Research

This is a bit of a different post for me. One exercise in the CCSK Enhanced Class which we are developing for the Cloud Security Alliance is to encrypt a block storage (EBS) volume attached to an AWS instance. There are a few different ways to do this but we decided on Trend Micro’s SecureCloud service for a couple reasons. First of all, setting it up is something we can handle within the time constraints of the class. The equivalent process with TrueCrypt or some other native encryption services within our AWS instance would take more time than we have, considering the CCSK Enhanced class is only one day and covers a ton of material. The other reason is that it supports my preferred architecture for encryption: the key server is separate from the encryption engine, which is separate from the data volume. This is actually pretty complex to set up using free/open source tools. Finally, they offer a free 60-day trial. The downside is that I don’t like using a vendor-specific solution in a class since it could be construed as endorsement. So please keep in mind that a) there are other options, and b) the fact that we use the tool for the class doesn’t mean this is the best solution for you. Ideally we will rotate tools as the class develops. For example, Porticor is a new company focusing on cloud encryption, and Vormetric is coming out with cloud-focused encryption. I think one of the other “V” companies is also bringing a cloud encryption product out this week. That said, SecureCloud does exactly what we need for this exercise. Especially since it’s SaaS based, which makes setting it up in the classroom much easier. Here’s how it works: The SaaS service manages keys and users. There is a local proxy AMI you instantiate in the same availability zone as your main instances and EBS volumes. Agents for Windows Server 2008 or CentOS implement the encryption operations. When you attach a volume, the agent requests a key from the proxy which communicates with the SaaS server. Once you approve the operation the key is sent back to the proxy, and then the agent, for local decryption. The keys are never stored locally in your availability zone, only used at the time of the transaction. You can choose to manually or automatically allow key delivery based on a variety of policies. This does, for example, give you control of multiple instances of the same image connecting to the encrypted volume on a per-instance basis. Someone can’t pull your image out of S3, run it, and gain access to the EBS volume, because the key is never stored with the AMI. This is my preferred encryption model to teach – especially for enterprise apps – because it separates out the key management and encryption operations. The same basic model is the one most well-designed applications use for encrypting data – albeit normally at the data/database level, rather than by volume. I’ve only tested the most basic features of the service and it works well. But there are a bunch of UI nits and the documentation is atrocious. It was much harder to get this up and running the first time than I expected. Now for the meat. I’m posting this guide mostly for our students so they can cut and paste command lines, instead of having to do everything manually. So this is very specific to our class; but for the rest of you, once you run through the process you should be able to easily adjust it for your own requirements. Hopefully this will help fill the documentation gaps a bit… but you should still read Trend’s documentation, beacuse I don’t explain why I have you do all these steps. This also covers 2 of the class exercises because I placed some of the requirements we need later for encryption into the first, more basic, exercise: CCSK Enhanced Hands-on Exercises Preparation (Windows only) If you are a Windows user you must download an ssh client and update your key file to work with it. Download and run http://www.chiark.greenend.org.uk/~sgtatham/putty/latest/x86/putty-0.60-installer.exe. Go to Start > Program Files > PuTTY > PuTTYgen Click File, select *.*, and point it to your _name_.PEM key file. Click okay, and then Save Key, somewhere you will remember it. Download and install Firefox from http://mozilla.org. Create your first cloud server In this exercise we will launch our first AMI (Amazon Machine Image) Instance and apply basic security controls. Steps Download and install ElasticFox: http://aws.amazon.com/developertools/609?_encoding=UTF8&jiveRedirect=1. Log into the AWS EC2 Console: https://console.aws.amazon.com/ec2/home. Go to Account, then Security Credentials. Note your Access Keys. Direct link is https://aws-portal.amazon.com/gp/aws/developer/account/index.html. Click X.509 Certificates. Click Create a new Certificate. Download both the private key and certificate files, and save them where you will remember them. In Firefox, go to Tools > ElasticFox. Click Credentials, and then enter your Access Key ID and Secret Access Key. Then click Add. You are now logged into your account. If you do not have your key pair (not the certificate key we just created, but the AWS key you created when you set up your account initially) on your current system, you will need to create a new key pair and save a copy locally. To do this, click KeyPairs and then click the green button to create a new pair. Save the file where you will remember it. If you lose this key file, you will no longer be able to access the associated AMIs. Click Images. Set your Region to us-east-1. Paste “ami-8ef607e7” into the Search box. You want the CentOS image. Click the green power button to launch the image. In the New Instance(s) Tag field enter CCSK_Test1. Choose the Default security group, and availability zone us-east-1. Click Launch. ElasticFox will switch to the Instances tab, and your instance will show as Pending. Right-click and select Connect to Instance. You will be asked to open the Private Key File you saved when you set

It’s just a couple days until RSA Conference 2011. Is this your first time attending the security conference in San Francisco? Having attended for a few years now I can safely say that there are some things you should take into account before you show up. First of all, download the Securosis Guide to RSA 2011 (PDF) or (ePub). Next you need a plan. After you have completed registration, which I assume by this point you have, consider your options. When you arrive on site at the Moscone Center give yourself a good amount of time to get through registration and badge pickup. The conference folks manage a good job of processing people through, but there will be a lot of people. Give yourself enough time. Next up, what to see? There is far too much content to expect to see it all. As a result you need a plan for which talks to attend. RSA has a daily planner on its site that can help. This is a helpful resource, but it doesn’t entirely do it for me. I want something tailored to my interests. Thankfully, RSA has created a tool for that. Behold the personal scheduler! I should point out that you must be logged into the RSA Conference site to access that tool. So next ask yourself why you are coming to RSA. What are you there to learn? Or are you taking a break on the company dime? I know some of you are doing just that; I’ve seen it before. So be honest with yourself. Which tracks interest you? There are quite a few this year: Application and Development Business of Security Cloud Security (new for 2011) Cryptography Data Security Governance & Risk Compliance Hackers & Threats Hot Topics Industry Experts Law Policy & Government Professional Development Sponsor Case Studies Strategy & Architecture Technology Infrastructure (also new) Not to mention some great talks like these and programs like e10+ for more experienced attendees. That’s a lot to choose from, so I would suggest you do your homework and be sure to check into the talks before you arrive. It would be a shame to find that you’ve landed smack in the middle of an hour-long lecture on widgets when you’re more interested in grapple grommets. Then there is the shark tank: the convention floor. Sweet mother, this is one massive collection of vendors. All of them are hunting for your dollars. That’s the name of the game. They’re not all there just to hand out free t-shirts. These folks work for a living. Take some time to speak with them and get to know their products. You can show up in a suit and be swarmed, or conversely, dress down if you want to blend into the background. The most important thing to remember for the convention floor is to wear a comfortable pair of shoes. No, really. The first time I went to RSA my back was out of commission for several days afterwards. That said, enjoy your time at the conference and bring along your favourite headache remedy. After you’re done with the vendor parties don’t forget to show up for the Securosis Disaster Recovery Breakfast Thursday morning – and be sure to RSVP. Share:

With great pleasure we post the 2nd annual Securosis Guide to the RSA Conference, 2011 edition. Last year’s guide we built as an experiment, but it has now effectively become an encyclopedia of all things RSA. As you’ve been seeing all week, we list out our key themes and then break down each major section of the industry. In this complete version we include vendor lists for each section and a comprehensive vendor list (with URLs) for easy reference during the show. Rich summed it up best – it’s not really an RSA Guide, it’s more “What’s coming in the next year of security”, which happens to be published in time for RSA. Below are links to both PDF and ePub versions. I loaded the Guide onto my iPad this morning and it looks great, so you may want to do that as well (in iBooks you may need to select the PDF tab). Enjoy and tell your friends. It’s free. Let’s just hope it doesn’t show up verbatim in the World’s #1 Hacker’s next book. PDF version: Securosis-GuidetoRSAC2011.pdf ePub version: Securosis-GuidetoRSAC2011.epub PS: Vendors, if you are looking for a nice giveaway for one last blast to your prospect lists to give away all those valuable expo passes, feel free to distribute the Guide. No fees, no nothing. It’s our little Valentine’s Day gift to you. Share:

Security Management Compliance is still driving most of what happens from a management standpoint, which is why have a specific compliance section below. On the security management front, there was still plenty of activity in 2010. But most customers continued to feel the same way: underwhelmed. It’s still very hard to keep control of much of anything, which is problematic as the number of devices and amount of sensitive data grow exponentially. Good times. Good times. What We Expect to See There are a couple areas of interest at the show for security management: The (Not) Easy Button: Given the absolutely correct perspective of customers that security management is too complex, difficult, ponderous, and lots of other negative descriptors, we expect vendors to focus on ease of use for many of these security management tools (especially SIEM/Log Management). Don’t believe them. They continue to sell false hope. To be fair, the tools are much improved. Interfaces are better. User experience is tolerable. But it’s still not easy. 
So spend some time in the booth checking out interfaces. How you set up rules, analyze data, and generate reports. Make the demo dude go into excruciating detail on how things really get done with the tool. Remember, anything you select, you will need to live with. So do your homework and choose wisely. The next act for scanners: Vulnerability management is so 2005. But tack on some kind of cloud stuff and it’s, uh, 2007? The new new shiny object is configuration auditing/policy compliance. Which actually makes sense because you need to scrutinize the device to check for vulnerabilities, so why not just assess the configuration while you are at it. And just as with vulnerability scanning, the question will be whether you do it on-site or via a cloud service. Or both, because we expect most vendors to offer both. MSS comes of age: The good news is that folks finally realize it’s not novel to monitor firewalls or IPS themselves, and combined with consolidation of pretty much all the big players, this means MSS isn’t a big deal anymore. So the big vendors with big booths will be talking about their monitoring (and even management) services. If you still have 5 folks parsing firewall alerts, check out these offerings. At minimum it will be interesting to get a sense of how efficiently you do things internally. Just make sure you understand exactly what the service and support model is, because when alerts start firing you don’t want to be dialing the main number of a $100 billion telco. Start-up X, a Big IT company: Big IT, with its big management stacks and big professional services teams, will be at RSAC in force. Maybe they’ll even have a story for how all the crap they’ve bought over the past year makes Big IT finally relevant in the security space. You’ll see HP and IBM (and EMC and Cisco and Juniper) in 5-6 different booths each, because companies they acquired had already committed to exhibit in this year’s show. They should have one of those passport programs, just to make sure you visit all their booths to win an iPad or something like that. Compliance Compliance isn’t merely a major theme for the show, it’s also likely the biggest driver of your security spending. But that doesn’t mean folks don’t want to minimize the cost and hassle of compliance, so scope reduction will be a major theme that we hear throughout the show. While there’s no such thing as a compliance solution, many security technologies play major roles in helping achieve and maintain compliance. What We Expect to See With compliance we will see a mix of regulation-focused messages and compliance-specific technologies: PCI & Tokenization: The Payment Card Industry Data Security Standard (PCI-DSS) is the single regulation that generates the most attention, and a lot of the growth for security and compliance spending. And frankly, especially within the retail and finance verticals, companies are looking to reduce costs and minimize PCI audits. It’s viewed as little more than a tax on the business so they want to at least reduce — if not eliminate — the expense. At the show this year, we expect you’ll hear and see a lot about tokenization. This approach substitutes credit card numbers stored at a merchant site with a harmless, well, token. It only represents the credit card transaction, so a stolen token cannot be used to commit fraud. At the show, focus on the sessions where savvy users talk about how they reduce the scope of PCI audits along with the associated costs of securing credit card data using this approach. While only a handful of tokenization vendors will be at the show, many of the payment processors have partnered with technology providers to offer tokenization as a managed service. Expect to see plenty of interest and discussion on this topic, and long lines at select vendor booths. There’s an App for That: Expect to see vendors offer neat iPhone and iPad apps for their management and reporting products. Sure, reports and dashboards are popular with vendors because they bring the eye candy sales teams want to demonstrate product value. But what’s cooler than a fancy dashboard? A fancy new iPhone. Put the two together and it’s like two great eye-candies that go great together! It’s going to be a big hit. Not just because anyone really wants to take that FISMA report with them in their pocket; it’s because IT, sales, and marketing all secretly lust after the new toy. It’s the thought of catching a spring training game while configuring SIEM policies. Does it make you more productive? Maybe. But having your IT products running on the toy justifies the purchase of both. Yeah, anywhere, anytime access is pretty cool too, but it’s like getting two for one. Expect to see this everywhere! GRC Oopsie: Last year we expected to see a lot of collateral about GRC: Governance, Risk, and Compliance. And we

We keep pretty busy schedules at RSA every year. But the good news is we do a number of speaking sessions and make other appearances throughout the week. Here is where you can find us: Speaking Sessions DAS-106: Everything You Ever Wanted to Know about DLP – Rich (Tuesday, Feb 15, 1pm) CLD-108: Private and Government Sectors: Why are Agencies Hesitant to Adopt Cloud? – Rich moderates (Tuesday, Feb 15, 3:40pm) DAS-203: Cutting through the Data Loss Prevention Confusion: DLP Myths Busted – Rich (Wednesday, Feb 16, 11:10am) P2P-203A: Evolving Perimeter(s): Protecting the Stuff That’s Really Important – Mike (Wednesday, Feb 16, 11:10am) BUS-303: Putting the Fun in Dysfunctional – How the Security Industry Really Works – Rich and Mike (Thursday, Feb 17, 11:10am) AND-304: Agile Development, Security Fail – Adrian (Thursday, Feb 17, 1pm) EXP-402: Cloudiquantanomidatumcon: The Infra/Info-Centric Debate in the Cloud – Rich and Chris Hoff (Friday, Feb 18, 10:10am) Other Events e10+: Rich and Mike are the hosts and facilitators for the RSA Conference’s e10+ program targeting CISO types. That’s Monday morning from 8:30 to noon. America’s Growth Capital Conference: Mike will be moderating a panel on the future of network security at the AGC Conference with folks from Cisco, Juniper, Palo Alto, Packet Motion, and Fidelis. This session is Monday at 2:15pm. Security Blogger Meet up: Securosis will be at the 4th annual Security Blogger Meet up at the classified location. You need to have a blog and be pre-registered to get in. Disaster Recovery Breakfast: Once again this year Securosis will be hosting the Disaster Recovery Breakfast on Thursday, Feb 17 between 8 and 11 with help from our friends at Threatpost and Schwartz Communications. RSVP and enjoy a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up. Holding court at the W: If you are up for late night hijinx – and like to laugh at stumbling, bumbling security industry folks – show up at the W’s lobby bar after the parties break up. It’s always a good time and you are very likely to see one or all of us Securosis folks there getting into trouble. And accepting drink donations. Fortinet Panels: Mike will also be moderating the Security Mythbusting: Blowing up the Security Hype panels at Fortinet’s booth (#923) Tuesday and Wednesday from 1:30-2pm. Travel safe and we’ll see you at RSA… Share:

When we say application security, for we generally mean web application security. We probably could have cheated and simply reposted last year’s guide to application security and still been close. Yes, application security is still a nascent market. Last year the focus was anti-exploitation to prevent code injection attacks, and the value provided by integrating assessment and web application firewall technologies. While the threats remain the same, there are some new twists which deserve attention. What We Expect to See Code Review Services: Strapping security onto the network layer and hoping it catches your application vulnerabilities is a band-aid at best, and companies that produce applications know this. With HP’s acquisition of Fortify a few months ago, Microsoft’s announcement of Attack Surface Analyzer, and IBM’s acquisition of Ounce Labs in 2009, it’s clear that the world’s major software providers know this as well. And they are looking to capitalize on the movement. Third party source code review services are on the rise, and most web development teams now use either white-box or black-box testing in their certification processes. “Building security in” is an increasingly common mantra for development teams, and there is tremendous opportunity to sell security products and services into this nascent market. Most development teams are just now learning about secure coding techniques, threat modeling, and how to build unit-based security tests to run alongside their functional tests. We expect to see many vendors offering tools, education, and services that foster secure code everywhere from design to post-deployment. Not just pre-and-post deployment checkers and firewalls, but security offerings for every single step in the development lifecycle. Buyer Shift: “What?” you say. I am not selling to the IT manager? Not here you are not. IT plays a part, but the buying center is shifting to the development team for web application security technologies. And that’s a very different conversation, with a much different set of requirements and use cases the vendor needs to address. OWASP As the Guiding Light: Publicity concerning application security issues is growing. OWASP — the Open Web Application Security Project — provides a Top 10 list of the most common threats to applications. And it’s a good rundown of sneaky, underhanded tricks attackers use to compromise web applications for fun and profit. Even better, it’s backed by measurable statistics so it’s not all conjecture and innuendo. This list is driving many companies’ marketing campaigns, and the alignment of their service offerings as well. How well any given vendor protects applications from these threats is open for debate, but the fact that they are responding to the most common threat vectors we see today is very good news. Web application vulnerabilities represent a significant threat to organizations as web services are an integral part of business operations, and the push for more SaaS and cloud based services means attackers have an increasing number of potential targets. As if you haven’t had enough cloud on a stick, up next are our thoughts on endpoint security, and then virtualization and cloud security in the RSA Guide. I know, you can’t wait. Share:

2010 was a fascinating year for cloud computing and virtualization. VMWare locked down the VMSafe program, spurring acquisition of smaller vendors in the program with access to the special APIs. Cloud computing security moved from hype to hyper-hype at the same time some seriously interesting security tools hit the market. Despite all the confusion, there was a heck of a lot of progress and growing clarity. And not all of it was from the keyboard of Chris Hoff. What We Expect to See For virtualization and cloud security, there are four areas to focus on: Innovation cloudination: For the second time in this guide I find myself actually excited by new security tech (don’t tell my mom). While you’ll see a ton of garbage on the show floor, there are a few companies (big and small) with some innovative products designed to help secure cloud computing. Everything from managing your machine keys to encrypting IaaS or SaaS data. These aren’t merely virtual appliance versions of existing hardware/software, but ground-up, cloud-specific security tools. The ones I’m most interested in are around data security, auditing, and identity management. Looking SaaSy: Technically speaking, not all Software as a Service counts as cloud computing, but don’t tell the marketing departments. But this is another area that’s more than mere hype- nearly every vendor I’ve talked with (and worked with) is looking at leveraging cloud computing in some way. Not merely because it’s sexy, but since SaaS can help reduce management overhead for security in a bunch of ways. And since all of you already pay subscription and maintenance licenses anyway, pure greed isn’t the motivator. These offerings work best for small and medium businesses, and reduce the amount of equipment you need to maintain on site. They also may help with distributed organizations. SaaS isn’t always the answer, and you really need to dig into the architecture, but I’ve been pleasantly surprised at how well some of these services can work. VMSafe cracking: VMWare locked down its VMSafe program that allowed security vendors direct access to certain hypervisor functions via API. The program is dead, except the APIs are maintained for any existing members in the program. This was probably driven by VMWare wanting to control most of the security action, and they forced everyone to move to the less-effective VShield Zones system. What does this mean? Anyone with VMSafe access has a leg up on the competition, which spurred some acquisitions. Everyone else is a bit handcuffed in comparison, so when looking at your private cloud security (on VMware) focus on the fundamental architecture (especially around networking). Virtual appliances everywhere: You know all those security vendors that promoted their amazing performance due to purpose-built hardware? Yeah, now they all offer the same performance in virtual (software) appliances. Don’t ask the booth reps too much about that though or they might pull a Russell Crowe on you. On the upside, many security tools do make sense as virtual appliances. Especially the ones with lower performance requirements (like management servers) or for the mid-market. We guarantee your data center, application, and storage teams are looking hard at, or are already using, cloud and virtualization, so this is one area you’ll want to pay attention to despite the hype. And that’s it for today. Tomorrow will wrap up with Security Management and Compliance, as well as a list of all the places you can come heckle me and the rest of the Securosis team. And yes, Mike will be up all night assembling this drivel into a single document to be posted on Friday. Later… Share:

I think we’ve taken this instant gratification thing a bit too far. Do you remember in the olden days, when you didn’t know what you were getting for your birthday? Now we get no surprises, pretty much as a society. The combination of a 24-hour media cycle, increasingly outsourced manufacturing, and loose lips ensures that nothing remains a secret for long. I remember the day IBM announced the hostile acquisition of Lotus back in 1994. I was at META at the time, and we were hosting a big conference of our clients. No one knew the deal was coming down and there was genuine surprise. We had a lot to talk about at that conference. Nowadays we hear about every big deal weeks before it hits. Every layoff. Every divestiture. It’s like these companies have their board rooms bugged. Or some folks in these shops have loose lips. And what about our favorite consumer gadgets? We already know the iPad 2 isn’t going to be much of an evolution. It’ll have a camera. And maybe a faster processor and more memory. How do we know? Because Apple has to make millions of these things in China ahead of the launch. Of the 200,000 people who work in that factory, someone is going to talk. And they do. Probably for $20. Not to mention all the companies showing off cases they needed a head-start on. So there is no surprise about anything in consumer electronics anymore. But this weekend I hit my limit. You see, I love the Super Bowl. It’s my favorite day of the year. I host a huge party for my friends and I like the commercials. You always get a chuckle when you see a great commercial. It’s a surprise. Remember the Bud Bowl? Or Jordan and Bird’s shooting contest? Awesome. But no more surprises. I saw a bunch of the commercials on YouTube last week. You have to love VW’s Darth Vader commercial, but the novelty had worn off by the time the game started. I know you try to create buzz by moving up your big reveal (it’s been happening at the RSA Conference for years), but enough is enough. We try to teach the kids the importance of keeping secrets. We talk freely in our house (probably a bit too freely) and we’ve gotten bitten a few times when one of the kids spill the beans. But they are kids and we used those experiences to reinforce the need to keep what someone tells you in confidence. But they are in the middle of a world where no one can keep a secret. Which once again forces us to hammer home the age-old refrain: “Do as we say, not as they do…” And no, I’m not telling you about our super sekret project. Unless you are from the WSJ, that is. -Mike Photo credits: “Loose Lips” originally uploaded by fixedgear Big Head Alert Well, it wasn’t enough for me to offer up free refreshments to those meeting up at the Security Blogger’s Party at RSA, in exchange for a vote for most entertaining blog. But the accolades keep rolling in. Yours truly has been nominated for the Best Security Blogger award by the fine folks at SC Magazine. I’m listed with folks like Hoff (does he even blog anymore?) and Bruce Schneier, so I can’t complain. Although the Boss did call the handyman this morning – it seems we need a few doors expanded in the house for my expanding head. Yes, I’m kidding. I’m fortunate to surround myself with people who remind me of my place on the totem pole every day. Yeah, the bottom. I’ll be the last guy to say I’m the best at anything, but I certainly do appreciate being noticed for doing what I love. You can vote. And no, I haven’t contracted with RSnake to game the vote. Not yet, anyway. Incite 4 U PR writing a check your defenses can’t cash: That title came from a Twitter exchange I had earlier this week about the HBGary Federal hack. Basically the CEO of this company talked smack about penetrating and exposing a hacker group and… wait for it… lo and behold they eviscerated him. As Krebs describes, it was a good hack. These Anonymous guys don’t screw around. And that’s the point. Just like our friend the World’s #1 Hacker, if you talk smack you will get hurt. The folks from HBGary are very smart. And even if they could detonate malware (using their own damn device), a determined attacker will find your weak spot. And more often than not it’s the human capital who drinks your coffee, uses your toilet paper, and maybe even gets something done, sometimes. So basically here is a message to everyone out there: STFU. These stupid PR games and testosterone-laden boasts of hacking this or hacking that show you as nothing more than a “big hat, no cattle” hacker. The folks who really can don’t have to talk about it. And odds are they’ll stay anonymous. – MR The Endpoint Is the Network: One of the wacky things about cloud computing is that it royally screws up so many of the existing security controls. Network monitors, firewalls, vulnerability assessment, and even endpoint agent management all sort of go nuts when you start moving machines around randomly in the fluff of the cloud. To work consistently your security controls need to track the virtual machines, no matter where they pop up. I’m just getting caught up, but CloudPassage looks interesting. It uses an agent and security management plane to consistently apply controls as machine instances move around, even in hybrid models. Yes, we now have to dump everything back into the endpoint we built all that ASIC-based hardware for. Sorry. – RM Looking in the Mirror: Rocky DeStefano posted a nice table of common SIEM evaluation criteria on the visiblerisk blog. This is a handy set of RFI questions that companies looking to

In 2010, there was broad acknowledgement that most of the endpoint protection deployed was more about passing PCI (yes, it’s still a requirement) than actually stopping attacks. Unfortunately, at the show we’ll continue to hear about all the advances happening in malware detection, and we’ll laugh again. The traditional signature-based model is broken, no matter how many clouds we see inserted into the mix. But with the AV cash cow continuing to moo uncontrollably, the industry will continue trying to convince customers to maintain their investments. So the real question is: who will show some type of innovation in terms of endpoint malware detection. Anyone? Anyone? Bueller? Bueller? What We Expect to See There are some areas of interest at the show for endpoint security: You get what you pay for (or do you?): Given the clear issues around endpoint malware detection, we’ll be hearing a lot from the Free AV crowd. They’ll be talking about the hundreds of millions of folks who use the free engines, just before they try to upsell you to their paid offerings. The reality is that you need management, because these tools involve deploying software agents to many endpoints. But you should pay the least amount possible. So see who seems the hungriest on the show floor. If they aren’t foaming at the mouth, they likely aren’t hungry enough to win your business. Cloudy with a chance of hyperbole: You will also hear a lot about cloud signatures and crowd sourcing to address the limitations of the traditional AV signature model. To be clear, moving a lot of signatures to the cloud is a good thing. But it’s not an answer. The model of matching bad stuff is still broken, and no amount of cloudy stuff will change that. The idea of crowd sourcing is interesting so check out the folks, like Sourcefire/Immunet and Webroot/PrevX, who are doing this in practice. Ask them how they shorten the window from the time an issue is discovered to distributing an update to the rest of the network. This is yet another option to keep the broken AV model running a bit longer. AWL MIA: What you probably won’t see a lot of is application white listing (AWL). Why? Because the technology remains a niche. It is a core aspect of our Positivity security model, but both perception and reality are still slowing deployment of AWL. Not that the handful of vendors offering these solutions won’t be trying to make some noise. But they have no chance to stand out against the status quo, which represents billions in revenue and spends like drunken sailors at RSA. But this remains an important technology, so you should search out the vendors who offer it and learn how they are working to address the deployment and scaling issues. Signs of the iPocalypse: You will see a lot of vendors giving away iPads and iPhones. Why not? If you don’t have one, you want one. If you already have one, you want another one. Or ten. But the reality is these devices are big, and consumerization is taking root. That means you need to figure out how to control them. OK, maybe not control, but at least manage. So check out the configuration management folks and those with specific mobile technologies to reign in the chaos. OK, maybe not reign in, but at least ensure that when they get lost (and they will), you won’t be in career jeopardy. Man(ning) up: One of the other major stories in 2010 was WikiLeaks, spearheading by Bradley Manning, your friendly neighborhood data leaker. So you’ll hear a lot of vendors talking about the importance of controlling USB ports and doing content control/analysis on the endpoint. Try to figure out how they scale. Try to understand how they classify sensitive data and actually do anything without killing the performance of the endpoint. Yeah, it would be good to figure out whether and how they can play nice with any DLP/device control technologies you already have implemented. We’ve hit the halfway point in our RSA Guide posts. I know you are waiting with baited breath for the Virtualization and Cloud section, but patience is a virtue. That post will be up later today. Share:

In our last post, we covered the first level of incident response: validating and filtering the initial alert. When that alert triggers and your frontline personnel analyze the incident, they’ll either handle it on the spot or gather essential data and send it up the chain. These roles and responsibilities represent a generalization of best practices we have seen across various organizations, and your process and activities may vary. But probably not too much. Tier 2: Respond and contain The bulk of your incident response will happen within this second tier. While Tier 1 deals with a higher number of alerts (because they see everything), anything that requires any significant response moves quickly to Tier 2, where an incident manager/commander is assigned and the hard work begins. In terms of process, Tier 2 focuses on the short-term, immediate response steps: Size-up: Rapidly scope the incident to determine the appropriate response. If the incident might result in material losses (something execs need to know about), require law enforcement and/or external help, or require specialized resources such as malware analysis, it will be escalated to Tier 3. The goal here is to characterize the incident and gather the information to support containment. Contain: Based on your size-up, try to prevent the situation from getting worse. In some cases this might mean not containing everything, so you can continue to observe the bad guys until you know exactly what’s happening and who is doing it, but you’ll still do your best to minimize further damage. Investigate: After you set the initial incident perimeter, dig in to the next level of information to better understand the full scope and nature of the incident and set up your remediation plan. Remediate: Finish closing the holes and start the recovery process. The goal at this level is to get operations back up and running (and/or stop the attack), which may involve workarounds or temporary measures. This is different than a full recovery. If an incident doesn’t need to escalate any higher, at this level you’ll generally also handle the root cause analysis/investigation and manage the full recovery. This depends on on resources, team structure, and expertise. The Team If Tier 1 represent your dispatchers, Tier 2 are the firefighters who lead the investigation. They are responsible for more-complex incidents that involve unusual activity beyond simple signatures, multi-system/network issues, and issues with personnel that might result in HR/legal action. Basically, any kind of non-trivial incident ends up in the lap of Tier 2. While these team members may still specialize to some degree, it’s important for them to keep a broad perspective because any incident that reaches this level involves the complexity of multiple systems and factors. They focus more on incident handling and less on longer, deeper investigations. Primary responsibilities: Primary incident handling. More advanced investigations that may involve multiple factors. For example, a Tier 1 analyst notes egress activity; and the Tier 2 analyst then takes over and coordinates a more complete network analysis; as well as checking endpoint data where the egress originated, to identify/characterize/prioritize any exfiltration. This person has overall responsibility for managing the incident and pulling in specialist resources, as needed. They are completely dedicated to incident response. As the primary incident handlers, they are responsible for quickly characterizing and scoping the incident (beyond what they got from Tier 1), managing containment, and escalating when required. They are the ones who play the biggest role in closing the attacker’s window of malicious opportunity. Incidents they manage: Multi-system/factor incidents and investigations of personnel. Incidents are more complex and involve more coordination, but don’t require direct executive team involvement. When they escalate: Any activities involving material losses, potential law enforcement involvement, or specialized resources; and those requiring an all-hands response. They may even still play the principal management and coordination role for these incidents, but at that point senior management and specialized expertise needs to be in the loop and potentially involved. The Tools These responders have a broader skill set, but generally rely on a variety of monitoring tools to classify and investigate incidents as quickly as possible. Most people we talk with focus more on network analysis at this level because it provides the broadest scope to identify the breadth of the incident via “touch points” (devices involved in the incident). They may then delve into log analysis for deeper insight into events involving endpoints, applications, and servers; although they often work with a platform specialist – who may not be formally part of the incident response team – when they need deeper non-security expertise. Full packet capture (forensics): As in a Tier 1 response, the network is the first place to look to scope intrusions. The key difference is that in Tier 2 the responder digs deeper, and may use more specialized tools and scripts. Rather than looking at IDS for alerts, they mine it for indications of a broader attack. They are more likely to dig into network forensics tools to map out the intrusion/incident, as that provides the most data – especially if it includes effective analysis and visualization (crawling through packets by hand is a much slower process, and something to avoid at this level if possible). As discussed in our last post, simple network monitoring tools are helpful, but not sufficient to do real analysis of incident data. So full package capture is one of the critical pieces in the response toolkit. Location-specific log management: We’re using this as a catch-all for digging into logs, although it may not necessarily involve a centralized log management tool. For application attacks, it means looking at the app logs. For system-level attacks, it means looking at the system logs. This also likely involves cross-referencing with authentication history, or anything else that helps characterize the attack and provide clues as to what is happening. In the size-up, the focus is on finding major indicators rather than digging out every bit of data. Specialized tools: DLP, WAF, DAM, email/web security gateways, endpoint