Securosis

Research

Eliminate Surprises with Security Assurance and Testing

We have always been fans of making sure applications and infrastructure are ready for prime time before letting them loose on the world. It’s important not to just use basic scanner functions either – your adversaries are unlikely to limit their tactics to things you find in an open source scanner. Security Assurance and Testing enables organizations to limit the unpleasant surprises that happen when launching new stuff or upgrading infrastructure. Adversaries continue to innovate and improve their tactics at an alarming rate. They have clear missions, typically involving exfiltrating critical information or impacting the availability of your technology resources. They have the patience and resources to achieve their missions by any means necessary. And it’s your job to make sure deployment of new IT resources doesn’t introduce unnecessary risk. In our Eliminating Surprises with Security Assurance and Testing paper, we talk about the need for a comprehensive process to identify issues – before hackers do it for you. We list a number of critical tactics and programs to test in a consistent and repeatable manner, and finally go through a couple use cases to show how the process would work at both the infrastructure and application levels. To avoid surprise we suggest a security assurance and testing process to ensure the environment is ready to cope with real traffic and real attacks. This goes well beyond what development organizations typically do to ‘test’ their applications, or ops does to ‘test’ their stacks. It also is different from a risk assessment or a manual penetration test. Those “point in time” assessments aren’t necessarily comprehensive. The testers may find a bunch of issues but they will miss some. So remediation decisions are made with incomplete information about the true attack surface of infrastructure and applications. We would like to thank our friends at Ixia for licensing this content. Without the support of our clients, our open research model wouldn’t be possible. Direct Download (PDF): Eliminate Surprises with Security Assurance and Testing Attachments Securosis_SecurityAssuranceTesting_FINAL.pdf [1.0MB] Share:

Share:
Read Post

What CISOs Need to Know about Cloud Computing

One of a CISO’s most difficult challenges is sorting the valuable wheat from the overhyped chaff, and then figuring out what it all means in terms of risk to the organization. There is no shortage of technology or threat trends, and CISOs need to determine which matter and how they impact security. The rise of cloud computing is a legitimate transformation which is fundamentally changing core security practices. Far more than a mere outsourcing model, cloud computing alters the very fabric of our infrastructure, technology consumption, and delivery models. In the long term the cloud and mobile computing are likely to mark a larger shift than the Internet’s apperance. This paper details the critical differences between cloud computing and traditional infrastructure for security professionals, and suggests where to focus security efforts. We show that the cloud doesn’t necessarily increase risks – it shifts them, providing new opportunities for substantial security improvement. There are two versions. The Executive Summary is a two-page overview of the highlights, suitable for passing on to a time-crunched manager. The What CISOs Need to Know About Cloud Computing full report includes the executive summary (formatted differently), followed by the complete paper. We may be biased, but we hope that’s the one you read: Executive Summary: What CISOs Need to Know About Cloud Computing (PDF) Full Report: What CISOs Need to Know About Cloud Computing Special thanks to CloudPassage for licensing this content and making it possible for us to release it for free. Attachments CISO_Cloud_v.1.Complete.pdf [1.7MB] CISO_Cloud_Exec_Summary_v.1.pdf [545KB] Share:

Share:
Read Post

Defending Against Application Denial of Service Attacks

Denial of Service attacks can encompass a number of different tactics, all aimed at impacting the availability of your applications and/or infrastructure. In Defending Against Denial of Service Attacks we described both network-based and application-targeting attacks. In this paper we dig much deeper into application DoS attacks. For good reason – as the paper says: These attacks require knowledge of the application and how to break or game it. They can be far more efficient than just blasting traffic at a network, requiring far fewer attack nodes and less bandwidth. A side benefit of requiring fewer nodes is simplified command and control, allowing more agility in adding new application attacks. Moreover, the attackers often take advantage of legitimate application features, making defense considerably harder. We expect a continued focus on application DoS attacks over time, so we offer both an overview of the common types of attacks you will see and possible mitigations for each one. After reading this paper you should have a clear understanding of how your application availability will be attacked – and more importantly, what you can do about it. We would like to thank our friends at Akamai for licensing this content. Without the support of our clients our open research model wouldn’t be possible. To sum up, here are some thoughts on defense: Defending against AppDoS requires a multi-faceted approach that typically starts with a mechanism to filter attack traffic, either via a web protection service running in the cloud or an on-premise anti-DoS device. The next layer of defense includes operational measures to ensure the application stack is hardened, including timely patching and secure configuration of components. Finally, developers must play their part by optimizing database queries and providing sufficient input validation to make sure the application itself cannot be overwhelmed using legitimate capabilities. Keeping applications up and running requires significant collaboration between development, operations, and security. This ensures not only that sufficient defenses are in place, but also that a well-orchestrated response maintains and/or restores service as quickly as possible. It is not a matter of if but when you are targeted by an Application Denial of Service attack. Direct Download (PDF): Defending Against Application Denial of Service Attacks Attachments Securosis_ApplicationDoS_FINAL.pdf [706KB] Share:

Share:
Read Post

Executive Guide to Pragmatic Network Security Management

Managing network security at scale is not easy, but the organizations that do it best tend to follow a predictable and repeatable pattern. This paper distills those lessons into a pragmatic process designed for larger organizations and those with more complicated networks, such as medium-sized businesses with multiple locations. We don’t claim our process is magical or easy, but it’s certainly easier than any alternatives we are aware of. Even if you only pick out a few tidbits, our process should help you refine and operate your network security more efficiently. This paper for information managers, briefly discusses why network security management can be difficult and highlights the difference between network security management at the program level and managing individual security tools. It details a seven-step pragmatic process to help optimize how you manage network security, especially on large and complex networks. Attachments Pragmatic_Network_Security_Management.pdf [1.0MB] The Executive Guide to Pragmatic Network Security Management (PDF) Share:

Share:
Read Post

Security Awareness Training Evolution

Everyone has an opinion about security awareness training, and most of them are negative. Waste of time! Ineffective! Boring! We have heard them all. And the criticism isn’t wrong – much of the content driving security awareness training is lame. Which is probably the kindest thing we can say about it. But it doesn’t need to be that way. Actually, it cannot remain this way – there is too much at stake. Users remain the lowest-hanging fruit for attackers, and as long as that is the case attackers will continue to target them. Educating users about security is not a panacea, but it can and does help. It’s not like a focus on security awareness training is the flavor of the day for us. We have been talking about the importance of training users for years, as unpopular as it remains. The main argument against security training is that it doesn’t work. That’s just not true. But it doesn’t work for everyone. Like security in general, there is no 100%. Some employees will never get it – mostly because they just don’t care – but they do bring enough value to the organization that no matter what they do (short of a felony) they are sticking around. Then there is everyone else. Maybe it’s 50% of your folks, or perhaps 90%. Regardless of the number of employees who can be influenced by better security training content, wouldn’t it make your life easier if you didn’t have to clean up after them? We have seen training reduce the amount of time spent cleaning up easily avoidable mistakes. The Security Awareness Training Evolution paper discusses how we believe training needs to evolve. It offers ways to improve training content, and ensure the right support and incentives are in place for training to succeed. Here is the table of contents so you can see how the paper breaks down: We would like to thank our friends at PhishMe for licensing this paper. Remember, it is through the generosity of our licensees that you get to read our stuff for this nifty price. Here is another quote from the paper to sum things up: As we have said throughout this paper, employees are clearly the weakest link in your security defenses, so without a plan to actively prepare them for battle you have a low chance of success. It is not about making every employee a security ninja – instead focus on preventing most of them from falling for simplistic attacks. You will still be exploited, but make it harder for attackers so you suffer less frequent compromise. Security-aware employees protect your data more effectively, it’s as simple as that, regardless of what you hear from naysayers. Download: Security Awareness Training Evolution (PDF) Attachments Securosis_SecurityAwarenessTrainingEvolution_FINAL.pdf [288KB] Share:

Share:
Read Post

Firewall Management Essentials

We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. Then you get some religion about more effectively managing these devices. Things are getting more complicated as next-generation functionality brings a need to define and manage application policies; new devices and infrastructure evolution make it difficult to know what is allowed and what isn’t. The issues around managing firewalls can be summed up in an excerpt from our newest paper: Like a closet in your house, if you don’t spend time sorting through old stuff it can become a disorganized mess, with a bunch of things you haven’t used in years and no longer need. This metaphor fits the firewall like a glove, so we decided to get back to our network security roots to document the essentials to automating management of firewalls. We explain the need for a strong automated change management process, the importance of optimizing the rule base, and the benefits of managing access risk. It should serve as a good primer on how to improve the operational excellence of your network security controls. We would like to thank Firemon for licensing the research and supporting what we do. You cannot get rid of firewalls, and if anything their importance is increasing daily. So you might as well get better at managing them, and that’s what this research is all about. Download: Firewall Management Essentials Attachments Securosis_FirewallManagementEssentials_FINAL.pdf [754KB] Share:

Share:
Read Post

A Practical Example of Software Defined Security

A few months back I did a series of posts on how to leverage Amazon EC2, APIs, Chef, and Ruby to improve security over what you can do with traditional infrastructure. I decided to collect these posts together, clean them up, and release them as a standalone paper. Hopefully you find this interesting. I consider this the future of our industry. A Practical Example of Software Defined Security (PDF) Attachments SDS-Practical-Example.pdf [239KB] Share:

Share:
Read Post

Continuous Security Monitoring

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there. Given that you can’t prevent all attacks, you need to ensure you detect attacks as quickly as possible. The concept of continuous monitoring has been gaining momentum, driven by both compliance mandates (notably PCI-DSS) and the US Federal Government’s guidance on Continuous Diagnostics and Mitigation, as a means to move beyond periodic assessment. This makes sense given the speed that attacks can proliferate within your environment. In this paper, Securosis will help you assemble a toolkit (including both technology and process) to implement our definition of Continuous Security Monitoring (CSM) to monitor your information assets to meet a variety of needs in your organization. We discuss what CSM is, how to do it, and the most applicable use cases we have seen in the real world. We end with a step-by-step list of things to do for each use case to make sure your heads don’t explode trying to move forward with a monitoring initiative. We are indebted to all our licensees for supporting our research and broadening our reach, including Qualys, Tenable Network Security, and Tripwire. We don’t expect you to rebalance security spending between protection and detection overnight, but by systematically moving forward with security monitoring and implementing additional use cases over time, you can balance the scales and give yourself a fighting chance to figure out you have been owned – before it’s too late. Download: Continuous Security Monitoring (PDF) Share:

Share:
Read Post

API Gateways: Where Security Enables Innovation

API gateways are an emerging hot spot in IT services. They offer platforms for companies to selectively leverage IT systems for end user use. But well beyond just slapping a web server in front of an app, gateways both facilitate use of an application and protect it. Gateways enable third party developers, outside your organization, to support different use cases in different environments – such as new applications, mobile apps, and service mash-ups – while allowing you to control security, function, and access to data. They provide a glue layer between your systems and the outside world. This research paper describes API gateways in detail, shows how they are deployed, and provides the key information to select and implement a gateway. Here is an except: API gateways enable developers to build cloud, mobile, and social apps on enterprise data, layered over existing IT systems. That said, API gateways are not sexy. They do not generate headlines like cloud, mobile, and big data. But APIs are the convergence point for all these trends and the crux of IT innovation today. We all know cloud services scale almost too well to believe, at prices that seem to good to be true. But APIs are a key part of what makes them so scalable, universal, and cheap. API mashups bring new ways to collaborate and mobile apps provide fundamentally new front ends. We are commoditizing our IT systems into open services! Of course open, API-driven, multi-tenant environments bring new risks with their new potentials. As Netflix security architect Jason Chan says, securing your app on Amazon Cloud is like rock climbing – Amazon gives you a rope and belays you, but you are on the rock face. You are the one at risk. How do you manage that risk? API gateways play a central role in limiting the cloud’s attack surface and centralizing policy enforcement. We would like to thank Intel for licensing this research. We wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without clients licensing our content. If you have comments of questions about this research, please feel free to email us with questions. View Intel’s API Gateway resource center to download the report and view other API related tutorials. Or Download from Securosis: API Gateways, version 1.0. (PDF) Attachments API_Gateways_Enabling_Innovation_FINAL.pdf [1.0MB] Share:

Share:
Read Post

Threat Intelligence for Ecosystem Risk Management

Most folks think the move towards the extended enterprise is very cool. You know, get other organizations to do the stuff your organization isn’t great at. It’s a win/win, right? From a business standpoint, there are clear advantages to building a robust ecosystem that leverages the capabilities of all organizations. But from a security standpoint, the extended enterprise adds a tremendous amount of attack surface. In order to make the extended enterprise work, your business partners need access to your critical information. And that’s where security folks tend to break out in hives. It’s hard enough to protect your networks, servers, and applications while making sure your own employees don’t do anything stupid to leave you exposed. Imagine your risk – based not just on how you protect your information, but also on how well all your business partners protect their information and devices as well. Actually, you don’t need to imagine that – it’s reality. In Threat Intelligence for Ecosystem Risk Management we delve into the risks of the extended enterprise and then present a process to gather information about trading partners to make decisions regarding connectivity and access more fact-based. Many of you are not in positions to build your own capabilities to assess partner networks, but this paper offers perspective on how you would, so when considering external threat intelligence services you will be an educated buyer. Direct Download (PDF): Threat Intelligence for Ecosystem Risk Management We want to thank BitSight Technologies for licensing the content in this paper. The largesse of our licensees enables us to provide our research without cost to you. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.