Securosis

Research

Using RSA

The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan. Share:

Share:
Read Post

Endpoint Defense: Essential Practices

We’ve seen a renaissance of sorts regarding endpoint security. To be clear, most of solutions in the market aren’t good enough. Attackers don’t have to be advanced to make quick work of the endpoint protection suites in place. That realization has created a wave of innovation on the endpoint that promises to provide a better chance to prevent and detect attacks. But the reality is far too many organizations can’t even get the fundamentals of endpoint security. But the fact remains that many organizations are not even prepared to deal with unsophisticated attackers. You know, that dude in the basement banging on your stuff with Metasploit. Those organizations don’t really need advanced security now – their requirements are more basic. It’s about understanding what really needs to get done – not the hot topic at industry conferences. They cannot do everything to fully protect endpoints, so they need to start with essentials. In our Endpoint Defense: Essential Practices paper, we focus on what needs to be done to address the main areas of attack surface. We cover both endpoint hygiene and threat management, making clear what should be a priority and what should not. It’s always useful to get back to basics sometimes, and this paper provides a way to do that for your endpoints. We would like to thank Viewfinity for licensing the content in this paper. Our licensees allows us to provide our research for no cost and still pay our mortgages, so we should all thank them. Download: Endpoint Defense: Essential Practices (PDF) Share:

Share:
Read Post

Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications

Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is “compliance, cloud, and covert affairs”. Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments). Thanks to increasing demand we have a growing range of options, as vendors and even free and Open Source tools address this opportunity. We have never had more choice, but with choice comes complexity – and outside your friendly local sales representative, guidance can be hard to come by. For example, given a single application collecting an account number from each customer, you could encrypt it in any of several different places: the application, the database, or storage – or use tokenization instead. The data is encrypted (or substituted), but each place you might encrypt raises different concerns. What threats are you protecting against? What is the performance overhead? How are keys managed? Does it all meet compliance requirements? This paper cuts through the confusion to help you pick the best encryption options for your projects. In case you couldn’t guess from the title, our focus is on encrypting in the data center: applications, servers, databases, and storage. Heck, we will even cover cloud computing (IaaS: Infrastructure as a Service), although we covered it in depth in another paper. We will also cover tokenization and discuss its relationship with encryption. We would like to thank Vormetric for licensing this paper, which enables us to release it for free. As always, the content is completely independent and was created in a series of blog posts (and posted on GitHub) for public comment. Download the full paper. Share:

Share:
Read Post

Cyber Cash Cow

Last week we saw a security company hit the $2.4B valuation level. Yes, that’s a ‘B’, as in billion. This week we dig into the changing role of money and investment in our industry, and what it might mean. We like to pretend keeping our heads down and focusing on defense and tech is all that matters, but practically speaking we need to keep half an eye on the market around us. It not only affects the tools at our disposal, but influences the entire course of our profession. Share:

Share:
Read Post

Cyber vs. Terror (yeah, we went there)

Last week the US Director of National Intelligence said cyberattacks are a greater risk than terrorism. This week we debate what that means, and whether terminology is getting so muddled that it becomes meaningless. Plus we rip into Rich’s post claiming security people need to stop thinking of themselves as warriors, and start thinking like spies. Share:

Share:
Read Post

Cyber!!!

Last week President Obama held a cybersecurity summit out in the Bay Area. He issued a new executive order and is standing up a new threat sharing center. This is in response to ongoing massive attacks such as the Anthem breach and (as we heard this weekend) hundreds of millions stolen in bank thefts. But what does it all mean to security pros and the industry? The truth is, not much in our day-to-day (yet), but you certainly had better pay attention.   Share:

Share:
Read Post

It’s Not My Fault!

Rich, Mike, and Adrian each pick a trend they expect to hammer us in 2015. Then they talk about it, probably too much. From threat intel to tokenization to SaaS security. And oh, we did have to start with a dig at the Pats. Cheating? Super Bowl? Really? Come on now. Share:

Share:
Read Post

Security and Privacy on the Encrypted Network

We have been writing extensively about the disruption currently hitting security, driven by cloud computing and mobility. Our Inflection: The Future of Security research directly addresses the lack of visibility caused by these macro trends. At the same time great automation and orchestration promise to enable security to scale to the cloud, in terms of both scale and speed. Meanwhile each day’s breach du jour in the mass media keeps security topics at the forefront, highlighting the importance of protecting critical information. These trends mean organizations have no choice but to encrypt more traffic on their networks. Encrypting the network prevents adversaries from sniffing traffic to steal credentials and ensures data moving outside the organization is protected from man-in-the-middle attacks. So we expect to see a much greater percentage of both internal and external network traffic to be encrypted over the next 2-3 years. Our Security and Privacy on the Encrypted Network paper tackles setting security policies to ensure that data doesn’t leak out over encrypted tunnels, and that employees adhere to corporate acceptable use policies, by decrypting traffic as needed. It also addresses key use cases and strategies for decrypting network traffic, including security monitoring and forensics, to ensure you can properly alert on security events and investigate incidents. We included guidance on how to handle human resources and compliance issues because increasing fraction of network traffic is encrypted. We would like to thank Blue Coat for licensing the content in this paper. Without our licensees you’d be paying Big Research big money to get a fraction of the stuff we publish, free. Download: Security and Privacy on the Encrypted Network (PDF) Share:

Share:
Read Post

2015 Trends

Rich, Mike, and Adrian each pick a trend they expect to hammer us in 2015. Then we talk about it, probably too much. From threat intel to tokenization to SaaS security. And oh, we did have to start with a dig on the Pats. Cheating? Super Bowl? Really? Come on now. Share:

Share:
Read Post

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

This cloud thing is going to have major repercussions on how you protect technology assets over time. But what does that even mean? We start this paper by defining how and why the cloud is different, and then outline a number of trends we expect to come to fruition as described in our The Future of Security paper. Then we look at how security monitoring functions need to evolve, as an increasing amount of technology infrastructure runs in the cloud. An excerpt from the introduction sums this up nicely. As the mega-trends of mobility and cloud computing collide, security folks find themselves caught in the middle. The techniques used to monitor devices and infrastructure no longer work. There are no tap points, and it is often prohibitively inefficient to route cloud traffic through inspection choke points. Security monitoring needs to change fundamentally to stay relevant – even viable – in this cloud age. Although the industry isn’t going to shut down all of our data centers overnight. Not everything is moving whole hog into the private cloud or over to a SaaS-based service. So you will need to exist in purgatory between traditional data center technologies and cloud computing for a while. Thus you need to revisit your active controls and your security monitoring functions. Monitoring the Hybrid Cloud: Evolving to the CloudSOC describes and assesses the new cloud use cases you need to factor into your security monitoring strategy, and discusses emerging technologies which can help you cope. Finally we will discuss coexistence and migration to a system to monitor the hybrid cloud because the existing stuff will be around for a while. We would like to thank IBM Security for licensing the content. Without our licensees you would be paying a king’s ransom to read our research. Download: Monitoring the Hybrid Cloud: Evolving to the CloudSOC Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.