Research

As we wrote in The Future of Security, we believe the collision of cloud computing and mobility will disrupt and transform security. We started documenting the initial stages of the transformation, so we now turn our attention to how controls will be implemented as the technology space moves to an automated and abstracted reality. That may sound like science fiction, but these technologies are here now, and it is only beginning to become apparent how automation and abstraction will ripple outward, transforming the technology environment. Change is hard, and we face a distinct lack of control over a number of areas, which is enough to give most security folks a panic attack. From an access standpoint IT can no longer assume ownership and/or the ability to control devices. Consumption occurs on user-owned devices, everywhere, and often not through corporate-controlled networks. This truly democratizes access to critical information. IT organizations must accept no longer controlling the infrastructure either. In fact they don’t even know how the underlying systems are constructed – servers and networks are virtual. Compute, storage, and networking now reside outside the direct control of staff. You cannot just walk down to the data center to figure out what’s going on. As these two megatrends collide, security folks are caught in the middle. The ways we used to monitor devices and infrastructure no longer work. Not to the same degree, anyway. There are no tap points, and it is now prohibitively inefficient to route traffic through central choke points for inspection. Security monitoring needs to change fundamentally to stay relevant in the cloud age. Our new blog series, Monitoring the Hybrid Cloud: Evolving to the CloudSOC, we will dig into the new use cases you will need to factor into your security monitoring strategy, and discuss the emerging technologies that can help you cope. Finally we will discuss migration, because you will be dealing with legacy infrastructure for years to come, so your environment will truly be a hybrid. The Cloud Is Different For context on this disruptive innovation we borrow from our Future of Security paper to describe how and why the cloud is different. And just in case you think these changes don’t apply to you, forget it. Every major enterprise we talk with today uses cloud services. Even some of the most sensitive and highly regulated industries, including financial services, are exploring more extensive use of public cloud computing. We see no technical, economic, or even regulatory issues seriously slowing this shift. The financial and operational advantages are simply too strong. Defining ‘Cloud’: Cloud computing is a radically different technology model – it is not simply the latest flavor of outsourcing. The cloud uses a combination of abstraction and automation to achieve previously impossible levels of efficiency and elasticity. This, in turn, creates new business models and alters the economics of technology delivery and consumption. Cloud computing fundamentally disrupts traditional infrastructure because it is more responsive, more efficient, and potentially more resilient and cost effective than the status quo. Public cloud computing is even more disruptive because it enables organizations to consume only what they need without overhead, while still rapidly adapting to changing needs at effectively infinite scale. Losing Physical Control: Many of today’s security controls rely on knowing and managing the physical resources that underpin our technology services. This is especially true for security monitoring, but let’s not put the cart before the horse. The cloud breaks this model by virtualizing resources (including entire applications) into resource pools managed over the network. We give up physical control to standard network interfaces, effectively creating a new management plane. The good news is that centralized control is built into the model. The bad news is this is likely to destroy the traditional security controls you rely on. At minimum most of your existing operational processes will change fundamentally. A New Emphasis on Automation: The cloud enables extreme agility, such as servers that exist only for minutes – automatically provisioned, configured, and destroyed without human interaction. Entire data centers can be spun up and operational with just a few lines of code. Scripts can automate what used to take IT staff weeks to set up physically. Application developers can check in a piece of code, which then runs through a dozen automated checks and is pushed into production on a self-configuring platform that scales to meet demand. Security can leverage these same advantages, but the old bottlenecks and fixed inspection points – including mandated human checks – are gone because a) they cannot keep up and b) architecting them in would slow everthing else down. The cloud’s elasticity and agility also enable new operational models such as DevOps, which blurs the lines between development and operations, to consolidate historically segregated management functions, in orer to improve efficiency and responsiveness. Developers take a stronger role in managing their own infrastructure through heavy use of programming and automation through easily accessible APIs. DevOps is incredibly agile and powerful, but it contains the seeds of possible disaster for both security and availability, because DevOps condenses and eliminates many application development and operations check points. Legacy Problems Fade: Some security issues which have plagued practitioners for decades are no longer issues in the cloud. The dynamic nature of cloud servers can reduce the need for traditional patching – you can launch a new fully up-to-date server and shift live traffic to and from it with API calls. Network segmentation becomes the default, as all new instances are in fixed security groups. Centralizing resources improves our ability to audit and control, while still offering ubiquitous access. Monitoring Needs to Change The entire concept of monitoring depends on seeing things. We need the ability to pull logs and events from the network and security devices protecting your environment. What happens when you don’t have access to those devices? Or they don’t work like the devices you are familiar with in your traditional data center? You need to reconsider your approach to security monitoring.

This post will discuss security and compliance use cases for an enterprise application security program. The following are the main issues enterprises need to address with enterprise application management, in no particular order. None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps. Compliance Compliance with Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI-DSS) remain the primary drivers for security controls for enterprise applications. Most compliance requirements focus on baselining ‘in-scope’ applications – essentially configuration assessments – to ensure known problem areas are periodically verified as compliant. Compliance controls typically focus on issues of privileged user entitlements (what they can access), segregation of duties, prompt application of security patches, configuring the application to promote security, and consistency across application instances. These assessment scans demonstrate that each potential issue has a documented policy, that the policy is regularly tested, and that the company can produce a report history to show compliance over time. The audience for this data is typically the internal audit team, and possibly third-party auditors. Change management & policy enforcement Beyond external compliance requirements enterprises adopt their own policies to reduce risk, improve application reliability, and reduce potential for fraud. These policies ensure that system and IT administrators perform their jobs – both to catch mistakes and to help detect administrative abuse of assigned privileges. Examples include removal of unneeded modules which contain known vulnerabilities, tracking all administrative changes, alerting on – and possibly blocking – use of inappropriate management tools, disabling IT administrators’ access to application data, and detecting users or permissions which could provide ‘backdoor’ access to the system. All of which means these policies are specific to an individual organization, are more complex, and require a great deal more than application assessment to verify. Effective enforcement requires a combination of assessment, continuous monitoring, and log file analysis. And let’s not beat around the bush – these policies are established to keep administrators – of IT, databases, and applications – honest. The audience for these reports is typically internal audit, senior IT management, automated change management systems, and the security group. Security A debate has raged for 15 years about whether the greatest threat to IT is external attackers or malicious insiders. For enterprise applications the distinction is less than helpful – both groups pose serious threats. Further muddying the waters, external parties seek privileged access, so they may be functioning as privileged insiders even when that is an impersonation. Beyond attack detection, common security use cases include quarterly ‘reconciliation’ review, watching for ad hoc operations, requests for sensitive data at inappropriate times or from suspicious locations, and even general “what the heck is going on?” visibility into operations. These operations are commonly performed by users or application administrators. Of all the use cases we have listed, identifying suspicious acts in a sea of millions of normal transactions is the most difficult. More to the point, while compliance and policy enforcement are preventive operations, security is the domain of monitoring usage in near-real time. These features are not offered within the application or supporting database platform, but provided through external tools – often from the platform vendor. Transaction verification As more enterprise applications serve external users through web interfaces, the problem of fraud growing. Every web-facing service faces spoofing, tampering, and non-repudiation attacks, and often (and worst) SQL injection. When successful these attacks can create bogus transactions, take partial control of the supporting database, and cause errors. But unlike general security issues, these attacks are designed to create fraudulent transactions and constructed to look like legitimate traffic. How companies detect these situation varies – some firms have custom macros or procedures that look for errors after the fact, while others use third-party monitoring and threat intelligence services to detect attacks as they occur. These tools are designed to detect users who attempt to make the application behave in an unusual manner – relying on metadata, heuristics, and user/device attributes to uncover misuse by application users. Use of sensitive information Most enterprises monitor the use of sensitive information. This may be for compliance, as with payment data access or sensitive personal information, or it may be part of a general security policy. Typical policies cover IT administrators accessing data files, users issuing ad hoc queries, retrieval of “too much” information, or any examination of restricted data elements such as credit card numbers. All the other listed use cases are typically targeted at specific user or administrative roles, but policies for information usage apply to all user groups. They are constructed to define uses cases which are not acceptable, and alert or block them. These controls may exist as part of the application logic, but are typically embedded into the database logic (such as through stored procedures), or provided by a third-party monitoring/masking tool deployed as a reverse proxy for the database. The next post will detail how enterprise applications differ from other platforms, and how those differences create security gaps for off-the-shelf tools. Share:

I realize I have been slacking off posting here at Securosis, but thanks to a string of big event thingies, I thought I should link to a bunch of recent Apple security and privacy articles I posted over at TidBITS (mostly) and Macworld. I do probably need to write up the bit where local apps that are iCloud enabled seem to save document drafts on iCloud once you start writing, as opposed to when you save the documents in iCloud. This means any open drafts, in many text editors, load data into the cloud even if you only want to save them locally. Apple states they remove this data once you save the file to your local drive, but it is a bizarre design decision from a company that has made so many security and privacy improvements recently. So, um, don’t open up a TextEdit window and paste your temporary (or permanent!) passwords in it, unless you save the file someplace local first. Now on to the articles: First is an older Macworld article, Why Apple Really Cares About Your Privacy. This one predated Apple’s big public privacy push, and is the key piece that ties the rest of these together. Basically, Apple is using privacy against Google (and to a lesser degree certain other competitors) because the differences in business models makes it difficult for anyone else to differentiate on privacy to the same degree. This is an excellent alignment of economics to improve security and privacy, and I expect it to define a lot of what we see in the coming years. The next three articles show how Apple is following through on its privacy messaging within products: To start Apple dramatically improved the data security of iOS, much to the chagrin of folks in law enforcement. You likely read this all over the place, but this piece ties together a lot of context I didn’t see in other articles. Also, as an emergency responder, my arguments cannot be dismissed with the “if you only saw what we see” argument. I have seen more than my fair share of horrible things, including horrible things happening to children, so I get it. But that is no excuse to sacrifice fundamental civil liberties. Part of the problem is that some people in law enforcement are so used to getting access to whatever they need for an investigation that they see it as a legal right, and don’t understand that today’s technologies cannot include lawful access capabilities without deeply compromising security. Next up I wrote a piece detailing how Spotlight Suggestions handles privacy. While less of a big picture issue, this highlights the steps Apple is taking to harden their pro-privacy stance down to low-level feature design. Not that they always get it right – as illustrated by that iCloud issue. This next piece also relates to privacy, but is more about the business landscape Apple is working within. I discussed the real reason some merchants are blocking Apple Pay. Many of you understand the reasons merchants hate credit card companies (Hello, PCI!), and Apple is merely caught in the middle. For the record, I wish we would get half as many comments on Securosis articles as on this one! One last article ties the series up (even though it wasn’t the last one published) and serves as a good bookend to the privacy piece: The last piece is the most important for the long term. You Are Apple’s Greatest Security Challenge. Yes, Apple made mistakes with the celebrity photo thefts. Mistakes that those of us in cloud security are very familiar with. But, to their credit, they also deal with a scale and scope very few organizations need to consider. Including some key differences from Google, who has been doing a better job on this front. It is a very nuanced issue, and the decisions Apple makes here will have profound repercussions for the ecosystem. That’s it for now. It seems there is Apple-related security news every week. A lot of the headlines are total BS, like the article a few years back claiming a major security flaw in iPhones, when it was really a problem in every GSM phone on the planet. But that doesn’t get page views, and Apple security has become the “if it bleeds, it leads” of the tech world. Share:

I was at Intel’s Focus conference earlier this week. Intel basically held a McAfee coming-out party, and announced that the security practices of both firms will henceforth be run under the single umbrella of Intel Security. Not much to report on that, but I spoke to more customers at this event than at any other vendor event. And they were chatty, which is nice. But something is troubling me. Do you know what they did not mention as a problem? Mobile. Nope. The biggest surprise of the week was hearing security practitioners and CISOs talk about the threat of the IoT (Internet of Things), without even mentioning mobile. I am still surprised, because a) mobile is really here, b) security of mobile data is a problem on most devices, c) mobile app controls and spotty authentication are still an issue, and d) the market has yet to embrace a good model for control. IoT does not even feel real yet, but the security practitioners I heard speak are currently dealing with threats to Point of Sale terminals, medical devices, cars, and a whole bunch of devices we have used for a long time, but where the current generation includes sophisticated processors and Internet connectivity. Still, IoT is your biggest concern? Really? This will be the one of the shorter Friday Summaries I have written because … it’s here. The puppy I predicted would be landing in my home has arrived. Early, in fact. I am sure it’s because the breeder was exhausted by him. He is slightly ornery, possessed of limitless energy, and fearless. Which means he is into everything all the time. Say hello to ‘Satchmo’: I don’t usually talk about my pets much on this blog, but it has been years since we had a new puppy in the house, and you forget all the lifestyle changes that come with a new puppy. Plus he’s very cute, and seems to get along with everyone great. He has only been here a short time but he’s worn me out. And my wife. And my adult Boston. And everything else that lives here … except the Boxer. Boxers never get tired, so I think the rest of us are going to take a nap while those two play. Happy Halloween all! Halloween on a Friday is the best, so have fun! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian and Chris Eng will talk integrating security into Agile next week. Favorite Securosis Posts Adrian Lane: Incite 10/29/2014: Short Memory. I am actually FAV-ing my “Card of the Sith” Incite in this week’s post. Rich: [Building an Enterprise Application Security Program New Series. Ho boy, is this a big topic. Adrian jumps into one of the most painful issues for enterprises to deal with: internal apps. Mike Rothman: Firestarter: It’s All in the Cloud. I had fun recording this week’s Firestarter. Though we did miss Adrian. There was no one to keep Rich and me on track! Other Securosis Posts Building an Enterprise Application Security Program: Use Cases. Apple Security and Privacy Updates. New Research Paper: Trends in Data Centric Security. Old School (Computer). Favorite Outside Posts Adrian Lane: Challenges With Randomness In Multi-tenant Linux Container Platforms. Containers seem to have caught fire, and I expect them to be the ‘struts’ of this generation. But stressing any hot new approach turns up systemic flaws. A good discussion by James Bayer. Rich: Facebook Open Sources Host Monitoring Tool, Increases Internet Defense Prize. This is interesting. I did an interview on the tool, based on a high-level description (trust me – I warned the reporter I would need to see it working for a real assessment). It sounds like a Chef/Puppet competitor. But this gathers different information, which is more security relevant, and then enables you to query it like a database. That is very interesting. Might have to play with it! Mike Rothman: SHE’S A WRECK. What a courageous post by aloria, baring her issues with brutal honesty and candor. Thankfully she made it through, but understand that her bipolar disorder is a daily battle. Rarely do we get to see the people behind the avatars, the unvarnished challenge of being imperfect and human. as we all are. Pepper: AT&T, Verizon Using ‘Perma-Cookies’ to Track Customer Web Activity. I didn’t think I needed a VPN but I am now considering paying for Cloak. Research Reports and Presentations Trends in Data Centric Security White Paper. Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Top News and Posts UPnP Devices Used in DDoS Attacks Chip & PIN vs. Chip & Signature Adobe’s e-book reader sends your reading logs back to Adobe–in plain text. *sigh* Automated NoSQL exploitation with NoSQLMap CurrentC for mobile payments and exclusivity CurrentC site hacked Alleged Dropbox hack underlines danger of reusing passwords Blog Comment of the Week This week’s best comment goes to Pat Bitton, in response to Old School. I always hark back to the operating code for dBase II and WordStar both fitting on a single 360K floppy. Share:

Sometimes a short memory is very helpful. Of course as you get older, it may not be a choice. But old guy issues aside, there are times you need to forget what just happened and move on to the next thing. Maybe it’s a deal you lost, or a project you couldn’t get funded, or a bungled response to an incident. If you live to fight another day then you need to learn, put it in the past, and move forward. The Boy learned that lesson a few weeks back playing tennis. He’s a decent player and was teamed with his friend in a doubles match. The other kids were pretty good but our team sprinted out to a 7-2 lead. The first to 8 wins. He has it in the bag, right? They dropped the next game, so it was 7-3. Not a problem. Then it was 7-5 and the Boy started to panic. I could see it. He was on the verge of breaking down. And the thing about tennis is that coaches (and parents) cannot get involved during the match. So besides a few hand signals I sent his way to calm down, there wasn’t anything I could do other than see him come apart at the seams. His partner was panicking as well, especially as the score went to 7-6, and then ultimately 7-7. You could see the Boy and his partner were broken. They dropped 5 games in a row and lost their confidence. It was hard to watch. Really hard. For a guy used to controlling most of his environment, it was brutal to be so powerless. But this wasn’t about me. It’s about him. The Boy served in that next game and held serve. He hit a couple of winners and got his mojo back. You could see the confidence return. They dropped the next game and went into a tiebreaker. The first to 7 would win the match. They split the first two points on the opponents’ serve, so that was a mini break. The Boy then held their serve, so it was 3-1. Then they broke again. 