
Microsoft

Monday, November 04, 2013

Microsoft Upends the Bug Bounty Game

By Rich

Microsoft is expanding its $100k bounty program to include incident responders who find and document Windows platform mitigation flaws.

Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.

Our platform-wide defenses, or mitigations, are a kind of shield that protects the entire operating system and all the applications running on it. Individual bugs are like arrows. The stronger the shield, the less likely any individual bug or arrow can get through. Learning about “ways around the shield,” or new mitigation bypass techniques, is much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug – hence, we are willing to pay $100,000 for these rare new techniques.

This is important because Microsoft just turned every target and victim into a potential bug hunter. The pool of people looking for these just increased massively.

Previously only security researchers could hunt these down and win the cash.

Researchers can be motivated to sell bugs to governments or criminals for more than $100k (Windows mitigation bypasses are extremely valuable). Some professional response teams like to keep exploit details and indicators of compromise as trade secrets, but not every response team is motivated that way.

This alters the economics for attackers, because they now need to be much more cautious in using their most valuable 0day exploits. If they attack the wrong target they are more likely to lose their exploit forever.

As exciting as this is, it still requires a knowledgeable defender who isn’t financially motivated to keep it secret (again, some vendors and commercial IR services). And there are plenty of lower-level attacks that still work. But even with those stipulations the pool of hunters just increased tremendously.

–Rich

Tuesday, July 09, 2013

Kudos: Microsoft’s App Store Security Policy

By Rich

Today on the Microsoft Security Response Center Blog:

Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.

But the best part:

If you have discovered a vulnerability in a store application and have unsuccessfully attempted to work with the developer to address it, you can request assistance by contacting secure@microsoft.com.

Clear, concise, and puts users first. My understanding is that Apple is also pretty tight on suspending vulnerable apps, but they don’t have it formalized into visible policy, with a single contact point. If anyone knows Google’s policy (formal or otherwise), please drop it in the comments, but that is clearly a different ecosystem.

–Rich

Wednesday, June 19, 2013

Microsoft Offers Six Figure Bounty for Bugs

By Rich

From the BlueHat blog, Microsoft’s security community outreach:

In short, we are offering cash payouts for the following programs:

  • Mitigation Bypass Bounty – Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.

  • BlueHat Bonus for Defense – Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.

  • IE11 Preview Bug Bounty – Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers.

This doesn’t guarantee someone won’t sell to a government or criminal organization, but $100K is a powerful incentive for those considering putting the public interests at the forefront.

–Rich

Friday, March 01, 2013

Shattered Windows: the Impact of Attack Automation

By Rich

In 2011, our friend Josh Corman codified “HD Moore’s Law”:

Casual Attacker power grows at the rate of Metasploit

For those who don’t know, Metasploit, created by HD Moore, is a free penetration testing framework (it is now owned by Rapid7, who also sells a commercial version). Metasploit allows an attacker to rapidly combine an exploit with a payload and initiate attacks, dramatically reducing the complexity compared to hand-coding an attack yourself. Unlike other commercial tools such as Immunity Canvas and Core Impact, Metasploit has a large community, and when new vulnerabilities or exploits become public they are typically converted into Metasploit modules extremely quickly (sometimes within hours). Once a module is published, anyone using Metasploit can leverage that attack.

But Metasploit isn’t the only automated attack tool. Criminals have their own toolsets and markets, some of which advertise inclusion of 0-day vulnerabilities (for a price) and include better support than most of the security tools on the market. Being profitable, they fund their own research teams or acquire new exploits on the open market.

Some software vendors have started talking about this in public, as Microsoft outlined in their RSA talk on their response to Flame. Brad Arkin from Adobe has also talked about this and presented hard data on their patch times, public disclosures, and exploits. In the article Microsoft didn’t call out Metasploit or the criminal attack tools, but the implication is clear.

  • There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.*

If it isn’t public, it has already been used in attacks or – thanks to changes in the exploit market – sold to someone who intends to use it in attacks. If it is public, it will be included in attack tools (good and bad) faster than most vendors can create and distribute a patch, or most users can deploy even if the patch is available. Some vulnerabilities are still reported privately to vendors, but we can no longer assume this is the norm, especially for some of the most serious vulnerabilities with high market value.

Cloud computing also affects this in both good and bad ways, but the core principle is the same. If a cloud service is a target they have nearly no time to patch, but when they do they can patch for all users at once (for public clouds).

To be clear, I don’t consider Metasploit or other penetration testing tools ‘bad’. They are extremely important for security professionals to understand and use, but that doesn’t mean they can’t be misused.

–Rich

Monday, July 18, 2011

Mitigating Software Vulnerabilities

By Adrian Lane

Matt Miller, Tim Burrell, and Michael Howard from the Microsoft Security Engineering Center published a paper last week on Mitigating Software Vulnerabilities. In a nutshell, they advocate a set of tactics that limit – or outright block – known and emerging attack techniques. Rather than play catch-up and patch the threat du jour, they outline use cases for the technologies that Microsoft employs within their own products to make it much harder to compromise code with canned attacks.

Over the past decade, Microsoft has developed a variety of exploit mitigation technologies that are designed to make it more difficult for attackers to exploit software vulnerabilities such as buffer overruns. This section enumerates each of the mitigation technologies currently available, and provides answers for common questions that relate to how each technology works, how effective they are, and any important performance or compatibility considerations.

Three basic recommended tactics are:

  1. Generic detection of an attacker’s attempt to subvert a system through exception handler overwrites or running code from within data segments.
  2. Randomizing code or configurations to break canned attacks.
  3. Employing simple security ‘speed bumps’ that require a little bit of insider knowledge which is difficult for an attacker to acquire.

Two things I like about the paper: First, the tactics approach exploitation protection from a developer’s perspective. This is not a third-party tool or analyzer or bolt-on protection. These tools and compiler options are in the context of the development environment, and offer protections a developer has some degree of control over. The more involved the developer is in the security precautions in (or for) their code, the more likely they are to think about how they can protect it. Second, this mindset assumes that code will be under attack and looks for ways to make it more difficult to subvert – rather than desperately hoping the newest mitigation can stop a determined attacker permanently. Understanding that small variations can cause huge headaches for attackers and malware developers is a fundamental insight for defensive development.

While this paper is recommended reading for developers, bring a big cup of coffee. The document is only about 10 pages, but the terminology is a bit opaque. For example, “artificial diversity” and “knowledge deficits” are accurate but unfamiliar terms. I am pretty sure there is a better way to say “new invariants”. Still, esoteric vocabulary seems to be this paper’s main vice – slight criticism indeed. Educating developers on a simple set of tactics – built into their development tools – is powerful. The key insight is that you can take away the easy (known) pathways in and out of your code, and make it very expensive for an attacker to break your application. It is just as important to give yourself more time to detect iterative attacks in progress. The paper is well worth your time.
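Of the tactics the paper groups together, two (DEP, which stops code running from data segments, and ASLR, the randomization) are plain opt-in bits in a binary’s PE header, set by the /NXCOMPAT and /DYNAMICBASE linker switches, so a developer can audit their own build output for them directly. The script below is an added example, not code from the paper or from Microsoft: it walks the PE headers to the optional header’s DllCharacteristics field, reports which opt-ins are present, and builds a constructed (not loadable) header fixture to run against. Flag values and offsets are those of the PE/COFF specification; the missing_mitigations() list is simply the switches a reviewer would ask the developer to turn on. One caveat the check cannot close: /GS stack cookies and SafeSEH are not visible in this field (GS is a pattern in the code itself, and SafeSEH is recorded in the load-config directory), so a clean report here says nothing about those two.

```python
import struct
from typing import Dict, List

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics, per the PE/COFF spec.
HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA (64-bit ASLR range)
DYNAMIC_BASE    = 0x0040   # /DYNAMICBASE  (ASLR opt-in)
NX_COMPAT       = 0x0100   # /NXCOMPAT     (DEP opt-in)
NO_SEH          = 0x0400   # image uses no structured exception handlers
GUARD_CF        = 0x4000   # /guard:cf     (Control Flow Guard)

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def read_optional_header(image: bytes) -> Dict[str, int]:
    """Walk MZ -> PE signature -> COFF header -> optional header and return
    the optional header's Magic and DllCharacteristics fields."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 0x48:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 0x46 in both the PE32 and PE32+ layouts.
    (dllchars,) = struct.unpack_from("<H", image, opt + 0x46)
    return {"machine": machine, "magic": magic, "dll_characteristics": dllchars}


def audit_mitigations(image: bytes) -> Dict[str, bool]:
    """Report which header-level mitigation opt-ins an image carries."""
    hdr = read_optional_header(image)
    dc = hdr["dll_characteristics"]
    pe32plus = hdr["magic"] == PE32PLUS_MAGIC
    return {
        "pe32plus": pe32plus,
        "dep": bool(dc & NX_COMPAT),
        "aslr": bool(dc & DYNAMIC_BASE),
        # High-entropy VA only means anything on a PE32+ image that is also relocatable.
        "high_entropy_va": pe32plus and bool(dc & DYNAMIC_BASE) and bool(dc & HIGH_ENTROPY_VA),
        "cfg": bool(dc & GUARD_CF),
        "no_seh": bool(dc & NO_SEH),
    }


def missing_mitigations(image: bytes) -> List[str]:
    """The linker switches a reviewer would ask the developer to turn on (hypothetical policy)."""
    r = audit_mitigations(image)
    missing = []
    if not r["dep"]:
        missing.append("/NXCOMPAT")
    if not r["aslr"]:
        missing.append("/DYNAMICBASE")
    if r["pe32plus"] and r["aslr"] and not r["high_entropy_va"]:
        missing.append("/HIGHENTROPYVA")
    return missing


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed fixture: just enough header to exercise the parser.
    It is not a loadable executable."""
    opt_size = 0x70 if pe32plus else 0x60
    buf = bytearray(0x40 + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\0\0"
    machine = 0x8664 if pe32plus else 0x14C
    struct.pack_into("<HHIIIHH", buf, 0x44, machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", buf, opt + 0x46, dll_characteristics)
    return bytes(buf)


def audit_file(path: str) -> Dict[str, bool]:
    """Run the audit against a real binary on disk."""
    with open(path, "rb") as fh:
        return audit_mitigations(fh.read())


if __name__ == "__main__":
    hardened = build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True)
    legacy = build_minimal_pe(0)
    print("hardened:", audit_mitigations(hardened), "missing:", missing_mitigations(hardened))
    print("legacy:  ", audit_mitigations(legacy), "missing:", missing_mitigations(legacy))
```

Point audit_file() at any .exe or .dll and you get the same dictionary; a binary that reports dep and aslr as False is exactly the kind of target the paper’s canned-attack scenario assumes, and the fix is a linker switch rather than a patch.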

–Adrian Lane

Tuesday, July 14, 2009

Microsoft Patched; Firefox’s Turn

By Rich

While Microsoft releases patches for various vulnerabilities, including the two active zero day attacks, Firefox is being actively exploited.

According to the Mozilla Security Blog, there is a flaw in how Firefox handles JavaScript. We suggest you follow the instructions in that post to mitigate the flaw until they release a patch (which should be soon).

Not that we plan to post every time some piece of software is exploited or patched, but this series seems to… bring some balance to the Force.

–Rich

Monday, July 13, 2009

Second Unpatched Microsoft Flaw Being Exploited

By Rich

Microsoft released an advisory today that an unpatched vulnerability in the Office Web Components ActiveX control allows an attacker to run arbitrary code as the logged-in user. Worse yet, this is being actively exploited in the wild. Fortunately it is easy to protect against.

For the technical details, please see the SANS Internet Storm Center post, and the official Microsoft advisory.

Here’s the short version and how to protect yourself:

  1. This is a flaw in the spreadsheet ActiveX control that comes with Office. It only works if you visit a malicious link with Internet Explorer, and have a vulnerable version of Office installed (if you have Office, it’s safest to assume you are vulnerable).
  2. This does not affect Outlook, unless you click on an email link that opens Internet Explorer.
  3. It is actively being exploited by bad guys on the Internet, and Microsoft is working on a patch.
  4. If you switch to another browser, you are safe.
  5. If you still need to use IE, you can click on this link for a tool that will help disable the control. Don’t try this if you are on a work computer without talking to IT.

And that’s it – no reason to panic, with plenty of ways to protect yourself. You can now safely ignore all the scary emails you’ll be getting any moment from various security vendors…

(This is unrelated to the other ActiveX 0day that popped up last week and is also being actively exploited).

–Rich

Friday, May 01, 2009

Friday Summary: May 1, 2009

By Rich

Sometimes the most energizing thing you can do is absolutely nothing.

Last week at RSA was absolutely insane, in a good way. It’s kind of like being a kid and going to summer camp. You get to see all the friends who live in other towns, you all go nuts for a week with minimal supervision, and then everyone staggers home all excited. Between the Recovery Breakfast, 4 official RSA panels, a Jericho panel, my 160+ slide Friday morning session with Chris Hoff, and the nonstop speed-dating during the day, and parties at night, I should really be in much worse shape. But I found this year’s RSA to be incredibly motivating on multiple levels.

First, I think this is absolutely one of the best times to be in information security. Yes, major crap is hitting the fan all over the place, including massive national security, financial, and infrastructure breaches, but security is also hitting the front pages and reaching into the common consciousness. This is exactly the kind of environment true security professionals thrive on – with challenges and opportunities on all sides. As someone who loves the practice and theory of security, I find these challenges to be absolutely energizing and I wouldn’t want to be doing anything else. Well, except for maybe being an astronaut.

Next, RSA was extremely motivating from a corporate standpoint. I won’t say much, but it validated what we’re trying to do, and how we are positioning ourselves.

Finally, it was a very motivating week on a personal level. I used to have friends at work, and acquaintances in the industry. But these days I find some of my closest friends are scattered throughout the world in different jobs. I realized I spend more time interacting with many of you than I do with my local ‘meatspace’ friends outside of the industry. I especially appreciated the group that took me out for my birthday on Monday night – it really eased the pain of spending yet another family event away from my wife and (new) daughter.

After RSA I took 4 days off, and the combination of intensity followed by relaxation was a major recharge, but didn’t leave me much content for this week’s summary. Except stay away from, like, every Adobe product on the planet since they are all full of 0days.

One reminder – if you’d like to get our content via email instead of RSS, please head over and sign up for the Daily Digest (it goes out every night). We’re also thinking of creating a Friday Summary-only version, so let us know if that would be of interest.

And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Favorite Outside Posts

Top News and Posts

Blog Comment of the Week

This week’s best comment was from Ant in response to Rich’s post on Security Industry Disambiguation Movement.

Well I might not have chosen those terms, but I personally* fully endorse the sentiment!

A different problem arises where a perfectly serviceable term is pressed into use in several different but not wholly dissimilar markets, leading to ambiguity and confusion – e.g., identity management, policy management. So… it’s not strictly anti-disambiguation, but some vendors are guilty of disingenuously using a term which doesn’t apply to them in their market.

– Ant

* i.e., this is not (necessarily) the official view of my employer.

–Rich

Friday, April 17, 2009

Friday Summary - April 17 2009

By Adrian Lane

The big news at Securosis this week was the launching of Project Quant! Not only are we excited about working with some of the team members at Microsoft, but we are going to be really pushing the boundaries of our Totally Transparent Research process. Rich has been furiously setting up the infrastructure all week to support the public discourse for the project, and he just got it finished in time for launch. We are grateful that there is a ton of interest out there, as we have been getting numerous tweets and emails on the subject, as well as a ton of press on the project from eWeek, Dark Reading, ZDNet, and Dennis Fisher at ThreatPost. Jeff Jones posted an announcement on his Security Blog, plus there is coverage by Peter Galli on Microsoft’s Port 25 blog as well! There won’t be a lot of content pushed out next week as we are crazy-busy next week, but this will be a full time effort come May.

On the personal side, I got a couple phone calls again this week. You know, the “My computer is doing FOO, and it stopped working” phone call from friends and family. As sure as the sun rises in the morning, I got another call today from a friend who has their machine infected with some form of malware. IE is completely locked, and when they try to use it now, all they get is an advertisement to purchase AV and anti-malware! After a few hours of someone in the family browsing risky sites and downloading music from dubious locations, it looked like they had managed to get infected with something that was not going to easily surrender. It passed the Eye Chart test, but I was not convinced that it was (or was not) Conficker.

The next question of course is “How do I fix it?” and my response is “stop doing what you did to get it infected in the first place!” The snappy retort does not make me very popular, but why fix it and have them do it again a week later? Almost immediately I feel bad for them and go ahead and fix it. Most of the people who call use their computer to run their business. This is how they make their living. They are hosed. They will lose two or three days of revenue and piss off their clients if they don’t get back up and running ASAP. Can the virus be removed without permanent damage? Maybe, maybe not. A fresh install is probably the only way to be sure you got it. Serious education on what not to do is what it would take to keep it from happening again. Any way you slice it, this is a painful process.

There are a lot of commonalities across this group:

  • They use IE 6.x on Windows.
  • They do not make backups.
  • They do not keep the original software media or software licenses.
  • They use their machines for their business.
  • Their machines run very slowly, and have for a long time.
  • They browse -everywhere-.
  • They have never met an email link they would not click.
  • They download lots of applications and music.
  • They install a lot of free Internet applications just to see what they are.
  • They have never uninstalled a program.
  • They do not run disk cleanup.
  • They have Norton or McAfee.
  • They have malware and adware on the machine.
  • They do online banking.
  • There is no password on the machine.
  • The machine is multi-use by/for all family members.
  • They have never looked at IE settings.
  • They are unaware that there are other browsers.

I feel bad half the time, because I cannot fix the problem without a re-install. When I do re-install, getting the computer to where it was before the infection is a full day’s work … spread out over a week or more. Man do I have sympathy for the corporate IT guys who have to put up with this for a living! “Where are my bookmarks?” “Why does the computer do this?” “I can’t print!” “Why is this over here when it used to be over there?” Part of me wants them to feel a little pain, in order for them to appreciate that performing every risky act on your computer has consequences, but what really needs to happen is some education for the home user. I have been on this topic for some time, and I feel fairly strongly about it. Enough so that I even bought “Security Mike’s Guide to Internet Security” when it was still vapo-bookware to loan to family members to raise their awareness. Not that they would have read it before their computer imploded, but it would be there for them as they waited for InstallShield to complete its tasks. I know that security professionals need to help not just the vendors and IT organizations who have security challenges, but the end users as well. I am going to be cherry-picking a bunch of our old posts and putting them into the new Research Library for end user assistance and tips. Certainly not our focus, but something we will continue to build.


And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences:

Favorite Securosis Posts:

Favorite Outside Posts:

  • Adrian: I liked Ronald McCarthy’s down-to-earth discussion of Ubuntu Security.
  • Rich: Alex’s comments on Project Quant. Don’t worry Alex, we are all armed with ‘Multitools’ and chewing gum!

Top News and Posts:

  • An Examination of the Twitter Worm.
  • The Verizon Data Breach report is out. It’s good. Read it when you get the chance, but some of the editorial posts are advised as well, such as …
  • Mortman’s Initial thoughts on the Verizon 2009 DBIR.
  • Thoma Bravo is buying Entrust. For about 1.2x revenue. Entrust has solid products and a fairly stable revenue stream from their government sales. I know the stock is dangerously low, revenues are down, times are tough, but $114M seems low.
  • Backbone Hacking Tools to be Unleashed.
  • Pirate Bay Verdict in: Guilty
  • Microsoft Security Bulletin. Mostly standard fixes, but for me, I have to ask the question: how the %@$! could Wordpad allow remote code to execute under ANY circumstances?
  • Nice article on SC Magazine about hackers who were busted in Romania by Romanian authorities and the FBI for credit card fraud. Must have been getting out of hand if the FBI got involved. Since when do pharmaceutical companies store end user credit card data? Have they begun to sell direct?

Blog Comment of the Week:

This week’s best comment was from ds in response to Rich’s post on Security Inevitabilities:

Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips.

…and we’ll still have CC Fraud because there won’t be an infrastructure to allow every possible transaction to be a cardholder present equivalent, so we will still need some way for credit card data to be human interpreted and communicated.

–Adrian Lane

Wednesday, April 15, 2009

Announcing Project Quant: New Security Metrics Project (with Microsoft)

By Rich

We spend a lot of time talking about security metrics over here, and I’ve been pretty critical of both overly-broad initiatives that don’t help people get their day to day jobs done, and “fluffy” models that try to put hard numbers on risks/threats and such. Well, it looks like it’s time for me to put up or shut up.

I’m pleased to announce our latest metrics project, which we’re currently calling Project Quant. (Yes we need a better name). We were approached by Jeff Jones at Microsoft to help build an independent model to measure the costs and effectiveness of patch management. This will be a hard metrics model, focused on measuring the operational processes associated with patch management. The goal is to provide IT organizations a tool they can use to measure how effective they are, and track that over time.

I’m excited about this project for two main reasons:

  1. We get to focus on hard, practical metrics people can use to improve operations.
  2. We are following a “radical” version of our Totally Transparent Research process to ensure objectivity.

We’ve set up a dedicated landing area for the project at http://securosis.com/projectquant where we will be posting all the materials. Here are the bits you might care about:

  1. We are soliciting as much participation in the project as possible- including competing vendors, end users of all sizes, consultants, whoever.
  2. The project has a deadline of late June, so this won’t drag out indefinitely. The first version may not be perfect, but come the end of June there will be a first version.
  3. We really need you to get involved. We’ll be asking for survey participants, reviewers, and just plain ‘ol grumpy commenters to keep us honest, and help produce a useful result.
  4. The results will be released under a Creative Commons license in an open format.

We have the first two posts up at the landing site. The first, Introducing Project Quant, provides an overview of the project and the research process. The second, Project Quant: Goals delves into the project goals in more detail.

This is a pretty huge project, even though it’s laser focused on one single operational area. Hopefully you like the idea, and are interested in participating.

–Rich

Thursday, December 04, 2008

Analysis Of The Microsoft/RSA Data Loss Prevention Partnership

By Rich

By the time I post this you won’t be able to find a tech news site that isn’t covering this one. I know, since my name was on the list of analysts the press could contact and I spent a few hours talking to everyone covering the story yesterday. Rather than just reciting the press release, I’d like to add some analysis, put things into context, and speculate wildly. For the record, this is a big deal in the long term, and will likely benefit all of the major DLP vendors, even though there’s nothing earth shattering in the short term.

As you read this, Microsoft and RSA are announcing a partnership for Data Loss Prevention. Here are the nitty gritty details, not all of which will be apparent from the press release:

  • This month, the RSA DLP product (Tablus for you old folks) will be able to assign Microsoft RMS (what Microsoft calls DRM) rights to stored data based on content discovery. The way this works is that the RMS administrator will define a data protection template (what rights are assigned to what users). The RSA DLP administrator then creates a content detection policy, which can then apply the RMS rights automatically based on the content of files. The RSA DLP solution will then scan file repositories (including endpoints) and apply the RMS rights/controls to protect the content.
  • Microsoft has licensed the RSA DLP technology to embed into various Microsoft products. They aren’t offering much detail at this time, nor any timelines, but we do know a few specifics. Microsoft will slowly begin adding the RSA DLP content analysis engine to various products. The non-NDA slides hint at everything from SQL Server, Exchange, and Sharepoint, to Windows and Office. Microsoft will also include basic DLP management into their other management tools.
  • Policies will work across both Microsoft and RSA in the future as the products evolve. Microsoft will be limiting itself to their environment, with RSA as the upgrade path for fuller DLP coverage.
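The content-discovery step in the first bullet above is the part most people never see working: a detection policy runs over stored files, and every file whose content trips a rule gets a rights template applied. The script below is an added example of that step, not RSA’s or Microsoft’s code: it implements a small policy of two rules (a PCI primary-account-number detector that combines a digit-shape regex with a Luhn check, so a 16-digit order number is not mistaken for a card, plus a keyword rule) and maps each hit to a hypothetical RMS template name. The rule names, template names, and sample repository are all constructed for the example.

```python
import re
from typing import Callable, Dict, List, NamedTuple


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 16 digits, optionally separated by single spaces or dashes,
# and not glued to a longer run of digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")


def find_pans(text: str) -> List[str]:
    """Normalised card numbers that pass both the shape test and Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


class Rule(NamedTuple):
    name: str
    matches: Callable[[str], bool]
    rms_template: str        # hypothetical RMS rights template to apply


# Hypothetical content-detection policy: content rule -> rights template.
POLICY = [
    Rule("PCI primary account number", lambda t: bool(find_pans(t)), "Finance-Restricted"),
    Rule("Marked confidential", lambda t: "CONFIDENTIAL" in t.upper(), "Internal-Only"),
]


def classify(text: str) -> List[str]:
    """All rights templates whose rule fires on this content, in policy order."""
    return [r.rms_template for r in POLICY if r.matches(text)]


def scan_repository(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Discovery pass: {filename: [templates to apply]} for every file that matches."""
    actions = {}
    for name, text in files.items():
        templates = classify(text)
        if templates:
            actions[name] = templates
    return actions


# Constructed sample repository (not real data). notes.txt carries a
# 16-digit order number that fails Luhn, so it must not be tagged.
SAMPLE_FILES = {
    "refunds.csv": "name,card\nA. Customer,4111 1111 1111 1111\n",
    "board-memo.txt": "CONFIDENTIAL: draft acquisition terms\n",
    "notes.txt": "Order ref 1234567812345678 is not a card number\n",
    "q3-forecast.txt": "Region  Revenue\nWest  1200000\n",
}

if __name__ == "__main__":
    for name, templates in scan_repository(SAMPLE_FILES).items():
        print(f"{name}: apply {', '.join(templates)}")
```

The Luhn step is what keeps a rule like this usable on a real file share: without it every invoice number and tracking code of the right length becomes a protected document, and the directory-integration problem called out below gets a false-positive problem stacked on top.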

And that’s it for now. RSA DLP 6.5 will link into RMS, with Microsoft licensing the technology for future use in their products. Now for the analysis:

  • This is an extremely significant development in the long term future of DLP. Actually, it’s a nail in the coffin of the term “DLP” and moves us clearly and directly to what we call “CMP”- Content Monitoring and Protection. It moves us closer and closer to the DLP engine being available everywhere (and somewhat commoditized), and the real value in being in the central policy management, analysis, workflow, and incident management system. DLP/CMP vendors don’t go away- but their focus changes as the agent technology is built more broadly into the IT infrastructure (this definitely won’t be limited to just Microsoft).
  • It’s not very exciting in the short term. RSA isn’t the first to plug DLP into RMS (Workshare does it, but they aren’t nearly as big in the DLP market). RSA is only enabling this for content discovery (data at rest) and rights won’t be applied immediately as files are created/saved. It’s really the next stages of this that are interesting.
  • This is good for all the major DLP vendors, although a bit better for RSA. It’s big validation for the DLP/CMP market, and since Microsoft is licensing the technology to embed, it’s reasonable to assume that down the road it may be accessible to other DLP vendors (be aware- that’s major speculation on my part).
  • This partnership also highlights the tight relationship between DLP/CMP and identity management. Most of the DLP vendors plug into Microsoft Active Directory to determine users/groups/roles for the application of content protection policies. One of the biggest obstacles to a successful DLP deployment can be a poor directory infrastructure. If you don’t know what users have what roles, it’s awfully hard to create content-based policies that are enforced based on users and roles.
  • We don’t know how much cash is involved, but financially this is likely good for RSA (the licensing part). I don’t expect it to overly impact sales in the short term, and the other major DLP vendors shouldn’t be too worried for now. DLP deals will still be competitive based on the capabilities of current products, more than what’s coming in an indeterminate future.

Now just imagine a world where you run a query on a SQL database, and any sensitive results are appropriately protected as you place them into an Excel spreadsheet. You then drop that spreadsheet into a Powerpoint presentation and email it to the sales team. It’s still quietly protected, and when one sales guy tries to email it to his Gmail account, it’s blocked. When he transfers it to a USB device, it’s encrypted using a company key so he can’t put it on his home computer. If he accidentally sends it to someone in the call center, they can’t read it. In the final PDF, he can’t cut out the table and put it in another document. That’s where we are headed- DLP/CMP is enmeshed into the background, protecting content through its lifecycle based on central policies and content and context awareness.

In summary, it’s great in the long term, good but not exciting in the short term, and beneficial to the entire DLP market, with a slight edge for RSA. There are a ton of open questions and issues, and we’ll be watching and analyzing this one for a while.

As always, feel free to email me if you have any questions.

–Rich

Tuesday, November 25, 2008

More On Why I Think Free Microsoft AV Will Be Good For Consumers

By Rich

Last week I talked a bit on the decision by Microsoft to kill OneCare and release a new, free antivirus package later in 2009. Overall, I stated that I believe this will be good for consumers:

I consider this an extremely positive development, and no surprise at all. Back when Microsoft first acquired an AV company I told clients and reporters that Microsoft would first offer a commercial service, then eventually include it in Windows. Antivirus and other malware protections are really something that should be included as an option in the operating system, but due to past indiscretions (antitrust) Microsoft is extremely careful about adding major functionality that competes with third party products.

Not everyone shares my belief that this is a positive development for consumers. Kurt Wismer expressed it best:

i doubt you need to be a rocket scientist to see the parallels between that scenario and what microsoft did back in the mid-90’s with internet explorer, and i don’t think i need to remind anyone that that was actually not good for users (it resulted in microsoft winning the first browser war and then, in the absence of credible competition, they literally stopped development/innovation for years) … what we don’t want or need is for microsoft (or anyone else, technically, though microsoft has the most potential due to their position) to win the consumer anti-malware war in any comparable sense… it’s bad on a number of different levels - not only is it likely to hurt innovation by taking out the little guys (who tend to be more innovative and less constrained by the this is the way we’ve always done things mindset), but it also creates another example of a technological monoculture… granted we’re only talking about the consumer market, but the consumer market is the low-hanging fruit as far as bot hosts go and while it may sound good to increase the percentage of those machines running av (as graham cluley suggests) if they’re all using the same av it makes it much, much easier for the malware author to create malware that can evade it…

That’s an extremely reasonable argument, but I think the market around AV is different. Kurt assumes that there is innovation in today’s AV, and that the monoculture will make AV evasion easier. My belief is that we essentially have both conditions today (low innovation, easy evasion), and the nature of attacks will continue to change rapidly enough to exceed the current capabilities of AV.

An attacker, right now, can easily create a virus to evade all current signature and heuristic based AV products. The barrier to entry is extremely low, with malware creation kits with these capabilities widely available. And while I think we are finally starting to see a little more innovation out of AV products, this innovation is external to the signature based system.
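To make that last point concrete, here is an added example written for this edit (not code from the original post, and not any vendor's engine): a toy signature scanner in Python against a toy single-byte XOR packer. The "malicious" payload is a harmless marker string, the stub bytes and signature names are made up, and the three stages (payload signatures, a signature on the packer stub, static unpacking before scanning) are a simplified sketch of how signature engines and packers have actually leapfrogged each other.

```python
"""Why exact-byte signatures are brittle: a toy scanner versus a toy packer.

Everything here is constructed for illustration; PAYLOAD is a harmless
marker string standing in for malicious code, not real malware.
"""
from typing import Dict, List, Optional

# Constructed stand-in for a malicious routine (assumption: any fixed bytes).
PAYLOAD = b"CONSTRUCTED-MALICIOUS-ROUTINE-0001"

# Constructed, fixed bytes of the packer's decoder stub. Real packers share
# the weakness: the stub is the part that stays constant across samples.
STUB_MAGIC = b"\xeb\x10XORSTUB"

# Generation 1: signatures only on the payload itself.
SIGS_V1: Dict[str, bytes] = {"Toy.Payload.A": b"MALICIOUS-ROUTINE"}

# Generation 2: the vendor adds a signature for the stub it keeps seeing.
SIGS_V2: Dict[str, bytes] = dict(SIGS_V1, **{"Toy.Packer.XorStub": STUB_MAGIC})


def scan(sample: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Plain substring matching, the core of a signature engine."""
    return sorted(name for name, pattern in sigs.items() if pattern in sample)


def pack(payload: bytes, key: int) -> bytes:
    """Single-byte XOR 'packing': stub, key byte, encoded body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the bytes unchanged)")
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> Optional[bytes]:
    """Static unpacking: if the known stub is present, recover the body.

    This is the (simplified) move engines make to get past packing: emulate
    or reverse the decoder, then scan what comes out.
    """
    if not sample.startswith(STUB_MAGIC) or len(sample) <= len(STUB_MAGIC):
        return None
    key = sample[len(STUB_MAGIC)]
    return bytes(b ^ key for b in sample[len(STUB_MAGIC) + 1:])


def scan_unpacked(sample: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Generation 3: scan the sample and, if it unpacks, the unpacked body too."""
    hits = set(scan(sample, sigs))
    inner = unpack(sample)
    if inner is not None:
        hits.update(scan(inner, sigs))
    return sorted(hits)


def evading_keys(payload: bytes, sigs: Dict[str, bytes]) -> List[int]:
    """All XOR keys for which the packed sample raises no alert at all."""
    return [k for k in range(1, 256) if not scan(pack(payload, k), sigs)]


if __name__ == "__main__":
    print("unpacked payload:", scan(PAYLOAD, SIGS_V1))
    print("keys evading v1 sigs:", len(evading_keys(PAYLOAD, SIGS_V1)), "of 255")
    print("keys evading v2 sigs:", len(evading_keys(PAYLOAD, SIGS_V2)), "of 255")
    print("v1 sigs plus unpacking:", scan_unpacked(pack(PAYLOAD, 0x5A), SIGS_V1))
```

Every one of the 255 keys defeats the payload-only signature, which is the "barrier to entry is extremely low" observation in miniature. The stub signature catches all of them again, until the packer author changes the stub; unpacking before scanning is the more durable answer, and it is exactly the kind of work that sits outside the signature database.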

Here’s why I think Morro will be very positive for consumers:

  1. Signature based AV, the main engine I suspect Morro runs on, is no longer very effective, and it is not where the real innovation will take place.
  2. Morro will be forced to innovate like any AV vendor due to the external pressures of the extensive user base of existing AV solutions, changing threats/attacks, and continued pressure from third party AV.
  3. Morro will force AV companies to innovate more. Morro essentially kills the signature based portion of the market, forcing the vendors to focus on other areas.
  4. The enterprise market will still lean toward third party products, even if AV is included for free in the OS, keeping the innovation pipeline open and ripe to cross back to the consumer market if

Since the threat landscape is ever evolving I don’t think we’ll ever hit the same situation we did with Internet Explorer. Yes, we may have a relative monoculture for signatures, but those are easily evadable as it is.

At a minimum, Morro will expand the coverage of up-to-date signature based AV and force third party companies to innovate. In a best case scenario, this then feeds back and forces Microsoft to innovate. The AV market isn’t like the browser market; it faces additional external pressures that prevent stagnation for very long.

I personally feel the market stagnated for a few years even without Microsoft’s involvement, but it is in the midst of self correcting thanks to new/small vendor innovation, external threats, and customer demand (especially with regards to performance). Morro will only drive even more innovation and consumer benefits, even if it fails to innovate itself.

–Rich

Wednesday, November 19, 2008

The Impact Of Free Antivirus From Microsoft

By Rich

Well, they’ve finally done it. Microsoft announced they will be dropping OneCare and start providing antivirus for free to all Windows users late next year in a product called Morro.

I consider this an extremely positive development, and no surprise at all. Back when Microsoft first acquired an AV company I told clients and reporters that Microsoft would first offer a commercial service, then eventually include it in Windows. Antivirus and other malware protections are really something that should be included as an option in the operating system, but due to past indiscretions (antitrust) Microsoft is extremely careful about adding major functionality that competes with third party products.

The move to free AV for all Windows users helps on two fronts. First, it’s a good way to navigate the antitrust allegations that will likely surface from the consumer AV companies. By not including AV with the default installation of Windows, it keeps the competitive environment open and provides Microsoft a good defense for monopoly allegations. Second, I suspect this will only be available to legitimate, activated copies of Windows, which provides additional incentive to purchase a legal copy and stem a small part of the home piracy market. This won’t matter to the street vendors in China, but will encourage friends and family to buy their own damn copy of Windows.

The major AV companies have long expected this move. Both McAfee and Symantec have been buffering themselves through diversification and acquisition for the past few years. My personal belief was that Symantec acquired Veritas in large part to prepare for the eventual dissolution of the consumer AV market when Microsoft eventually builds it into the OS. Will this hurt? Absolutely, but they probably won’t see any market erosion at all for 2 years, and the real pain will likely only start to hit in around 3 years. This gives them enough time to avoid suddenly losing 40% (don’t quote me on that, I’m on an airplane and just guessing) of profits over 12 months. The real losers will be the consumer-only AV companies without portfolio diversification or a larger enterprise base.

I don’t expect to see material erosion of the enterprise AV market anytime soon. Major vendors like Symantec, McAfee, and Trend are including growing functionality in their endpoint products, and improving central management. These additional features will likely protect their enterprise client base, although there may be some price erosion.

Any consumer oriented AV product will need to seriously innovate to survive once Morro is released. Users won’t be willing to pay the $70-$99 a year AV tax once a viable, easy to download and use, product appears. Microsoft already includes a good firewall in the OS, the Malicious Software Removal Tool, anti-phishing, and other security controls. Vista is much more secure than previous versions of the OS, and it sounds like Windows 7 will actually be usable. This combination means that any consumer “AV” company will need to either protect against new threats not covered by Windows, or offer materially better security than the built in tools. Both situations rely heavily on the threat environment, making accurate predictions difficult. My rough guess is that within 5-7 years most consumer-level Windows users won’t need third party desktop security.

I’m not sure if it will be in Windows 7, but it’s also clear that it’s inevitable that AV will be included in Windows.

In summary, this is good for users, will really hurt any consumer-only AV company, will only moderately hurt enterprise and diversified AV companies, and is an extremely positive step.

Unless, of course, they screw it up or the product is crap. Those are always options.

The flight attendant is giving me a nasty look, so it’s time to upload this and turn off my laptop…

–Rich

Thursday, October 23, 2008

Microsoft Critical Update Today- **Updated- Details Released**

By Rich

If you don’t already know, Microsoft is releasing an out of band critical update today. Rumor is it is not related to the TCP DoS issue, and may involve an 0day with remote code execution.

Here’s the link to the webcast where they will detail what’s going on.

We don’t normally jump on a bandwagon like this, but it sounds like a big one you’ll want to fix ASAP.

UPDATE: Whoops- literally 2 minutes after I posted this, Ryan Naraine posted details and a link to the official advisory.

It’s a nasty vulnerability in the Server service that allows remote code execution without authentication. You should already be blocking TCP ports 139 and 445 at the perimeter, so nothing unusual to change on the firewall.

But this is totally wormable, requires no authentication, and allows arbitrary code execution. It’s the evil trinity of vulnerabilities.

You should pay extra attention to your mobile users and friends and family- have them update ASAP since the odds are they aren’t blocking those ports. Don’t get too cocky if you have a firewall- like Slammer it will only take one infected sales dude to plug back in at the office and ruin your day. These are the kinds of vulns NAC is made for.
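The "one infected sales dude plugs back in" case is also something you can watch for on the network. A wormable Server service bug spreads by opening SMB connections to many distinct hosts in a short time, which looks nothing like a user browsing a file share. As an added example for this edit (not part of the original post or any product), the Python below runs that fan-out check over constructed firewall connection log lines; the log format, addresses, window and threshold are all assumptions, so adapt parse() to whatever your firewall actually emits.

```python
"""Flag hosts showing worm-like SMB fan-out in firewall connection logs.

The log format below is constructed for this example; adapt parse() to
whatever your perimeter or host firewall actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SMB_PORTS = {139, 445}

# Constructed sample: an ordinary user talking to two file servers...
NORMAL_LINES = [
    "2008-10-23T14:00:00 ALLOW TCP 10.1.5.40:50001 -> 10.1.5.10:445",
    "2008-10-23T14:00:05 ALLOW TCP 10.1.5.40:50002 -> 10.1.5.10:445",
    "2008-10-23T14:00:09 ALLOW TCP 10.1.5.40:50003 -> 10.1.5.11:139",
    "2008-10-23T14:00:30 ALLOW TCP 10.1.5.40:50004 -> 10.1.5.10:445",
    "2008-10-23T14:00:31 ALLOW TCP 10.1.5.40:50005 -> 192.0.2.10:80",
    "this line is garbage and must not crash the parser",
]
# ...and one laptop that, within 22 seconds, tries port 445 on twelve hosts.
WORM_LINES = [
    f"2008-10-23T14:01:{sec:02d} DROP TCP 10.1.5.23:{51000 + i} -> 10.1.5.{100 + i}:445"
    for i, sec in enumerate(range(0, 24, 2))
]
SAMPLE_LINES = NORMAL_LINES + WORM_LINES


def parse(line: str) -> Optional[dict]:
    """Parse '<iso-ts> <action> <proto> <src>:<port> -> <dst>:<port>'; None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        src_ip, src_port = parts[3].rsplit(":", 1)
        dst_ip, dst_port = parts[5].rsplit(":", 1)
        return {"ts": ts, "action": parts[1], "proto": parts[2],
                "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port)}
    except ValueError:
        return None


def find_fanout(lines: List[str], window_seconds: int = 60,
                threshold: int = 8) -> Dict[str, int]:
    """Return {src_ip: peak distinct SMB targets} for sources at or above threshold.

    Both ALLOW and DROP lines count: a scanning host produces attempts, and the
    attempts are the signal whether or not each one connected.
    """
    by_src: Dict[str, List[tuple]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["proto"] == "TCP" and ev["dst_port"] in SMB_PORTS:
            by_src[ev["src_ip"]].append((ev["ts"], ev["dst_ip"]))

    window = timedelta(seconds=window_seconds)
    flagged: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # distinct destinations within [t0, t0 + window]
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_fanout(SAMPLE_LINES).items():
        print(f"ALERT: {src} touched {n} distinct hosts on SMB ports within 60s")
```

The threshold and window are deliberately loose here; on a real network, tune them against a day of normal traffic so that backup servers and vulnerability scanners are either whitelisted or expected, and treat a hit as a reason to pull the port, not as proof of infection.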

Also, don’t forget about those virtual versions of Windows running on your Mac.

It looks so easy to exploit, that by the time you read this it’s probably too late :)

–Rich