Research

Over the past year or so we have done a bunch of research into denial of service attacks, at both the application and network levels. Tactics are one thing, but we usually start with adversary analysis. You know: who wants to pop your environment and steal your stuff. Or maybe just knock you down so you can’t get up. Not that this is news, but shakedown via DDoS is still alive and well. And even the mass media is catching on, as evidenced by this BBC article. This quote from the CEO of CloudFlare describes the attack is language even I can understand. In the physical world, you could think of it as a sit-in, or if you had all of your friends going to a store, fill the entire space and not actually buy anything. So what do you do? Do you pay the ransom? I suspect many organizations do. Over and over again. Can you fight? Yup. There are a ton of services out there that can help defend you against a DDoS. Some are enterprise-capable, with all sorts of networking kung fu to move traffic into their scrubbing centers at the onset of the attack. Others provide this service as part of a CDN or performance optimization service. Either way, if you have an important site that can’t go down, you need to make sure you protect it from 21st century mobsters, doing the 21st-century equivalent of throwing a brick through your window. How you doin’? Photo credit: “The Godfather” originally uploaded by Alex Eylar   Share:

One of the noteworthy activities coming out of BlackHat/DEF CON was the open letter to the auto industry from I am the Cavalry espousing 5 principles for making the computers in cars safer – before someone gets hurt. As our pal Josh Corman says in a CSO article on the initiative: “This initiative is not only about finding bugs,” Corman said. It’s about building relationships between researchers, industry and government, which is much harder, he said. [sic] It is indeed all about the relationships. Researchers (most notably Charlie Miller and Chris Valasek) have hacked the crap out of cars, because all these fancy car tech systems are just computers with WiFi and/or Bluetooth. Egads! Of course they can be hacked. The question is whether auto makers will get ahead of the issue. The principles are pretty straightforward. Things like building security in, having independent researchers try to break it, updating software remotely, and isolating important stuff (such as the steering system and power train). This isn’t brain surgery and some auto makers (notably Tesla) are hiring teams to do a lot of this research on their own cars. I applaud the efforts of the Cavalry and other organizations which work to build these relationships and progress based on mutual interest, without an adversarial relationship. There was a bunch of trolling on Twitter earlier this week, which was largely about the futility of these movements. Just because it’s hard doesn’t mean it’s not worth doing. Of course security will get better in cars and other areas where connectivity is expected (like medical devices). It can happen via productive discussions with organizations like the Cavalry. Or it can happen after someone dies, when Congress gets involved to grandstand and hijack the conversation. The choice lies with industry. We’ll see how it goes. Photo credit: “cavalry charge” originally uploaded by The U.S. Army Share:

Oddly enough my big takeaway from the Black Hat security conference was not about security – it was about innovation. It seems many of the disruptive trends we have been talking about are finally taking hold, finding mainstream acceptance and recognition. We have been talking about cloud computing for a long time – Rich has been teaching cloud security for four years now – but people seem to be really ‘getting’ it. It takes time for the mainstream to fully embrace new technologies, and only then do we see disruption fully take effect. It is as if you need to step fully into the new environment before what’s really possible takes shape and starts to manifest itself. Fo example, when the Internet hit big in 1996 or so, we talked about how this would hurt “brick and mortar” retail, but it was a good 7 to 10 years before that reality fully manifested. Only then did the change take full effect, and few industries were left untouched. We are just now reaching that point with the cloud, mobile, and NoSQL databases, and getting here has been exciting! When I talk about security analytics it is nearly impossible for me to do so without first talking about NoSQL and the value of “big data”. NoSQL enables me to inexpensively scale up to collect all the data I need. NoSQL allows me to easily pull new and complex data types for analysis. NoSQL facilitates more programmatic use of stored data, and my choice of NoSQL architecture lets me tailor a solution to analytics or real-time response. Security analytics is the goal, and you don’t need to have NoSQL, but the disruptive innovation of NoSQL makes it better and cost-effective. NoSQL has been around for a long time, but the possibilities for security analytics are only being widely considered now that most firms have taken their first steps into the new world. The same is true for DevOps, which is the culmination of several technology advancements reinforcing each other. The API economy is making the cloud, mobile, and various other services accessible. It is being driven by development teams who need to be more agile and efficient. DevOps offers virtual on-demand resources. DevOps does not depend on the cloud, but the cloud makes it better. This evolution of several pieces has suddenly created something bigger than the sum of its parts. Even better, all these new technologies build in security components. I was more amazed to see disruptive innovation manifest, but there were significant efforts to build security into each of these trends. Life will be very interesting over the next 4-5 years. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted on context-aware security in SearchNetworking. Mike quoted in coverage of Wendy Nather as a “Power Player” in IT Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn’t be happier to be quoted. Mike’s “Change Agent”: Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a “change agent” with an impact on how security has evolved… Check it out. Adrian and Mort talk Big Data with George Hulme. Mort quoted in “Communicating at the speed of DevOps”. Favorite Securosis Posts Mike Rothman: Suing Gartner. I’m surprised I didn’t get more comments on this post. Kind of counter-intuitive. Unless maybe it’s not and everyone else figured out that NetScout is grandstanding before I did… Adrian Lane: Butterflies. Morphing. It’s this week’s theme. Dave Lewis: Trolling Mass Media. Other Securosis Posts It’s not a problem until someone dies…. Cloud File Storage and Collaboration: Additional Security Features. Friday Summary, August 1, 2014: Productivity Metrics edition. Favorite Outside Posts Mike Rothman: Mark Twain’s Top 9 Tips for Living a Kick-Ass Life. Adrian Lane: Military Companies Brace for Rules on Monitoring Hackers. It’s one thing to disclose a breach to a partner – it’s another to let the partner conduct the forensic analysis. Most firms don’t trust their business partners enough to give them unfettered access to their systems. And the government has many interests outside supplier agreements. We will see how this shakes out. James Arlen: SEC failed to guard sensitive information. Dave Lewis: Weak Passwords: Mel Brooks Warned Us. David Mortman: Multipath TCP speeds up the internet so much that security breaks. <– Ooops. AKA stateful firewalls break multi-homed BGP if you don’t architect correctly…. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts Espionage programs linked to spying on former Soviet targets. Dan Geer’s Blackhat Keynote. The Lie Behind 1.2 Billion Stolen Passwords. Is Amazon Web Services Really Down and Out? Facebook Buys Security Firm PrivateCore. 8 Patterns For Continuous Code Security. Safari for OS X gets “click-to-own” security holes patched. Tenn. Firm Sues Bank Over $327K Cyberheist via Krebs. Last Hacker Standing, Episode IV – The Last Hope. Martin’s new podcast. Snowden says NSA was responsible for 2012 Syrian internet blackout. Dead Simple Encryption. Forget encryption: Why won’t anyone build an open-source key manager? Security Kahuna Podcast: Las Vegas Edition. ERP: Protecting the pipeline by focusing on business-critical platforms. Improving Malware Detection in Firefox. Share:

A couple weeks ago we went to see the kids at camp on visiting day. They have so much fun, learn new skills, and grow as individuals at camp – despite being away from the watchful eyes of their parental units. Go figure – let your kids spread their wings, and they do. One of the new skills both XX2 and the Boy tried out was waterskiing. So during visiting day they get to show off for the folks. So we walk down to the lake, and have a few minutes before the kids get into the water. I sit down in a nice white gazebo next to the lake. Up flies a butterfly to perch on the rail right next to me. It’s basically just staring at me. No fear. No need to go anywhere else. Just hanging out. I bust out my camera and take a few pictures. The butterfly doesn’t move. My dad comes over and takes a few pictures – butterfly still doesn’t move. I don’t think much of it, and then we go see the kids ski. XX2 even gives us a wave as she motors on by. The Boy does get up on the skis. For about 4-5 seconds. Guess he can work on that some more next summer. Then I was at Black Hat last week, and it was crazy how much the conference has changed over the past 5 years. The hallway booths are now an exhibit hall. The audience is much larger, and now a bunch of senior security folks show up as well. It reflects the crazy growth of the security business. Though it seems many hands-on practitioners still attend, which is the key to maintaining the show’s value. During my meetings at Black Hat I was constantly talking about the change that is coming to security. We have been thinking a lot about what the future of security looks like, and we have some ideas. We will be right on some things, and wrong on others. But things will change. That much I can guarantee. On Monday we put the kids back on the bus for another year of school. Lots of change happening at school as well. The twins are now broken up into 4 groups this year, with different teachers to specialize by subject. And there is a new principal in the elementary school, so no telling what else will change. Then I can reflect on my own physical and mental evolution over the past few years. Lots of change there too. You seeing a theme here? The only constant is change. Then the butterfly from visiting day flew back into my consciousness. Butterflies represent change. Starting life as a caterpillar, molting, and then emerging as a butterfly: a perfect representation of everything. Constantly changing and growing into something new. You cannot stop change. Just like you cannot force a caterpillar to remain a caterpillar. You can resist but that will not end well. Change always wins. So embrace it. Lean into it. Don’t fear it. Treat every change as an opportunity to grow. Because that’s what it is… –Mike Photo credit: “Butterfly eye – canon 550d” originally uploaded by @Doug88888 The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U If I ran the zoo: Dan Geer provided keen insight on several critical computer-related public policy debates during his keynote at BlackHat last week, and posted his full full talk. On net neutrality he provided the simplest – and sanest – solution I have heard to date. Dan suggests making network carriers choose to be either just a telco passing bits, or an ISP working at the content layer. If they are inspecting content, then they can decide what to throttle (such as Netflix), but that requires accepting liability for content as a “content carrier”. On the other hand, bit pushers neither throttle nor inspect – they just let the content flow. Dan put his considerable

It happens every couple years. Some vendor is really pissed at their placement in the Magic Quadrant, and they decide to sue Gartner and make it right. Inevitably the suit involves the words pay to play, and the vendor thinks they will be the company to make things right in the world. They will get justice for all those companies relegated to the loser niche quadrant. They will unmask the evil analysts for the shakedown artists they are. The latest is NetScout, who filed a suit recently claiming all sorts of stuff. “Gartner is not independent, objective or unbiased,” NetScout claimed in its lawsuit, “and its business model is extortionate by its very nature. Its substantial success is due to the worst kept secret in the IT industry: Gartner has a ‘pay-to-play’ business model that by its design rewards Gartner clients who spend substantial sums on its various services by ranking them favorably in its influential Magic Quadrant research reports and punishes technology companies that choose not to spend substantial sums on Gartner services.” Of course they are wrong. On a number of fronts. First the pay to play angle. Rich covered that a while back, so go see his arguments. Secondly, the MQ is Gartner’s opinion. An opinion can be biased. It can be wrong. It can be anything. None of those things are illegal. But maybe NetScout already knows this. What if they know this is a battle they cannot win? Maybe they don’t expect to win a legal verdict. They should be worried about winning deals in the field, and how a poor placement in the MQ impacts that. This legal action might actually be cover for their reps. Let me explain a bit. When you have to deal with a crappy MQ, you go into spin mode quickly. You have to distribute information to your sales force and partners about why Gartner is wrong. How they missed things and don’t understand the market. It’s a big pain in the butt, and it has sales folks running scared because they know every competitor will be using Gartner and the MQ to put their company into a box. But what if your sales reps could go to customers, saying they vehemently disagree with Gartner’s findings. So much so that they felt forced to legal action. Would that help? Will it make a difference? The biggest issue is generally getting your sales force to tell a consistent message, so having everyone talk about the suit certainly gets everyone on the same page. And better to come off as aggressive and willing to fight for leadership, rather than embarrassed and defensive. Some customers will respond well to that, and keep NetScout in the deal. A lot of others can’t give less of a crap, and will toss them out because in their organization it’s too hard to buy products without the MQ stamp of approval. NetScout was going to lose all those latter deals anyway – now maybe they stand a chance in the others. Though probably not. So what will happen? NetScout will lose the suit. In fact it will likely be dismissed with prejudice, and NetScout will likely have to cover Gartner’s legal fees. Because how can you win a lawsuit over someone’s clearly stated opinion? It’s not like they are making libelous statements. But NetScout might see a net gain because they will stay in deals longer. At least some deals. And if they close one deal they would have lost, they are likely to cover their legal fees. So maybe they are smart and looking at this suit as a sales & marketing expense. Or maybe they are knuckleheads who actually expect some kind of favorable outcome from this legally nonsensical suit. Either way, they got a lot more folks talking about NetScout. Public relations for the win! Photo credit: “Sue the Bastards” originally uploaded by Lloyd Doppler Share:

At Black Hat last week, it became apparent just how mainstream our little part of the world has become. And it’s not so little any more, either. When 2 of the top 5 articles on cnn.com are related to cyber we have hit the big time. But that also means promoters and other shysters will start showing up in even greater numbers to capitalize on the media hype machine looking for any kind of news to drive page views. So when the Internet blew up Monday with news of 1.2 billion credentials and a crapton of emails being stolen, everyone in the business just shrugged. What’s another billion stolen credentials between friends, right? Thankfully not everyone was at Black Hat, and some reporters who actually report questioned the findings. Here is an awesome and more detailed post unveiling the over-promotion and tactics underlying the findings. It seems like something Greg Evans 2.0 would do – including bigger numbers. And thankfully folks jumped on the protection racket offer to charge folks $120/year to ‘protect’ them, whatever that means. You also gotta love the way this guy tried to get folks to share their passwords to check if they were stolen (h/t to HD Moore for that one). LOL. The song remains the same. Don’t believe everything you read. Don’t be surprised when more and more shysters start showing up to get their 10 minutes in the sun. And the mass media will continue to provide and fuel the engine. They certainly won’t let the truth get in the way of a few million page views. Photo credit: “Troll” originally uploaded by Doug Wildman Share:

This is part 4 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also part 1, part 2, and part 3. Additional Security Features The core security features are a baseline which enterprise and business customers should look for when selecting a service for their organization, but the various services also offer a plethora of additional security features. Providers see this as a way to entice enterprise users onto their services, show advantages over traditional storage infrastructure, and create competitive differentiation. So security is used as both a competitive baseline and a differentiator, which is why we see new capabilities appear consistently. The odds are high this report won’t cover everything available by the time you read it. Universal search and investigation support As we described earlier, most cloud storage providers track all files, offer content search, and track every user and every device that accesses each file, including who viewed it in a web browser, downloaded a copy, or synced it with a computer or mobile device. That single central control point enables fairly powerful security capabilities. Worried a document leaked? Find all copies and the entire access history. An obvious caveat applies: once a file leaves the service it isn’t tracked, but at least you have a starting point to identify where it went. This is often one of the more difficult first steps in any leak/breach/abuse investigation, because traditional storage products rarely track this level of detail. Enhancing this is full content indexing and search. This isn’t purely a security feature, but enables you to search your entire cloud storage repository for keywords or other specific content. Some providers offer options for more advanced searches, particularly regular expressions. This is also useful for non-security reasons, so we expect indexing and searching capabilities to increase over time, but make sure you understand what your provider supports now. Another limitation is that providers don’t support every possible document type. For example, the odds are low that your CAD file format is supported today. Typically standard Office and text formats are supported – check with potential providers rather than assuming. Client-managed encryption All enterprise-class cloud storage providers encrypt data in their backend, but they manage the keys and can thus technically see your content. There are now third-party security vendors who encrypt cloud data using different approaches, and some cloud storage vendors are adapting their architectures to allow customers to encrypt directly within the service, but control their own keys. This is a different approach than using a third-party tool. Your cloud provider still handles the encryption in their backend but you have your own encryption keys. There are two major options: The cloud platform endpoint agents handle encryption operations synchronized with your enterprise key store. For this to work they need to include the capability in both workstation and mobile agents, and a mechanism for integrating key distribution. The cloud platform manages encryption in their backend, but opens mechanisms for enterprise users to provision and manage their own keys. There are a few ways to handle this technically, but typically it involves a Hardware Security Module (HSM) that is located in the cloud provider’s data center yet managed by the client, in a client data center, or at a infrastructure cloud provider. The important part is that the customer rather than the cloud provider, is the only one who can manage keys. Technically they are exposed in the cloud provider’s data center during cryptographic operations, but if architected correctly the risk of key exposure can be minimized. We won’t be surprised to see other approaches develop over time, but these are the two we know are on the market or soon will be. In both cases the customer needs their own key management infrastructure. One major warning: encrypting data with your own key breaks most or all collaboration features and any indexing/search, because the cloud provider cannot read your content. So it is something you should generally limit to your most sensitive data. Apply it to everything, and you may see users try to circumvent encryption so they can take advantage of platform features you do not support. Data Loss Prevention Full-text indexing and search, combined with a complete audit log of all activity associated with a file, meets our definition for basic content-aware DLP. In addition, a cloud provider can offer real-time monitoring of all content based on search terms, and tie them to enforcement policies. For example, a cloud storage provider could quarantine a file and alert an administrator any time a credit card number is found. This enables enterprise-wide content policies for the entire cloud storage platform. More advanced rules can apply by user or group, restricting only certain activities – perhaps “never share a file with PII or this keyword in it externally”, or any other combination of analysis and rules, such as device restrictions. DLP combines full content indexing and search with persistent policies for near-real time content-aware protection. The market for integrated DLP is still extremely young, and when available its features tend to be limited. Third party integration can provide more capability, and as with everything else we expect to see capabilities expand at a reasonable pace. In discussions with clients this seems to be a popular requirement, which will continue to push the market along. DRM/IRM Digital Rights Management, also known as Information Rights Management, is defined as encrypting data and then limiting its usage through rights policies. For example allowing someone to view a file but not email or print it. Cloud file storage and collaboration services often include in-browser readers, and granular rights policies, they can enable a limited version of DRM. Set a policy so a file can only be viewed in a browser and never downloaded, and you can restrict activity. But to be truly considered DRM the service should include in-browser protections against actions like Copy and screen

There is no free lunch. We need to be reminded of that over and over again. Apparently the Australian government wants to mandate telcos store customer data for 2 years. This is ostensibly to combat terrorism. The telcos don’t like this, so their PR spinsters are talking about how this would cost $500-700M/year, and those costs would be passed onto consumers to the tune of about $100/year. They even referred to this as a “surveillance tax”. FUD-tastic! Got to hand it to those spinsters – they know how to create a frenzy. Even better, the government is trying to extinguish the flames with calming statements like: “the public should not be concerned that there’s going to be gross misuse”. and even better: “I cannot understand why it is correct for all your privacy to be invaded for a commercial purpose, and not for me to do so to save your life,” ROFL. It is not okay for our privacy to be invaded by anyone. I guess these guys never learned that two wrongs don’t make a right. And then they have the voice of reason, who happens to be a dude indicted by the US for leaking info on the NSA. This guy mentions that collecting and retaining all that consumer data creates a huge and irresistible target for hackers. No kidding. What could possibly go wrong with any of this? At least I got my belly laugh in this Thursday morning. Photo credit: Shepard Fairey in London: Big Brother Is Watching YOU originally uploaded by tim rich and lesley katon Share:

I read Jim Bird’s blog consistently because he talks about stuff that interests me. He has a ton of experience and his posts are thought-provoking. And every couple months I totally disagree with him, which makes reading his stuff all the more fun. This week is one of those times, with Devops isn’t killing developers – but it is killing development and developer productivity. I think Jim flat-out misses the mark on this one. The metrics we use to measure productivity are broken. Always have been – stuff like number of lines of code and velocity. Software development metrics have always been crap. Do you really believe more code is better? Isn’t the goal to deliver quality products which include robustness, satisfaction of requirements, security, and so on? Measurements like velocity are made-up and irrelevant to our real needs. They don’t actually tell us what productivity is – all they do provide a trending indicator which sometimes tells us a change we made to the process is having an effect. If we had something better we would use it, but most development metrics are surrogates for real measures because we don’t have any good yardsticks for producing quality code. Which leads to the second point: DevOps spotlights just how broken these metrics are. It is specious to consider developer productivity as going down when the focus of developers and IT has changed to include test orchestration, deployment, and systems management. Developers scripting Chef, Puppet, Bamboo, or whatever are still working productively. Orchestration scripts are code – they are not wasting time handling operations. Writing tests scripts is still work (which developers typically don’t like) and part of the job. The goal is to automate tasks so you don’t need to manually repeat them over and over. DevOps is not the same thing Continuous Deployment. Continuous Deployment is part of it, but not the whole enchilada. DevOps allows developers to be more responsive to customer requests – not because they are chained to a pager answering support calls, but because automation and the infrastructure-first approach enables them to be. Sure, you can screw up priorities and clog the swim lanes with the wrong tasks, but that is a management issue – not a DevOps problem. I agree that not all developers like having to assume more programmatic orchestration of IT operations, and they aren’t necessarily good at it. But the key shift to take note of is that IT staff had better learn to program, or they will have a tough time finding work. The key to DevOps is automation, which means code and scripts… which is why IT needs more developer-centric skills. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian and Mort talk Big Data with George Hulme. Mort quoted in Communicating at the speed of DevOps. Dave Lewis: Digital Supply Chain (In)Security. Favorite Securosis Posts Gunnar: The Identity Cheese Shop. Direct from the ivory tower of identity architecture. David Mortman: Big Brother’s Price Tag. Adrian Lane: The DevOps-y Future of Security Engineering. Mike Rothman: Recruiting Across the Spectrum. Yup, this is mine. But I wanted to highlight it again because I think it’s an important discussion to have. We will need to start thinking unconventionally if security is going to scale to meet demand. Other Securosis Posts Incite 7/30/2014: Free Fall. All Good Things. The 2015 Endpoint and Mobile Security Buyer’s Guide [Updated Paper]. Favorite Outside Posts David Mortman: Multipath TCP speeds up the internet so much that security breaks. <– Ooops. Stateful firewalls break multi-homed BGP if you don’t architect correctly…. Dave Lewis: Canadian intelligence sweeps often intercept private data, spy document reveals. Adrian Lane: Banks Gain Scale with Cloud Issuance & Host Card Emulation. Kaushik Roy clearly articulates some of the issues around HCE and secure elements that have slowed mobile payments and mobile identity for the last few years. And I agree with his thrust that HCE will win out as banks adopt it to reduce fraud and have a viable roadmap for coming EMV standards. Mike Rothman: Symantec Endpoint Protection 0day. The guys at Offensive Security found a little issue with SYMC’s endpoint agent, allowing for privilege escalation. Though we shouldn’t beat up on Symantec too badly – it could have been anyone’s agent. These tools are supposed to reduce attack surface, right? Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts 0-days found in Symantec Endpoint Protection. Android “FakeID” security hole causes a pre-BlackHat stir. Google’s Android Has a Fake-ID Problem. CIA Admits Guilt, Apologizes for Accessing Senate Computers. Improving Malware Detection in Firefox. Vormetric And Rackspace Partner To Offer Encryption Services On Rackspace Cloud. Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System via Krebs. Digital Supply Chain Security: Partner Networks. Russia wants Apple and SAP’s source code over spying concerns. Incident Response Metrics. Breach index: Encryption used in 23 percent of Q2 incidents. Share:

We have talked a lot about how this cloud thing and the associated DevOps revolution will fundamentally reshape security. Probably not tomorrow, or even the day after that. But before you know it, everything you thought you knew about security will have changed. Rich documented a bunch of our thinking in his Future of Security paper, so you can start there. As with most new disruptive innovations, there are likely other folks already where you want to be – it is good to learn from them. So I was very interested in slides from Zane Lackey (who used to run security engineering for Etsy), from his talk on how to build a modern security engineering organization. A few key points from his presentation: Etsy pushed code into production up to 30 times a day. They surfaced security information to everyone, not just security folks. Communication is key to getting folks to work with security, rather than working around security. Expand your team by offering bug bounties. Use penetration tests to figure out how hackers will achieve their goals – not to just prove that your app can be pwned. Overall it is a good deck, which serves as a good reminder that our world is changing. Understand how, or wait to get run over. Share: