Research

The methods by which applications and supporting infrastructure are developed and deployed are undergoing fundamental change. Avoiding the predictable hyperbole, new methods including DevOps and Cloud Computing promise to disrupt most of IT over the next 5-10 years. But embedded infrastructure and legacy applications are not going away. IT professionals need to walk a fine line between delivering critical services at the lowest price for acceptable performance, and doing it quickly and reliably. As usual, security is at the end of the tail being wagged. It’s hard enough to get developers to run a security scan on their code before it’s deployed into production. The idea of integrating security into these integrated development and operational processes (something Rich calls ‘SecOps’) seems like a pipe dream. It may be a dream today, but it needs to become reality sooner rather than later. IT has little choice. Adversaries continue to innovate and improve their tactics at an unprecedented rate. They have clear missions, typically involving exfiltrating critical information or impacting the availability of your technology resources. They have the patience and resources to achieve their missions by any means necessary. And it’s your job to make sure deployment of new IT resources doesn’t introduce unnecessary risk. With this need to move faster and to have more agile infrastructure, it is increasingly difficult to ensure proper testing for infrastructure and applications before they go live. You have all heard the excuses that emerge when something goes wrong with a deployment. We didn’t hit it with that much traffic. We didn’t get around to testing those edge cases. The application wasn’t designed to do that. Ho hum. Just another day in the office, and it’s security’s problem when the new application is compromised, data is lost, or the application falls over under the onslaught of a denial of service attack. It doesn’t need to be this way. Really – it doesn’t. Although in light of common experience, many security folks don’t believe this. The root cause of these issues is surprise. That’s right – when an application goes live (or a major change goes into production), you don’t really know what is about to happen, do you? You haven’t been through a rigorous process to ensure the application (and its infrastructure) is ready for prime time. And calling the application ‘Beta’ won’t save you. If the application has access to critical (regulated) information and is accessible – whether internally or externally – a security mindset is required, along with a way to put the application through its paces. As I wrote in the Pragmatic CSO, Basically you are trying to eliminate surprises. So by doing a full battery of tests before the new system is deployed, you reduce the likelihood that you are missing something that you’ll learn about later – the hard way. Technological disruption is not about to stop. If anything it will accelerate, so we need to get over our idea of a discrete security function maybe doing some testing and/or risk assessment at the tail end of a project. So what can and should security folks do? And how can they get both the development and operations teams on board with the necessary changes to ensure the protection and survivability of the application? To prevent surprise we suggest a security assurance and testing process for ensuring the environment is ready to cope with real traffic and real attacks. This goes well beyond what development organizations typically do to ‘test’ their applications, or ops does to ‘test’ their stacks. It also is different than a risk assessment or a manual pen test. Those “point in time” assessments look at what can happen but aren’t necessarily comprehensive. The testers may find a bunch of issues but not all the issues. So remediation decisions are made with incomplete information about the true attack surface of infrastructure and applications. So that is the topic of our next blog series, titled Eliminating Surprises with Security Assurance and Testing. We will dig into this process, discussing which devices and infrastructure components to test and how to consistently and reliable ensure you are testing the key functions. We will also focus on assuring the readiness and resilience of applications because they are often the path of least resistance for attacks. We would like to thank Ixia for agreeing to potentially license this content at the end of blog series. We will be developing it objectively, using our Totally Transparent Research methodology. We can provide this research to you at this most excellent price because our clients support our unconventional research model. Remember – your adversaries don’t need to hit an arbitrary deadline. They will take the time needed to find the chinks in your armor. Maybe it’s within the application, maybe it’s within the computing stack, maybe it’s the underlying equipment that gets data from one place to another. You can’t eliminate all the defects and security holes in your environment. But you can find out what they are and put a plan together to protect your environment. Deploying a security assurance and testing process to do just that is what this new series is all about. Share:

