The Endpoint Security Management Buyer’s Guide

This paper provides a strategic view of Endpoint Security Management, addressing the complexities caused by malware’s continuing evolution, device sprawl, and mobility/BYOD. The paper focuses on periodic controls that fall under good endpoint hygiene (such as patch and configuration management) and ongoing controls (such as device control and file integrity monitoring) that detect unauthorized activity and prevent it from completing. The crux of our findings involves using an endpoint security management platform to aggregate the capabilities of these individual controls, providing policy and enforcement leverage that decreases cost of ownership and increases the value of endpoint security management. This excerpt says it all:

Keeping track of 10,000+ of anything is a management nightmare. With ongoing compliance oversight and evolving security attacks against vulnerable endpoint devices, getting a handle on managing endpoints becomes more important every day. We will not sugarcoat things. Attackers are getting better – and our technologies, processes, and personnel have not kept pace. It is increasingly hard to keep devices protected, so you need to take a different and more creative view of defensive tactics, while ensuring you execute flawlessly – because even the slightest opening provides opportunity for attackers.

We thank Lumension Security for licensing this research, and enabling us to distribute it at no cost to readers. Direct Download (PDF): Securosis Endpoint Security Management Buyer’s Guide


Understanding and Selecting Data Masking Solutions

Understanding and Selecting Data Masking Solutions, our newest paper, covers use cases, features, and deployment models; it also outlines how masking technologies work. We started the research to understand big changes we saw happening with masking products, with many new customer inquiries for use cases not traditionally associated with data masking. We wanted to discuss these changes and share what we see with the community. This work is the result of dozens of conversations with vendors, customers, and security professionals over the last 18 months, discussed openly on the blog during our development process. Our goal has been to ensure the research addresses common questions from both technical and non-technical audiences. We did our best to cover the business applications of masking in a non-technical, jargon-free way. Not everyone who is interested in data security has a black belt in data management or security, so we geared the first third of the paper to problems you can reasonably expect to solve with masking technologies. Those of you interested in the nuts and bolts need not fear – we drill into the myriad technical variables later in the paper. We hope you find it useful!

Very few data security technologies can simultaneously protect data while preserving its usefulness. Data is valuable because we use it to support business functions – its value is in use. The more places we can leverage data to make decisions, the more valuable it is. But as we have seen over the last decade, data propagation carries serious risks. Credit card numbers, personal information, health care data, and good old-fashioned intellectual property are targets for attackers who steal and profit from other people’s information. To lessen the likelihood of theft, and reduce risks to the business, it’s important to eliminate both unwanted access and unnecessary copies of sensitive data. The challenge is how to accomplish these goals without disrupting business processes and applications. Data masking is a tool that helps you remove risk without breaking the business!

Finally, we’d like to thank our sponsors: IBM and Informatica! Attachments UnderstandingMasking_FinalMaster_V3.pdf [1.2MB]
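The “protect data while preserving its usefulness” claim above is easiest to see in code. The following is an added example, not code from the paper or from any masking product: it masks a constructed two-table dataset (customers and orders joined on email) with a keyed, deterministic function so the foreign key still joins, keeps card numbers the same length and Luhn-valid so downstream validation does not reject them, and then runs the checks a practitioner would want before handing the masked copy to a test or analytics team. The key, the sample rows, and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Assumed secret for the example. Deterministic masking needs a key so that the
# same input maps to the same output across tables and runs without a lookup
# table; in production it lives in a key manager, not in source.
MASK_KEY = b"example-masking-key-rotate-me"

# Constructed sample data: a customers table and an orders table that share
# the email column as a foreign key. The PANs are standard test numbers.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "pan": "4111111111111111"},
    {"email": "bob@example.com",   "name": "Bob Sample",    "pan": "5500000000000004"},
]
ORDERS = [
    {"order_id": 1001, "email": "alice@example.com", "amount": 42.00},
    {"order_id": 1002, "email": "bob@example.com",   "amount": 19.99},
    {"order_id": 1003, "email": "alice@example.com", "amount": 7.50},
]


def _prf(value: str, label: str) -> bytes:
    """Keyed PRF over (label, value). The label keeps a PAN and an email that
    happen to share text from masking to the same output."""
    msg = label.encode() + b"\x00" + value.encode()
    return hmac.new(MASK_KEY, msg, hashlib.sha256).digest()


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check over a digit string, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Format-preserving mask for a card number: same length, last four digits
    kept for customer-service matching, everything else synthetic, and one
    digit adjusted so the result still passes Luhn."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("not a PAN-shaped value")
    last4 = pan[-4:]
    raw = _prf(pan, "pan")
    synthetic = "".join(str(b % 10) for b in raw[: len(pan) - 5])
    # The adjusted digit sits at an undoubled Luhn position, so some value
    # 0-9 always satisfies the checksum.
    for fix in "0123456789":
        candidate = synthetic + fix + last4
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: an undoubled digit can always fix Luhn")


def mask_email(email: str) -> str:
    """Replace the local part with a PRF-derived token; keep the domain so
    per-domain reporting still works. Drop the domain too if it is sensitive."""
    _local, _, domain = email.partition("@")
    return _prf(email, "email").hex()[:12] + "@" + domain


def mask_name(name: str) -> str:
    """Replace a name with a stable pseudonym derived from the PRF."""
    return "Customer " + str(int.from_bytes(_prf(name, "name")[:4], "big") % 100000)


def mask_dataset(customers, orders):
    """Mask both tables with the same key so the email foreign key still joins."""
    m_customers = [
        {"email": mask_email(c["email"]), "name": mask_name(c["name"]), "pan": mask_pan(c["pan"])}
        for c in customers
    ]
    m_orders = [dict(o, email=mask_email(o["email"])) for o in orders]
    return m_customers, m_orders


def masking_preserves_utility(customers, orders, m_customers, m_orders) -> bool:
    """Acceptance checks: no original identifier survives, PANs still validate
    at the original length, and orders-per-customer has the same shape."""
    originals = {c["email"] for c in customers} | {c["pan"] for c in customers}
    for row in m_customers + m_orders:
        if row["email"] in originals or row.get("pan") in originals:
            return False
    for masked, orig in zip(m_customers, customers):
        if not luhn_valid(masked["pan"]) or len(masked["pan"]) != len(orig["pan"]):
            return False

    def per_customer(cs, os):
        return sorted(sum(1 for o in os if o["email"] == c["email"]) for c in cs)

    return per_customer(customers, orders) == per_customer(m_customers, m_orders)


if __name__ == "__main__":
    mc, mo = mask_dataset(CUSTOMERS, ORDERS)
    print(mc, mo, masking_preserves_utility(CUSTOMERS, ORDERS, mc, mo))
```

The caveat a practitioner should keep in mind: deterministic masking is what makes joins survive, but it also means identical inputs produce identical outputs, so frequency analysis against a masked copy is still possible, and anyone holding the key can recompute masks. Treat the key as you would a tokenization key, and prefer a non-deterministic mask wherever referential integrity is not actually needed.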


Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks

We’ve been spending a lot of time recently doing research on malware, both on the tactics of the attackers and on understanding the next wave of detection approaches. That has resulted in a number of reports, including network-based approaches to detect malware at the perimeter, and the Herculean task of decomposing the processes involved in confirming an infection, analyzing the malware, and tracking its proliferation in our Malware Analysis Quant. But those approaches largely didn’t address what’s required to detect malware on the devices themselves, and to block the behaviors we know are malicious. So we’ve written the Evolving Endpoint Malware Detection report to cover how detection techniques are changing, why it’s important to think about behavior in a new way, and why context is your friend if you want both to keep the attackers at bay and to keep your users from wringing your neck. This excerpt sums up the paper pretty effectively:

The good news is that endpoint security vendors recognized their traditional approaches were about as viable as dodo birds a few years back. They have been developing improved approaches – the resulting products have reduced footprints requiring far less computing resources on the device, and are generally decent at detecting simple attacks. But as we have described, simple attacks aren’t the ones to worry about. So we will investigate how endpoint protection will evolve to better detect and hopefully block the current wave of attacks.

We would like to thank Trusteer for licensing the content in this paper, and keep in mind that your work is never done. The bad guys (and gals) will continue innovating to steal your data, so your detection techniques will need to evolve as well. Download: Evolving Endpoint Malware Detection (PDF)


Implementing and Managing a Data Loss Prevention Solution

Data Loss Prevention (DLP) is one of the farthest-reaching tools in the security arsenal. A single DLP platform touches endpoints, network, email servers, web gateways, storage, directory servers, and more. There are more potential integration points than for just about any other security tool – with the possible exception of SIEM. And then we need to build policies, define workflow, and implement blocking… all based on nebulous concepts like “customer data” and “intellectual property”. It is no wonder many organizations are intimidated by the prospect of implementing a large DLP deployment. Yet our 2010 survey indicates that over 40% of organizations use some form of DLP. Fortunately, implementing and managing DLP isn’t nearly as difficult as many security professionals expect. Over the nearly 10 years we have covered the technology – speaking with hundreds of DLP users – we have collected countless tips, tricks, and techniques for streamlined and effective deployments… which we have compiled into straightforward processes designed to ease the common pain points. Implementing and Managing a Data Loss Prevention Solution (v 1.0) PDF


Understanding and Selecting a Database Security Platform

This paper examines business requirements for securing databases; it also discusses how these requirements are addressed by assessment, discovery, monitoring, auditing, and blocking technologies. DSP is the next evolution after Database Activity Monitoring (DAM), integrating several new technologies into a unified platform for compliance and security, which identifies and reports on transactions that fail to meet business best practices. There are a wide variety of ways to collect information in and around relational databases, and still more to analyze and report on those findings, so this research digs into the nuts and bolts to present a comparative analysis of the technology options available – along with how they address end user requirements. This research is recommended for use in conjunction with other application security tools, because many web and traditional applications rely on database technology to store, manage, and report on data – linking compliance and security requirements. By Adrian Lane and Rich Mogull. (Version 2.0, May 2012) Attachments Understanding_and_Selecting_DSP_Final.pdf [699KB]


Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform

Organizations have traditionally viewed vulnerability scanners as tactical products, largely commoditized and only valuable around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Those 100-page reports do make auditors smile, as they offer a tidy list of audit deficiencies to address in the findings of fact. But the tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. We document this evolution to a vulnerability/threat management platform in our new Vulnerability Management Evolution paper.

No organization, including the biggest of the big, has enough resources. So you need to make tough choices. Things won’t all be done when they need to be. Some things won’t get done at all. So how do you choose? Unfortunately most organizations don’t choose at all. They do whatever is next on the list, without much rhyme or reason determining where things land on it. It’s the path of least resistance for a tactically oriented environment. Oil the squeakiest wheel. Keep your job. It’s all very understandable, but not very effective. Optimally, resources are allocated and priorities set based on their value to the business. In a security context, that means the next thing done should reduce the most risk to your organization.

We would like to thank all our sponsors for supporting our research, including nCircle, Qualys, Rapid7, and Tenable. As long as compliance is in play you will need to scan for vulnerabilities. At least make use of a more functional platform to do that and more. Download: Vulnerability Management Evolution Attachments Securosis-Vulnerability-Management-Evolution_FINAL-multi.pdf [462KB]


Watching the Watchers: Guarding the Keys to the Kingdom (Privileged User Management)

Most organizations focus on the attackers out there – which means they may miss attackers who already have the credentials and knowledge to do real damage. These are “privileged users”, and far too many organizations don’t do enough to protect themselves from that group. By the way – this doesn’t necessarily require a malicious insider. It is entirely plausible that a privileged user’s device gets compromised, giving an attacker access to the administrator’s credentials. A bad day all around. So we wrote a paper called Watching the Watchers: Guarding the Keys to the Kingdom describing the problem and offering ideas for solutions.

A compromised privileged user can cause all sorts of damage and so needs to be actively managed. Let’s now talk about solutions. Most analysts favor models to describe things, and we call ours the Privileged User Lifecycle. But pretty as the lifecycle diagram is, first let’s scope it to define beginning and ending points. Our lifecycle starts when the privileged user receives escalated privileges, and ends when they are no longer privileged or leave the organization, whichever comes first.

We would like to thank Xceedium for sponsoring this research. Check the paper out – we think it’s a great overview of an issue every organization faces. At least those with administrators. Download Watching the Watchers: Guarding the Keys to the Kingdom Attachments Securosis_Watching-the-Watchers_FINAL.pdf [497KB]


Network-Based Malware Detection: Filling the Gaps of AV

We know it’s a shock, but your endpoint protection suite isn’t doing a good enough job of blocking malware attacks. So the industry has resorted to additional layers of inspection, detection, and even protection to address its shortcomings. One place where attention is turning, and where we see considerable innovation, is the network. We see a new set of devices and enhancements to existing perimeter platforms, focused on detecting and blocking malware. A paragraph from Network-Based Malware Detection: Filling the Gaps of AV says it best:

We have been doing anti-virus for years and it hasn’t worked. Malware detection moving forward is about really understanding what the files are doing, and then determining whether that behavior is bad. By leveraging the collective power of the network we can profile bad stuff much more quickly. With the advancement of network security technology we can start to analyze those files before they make their way onto our devices. Can we actually prevent an attack? Under the right circumstances, yes.

If you need more detail on what’s in the paper, check out its table of contents. We would like to thank Palo Alto Networks for sponsoring this research, and making sure you can read it for a remarkably fair price. Download Network-Based Malware Detection: Filling the Gaps of AV Attachments Securosis_Network-basedMalwareDetection_FINAL.pdf [174KB]


Tokenization Guidance Analysis: Jan 2012

Our analysis of the PCI Council’s Tokenization Information Supplement. Tokenization Guidance (PDF) Attachments TokenizationGuidanceAnalysis_Jan_2012.pdf [1.1MB]


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context or contrast, or to make a point (which is very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.