Research

Endpoint Security is a pretty broad topic. Most folks associate it with traditional anti-virus or even the newfangled endpoint security suites. In our opinion, looking at the issue just from the perspective of the endpoint agent is myopic. To us, endpoint security is as much a program as anything else. In this paper we discuss endpoint security from a fundamental blocking and tackling perspective. We start with identifying the exposures and prioritizing remediation, then discuss specific security controls (both process and product), and also cover the compliance and incident response aspects. If you are trying to understand how to comprehensively protect your endpoint devices, this paper will provide a great perspective and allow you to put all your defenses into context. We assembled this document from the Endpoint Security Fundamentals series posted to the blog in early April, all compiled together, professionally edited, and prettified. Special thanks to Lumension Security for licensing the report. Download: Endpoint Security Fundamentals (PDF) Attachments Securosis_EndpointSecurityFundamentals_v2.1.pdf [190KB] Share:

This paper includes descriptions of major database encryption and tokenization technologies, a decision tree to help determine which type of encryption is best for you, and example use cases drawn from real world deployments. If you are considering any database encryption or tokenization project, this paper should save you hours of research and architecture development time. Understanding and Selecting a Database Encryption or Tokenization Solution Version 1.0 (PDF, 516KB) You can see the history in the original blog posts, starting with Introduction To Database Encryption – The Reboot! and ending with Database Encryption, Part 7: Wrapping Up. Attachments Securosis_Understanding_DBEncryption.V_.1_.pdf [502KB] Share:

Two of the most common criticisms of Data Loss Prevention (DLP) that comes up in user discussions are a) its complexity and b) the fear of false positives. Security professionals worry that DLP is an expensive widget that will fail to deliver the expected value – turning into yet another black hole of productivity. But when used properly DLP provides rapid assessment and identification of data security issues not available with any other technology. We don’t mean to play down the real complexities you might encounter as you roll out a complete data protection program. Business use of information is itself complicated, and no tool designed to protect that data can simplify or mask the underlying business processes. But there are steps you can take to obtain significant immediate value and security gains without blowing your productivity or wasting important resources. In this paper we highlight the lowest hanging fruit for DLP, refined in conversations with hundreds of DLP users. These aren’t meant to incorporate the entire DLP process, but to show you how to get real and immediate wins before you move on to more complex policies and use cases. Download: Low Hanging Fruit: Quick Wins with Data Loss Prevention Previous Versions: Download: Low Hanging Fruit: Quick Wins with Data Loss Prevention Attachments QuickWins_with_DLP.v.2.pdf [300KB] QuickWins_with_DLP.v_.1_.pdf [285KB] Share:

Our goal with this paper is to help customers cut through the marketing fluff, and spotlight the differentiators between current database assessment platforms and the previous generation of DBA tools. While we discuss the individual functional components that constitute assessment platforms, don’t get scared off by the technical discussions. We also cover business justification and compliance for those who are not responsible for managing databases, but need information from the database to do their jobs. We did our best to address questions that will be posed by the different groups who are interested in database assessment technologies. Database Assessment is distinctly different than other forms of platform and network assessment you may already be familiar with. This is partially due to the complexity of the database itself, and also because assessment provides information to multiple audiences besides the database administrators (DBAs). Databases require specialized skills to manage and secure. As database threats evolve – and as we see a continuing growth of compliance requirements relevant to data and database infrastructure – most admins are reliant on assessment support for specialized security and compliance policies. These topics are outside the core job skills of the average DBA. Assessment tools have evolved into full-fledged enterprise class products that not only address underlying vulnerability and patch management issues; but a complete range of security, compliance, and operational tasks. We are also including a comment area for you to participate with comments, recommendations, and critiques. As we anticipate periodic updates to the content, we recommend that you periodically revisit this section for updates. As always, we research and write the content, and sponsors choose to participate only after the content was made publicly available on the blog. We would like to thank Application Security Inc. (AppSec), Imperva, and Qualys for their sponsorship of this paper. (Version 1.0, February 2010) Understanding and Selecting a Database Assessment Solution (PDF) Attachments Understanding_DB_Assessment_v1.pdf [317KB] Share:

Our goal with this paper is to help customers cut through the marketing fluff, and spotlight the differentiators between current database assessment platforms and the previous generation of DBA tools. While we discuss the individual functional components that constitute assessment platforms, don’t get scared off by the technical discussions. We also cover business justification and compliance for those who are not responsible for managing databases, but need information from the database to do their jobs. We did our best to address questions that will be posed by the different groups who are interested in database assessment technologies. Database Assessment is distinctly different than other forms of platform and network assessment you may already be familiar with. This is partially due to the complexity of the database itself, and also because assessment provides information to multiple audiences besides the database administrators (DBAs). Databases require specialized skills to manage and secure. As database threats evolve – and as we see a continuing growth of compliance requirements relevant to data and database infrastructure – most admins are reliant on assessment support for specialized security and compliance policies. These topics are outside the core job skills of the average DBA. Assessment tools have evolved into full-fledged enterprise class products that not only address underlying vulnerability and patch management issues; but a complete range of security, compliance, and operational tasks. We are also including a comment area for you to participate with comments, recommendations, and critiques. As we anticipate periodic updates to the content, we recommend that you periodically revisit this section for updates. As always, we research and write the content, and sponsors choose to participate only after the content was made publicly available on the blog. We would like to thank Application Security Inc. (AppSec), Imperva, and Qualys for their sponsorship of this paper. (Version 1.0, February 2010) Understanding and Selecting a Database Assessment Solution (PDF) Attachments Understanding_DB_Assessment_v1.pdf [317KB] Share:

This report represents the current findings of the Project Quant open patch management project. The report will be updated as the research continues and we refine the model. Please see the project site for more information. Click here for Version 1.0 of the report, released July 27, 2009 Attachments ProjectQuant.v1_.pdf [1.1MB] Share:

This document includes our analysis of the Project Quant open patch management survey. The survey is an ongoing project, and we will continue to release updated analysis and data as new responses are available. You can participate by clicking this link to take the survey. Click here for the current survey analysis report. We will be releasing the raw results the week of August 3rd once we have time to anonymize the results. We are sorry we couldn’t get them up immediately, but we’re currently deep in preparation for issuing the final report and the Black Hat security conference. Attachments quant-survey-report-072709.pdf [874KB] Share:

Web Application Security is an incredibly difficult undertaking, and one of the papers we are most proud of is this one: Building a Web Application Security Program (attached below). Web Applications not only have many of the same threats and issues as traditional applications, but by their nature, have a whole additional set of issues to worry about as well. They require a different approach and analysis, and we hope that you will follow the use cases and adapt the technologies and process improvements suggested to meet your organizational needs. As the science of web application security is advancing very quickly, and as the attacks against web applications and platforms continues to evolve, our approach and recommendations will change. As we anticipate periodic updates to the content, we recommend that you periodically re-visit this section for alterations and amendments. This pages is provided to allow you a place to participate with comments, recommendations or critiques in the comment fields below. As always, we research and write the content, and sponsors choose to participate only after the content was made publicly available on the blog. We would like to thank Core Security, Imperva and Qualys for their sponsorship of this paper. (Version 1.0, July 2009) Building a Web Application Security Program. (PDF) Attachments WebAppSec_Programv1.pdf [1.3MB] Share: