliance, or both… start an assessment process or talk to them before you get a call one day to start handling incidents. In other words: a good product with advantages and disadvantages, just like anything else. More security than compliance, but like many DAM tools it offers some of both. Ignore the hype, figure out your needs, and evaluate to figure out which tool fits best. You aren’t a bad person if you don’t buy Oracle, no matter what your sales rep tells your CIO. And seriously – watch out for the deal bundling. If you haven’t learned anything from us about database security by now, hopefully you at least realize that DBAs and security don’t always talk as much as they should (the same goes for Guardium/IBM). If you need to be involved in any database security, start talking to the DBAs now, before it’s too late. BTW, not to toot our own horns, but we sorta nailed it in our original take on the acquisition. Next we will see their WAF messaging. And we have some details of how Secerno works. Share:

I’ve been in the security business a long time. I have enjoyed up cycles through the peaks, and back down the slope to the inevitable troughs. One of my observations getting back from RSAC 2011 is the level of sheer frustration on the part of many security professionals today. Frustration with management, frustration with users, frustration with vendors. Basically lots of folks are burnt out and mad at the world. Maybe it’s just the folks who show up at RSA, but I doubt it. This seems to be true across the industry. A rather blunt tweet from 0ph3lia sums up the way lots of you feel: Every day I’m filled with RAGE at this f***ing industry & the fact that I work in it. Maybe I’m just not cut out for the security industry. This is a manifestation of many things. Tight budgets for a few years. The ongoing skills gap. Idiotic users and management. Lying vendors. All contribute to real job dissatisfaction on broad scale. So do you just give up? Get a job at Starbucks or in a more general IT role? Leave the big company and go to a smaller one, or vice versa? Is the grass going to be greener somewhere else? Only you can answer that question. But many folks got into this business over the past 5 years because security offered assured employment. And they were right. There are tons of opportunities, but at a significant cost. I joke that security is Bizarro World, where a good day is when nothing happens. You are never thanked for stopping the attack, but instead vilified when some wingnut leaves their laptop in a coffee shop or clicks on some obvious phish. You don’t control much of anything, have limited empowerment, and are still expected to protect everything that needs to be protected. For many folks, going to work is like lying on a bed of nails for 10-12 hours a day. So basically to be successful in security you need an attitude adjustment. Shack had a good riff on this yesterday. You can’t own the behaviors of the schmucks who work for your company. Not and stay sane. Sure, you may be blamed when something bad happens, but you have to separate blame from responsibility. If you do your best, you should sleep well. If you can’t sleep or are grumpy because security gets no love and you get blame for user stupidity; or because you have to get a new job every 2-3 years; or for any of the million other reasons you may hate doing security; then it’s okay to give up. Your folks and/or your kids will still love you. Promise. I gave up being a marketing guy because I hated it. That’s right, I said it. I gave up. After my last marketing gig ended, I was done. Finito. No amount of money was worth coming home and snapping at my family because of a dickhead sales guy, failed lead generation campaign, or ethically suspect behavior from a competitor. My life is too short to do something I hate. So is yours. So do some soul searching. If security is no good for you, get out. Do something else. Change is good. Stagnation and anger are not. -Mike Photo credits: “happiness is a warm gun” originally uploaded by badjonni Domo Arigato My gratitude knows no bounds regarding winning the “Most Entertaining Security Blog” award at the Social Security Blogger Awards last week. Really. Truly. Honestly. I’ve got to thank the Boss because she’ll kick my ass if I don’t mention her first every time. Then I need to thank Rich and Adrian (and our extended contributor family) who put up with my nonsense every day. But most of all, I need to thank you. Every time you come up to me at a show and tell me you read my stuff (and actually like it), it means everything to me. I’m always telling you that I know how lucky I am. And it’s times like these, and getting awards like this, that make it real for me. So thanks again and I’ll only promise that I’ll keep writing as long as you keep reading. -Mike Incite 4 U Marketecture does not solve security problems: That was my tweet regarding Cisco’s new marketecture SecureX. The good news is that Cisco has nailed the issues – namely the proliferation of mobile devices and the requisite re-architecting of networks to address the onslaught of bandwidth-hogging video traffic. This will fundamentally alter how we provide ingress and egress, and that will require change in our network security architectures. But what we don’t need is more PowerPoints of products in the pipeline, due at some point in the future. And that’s not even adressing the likelihood of data tagging actually working at scale. If Cisco had delivered on any of their other grand marketecture schemes (all of which looked great on paper), I’d have a little more patience, but they haven’t. Maybe Gillis and Co. have taken some kind of execution pill and will get something done. But until then I wouldn’t be budgeting for much. Is there a SKU for a marketecture? Cisco will probably have it first. – MR You can’t secure a dead horse: Well, technically you can secure an actual deceased horse, but you know what I mean. Microsoft is getting ready to release Service Pack 1 for Windows 7, but nearly all organizations I talk with still rely on Windows XP to some degree. You know, the last operating system Microsoft produced before the Trustworthy Computing Initiative. The one that’s effectively impossible to secure. No matter what we do, we can’t possibly expect to secure something that was never built for our current threat environment. We’re hitting the point where the risks clearly outweigh the non-security related justifications. FWIW, my new favorite saying is: “If you are more worried about the security risks of cloud computing and iOS devices than using XP

It amuses me that folks were shocked by the latest treasure trove of goodies from the HBGary email spool. Basically these folks built custom malware on behalf of their government clients. Ars Technica digs in (with pretty impressive technical depth, I might add) and makes clear what you should already know. We are in the midst of another cold war. This war is not being fought with nuclear warheads, but computer malware. It’s not visible to most people – and, honestly, most people don’t really care. They should, because the new attacks could knock down our power grids, contaminate our water supplies, and basically cause chaos. You all know I’m no Chicken Little – and to be clear I sleep very well at night. I wasn’t even a glimmer in my parents’ eyes when the Cuban Missile Crisis brought us to the brink, but the ramifications of an all-out cyber conflict are similar. Plenty of folks have semantic issues with calling computers attacking each other ‘war’, because no one actually bleeds (directly). And I agree with that, somewhat. Cyber conflict won’t result in a mushroom cloud or tens of thousands vaporized in a split second (not yet anyway), but the potential for indirect damage is real. But to make the point again, I sleep well at night because as much as it hurts to know there are foreign nations in our most critical stuff (yes, APT, I’m talking about you), we are in their stuff as well. Stuxnet, anyone? What makes you think we aren’t in all the major systems of our potential adversaries? Right, that would be a bad assumption. So we have a good old-fashioned standoff. Another Cold War. Mutually assured destruction is a pretty good deterrent to anyone actually initiating a cyber conflict. Why do you think the APT doesn’t bother to cover its tracks? They want us to know they are there. Duh. Back in the days of the original Cold War, the private sector was engaged to improve our warheads, defend against enemy warheads (remember Star Wars?), and come up with other innovations to give us a snowball’s chance of surviving a nuclear conflict. In this Cold War, we have the private sector providing new weapons (read: malware) and new defenses (your very own security industry) to give us a snowball’s chance of surviving a cyber-conflict. HBGary is not unique in this pursuit. Not by a long shot. There are no white hats or black hats in this game. You need to play both offense and defense. And clearly the US does. We never got the opportunity to see any of the Beltway bandits’ mail spools during the last Cold War, but I suspect we’d be similarly nauseated. But with that nausea comes a sense of relief that the best and the brightest (including Greg Hoglund) are working to protect our interests. Now I understand these weapons can just as easily be used against us, but that has always been the case. So I guess my message is to grow up, people. National security (whatever that means) is a messy business. Share:

I think Rich may still be sleep deprived, but on the upside his recap did elicit my loudest laugh of the day. See if you can spot the sentence that caused it. Rich’s Recap I wish I had something witty and insightful to say about the first full day of RSA, but that would involve actually seeing more of the show than my own presentations and the insides of meeting rooms. And while it’s technically the first day of the conference, it’s my third day of entirely too much talking and walking. So here are a few crib notes. Started the day by noticing I was supposed to record a video for a presentation I hadn’t written yet. Resolved post-breakfast-meeting thanks to a convenient coffee shop. Good thing it was on EDRM… not like anyone is using it anyway. I really am starting to see some interesting cloud-specific security tools floating around out there. Yes, there are a bunch of companies that just converted their existing software into virtual appliances, but the ones building from the ground up for cloud are showing some nice innovation. Serious improvement over last year. Gave my DLP talk today. I’ve stared at the same damn DLP slides for so many years now that I just couldn’t bring myself to look at them again. So I shut them off and went commando. I may have freaked some people out. One dude was writing bullet points on a pad and holding them in front of his face. Seems like most people liked it. Maybe. That’s what I’ll tell myself as I try to fall asleep tonight. Had a cloud panel with the worst freaking title in history. Something like “Public and private sectors: why are agencies hesitant to adopt the cloud?” No, seriously, I’m not making this *&%^ up. I figured 2 people might show up, but the room was full and the panel went well. Turns out we had the CISO of eBay, a senior legal counsel for security and privacy at GE, a muckety-muck from NIST, and the CSO of Qualys. Tons of audience questions, many around all the sticky issues of using cloud with some semblance of control. Guess what folks – if you have developers with corporate credit cards, you’re in the cloud. Show floor is full of blinky lights. Loud dudes in suits talking. Free cars. Seriously. I guess security is big business. All this work junk is seriously impeding my ability to consume vast amounts of frothy beverages. Early bed tonight, mostly due to losing my voice and still having 3 presentations to go. –Rich Did you catch it? If not, here it is. A quote that shall live on in infamy (at least if I have anything to do with it): “So I shut them off and went commando. I may have freaked some people out.” I’d say that’s a safe assumption, Rich. Next up we have The Old Man, aka Mike Here are my observations from today: I’m getting old: There was a time I could drink all night and be productive during the day. But those days have passed. It’s getting harder to ramp up my partying, knowing I have a number of panels and even more meetings tomorrow. Yes, I’m old. And the blue-haired booth babes that a nobody vendor had in their booth annoyed me. What the hell? Get off my lawn! RSA is not the real world: I had a conversation with a bunch of investors and needed to remind them that the messaging and solutions pushed at us at RSA are not reflective of the real needs of the market. Not even close. But in the reality distortion field of the Moscone Center it’s easy to forget that most companies don’t even know how many devices they have. Shamans and snake oil salesmen: We don’t make decisions based on data, but generally through a leap of faith. Do you know if your IPS or AV really works? If you said either yes or no, you are wrong. You have no idea. You may have a hunch, but you don’t have the data to actually know. So anything you buy to address an issue is a leap of faith. If you can grok the philosophy of whoever is selling you stuff, then they are shamans. But those are few and far between. Unfortunately most are charlatans selling snake oil backed by ridiculous promises and hyperbole that prey upon the suckers born every minute. And there are plenty of them. This industry sucks at marketing: In tooling around the show floor, I realized the entire industry can’t market worth a crap. Nonstop technical jargon, with stupid parlor tricks like magicians, booth babes, and smoothies focused on standing out from the crowd. How about trying this on for size? Tell customers what you do in simple, problem oriented terms. Nobody gives a shit about the size of your widget or your blinky lights. Other random thoughts: I really shouldn’t be around people for a week straight. Thankfully I’m unarmed. If you are going to drink to excess, STFU before you say something stupid. Folks who can bust your stuff don’t need to tell you that – those who need to boast can look forward to reading their email spool on a torrent. I also decided that if we ever have a SecurosisCon, I will give a keynote in an Elvis suit. And on that note, I’d better go to sleep before someone gets hurt. –Mike That’s right. Stay out of Mike’s way or he will run you down with his walker. Let’s just hope he doesn’t throw out his hip. Again. Share:

It’s worth noting that even sleep-deprived Rich is surprisingly coherent. Rich While the RSA show technically doesn’t start until tomorrow, there’s still a heck of a lot going on. For myself, the worst is actually over. And by “the worst”, I mean there are even odds I will actually sleep tonight. It all started yesterday when we delivered the very first CCSK certification class for the Cloud Security Alliance. I learned three things in the process: Managing other analysts on a project sucks major @$$. We totally need 2 days to cover this content. Heck, with our current slide deck we could easily fill 3-4 days. Running 5 power strips to tables in the Moscone center costs $2,100. Most of that was $157/hr for the box to plug the power strips into. The room only cost $6K for the day. Methinks I have never been so violated in my life. The class went well and we learned a heck of a lot. We still have a ton of work to tune the content and package it, but it was awesome to spend a full day teaching folks and getting feedback, as opposed to the usual analyst stuff. I’m starting to think this “cloud” thing might be big. Today we ran the e10+ program for people with 10+ years in security. I thought we’d delve deeply into technical issues, but they were mostly interested in how to work within their own organizations and prioritize security. To be honest I’m far more comfortable with the pure tech side of things (despite being an analyst), but I do understand that once you hit a certain point in your career the soft skills are more important. One of my favorite bits from the panel was from Richard Bejtlich. He said one of the ways they determine their priorities is to figure out what the bad guys are looking for. I think I’m going to call this “Attacker Driven Data Classification”. It makes a lot of sense: if the bad guys are looking for something, and it isn’t a high priority for you, at minimum you should figure out why they want it. Other than that things are going well. We started showing off the Securosis Nexus, which we will make public fairly soon. With that, it’s time to go to bed. I have two sessions tomorrow (my big DLP presentation and another on cloud and government), plus way too many meetings. Prepping for RSA is always hard, and I hate being away from my family, but it is kind of nice to catch up with folks and be social once (or twice) a year. –Rich Next up, Adrian What’s new is new. Rich and Mike put together this year’s e10+ seminar at RSA. And like most panels that involve Securosis, there were a couple testy moments when some of the participants took exception to Richard Bejtlich’s assertion that compromised data is exposed to the world in greater quantity – with far more public access to the content – than ever before. Some of the audience members felt we were seeing the same attacks over and over, and the threats of today are no different than we saw in 1985. In fact they went so far as to say “the cloud” was not much more than publicly available mainframes. David Mortman wins a prize for his rebuttal: “Yeah, RACF rules!” All kidding aside, I have been in the industry almost that long, and I can say that in some ways this later assertion is true; we still suck at application security, and DoS, non-repudiation, and spoofing work pretty much the same way they did in 1985. How these attacks occur is new, as they exploit both new and old technologies in interesting ways. But the thrust of Richard’s comment is absolutely correct: The speed and quantity of exfiltration is unprecedented. Further, what’s very new is the ability to widely distribute data and make stolen data available for search and inspection. Ten years ago I could push stolen information to FTP servers and hacker sites, but it data was not really accessible to people who did not know where to look for it, or did not understand how to grep through blobs of multi-format data. Now we have Google to do it for us. So what’s old is new again, but in many cases it’s just freakin’ new. –Adrian And now for something completely different: Mike 1) We need toddlers, not Kenyans. No offense to Kenyans, but one of the things that became crystal clear at the e10+ sessions this morning was the disparity of needs between the early adopters of security technologies and everyone else. You see the vendors and talking heads spend all their time talking about strategies to do advanced security against serious adversaries. But most of the world can’t even do the simple n00b blocking and tackling to defeat script kiddies. So basically most of the RSA Conference will be focused on these advanced strategies, which have very little bearing on the vast majority of organizations. It’s like our industry is hiring Kenyans to run a marathon, while everyone else barely walks. Maybe we need schoolteachers. This capabilities gap might be the most significant issue we face as an industry. Yes, even more than APT or WikiLeaks. Now do two shots, because I said both the buzzword bingo keywords. 2) The perimeter is dead. Long live the perimeter: Besides the fireworks of Cisco and Palo Alto screaming at each other during my panel at the America’s Growth Capital conference, we covered some important ground. First off, the perimeter is not dead. But it needs to get a lot smarter and much more distributed. As more stuff moves to the cloud and video clogs our networks, we need to gain visibility and control, working the areas we know we can access. That means applications. The other resonating point was the reality that with the massive bandwidth consumed by video, we need to provide