My friend Shimmy must have taken his nostalgia pills over the long weekend – on Monday he tweeted: Doesn’t it suck getting older I didn’t realize how truly carefree life was All is good here thinking about some new stuff Besides the fact that it’s Twitter-english (half sentences/thoughts to fit into 140 characters, punctuation not required), I disagree with that sentiment. I don’t think it sucks getting older. Aging is awesome. I’m not sure I would recognize my 24-year old self if I ran into him on the street. If I take a rare moment to reflect, almost every aspect of my life is better now. My main gripe is that my body is 20 years older, so my knees ache from time to time and it takes me a bit longer to kick a hangover. But on the list of potential issues, those are pretty minor. There is nothing saying that a carefree life is a better life. Or maybe I just never had a carefree life. When I was younger I was always striving. I had a timetable for success and wanted to hit my dates. A few years ago I dropped the timetable. I could do that because I changed my view of success, which is still evolving as I learn more about myself and what I’m really about. To be fair, there are Saturdays I would like to stay in bed until 2pm like I did 20 years ago. And there was something liberating about fitting pretty much all my possessions into a duffle bag or two. I had nothing to lose. But I don’t buy into the notion that having responsibilities (family, kids, expenses) is worse. In fact all I could think about when I had no responsibilities was my timetable to gain them. I searched for a partner and found the Boss. I worked hard at a number of jobs and then stumbled into research. Same old story. Lots of folks think the grass was greener in the past. Or will be greener in the future. They would rather be anywhere else but here. Any other time but now. Which is a shame. All we have is right now. The past is gone. The future hasn’t happened yet. What I want to do is enjoy the time I have, as long as it lasts. To age gracefully like a good single malt (and I don’t even like scotch). To leverage my experience and help people improve. To connect those I value to resources or knowledge I can access. Just thinking about it gets me fired up about the road ahead. But I shouldn’t beat Shimmy up too badly – he got it right in the last part of his tweet. All is good here. It sure is, brother. I wouldn’t trade my experiences, which have been a critical part of the journey. As I said in Live Right Now: “You could choose to live in the past. We need to be respectful of history, and learn the lessons of those that came before us.” I also said, “Think to the future not in fear and worry, but in hope and grace.” I’m choosing to live right now because I am finally old enough to appreciate the challenges of the alternatives. As Steve Jobs would say, this approach allows you to “Stay Hungry. Stay Foolish.” Which seems pretty carefree to me… –Mike Photo credit: “The Maltman Bowmore 21 Years” originally uploaded by Sven Cipido Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. What CISOs Need to Know about Cloud Computing Adapting Security for Cloud Computing How the Cloud is Different for Security Introduction Defending Against Application Denial of Service Building Protections In Abusing Application Logic Attacking the Application Stack Newly Published Papers Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Staying focused on the prize: Our pal Wendy posted another terrific rant before the holiday. This time on user feedback in applications. In What’s my name? No, really, what is it?, she talks about how pen testers always gave her a hard time about the feedback given by the login process. With that information, the attacker could infer user IDs, etc. Wendy points out that is by design – if users cannot remember their user names they call the help desk. When they call the help desk it costs money or takes folks away from more important tasks. So yes, you need to balance the obscurity required to make it harder on attackers against the downside of making it harder for legitimate users. Which do you choose? Thought so. She closes with: “If your system can’t withstand attacks by someone who knows a valid username or email address, then you have MUCH bigger problems to solve.” Wendy drops the mic and goes home. – MR Super-unrelated: The PCI DSS 3.0 requirement that firms map the flow of payment card data is really nothing new – identifying what systems contain cardholder data has been part of every DSS specification since the beginning. Mapping the data flow and showing which users and applications have access to that data simply provides a clearer picture of how that data is used so you understand how best to safeguard it. For threat modeling this type of diagram is a must! The key is that it makes the assessor’s job easier to have a map of the systems in scope and subject to review. That does not address the flaw Troy Leach identifies: unknown and unsecured cardholder storage locations

  They say it is better to be lucky than good. I seem to test that theory on a daily basis. Just yesterday I ranted about the need for multi-layer DoS defenses, mostly by poking at a Prolexic white paper advocating the opposite. I alluded to the reality that most customers wouldn’t run all their traffic through a scrubbing center, so they need on-premise defenses as well (so a multi-layer system). What I didn’t specifically say is that if all traffic runs through a processing center, a customer could get pretty full DoS protection. Then Akamai went and bought Prolexic for $370MM in cash, basically to test that concept. The combined entity can (at least on paper) offer DoS protection against both volumetric and application-layer attacks as part of a single service, as long as (and tis is the big qualifier) all traffic is running through the provider… which is Akamai’s normal mode of operation, and fits well with their pricing model. The deal makes sense for perspective both parties. Prolexic gets a parent with deep pockets, which is critical when you need to keep pace with ever-increasing bandwidth available to ever-increasing millions of compromised devices being used as DoS artillery. Prolexic’s investors get out at a reported 7-8x sales multiple, which is generous for a business with significant infrastructure and bandwidth costs impacting profitability. Akamai gets a blue-chip customer base of large enterprises who get hammered by DoS attacks daily. They get some sales folks (hopefully the ones who stay) who understand security. They also get some research, response processes, and know-how to supplement their existing in-house capabilities. Akamai has struggled to make inroads in the security business, so clearly this adds significant momentum and some credibility. They also get to leverage their existing global network as the underlying infrastructure for Prolexic’s services. That takes one of the huge costs of running a DoS service provider – bandwidth – out of the mix. Not that Akamai gets free bandwidth. But given the size of their CDN networks, Prolexic’s bandwidth requirements should be a drop in the bucket. Maybe not even that… Of course I add my usual caveat that even the best paper deals all come down to execution in the end. There are countless ways Akamai could bungle this deal and squander the hammerlock they just bought in enterprise DoS mitigation services. But on the surface this deal makes perfect sense – which is rare for security deals lately. Photo credit: “bath time for pandas” originally uploaded by Second Life Resident Torley Share:

  I guess I shouldn’t be surprised by highly biased marketing campaigns providing bad advice to customers. Normally I let it go (yes, Zen Mike is usually in the house), but not today. I saw Prolexic’s Why a Multi-Layered Security Strategy is Not Ideal for DDoS Mitigation campaign and was a bit perplexed, especially by one statement: The typical IT advice of using multiple tiers of security to build the best defense for protecting networks does not apply to distributed denial of service (DDoS) mitigation. Wrong. As I described in our Defending Against Denial of Service Attacks paper (and the subsequent AppDoS series), attackers use multiple tactics to impact the availability of your applications. So you need to think about how you will deal with volumetric and application-layer attacks. I read Prolexic’s white paper, and I will never get that 15 minutes back. But their main point is that coordinating among many vendors and/or service providers is challenging. So you should use one provider who can do it all. They are correct that it’s hard to coordinate multiple controls across multiple vendors. But isn’t that what security folks do? Oh, you want an Easy Button for security? Good luck with that. Here’s what Prolexic didn’t mention in their paper. They didn’t say that in order to get protection from both network and application-layer attacks, you need to route all your traffic through their network. All of it. All the time. If you wait until you are being blasted or your applications fall down, it’s too late. They don’t mention that increased cost. Of course not – it would make their pitch much less attractive. I am the first to push for simplicity rather than complexity. But the trade-offs need to be disclosed. In this case it is the cost of paying for all your bandwidth going through a service provider. Anyhow, I said my piece. Now I’ll let it go… Photo credit: “cute but wrong” originally uploaded by Gerard Stolk Share:

  Actually, things mostly don’t change. We talk a lot about the dynamic threatscape, advanced attacks, and all sorts of other things that make us feel special. But most of the same tactics that have been owning people and technology for decades are still in play. The mass market doesn’t learn, so they repeat history – over and over and over again. Roger Thompson makes this point on a recent ICSA blog post on Cryptolocker. He reiterates the directions he (and probably the rest of you) have been giving folks for a long time. I told her that Cryptolocker was indeed real and is the criminal’s monetization scheme-du-jour. While it is a real pain if you got nailed by it, basic security practices would keep you perfectly safe. I enumerated those practices for her, and, although we were communicating by typing in a chat program, I could almost hear her smile as she said, “That’s the same advice from twenty years ago.” I realized she was right. The practices are right out of the simple security handbook. You know, things like patching (not just MSFT software nowadays), don’t open unexpected attachments, don’t use admin rights (when you don’t need to), and back up your stuff. Simple. But not many people really do this stuff. And that’s why advanced attackers are only as advanced as they need to be. To be clear, as Roger says, if you are targeted by a truly sophisticated adversary, these simple practices won’t do much. But most of the world isn’t in that situation – fortunately. So getting better at the fundamentals still matters in security. And probably always will. Photo credit: “Dancing Dummy” originally uploaded by Dave Hogg Share:

This should be no surprise because I just pounded through all the posts and put the paper up on GitHub for open review. As of today I am happy to launch the official exec-friendly white paper version of the Executive Guide to Pragmatic Network Security Management. There is a landing page, or you can go directly to the PDF. As a reminder, this paper focuses on managing your network security program – not a particular appliance or tool. It targets those of you with larger or more complex networks – or, really, anyone struggling to manage network security from a big picture perspective. I would like to thank RedSeal Networks for licensing the paper, which is how we get to publish these things for free. Share:

  Dell SecureWorks CTU published a cool research report published today. Joe Stewart and David Shear dug into the marketplace of attackers and found that the market for attack products, tools, and services is thriving. Here are a couple of their more interesting findings: Bank account number with online credentials ($70-130K in account): $300 or less 15,000 infected computer botnet: $250 DDoS attacks: $3-5 per hour; $90-100 per day Exploit kit subscription: $1,500 per year That’s pretty short money for those kinds of services, no? We are dealing with market forces, which means there is plenty of inventory. Yup, lots of credit cards, bank accounts, and bots out there waiting to be used. You know, supply and demand for the win. At least the computer crime folks haven’t screwed with the laws of economics. Not yet, anyway. Photo credit: “Dig for Victory 33” originally uploaded by Aidan “Trig” Brooks Share:

Ah, the holidays. That wonderful time of year when I struggle to attempt to explain to my children why the Christmas decorations are up before Thanksgiving. They are very adamant that Thanksgiving is first, and there really shouldn’t be Xmas decorations yet. Because I agree, and struggle to keep “Burn their houses down!” in my head rather than out loud when I drive past certain neighbors, I really can’t explain. Which is somewhat, well, odd, because I am a bit of a Jewish atheist. I mean really, of all the people on this planet, I am fairly low on the list of ones who should be obsessing about putting up colored lights and fake trees. But the thing is, we American Jews friggin’ love Christmas. Oh, not the religious pieces, those are quite confusing to us, but the general holiday spirit. And by “holiday spirit” I mean TV episodes, reruns of Christmas Vacation, the decorations and music, the endless catalogs that make Sky Mall look like one of those corporate 15-year anniversary gift brochures (you know, filled with demeaning lucite blocks and trashy fake jewelry to reward your many years of slavish dedication to the corporate overlords). But back to the decorations. My wife’s parents’ have neighbors who spent two days putting up their decorations. Actually, I need to correct myself: they spent two days watching the people they paid put up the decorations. Not two hours. Two. Full. Days. I will be the first to admit I have experienced a passing mental dalliance with the concept of paying someone with a much nicer ladder than me to spend an hour or two giving my home a colored LED bodyslam, but it just seems wrong. The whole idea of the holidays is to outdo your neighbors with your own sweat and blood, Clark Griswald style. To relish how your ability to run an extension cord to the second story makes you a better person. Paying someone? That’s the Lance Armstrong of Christmas. Actually, Lance had to cheat because everyone else was – he was just better and meaner at it. Paying someone to put up your lights before Thanksgiving makes you lower than a meth cooker with an ice cream truck. There’s no excuse for it, and I, for one, plan on complaining to my HOA. Which probably won’t help because I live in a different town, but someone needs to know. Sorry. I was going to talk about how awesome the Amazon Web Services concert conference was, but the lights got under my skin. For the record, I can’t remember a more exciting time to be in technology, and thanks to Amazon and other innovators, a truly awesome future is becoming reality. But did I mention those lights? &$%ers. On to the Summary: Favorite Securosis Posts Mike Rothman: CISO’s Guide to the Cloud: Real World Examples. Rich just killed it in this series. Really great research from top to bottom. And stuff not many others are thinking about. Yet. They will. Adrian Lane: Compliance for the Sake of Compliance. If a company can’t implement a security program, there is no security program. Rich: Mike’s You Cannot Outsource Accountability. Ever. Other Securosis Posts Digging into the Underground. Incite 11/20/2013 – Live Right Now. Black Hat Cloud Security Training (Beta) in Seattle Next Month. Defending Against Application Denial of Service: Building Protections in. The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing, Part 2. The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing (part 1). Favorite Outside Posts Mike Rothman: 20 Things You Need to Let Go to Be Happy. Ah, the elusive happiness. For me, happy is a place I visit a couple times a day. Then it passes. But these little tips remind me about why I get unhappy. Mostly because I’m not following this advice. Adrian Lane: 2014 to be an eventful year for SSL. Most people forget that SHA-1 is basic infrastructure, used by just about every single HTTPS/SSL/TLS connection in existence. The deprecation of SHA-1 is not just because it was an NSA contribution via NIST, but it has overstayed its welcome. Larry does a nice job of covering the issues. Mort: What’s my name? No, really, what is it? In other words: a user forgetting their username and/or password is orders of magnitude more likely than user enumeration… Mort (2): Boring Is Good. Rich: AWS vs. CSPs: Hardware Infrastructure. I was at these sessions. It is hard to express the enormity of cloud computing in general, and AWS in particular. They can’t even buy routers big enough to handle the traffic so they have to build their own networking stack and rearchitect everything. Research Reports and Presentations Executive Guide to Pragmatic Network Security Management. Security Awareness Training Evolution. Firewall Management Essentials. A Practical Example of Software Defined Security. Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Top News and Posts Senators back lawsuit against NSA: ‘no evidence’ that bulk phone spying helps national security. Feds Arrest 5 More Suspects in $45 Million Global Bank Heist. The second operating system hiding in every mobile phone. Blog Comment of the Week This week’s best comment goes to Andrew, in response to The CISO’s Guide to the Cloud: Adapting Security for Cloud Computing. ‘We cannot overstate the importance of hardening the management plane. It literally provides absolute control over your cloud deployment – often including all disaster recovery.’ Great point. Information assurance is vital. Managing all the risks related to the usage, processing, storage, and transmission of data needs to be at the core of cloud services. Share:

  Adrian put up an insightful (as opposed to inciteful) column on Dark Reading, pointing out that that Simple Security Is A Better Bet. Though I quibble a bit with the subhead: “Complex security programs are little better than no security”. Of course any subhead taken out of context creates opportunity for misinterpretation. I would reword to say, “Complex security programs done poorly are little better than no security”. But that’s just me. The fact is that any set of security controls chosen needs to be achievable by the organization. Even if that means attack surface remains unaddressed. What choice do you have? Even if it’s the low bar that most compliance mandates prescribe. Adrian does make that point effectively. …it was going to address most of the issues the company had – it was not even fully aware of the issues it needed to address – and it was within its capability to implement. I hate to do this because sometimes it feels like compliance for the sake of compliance. Obviously that’s suboptimal. Just like anyone else, I like to actually solve the problem, rather than just putting band-aid after band-aid on the wound. But pragmatism needs to win the day. Any organization pushing beyond its capabilities (and budget) will have problems because it won’t be able to execute – even worse, it might get a false sense of security. Photo credit: “failure-to-comply” originally uploaded by Brendan Riley Share:

