Research

We have been saying for years that you can’t assume your defenses are sufficient to stop a focused and targeted attacker. That’s what React Faster and Better is all about. But say you actually buy into this philosophy: what now? How do you figure out the bad guys are in your house? And more importantly how they got there and what they are doing? The network is your friend because it never lies. Attackers can do about a zillion different things to attack your network, and 99% of them depend on the network in some way. They can’t find another target without using the network to locate it. They can’t attack a target without connecting to it. Furthermore, even if they are able to compromise the ultimate target, the attackers must then exfiltrate the data. So they need the network to move the data. Attackers need the network, pure and simple. Which means they will leave tracks, but you will see them only if you are looking. We’re happy to post this paper based on our Applied Network Security Analysis series. Check out the table of contents: We would like to thank Solera Networks for sponsoring the research. Without our sponsors we couldn’t provide content on the blog for free or post these papers. Download Applied Network Security Analysis: Moving from Data to Information Attachments Securosis_Applied_Network_Security_Analysis-FINAL.pdf [185KB] Share:

“We read the guidance but we don’t know what falls out of scope!” is the universal merchant complaint. “Where are the audit guidelines?” is the second most common criticism. On August 12, 2011, the PCI task force driving the study of tokenization published an “Information Supplement” called the PCI DSS Tokenization Guidelines. The merchant community was less than thrilled. The problem is that the PCI document is sorely lacking in actual guidance. Even the section on “Maximizing PCI DSS Scope Reduction” is a collection of broad security generalizations rather than practical advice. After spending the better part of two weeks on this wishy-washy paper we propose a better title, “Begrudging Acknowledgement of Tokenization Without Guidance”. But we are here to fix that, filling the gaps they left. This is the white paper the PCI Council should have written, addressing merchants’ pressing questions and providing pragmatic advice on how to implement a tokenization solution. The paper is the product of hundreds of hours of research and about a hundred phone calls to various merchants, payment processors, tokenization vendors, and qualified assessors. We make many controversial assertions but we stand by them – we have vetted the content through interviews in discussions with every expert we could reach. And we have subjected our analysis to open scrutiny by the payment community through our Totally Transparent Research process. We include an overview analysis for merchants and auditors, as well as a step by step guide which works through all the PCI DSS requirements which are directly affected when using tokens to replace primary account numbers. We would like to thank Elavon, Liaison, Prime Factors, and Protegrity for sponsoring this research. Download: TokenGuidance-Securosis-Final.pdf Attachments TokenGuidance-Securosis-Final.pdf [1.5MB] Share:

Is it time? Are you waving the white flag? Has your SIEM failed to meet expectations despite significant investment? If you are questioning whether your existing product or service can get the job done, you are not alone. You likely have some battle scars from the difficulty of managing, scaling, and actually doing something useful with SIEM. Given the rapid evolution of SIEM/Log Management offerings – and the evolution of requirements, with new application models and this cloud thing – you should be wondering whether a better, easier, and less expensive solution meets your needs. Security Management 2.0: Time to Replace Your SIEM? takes a brutally candid look at triggers for considering a new security management platform, walks through each aspect of the decision, and presents a process to migrate – if the benefits outweigh the risks. This includes figuring out what your requirements are, whether your existing platform can meets them, and if not how to select a new platform to make sure you don’t make the same mistakes again. Here is the table of contents, so you can get an idea of the depth of the paper. As you can see, it’s pretty comprehensive. We would like to thank Dell Secureworks, Nitro Security, Q1 Labs, and Tenable Network Security for sponsoring the research. Download: Security Management 2.0: Time to Replace Your SIEM? Attachments SecurityManagement2.0_FINAL-Multi.pdf [498KB] Share:

What should you do right now? That’s one of the toughest questions for any security professional to answer. The list is endless, the priorities clear as mud, the risk of compromise ever present. But doing nothing is never the answer. We have been working with practitioners to answer that question for years, and we finally got around to documenting some of our approaches and concepts. That’s what “Fact-Based Network Security: Metrics and the Pursuit of Prioritization” is all about. We spend some time defining ‘risk’, trying to understand the metrics that drive decisions, working to make the process a systematic way to both collect data and make those decisions, and understanding the compliance aspects of the process. Finally we go through a simple scenario that shows the approach in practice. Here’s an excerpt from the introduction, just to whet your appetite a bit: Security programs at most businesses are about as mature as a pimply-faced teenager, which is problematic given the current state of security. Attackers only have to get it right once, and some of them now hack more for Lulz than financial gain. How do you defend against an adversary who is more interested in pantsing you than stealing your stuff? But not all attackers fall into that category. You may also deal with state-sponsored adversaries – with virtually unlimited resources. So you need to choose your activities wisely and optimize every bit of available resource just to stay in the same place. Unfortunately, far too many organizations don’t choose wisely. These organizations treat network security like Whack-a-Mole. Each time a mole pops above the surface, they try to smack it down. Usually that mole squeals loudest, regardless of its actual importance. But this means they spend a large chunk of time trying to satisfy certain people, hoping to get them to stop calling – and unfortunately that is much more about annoyance and persistence than the actual importance of their demands. Sound familiar? Responding to the internal squeaky wheels clearly isn’t a good enough prioritization scheme. Neither is the crystal ball, hocus pocus, or any other unscientific method. Clearly there must be a better way. We would like to thank RedSeal Networks for sponsoring this research. Download: Fact-Based Network Security: Metrics and the Pursuit of Prioritization (PDF) Attachments Securosis_Fact-BasedNetworkSecurity_FINAL.pdf [183KB] Share:

How do you answer the inevitable question “Are we good at security?” If you are like most organizations, you stutter quite a bit and then fall back to either irrelevant numbers (like AV or patch coverage) or a qualitative assessment – “We had 2 incidents last month, down from 5 the prior month prior”. Either way, the answer isn’t what management needs, or deserves. In this paper we focus on security metrics as the foundation, but more importantly on how to leverage a security benchmark to provide a useful basis for comparison. A brief excerpt from the Executive Summary makes the distinction clear: A key aspect of maturing our security programs must be the collection of security metrics and their use to improve operational processes. Even those with broad security metrics programs still have trouble communicating the relative effectiveness of their efforts – largely because they have no point of comparison. Thus when talking about the success/failure of any security program, without an objective reference point senior management has no idea if your results are good. Or bad. Enter the Security Benchmark, which involves comparing your security metrics to a peer group of similar companies. If you can get a fairly broad set of consistent data (both quantitative and qualitative), then compare your numbers to that dataset, you can get a feel for relative performance. Obviously this is very sensitive data, so due care must be exercised when sharing it, but the ability to transcend the current and arbitrary identification of problem areas as ‘red’ (bad), ‘yellow’ (not so bad), or ‘green’ (a bit better) enables us to finally have some clarity on the effectiveness of our security programs. Additionally, the metrics and benchmark data can be harnessed internally to provide objectives and illuminate trends to improve key security operations. Those of you who embrace quantification gain an objective method for making decisions about your security program. This paper makes a case for why and how this should be done. We would like to thank nCircle for sponsoring the research. Download: Security Benchmarking: Going Beyond Metrics (PDF) Attachments Securosis_SecurityBenchmarking_FINAL.pdf [199KB] Share:

For Database Activity Monitoring, the deployment model directly effects performance, management, cost, and how well the technology serves your requirements. Appliances, software, and virtual appliances are the three basic deployment models for DAM. While many security platforms offer these same deployment models, what you have learned with firewalls or intrusion detection systems does not apply here – DAM is unique in the way it collects, processes, and ultimately manages information. This white paper provides an in-depth analysis of the tradeoffs between appliance, software, and virtual appliance implementations of Database Activity Monitoring. Each model includes particular advantages that make it a perfect fit for some environments, and completely unsuitable for others. Worse, the problems are not always clear until deployed into a production environment. The differences become more pronounced when monitoring virtual servers and cloud services, further clouding complicating direct comparisons. This paper is designed to help you make an informed decision on which model is right for your organization based upon operational, security, and compliance requirements. DAM Software vs. Appliance Tradeoffs paper (PDF) Attachments Appliance_vs_Software-DAM_Tradeoffs.pdf [177KB] Share:

Four years ago, when we initially developed the Data Security Lifecycle, we mentioned a technology we called File Activity Monitoring. At the time we saw it as similar to Database Activity Monitoring, in that it would give us the same insight into file usage as DAM provides for database access. The technology did not actually exist, but it seemed like a very logical next step from DLP and DAM. Over the last couple years the first FAM products have entered the market, and although market demand is nascent, numerous discussions with a variety of organizations show that interest and awareness are growing. FAM addresses a problem which many organizations are now starting to tackle, and the time is right to dig into the technology and learn what it provides, how it works, and what to look for. Understanding and Selecting a File Activity Monitoring Solution (PDF) Special thanks to Imperva for licensing this report. Attachments Understanding_and_Selecting_FAM.v.1.pdf [298KB] Share:

If you don’t already have attackers in your environment you will soon enough, so we have been spending a lot of time with clients figuring out how to respond in this age of APT (Advanced Persistent Threat) attackers and other attacks you have no shot at stopping. You need to detect and respond more effectively. We call this philosophy “React Faster and Better”, and have finally documented and collected our thoughts on the topic. Here are a couple excerpts from the paper to give you a feel for the issue and how we deal with it: Incident response is near and dear to our philosophy of security – it’s impossible to prevent everything (we see examples of this in the press every week), so you must be prepared to respond. The sad fact is that you will be breached. Maybe not today or tomorrow, but it will happen. We have made this point many times before (and it has even happened to us, indirectly). So response is more important than any specific control. But it’s horrifying how unsophisticated most organizations are about response. In this paper we’ll focus on pushing the concepts of incident response past the basics and addressing gaps in how you respond relative to today’s attacks. Dealing with advanced threats requires advanced tools. React Faster and Better is about taking a much broader and more effective approach on dealing with attacks – from what data you collect, to how you trigger higher-quality alerts, to the mechanics of response/escalation, and ultimately to remediation and cleaning activities. This is not your grandpappy’s incident response. To be clear, a lot of these activities are advanced. That’s why we recommend you start with our Incident Response Fundamentals from last year to get your IR team and function in decent shape. Please be advised that we have streamlined the paper a bit from the original blog series, cutting some of the more detailed information on setting up response tiers. We do plan to post the more complete paper at some point over the next couple months, but in the meantime you can refer back to the RFAB index of posts for the full unabridged version. A special thanks to NetWitness for sponsoring the research. Download: React Faster and Better: New Approaches for Advanced Incident Response (PDF) Attachments Securosis-RFAB_FINAL.pdf [199KB] Share:

The Database Security Operations Quant research project – Database Quant for short – was launched to develop an unbiased metrics model to describe the costs of securing database platforms. In the process we developed the most in-depth database security program framework we can find, as well as all the key metrics to measure database security efforts. Our goal is to provide organizations with a tool to better understand the security costs of configuring, monitoring, and managing databases. By capturing quantifiable and precise metrics that describe the daily activities database administrators, auditors, and security professionals, we can better understand the costs associated with security and compliance efforts. Database Quant was developed through independent research and community involvement, to accurately reflect all the substantive efforts that comprise a database security program. Executive Summary (PDF) The Full Report (PDF) Attachments Database_Security_Operations.v.1.pdf [1.1MB] Database_Security_Operations.v.1.pdf [1.1MB] Share:

We all know of the inherent challenges that mobile devices and the need to connect to anything from anywhere present to security professionals. We’ve done some research on how to start securing those mobile devices, and now we have continued broadening that research with a look to a network-centric perspective on these issues. Let’s set the stage for this paper: Everyone loves their iDevices and Androids. The computing power that millions now carry in their pockets would have required a raised floor and a large room full of big iron just 25 years ago. But that’s not the only impact we see from this wave of consumerization, the influx of consumer devices requiring access to corporate networks. Whatever control you thought you had over the devices in the IT environment is gone. End users pick their devices and demand access to critical information within the enterprise. Whether you like it or not. And that’s not all. We also have demands for unfettered access from anywhere in the world at any time of day. And though smart phones are the most visible devices, there are more. We have the ongoing tablet computing invasion (iPad for the win!); and a new generation of workers who demand the ability to choose their computers, mobile devices, and applications. Even better, you aren’t in a position to dictate much of anything moving forward. It’s a great time to be a security professional, right? In this paper, we focus on the network architectures and technologies that can help you protect critical corporate data given that you are required to provide users with access to critical and sensitive information on any device, from anywhere, at any time. A special thanks to ForeScout for sponsoring the research. Download: Network Security in the Age of Any Computing: Risks and Options to Control Mobile, Wireless, and Endpoint Devices Attachments Securosis_NetworkSecurityMobileDevices_FINAL.pdf [453KB] Share: