Securosis

Research

Multicloud: Deployment Structures and Blast Radius

In this, our second Firestarter on multicloud deployments, we start digging into the technological differences between the cloud providers. We start with the concept of how to organize your account(s). Each provider uses different terminology but all support similar hierarchies. From the overlay of AWS organizations to the org-chart-from-the-start of an Azure tenant we dig into the details and make specific recommendations. We also discuss the inherent security barriers and cover a wee bit of IAM. Share:

Share:
Read Post

Making an Impact with Security Awareness Training

If you want your organization to take security awareness training seriously, you need to plan for that. If you don’t know what success looks like you are unlikely to get there. To define success you need a firm understanding of why the organization needs awareness training. We are talking about communicating business justification for security awareness training, and more importantly what results you expect from your organization’s investment of time and resources. The most valuable outcome is to reduce risk, which gives security awareness training its impact on corporate results. It’s reasonable to expect awareness training to result in fewer successful attacks and less loss: risk reduction. Every other security control and investment needs to reduce risk, so why hasn’t security awareness training been held to the same standard? We don’t know either, but the time has come to start thinking about it. To overcome limitations in security awareness training and achieve the desired business objectives, in this paper we introduced the concept of Continuous, Contextual Content (3C) as the cornerstone of the kind of training program which can achieve security initiatives. This approach provides a user-centric concept to deliver the necessary content when they need it, reminding the employee about phishing, not at a random time, but after they’ve clicked on a phishing message. We also cover incentives, content approaches, and metrics to ensure your awareness training program provides sustainable impact. We’d like to thank Mimecast for licensing the content. It’s through the support of forward-thinking companies that use our content to educate their communities that allow us to write what you need to read. As always, our research is done using our Totally Transparent research methodology. This allows us to do impactful research while protecting our integrity. Download the paper here. Share:

Share:
Read Post

Scaling Network Security

Existing network security architectures, based mostly on preventing attacks from external adversaries, don’t reflect the changing dynamics of enterprise networks. With business partners and other trusted parties needing more access to corporate data and the encapsulation of most application traffic in standard protocols (Port 80 and 443), digging a moat around your corporate network no longer provides the protection your organization needs. Additionally, network speeds continue to increase putting a strain on inline network security controls that much scale at the same rate as the networks. Successfully protecting networks require you to scale network security controls while being able to enforce security policies flexibly. By applying context to the security controls used for each connection ensures proper protection without adding undue stress to the controls. The last thing you can do is compromise security in the face of increasing bandwidth. The scaled network architecture involves applying access control everywhere to make sure only authorized connections have access to critical data and implementing security controls where needed, based on the requirements of the application. Moreover, security policies need to change as networks, applications and business requirements change, so the architecture needs to adapt without requiring forklift upgrades and radical overhauls. This Scaling Network Security paper looks at where secure networking started and why it needs to change. We present requirements for today’s networks which will take you into the future. Finally, we go through the architectural constructs we believe can help scale up your network security controls. We’d like to thank Gigamon for licensing the content. It’s through the support of forward-thinking companies that use our content to educate their communities that allow us to write what you need to read. As always, our research is done using our Totally Transparent research methodology. This allows us to do impactful research while protecting our integrity. You can download the paper. Share:

Share:
Read Post

The Future of Security Operations

Security teams are behind the 8 ball. It’s not like the infrastructure is getting less complicated. Or additional resources and personnel are dropping from the sky to save the day. Given that traditional security operations approaches will not scale to meet the requirements of protecting data in today’s complicated and increasingly cloud-based architectures, what to do? Well, we need to think differently. We are entering a new world. One where security is largely built into the technology stacks which run our infrastructure. Where we plan our operational functions and document them in clear runbooks. Where those runbooks are implemented via orchestration and automation within infrastructure without manual intervention. In this paper, we present an approach to allow your security team to focus on what it’s good at, which is basically understanding the attack surface and the adversary’s tactics and design controls and policies to protect the organization from the threats it faces. We’d like to thank IBM Resilient for licensing the content. It’s through the support of companies like IBM that license our content to educate their communities that allow us to we write forward looking research. As always, our research is done using our Totally Transparent research methodology. This allows us to do impactful research, while protecting our integrity. You can download the paper (PDF). Share:

Share:
Read Post

Firestarter: Breacheriffic EquiFail

This week Mike and Rich address the recent spate of operational fails leading to massive security breaches. This isn’t yet another blame the victim rant, but a frank discussion of why these issues are so persistent and so difficult to actually manage. We also discuss the rising role of automation and its potential to reduce these all-too-human errors. Share:

Share:
Read Post

Endpoint Advanced Protection

Innovation comes and goes in security. Back in 2007 network security had been stagnant for more than a few years. It was the same old same old. Firewall does this. IPS does that. Web proxy does a third thing. None of them did their jobs particularly well, all struggling to keep up with attacks encapsulated in common protocols. Then the next generation firewall emerged, and it turned out that regardless of what it was called, it was more than a firewall. It was the evolution of the network security gateway. The same thing happened a few years ago in endpoint security. Mostly because they didn’t have any other options. Organizations were paying boatloads of money to maintain endpoint protection, because PCI-DSS required it. It certainly wasn’t because the software worked well. Inertia took root, and organizations continued to blindly renew their endpoint protection, mostly because they didn’t have any other options. Enterprises seem to have finally concluded that existing Endpoint Protection Platforms (EPP) don’t really protect endpoints sufficiently. We feel that epiphany is better late than never. But we suspect the catalyst for this realization was that the new generation of tools simply does a better job. The Endpoint Advanced Protection (EAP) concept entails integration of many capabilities previously only offered separately, including endpoint hygiene to reduce attack surface, prevention of advanced attacks including memory attacks and malware-less approaches, and much more granular collection and analysis of endpoint telemetry (‘EDR’ technology). This paper discusses EAP and the evolution of the technologies are poised to help protect endpoints from consistently innovating adversaries. We’d like to thank Check Point Software Technologies for licensing the content. We are able to offer objective research built in a Totally Transparent manner because our clients see the benefit of educating the industry. You can download the paper (PDF). Share:

Share:
Read Post

Managed Security Monitoring

Nobody really argues any more about whether to perform security monitoring. Compliance mandates answered that question, and the fact is that without granular security monitoring and analytics you don’t have much chance to detect attacks. But there is an open question about the best way to monitor your environment, especially given the headwinds facing your security team. Given the challenges of finding and retaining staff, the increasingly distributed nature of data and systems that need to be monitored, and the rapid march of technology, it’s worth considering whether a managed security monitoring service makes sense for your organization. Under the right circumstances a managed service presents an interesting alternative to racking and stacking another set of SIEM appliances. This paper covers the drivers for managed security monitoring, the use cases where a service provider can offer the most value, and some guidance on how to actually select a service provider. It’s a comprehensive look at what it takes to select a security monitoring service. We’d like to thank IBM Security, who licensed this content and enables us to provide it to you for, well, nothing. The paper was built using our Totally Transparent Research methodology, to make sure we are writing what needs to be written rather than what someone else wants us to say. You can download the paper (PDF). Share:

Share:
Read Post

Building a Threat Intelligence Program

Threat Intelligence has made a significant difference in how organizations focus resources on their most significant risks. We concluded our Applied Threat Intelligence paper by pointing out that the industry needs to move past tactical TI use cases. Our philosophy demands a programmatic approach to security. The time has come to advance threat intelligence into the broader and more structured TI program to ensure systematic, consistent, and repeatable value. The program needs to address the dynamic changes in indicators and other signs of attacks, while factoring in the tactics the adversaries. Our Building a Threat Intelligence Program paper offers guidance for designing a program and systematically leveraging threat intelligence. This paper is all about turning tactical use cases into a strategic TI capability to enable your organization to detect attacks faster. We would like to thank our awesome licensees, Anomali, Digital Shadows, and BrightPoint Security for supporting our Totally Transparent Research. It enables us to think objectively about how to leverage new technology in systematic programs to make your security consistent and reproducible. Download: Building a Threat Intelligence Program Share:

Share:
Read Post

Shining a Light on Shadow Devices

Being a security professional certainly was easier back in the day before all these newfangled devices had Internet connections. I’m not sure how we became the get off my lawn! guys, but here we are. You probably scan for PCs. Maybe you even have a program to find and monitor mobile devices on your networks (though probably not). But what about printers, physical security devices like cameras, control systems, healthcare devices, and the two dozen or so other types of devices on your networks? There will be billions of devices connected to the Internet over the next few years. They all present attack surface on your technology infrastructure. And you cannot fully know what is exploitable in your environment, because you don’t know about these devices living in the ‘shadows’. Visible devices are only some of the network-connected devices in your environment. There are hundreds, quite possibly thousands, of other devices you don’t know about on your network. You don’t scan them periodically, and you have no idea of their security posture. Each one can be attacked, and might provide an adversary with opportunity to gain presence in your environment. Your attack surface is much larger than you thought. In our Shining a Light on Shadow Devices paper, we discuss the attacks on these devices which can become an issue on your network, along with some tactics to provide visibility and then control to handle all these network-connected devices. These devices are infrequently discussed and rarely factored into discovery and protection programs. It’s another Don’t Ask, Don’t Tell approach, which never seems to work out well. We would like to thank ForeScout Technologies for licensing the content in this paper. Our unique Totally Transparent Research model enables us to think objectively about future attack vectors and speculate a bit on the impact to your organization, without paywalls or other such gates restricting access to research you may need. Download Shining a Light on Shadow Devices (PDF). Share:

Share:
Read Post

Threat Detection Evolution

Most organizations have realized that threat prevention has limitations, so we have seen renewed focus on threat detection. But like most other security markets, the term threat detection has been distorted to cover almost everything. So we figure it’s time to clarify what threat detection is and how it is evolving to deal with advanced attacks, sophisticated adversaries, and limited resources. Not to worry – we haven’t become the latest security Chicken Little, warning everyone that the sky is falling. Mostly because it fell a long time ago, and we have been picking up the pieces ever since. It can be exhausting to chase alert after alert, never really knowing which are false positives and which indicate real active adversaries in your environment. Something has to change. We need to advance the practice of detection, to provide better and more actionable alerts. This requires thinking more broadly about detection, and starting to integrate the various different security monitoring systems in use today. Our Threat Detection Evolution paper starts by reviewing security data collection, including both internal and external data sources that can facilitate detection efforts. Next we discuss how to use that data ti reliably figure out what is an attack. We wrap up by going through th process, using a quick wins scenario to show the concepts in action. We would like to thank AlienVault for licensing the content in this paper. Our unique Totally Transparent Research model allows us to do objective and useful research and still make ends meet, so you should thank them too. Download: Threat Detection Evolution (PDF) Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.