As I mentioned a few weeks ago, XX1 had her Bat Mitzvah recently. It was great to be surrounded for a weekend by almost all the people we care about. And XX1 really stepped up and made us very proud. There are few things more gratifying than seeing your child excel – especially on a big stage in front of a lot of people. Part of the ceremony is a blessing from the parents. Some parents provide an actual blessing. Others tell entertaining stories about the child. I chose to give her some life perspective by distilling what I have learned over the past four decades down into a fairly simple concept. I understand she probably won’t get it for a while, but I’m okay with that. So here goes: I have no doubt you will move with grace to adulthood. In preparation for that transformation, let me share with you what I’ve discovered over the past 45 years. In fact, I believe it’s the secret to life. The secret to life? Wow. I know, it seems kind of deep. So here goes. The secret to life is to LIVE RIGHT NOW. I know it seems kind of underwhelming, but hear me out. Once I explain it a bit, maybe LIVE RIGHT NOW will make sense. You can choose to live in the future. Chasing dreams and aspirations and goals and life plans. You are so busy striving for what you don’t have, you never get around to appreciating what you do have. You’ll need to trust me on that. That doesn’t mean you can’t think to the future… but think to the future not in fear and worry, but in hope and grace. Realize you make the vision of your life a reality based on how you live right now. You could choose to live in the past. We need to be respectful of history, and learn the lessons of those that came before us. But don’t be limited by the past. Learn from your own experiences, especially the challenging ones – then let them go. You have the power to create your own future. A future where you can achieve whatever you set your mind to and become absolutely anything you choose. Never forget that who you ARE doesn’t depend on who you WERE. You can and should be reinventing yourself as you move through life. Don’t let anything or anyone define you. Let your actions right now, in this moment, represent who you are and who you will become. Steve Jobs said it much more elegantly in his awesome Stanford Commencement address, “Your time is limited, so don’t waste it living someone else’s life. Don’t let the noise of others’ opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become.” Understanding this secret doesn’t make it easy. Being yourself, loving yourself, and surrounding yourself with people who appreciate and love YOU for who YOU ARE is very difficult. You’ll face many challenges, make countless tough decisions and you’ll screw things up. That’s all part of this game we call life. Just be true to yourself and everything will be OK. I promise. Always remember your Mom and I will be there to support you – celebrating your accomplishments and helping you rebound from your setbacks. Most of all know that we love you, unconditionally and without bounds. I wanted to finish the speech with a Seinfeld quote, but “NO SOUP FOR YOU!” didn’t seem to fit. Instead I chose a passage from Seinfeld’s book that my father sent to me many years ago when I lost sight of what was important. “Life is truly a ride. We’re all strapped in and no one can stop it. As you make each passage from youth to adulthood to maturity, sometimes you put your arms up and scream, sometimes you just hang on to that bar in front of you. But the ride is the thing. I think the most you can hope for at the end of life is that your hair’s messed, you’re out of breath, and you didn’t throw up.” Strap in girlfriend, it’s a wild ride. –Mike Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. What CISOs Need to Know about Cloud Computing Adapting Security for Cloud Computing How the Cloud is Different for Security Introduction Defending Against Application Denial of Service Building Protections In Abusing Application Logic Attacking the Application Stack Newly Published Papers Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Sustainable security change: As we come up to the end of the year, countless folks will fall again into the trap of New Year’s resolutions. Something they are going to change for perhaps a few days in January, then it’s right back to the same old habits. Dave Elfering (whose blog is good – you should read it) talks a bit about Leading vs. Managing in the context of creating change. The process he references (from some work by John Kotter), involves the hard work of lining up support, creating a vision, communicating that vision, empowering action, generating short term wins, and consistency of enforcement to ensure the change sticks. This is hard stuff because everyone is constantly dealing with other shiny objects diverting their attention. Dave’s point is that managers can get things done. But it takes a leader to drive lasting change. I think he’s right. – MR Perverse security