Securosis

Research

Get Your Marshmallows

Last week we learned that not only did Symantec mess up managing their root SSL certificates, but they also botched their audit so bad Google may remove them from Chrome and other products. This is just one example in a long history of security companies failing to practice what they preach. From poor code development practices to weak internal controls, the only new thing in this instance is the combination of getting caught, potential consequences, and a lack of wiggle room. Share:

Share:
Read Post

re:Invent Yourself (or else)

A bit over a week ago we were all out at Amazon’s big cloud conference, which is now up to 19,000 attendees. Once again it got us thinking as to how quickly the world is changing, and the impact it will have on our profession. Now that big companies are rapidly adopting public cloud (and they are), that change is going to hit even faster than ever before. In this episode the Securosis team lays out some of what that means, and how now is the time to get on board. Share:

Share:
Read Post

Pragmatic Security for Cloud and Hybrid Networks

One of the bigger issues when migrating to the cloud is translating and extending your existing security controls, especially our old friend, network security. While cloud networking may resemble what we are used to, under the covers it behaves, and is managed, very differently. Over the last few decades we have been refining our approach to network security. Find the boxes, find the wires connecting them, drop a few security boxes between them in the right spots, and move on. Sure, we continue to advance the state of the art in exactly what those security boxes do, and we constantly improve how we design networks and plug everything together, but overall change has been incremental. How we think about network security doesn’t change – just some of the particulars. Until you move to the cloud. While many of the fundamentals still apply, cloud computing releases us from the physical limitations of those boxes and wires by fully abstracting the network from the underlying resources. We move into entirely virtual networks, controlled by software and APIs, with very different rules. Things may look the same on the surface, but dig a little deeper and you quickly realize that network security for cloud computing requires a different mindset, different tools, and new fundamentals. Many of which change every time you switch cloud providers. This report walks you through these differences, and includes specific examples from major cloud providers to show you what it looks like in the real world. Our thanks to Algosec for licensing the research so we can offer it for free. Pragmatic Security for Cloud and Hybrid Networks (pdf) Share:

Share:
Read Post

EMV Migration and the Changing Payments Landscape

October 2015 is the deadline for merchants to adopt EMV-compliant credit card terminals, in exchange for a liability waiver for fraudulent card present transactions. Explaining the EMV shift and payment security is difficult – there is a great deal of confusion about what the shift means, what security it really delivers, and whether it actually offers real benefits for merchants. Part of the problem is that the card brands have chosen to focus all their marketing on a single oversimplified value statement: the liability shift for card present transactions through non-EMV-compliant terminals. But digging into the specifications and working through the rollout process reveals a much larger change underway, with much broader ramifications. Unfortunately the press has failed to realize these implications, so the conversation has focused on liability, and lost sight of what else is going on. We produced this research paper to explain the additional changes underlying the EMV shift, its full impact on merchant security and operations, and where the shift will take the payment ecosystem. The real story is both simpler and more interesting than its coverage to date. Download here Ultimately every paper we write at Securosis has the same core goal: to help security practitioners get their jobs done. It’s what we do. This paper is mostly for those at merchant sites struggling with the rollout and issues it creates. At the end of the paper we offer recommendations for practitioners of EMV and mobile payment; including whether they should adopt EMV terminals and practical considerations to protect themselves from new attack vectors if they do. As always, if you have questions or additional material to add, feel free to post a comment. EMV and the Changing Payment Landscape: download here. Share:

Share:
Read Post

Network-based Threat Detection

The more things change, the more they stay the same. We have been talking about Reacting Faster and Better for years and we will continue to do so, because trying to prevent every attack is and will remain futile. The best path forward is to continue advancing the ability to prevent attacks, while spending as much time on detecting attacks that successfully compromise your defenses. This detection-centric view of the world has been a central theme in our research; it highlights a variety of areas to focus on – including the network, endpoints, and applications. We know many organizations have already spent a bunch of money on detection – particularly intrusion detection, its big brother intrusion prevention, and SIEM. But these techniques haven’t worked effectively either, so now is time to approach the issue with fresh eyes. By taking a new forward look at detection, not from the standpoint of what we have already done and implemented (IDS and SIEM), but instead in terms of what we need to do to isolate and identify adversary activity, we will be able to look at the kinds of technologies needed right now to deal with modern attacks. Times have changed and attackers have advanced, so our detection techniques need to evolve as well. In our Network-based Threat Detection paper, we focus on what kinds of indicators make the most sense to look for on the network, how to prioritize what you find, and then steps to operationalize the process to make detection consistent and reliable. We would like to thank our licensees (in alphabetical order), Damballa, Niara, and Vectra Networks. Our unique licensing model enables us to perform impactful and objective research and still pay our bills, so please thank them too. Download: Network-based Threat Detection (PDF) Share:

Share:
Read Post

Applied Threat Intelligence

Threat Intelligence remains one of the hottest areas in security. With its promise to help organizations take advantage of information sharing, early results have been encouraging. We have researched Threat Intelligence deeply; focusing on where to get TI and the differences between gathering data from networks, endpoints, and general Internet sources. But we come back to the fact that having data is not enough – not now and not in the future. It is easy to buy data but hard to take full advantage of it. Knowing what attacks may be coming at you doesn’t help if your security operations functions cannot detect the patterns, block the attacks, or use the data to investigate possible compromise. Without those capabilities it’s all just more useless data, and you already have plenty of that. Our Applied Threat Intelligence paper focuses on how to actually use intelligence to solve three common use cases: preventative controls, security monitoring, and incident response. We start with a discussion of what TI is and isn’t, where to get it, and what you need to deal with specific adversaries. Then we dive into use cases. We would like to thank Intel Security for licensing the content in this paper. Our licensees enable us to provide our research at no cost and still pay our mortgages, so we should all thank them. Download: Applied Threat Intelligence (PDF) Share:

Share:
Read Post

MAD Karma

Way back in 2004 Rich wrote an article over at Gartner on the serious issues plaguing Oracle product security (the original piece is long down, but here is an article based on it). It lead to a moderately serious political showdown, Rich flying out to meet with Oracle execs, and, eventually, their move to a quarterly patch update cycle (due to the botched patch, not Rich’s article). This week, Oracle’s 25-year veteran CISO Mary Ann Davidson published a blog post decrying customer security assessments of their products. Actually, let me rephrase, she pretty much threatened them with legal action for evaluating Oracle products using tools that look at the application code. Then she belittled security research in general, informed everyone to trust them since they find nearly all the bugs anyway (not that they seem to patch them in a timely fashion), and… you get it. Then, and this is the best part, Oracle pulls the post and basically issued an apology. Which, like, never happens. Thus you probably don’t need us to tell you what this Firestarter is about. The short version is the attitudes and positions expressed in that post are very much in line with Rich’s experiences with the organization, and Mary Ann, over a decade ago. Yeah, this is a fun one. Share:

Share:
Read Post

Living with the OPM Hack

And yep, thanks to his altruistic streak even Rich is affected. We don’t spend much time on blame or the history of it, but more the personal impact. How do you move on once you know much of your most personal information is now out there, you don’t know who has it, and you don’t know how they might want to use it? Share:

Share:
Read Post

We Don’t Know Sh—. You Don’t Know Sh—.

Once again we have a major security story slumming in the headlines. This time it’s Hackers on a Plane, without all the Samuel L goodness. But what’s the real story? It’s time to face the reality that the only people who know are the ones who aren’t talking, and everything else you hear is most certainly wrong Share:

Share:
Read Post

RSAC wrap-up. Same as it ever was.

Do bigger numbers mean we are any better than last year? And how can we possibly balance being an industry, community, and profession simultaneously? Not that we answer any of that, but we can at least keep you entertained for 13 minutes. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.