Wednesday, April 08, 2015

RSAC Guide 2015: DevOpsX Games

By Rich

DevOps is one of the hottest trends in all of IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch).

We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications.

But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees.

DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports… it’s on YouTube now – look it up, young’ns).

Extreme sports (if that term even applies anymore) are all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you can fake a backflip on a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave.

This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSA day the Monday before the conference starts, and vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty of bad too, especially presentations on the ‘risks’ of DevOps that show the presenter doesn’t understand it – DevOps does not actually allow developers to modify production environments in defiance of policy. As for the expo floor? We look forward to seeing that ourselves… and as with anything new, we expect to see plenty of banners proclaiming their antivirus is “DevOps ready”.



RSA Guide 2015: Get Bigger (Data) Now!!!

By Dave Lewis

This year at RSA we will no doubt see the return of Big Data to the show floor. This comes along with all the muscle confusion that it generates – not unlike Crossfit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget.

Last year we leveraged the tired (nay, exhausted) analogy of sex in high school. Everyone talks about it but… yeah. You get the idea. Every large company out there today has a treasure trove of data available, but they have yet to truly gain any aerobic benefit from it. Certainly they are leveraging this information but who is approaching it in a coherent fashion? Surprisingly, quite a few folks. Projects such as the Centers for Disease Control’s data visualizations, Twitter’s “Topography of Tweets”, SETI’s search for aliens, and even Yelp’s hipster tracking map. They all leverage Big Data in new and interesting ways. Hmm, SETI and Yelp should probably compare notes on their data sets.

These are projects happening, often despite the best intentions of organizational IT security departments. Big Data is here, and security teams need to get their collective heads around the situation rather than hanging about doing kipping pull-ups. As security practitioners we need to find sane ways to tackle the security aspects of these projects, to help guard against inadvertent data leakage as they thrust forward with their walking lunges. One thing we recommend is a hike out on the show floor to visit some vendors you’ve never heard of. There will be a handful of vendors developing tools specifically to protect Big Data clusters, and some delivering tools to keep sensitive data out of Big Data pools. And your Garmin will record a couple thousand more steps in the process. Second, just as many Big Data platforms and features are built by the open source community, so are security tools. These will be under-represented at the show, but a quick Google search for Apache security tools will find more options.

Your internal security teams need to be aware of the issues with big data projects while striking a balance supporting business units. That will truly lead to muscle confusion for some. If you’re looking for the Big Data security purveyors, they will most likely be the ones on the show floor quietly licking wounds from their workout while pounding back energy drinks.

—Dave Lewis

Tuesday, April 07, 2015

RSAC Guide 2015: Key Theme: Security Bonk

By Mike Rothman

The Security Bonk

For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our respective waistlines, than anything else. So we’re all too familiar with the concept of ‘bonking’: hitting the wall and capitulating. You may not give up, but you are just going through the motions.

Sound familiar to you security folks? It should. You get bonked over the head with hundreds or thousands of alerts every day. You can maybe deal with 5, and that’s a good day. So choosing the right 5 is the difference between being hacked today and tomorrow. This alert fatigue will be a key theme at RSA Conference 2015. You’ll see a lot of companies and sessions (wait, there are sessions at RSA?) talking about more actionable alerts. Or increasing the signal to noise ratio. Or some similarly trite and annoying terminology for prioritization.

These vendors come at the problem of prioritization from different perspectives. Some will highlight shiny new analytical techniques (time for the Big Data drinking game!) to help you figure out which attack represents the greatest risk. Others will talk about profiling your users and looking for anomalous behavior. Yet another group will focus on understanding the adversary and sharing information about them. All with the same goal: to help you optimize limited resources before you reach the point of security bonk.

To carry the sports analogy to the next step, you are like the general manager of a football team. You’ve got holes all over your roster (attack surface) and you need to stay within your salary cap (budget). You spend a bunch of money on tools and analytics to figure out how to allocate your resources, but success depends more on people and consistent process implementation. Unfortunately people are a major constraint, given the limited number of skilled resources available. You can get staffers through free agency (expensive experienced folks who generally want long-term deals) or draft and develop talent, which takes a long time.

And in two years, if your draft picks don’t pan out or your high-priced free agents decide to join a consulting firm, you get fired. Who said security wasn’t like life? Or the football life, anyway!

—Mike Rothman

RSAC Guide 2015: Key Theme: Change

By Jennifer Minella, Rich

Every year we like to start the RSA Guide with a review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than any particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you extract the useful nuggets from the noise?

This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets. This year Jennifer Minella leads off with our meta theme, which is also the conference theme: change.


This year at RSA the vendors are 18% more engaged, solutions are 22% more secure, and a whopping 73% of products and solutions are new. Or are they? To the untrained eye the conference floor is filled with new and sensational technologies, ripe for consumption – cutting-edge alongside bleeding-edge – where the world comes to talk security. While those percentages may be fabricated horse puckey, the underlying message here is about our perception of – and influence over – real change.

“It’s like deja-vu, all over again,” as Yogi Berra once mused. Flipping through the conference guide, that will be the reaction of observers who have made their way by watching the ebbs and flows of our industry for years. The immediate recognition of companies acquired, products rebranded, and solutions washed in marketing to make them 84% shinier, feeds a skeptical doubt that we are actually making progress through this growth we call ‘change’. So here is our Public Service Announcement: change is not necessarily improvement.

Change can be good, bad, or neutral, but for some reason our human brains crave it when we are at an impasse. When we hit a wall or bonk – when we are frustrated, confused, or just pissed off – we seek change. Not only seek, but force and abuse it. We wield change in unusual and unnatural ways because something that’s crappy in a new and different way is better than the current crappy we already have. At least with change there’s a chance for improvement, right? And there is something to be said for that. Coach John Wooden said “Failure is not fatal, but failure to change might be.” If we keep changing – if we keep taking more shots on goal – eventually we’ll score.

But are we changing the right things? Does reorganizing, rebranding, or reinventing the cloud or the IoT help in a meaningful way? Perhaps, but you are not simply at the mercy of change around you. You, too, can influence change. This year as you walk around the sessions, workshops, and booths at RSA, look for opportunities to change other things. Change your perspective, change your circle of influence, change your approach, or change your habits. Ask questions, meet new people, and consider the unimaginable. We guarantee at least 19% change with a 12% effort, 99% of the time.

by Jennifer Minella, Contributing Analyst

This article first appeared on the RSA Conference blog at http://www.rsaconference.com/blogs

—Jennifer Minella, Rich

Friday, April 03, 2015

Friday Summary: April 3, 2013: Getting back in

By Adrian Lane

Running. I started running when I was 9. I used to tag along to exercise class at the local community college with my mom, and they always finished the evening with a couple laps around the track. High school was track and cross country. College too. When my friends and I started to get really fast, there would be the occasional taunting of rent-a-cops, and much hilarity during the chase, usually ending in the pursuers crashing into a fence we had neatly hopped over. Through my work career, running was a staple, with fantastic benefits for both staying healthy and washing away workday stresses.

Various injuries and illness stopped that over the last few years, but recently I have been back at it. And it was … frigging awful and painful. Unused muscles and tendons screamed at me. But after a few weeks that went away. And then I started to enjoy the runs again. Now I find myself more buoyant during the day – better energy and just moving better. It’s a subtle thing, but being fit just makes you feel better in several ways, all throughout the day.

This has been true for several other activities of late — stuff I love to do, but for various reasons dropped. Target shooting is something I enjoy, but the restart was awful. You forget how critical it is to control your breathing. You forget the benefit of a quality load. You forget how the trigger pull feels and how to time the break. I grew up taking two or three fishing trips a year, but had pretty much stopped fishing for the last 10 years – lack of time, good local places to go, and people you wanted to go with. You forget how much fun you can have sitting around doing basically nothing. And you forget how much skill and patience good fishermen bring to the craft.

In this year of restarts, I think the one activity that surprised me most was coding. Our research has swung more and more into the security aspects of cloud, big data, and DevOps. But I can’t expect to fully understand them without going waist-deep to really use them. Like running, this restart was painful, but this was more like being punched in the mouth. I was terrible. I am good at learning new tools and languages and environments, and I expected a learning curve there. The really bad part is that much of what I used to do is now wrong. My old coding methods – setting up servers to be super-resilient, code re-use, aspects of object-oriented design, and just about everything having to do with old-school relational database design – need to get chucked out the window. I was not only developing slowly, but I found myself throwing code out and reworking to take advantage of new technologies. It would have been faster to learn Hadoop and Dynamo without my relational database background – I needed to start by unlearning decades of training. But after the painful initial foray, when I got a handle on ways to use these new tools, I began to feel more comfortable. I got productive. I started seeing the potential of the new technologies, and how I should really apply security. Then I got happy!

I’ve always been someone who just feels good when I produce something. But over and above that is something about the process of mastering new stuff and, despite taking some lumps, gaining confidence through understanding. Getting back in was painful but now it feels good, and is benefitting both my psyche and my research.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • In case you missed it, Dave Lewis, JJ, James Arlen, Rich, Mike, and Adrian posted some of our yearly RSA Conference preview on the RSAC Blog. We will post them and the remaining sections on the Securosis blog next week.
  • Mike on Endpoint Defense.


—Adrian Lane

Wednesday, April 01, 2015

Incite 4/1/2015: Fooling Time

By Mike Rothman

As we started recording the Firestarter Monday Rich announced the date. When he said “March 30”, it was kind of jarring. It’s March 30? How did that happen? Wasn’t it just yesterday we rang in the new year? I guess it was almost 90 yesterdays. Thankfully Rich cut me off as I went down the rabbit hole of wondering where the time went.


Every year is getting shorter, never seem to find the time
Plans that either come to naught or half a page of scribbled lines
Hanging on in quiet desperation is the English way
The time is gone, the song is over, thought I’d something more to say
– Pink Floyd, “Time”

Yup, I’m in one of those moods. You know, the mood where you are digging up Pink Floyd lyrics. Though it’s true – every year does seem to get shorter. It’s hard to find the time to do everything you want to. Everything you plan to. You can’t fool time, even on April Fool’s day. Time just keeps moving forward, which is what we all need to do.

I have become painfully aware of the value of time this year. It seems I have been in a cycle of work, run, yoga, travel, car pools, LAX games, and maybe a little sleep now and again. But when I pick my head up every so often, I see things changing. Right before my eyes. XX1 is no longer a little girl. She’s almost as tall as the Boss and is talking to me about getting her driver’s permit in 6 months. What? My little muncha driving? How can that be?

And people you know unexpectedly pass on. Many of us in the security community knew Michael Hamelin (@hackerjoe), and then over the holidays he was gone. Taken in a freak car accident. It makes you think about how you are using the short amount of time you have. I had a wave of inspiration and posted a few things on Twitter that day.


I’m fortunate to be a mentor, advisor, and friend to lots of folks who come to me for advice and perspective. I talk about courage a lot with these people. The courage to be who you want to be, regardless of who you ‘should’ be. The courage to make changes, if changes are necessary. The courage to get beyond your comfort zone and grow. It’s not easy to be courageous.

Ticking away the moments that make up a dull day
Fritter and waste the hours in an off-hand way
Kicking around on a piece of ground in your home town
Waiting for someone or something to show you the way
– Pink Floyd, “Time”

Many people choose to just march through life, even if they aren’t happy or fulfilled, and that’s okay. But time will move on, regardless of what you decide to do, or not do. If you think things will change without you changing them, you aren’t fooling time. You are only fooling yourself.


Photo credit: “hourglass_cropped” originally uploaded by openDemocracy

Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for? Check out the invite and then RSVP to rsvp (at) securosis.com so we know how much food to get…

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution


Incite 4 U

  1. Better breach disclosure: I hate it when stuff I use gets breached. I have to change passwords and the like. It’s just a hassle. But it does provide a learning opportunity, if the pwned company will talk about what happened. The latest disclosure darling seems to be Slack. You know, the chat app everyone seems to use. Evidently they had an attacker in their user database and some private information was accessible. Things like email addresses and password hashes. Their payment and financial information was apparently not accessible (segmentation FTW). Now they don’t know whether user data was actually accessed (but we need to assume it was). Nor do they have any proof passwords were decrypted. But at least they are candid about what they don’t know. And even better, they took action to address the issue. Like turning on two-factor authentication before it was quite ready. And providing a tool for an administrator to log everyone out of the system and force a password reset. As they learn more, we can only hope Slack shares more of the details of this attack. – MR

  2. The wisdom of retailers: Over the last decade I have been involved in two research projects to show how data breaches impacted firms’ brand value and stock prices. And yes, I worked for a security vendor at the time, who had a financial incentive to link them. What did I find? Nothing. The data was inconsistent, but if anything it suggested breaches and company value were unrelated. Our own Gunnar Peterson has been tracking this topic for as long as I’ve known him, and based solely on stock price, finds that breached companies outperform the market. The Harvard Business Review has done many great case studies on firms that have been breached, going back at least to 2007, but I believe this is the first time the HBR has come out with reasons why data breaches don’t hurt stock prices. But does that mean those retailers with a laissez-faire approach to security were right all along? If breaches are “… an inevitability of doing business …”, does that mean firms should only invest in “cyber insurance” to help pay the costs of cleanup? – AL

  3. Darwin and the WAF: Brian McHenry of F5 calls for the death of WAF as we know it and even references some of Adrian’s and my research. And who says flattery gets you nowhere? Brian’s point is that WAF needs to evolve with the advent of DevOps and more agile development processes, because you can’t tune the WAF to keep up with every application change. He’s right, but it’s a bigger issue than just WAF. Though given Brian is in the WAF business, that is his focus. DevOps and cloud and mobility disrupt the game. You need to rethink security and data protection… or not. As Deming said, “It is not necessary to change. Survival is not mandatory.” It applies to pretty much everything. Technologies, but also processes. If those don’t evolve (and drag technology with it), you’ll be on the endangered species list. But don’t fret – you won’t be lonely. A lot of technologies, vendors and practitioners won’t be able to make the jump. Maybe there is a gig available for a front-end processor engineer. (Old school) – MR

  4. Grab the popcorn: Now that vendors have reassessed their approaches to mobile payments, subsequent to Apple Pay shaking things up, we see new payment products from every corner. Square announced the acquisition of Kili, giving them NFC capabilities. Now merchants using Square can support either card-swipe or NFC transactions. Vodafone will also standardize on NFC communication, but will deliver a SIM card that embeds a secure element to hold the encryption keys needed for secure payment on mobile devices. These secure elements are the preferred choice for carriers, because anyone who wants access must pay the carrier. Unsurprisingly, Visa and Mastercard recently announced they are backing the more open Host Card Emulation approach – effectively a virtual secure hardware element – but now Microsoft has also announced use of HCE for their new Tap To Pay offering on Windows phones. We went from a snail’s pace to hair-on-fire product delivery, which means we can expect implementation flaws and notable hacks during this vendor stampede for market share. – AL

  5. It’s a mobile app – what could possibly go wrong? You all know what a big fan of surveys I am, but sometimes the data makes a point worth making. Without less-than-rigorous math, that is. The Ponemonsters did a survey for IBM which analyzed mobile app security. Basically there isn’t much, which I’m sure is a shock to most of you. In another surprising turn, the rush to get mobile apps out there and to meet customer needs is forcing organizations to take security shortcuts. Really! I know you are shocked. Yes, I took my sarcasm pills today. If there is an upside it is that mobile OSes are inherently better protected than PCs. I did not say fully protected – just better protected. But this is a systemic issue. Why would mobile apps be much different than anything else? Companies feel pressure to ship, they take shortcuts, security suffers. Breach happens, company gets religion. Until next time they have to take a shortcut. Wash, rinse, repeat. And we needed a survey to tell us that? – MR

—Mike Rothman

Tuesday, March 31, 2015

Firestarter: Using RSA

By Rich

The RSA Conference is the biggest annual event in our industry (really – there are tens of thousands of people there). But bigger doesn’t mean everything is better, and it can be all too easy to get lost in the event and fail to get value out of it. Even if you don’t attend, this is the time of year a lot of security companies focus on, which affects everything you see and read – for better and worse. This week we discuss how we get value out of the event, and how to find useful nuggets in the noise. From skipping panels (except Mike’s, of course) to hitting some of the less-known opportunities like Learning Labs and the Monday events, RSA can be very useful for any security pro, but only if you plan.

Watch or listen:


Monday, March 30, 2015

New Paper! Endpoint Defense: Essential Practices

By Mike Rothman


We’ve seen a renaissance of sorts regarding endpoint security. To be clear, most of the solutions in the market aren’t good enough. Attackers don’t have to be advanced to make quick work of the endpoint protection suites in place. That realization has created a wave of innovation on the endpoint that promises to provide a better chance to prevent and detect attacks. But the reality is that far too many organizations can’t even get the fundamentals of endpoint security right.

But the fact remains that many organizations are not even prepared to deal with unsophisticated attackers. You know, that dude in the basement banging on your stuff with Metasploit. Those organizations don’t really need advanced security now – their requirements are more basic. It’s about understanding what really needs to get done – not the hot topic at industry conferences. They cannot do everything to fully protect endpoints, so they need to start with essentials.

In our Endpoint Defense: Essential Practices paper, we focus on what needs to be done to address the main areas of attack surface. We cover both endpoint hygiene and threat management, making clear what should be a priority and what should not. It’s always useful to get back to basics sometimes, and this paper provides a way to do that for your endpoints.


We would like to thank Viewfinity for licensing the content in this paper. Our licensees allow us to provide our research at no cost and still pay our mortgages, so we should all thank them. As always, we developed this paper using our objective Totally Transparent Research methodology.

Visit the Endpoint Defense: Essential Practices landing page in our research library, or download the paper directly (PDF).

—Mike Rothman

Wednesday, March 25, 2015

Network-based Threat Detection: Overcoming the Limitations of Prevention

By Mike Rothman

Organizations continue to invest heavily to block advanced attacks, on both endpoints and networks. Despite all this investment, devices continue to be compromised in increasing numbers, and high-profile breaches continue unabated. Something isn’t adding up. It comes down to psychology – security practitioners want to believe that the latest shiny geegaw for preventing compromise will finally work and stop the pain.

Of course we are still waiting for effective prevention, right? So we have been advocating a shift in security spending, away from ineffective prevention and towards detection and investigation of active adversaries within your networks and systems. We know many organizations have spent a bunch of money on detection – particularly intrusion detection, its big brother intrusion prevention, and SIEM.

But these techniques haven’t really worked effectively either, so it’s time to approach the issue with fresh eyes. Our Network-based Threat Detection series will do just that. By taking a new look at detection, not from the standpoint of what we have done and implemented (IDS and SIEM), but what we need to do to isolate and identify adversary activity, we will be able to look at the kinds of technologies needed right now to deal with modern attacks. The times have changed, the attackers have advanced, and our detection techniques for finding adversaries need to change as well.

As always, we wouldn’t be able to publish our research for the awesome price of zero without clients supporting what we do. So we’d like to thank Damballa and Vectra Networks for potentially licensing this content at the end of this series. We will develop the content using our Totally Transparent Research methodology, with everything done in the open and objectively.

Threat Management Reimagined

Let’s revisit how we think about threat management now. As we first documented in Advanced Endpoint and Server Protection, threats have changed so you need to change the way you handle them. We believe threat management needs to evolve as follows:

  1. Assessment: You cannot protect what you don’t know about – that hasn’t changed and isn’t about to. So the first step is to gain visibility into all devices, data sources, and applications that present risk to your environment. Additionally you need to understand the security posture of anything you have to protect.
  2. Prevention: Next try to stop attacks from succeeding. This is where most of the effort in security has been for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It is now a question of reducing attack surface as much as practical. If you can stop the simplistic attacks you can focus on advanced ones.
  3. Detection: You cannot prevent every attack, so you need a way to detect attacks after they get through your defenses. There are a number of different options for detection – most based on watching for patterns that indicate a compromised device. The key is to shorten the time between when the device is compromised and when you discover it has been compromised.
  4. Investigation: Once you detect an attack you need to verify the compromise and understand what it actually did. This typically involves a formal investigation – including a structured process to gather forensic data from devices, triage to determine the root cause of the attack, and a search to determine how widely the attack spread within your environment.
  5. Remediation: Once you understand what happened you can put a plan in place to recover the compromised device. This might involve cleaning the machine, or more likely re-imaging it and starting over again. This step can leverage ongoing hygiene activities (such as patch and configuration management) because you can and should use tools you already have to reimage compromised devices.

This reimagined threat management process incorporates people, processes, and technology – integrated across endpoints, servers, networks, and mobile devices. If you think about it, there is a 5x4 matrix of all the combinations to manage threats across the entire lifecycle for all device types. Whew! That would be a lot of work (and a really long paper). The good news for this series is that we will focus specifically on network-based detection.

Why Not Prevention?

From reading thus far, you may think we’ve capitulated and just given up on trying to prevent attacks. Not true! We still believe that having restrictive application-centric firewall policies and looking for malware on the ingress pipes is a good thing. Our point is that you can’t assume that your prevention tactics are sufficient. They aren’t.

Adversaries have made tremendous progress in evading intrusion prevention and malware detonation devices (sandboxes). And remember that your devices aren’t always protected by the network perimeter or your other defenses. Employees take devices outside the network and click on things, so those devices may come back onto the corporate network infected.

That doesn’t mean these devices don’t catch stuff, but they don’t catch everything. So if you are having trouble understanding the importance of detection, think of it as Plan B. Every good strategist has a Plan B (and Plan C, D, and E), and focusing effort on detection gives you a fallback position when your prevention doesn’t get it done.

So in a nutshell, it’s not either prevention or detection. It’s both.

Why Not Existing Monitoring?

You probably already spent a bunch of time and money implementing intrusion detection/prevention and SIEM to monitor those network segments. So why isn’t that good enough? It comes down to a fundamental aspect of IDS and SIEM: you need to know what you are looking for. Basically, you define a set of conditions (rules/policies) to look for typical patterns of attacks in your network traffic or event logs. If an attacker uses a common attack that has already been profiled, and you have added the rule to your detection system, and your device can handle the volumes (because you probably have 10,000 other rules defined in that device) you will be able to find that attack.

But what if the attacker is evading your devices by hiding traffic in a standard protocol and communicating by proxying through a legitimate network? What if they are using a pattern you haven’t seen before? Yep, you’ll miss the attack.

Again, it’s not like you don’t have to monitor your systems and networks anymore. Compliance mandates that you still need your IPS and your SIEM. It’s still critical to collect data and analyze it to find attacks you know about. And to be fair, many IDS/IPS and SIEM platforms are adding more sophisticated analysis to their standard correlation capabilities to improve detection. But these approaches still require a lot of tuning and experimentation to get right, and nobody has time to do everything. Nobody has time to waste on a noisy security monitor.

The Answer Is…

Unfortunately we haven’t found sustainable cold fusion, or a magic bullet that identifies every attack from every adversary every time (cold fusion actually seems a bit more likely). Would be nice though, right? But a couple of capabilities have come together to enable better and more accurate detection on the network:

  1. Math: Actually math has been around for a while (yes, that’s sarcasm). But improved ability to find patterns among a variety of data sources has made a big difference in the effectiveness of detection. Vendors call this “Big Data Analytics” and “Machine Learning”. Shiny buzzwords aside, these capabilities improve your ability to find anomalous traffic earlier in the attack chain.
  2. Context: Anomaly detection has been around almost as long as math, but it offered limited value because it threw off a lot of false positives. An anomaly could just as easily be legitimate as malicious, but you had no way to tell the difference without a pretty deep investigation. So being able to evaluate other types of data such as identity and content/payload, and to prioritize anomalies based on which are more likely to be an attack, helps you eliminate now-obvious false positives.
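To make the two arguments above concrete (a rule-based IDS/SIEM only finds what it has a rule for; a baseline anomaly plus context turns a noisy alert into a prioritized one), here is an added example that is not from the original post or from any vendor product. All flow records, baselines, IP addresses (RFC 5737 documentation ranges), reputation labels and score weights are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Every value below is constructed for the example; none of it is real telemetry.

@dataclass
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int

# Per-host history of daily egress volume (bytes): the anomaly baseline.
EGRESS_HISTORY = {
    "ws-alice": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000],
    "backup-01": [40_000_000_000, 38_000_000_000, 41_000_000_000,
                  39_000_000_000, 40_500_000_000],
}

# What a rule-based IDS/SIEM carries: destinations already profiled as bad.
KNOWN_BAD_IPS = {"203.0.113.9"}

# Context that plain anomaly detection lacks: identity (host role),
# sanctioned destinations, and destination reputation.
HOST_ROLE = {"ws-alice": "user-workstation", "backup-01": "backup-server"}
SANCTIONED = {("backup-01", "198.51.100.20")}   # approved offsite backup target
DEST_REPUTATION = {"198.51.100.20": "known-good",
                   "192.0.2.77": "unknown",
                   "203.0.113.9": "known-bad"}

def signature_match(flow: Flow) -> bool:
    """The IDS/SIEM view: fires only on destinations already on the list."""
    return flow.dst_ip in KNOWN_BAD_IPS

def egress_zscore(flow: Flow) -> float:
    """Standard deviations this flow's volume sits above the host's own baseline."""
    hist = EGRESS_HISTORY[flow.src_host]
    mu, sigma = mean(hist), pstdev(hist)
    return (flow.bytes_out - mu) / sigma if sigma else 0.0

def score_flow(flow: Flow, z_threshold: float = 3.0) -> tuple[int, list[str]]:
    """Combine the rule hit, the anomaly and the context into one priority score."""
    score, reasons = 0, []
    if signature_match(flow):
        score += 10
        reasons.append("destination on known-bad list")
    z = egress_zscore(flow)
    if z > z_threshold:
        score += 3
        reasons.append(f"egress {z:.0f} sigma above baseline")
        if (flow.src_host, flow.dst_ip) in SANCTIONED:
            score -= 3          # context: this host is supposed to move bulk data there
            reasons.append("sanctioned destination for this host")
        if DEST_REPUTATION.get(flow.dst_ip, "unknown") == "unknown":
            score += 2          # context: nobody vouches for the destination
            reasons.append("destination has no reputation")
        if HOST_ROLE.get(flow.src_host) == "user-workstation":
            score += 1          # context: workstations rarely push bulk data out
            reasons.append("bulk egress from a user workstation")
    return score, reasons

SAMPLE_FLOWS = [
    Flow("ws-alice", "203.0.113.9", 443, 500_000),             # listed destination, small volume
    Flow("ws-alice", "192.0.2.77", 443, 25_000_000),           # unlisted destination, 25 MB out
    Flow("backup-01", "198.51.100.20", 443, 120_000_000_000),  # full backup run
]

def triage(flows):
    """Return (flow, score, reasons) tuples ordered by priority, highest first."""
    scored = [(flow, *score_flow(flow)) for flow in flows]
    return sorted(scored, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for flow, score, reasons in triage(SAMPLE_FLOWS):
        print(f"{score:>3} {flow.src_host} -> {flow.dst_ip}: "
              f"{'; '.join(reasons) or 'nothing unusual'}")
```

The second flow is the one the post is worried about: no rule fires because the destination was never profiled, the volume alone is a large anomaly (as is the backup server's, which is the classic false positive), and only the added context separates the two. Real products use far richer features, but the shape of the decision is the same.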

So network-based detection has evolved to the point where you can identify devices that look like they have been compromised. To be clear, this is still suboptimal, because damage has already been done. Our inner security purist still wants to block every attack. But a breach doesn’t happen until exfiltration occurs, and if you are able to respond faster and better you can contain the damage. That’s what better detection is all about.

Our next post will dig into the typical indications of a compromised device. Attackers always leave traces, so by looking for certain things on your network you can find them.

—Mike Rothman

Incite 3/25/2015: Playing it safe

By Mike Rothman

A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable.

Comfort is uncomfortable

I guess I have always been this way. Taking risks isn’t risky from where I sit. In fact playing it safe feels dangerous. Of course I don’t take stupid risks and put myself in harm’s way. At least I don’t any more – now I have a family who depends on me. But people ask me how I have the courage to start new businesses and try things. I don’t know – I just do. I couldn’t really play it safe if I tried.

Not that playing it safe is bad. To the contrary, it’s a yin-yang thing. Society needs risk-takers and non-risk-takers. However you see yourself, make sure you understand and accept it, or it will not end well.

For instance some folks dream of being a swashbuckling entrepreneur, jumping into the great unknown with an idea and a credit card to float some expenses. If you are risk-averse that path will be brutal and disappointing. Even if the venture is successful it won’t feel that way because the roller coaster of building a business will be agonizing for someone who craves stability.

Risk Takers

Similarly if you put an entrepreneur into a big stable company, they will get into trouble. A lot of trouble. Been there, done that. That’s why it is rare to see true entrepreneurs stay with the huge companies that acquire them, after the retention bonuses are paid and the stock is vested. It’s just soul-crushing for swashbucklers to work in a place with subsidized cafeterias and large HR departments.

I joked that it was time to leave META Group back in the mid-90s, when we got big enough that there were people specifically tasked with making my job harder. They called it process and financial controls. I called it bureaucracy and stupid paperwork. It didn’t work for me so I started my own company. With neither a subsidized cafeteria nor an HR department. Just the way I like it.


Photo credit: “2012_05_050006 Road to Risk Takers Select Committees” originally uploaded by Gwydion M. Williams

Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for? Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Endpoint Defense Essential Practices

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers

Incite 4 U

  1. We’re hacking your stuff too, eh! All my Canadian friends are exceedingly nice. I’m sure many of you know our contributors from up North, Dave Lewis and James Arlen, and there aren’t any nicer people. They are cranky security people like the rest of us, but they somehow never seem cranky. It’s a Canadian thing. So when you hear about the Canadians doing what pretty much every other government is doing and hacking the crap out of all sorts of things, you say, “Eh? The Canadians? Really?” Even better, the Canadians are collaborating with the NSA to use social engineering and targeted attacks to “garner foreign intelligence or inflict network damage.” The spinmeisters were spinning hard about the documents being old, blah blah blah. Maybe they need a little Rob Ford action in the cyber department to give us the real low-down. But you know what? I’m sure they were very polite guests and left everything exactly as they found it. – MR

  2. He had me at Manifesto: I love a good manifesto. Nothing gets the blood moving like a call to arms, to rally the troops to do something. My friend Marc Solomon of Cisco advocates for CISOs to write their own manifestoes to get the entire organization thinking about security. I’m not sure how you make security “a growth engine for the business”, but a lot of his other aspirations are good. Things like security must be usable, transparent, and informative. Yup. And security must be viewed as a “people problem,” which really means that if you didn’t have all these pesky employees you would have far fewer security problems. Really it’s a sales document. You (as CISO) are selling the security mindset to your organization, and that is a manifesto worth writing. – MR

  3. E-DDoS coming to a cloud near you: One of the newer attack vectors I highlighted in our denial of service research a couple years ago was an economic denial of service. An adversary can hammer a cloud-based system, driving costs up to the victim’s credit limit. No more credit, no more cloud services. I guess that’s the cloud analogue to “No shoes, no shirt, no dice.” (Dude…) It seems someone in China doesn’t like that some website allows connectivity to censored websites, so they are blasting them with traffic, costing $30,000/day in cloud server costs. These folks evidently have a lot of credit with Amazon and haven’t been forced to shut down. Yet. Aside from the political reality an attack like this represents, it is a clear example of another more diabolical type of attack. A DDoS that knocks your stuff down may impact sales, but not costs. This kind of attack hits you below the belt: right in the wallet. – MR

—Mike Rothman

Friday, March 20, 2015

Endpoint Defense Essential Practices

By Mike Rothman

The area of security with the most increased focus recently is protecting the endpoint. Once you stop snickering, it makes some sense. For years (or decades, depending on how cynical you want to be) endpoint security was the beneficiary of the compliance driver. Whether the technologies actually protected anything was beside the point. Assessors would show up, and you needed to have AV. Then advanced attackers happened and the industry started innovating, starting with network security, leaving the endpoint largely unprotected.

But that’s no longer a defensible strategy. Endpoints are more likely untethered than not, so these devices are no longer within the corporate perimeter. You could route all traffic through your corporate network, but that defeats the purpose of the cloud and the Internet. We have seen a renaissance of sorts with lots of interesting technologies designed to protect endpoints. We covered many of these developments in our Advanced Endpoint and Server Protection paper.

But the fact remains: many organizations are not even prepared to deal with unsophisticated attackers. You know, that dude in the basement banging on your stuff with Metasploit. Those organizations don’t really need advanced security – their needs are more fundamental. They need to understand what really needs to get done – not the hot topic at industry conferences. They cannot do everything to fully protect endpoints, so they need to start with the essentials.

So this post is all about these Essential Practices of Endpoint Defense. Thanks to our friends at Viewfinity, we will turn this post into a short paper.

Securing Endpoints Is Hard

Why is this still a discussion? Endpoints have been around for decades, and organizations have spent tens of billions of {name your favorite currency} to protect these devices. But every minute more devices are compromised, breaches result, and your Board of Directors wants an explanation of why this keeps happening. Two issues underlie the difficulties of endpoint protection. First, let’s be candid. It’s a software issue – software has defects, which attackers exploit. Second, employees routinely fall for simplistic social engineering attacks, resulting in a software install or clicked link – the beginning of a successful attack.

And you are a target, regardless of the size of your organization. You have something someone else wants to steal, and they will try. Complicating the situation, adversaries continue to automate their reconnaissance and attack efforts. You are not protected by resource constraints – the entire Internet can be scanned for common vulnerabilities daily.

The status quo doesn’t work for our side. We need to take a step back, and look at protecting endpoints with fresh eyes. This provides an opportunity to determine what’s really essential.

Defending Endpoints

As we have alluded, there are two aspects to defending endpoints: hygiene and threat management. They are co-dependent – you cannot address only one of them and expect your endpoints to be protected.

Endpoint Defense Yin Yang

  • Endpoint Hygiene: The operational aspects of reducing device attack surface are an integral aspect of endpoint security strategy. You need to ensure you have sufficient capabilities to manage patches and enforce security configuration policies. Additionally, you should ensure employees have the least privilege necessary on each device to prevent privilege escalation, and lock down device ports.

  • Endpoint Threat Management: Advanced attackers are only as advanced as they need to be: they take the path of least resistance. But the converse is also true. When these adversaries need advanced techniques, they use them. Traditional malware defenses such as antivirus don’t stand much chance against a zero-day attack. An effective threat management process incorporates people, processes, and technology.

Now let’s dig into both aspects of endpoint defense to identify these essential practices.

Endpoint Hygiene

Consistent and effective hygiene practices are elusive, both personally (look at your dentist’s fancy car) and within security. It is not a lack of desire – everyone wants to ensure their devices are difficult to compromise. It has been a challenge of operational excellence. To be clear, effective hygiene practices don’t completely protect endpoints, but they certainly make them much harder targets.

The essential practices we lump into the hygiene bucket include:

  • Patch Management
  • Configuration Management
  • Device Control
  • Least Privilege

Patch Management

Patch managers install fixes from software vendors to address vulnerabilities. The most well-known patching process is Microsoft’s monthly Patch Tuesday, when the company issues a variety of software fixes to address defects in its products – many of which could result in system exploitation. Other vendors have adopted similar approaches, with a periodic patch cycle and out-of-cycle patches for more serious issues. Once a patch is issued your organization needs to assess it, figure out which devices need to be patched, and install it within the window specified by policy – typically a few days. A patch management product scans devices, installs patches, and reports on the success or failure of the process. Our Patch Management Quant research provides a detailed view of the patching process, so refer to it for more information.

Configuration Management

Configuration management enables an organization to define an authorized set of configurations for devices. These configurations can control pretty much everything that happens on the device, including: applications installed, device settings, running services, and on-device security controls. Another aspect of configuration management is the ability to assess configurations and identify changes, which is valuable because unauthorized configuration changes may indicate malware execution or an exploitable operational error. Additionally, configuration management can help ease the provisioning burden of setting up and reimaging devices after infection.
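The assessment side of configuration management described above (compare what a device looks like against the authorized configuration, and treat unauthorized changes as a possible sign of malware or an exploitable error) is simple to implement once you have a canonical form for the configuration. The following is an added example, not code from the post or from any configuration management product; the baseline keys, the service names and the two device observations are constructed placeholders, and the choice of which keys count as high-risk is an assumption for illustration.

```python
import hashlib
import json

# Authorized configuration for one device class, as a configuration manager would define it.
# Constructed for the example; keys and values are illustrative, not a real baseline.
AUTHORIZED_BASELINE = {
    "firewall.enabled": True,
    "autorun.enabled": False,
    "rdp.enabled": False,
    "services.running": ["wuauserv", "EventLog", "MpsSvc"],
    "local_admins": ["Administrator"],
    "av.realtime_protection": True,
}

# Settings where an unauthorized change is most likely malware or a risky operational error.
HIGH_RISK_KEYS = {"firewall.enabled", "av.realtime_protection", "local_admins", "rdp.enabled"}

def fingerprint(config: dict) -> str:
    """Stable hash of a configuration: identical states hash equal regardless of key order."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_config(baseline: dict, observed: dict) -> list[dict]:
    """Report every key whose observed value departs from the authorized one."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        want, have = baseline.get(key), observed.get(key)
        if want == have:
            continue
        if isinstance(want, list) and isinstance(have, list):
            # list-valued settings: say exactly what appeared or disappeared
            detail = {"added": sorted(set(have) - set(want)),
                      "removed": sorted(set(want) - set(have))}
        else:
            detail = {"expected": want, "observed": have}
        findings.append({"key": key,
                         "severity": "high" if key in HIGH_RISK_KEYS else "low",
                         **detail})
    return findings

def assess_device(hostname: str, observed: dict) -> dict:
    """Cheap hash comparison first; only a mismatch pays for the detailed diff."""
    drifted = fingerprint(observed) != fingerprint(AUTHORIZED_BASELINE)
    findings = diff_config(AUTHORIZED_BASELINE, observed) if drifted else []
    return {"host": hostname,
            "drifted": drifted,
            "high_risk": any(f["severity"] == "high" for f in findings),
            "findings": findings}

# Constructed observations from two devices.
OBSERVED = {
    "ws-alice": {**AUTHORIZED_BASELINE},                       # matches the baseline
    "ws-bob": {**AUTHORIZED_BASELINE,
               "av.realtime_protection": False,                # protection switched off
               "local_admins": ["Administrator", "svc_helper"],  # a new local admin appeared
               "services.running": ["wuauserv", "EventLog", "MpsSvc", "updsvc"]},  # extra service
}

if __name__ == "__main__":
    for host, cfg in OBSERVED.items():
        print(json.dumps(assess_device(host, cfg), indent=2))
```

The same fingerprint is what lets the provisioning side of the tool confirm a freshly reimaged device actually came back in the authorized state, which is the link to remediation the post mentions.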

Device Control

End users love the flexibility USB ports provide for ‘productivity’. Unfortunately USB doesn’t just enable employees to share music with buddies – it also lets them download your entire customer database onto their phones. It all became much easier once the industry standardized on USB a decade ago. The ability to easily share data has facilitated employee collaboration, while also greatly increasing the risks of data leakage and malware proliferation. Device control technology enables you to enforce policy – both who can use USB ports and how – and capture whatever is copied to and from USB devices. As an active control, monitoring and control over device usage addresses a major risk.

Least Privilege

Employees don’t mean to mess up their devices, for the most part. But allowing them to install software, use new devices like printers, and change endpoint configurations can lead to device exploitation. So eliminating device owners’ ability to manage devices can dramatically reduce attack surface. That said, a lot of endpoint changes are legitimate, so a key aspect of implementing least privilege is ensuring there is a clear process to allow employees to do their jobs. For instance, trusted employees might be able to get a 24-hour grace period for a change, while less sophisticated employees may need to run through an approval process to install new software.

Endpoint Threat Management

We define threat management within the context of dealing with an attack, as a subset of a larger security program – typically the most visible capability. So it’s time to explain the components of threat management.

Assessment
You cannot protect what you don’t know about – that hasn’t changed and is not about to. So the first step is to gain visibility into all devices, data sources, and applications that present risk to your environment. Additionally you need to understand the security posture of anything you have to protect.

You need to know what you have, how vulnerable it is, and how exposed it is. With this information you can prioritize your exposure and design a set of security controls to protect your assets.

  • Mission Assessment: As we described in our CISO’s Guide to Advanced Attackers, you need to understand what attackers will try to access in your environment, and why. We call this Mission Assessment, and it involves figuring out what’s important in your environment.

  • Discovery: This process finds the endpoints and servers on your network and makes sure everything is accounted for. It includes an ongoing discovery process to shorten the window between something popping up on your network, you discovering it, and figuring out whether it has been compromised.

  • Determine Security Posture: Once you know what’s out there you need to figure out how vulnerable it is. That typically requires some kind of vulnerability scan on the devices you discovered. There are many aspects to vulnerability scanning – at the endpoint, server, and application layers. Check out our Vulnerability Management Evolution research to understand how a vulnerability management platform can help prioritize operational security.

It may not be as sexy as a shiny malware sandbox or advanced detection technology, but these assessment tasks are necessary before you can even start thinking about building a set of controls to prevent attacks. Assessment needs to happen on an ongoing basis because your technology environment is dynamic, and the attacks you see are subject to change as well – sometimes daily.

Prevention
Next you try to stop attacks from succeeding. This is where most of the effort in security has been for the past decade, with mixed (okay – lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the plain fact is that you cannot prevent every attack. It is now a question of reducing your attack surface as much as practical.

  • Traditional Signatures: Signature-based controls are all about maintaining a huge blacklist of known malicious files to prevent from executing.

  • Advanced Heuristics: You cannot depend on matching what a file looks like, so you need to pay close attention to what it does, and profile typical patterns of successful attacks. This is the concept behind the advanced heuristics used to detect malware.

  • Application Control/Whitelisting: Application control implies a default deny posture on devices. You define a set of authorized executables that can run on a device, and block everything else. With a strong policy in place, application control provides true device lockdown – no executables (either malicious or legitimate) can execute without explicit authorization. Check out our Application Control research for a lot more detail on this approach.

  • Isolation: In addition to better profiling malware and searching for indicators of compromise, another prevention technique with growing popularity is isolating executables from the rest of the device by running them in a sandbox. The idea is to spin up a walled garden for a limited set of applications, to shield the rest of the device from anything bad happening within those applications.
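The first three prevention approaches above differ in one decision: what happens to an executable nobody has seen before. As an added example (not code from the post or from any endpoint product), the block below runs the same three constructed samples through a hash blacklist, a behavioural heuristic and a default-deny whitelist. The sample "binaries" are placeholder byte strings, the action list and its weights are an assumption for illustration, and the hash is used in place of a real file image.

```python
import hashlib

def sha256_of(data: bytes) -> str:
    """Hash used by both the blacklist and the whitelist to identify an executable."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable images; placeholders, not real binaries.
SAMPLES = {
    "notepad.exe": b"constructed-authorized-editor-image",
    "known-bad.exe": b"constructed-malware-sample",
    "repacked.exe": b"constructed-malware-sample-repacked-to-change-the-hash",
}

# Traditional signatures: hashes of malware already profiled. Only one sample is known.
BLACKLIST = {sha256_of(SAMPLES["known-bad.exe"])}

# Application control: the executables the organization has explicitly authorized.
WHITELIST = {sha256_of(SAMPLES["notepad.exe"])}

# Advanced heuristics: weights for behaviours typical of successful attacks (constructed).
ACTION_WEIGHTS = {
    "write_startup_folder": 3,
    "disable_av": 4,
    "inject_into_process": 4,
    "connect_unknown_host": 2,
    "open_document": 0,
    "write_user_file": 0,
}
HEURISTIC_THRESHOLD = 5

def blacklist_decision(data: bytes) -> str:
    """Signatures: block a known-bad hash, let everything else run (default allow)."""
    return "block" if sha256_of(data) in BLACKLIST else "allow"

def whitelist_decision(data: bytes) -> str:
    """Application control: run only authorized hashes (default deny)."""
    return "allow" if sha256_of(data) in WHITELIST else "block"

def heuristic_decision(actions: list[str]) -> str:
    """Judge the executable by what it does, not by what it looks like."""
    score = sum(ACTION_WEIGHTS.get(a, 1) for a in actions)   # unseen actions count as 1
    return "suspicious" if score >= HEURISTIC_THRESHOLD else "benign"

# Constructed runtime observations for each sample.
OBSERVED_ACTIONS = {
    "notepad.exe": ["open_document", "write_user_file"],
    "known-bad.exe": ["write_startup_folder", "disable_av", "connect_unknown_host"],
    "repacked.exe": ["write_startup_folder", "disable_av", "connect_unknown_host"],
}

def compare(samples=SAMPLES, actions=OBSERVED_ACTIONS) -> dict:
    """One row per sample showing what each control would do with it."""
    return {
        name: {
            "signature": blacklist_decision(data),
            "heuristics": heuristic_decision(actions[name]),
            "whitelist": whitelist_decision(data),
        }
        for name, data in samples.items()
    }

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:<14} {verdicts}")
```

The repacked sample is the point: a trivial change to the file defeats the hash blacklist, the heuristic still catches it because its behaviour is unchanged, and the whitelist never had to recognize it at all. The flip side, which the post calls out, is that the whitelist also blocks a legitimate but unauthorized tool, so the policy and the exception process carry the operational cost.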

Now it’s time for the hard truth. You cannot block all attacks. Adversaries have gotten much better, attack surface has increased dramatically, and you are not going to prevent every attack. Pwnage happens, so what you do next is critical – both to protecting critical information in your environment, and to your success as a security professional.

Detection
There are a number of different options for detection – most based on watching for patterns that indicate a compromised device. The key is to shorten the time between when the device is compromised and when you discover it has been compromised.

In the broader sense, detection needs to include finding attacks you missed during execution because:

  1. You didn’t know it was malware at the time – which happens frequently, especially given how quickly attackers innovate. Advanced attackers have stockpiles of unknown exploits (0-days) which they use as needed. So your prevention technology could be working as designed, but still not recognize an attack. There is no shame in that.
  2. The prevention technology missed the attack – This is common because advanced adversaries specialize in evading known preventative controls.

So how can you detect after compromise? Monitor other data sources for indicators that a device has been compromised. Very few organizations have the dubious distinction of being first to see a new ‘advanced’ attack, so you should be able to look for emerging attack indicators, IP and file reputation, etc. as a basis for detecting attacks. This kind of “threat intelligence” enables you to benefit from the misfortune of others, by looking for attacks you haven’t seen yet.

Once you identify a potentially compromised device, you need to verify your suspicion. Verification involves scrutinizing what the endpoint has done recently for indicators of compromise, or other activity that confirms a successful attack.

Investigation
Once you detect an attack you need to verify the compromise and understand what it actually did. This typically involves a formal investigation – including a structured process to gather forensic data from devices, triage to determine the root cause, and a search to determine how widely the attack spread within your environment.

  • Data Capture: To really investigate a device you need to capture what’s happening on endpoints and servers at a very granular level. This includes file activity, registry changes, privilege escalation, executed programs, network activity, and a variety of other activity on the device.

  • Analytics: Endpoints and servers generate a huge amount of data, so a product needs to perform Big Data style analysis on telemetry data to identify patterns and develop relationships across data sources. Having the data is the first step. Supplementing it with external information to help prioritize focus areas is second. Being able to analyze data to provide useful information to security practitioners and incident responders is the third leg of the device activity monitoring triangle.

Remediation
Once you understand what happened you can put a plan in place to recover. This might involve cleaning the machine, or more likely reimaging it and starting over again. This step can leverage ongoing hygiene activities (such as patch and configuration management), because you can and should use tools you already have to reimage compromised devices.

It also requires tight integration with the Operations team – most organizations separate out threat management functions from endpoint operations functions. This means integrating systems and ensuring that the handoffs between the security and Ops teams are well-structured and efficient.

Bringing It All Together

The key to making both sides of endpoint defense work well is a common data model. You should be able to integrate and analyze data about endpoints without moving between systems or looking at only half the story (either threat management or hygiene). For example if you detect a known malware file on an endpoint you know has been patched to protect it from that compromise, you can move on to other more pressing concerns.

On the other side of the coin, if a different device has known malware installed and recently escalated privileges (as recorded by policy), you know that’s a serious problem; you can immediately quarantine the device by shutting down the network connectivity, then locking down what software it can execute by enforcing a whitelisting policy. Without hygiene and threat management consolidating data into a common view you cannot attain that level of integrated defense.

You do not need to use one solution for everything, but you must be able to integrate data to build a consistent end-to-end view. This might involve sending data to a separate aggregation platform like a SIEM or security analytics product, or ensuring that both your hygiene and threat management vendors can export data to your integration point.


Perfectly defending against endpoint attacks is a pipe dream, so organizations need to shift away from ineffective legacy protection technologies and procedures. Endpoint security has two major components: hygiene and threat management. Neither is sufficient itself – you need to implement and test both to adequately defend endpoints. It is tempting to focus on state-of-the-art defenses to protect against advanced attacks, but without a strong foundation to reduce attack surface and ensure endpoint hygiene, your devices will be compromised.

This is another situation where you need to walk before you can run. Get the essential pieces of the foundation in place, and then layer more advanced prevention and detection technologies onto your foundation. That isn’t what most organizations want to hear, but it’s necessary. If you can’t get the basic functions right you have no chance against an adversary who knows what they are doing.

—Mike Rothman

New! Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers, & Applications

By Rich

Woo Hoo! It’s New Paper Friday!


Over the past month or so you have seen Adrian and me put together our latest work on encryption. This one is a top-level overview designed to help people decide which approach should work best for datacenter projects (including servers, storage, applications, cloud infrastructure, and databases). Now we have pieced it together into a full paper.

We’d like to thank Vormetric for licensing this content. As always we wrote it using our Totally Transparent Research process, and the content is independent and objective. Download the full paper.

Here’s an excerpt from the opening:

Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is “compliance, cloud, and covert affairs”. Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments).

Thanks to increasing demand we have a growing range of options, as vendors and even free and Open Source tools address this opportunity. We have never had more choice, but with choice comes complexity – and outside your friendly local sales representative, guidance can be hard to come by.

For example, given a single application collecting an account number from each customer, you could encrypt it in any of several different places: the application, the database, or storage – or use tokenization instead. The data is encrypted (or substituted), but each place you might encrypt raises different concerns. What threats are you protecting against? What is the performance overhead? How are keys managed? Does it all meet compliance requirements?

This paper cuts through the confusion to help you pick the best encryption options for your projects. In case you couldn’t guess from the title, our focus is on encrypting in the data center: applications, servers, databases, and storage. Heck, we will even cover cloud computing (IaaS: Infrastructure as a Service), although we covered it in depth in another paper. We will also cover tokenization and discuss its relationship with encryption.

We would like to thank Vormetric for licensing this paper, which enables us to release it for free. As always, the content is completely independent and was created in a series of blog posts (and posted on GitHub) for public comment.


Summary: Crunch Time

By Rich

I’ve had one conversation about 8 times this week:

“Ready for RSA?”

“Not even close.”

“Yeah, figured it would be better since they pushed it out an extra month, but not so much.”

For those who don’t know, the RSA conference is the biggest event in our industry. Usually it’s in February or March, but this year it’s in April. A full extra month to prep presentations, or marketing material for vendors (my end-user friends who aren’t presenting don’t worry about any of this). Plus there are all the community things, like the Security Blogger’s Meetup, our Disaster Recovery Breakfast, and so on.

Seems like we all just pushed everything back a month, and if anything are even further behind than usual. Or maybe that’s just me, a pathological procrastinator.

So I don’t have time for the usual Summary this week. Especially because we have a ton of projects going on concurrently, and I’m about to start bouncing around the country again for client projects. The travel itself isn’t exciting but the projects themselves are. Most of my trips are to help end-user orgs build out their cloud security strategy and tactics. It’s a big change from Gartner, when I never got to roll up my sleeves and dig in deep. The fascinating bit is the kinds of organizations who are moving to cloud (mostly AWS, because that’s where I’m deepest technically). Instead of being startups these are established companies, some quite large, and a few heavily regulated. I knew we’d get here someday, but I didn’t expect cloud adoption to hit these segments so soon.

Mike and Adrian are just as busy as I am, which is why the blog is so slow, but some new projects are about to hit. We’ve also been working on our annual RSA Guide, which you will start seeing pieces of soon. This year our Contributing Analysts wrote a lot of the content.

But hey, we’ve been around 8+ years and still put up multiple blog posts a week, even when things are ugly. So we have that going for us.

Which is nice.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

This week’s best comment goes to Tom, in response to My $500 Cloud Security Screwup–UPDATED.

Great writeup – being able to admit you made a mistake is very hard for some, but we all do, bravo for being up front about it.

AWS (Amazon, in general) has always been really super super reasonable about charges with me – I too have had them reverse a charge (in my case, for Amazon prime that I didn’t really use) that was totally on my own shoulders, without me asking – good on them, it makes me feel very, very comfortable with trusting them to do the right thing. I like to think a big part of it was you posting about this and owning the issue – this is an awesome example of how to handle this sort of situation with integrity and competence.

I suggest the VERY first thing you do with a new AWS account is turn on MFA, make an IAM account, and put the master credentials on a thumb drive in a desk drawer (locked, ideally). Then, use that IAM account to make less-privileged ones, and use those in practice. It is a pain, to be sure, but it is important to lay a good foundation. (I actually have gone further and worked out federated access for our team at work, and ALL credentials that could reasonably be exposed have a very short lifespan – accidentally checked-in creds in code are to our internal auth server, unusable to the real world. It was a pain, but it lets me sleep better.)

You inspire me; I should clean up the federation server and put it out there for others to use.


Wednesday, March 18, 2015

Incite 3/18/2015: Pause

By Mike Rothman

It’s been over a month since I wrote an Incite. It is the longest gap since I joined Securosis. I could talk about my workload, which is bonkers right now. But over the years I’ve written the Incite regardless of workload. I could talk about excessive travel, but I haven’t been traveling nearly as much as last year. I could come up with lots of excuses, but as I tell my kids all the time, “I’m not in the excuses business.”

Here’s the reality: I needed a break. I have plenty to write about, but I found reasons not to write. There is a ton of stuff going on in security, so there were many interesting snippets I let fly right on by. But I didn’t write it, and I didn’t really question it. What I needed was what my Tao teacher calls a pause.

Hit the pause button

You could need a pause for lots of reasons. Sometimes you have been running too hard for too long. Sometimes you need to change things up a bit because the status quo makes you unhappy. Sometimes you need some space to recalibrate and figure out what you want to do and where you want to go. Of course, this could be for very little things, like writing the Incite every week. Or very big things. But without taking a pause, you don’t have the space to make objective decisions.

You are reading this, so obviously I am writing the Incite. So during my pause, it became clear that the Incite is an important part of what I do. But it’s bigger than that. It’s an important part of who I am. I have shared the good and the not so good through the years. I have met people who tell me they have experienced what I write about, and it’s helpful for them to commiserate – even if it’s virtual. Some tell me they learn through my Incites, and there is nothing more flattering. But it’s not why I write the Incite.

I write the Incite for me. I always have. It’s a journal of sorts representing my life, my views, and my situation at any given time. Every so often I go back a couple years and read my old stuff. It reminds me of what things were like back then. It’s useful because I don’t spend much time looking backwards. It’s interesting to see how different I am now. Some people journal in private. I do that too. But I have found my public journal is important to me.

The pause is over. I’m pushing Play. In the coming months there will be really cool stuff to share and some stuff that will be hard to communicate. But that’s life. You take the good and the bad without judgement. You move forward. At least I do. So stay tuned. The next few months are going to be very interesting, for so many reasons.


Photo credit: “Pause? 272/265” originally uploaded by Dennis Skley

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. It’s on YouTube; take an hour and watch it. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Cracking the Confusion

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers

Incite 4 U

(Note: Don’t blame Rich or Adrian for the older Incite… They got me stuff on time – it just took me a month to post it. You know, that pause I talked about above.)

  1. There are no perfect candidates… There is no such thing as perfect security, so why would there be perfect security candidates? Our friend Andy Ellis, CISO of Akamai, offers a refreshing perspective on recruiting security professionals. Andy focuses on passion over immediate competence. If a person loves what they do they can learn the rest. I think that’s great, especially given the competition for those with the right certifications and keywords on their CVs. Andy also chooses to pay staffers fairly instead of pushing them to find other jobs as their skills increase. Again, very smart given the competition for security staff. The #1 issue we hear from CISO types, over and over, is the lack of staff / recruiting challenge. So you need to find folks in places others aren’t looking, and invest in them – knowing a few will leave for greener pastures at some point. That’s all part of the game. – MR

  2. No love: Another encryption vendor got rolled up recently, with Voltage Security acquired by HP. But before you lose your train of thought with jokes about how HP is where tech companies go to die – yeah, we heard a lot of that in the last 24 hours – note this is happening to encryption firms of all sizes. In case you missed it, Porticor was acquired by Intuit the week before the HP/Voltage deal. And before that, SafeNet went to Gemalto, Entrust to Datacard, and Gazzang to Cloudera. You would think selling data encryption in the age of data breaches would be like giving ice cream to kids on a hot day, but the truth is selling is hard because implementing it is hard. Customers view encryption as a commodity, with one AES implementation the same as every other, and complain bitterly about cost and key management headaches. Encryption platforms have matured steadily over the last 10 years, continually evolving to include format preserving encryption, tokenization, transparent encryption, dynamic masking, and key storage and management, all while integrating with storage systems, applications, cloud services and ‘big data’. The trend is clearly to bake data encryption in, but innovation and growing demand for data security mean this market is far from settled. – AL

  3. Bring Your Own Key: I’m a big fan of the cloud, and of encryption, which is why I’m excited to see Box announce their new Enterprise Key Management product. First a little full disclosure: I have known about this for a while and I have done some work with Box (which was not a secret). That said, it isn’t like I get paid more if anyone buys the service from them. I’ve been on record for a few years as not a fan of proxy-based encryption for cloud computing. Shoving an appliance (or service) between your users and the cloud platform so you can encrypt a few fields seems like a kludge prone to breaking application functionality. But almost no providers allow customers to manage their own encryption in a way that can protect against misuse by the provider (or snoops, criminal or government). Box’s EKM enables customers to control their own encryption keys, but all the actual work happens within Box. This reduces the likelihood the application will break. It isn’t necessarily completely subpoena proof, but there is no way for anyone besides you to see your data unless you release the key. Amazon is one of the few other cloud providers supporting customer managed keys, and I really hope this trend grows. But as Mike says, “Hope is not a strategy”, so vote with your dollars if you want more customer-controlled cloud key management. – RM

  4. Vulnerability management, still kicking…: I have voiced my disappointment with the fact that modern product reviews are consistently cursory, and rarely useful for procurement decisions. That doesn’t stop folks like SC Mag from continuing to review products, like their recent Vulnerability Management review. Yes, vulnerability management is still a thing – even if Gartner doesn’t think so anymore. That being said, the major players in the market are changing direction, and they all seem to be going in different directions. One is climbing the stack, another is focused on identity, a third is morphing into a services driven shop, and yet another is preoccupied with executive level dashboards. And yes, they all still scan your stuff and generate long reports of stuff you’ll never get to. Same old, same old. Although as you are looking to renew your product and/or service, it makes sense to actually learn about the longer term strategy of your chosen vendor to ensure it still aligns with what you need. If not, make a change; it’s not as if the other vendors can’t scan your stuff just as well. – MR

  5. Smart cards, disrupted: It’s happening again; the threat of EMV cards. The Smart Card Alliance’s position is that the liability shift for not using EMV will push adoption among mass merchants, while Visa representatives claim 525 million cards will be in the ‘ecosystem’ by the end of 2015. Bull$#!*. For the sake of round numbers say there are about 300 million US citizens – minus those under 18 – which would require each US adult to get two Chip and PIN cards over the next 10 months. Even if the US government issued an ID for every citizen, that milestone is not going to happen. Nor will merchants move fast enough with new terminals to support the cards. I understand the smart card industry’s angst – EMV needs to move in the US or get passed over. Apple Pay basically virtualized Chip and PIN for payments, simultaneously showing consumers a model for health and ID cards pushed into mobile devices with less cost and pain. It’s not a new idea by any stretch, but Apple upended a bunch of firms who were positioning for the future. As Apple does from time to time. – AL

  6. Eye of Sauron: Big breaches happen, and no matter what anyone tells you they aren’t going away… ever. The goal of your security program is to minimize the potential damage, because it can’t be eliminated. Even with all the high-profile breaches, there’s a lack of motivation for companies, even in regulated industries, to protect their data. Everyone ignored the HIPAA security requirements for years and years, until HITECH put baby teeth in place. But heck, with entirely too many friends still in healthcare, even that threat isn’t enough to be a true catalyst for action. So I’m always interested in events that change the economics of security. Like one of the biggest insurance markets taking a close look at insurer cybersecurity. Nothing may happen here – it isn’t like Eliot Spitzer is back in charge, kicking ass and (er… spanking… no… not going to say it) taking names (no mention of black books either…), but it only takes a couple of state regulators in the right markets to move the needle and drive change. – RM

—Mike Rothman

Monday, March 16, 2015

Firestarter: Cyber Cash Cow

By Rich

Last week we saw a security company hit the $2.4B valuation level. Yes, that’s a ‘B’, as in billion. This week we dig into the changing role of money and investment in our industry, and what it might mean. We like to pretend keeping our heads down and focusing on defense and tech is all that matters, but practically speaking we need to keep half an eye on the market around us. It not only affects the tools at our disposal, but influences the entire course of our profession.

Watch or listen: