Research

This paper provides a strategic view of Endpoint Security Management, addressing the complexities caused by malware’s continuing evolution, device sprawl, and mobility/BYOD. The paper focuses on periodic controls that fall under good endpoint hygiene (such as patch and configuration management) and ongoing controls (such as device control and file integrity monitoring) to detect unauthorized activity and prevent it from completing. The crux of our findings involve use of an endpoint security management platform to aggregate the capabilities of these individual controls, providing policy and enforcement leverage to decrease cost of ownership, and increasing the value of endpoint security management. This excerpt says it all: This excerpt says it all: Keeping track of 10,000+ of anything is a management nightmare. With ongoing compliance oversight and evolving security attacks against vulnerable endpoint devices, getting a handle on managing endpoints becomes more important every day. We will not sugarcoat things. Attackers are getting better – and our technologies, processes, and personnel have not kept pace. It is increasingly hard to keep devices protected, so you need to take a different and more creative view of defensive tactics, while ensuring you execute flawlessly – because even the slightest opening provides opportunity for attackers. We thank Lumension Security for licensing this research, and enabling us to distribute it at no cost to readers. Direct Download (PDF): Securosis Endpoint Security Management Buyer’s Guide Share:

Understanding and Selecting Data Masking Solutions, our newest paper, covers use cases, features, and deployment models; it also outlines how masking technologies work. We started the research to understand big changes we saw happening with masking products, with many new customer inquires for use cases not traditionally associated with data masking. We wanted to discuss these changes and share what we see with the community. This work is the result of dozens of conversations with vendors, customers, and security professionals over the last 18 months, discussed openly on the blog during our development process. Our goal has been to ensure the research addresses common questions from both technical and non-technical audiences. We did our best to cover the business applications of masking in a non-technical, jargon-free way. Not everyone who is interested in data security has a black belt in data management or security, so we geared the first third of the paper to problems you can reasonably expect to solve with masking technologies. Those of you interested in the nut and bolts need not fear – we drill into the myriad of technical variables later in the paper. We hope you find it useful! Very few data security technologies can simultaneously protect data while preserving its usefulness. Data is valuable because we use it to support business functions – its value is in use. The more places we can leverage data to make decisions the more valuable it is. But as we have seen over the last decade, data propagation carries serious risks. Credit card numbers, personal information, health care data, and good old-fashioned intellectual property are targets for attackers who steal and profit from other people’s information. To lessen the likelihood of theft, and reduce risks to the business, it’s important to eliminate both unwanted access and unnecessary copies of sensitive data. The challenge is how to accomplish these goals without disrupting business processes and applications. Data masking is a tool that helps you remove risk without breaking the business! Finally, we’d like to thank our sponsors: IBM and Informatica! Attachments UnderstandingMasking_FinalMaster_V3.pdf [1.2MB] Share:

We’ve been spending a lot of time recently doing research on malware, both the tactics of the attackers and understanding the next wave of detection approaches. That’s resulted in a number of reports, including network-based approaches to detect malware at the perimeter, and the Herculean task of decomposing the processes involved in confirming an infection, analyzing the malware, and tracking its proliferation in our Malware Analysis Quant. But those approaches largely didn’t address what’s required to detect malware on the devices themselves, and block the behaviors we know are malicious. So we’ve written up the Evolving Endpoint Malware Detection report to cover how the detection techniques are changing, why it’s important to think about behavior in a new way, and why context is your friend if you want to both keep the attackers at bay and your users from wringing your neck. This excerpt sums up the paper pretty effectively: The good news is that endpoint security vendors recognized their traditional approaches were about as viable as dodo birds a few years back. They have been developing improved approaches – the resulting products have reduced footprints requiring far less computing resources on the device, and are generally decent at detecting simple attacks. But as we have described, simple attacks aren’t the ones to worry about. So we will investigate how endpoint protection will evolve to better detect and hopefully block the current wave of attacks. We would like to thank Trusteer for licensing the content in this paper, and keep in mind that your work is never done. The bad guys (and gals) will continue innovating to steal your data, so your detection techniques will need to evolve as well. Download: Evolving Endpoint Malware Detection (PDF) Share:

Data Loss Prevention (DLP) is one of the farthest reaching tools in the security arsenal. A single DLP platform touches endpoints, network, email servers, web gateways, storage, directory servers, and more. There are more potential integration points than just about any other security tool – with the possible exception of SIEM. And then we need to build policies, define workflow, and implement blocking… all based on nebulous concepts like “customer data” and “intellectual property”. It is no wonder many organizations are intimidated by the prospect of implementing a large DLP deployment. But on our 2010 survey indicates that over 40% of organizations use some form of DLP. Fortunately, implementing and managing DLP isn’t nearly as difficult as many security professionals expect. Over the nearly 10 years we have covered the technology – speaking with hundreds of DLP users – we have collected countless tips, tricks, and techniques for streamlined and effective deployments… which we have compiled into straightforward processes designed to ease the common pain points. Implementing and Managing a Data Loss Prevention Solution (v 1.0) PDF Share:

Understanding and Selecting a Database Security Platform This paper examines business requirements for securing databases; it also discusses how these requirements are addressed by assessment, discovery, monitoring, auditing, and blocking technologies. DSP is the next evolution after Database Activity Monitoring (DAM), integrating several new technologies into a unified platform for compliance and security, which identifies and reports on transactions that fail to meet business best practices. There are a wide variety of ways to collect information in and around relational databases, and still more to analyze and report on those findings, so this research digs into the nuts and bolts to present a comparative analysis of the technology options available – along with how they address end user requirements. This research is recommended for use in conjunction with other application security tools; because many web and traditional applications rely on database technology to store, manage, and report on data – linking compliance and security requirements. by Adrian Lane and Rich Mogull. (Version 2.0, May 2012) Attachments Understanding_and_Selecting_DSP_Final.pdf [699KB] Share:

Understanding and Selecting a Database Security Platform This paper examines business requirements for securing databases; it also discusses how these requirements are addressed by assessment, discovery, monitoring, auditing, and blocking technologies. DSP is the next evolution after Database Activity Monitoring (DAM), integrating several new technologies into a unified platform for compliance and security, which identifies and reports on transactions that fail to meet business best practices. There are a wide variety of ways to collect information in and around relational databases, and still more to analyze and report on those findings, so this research digs into the nuts and bolts to present a comparative analysis of the technology options available – along with how they address end user requirements. This research is recommended for use in conjunction with other application security tools; because many web and traditional applications rely on database technology to store, manage, and report on data – linking compliance and security requirements. by Adrian Lane and Rich Mogull. (Version 2.0, May 2012) Attachments Understanding_and_Selecting_DSP_Final.pdf [699KB] Share:

Organizations have traditionally viewed vulnerability scanners as tactical products, largely commoditized and only valuable around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Although those 100-page reports make auditors smile, as they offer a nice listing of audit deficiencies to address in the findings of fact. But the tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. We document this evolution to a vulnerability/threat management platform in our new Vulnerability Management Evolution paper. No organization, including the biggest of the big, has enough resources. So you need to make tough choices. Things won’t all be done when they need to be. Some things won’t get done at all. So how do you choose? Unfortunately most organizations don’t choose at all. They do whatever is next on the list, without much rhyme or reason determining where things land on it. It’s the path of least resistance for a tactically oriented environment. Oil the squeakiest wheel. Keep your job. It’s all very understandable, but not very effective. Optimally, resources are allocated and priorities set based on their value to the business. In a security context, that means the next thing done should reduce the most risk to your organization. We would like to thank all our sponsors for supporting our research, including nCircle, Qualys, Rapid7, and Tenable. As long as compliance is in play you will need to scan for vulnerabilities. At least make use of a more functional platform to do that and more. Download: Vulnerability Management Evolution Attachments Securosis-Vulnerability-Management-Evolution_FINAL-multi.pdf [462KB] Share:

Most organizations focus on the attackers out there – which means they may miss attackers who have the credentials and knowledge to do real damage. These are “privileged users”, and far too many organizations don’t do enough to protect themselves from that group. By the way – this doesn’t necessarily require a malicious insider. It is very possible (if not plausible) that a privileged user’s device might gets compromised, giving an attacker access to the administrator’s credentials. A bad day all around. So we wrote a paper called Watching the Watchers: Guarding the Keys to the Kingdom describing the problem and offering ideas for solutions. A compromised P-user can cause all sorts of damage and so needs to be actively managed. Let’s now talk about solutions. Most analysts favor models to describe things, and we call ours the Privileged User Lifecycle. But pretty as the lifecycle diagram is, first let’s scope it to define beginning and ending points. Our lifecycle starts when the privileged user receives escalated privileges, and ends when they are no longer privileged or leave the organization, whichever comes first. We would like to thank Xceedium for sponsoring this research. Check the paper out – we think it’s a great overview of an issue every organization faces. At least those with administrators. Download Watching the Watchers: Guarding the Keys to the Kingdom Attachments Securosis_Watching-the-Watchers_FINAL.pdf [497KB] Share:

We know it’s a shock, but your endpoint protection suite isn’t doing a good enough job of blocking malware attacks. So the industry has resorted additional layers of inspection, detection, and even protection to address its shortcomings. One place focus is turning, which is seeing considerable innovation, is the network. We see a new set of devices and enhancements to existing perimeter platforms, focused on detecting and blocking malware. A paragraph from Network-Based Malware Detection: Filling the Gaps of AV says it best: We have been doing anti-virus for years and it hasn’t worked. Malware detection moving forward is about really understanding what the files are doing, and then determining whether that behavior is bad. By leveraging the collective power of the network we can profile bad stuff much more quickly. With the advancement of network security technology we can start to analyze those files before they make their way onto our devices. Can we actually prevent an attack? Under the right circumstances, yes. If you need more detail on what’s in the paper check out its table of contents: We would like to thank Palo Alto Networks for sponsoring this research, and making sure you can read it for a remarkably fair price. Download Network-Based Malware Detection: Filling the Gaps of AV Attachments Securosis_Network-basedMalwareDetection_FINAL.pdf [174KB] Share: