Yes, people, the disclosure debate is still alive and kicking. But now it is basically a pissing match between two of the largest tech companies. With Google setting rigid deadlines, and Microsoft stuck on their rigid schedule, who will win? Grab the popcorn as we talk about egos, internal inconsistencies, and why putting the user first is so damn hard. Share:
Amazon Web Services is one of the most secure public cloud platforms available, with deep datacenter security and many user-accessible security features. Building your own secure services on AWS requires properly using what AWS offers, and adding additional controls to fill the gaps. Never forget that you are still responsible for everything you deploy on top of AWS, and for properly configuring AWS security features. AWS is fundamentally different from a virtual datacenter (private cloud), and understanding these differences is key for effective cloud security. This paper covers the foundational best practices to get you started and help focus your efforts, but these are just the beginning of a comprehensive cloud security strategy. You can download the paper here: Security Best Practices for Amazon Web Services (PDF) Special thanks to AlienVault for licensing this content so we can release it for free. Share:
In our last Firestarter for this year, Mike, Adrian, and I take on some of the latest security predictions for 2015. Needless to say, we aren’t impressed. We do, however, close out with some trends we are seeing which are likely to play out next year, and are MOST DEFINITELY NOT PREDICTIONS. One warning: despite a lack of Guinness, we use some bad words, so let’s just brand this NSFW. Unless your workplace is like ours – then go for it. Lastly, here are links to the predictions we called out (the only ones we found – feel free to mention more in the comments): Websense. Which we didn’t read because you need to register to see them. Trend Micro. Home of the legal disclaimer in case you get hacked after believing their predictions. Kaspersky. A hard one to rip because we have friends there. Netwrix. Yeah, we don’t know who they are either. Vormetric. Another company we like, but we haz to play fair. My 2011 security predictions. I keep renewing them every year, without change. Still mostly holding up – I estimate I hit 70-80% accuracy for 2014. Share:
SSLmageddon V12. Polar Vortices. Ebola. APT123. We live in an era when every week it seems some massive new vulnerability, exploit, or attack is going to take down society. This week Rich, Mike, and Adrian tackle the endless progression of bad news; and how to maintain focus when everyone wants you to save the children. As a side note, if you haven’t seen or read about #feministhackerbarbie on Twitter… oh my, you need to. Share:
If you’ve followed this blog for any length of time, you know we have talked about the troubles of integrating security testing and secure code development practices into and Agile development process. Security is trying to manage risks to the organization, including risks introduced by new technologies such as code. Development teams try to deliver quality code faster, which means jettisoning things that slow them down. Both want customers to be happy and deliver new products and services, but underlying goals of risk reduction and maximized efficiency do not inherently mesh, causing friction. This research paper was conceived as a way to help security people understand and better work with development. We explain what development teams are trying to do, how they want to work, and offer pragmatic advice to help mesh the goals of both organizations into a unified process. And on this topic, we really wanted to give back to the community! We’ve included much of what we have learned with secure code development over the last two decades, as well as things we’ve learned from other development teams, CISOs and security vendors, to provide a simple guide on how to promote security in Agile software development teams. We are also proud to announce that Vercode has licensed this content. It’s not every day that a vendor will back a research paper that does not promote or demystify a product category, but it’s an area we felt security — and developers — could use information on. As this research is geared toward helping CISOs and others build a process, it’s decidedly non-product focused, so we are grateful for Veracode’s help in supporting our efforts to bring this research to you. As always, if you have questions or comments, please contact us at info at Securosis with the ‘dot com’ extension, or simply comment on the blog. You can download the paper here Share:
It’s all about the data. You want to make data useful by making it available to users and applications which can leverage it into actionable information. You share data between applications, partners, and analytics systems to derive the greatest business intelligence value possible. But what do you do when you cannot guarantee the security of those systems? How can you protect information regardless of where it moves? One approach is called Data Centric Security, and it is designed to protect data instead of infrastructure. Here is an except from our paper: This is what Data Centric Security (DCS) does: focus security controls on data rather than servers or supporting infrastructure. This approach secures data wherever it moves. The challenge is to implement security controls that do not render it inert. Put another way, you want to derive value from data without leaving it exposed. Sure, we could encrypt everything, but you generally cannot analyze encrypted data. Nor can you expect to securely distribute key management and decryption capabilities everywhere data moves. But you can enable data to be protected everywhere without exposing sensitive information. This research delves into what Data Centric Security is, the challenges it addresses, and the technologies used to support customer use cases. We hope you find this research useful, and see DCS as an alternative to traditional infrastructure security. We would like to thank Intel Services for licensing this research and supporting our Securosis Totally Transparent Research process. Download Trends In Data Centric Security (PDF). Share:
Adrian is out, so Rich and Mike cover the latest Amazon Web Services news as their big re:Invent conference closes in. We start with the new Frankfurt datacenter, and how a court case involving Microsoft could kill off the future of all US-based cloud companies (it’s always the little things). Then we discuss directory services in the cloud, and how this indicates increasing cloud adoption and maturity at a pace we really haven’t ever seen before. Share:
Mike, Adrian, and I start off a little rough around the edges, but eventually get to the point. Travel is taking its toll so we won’t be able to keep our usual weekly schedule, but we will stay as close as possible – until I run off to Amsterdam for a week, for Black Hat Europe. We catch up on the inane for a few minutes, before jumping into a discussion of the bash vulnerability and disclosure debacle. We agree it is often valuable to analyze an event after the initial shock waves (See what I did there? Shellshock? Shock waves?). Today we focus on the deeper implications and how the heck a disclosure could be so bungled. Plus a little advice on where to focus your patching efforts. Share:
We continue to investigate the practical uses of threat intelligence (TI) within your security program. After tackling how to Leverage Threat Intel in Security Monitoring, now we turn our attention to Incident Response and Management. In this paper, we go into depth on how your existing incident response and management processes can (and should) integrate adversary analysis and other threat intelligence sources to help narrow down the scope of your investigation. We’ve also put together a snappy process map depicting how IR/M looks when you factor in external data as well. To really respond faster you need to streamline investigations and make the most of your resources. That starts with an understanding of what information would interest attackers. From there you can identify potential adversaries and gather threat intelligence to anticipate their targets and tactics. With that information you can protect yourself, monitor for indicators of compromise, and streamline your response when an attack is (inevitably) successful. You will have incidents. If you can respond to them faster and more effectively, that’s a good thing right? We believe integrating Threat Intel into the IR process is a way to do that. We’d like to thank Cisco, Bit9+Carbon Black, and Intel Security/McAfee for licensing the content in this paper. We’re grateful that our clients see the value of supporting objective research to educate the industry. Without the forward looking organizations, you’d be on your own… or paying up to get behind the paywall of big research. Download Leveraging Threat Intelligence in Incident Response/Management (PDF) Share:
This research paper provides a detailed approach for effectively deploying, managing, and integrating a Web Application Firewall into your application security program. Our research shows that WAFs have a bad name, not because of any specific technology flaw, but mostly due to mismanagement. So we wrote Pragmatic WAF Management to cover how WAFs work, why some customers fail to derive value, and how to effectively deploy a WAF to secure applications from the increasing variety of web-based attacks. This excerpt summarizes the paper: Every time someone on the Securosis team writes about Web App Firewalls we create a firestorm. The catcalls come from all sides: “WAFs suck,” “WAFs are useless,” and “WAFs are just a compliance checkbox product.” Usually this feedback comes from penetration testers who easily navigate around the WAF during their engagements and other factions who find their situations complicated by the presence of a WAF. The people we’ve spoken with who actively manage WAFs – both employees and third party service providers – acknowledge the difficulty of managing WAF rules and the challenges of working closely with application developers. But at the same time, we constantly engage with dozens of companies dedicated to leveraging WAFs to protect applications. These folks understand how WAFs positively impact their overall application security approaches, and are looking for more value from their investment by optimizing their WAFs to reduce application compromises and risks to their systems. We want to thank Alert Logic for licensing this research. You can download the research paper here Attachments Securosis_Managing_WAF_2014_FINAL.pdf [459KB] Share:
Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.
Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.
Here’s how it works:
In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.
On the back end, here’s how we handle this approach with licensees:
Here is the language we currently place in our research project agreements:
“Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.”
Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.