5-1. The other team scrapped and they had a few good rallies, but the Boy and his partner prevailed 7-3. He was happy but could only shake his head about blowing such a huge lead. I pulled him aside and said this illustrates a number of very important lessons. First about fighting through. They didn’t give up, and they persevered to get the win. I was very proud of them for that. But the real lesson I wanted to communicate was the importance of having a short memory. The fact that he hit a bad shot doesn’t mean he’s a bad player. He needs to trust his training and the work he put in. He can’t lose confidence, and needs to just move on to the next thing. It is not productive to get lost in his own head – he needs to understand the battle is less important than the war, and to know the difference. Of course the lesson wasn’t about tennis. It was about life. But I don’t need to tell him that. Not yet, anyway… –Mike Photo credit: “The Bryan Brothers” originally uploaded by Boss Tweed The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. October 27 – It’s All in the Cloud October 6 – Hulk Bash September 16 – Apple Pay August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Building an Enterprise Application Security Program Introduction Security and Privacy on the Encrypted Network The Future is Encrypted Secure Agile Development Deployment Pipelines and DevOps Building a Security Tool Chain Process Adjustments Working with Development Agile and Agile Trends Introduction Newly Published Papers Trends in Data Centric Security The Security Pro’s Guide to Cloud File Storage and Collaboration The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Incite 4 U Card of the Sith: Thanks to Chris Pepper for pointing out CurrentC Is The Big Retailers’ Clunky Attempt To Kill Apple Pay And Credit Card Fees. In a nutshell, a large group of merchants – including Rite Aid, CVS, Walmart, Target, K-Mart, and Kohl’s – are putting together a “mobile payment” app to avoid paying credit card processing fees. Rather than extend a small loan like a credit card, CurrentC will pull money directly and immediately from your bank account. Yes, those very same firms who vigorously market your personal data – and keep getting breached by hackers – now want to build their own payment system and on top of direct access to your bank account. What could possibly go wrong? The biggest issue is one of the very real benefits of credit cards: limited

The concept of Data Centric Security is not new, but its advantages are only now becoming clear. As customers embrace disruptive technologies – cloud, mobile, NoSQL – where the availability and effectiveness of security controls are in question, Data Centric Security is an approach to securing data regardless of where it is moved. DCS is a way to leverage these new technologies without compromising data security, integrity, or compliance. This research was prompted by increasingly frequent inquiries about how to secure “big data” clusters. The cost, complexity, and lack of packaged solutions have left many people looking for options. You can compartmentalize NoSQL servers so only a select few people and applications can access them, but then you fail to fully leverage the investment – which makes isolation a non-starter in most scenarios. That is the potential of Data Centric Security: it focuses security controls on data rather than servers or supporting infrastructure. This way the database is securely available to everyone who can use it legitimately. This research delves into what Data Centric Security is, the challenges it addresses, and technologies to support customer use cases. We hope you find this research useful, and consider DCS as an alternative to traditional infrastructure security. I am incredibly happy to announce that Intel Services has agreed to license this research paper – which you can download here (PDF) or visit the research library landing page here – and that we will also present a webcast on Data Centric Security, tentatively scheduled for November 18th, 2014. Sign up if you are interested. Thanks again to Intel for their support of this research! Share:

Adrian is out, so Rich and Mike cover the latest Amazon Web Services news as their big re:Invent conference closes in. We start with the new Frankfurt datacenter, and how a court case involving Microsoft could kill off the future of all US-based cloud companies (it’s always the little things). Then we discuss directory services in the cloud, and how this indicates increasing cloud adoption and maturity at a pace we really haven’t ever seen before. The audio-only version is up too. Share:

Over the last couple months I have had many similar conversations on enterprise application security: customers identify gaps in their security program, are unaware of the availability of certain types of solutions, or simply don’t believe that certain solutions deliver their advertised value. But I expect issues when speaking to a company who wants to implement advanced security on a Hadoop database, where technology simply may not exist to deliver the security and performance required. It is altogether different when talking about SAP or Oracle financials. These are mature platforms, often in place for more than a decade, so you would expect every aspect to be covered. Surprisingly that is often not the case. There are many reasons for these security gaps. Companies often invest in generic assessment or configuration analysis tools, which don’t actually provide an in-depth view of application configuration settings or best practices. Perhaps they were told their SIEM would collect all application logs but they don’t contain the necessary information to evaluate user actions, or they are simply too verbose to collect. The application vendors all provide lists of security best practices, but don’t list anything they do not sell, nor advise customers to uninstall unneeded components to reduce attack surface. Security teams know little about how application platforms work so they cannot independently identify which deployment models would work, and IT staff is not likely to volunteer suggestions that will require them to do more work. Finally, the largest issue is that many approaches are simply unsuitable for large enterprise applications because they will break the application, limit usability, or degrade performance, none of which are acceptable. These issues contribute to security and compliance gaps at most firms. Supply chain management, customer relationship management, enterprise resource management, business analytics, and financial transaction management, are all multi-billion dollar application platforms unto themselves. We are beyond explaining why enterprise applications need security to protect these investments – it is well established that insiders and persistent adversaries target these applications. Companies invest heavily in these applications, hardware to run them, and teams to keep them up and running. They perform extensive risk analysis on their business implications and the costs of downtime. And in many cases their security investments are a byproduct of these risk profiles. Application security trends in the 1-2% range of total application investment, but I cannot say large enterprises don’t take security seriously – they spend millions and hire dedicate staff to protect these platforms. That said, their investments are not always optimal – enterprises may bet on solutions with limited effectiveness, without a complete understanding of the available options. It is time for a fresh look. To fill some of these gaps we are starting a new series on Building an Enterprise Application Security program. We spend a lot of time on advanced technologies on the Securosis blog: variants of monitoring, auditing, assessment, threat management, application security, and so on – but we have never pulled all these facets together for companies to assemble into an enterprise application security program. Or goal is to discuss specific security and compliance use cases for large enterprise applications, highlight gaps, and explain some application-specific tools to address these issues. This will not be an exhaustive examination of enterprise application security controls, nor an examination of generic security platforms – instead we will offer a focused summary of the most common deficiencies, with suggestions for what to do about them. The remainder of this series will cover the following: Needs: Use Cases Compliance (SOX, PCI, etc.) and internal audit reporting Transaction verification Use of sensitive information Security (insider and external threats) Change management & policy enforcement Gaps: What Works and What Doesn’t Why enterprise applications are different SAP: special issues with this poster child for enterprise applications Security and compliance gaps with IAM, encryption, and data encryption Inventory, discovery, and assessment Network monitoring deficiencies Conventional application and database layer protection Skills and priorities Program Elements Assessment: discovery and configuration analysis Patching and configuration management (environment, application, database, & modules) Application and database monitoring Management frameworks and policy enforcement Logging, auditing, and compliance reports Additional recommendations Our next post will discuss use cases and problems firms need to address, which we will use to frame our subsequent discussion of security gaps. Share:

Lots of folks talk lovingly about their first computers. Mine was a Timex Sinclair I ran through my 10” black-and-white TV. But that wasn’t the first computer I played with. My Dad was pretty early into the word processing world as part of his law practice. So when we went to the computer show down in NYC and checked out all the new wares, I was like a kid in a candy store. When he lugged home the Kaypro II, I thought it was the coolest thing ever. And evidently a significant productivity enhancer, especially hooked up to that old daisy wheel printer. You remember those, right? So when I saw Throwback Thursday: Kaypro II Stole My Heart on InformationWeek, it was a nostalgic moment. The Kaypro II, released in 1982, featured two 5¼-inch double-density floppy-disk drives, 64 KB of RAM, and ran Digital Research’s CP/M operating system. Weighing in at 29 pounds, it and other PCs like it were dubbed transportables or, more cheekily, luggables. Luggable LOL. Though I do remember my Dad lugging the Kaypro between his condo and the office, so I guess it was transportable. And mention of the 9” green (monochrome) CRT made me smile as well. Of course my kids will have no grasp of what the early days of personal computing were really like. They are bitching about their old iPod touches that won’t run iOS 8. And they are right – technology is moving so fast that a 5-year-old device is severely limited. But old folks (or at least survivors of that early computer age) like me remember. And we laugh. Because the progress we have seen over the past 30 years is really incredible. Yet it’s only beginning. I cannot even imagine what things will look like in another 30 years. Photo credit: “untitled” originally uploaded by Marcin Wichary Share:

Rich here. Last night I arrived home around 11pm from the totally awesome SecTor conference in Toronto. It took about 11 hours to wend my way home through the air system, which has a certain beauty. Yeah, I took it to 11. Before that I was home for a couple days, during one of which we took the kids to the local aquarium-in-the-outlet-mall to meet the Octonauts. Yes, we have one of those. Yes, if your kids are of a certain age, they know the Octonauts. And yes, the Octonauts have a totally awesome Star Trek TOS vibe, and I weirdly learn cool stuff – like how freaky vampire squids are – from watching it. I won’t link – I want you to have the pleasure of searching for “vampire squid” and then not sleeping. Before that I was in Amsterdam for 5 days. With my wife but without kids. I spent two of those days teaching the cloud security class for Black Hat, and the two free days touring around with her. Amsterdam reminds me of New Orleans in spots, which means it’s fun, and then it’s smelly. I have never been into the hedonistic stuff but I love cool historical cities. Especially without the kids. Assuming they have beer. Before that is a blur; it probably involved airplanes. Next week I head to Houston for Camp DevOps. I really like those events – so much so that I will spend 6 hours on a plane for what is normally an under-2-hour flight. One problem with traveling so much is that I struggle to find time to set up the next trip, so I got hammered with insane prices. I am unwilling to spend over $1K to fly from Phoenix to Houston, so I got a middle seat on Delta, routed through Salt Lake and Atlanta. Yay team. After that, I can’t talk about it, but the week after that is Amazon re:Invent. I’m not speaking there, but even if you use other cloud providers re:Invent is a must-attend event. Okay, it helps if you use AWS, but still, there is a ton of great info, some of it generalized. So there you have it. I am wicked jetlagged from too many time zones in too short a time, but when you work for yourself you can’t gripe too much about being busy. And, you know, 5 days in Amsterdam with my wife & my kids, so I should really just shut up and not complain. On a different note, you may have noticed some weirdness with our site recently. We had a conflict between our super-secure hosting architecture and an underlying component update we couldn’t totally nail down. It got so bad we moved to a slightly-less-secure host temporarily, which fixed the problem. I am actually rearchitecting the entire deployment (with our developer contractors) to take advantage of all the cloud security and DevOps research I have been working on, but that move will take a little time. We apologize sincerely, and at some point I will provide a more detailed writeup. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences eWeek covered Rich’s talk on DevOps at SecTor. Their writeup was great and really captured the core of the talk. eSecurity Planet covered the SecTor Fail Panel. That one also had Mr. Lewis and Mr. Arlen. Rich wrote up Spotlight Suggestions privacy for TidBITS. I guess this is why I didn’t post much on our own site. Need to work on that. Favorite Securosis Posts Adrian: Running Man. Mike. Running. Running distance !?! I … {head explode}. Rich: I guess I need to kneecap Mike. He’s stealing my thunder. I’ve done some half marathons, and no f###### way I will let him beat me to doing a marathon. Other Securosis Posts Hindsight is 20/20. Favorite Outside Posts Adrian: NSA Tech Director Explains Snowden Docs. I don’t know when this was published but it’s fascinating. I usually suspect disinformation attempts but this seems genuine. Mike: 6 Buddhist Principles That Will Help You Be A Better Boss. Yeah, I’m pimping some more mindfulness stuff. But these are good things to think about, regardless of how much time you spend being mindful… Research Reports and Presentations Leveraging Threat Intelligence in Incident Response/Management. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. The Security Pro’s Guide to Cloud File Storage and Collaboration. The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Top News and Posts Updated Windows FTDI Drivers bricking chips Schneier on Crypto Wars II. Google Launches 2FA as part of FIDO Alliance NAT-PMP vuln puts 1.2 million routers at risk. Share: