Yes, people, the disclosure debate is still alive and kicking. But now it is basically a pissing match between two of the largest tech companies. With Google setting rigid deadlines, and Microsoft stuck on their rigid schedule, who will win? Grab the popcorn as we talk about egos, internal inconsistencies, and why putting the user first is so damn hard. Share:
In our last Firestarter for this year, Mike, Adrian, and I take on some of the latest security predictions for 2015. Needless to say, we aren’t impressed. We do, however, close out with some trends we are seeing which are likely to play out next year, and are MOST DEFINITELY NOT PREDICTIONS. One warning: despite a lack of Guinness, we use some bad words, so let’s just brand this NSFW. Unless your workplace is like ours – then go for it. Lastly, here are links to the predictions we called out (the only ones we found – feel free to mention more in the comments): Websense. Which we didn’t read because you need to register to see them. Trend Micro. Home of the legal disclaimer in case you get hacked after believing their predictions. Kaspersky. A hard one to rip because we have friends there. Netwrix. Yeah, we don’t know who they are either. Vormetric. Another company we like, but we haz to play fair. My 2011 security predictions. I keep renewing them every year, without change. Still mostly holding up – I estimate I hit 70-80% accuracy for 2014. Share:
SSLmageddon V12. Polar Vortices. Ebola. APT123. We live in an era when every week it seems some massive new vulnerability, exploit, or attack is going to take down society. This week Rich, Mike, and Adrian tackle the endless progression of bad news; and how to maintain focus when everyone wants you to save the children. As a side note, if you haven’t seen or read about #feministhackerbarbie on Twitter… oh my, you need to. Share:
Adrian is out, so Rich and Mike cover the latest Amazon Web Services news as their big re:Invent conference closes in. We start with the new Frankfurt datacenter, and how a court case involving Microsoft could kill off the future of all US-based cloud companies (it’s always the little things). Then we discuss directory services in the cloud, and how this indicates increasing cloud adoption and maturity at a pace we really haven’t ever seen before. Share:
Mike, Adrian, and I start off a little rough around the edges, but eventually get to the point. Travel is taking its toll so we won’t be able to keep our usual weekly schedule, but we will stay as close as possible – until I run off to Amsterdam for a week, for Black Hat Europe. We catch up on the inane for a few minutes, before jumping into a discussion of the bash vulnerability and disclosure debacle. We agree it is often valuable to analyze an event after the initial shock waves (See what I did there? Shellshock? Shock waves?). Today we focus on the deeper implications and how the heck a disclosure could be so bungled. Plus a little advice on where to focus your patching efforts. Share:
We continue to investigate the practical uses of threat intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, now we turn our attention to Incident Response and Management. In this paper, we go into depth on how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources to help narrow down the scope of your investigation. We’ve also put together a snappy process map depicting how IR/M looks when you factor in external data as well. To really respond faster you need to streamline investigations and make the most of your resources. That starts with an understanding of what information would interest attackers. From there you can identify potential adversaries and gather threat intelligence to anticipate their targets and tactics. With that information you can protect yourself, monitor for indicators of compromise, and streamline your response when an attack is (inevitably) successful. You will have incidents. If you can respond to them faster and more effectively, that’s a good thing right? We believe integrating Threat Intel into the IR process is a way to do that. We’d like to thank Cisco, Bit9+Carbon Black, and Intel Security/McAfee for licensing the content in this paper. We’re grateful that our clients see the value of supporting objective research to educate the industry. Without the forward looking organizations, you’d be on your own… or paying up to get behind the paywall of big research. Download Leveraging Threat Intelligence in Incident Response/Management (PDF) Share:
After our little Black Hat and DEF CON induced hiatus, the boys are back to talk about the latest vendor suing Gartner. Yes, there is a Gartner Tax. No, it isn’t what you think. No, there is no pay for play. Yes, there are better ways to handle this. Yes, end users love Magic Quadrants no matter how much you trash talk them. And yeah, somehow we know a bit about how all this works from all sides. Share:
In the latest Firestarter, Rich, Mike, and Adrian discuss the latest controversial research to hit the news from HOPE and Black Hat. We start with a presentation by Jonathan Zdziarski on data recoverable using forensics on iOS. While technically accurate, we think the intent he ascribes intent to Apple shows a deeply flawed analysis. We then discuss a talk removed from Black Hat on de-anonymizing Tor. In this case it seems the researchers didn’t really understand the legal environment around them. Both cases are examples of great research gone a little awry. And Rich talks about a snowball fight with a herd of elk. These things happen. Share:
This week we kept it simple with two topics. First up, China’s accusations that iOS and iDevices are a security risk. Mike’s at the Jersey Shore, Rich is in Boulder, and Adrian is… baking in Phoenix in between tree-killing monsoons. This week we kept it simple with two topics. First up, China’s accusations that iOS and iDevices are a security risk. Which they should know, since they are all built there. Second is a discussion on security careers. How to break in, and what hiring managers should really look for. Share:
Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.
Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.
Here’s how it works:
In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.
On the back end, here’s how we handle this approach with licensees:
Here is the language we currently place in our research project agreements:
“Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.”
Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.
