Research

Understanding and Selecting a Database Security Platform This paper examines business requirements for securing databases; it also discusses how these requirements are addressed by assessment, discovery, monitoring, auditing, and blocking technologies. DSP is the next evolution after Database Activity Monitoring (DAM), integrating several new technologies into a unified platform for compliance and security, which identifies and reports on transactions that fail to meet business best practices. There are a wide variety of ways to collect information in and around relational databases, and still more to analyze and report on those findings, so this research digs into the nuts and bolts to present a comparative analysis of the technology options available – along with how they address end user requirements. This research is recommended for use in conjunction with other application security tools; because many web and traditional applications rely on database technology to store, manage, and report on data – linking compliance and security requirements. by Adrian Lane and Rich Mogull. (Version 2.0, May 2012) Attachments Understanding_and_Selecting_DSP_Final.pdf [699KB] Share:

Understanding and Selecting a Database Security Platform This paper examines business requirements for securing databases; it also discusses how these requirements are addressed by assessment, discovery, monitoring, auditing, and blocking technologies. DSP is the next evolution after Database Activity Monitoring (DAM), integrating several new technologies into a unified platform for compliance and security, which identifies and reports on transactions that fail to meet business best practices. There are a wide variety of ways to collect information in and around relational databases, and still more to analyze and report on those findings, so this research digs into the nuts and bolts to present a comparative analysis of the technology options available – along with how they address end user requirements. This research is recommended for use in conjunction with other application security tools; because many web and traditional applications rely on database technology to store, manage, and report on data – linking compliance and security requirements. by Adrian Lane and Rich Mogull. (Version 2.0, May 2012) Attachments Understanding_and_Selecting_DSP_Final.pdf [699KB] Share:

Organizations have traditionally viewed vulnerability scanners as tactical products, largely commoditized and only valuable around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Although those 100-page reports make auditors smile, as they offer a nice listing of audit deficiencies to address in the findings of fact. But the tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. We document this evolution to a vulnerability/threat management platform in our new Vulnerability Management Evolution paper. No organization, including the biggest of the big, has enough resources. So you need to make tough choices. Things won’t all be done when they need to be. Some things won’t get done at all. So how do you choose? Unfortunately most organizations don’t choose at all. They do whatever is next on the list, without much rhyme or reason determining where things land on it. It’s the path of least resistance for a tactically oriented environment. Oil the squeakiest wheel. Keep your job. It’s all very understandable, but not very effective. Optimally, resources are allocated and priorities set based on their value to the business. In a security context, that means the next thing done should reduce the most risk to your organization. We would like to thank all our sponsors for supporting our research, including nCircle, Qualys, Rapid7, and Tenable. As long as compliance is in play you will need to scan for vulnerabilities. At least make use of a more functional platform to do that and more. Download: Vulnerability Management Evolution Attachments Securosis-Vulnerability-Management-Evolution_FINAL-multi.pdf [462KB] Share:

Most organizations focus on the attackers out there – which means they may miss attackers who have the credentials and knowledge to do real damage. These are “privileged users”, and far too many organizations don’t do enough to protect themselves from that group. By the way – this doesn’t necessarily require a malicious insider. It is very possible (if not plausible) that a privileged user’s device might gets compromised, giving an attacker access to the administrator’s credentials. A bad day all around. So we wrote a paper called Watching the Watchers: Guarding the Keys to the Kingdom describing the problem and offering ideas for solutions. A compromised P-user can cause all sorts of damage and so needs to be actively managed. Let’s now talk about solutions. Most analysts favor models to describe things, and we call ours the Privileged User Lifecycle. But pretty as the lifecycle diagram is, first let’s scope it to define beginning and ending points. Our lifecycle starts when the privileged user receives escalated privileges, and ends when they are no longer privileged or leave the organization, whichever comes first. We would like to thank Xceedium for sponsoring this research. Check the paper out – we think it’s a great overview of an issue every organization faces. At least those with administrators. Download Watching the Watchers: Guarding the Keys to the Kingdom Attachments Securosis_Watching-the-Watchers_FINAL.pdf [497KB] Share:

We know it’s a shock, but your endpoint protection suite isn’t doing a good enough job of blocking malware attacks. So the industry has resorted additional layers of inspection, detection, and even protection to address its shortcomings. One place focus is turning, which is seeing considerable innovation, is the network. We see a new set of devices and enhancements to existing perimeter platforms, focused on detecting and blocking malware. A paragraph from Network-Based Malware Detection: Filling the Gaps of AV says it best: We have been doing anti-virus for years and it hasn’t worked. Malware detection moving forward is about really understanding what the files are doing, and then determining whether that behavior is bad. By leveraging the collective power of the network we can profile bad stuff much more quickly. With the advancement of network security technology we can start to analyze those files before they make their way onto our devices. Can we actually prevent an attack? Under the right circumstances, yes. If you need more detail on what’s in the paper check out its table of contents: We would like to thank Palo Alto Networks for sponsoring this research, and making sure you can read it for a remarkably fair price. Download Network-Based Malware Detection: Filling the Gaps of AV Attachments Securosis_Network-basedMalwareDetection_FINAL.pdf [174KB] Share:

We have been saying for years that you can’t assume your defenses are sufficient to stop a focused and targeted attacker. That’s what React Faster and Better is all about. But say you actually buy into this philosophy: what now? How do you figure out the bad guys are in your house? And more importantly how they got there and what they are doing? The network is your friend because it never lies. Attackers can do about a zillion different things to attack your network, and 99% of them depend on the network in some way. They can’t find another target without using the network to locate it. They can’t attack a target without connecting to it. Furthermore, even if they are able to compromise the ultimate target, the attackers must then exfiltrate the data. So they need the network to move the data. Attackers need the network, pure and simple. Which means they will leave tracks, but you will see them only if you are looking. We’re happy to post this paper based on our Applied Network Security Analysis series. Check out the table of contents: We would like to thank Solera Networks for sponsoring the research. Without our sponsors we couldn’t provide content on the blog for free or post these papers. Download Applied Network Security Analysis: Moving from Data to Information Attachments Securosis_Applied_Network_Security_Analysis-FINAL.pdf [185KB] Share:

“We read the guidance but we don’t know what falls out of scope!” is the universal merchant complaint. “Where are the audit guidelines?” is the second most common criticism. On August 12, 2011, the PCI task force driving the study of tokenization published an “Information Supplement” called the PCI DSS Tokenization Guidelines. The merchant community was less than thrilled. The problem is that the PCI document is sorely lacking in actual guidance. Even the section on “Maximizing PCI DSS Scope Reduction” is a collection of broad security generalizations rather than practical advice. After spending the better part of two weeks on this wishy-washy paper we propose a better title, “Begrudging Acknowledgement of Tokenization Without Guidance”. But we are here to fix that, filling the gaps they left. This is the white paper the PCI Council should have written, addressing merchants’ pressing questions and providing pragmatic advice on how to implement a tokenization solution. The paper is the product of hundreds of hours of research and about a hundred phone calls to various merchants, payment processors, tokenization vendors, and qualified assessors. We make many controversial assertions but we stand by them – we have vetted the content through interviews in discussions with every expert we could reach. And we have subjected our analysis to open scrutiny by the payment community through our Totally Transparent Research process. We include an overview analysis for merchants and auditors, as well as a step by step guide which works through all the PCI DSS requirements which are directly affected when using tokens to replace primary account numbers. We would like to thank Elavon, Liaison, Prime Factors, and Protegrity for sponsoring this research. Download: TokenGuidance-Securosis-Final.pdf Attachments TokenGuidance-Securosis-Final.pdf [1.5MB] Share:

Is it time? Are you waving the white flag? Has your SIEM failed to meet expectations despite significant investment? If you are questioning whether your existing product or service can get the job done, you are not alone. You likely have some battle scars from the difficulty of managing, scaling, and actually doing something useful with SIEM. Given the rapid evolution of SIEM/Log Management offerings – and the evolution of requirements, with new application models and this cloud thing – you should be wondering whether a better, easier, and less expensive solution meets your needs. Security Management 2.0: Time to Replace Your SIEM? takes a brutally candid look at triggers for considering a new security management platform, walks through each aspect of the decision, and presents a process to migrate – if the benefits outweigh the risks. This includes figuring out what your requirements are, whether your existing platform can meets them, and if not how to select a new platform to make sure you don’t make the same mistakes again. Here is the table of contents, so you can get an idea of the depth of the paper. As you can see, it’s pretty comprehensive. We would like to thank Dell Secureworks, Nitro Security, Q1 Labs, and Tenable Network Security for sponsoring the research. Download: Security Management 2.0: Time to Replace Your SIEM? Attachments SecurityManagement2.0_FINAL-Multi.pdf [498KB] Share:

What should you do right now? That’s one of the toughest questions for any security professional to answer. The list is endless, the priorities clear as mud, the risk of compromise ever present. But doing nothing is never the answer. We have been working with practitioners to answer that question for years, and we finally got around to documenting some of our approaches and concepts. That’s what “Fact-Based Network Security: Metrics and the Pursuit of Prioritization” is all about. We spend some time defining ‘risk’, trying to understand the metrics that drive decisions, working to make the process a systematic way to both collect data and make those decisions, and understanding the compliance aspects of the process. Finally we go through a simple scenario that shows the approach in practice. Here’s an excerpt from the introduction, just to whet your appetite a bit: Security programs at most businesses are about as mature as a pimply-faced teenager, which is problematic given the current state of security. Attackers only have to get it right once, and some of them now hack more for Lulz than financial gain. How do you defend against an adversary who is more interested in pantsing you than stealing your stuff? But not all attackers fall into that category. You may also deal with state-sponsored adversaries – with virtually unlimited resources. So you need to choose your activities wisely and optimize every bit of available resource just to stay in the same place. Unfortunately, far too many organizations don’t choose wisely. These organizations treat network security like Whack-a-Mole. Each time a mole pops above the surface, they try to smack it down. Usually that mole squeals loudest, regardless of its actual importance. But this means they spend a large chunk of time trying to satisfy certain people, hoping to get them to stop calling – and unfortunately that is much more about annoyance and persistence than the actual importance of their demands. Sound familiar? Responding to the internal squeaky wheels clearly isn’t a good enough prioritization scheme. Neither is the crystal ball, hocus pocus, or any other unscientific method. Clearly there must be a better way. We would like to thank RedSeal Networks for sponsoring this research. Download: Fact-Based Network Security: Metrics and the Pursuit of Prioritization (PDF) Attachments Securosis_Fact-BasedNetworkSecurity_FINAL.pdf [183KB] Share:

How do you answer the inevitable question “Are we good at security?” If you are like most organizations, you stutter quite a bit and then fall back to either irrelevant numbers (like AV or patch coverage) or a qualitative assessment – “We had 2 incidents last month, down from 5 the prior month prior”. Either way, the answer isn’t what management needs, or deserves. In this paper we focus on security metrics as the foundation, but more importantly on how to leverage a security benchmark to provide a useful basis for comparison. A brief excerpt from the Executive Summary makes the distinction clear: A key aspect of maturing our security programs must be the collection of security metrics and their use to improve operational processes. Even those with broad security metrics programs still have trouble communicating the relative effectiveness of their efforts – largely because they have no point of comparison. Thus when talking about the success/failure of any security program, without an objective reference point senior management has no idea if your results are good. Or bad. Enter the Security Benchmark, which involves comparing your security metrics to a peer group of similar companies. If you can get a fairly broad set of consistent data (both quantitative and qualitative), then compare your numbers to that dataset, you can get a feel for relative performance. Obviously this is very sensitive data, so due care must be exercised when sharing it, but the ability to transcend the current and arbitrary identification of problem areas as ‘red’ (bad), ‘yellow’ (not so bad), or ‘green’ (a bit better) enables us to finally have some clarity on the effectiveness of our security programs. Additionally, the metrics and benchmark data can be harnessed internally to provide objectives and illuminate trends to improve key security operations. Those of you who embrace quantification gain an objective method for making decisions about your security program. This paper makes a case for why and how this should be done. We would like to thank nCircle for sponsoring the research. Download: Security Benchmarking: Going Beyond Metrics (PDF) Attachments Securosis_SecurityBenchmarking_FINAL.pdf [199KB] Share: