Friday, November 07, 2014

New Research Paper: Secure Agile Development

By Adrian Lane

Security teams are tightly focused on bringing security to applications, and meeting compliance requirements in the delivery of applications and services. On the other hand job #1 for software developers is to deliver code faster and more efficiently, with security a distant second. Security professionals and developers often share responsibility for security, but finding the best way to embed security into the software development lifecycle (SDLC) is not an easy challenge.

Agile frameworks have become the new foundation for code development, with an internal focus on ruthlessly rooting out tools and techniques that don’t fit this type of development. This means secure development practices, just like every other facet of development, must fit within the Agile framework – not the other way around. This paper offers an outline for security folks to understand development teams’ priorities and methodologies, and practical ways to work together within the Agile methodology. Here is an excerpt:

Over the past 15 years, the way we develop software has changed completely. Development processes evolved from Waterfall, to rapid development, to extreme programming, to Agile, to Agile with Scrum, to our current darling: DevOps. Each evolutionary step was taken to build better software by improving the software building process. And each step embraced changes in tools, languages, and systems to encourage increasingly agile processes, while discouraging slower and more cumbersome processes.

The fast flux of development evolution gradually deprecated everything that impeded agility … including security. Agile had an uneasy relationship with security because its facets which promoted better software development (in general) broke existing techniques for building security into code. Agile frameworks are the new foundation for code development, with an internal focus on ruthlessly rooting out tools and techniques that don’t fit the model. So secure development practices, just like every other facet of development, must fit within the Agile framework – not the other way around.

We are also proud that Veracode has asked to license this content; without support like this we could not bring this quality research to you free of charge without registration. As with all our research, if you have questions or comments we encourage you to comment on the blog so open discussion can help the community.

For a copy of the research download the PDF, or get a copy from our research library page on Secure Agile Development.

—Adrian Lane

Summary: Comic Book Guy

By Rich

Rich here.

I only consistently read comic books for a relatively short period of my life. I always enjoyed them as a kid but didn’t really collect them until sometime around high school. Before that I didn’t have the money to buy them month to month. I kept up a little in college, but I probably had less free capital as a freshman than in elementary school. Gas money and cheap dates add up crazy fast.

Much to my surprise, at the ripe old age of forty-something, I find myself back in the world of comics. It all started thanks to my kids and Netflix. Netflix has quite the back catalog of animated shows, including my all-time favorite, Spider-Man and His Amazing Friends. You know: Iceman and Firestar. I really loved that show as a kid, and from age three to four it was my middle daughter’s absolute favorite.

Better yet, my kids also found Super Hero Squad; a weird and wonderful stylized comedy take on Marvel comics that ran for two seasons. It was one of those rare shows loaded with jokes targeting adults while also appealing to kids. It hooked both my girls, who then moved on to the more serious Avengers Assemble, which covered a bunch of the major comics events – including Secret Invasion, which ran as a season-long story arc.

My girls love all the comics characters and stories. Mostly Marvel, which is what I know, but you can’t really avoid DC. Especially Wonder Woman. Their favorite race is the Super Hero Run where we all dress in costumes and run a 5K (I run, they ride in the Helicarrier, which civilians call a “jog stroller”). When it comes to ComiCon, my oldest will gut me with a Barbie if I don’t take her.

Then there are the movies. The kids are too young to see them all (mostly just Avengers), but I am stunned that the biggest movies today are all expressions of my childhood dreams. Good comic book movies? With plot lines that extend a decade or more? And make a metric ton of cash? Yes, decades. In case you hadn’t heard, Disney/Marvel announced their lineup through 2019. 2-3 films per year, with interlocking television shows on ABC and Netflix, all leading to a 2-film version of the Infinity Wars. My daughter wasn’t born when Iron Man came out, and she will be 10 when the final Avengers (announced so far) is released.

Which is why I am back on the comics. Because I am Dad, and while I may screw up everything else, I will sure as hell make sure I can explain who the Skrull are, and why Thanos wants the Infinity Gems. I am even learning more about the Flash, and please forgive me, Aquaman.

There are few things as awesome as sharing what you love with your kids, and them sharing it right back. I didn’t force this on my kids – they discovered comics on their own, and I merely encouraged their exploration. The exact same thing is happening with Star Wars, and in a year I will get to take my kids to see the first new film with Luke, Leia, and Han since I was a kid.

My oldest will even be the same age I was when my father took me to Star Wars for the first time. No, those aren’t tears. I have allergies.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

  • Mike Rothman: Friday Summary: Halloween. Adrian and Emily get (yet) another dog. ;-)
  • Rich: We are still low on posts, so I will leave it at that and tell you to read all of them this week :)

Other Securosis Posts

Favorite Outside Posts

  • Mike Rothman: Don’t Get Old. I like a lot of the stuff Daniel Miessler writes. I don’t like the term ‘old’ in this case because that implies age. I think he is talking more about being ‘stuck’, which isn’t really a matter of age.
  • Rich: How an Agile Development Process Fits into the Security User Story. This is something I continue to struggle with as I dig deeper into Agile and DevOps. There is definitely room for more research into how to integrate security into user stories, and tying that to threat modeling. Maybe a project I should take up over the holidays.
  • Adrian Lane: Facebook, Google, and the Rise of Open Source Security Software. It’s interesting that Facebook is building this in-house. And contributing to the open source community. But remember they bought PrivateCore last year too. So the focus on examining in-memory processes and protecting memory indicates their feelings on security. Oh, and Rich is quoted in this too!

Research Reports and Presentations

Top News and Posts

—Rich

Wednesday, November 05, 2014

Building an Enterprise Application Security Program: Security Gaps

By Adrian Lane

This post will discuss the common security domains with enterprise applications, areas where generalized security tools lack the depth to address application and database specific issues, and some advice on how to fill in the gaps. But first I want to announce that Onapsis has asked to license the content of this research series. As always, we are pleased when people like what we write well enough to get behind our work, and encourage our Totally Transparent Research style. With that, on with today’s post!

Enterprise applications typically address a specific business function: supply chain management, customer relations management, inventory management, general ledger, business performance management, and so on. They may support thousands of users and tie into many other application platforms, but these are specialized applications with very high complexity. To understand the nuances of these systems, the functional components that comprise an application, how they are configured, and what a transaction looks like to that application takes years of study. Security tools also specialize, focusing on a specific type of analysis – such as malware detection – and applying it in particular scenarios such as network flow data, log files, or binary files. They are generally designed to address threats across IT infrastructure at large; very few move up the (OSI) stack to look at generic presentation or application layer threats. And fewer still actually have any knowledge of specific application functions to understand a complex platform like Oracle’s PeopleSoft or SAP’s ERP systems.

Security vendors pay lip service to understanding the application layer, but their competence typically ends at the network service port. Generic events and configuration data outside applications may be covered; internals generally are not. Let’s dig into specific examples:

Understanding Application Usage

The biggest gap and most pressing need is that most monitoring systems do not understand enterprise applications. To continuously monitor enterprise applications you need to collect the appropriate data and then make sense of it. This is a huge problem because data collection points vary by application, and each platform speaks a slightly different ‘language’. For example, platforms like SAP speak in codes. To monitor SAP you need to understand SAP operation codes such as T-codes, and there are a lot of different codes. Second, you need to know where to collect these requests – application and database log files generally do not provide the necessary information. As another example, most Oracle applications rely heavily on stored procedures to efficiently process data within the database. Monitoring tools may see a procedure name and a set of variables in the user request, but unless you know what operation that procedure performs, you have no idea what is happening. Again you need to monitor the connection between the application platform and the database because audit logs do not provide a complete picture of events; then you need to figure out what the query, code, or procedure request means.

Vendors who claim “deep packet inspection” for application security skirt understanding how the application actually works. Many use metadata (including time of day, user, application, and geolocation) collected from the network, possibly in conjunction with something like an SAP code, to evaluate user requests. They essentially monitor daily traffic to develop an understanding of ‘normal’, then attempt to detect fraud or inappropriate access without understanding the task being requested. This is certainly helpful for compliance and change management use cases, but not particularly effective for fraud or misuse detection. And it tends to generate false positive alerts. Products designed to monitor applications and databases actually understand their targeted application, and provide much more precise detection and enforcement. Building application specific monitoring tools is difficult and specialized work. But when you understand the application request you can focus your analysis on specific actions – order entry, for example – where insider fraud is most prevalent. This speeds up detection, lessens the burden of data collection, and makes security operations teams’ job easier.
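To make the contrast in the two paragraphs above concrete, here is an added example (not code from Securosis or from any monitoring vendor) that runs two detectors over the same captured application-to-database traffic. The generic detector only has metadata (user, time of day) to work with; the application-aware detector carries a map from stored procedure name to business operation and a map from user to role. The procedure names, users, roles, and log lines are all constructed for the illustration; a real deployment would build the procedure map from the platform's own documentation and schema.

```python
"""Generic metadata monitoring vs application-aware monitoring.

Added illustration, not code from Securosis or any vendor. All procedure
names, users, roles and traffic lines below are constructed.
"""
import re
from datetime import datetime

# Constructed: what each stored procedure actually does (business function, action).
# This is the knowledge generic tools lack; without it a procedure name is opaque.
PROCEDURE_SEMANTICS = {
    "ORD_CREATE_HEADER": ("order_entry", "create"),
    "ORD_ADD_LINE": ("order_entry", "create"),
    "ORD_APPROVE": ("order_entry", "approve"),
    "INV_QUERY_STOCK": ("inventory", "read"),
    "GL_POST_JOURNAL": ("general_ledger", "write"),
}

# Constructed: which business functions each user is provisioned for.
USER_ROLES = {
    "jdoe": {"order_entry"},
    "asmith": {"inventory"},
    "dbadmin": {"platform_admin"},
}

# Constructed capture of the application-to-database connection.
SAMPLE_TRAFFIC = """\
2014-11-05T09:12:03 user=jdoe proc=ORD_CREATE_HEADER args=(cust=1042)
2014-11-05T09:12:05 user=jdoe proc=ORD_ADD_LINE args=(sku=77,qty=2)
2014-11-05T09:40:11 user=asmith proc=INV_QUERY_STOCK args=(sku=77)
2014-11-05T22:15:42 user=asmith proc=ORD_APPROVE args=(order=5581)
2014-11-05T10:03:19 user=dbadmin proc=XYZ_UNKNOWN_PROC args=()
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) args=(?P<args>.*)$"
)


def parse_traffic(text):
    """Turn captured connection lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def generic_detector(events, business_hours=(8, 18)):
    """Metadata-only detection: flags activity outside business hours.

    This is what a tool without application knowledge can do. It cannot
    distinguish an order approval from a stock query.
    """
    start, end = business_hours
    alerts = []
    for ev in events:
        if not start <= ev["ts"].hour < end:
            alerts.append({"user": ev["user"], "proc": ev["proc"], "reason": "off_hours"})
    return alerts


def application_aware_detector(events):
    """Detection that knows what each procedure means.

    Flags a user invoking a business function outside their role, and any
    procedure the semantic map does not cover (it needs classification before
    the monitor can say anything useful about it).
    """
    alerts = []
    for ev in events:
        semantics = PROCEDURE_SEMANTICS.get(ev["proc"])
        if semantics is None:
            alerts.append({"user": ev["user"], "proc": ev["proc"],
                           "reason": "unclassified_procedure"})
            continue
        function, action = semantics
        if function not in USER_ROLES.get(ev["user"], set()):
            alerts.append({"user": ev["user"], "proc": ev["proc"],
                           "reason": f"role_violation:{function}:{action}"})
    return alerts


if __name__ == "__main__":
    evs = parse_traffic(SAMPLE_TRAFFIC)
    for name, alerts in (("generic", generic_detector(evs)),
                         ("application-aware", application_aware_detector(evs))):
        print(name)
        for a in alerts:
            print("  ", a)
```

On the sample traffic the generic detector raises one alert (asmith working at 22:15), which says nothing about whether the action was legitimate. The application-aware detector instead reports that asmith, provisioned only for inventory, approved an order, and that the procedure dbadmin called has no known semantics. The second list is what an analyst focused on order-entry fraud actually needs.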

Application Composition

Throughout this research we use the term ‘database’ a lot. Databases provide the core storage, search, and data management features for applications. Every enterprise application relies on a database of some sort. In fact databases are complex applications themselves. To address enterprise application security and compliance you must address many issues and requirements for both the database and the application platforms.

Application Deployments

We seldom see two instances of the same application deployed the same way. They are tailored to each company’s needs, with configuration and user provisioning to support specific requirements. This complicates configuration and vulnerability scanning considerably. What’s more, application and database assessment scans are very different from typical OS and network assessments, requiring different evaluation criteria to assess suitability. The differences lie in both how information is collected, and the depth and breadth of the rule set. All assessment products examine software revision levels, but generic assessment tools stop at listing vulnerabilities and known issues, based exclusively on software versions. Understanding an application’s real issues requires a deeper look. For example, test and sample applications often introduce back doors into applications, which attackers then exploit. Software revision level cannot tell you what risks are posed by vulnerable modules; only a thorough analysis of a full software manifest can do that. Separation of duties between application, database, and IT administrators cannot be determined by scanning a network port or even hooking into LDAP – it requires interrogation of applications and persistent data storage. Network configuration deficiencies, weak passwords, and public accounts are all easily spotted by traditional scanners – provided they have a suitable policy to check – but scanners do not discover data ownership rights, user roles, whether auditing is enabled, unsafe file access rights, or dozens of other well-known issues.

Data collection is the other major difference. Most assessment scans offer a basic network port scanner – for cases where agents are inappropriate – to interrogate the application. This provides a quick, non-invasive way to discover basic patch information. Application assessment scanners look for application specific settings, both on disk and within the database. These scans may be initiated by an agent on the application platform, or from a remote host over SSL/TLS. We call these “credentialed scans” because they require access to the file system or database, or to both. But to gather a complete picture of configuration settings, you need to collect information from the file system and database as well. This enables application assessment tools to fully address vendor best practices, industry best practices, and any ad hoc security or compliance rules the enterprise wants to validate. Generic assessment tools can cover about one-third of the total picture. Application and database assessment scanners get 70-100% depending on how they collect data and the policy set.
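The two paragraphs above describe the gap between a version-only check and a credentialed application assessment. The following added example (not Securosis' code and not any scanner's policy language) evaluates one constructed configuration snapshot both ways. The snapshot format, the list of "known vulnerable" versions, the account names, and the role conflict rule are all assumptions made up for the illustration; a real assessment would populate the snapshot from the file system and the database, as the post describes.

```python
"""Version-only assessment vs credentialed application assessment.

Added illustration, not Securosis' or any vendor's code. The snapshot, the
vulnerable-version list, the accounts and the role-conflict rule are all
constructed for the example.
"""

# Constructed "known vulnerable" revision levels, the only thing a
# version-based check can reason about.
VULNERABLE_VERSIONS = {"9.1.0", "9.1.1"}

# Constructed: role combinations that violate separation of duties when held
# by a single account (database admin plus application admin here).
CONFLICTING_ROLES = [frozenset({"db_admin", "app_admin"})]

# Constructed snapshot, as a credentialed scan would gather it from disk and
# from the database: version, installed sample apps, audit setting, accounts
# with roles and password state, and the mode bits on the config file.
SNAPSHOT = {
    "version": "9.1.3",
    "sample_apps_installed": ["demo_store"],
    "audit_enabled": False,
    "accounts": [
        {"name": "app_admin", "default_password": False, "roles": {"app_admin"}},
        {"name": "scott", "default_password": True, "roles": {"reporting"}},
        {"name": "ops_dba", "default_password": False, "roles": {"db_admin", "app_admin"}},
    ],
    "config_file_mode": 0o666,
}


def version_only_assessment(snapshot):
    """What a generic, non-credentialed scanner can conclude: revision level only."""
    if snapshot["version"] in VULNERABLE_VERSIONS:
        return [("known_vulnerable_version", snapshot["version"])]
    return []


def credentialed_assessment(snapshot):
    """Checks that need file-system and database access to evaluate.

    Returns (finding_code, detail) tuples. The version check is included too,
    since a credentialed scan is a superset of the generic one.
    """
    findings = list(version_only_assessment(snapshot))

    # Sample/test applications shipped with the platform are a common back door.
    for app in snapshot["sample_apps_installed"]:
        findings.append(("sample_application_present", app))

    if not snapshot["audit_enabled"]:
        findings.append(("auditing_disabled", "audit_enabled=False"))

    for acct in snapshot["accounts"]:
        if acct["default_password"]:
            findings.append(("default_password", acct["name"]))
        for pair in CONFLICTING_ROLES:
            if pair <= acct["roles"]:
                findings.append(("separation_of_duties",
                                 f"{acct['name']}:{'+'.join(sorted(pair))}"))

    # Mode bit 0o002 means "other" can write the configuration file.
    if snapshot["config_file_mode"] & 0o002:
        findings.append(("world_writable_config", oct(snapshot["config_file_mode"])))

    return findings


if __name__ == "__main__":
    print("version-only:", version_only_assessment(SNAPSHOT))
    print("credentialed:")
    for code, detail in credentialed_assessment(SNAPSHOT):
        print(f"  {code}: {detail}")
```

Against this snapshot the version-only check reports nothing, because 9.1.3 is not on the vulnerable list, while the credentialed assessment reports five findings: an installed sample application, auditing turned off, an account with a default password, one account holding both administrator roles, and a world-writable configuration file. That difference is the "one-third versus 70-100%" coverage gap the post refers to.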

Application Patch Cycles

If you have an iPhone – or any Apple product, really – you will notice there is an update to one or more apps every single day. Enterprise applications are the opposite, which is unfortunate because their need is greater and the stakes are much higher. Many of you reading this know your enterprise applications run three to six months behind on security patches. If you are running big Oracle databases or SAP, odds are you are closer to 12 months behind. It’s not that IT is ignoring the problem, or fails to understand that these patches address critical security issues; it’s that the likelihood – and financial impact – of crashing the application is so well understood. Security patches rushed out the door have a bad habit of doing just that. It costs a lot of money to recover from such a failure, and all other IT work stops until the system is back online. The likelihood of an attacker breaching the system is not nearly so clear, and any estimate of potential damage is at best a guess, so a security risk analysis cannot drive an organization to patch quickly. Instead IT does what it has always done: iteratively test the patch installer, then applications, on a series of test and pre-production systems, until they are satisfied they can safely roll the patch into production.

There are many potential workarounds for this problem, but the traditional approaches are all flawed. Feature removal, reduced Internet connectivity, blocking, manual process intervention, and prayer are all approaches we have heard. The good news is that some firms are speeding up the patching process by leveraging disruptive trends in IT: virtualization and the cloud. Some are using “canary testing”, where the load balancer splits production traffic between patched and unpatched servers, with full switchover after the patch is vetted live. Others leverage the cloud or virtualization to spin up two sets of production servers, both patched and unpatched, and quickly rollback to unpatched systems in case of failure. These new approaches are not yet widely embraced.

Application and Database Logs

As mentioned earlier, database and application logs are typically not designed for security – they are primarily intended for IT personnel to help understand performance issues and errors. They often omit important events including administrative activity, or provide a subset of the data such as before-and-after values for a transaction. They often lack filtering options to gather the subset of information you need – perhaps specific to a user or a transaction type – so you may be drinking from a proverbial firehose. In many cases the log file format can be set to syslog, so SIEM and log management systems can collect the data, but they often lack understanding of application-specific event data. But the real issue is performance – application logging typically increases platform overhead by 10-20%, and native database logging by 20-40%. This is simply a non-starter for many companies.

If you are running SAP or Oracle enterprise applications, we can be confident that you have many security tools at your disposal. Most vendors offer a combination of basic logging, identity, and encryption services to go along with published best security practices. But even vendor tools fail to address some of these deficiencies. In many cases the provided solutions were never designed for security at all, being intended to highlight errors or performance issues. To effectively monitor, assess, and audit enterprise applications you will likely need to either build your own tools or leverage third-party products to supplement what you already have. Platform vendors know how to collect the correct information from their platforms, but gear their solutions to experts with their systems: system administrators. Auditors, security professionals, and even IT administrators often lack the technical depth to leverage these tools. And as we mentioned earlier, the “best practices” vendors provide leave out a lot of helpful information, and do not recommend tools or services not available from the vendor.

Our next post will discuss how to assemble a complete program.

—Adrian Lane

Incite 11/5/2014: Be Like Water

By Mike Rothman

You want it and you want it now. So do I. Whatever it is. We live in an age of instant gratification. You don’t need to wait for the mailman to deliver letters – you get them via email. If you can’t wait the 2 days for Amazon Prime shipping, you order it online and pick it up at one of the few remaining brick and mortar stores. Record stores? Ha! Book stores? Double ha!! We live in the download age. You want it, you buy it (or not), and you download it. You have it within seconds.

But what happens when you don’t get what you want or (egads!) when you have to wait? You are disappointed. We all are. We get locked into that thing. It’s the only outcome we can see. Maybe it’s a thing, maybe it’s an activity. Maybe it’s a reaction from someone, or more money, or a promotion. It could be anything, but you want it and you get pissy when you don’t get it – now!

Be Like Water -- Bruce Lee

The problem comes down to attachment. Disappointment happens when you don’t get the desired outcome in the timeframe you want. Disappointment leads to unhappiness, which leads to sickness, and so it goes. I have made a concerted effort to stop attaching myself to specific outcomes. Sure, there are goals I have and things I want to achieve. But I no longer give myself a hard time when I don’t attain them. I don’t consider myself a failure when things don’t go exactly as I plan. At least I try not to…

But I was struggling to find an analogy to rely on for this philosophy, until earlier this week. I was in a discussion in a private Facebook group, and I figured out the concept in a way I can easily remember and rely on when my mind starts running amok.

I think many of us fall into the trap of seeing a desirable outcome and getting attached to that. I know I do. I’m trying to flow like water. Water doesn’t care where it ends up. It goes along the path that provides the least resistance at any given time. Not that we don’t need resistance from time to time to grow, rather we need to be flexible to adapt to the reality of the moment.

Be like water. Water takes the shape of whatever vessel it’s in. Water flows. Water has no predetermined goal and can change form as needed. As the waves crash they show the awesome power of harnessed water. The analogy also works for me because I like being by the water, and the sound of water calms me. But I am not the only one who likes the water. Bruce Lee figured this out way before me and talked about it in this classic interview.

Maybe the concept works for you, and maybe it doesn’t. It’s fine either way for me – I’m not attached to a particular outcome…

–Mike

Photo credit: “The soothing sound of flowing water” originally uploaded by Ib Aarmo


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Building an Enterprise Application Security Program

Security and Privacy on the Encrypted Network

Secure Agile Development

Newly Published Papers


Incite 4 U

  1. Shiny attack maps for everyone: I hand it to Bob Rudis and Alex Pinto for lampooning vendors’ attack maps. They have issued an open source attack map called IPew, which allows you to build your own shiny map to impress your friends and family. As they describe it, ‘IPew is an open source “live attack map” simulation built with D3 (Datamaps) that puts global cyberwar just a URL or git clone away for anyone wanting to display these good-for-only-eye-candy maps on your site.’ Humor aside, visualization is a key skill, and playing around with their tool may provide ideas for how you can present data in a more compelling way within your own shop. So it’s not all fun and games, but if you do need some time to decompress, set IPew to show the Internet having a bad day… War Games FTW. – MR

  2. Not for what you think: Occasionally we need to call BS on a post, and Antone Gonsalves on Fraudster Protection for Websites qualifies. His claim is that IBM’s patented new technology can detect fraud by monitoring a user’s interaction with their browser, examining the duration between clicks and how they scroll. The concept is that you understand what a user does normally, so anything different is fraud. What could go wrong? The fundamental problem is that hackers don’t use browsers – at least nothing like an average user’s browser. This press release was obviously created by a guy who thinks all hackers wear ski masks to work. The use cases for this type of technology are marketeers wanting to watch customers use their web sites (to figure out and optimize click streams), and law enforcement looking for a better determination of who is behind the keyboard. It is a type of malware. For security it is surprisingly bad because of false positives – in the same way financial trading models completely fail under any unusual circumstances, which is why this approach failed in 2004 when it first made the rounds. – AL

  3. Outsourcing responsibility: Raj Samani and Brian Honan’s post about the (In)Security of Cloud Computing on the Wired Blog is thought provoking. They are conflating all the varieties of cloud computing together, despite several key nuances. Though it is true that ultimately the responsibility for data protection resides with you – not a cloud provider. Whether it is malware targeting a SaaS provider, or a social engineering attack trying to gain a foothold in your cloud environment, a cloud provider will do whatever they do, and you will still be responsible. We have said for years that you can outsource almost anything – except accountability. So ask questions, do your diligence, and get comfortable with the fact that you will have less visibility (at least initially) and control over the cloud infrastructure. But not forever – as the cloud matures we are betting that cloud security will leapfrog what is possible to secure traditional infrastructure. But that is a discussion for another day. – MR

  4. Quietly important: Microsoft’s latest additions to the Azure cloud are very important – not because of IOT Streaming Analytics, but because they provide all of the infrastructure needed to produce a security event analysis and analytics platform within the cloud. Stream analytics provides a way to insert real-time security analytics and anti-fraud services into the cloud technology stack; the data factory aggregates data to pipe into SIEM, log management, and data warehouses. Microsoft is positioning their data factory and event hubs to be the ultimate repository, but customers are likely to demand the opposite, choosing Hadoop or whatever platform best serves their analytics requirements – exactly what NoSQL excels at. But this core infrastructure is critical for enterprises looking to move to the cloud. – AL

  5. Get your pen test on: We have been vociferous supporters of penetration testing for a long time. Obviously folks who know what they are doing cost money. And you should be testing on an ongoing basis anyway. Maybe you bought a tool (or fired up Metasploit), but you may not know where to start. Fortunately for you Stephen Haywood has decided he is less of a promoter and more of a tester, and open sourced his Beginner’s Guide to Pentesting. I checked out the Table of Contents (and plan to read it over the holidays) and it is a good overview of the things you will need to pen test your own stuff. Including intelligence gathering and reconnaissance, wireless testing, web app testing, and phishing. You will still need to work to actually figure out how it works, but Stephen’s book provides a basis to guide your experimentation, so send some beer to thank him for the effort. You can send that beer to our main Securosis address and we’ll make sure he gets it… LOL. – MR

—Mike Rothman

Tuesday, November 04, 2014

Monitoring the Hybrid Cloud: Evolving to the CloudSOC [New Series]

By Mike Rothman

As we wrote in The Future of Security, we believe the collision of cloud computing and mobility will disrupt and transform security. We started documenting the initial stages of the transformation, so we now turn our attention to how controls will be implemented as the technology space moves to an automated and abstracted reality. That may sound like science fiction, but these technologies are here now, and it is only beginning to become apparent how automation and abstraction will ripple outward, transforming the technology environment.

Change is hard, and we face a distinct lack of control over a number of areas, which is enough to give most security folks a panic attack. From an access standpoint IT can no longer assume ownership and/or the ability to control devices. Consumption occurs on user-owned devices, everywhere, and often not through corporate-controlled networks. This truly democratizes access to critical information. IT organizations must accept no longer controlling the infrastructure either. In fact they don’t even know how the underlying systems are constructed – servers and networks are virtual. Compute, storage, and networking now reside outside the direct control of staff. You cannot just walk down to the data center to figure out what’s going on.

As these two megatrends collide, security folks are caught in the middle. The ways we used to monitor devices and infrastructure no longer work. Not to the same degree, anyway. There are no tap points, and it is now prohibitively inefficient to route traffic through central choke points for inspection. Security monitoring needs to change fundamentally to stay relevant in the cloud age.

In our new blog series, Monitoring the Hybrid Cloud: Evolving to the CloudSOC, we will dig into the new use cases you will need to factor into your security monitoring strategy, and discuss the emerging technologies that can help you cope. Finally we will discuss migration, because you will be dealing with legacy infrastructure for years to come, so your environment will truly be a hybrid.

The Cloud Is Different

For context on this disruptive innovation we borrow from our Future of Security paper to describe how and why the cloud is different. And just in case you think these changes don’t apply to you, forget it. Every major enterprise we talk with today uses cloud services. Even some of the most sensitive and highly regulated industries, including financial services, are exploring more extensive use of public cloud computing. We see no technical, economic, or even regulatory issues seriously slowing this shift. The financial and operational advantages are simply too strong.

Defining ‘Cloud’: Cloud computing is a radically different technology model – it is not simply the latest flavor of outsourcing. The cloud uses a combination of abstraction and automation to achieve previously impossible levels of efficiency and elasticity. This, in turn, creates new business models and alters the economics of technology delivery and consumption.

Cloud computing fundamentally disrupts traditional infrastructure because it is more responsive, more efficient, and potentially more resilient and cost effective than the status quo. Public cloud computing is even more disruptive because it enables organizations to consume only what they need without overhead, while still rapidly adapting to changing needs at effectively infinite scale.

Losing Physical Control: Many of today’s security controls rely on knowing and managing the physical resources that underpin our technology services. This is especially true for security monitoring, but let’s not put the cart before the horse. The cloud breaks this model by virtualizing resources (including entire applications) into resource pools managed over the network. We give up physical control to standard network interfaces, effectively creating a new management plane. The good news is that centralized control is built into the model. The bad news is this is likely to destroy the traditional security controls you rely on. At minimum most of your existing operational processes will change fundamentally.

A New Emphasis on Automation: The cloud enables extreme agility, such as servers that exist only for minutes – automatically provisioned, configured, and destroyed without human interaction. Entire data centers can be spun up and operational with just a few lines of code. Scripts can automate what used to take IT staff weeks to set up physically. Application developers can check in a piece of code, which then runs through a dozen automated checks and is pushed into production on a self-configuring platform that scales to meet demand. Security can leverage these same advantages, but the old bottlenecks and fixed inspection points – including mandated human checks – are gone because a) they cannot keep up and b) architecting them in would slow everything else down.

The cloud’s elasticity and agility also enable new operational models such as DevOps, which blurs the lines between development and operations, to consolidate historically segregated management functions, in order to improve efficiency and responsiveness. Developers take a stronger role in managing their own infrastructure through heavy use of programming and automation via easily accessible APIs. DevOps is incredibly agile and powerful, but it contains the seeds of possible disaster for both security and availability, because DevOps condenses and eliminates many application development and operations checkpoints.

Legacy Problems Fade: Some security issues which have plagued practitioners for decades are no longer issues in the cloud. The dynamic nature of cloud servers can reduce the need for traditional patching – you can launch a new fully up-to-date server and shift live traffic to and from it with API calls. Network segmentation becomes the default, as all new instances are in fixed security groups. Centralizing resources improves our ability to audit and control, while still offering ubiquitous access.

Monitoring Needs to Change

The entire concept of monitoring depends on seeing things. We need the ability to pull logs and events from the network and security devices protecting your environment. What happens when you don’t have access to those devices? Or they don’t work like the devices you are familiar with in your traditional data center? You need to reconsider your approach to security monitoring.

Later in this series we will talk about architectures and techniques to address this lack of visibility and device access, but for now suffice it to say that we will need to instrument the other parts of the technology stack where we do have access.

But the fact is that it will take 10-15 years to fully realize the promise of cloud computing for the masses. We will need to support both traditional infrastructure and cloud-based resources for the foreseeable future. So one of your success criteria moving forward will be an ability to straddle both worlds and provide an end-to-end view of what’s happening – regardless of where the infrastructure and data actually reside.

Throughout this series we will harp on the need for coexistence and consistency to reflect this hybrid reality. You will need to ensure that your monitoring infrastructure supports an elegant migration to the cloud, without compromising your ability to monitor or manage.

This is where the CloudSOC terminology comes into play. We aren’t saying you will move your entire existing SIEM and other monitoring technologies to the cloud now – or perhaps ever. But you will have a monitoring infrastructure component in the cloud sooner than later, so you need to start thinking about how to architect your monitoring environment – to both take advantage of the inherent capabilities of cloud computing, and also monitor the infrastructure that resides in the cloud.

The Age of Analytics

Many of the requirements we identified in our SIEM 2.5 paper are still very much in play. These include detecting advanced malware attacks and figuring out whether mobile devices are accessing the right information within the environment. Those challenges are exacerbated by the need to monitor the hybrid cloud. Cloud systems generate plenty of event data, and technology exists that can perform advanced analytics on vast amounts of information, but these capabilities lag behind the latest threats, so you will need to carefully reconsider how to detect attacks in new environments. The only thing you can count on is that there will be more security data to analyze, so ensure your monitoring environment can scale and provide advanced analytics.

Compliance Confusion

Finally, we need to acknowledge compliance. It is not yet clear how compliance will affect cloud adoption. We don’t think any regulation will be able to derail the cloud juggernaut, but it would be naive to expect assessors to just sign off on protected data being moved into shared environments without proper controls and oversight. That puts security monitoring squarely on the critical path for moving these key functions to the cloud.

So the only clarity is that monitoring needs to be able to provide end-to-end visibility of all protected assets and data… regardless of whether the data resides in a traditional data center, a private cloud, or public cloud infrastructure. So compliance needs to address all these environments. Your assessor couldn’t care less whether you buy and provision servers yourself or spin them up using cloud auto-scaling. If devices can access protected or sensitive data, you need to be able to substantiate controls.

With that we are off and running with Monitoring the Hybrid Cloud. We would like to thank IBM Security Systems as the initial licensee. We wouldn’t be surprised if some other folks come onboard later on as we flesh out this series. Our next post will dig into some key use cases which are impacted by the hybrid cloud.

—Mike Rothman

Friday, October 31, 2014

Friday Summary: October 31, 2014

By Adrian Lane

I was at Intel’s Focus conference earlier this week. Intel basically held a McAfee coming-out party, and announced that the security practices of both firms will henceforth be run under the single umbrella of Intel Security. Not much to report on that, but I spoke to more customers at this event than at any other vendor event. And they were chatty, which is nice. But something is troubling me. Do you know what they did not mention as a problem? Mobile. Nope. The biggest surprise of the week was hearing security practitioners and CISOs talk about the threat of the IoT (Internet of Things), without even mentioning mobile. I am still surprised, because a) mobile is really here, b) security of mobile data is a problem on most devices, c) mobile app controls and spotty authentication are still an issue, and d) the market has yet to embrace a good model for control. IoT does not even feel real yet, but the security practitioners I heard speak are currently dealing with threats to Point of Sale terminals, medical devices, cars, and a whole bunch of devices we have used for a long time, but where the current generation includes sophisticated processors and Internet connectivity. Still, IoT is your biggest concern? Really?


This will be one of the shorter Friday Summaries I have written because … it’s here. The puppy I predicted would be landing in my home has arrived. Early, in fact. I am sure it’s because the breeder was exhausted by him. He is slightly ornery, possessed of limitless energy, and fearless. Which means he is into everything all the time. Say hello to ‘Satchmo’:


I don’t usually talk about my pets much on this blog, but it has been years since we had a new puppy in the house, and you forget all the lifestyle changes that come with a new puppy. Plus he’s very cute, and seems to get along with everyone great. He has only been here a short time but he’s worn me out. And my wife. And my adult Boston. And everything else that lives here … except the Boxer. Boxers never get tired, so I think the rest of us are going to take a nap while those two play.


Happy Halloween all! Halloween on a Friday is the best, so have fun!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

  • Adrian Lane: Incite 10/29/2014: Short Memory. I am actually FAV-ing my “Card of the Sith” Incite in this week’s post.
  • Rich: Building an Enterprise Application Security Program [New Series]. Ho boy, is this a big topic. Adrian jumps into one of the most painful issues for enterprises to deal with: internal apps.
  • Mike Rothman: Firestarter: It’s All in the Cloud. I had fun recording this week’s Firestarter. Though we did miss Adrian. There was no one to keep Rich and me on track!

Other Securosis Posts

Favorite Outside Posts

  • Adrian Lane: Challenges With Randomness In Multi-tenant Linux Container Platforms. Containers seem to have caught fire, and I expect them to be the ‘struts’ of this generation. But stressing any hot new approach turns up systemic flaws. A good discussion by James Bayer.
  • Rich: Facebook Open Sources Host Monitoring Tool, Increases Internet Defense Prize. This is interesting. I did an interview on the tool, based on a high-level description (trust me – I warned the reporter I would need to see it working for a real assessment). It sounds like a Chef/Puppet competitor. But this gathers different information, which is more security relevant, and then enables you to query it like a database. That is very interesting. Might have to play with it!
  • Mike Rothman: SHE’S A WRECK. What a courageous post by aloria, baring her issues with brutal honesty and candor. Thankfully she made it through, but understand that her bipolar disorder is a daily battle. Rarely do we get to see the people behind the avatars, the unvarnished challenge of being imperfect and human, as we all are.
  • Pepper: AT&T, Verizon Using ‘Perma-Cookies’ to Track Customer Web Activity. I didn’t think I needed a VPN but I am now considering paying for Cloak.

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

This week’s best comment goes to Pat Bitton, in response to Old School.

I always hark back to the operating code for dBase II and WordStar both fitting on a single 360K floppy.

—Adrian Lane

Thursday, October 30, 2014

Building an Enterprise Application Security Program: Use Cases

By Adrian Lane

This post will discuss security and compliance use cases for an enterprise application security program. The following are the main issues enterprises need to address with enterprise application management, in no particular order. None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps.

Compliance

Compliance with Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI-DSS) remain the primary drivers for security controls for enterprise applications. Most compliance requirements focus on baselining ‘in-scope’ applications – essentially configuration assessments – to ensure known problem areas are periodically verified as compliant. Compliance controls typically focus on issues of privileged user entitlements (what they can access), segregation of duties, prompt application of security patches, configuring the application to promote security, and consistency across application instances. These assessment scans demonstrate that each potential issue has a documented policy, that the policy is regularly tested, and that the company can produce a report history to show compliance over time. The audience for this data is typically the internal audit team, and possibly third-party auditors.

Change management & policy enforcement

Beyond external compliance requirements enterprises adopt their own policies to reduce risk, improve application reliability, and reduce potential for fraud. These policies ensure that system and IT administrators perform their jobs – both to catch mistakes and to help detect administrative abuse of assigned privileges. Examples include removal of unneeded modules which contain known vulnerabilities, tracking all administrative changes, alerting on – and possibly blocking – use of inappropriate management tools, disabling IT administrators’ access to application data, and detecting users or permissions which could provide ‘backdoor’ access to the system. All of which means these policies are specific to an individual organization, are more complex, and require a great deal more than application assessment to verify. Effective enforcement requires a combination of assessment, continuous monitoring, and log file analysis. And let’s not beat around the bush – these policies are established to keep administrators – of IT, databases, and applications – honest. The audience for these reports is typically internal audit, senior IT management, automated change management systems, and the security group.

Security

A debate has raged for 15 years about whether the greatest threat to IT is external attackers or malicious insiders. For enterprise applications the distinction is less than helpful – both groups pose serious threats. Further muddying the waters, external parties seek privileged access, so they may be functioning as privileged insiders even when that is an impersonation. Beyond attack detection, common security use cases include quarterly ‘reconciliation’ review, watching for ad hoc operations, requests for sensitive data at inappropriate times or from suspicious locations, and even general “what the heck is going on?” visibility into operations. These operations are commonly performed by users or application administrators. Of all the use cases we have listed, identifying suspicious acts in a sea of millions of normal transactions is the most difficult. More to the point, while compliance and policy enforcement are preventive operations, security is the domain of monitoring usage in near-real time. These features are not offered within the application or supporting database platform, but provided through external tools – often from the platform vendor.

Transaction verification

As more enterprise applications serve external users through web interfaces, the problem of fraud is growing. Every web-facing service faces spoofing, tampering, and non-repudiation attacks, and often (and worst) SQL injection. When successful these attacks can create bogus transactions, take partial control of the supporting database, and cause errors. But unlike general security issues, these attacks are designed to create fraudulent transactions and constructed to look like legitimate traffic. How companies detect these situations varies – some firms have custom macros or procedures that look for errors after the fact, while others use third-party monitoring and threat intelligence services to detect attacks as they occur. These tools are designed to detect users who attempt to make the application behave in an unusual manner – relying on metadata, heuristics, and user/device attributes to uncover misuse by application users.

Use of sensitive information

Most enterprises monitor the use of sensitive information. This may be for compliance, as with payment data access or sensitive personal information, or it may be part of a general security policy. Typical policies cover IT administrators accessing data files, users issuing ad hoc queries, retrieval of “too much” information, or any examination of restricted data elements such as credit card numbers. All the other listed use cases are typically targeted at specific user or administrative roles, but policies for information usage apply to all user groups. They are constructed to define use cases which are not acceptable, and alert on or block them. These controls may exist as part of the application logic, but are typically embedded into the database logic (such as through stored procedures), or provided by a third-party monitoring/masking tool deployed as a reverse proxy for the database.
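The policy enforcement and sensitive-information use cases above both come down to evaluating application and database activity against organization-specific rules. The following is an added example, not Securosis code or any vendor’s product: it parses constructed database audit-log lines and checks each against policies of the kinds named in these sections (administrators reading application data, restricted columns such as card numbers, retrieving too much data, schema changes, and sensitive access off-hours or from outside the internal network). The log format, table and column names, role names, thresholds and network ranges are all assumptions made for the example.

```python
"""Policy checks over constructed enterprise-application audit logs.

Added illustration only: the log format, table names, roles and
thresholds below are assumptions, not a real product's configuration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: timestamp|user|role|source_ip|statement|rows_returned
SAMPLE_LOG = """\
2014-10-30T09:12:04|jsmith|app_user|10.1.4.22|SELECT name, balance FROM accounts WHERE id = 4412|1
2014-10-30T09:15:31|dbadmin|dba|10.1.4.9|SELECT * FROM payment_cards|25000
2014-10-30T22:41:10|analyst2|app_user|198.51.100.77|SELECT card_number, expiry FROM payment_cards WHERE region = 'EU'|340
2014-10-30T10:02:55|dbadmin|dba|10.1.4.9|ALTER TABLE accounts ADD COLUMN note TEXT|0
2014-10-30T11:30:00|jsmith|app_user|10.1.4.22|SELECT id FROM orders WHERE customer = 77|12
"""

# Assumed policy configuration (organization-specific in practice).
SENSITIVE_TABLES = {"payment_cards", "accounts"}
RESTRICTED_COLUMNS = {"payment_cards": {"card_number", "cvv"}, "customers": {"ssn"}}
ADMIN_ROLES = {"dba", "sysadmin"}
MAX_ROWS = 1000                      # "too much" information in one query
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 local time
INTERNAL_NET = re.compile(r"^10\.")  # assumed internal address space

TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+(\w+)", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\b", re.I | re.S)


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    src_ip: str
    statement: str
    rows: int


def parse_line(line: str) -> Event:
    """Split one pipe-delimited audit record into an Event."""
    ts, user, role, ip, stmt, rows = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), user, role, ip, stmt.strip(), int(rows))


def referenced_tables(stmt: str) -> set[str]:
    return {t.lower() for t in TABLE_RE.findall(stmt)}


def selected_columns(stmt: str) -> set[str]:
    """Columns named in the SELECT list ('*' is kept as a wildcard marker)."""
    m = SELECT_RE.match(stmt)
    return {c.strip().lower() for c in m.group(1).split(",")} if m else set()


def check_event(ev: Event) -> list[str]:
    """Return the names of every policy the event violates, in a fixed order."""
    hits = []
    tables = referenced_tables(ev.statement)
    cols = selected_columns(ev.statement)
    verb = ev.statement.split(None, 1)[0].upper()
    touches_sensitive = bool(tables & SENSITIVE_TABLES)

    # Change management: every schema or privilege change is tracked.
    if verb in {"ALTER", "DROP", "CREATE", "GRANT", "REVOKE"}:
        hits.append("schema_or_privilege_change")
    # Administrators should manage the platform, not read application data.
    if ev.role in ADMIN_ROLES and verb == "SELECT" and touches_sensitive:
        hits.append("admin_reads_application_data")
    # Restricted data elements, including wildcard reads of tables holding them.
    for table in tables:
        restricted = RESTRICTED_COLUMNS.get(table, set())
        if restricted and ("*" in cols or cols & restricted):
            hits.append("restricted_column_access")
            break
    # Retrieval of "too much" information in a single statement.
    if ev.rows > MAX_ROWS:
        hits.append("excessive_rows")
    # Sensitive data touched outside business hours or from an external address.
    if touches_sensitive and (
        ev.ts.hour not in BUSINESS_HOURS or not INTERNAL_NET.match(ev.src_ip)
    ):
        hits.append("sensitive_access_offhours_or_external")
    return hits


def audit(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Evaluate every record; return (user, statement, violations) for flagged ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = check_event(ev)
        if hits:
            findings.append((ev.user, ev.statement, hits))
    return findings


if __name__ == "__main__":
    for user, stmt, hits in audit(SAMPLE_LOG):
        print(f"{user:10} {', '.join(hits):60} {stmt}")
```

Of the five constructed records, three are flagged; the two ordinary application reads pass every policy, which is the point of writing rules around roles, data elements and context rather than around individual users.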

The next post will detail how enterprise applications differ from other platforms, and how those differences create security gaps for off-the-shelf tools.

—Adrian Lane

Apple Security and Privacy Updates

By Rich

I realize I have been slacking off posting here at Securosis, but thanks to a string of big event thingies, I thought I should link to a bunch of recent Apple security and privacy articles I posted over at TidBITS (mostly) and Macworld.

I do probably need to write up the bit where local apps that are iCloud enabled seem to save document drafts on iCloud once you start writing, as opposed to when you save the documents in iCloud. This means any open drafts, in many text editors, load data into the cloud even if you only want to save them locally. Apple states they remove this data once you save the file to your local drive, but it is a bizarre design decision from a company that has made so many security and privacy improvements recently.

So, um, don’t open up a TextEdit window and paste your temporary (or permanent!) passwords in it, unless you save the file someplace local first.

Now on to the articles:

  • First is an older Macworld article, Why Apple Really Cares About Your Privacy. This one predated Apple’s big public privacy push, and is the key piece that ties the rest of these together. Basically, Apple is using privacy against Google (and to a lesser degree certain other competitors) because the differences in business models make it difficult for anyone else to differentiate on privacy to the same degree. This is an excellent alignment of economics to improve security and privacy, and I expect it to define a lot of what we see in the coming years.

The next three articles show how Apple is following through on its privacy messaging within products:

  • To start Apple dramatically improved the data security of iOS, much to the chagrin of folks in law enforcement. You likely read this all over the place, but this piece ties together a lot of context I didn’t see in other articles. Also, as an emergency responder, my arguments cannot be dismissed with the “if you only saw what we see” argument. I have seen more than my fair share of horrible things, including horrible things happening to children, so I get it. But that is no excuse to sacrifice fundamental civil liberties. Part of the problem is that some people in law enforcement are so used to getting access to whatever they need for an investigation that they see it as a legal right, and don’t understand that today’s technologies cannot include lawful access capabilities without deeply compromising security.

  • Next up I wrote a piece detailing how Spotlight Suggestions handles privacy. While less of a big picture issue, this highlights the steps Apple is taking to harden their pro-privacy stance down to low-level feature design. Not that they always get it right – as illustrated by that iCloud issue.

  • This next piece also relates to privacy, but is more about the business landscape Apple is working within. I discussed the real reason some merchants are blocking Apple Pay. Many of you understand the reasons merchants hate credit card companies (Hello, PCI!), and Apple is merely caught in the middle. For the record, I wish we would get half as many comments on Securosis articles as on this one!

One last article ties the series up (even though it wasn’t the last one published) and serves as a good bookend to the privacy piece:

  • The last piece is the most important for the long term. You Are Apple’s Greatest Security Challenge. Yes, Apple made mistakes with the celebrity photo thefts. Mistakes that those of us in cloud security are very familiar with. But, to their credit, they also deal with a scale and scope very few organizations need to consider. Including some key differences from Google, who has been doing a better job on this front. It is a very nuanced issue, and the decisions Apple makes here will have profound repercussions for the ecosystem.

That’s it for now. It seems there is Apple-related security news every week. A lot of the headlines are total BS, like the article a few years back claiming a major security flaw in iPhones, when it was really a problem in every GSM phone on the planet. But that doesn’t get page views, and Apple security has become the “if it bleeds, it leads” of the tech world.

—Rich

Wednesday, October 29, 2014

Incite 10/29/2014: Short Memory

By Mike Rothman

Sometimes a short memory is very helpful. Of course as you get older, it may not be a choice. But old guy issues aside, there are times you need to forget what just happened and move on to the next thing. Maybe it’s a deal you lost, or a project you couldn’t get funded, or a bungled response to an incident. If you live to fight another day then you need to learn, put it in the past, and move forward.

The Boy learned that lesson a few weeks back playing tennis. He’s a decent player and was teamed with his friend in a doubles match. The other kids were pretty good but our team sprinted out to a 7-2 lead. The first to 8 wins. He has it in the bag, right? They dropped the next game, so it was 7-3. Not a problem. Then it was 7-5 and the Boy started to panic. I could see it. He was on the verge of breaking down.


And the thing about tennis is that coaches (and parents) cannot get involved during the match. So besides a few hand signals I sent his way to calm down, there wasn’t anything I could do other than see him come apart at the seams. His partner was panicking as well, especially as the score went to 7-6, and then ultimately 7-7. You could see the Boy and his partner were broken. They dropped 5 games in a row and lost their confidence.

It was hard to watch. Really hard. For a guy used to controlling most of his environment, it was brutal to be so powerless. But this wasn’t about me. It’s about him. The Boy served in that next game and held serve. He hit a couple of winners and got his mojo back. You could see the confidence return. They dropped the next game and went into a tiebreaker. The first to 7 would win the match.

They split the first two points on the opponents’ serve, so that was a mini break. The Boy then held their serve, so it was 3-1. Then they broke again. 5-1. The other team scrapped and they had a few good rallies, but the Boy and his partner prevailed 7-3. He was happy but could only shake his head about blowing such a huge lead.

I pulled him aside and said this illustrates a number of very important lessons. First about fighting through. They didn’t give up, and they persevered to get the win. I was very proud of them for that. But the real lesson I wanted to communicate was the importance of having a short memory. The fact that he hit a bad shot doesn’t mean he’s a bad player. He needs to trust his training and the work he put in. He can’t lose confidence, and needs to just move on to the next thing. It is not productive to get lost in his own head – he needs to understand the battle is less important than the war, and to know the difference.

Of course the lesson wasn’t about tennis. It was about life. But I don’t need to tell him that. Not yet, anyway…

–Mike

Photo credit: “The Bryan Brothers” originally uploaded by Boss Tweed


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building an Enterprise Application Security Program

Security and Privacy on the Encrypted Network

Secure Agile Development

Newly Published Papers


Incite 4 U

  1. Card of the Sith: Thanks to Chris Pepper for pointing out CurrentC Is The Big Retailers’ Clunky Attempt To Kill Apple Pay And Credit Card Fees. In a nutshell, a large group of merchants – including Rite Aid, CVS, Walmart, Target, K-Mart, and Kohl’s – are putting together a “mobile payment” app to avoid paying credit card processing fees. Rather than extend a small loan like a credit card, CurrentC will pull money directly and immediately from your bank account. Yes, those very same firms who vigorously market your personal data – and keep getting breached by hackers – now want to build their own payment system on top of direct access to your bank account. What could possibly go wrong? The biggest issue is one of the very real benefits of credit cards: limited liability in case of fraud. If someone gets hold of your credit card or breaches the payment system, your liability is sharply limited. Your bank account has no such protection, would likely be drained, and you’d be out the money. Debit cards are somewhere in the middle – they have protections but not nearly as strong as real credit cards. The icing on this steaming pile of customer unfriendliness is that these merchants won’t accept ApplePay – essentially a secure way to use your credit card, which is exactly what the merchants want to get away from. CurrentC promises to deliver the merchants from credit card transaction fees, PCI-DSS security requirements, and liability – all with direct access to your money. Customers get all the liability, most of the hassle (the checkout process promises to be painful for both purchasers and clerks), and less security. Somewhere Darth Sidious is laughing at the fiendish genius of it all. – AL

  2. It’s about the relationships: Just in case you were still under the misapprehension that the CISO job is about technical chips, it’s not. Dark Reading has a good profile of RSA’s new CISO, Janet Levesque. Her path was similar to mine, starting as a COBOL programmer (old school!). But I went into networking and then security. She became an auditor and then ended up doing security. She also did a dotcom and turned off the lights (been there, done that). But here is the killer quote: “Levesque says the company was most interested in hiring her because of her relationship-building skills – something that has become more important for RSA as it expands its hosting services business, and for CISOs across the board as companies outsource more of their IT functions.” As you climb the ladder on the security team, understand that your success criteria and skills must evolve as well. – MR

  3. Security wisdom? Where can I buy that? Martin McKeay has a good point in The Knowledge Pyramid on securityintelligence.com. He starts with “The marketing treadmill around security intelligence and big data the last few years really annoys me.” Yes! It bugs me too! Martin begins building the pyramid with data, placing information (analysis of that data) next. Above that is intelligence, which provides context of what that information means to you. On top Martin places wisdom, which connects disparate information – mostly via experience. That’s why SkyNet is not going to displace your SOC staff any time soon. Sure, there are things you can analyze in a more automated fashion, but even very qualified alerts need to be triaged and validated. But here’s the issue: wisdom, in the form of experienced security practitioners, is hard to come by. That’s why every conversation reminds me of the security skills gap, which continues to grow. – MR

  4. Driving business: Amazon has opened a new data center in Germany, and it appears likely they picked it as their second EU location because of stronger data protection laws in Germany. It’s not that Amazon’s security is driving customers to them, but firms that want cloud services need a provider who can guarantee their data will remain local and secure from foreign governments (specifically the US). Some EU nations won’t allow citizen data to travel across national boundaries – encrypted or not – due to fear that keys will be compromised. This constrains many companies to doing business with local cloud providers, and Amazon appears to be stepping into a market with pent-up demand. Couple that with allowing customers to manage their own encryption keys, and it won’t matter if a secret court orders Amazon to divulge data archives – they can simply (and honestly) explain that the information is encrypted, and Amazon cannot decrypt it. Security concerns over spying will continue to drive IT buying decisions for a long time. – AL

  5. Analyst 101: There is nothing like a former analyst teaching folks how to deal with analysts. Being out of the machine provides some perspective on how it can be done better. In his first post for a new series, Aneel Lakhani provides an introduction to the types of analysts and what they do. It’s close enough to provide a feel for how the business works. I caution you not to draw conclusions about firms due to their funding model. Or perhaps you can, but be ready to make exceptions – there are firms which cannot be bought (like us), even though we advise and license content to vendors. Aneel offers a good description: “Fundamentally, what analysts do is information arbitrage.” That’s about right. I prefer the term “information broker”, but it’s the same thing. I’ll follow the series and mention it again if there is anything else of value in there. – MR

—Mike Rothman

Tuesday, October 28, 2014

New Research Paper: Trends in Data Centric Security

By Adrian Lane

The concept of Data Centric Security is not new, but its advantages are only now becoming clear. As customers embrace disruptive technologies – cloud, mobile, NoSQL – where the availability and effectiveness of security controls are in question, Data Centric Security is an approach to securing data regardless of where it is moved. DCS is a way to leverage these new technologies without compromising data security, integrity, or compliance.

This research was prompted by increasingly frequent inquiries about how to secure “big data” clusters. The cost, complexity, and lack of packaged solutions have left many people looking for options. You can compartmentalize NoSQL servers so only a select few people and applications can access them, but then you fail to fully leverage the investment – which makes isolation a non-starter in most scenarios. That is the potential of Data Centric Security: it focuses security controls on data rather than servers or supporting infrastructure. This way the database is securely available to everyone who can use it legitimately.

This research delves into what Data Centric Security is, the challenges it addresses, and technologies to support customer use cases. We hope you find this research useful, and consider DCS as an alternative to traditional infrastructure security.

I am incredibly happy to announce that Intel Services has agreed to license this research paper – which you can download here (PDF) or visit the research library landing page here – and that we will also present a webcast on Data Centric Security, tentatively scheduled for November 18th, 2014. Sign up if you are interested. Thanks again to Intel for their support of this research!

—Adrian Lane

Monday, October 27, 2014

Firestarter: It’s All in the Cloud

By Rich

Adrian is out, so Rich and Mike cover the latest Amazon Web Services news as their big re:Invent conference closes in. We start with the new Frankfurt datacenter, and how a court case involving Microsoft could kill off the future of all US-based cloud companies (it’s always the little things). Then we discuss directory services in the cloud, and how this indicates increasing cloud adoption and maturity at a pace we really haven’t ever seen before.

The audio-only version is up too.

—Rich

Building an Enterprise Application Security Program [New Series]

By Adrian Lane

Over the last couple months I have had many similar conversations on enterprise application security: customers identify gaps in their security program, are unaware of the availability of certain types of solutions, or simply don’t believe that certain solutions deliver their advertised value. But I expect issues when speaking to a company who wants to implement advanced security on a Hadoop database, where technology simply may not exist to deliver the security and performance required. It is altogether different when talking about SAP or Oracle financials. These are mature platforms, often in place for more than a decade, so you would expect every aspect to be covered. Surprisingly that is often not the case.

There are many reasons for these security gaps. Companies often invest in generic assessment or configuration analysis tools, which don’t actually provide an in-depth view of application configuration settings or best practices. Perhaps they were told their SIEM would collect all application logs but they don’t contain the necessary information to evaluate user actions, or they are simply too verbose to collect. The application vendors all provide lists of security best practices, but don’t list anything they do not sell, nor advise customers to uninstall unneeded components to reduce attack surface. Security teams know little about how application platforms work so they cannot independently identify which deployment models would work, and IT staff is not likely to volunteer suggestions that will require them to do more work. Finally, the largest issue is that many approaches are simply unsuitable for large enterprise applications because they will break the application, limit usability, or degrade performance, none of which are acceptable. These issues contribute to security and compliance gaps at most firms.

Supply chain management, customer relationship management, enterprise resource management, business analytics, and financial transaction management are all multi-billion dollar application platforms unto themselves. We are beyond explaining why enterprise applications need security to protect these investments – it is well established that insiders and persistent adversaries target these applications. Companies invest heavily in these applications, hardware to run them, and teams to keep them up and running. They perform extensive risk analysis on their business implications and the costs of downtime. And in many cases their security investments are a byproduct of these risk profiles. Application security trends in the 1-2% range of total application investment, but I cannot say large enterprises don’t take security seriously – they spend millions and hire dedicated staff to protect these platforms. That said, their investments are not always optimal – enterprises may bet on solutions with limited effectiveness, without a complete understanding of the available options. It is time for a fresh look.

To fill some of these gaps we are starting a new series on Building an Enterprise Application Security program. We spend a lot of time on advanced technologies on the Securosis blog: variants of monitoring, auditing, assessment, threat management, application security, and so on – but we have never pulled all these facets together for companies to assemble into an enterprise application security program. Our goal is to discuss specific security and compliance use cases for large enterprise applications, highlight gaps, and explain some application-specific tools to address these issues. This will not be an exhaustive examination of enterprise application security controls, nor an examination of generic security platforms – instead we will offer a focused summary of the most common deficiencies, with suggestions for what to do about them. The remainder of this series will cover the following:

Needs: Use Cases

  • Compliance (SOX, PCI, etc.) and internal audit reporting
  • Transaction verification
  • Use of sensitive information
  • Security (insider and external threats)
  • Change management & policy enforcement

Gaps: What Works and What Doesn’t

  • Why enterprise applications are different
  • SAP: special issues with this poster child for enterprise applications
  • Security and compliance gaps with IAM, encryption, and data encryption
  • Inventory, discovery, and assessment
  • Network monitoring deficiencies
  • Conventional application and database layer protection
  • Skills and priorities

Program Elements

  • Assessment: discovery and configuration analysis
  • Patching and configuration management (environment, application, database, & modules)
  • Application and database monitoring
  • Management frameworks and policy enforcement
  • Logging, auditing, and compliance reports
  • Additional recommendations

Our next post will discuss use cases and problems firms need to address, which we will use to frame our subsequent discussion of security gaps.

—Adrian Lane

Old School (Computer)

By Mike Rothman

Lots of folks talk lovingly about their first computers. Mine was a Timex Sinclair I ran through my 10” black-and-white TV. But that wasn’t the first computer I played with. My Dad was pretty early into the word processing world as part of his law practice. So when we went to the computer show down in NYC and checked out all the new wares, I was like a kid in a candy store.

When he lugged home the Kaypro II, I thought it was the coolest thing ever. And evidently a significant productivity enhancer, especially hooked up to that old daisy wheel printer. You remember those, right?

So when I saw Throwback Thursday: Kaypro II Stole My Heart on InformationWeek, it was a nostalgic moment.

The Kaypro II, released in 1982, featured two 5¼-inch double-density floppy-disk drives, 64 KB of RAM, and ran Digital Research’s CP/M operating system. Weighing in at 29 pounds, it and other PCs like it were dubbed transportables or, more cheekily, luggables.

Luggable LOL. Though I do remember my Dad lugging the Kaypro between his condo and the office, so I guess it was transportable. And mention of the 9” green (monochrome) CRT made me smile as well.

Of course my kids will have no grasp of what the early days of personal computing were really like. They are bitching about their old iPod touches that won’t run iOS 8. And they are right – technology is moving so fast that a 5-year-old device is severely limited.

But old folks (or at least survivors of that early computer age) like me remember. And we laugh. Because the progress we have seen over the past 30 years is really incredible. Yet it’s only beginning. I cannot even imagine what things will look like in another 30 years.

Photo credit: “untitled” originally uploaded by Marcin Wichary

—Mike Rothman

Friday, October 24, 2014

Summary: Roamin’

By Rich

Rich here.

Last night I arrived home around 11pm from the totally awesome SecTor conference in Toronto. It took about 11 hours to wend my way home through the air system, which has a certain beauty.

Yeah, I took it to 11.

Before that I was home for a couple days, during one of which we took the kids to the local aquarium-in-the-outlet-mall to meet the Octonauts. Yes, we have one of those. Yes, if your kids are of a certain age, they know the Octonauts. And yes, the Octonauts have a totally awesome Star Trek TOS vibe, and I weirdly learn cool stuff – like how freaky vampire squids are – from watching it. I won’t link – I want you to have the pleasure of searching for “vampire squid” and then not sleeping.

Before that I was in Amsterdam for 5 days. With my wife but without kids. I spent two of those days teaching the cloud security class for Black Hat, and the two free days touring around with her. Amsterdam reminds me of New Orleans in spots, which means it’s fun, and then it’s smelly. I have never been into the hedonistic stuff but I love cool historical cities. Especially without the kids.

Assuming they have beer.

Before that is a blur; it probably involved airplanes. Next week I head to Houston for Camp DevOps. I really like those events – so much so that I will spend 6 hours on a plane for what is normally an under-2-hour flight. One problem with traveling so much is that I struggle to find time to set up the next trip, so I got hammered with insane prices. I am unwilling to spend over $1K to fly from Phoenix to Houston, so I got a middle seat on Delta, routed through Salt Lake and Atlanta. Yay team.

After that, I can’t talk about it, but the week after that is Amazon re:Invent. I’m not speaking there, but even if you use other cloud providers re:Invent is a must-attend event. Okay, it helps if you use AWS, but still, there is a ton of great info, some of it generalized.

So there you have it. I am wicked jetlagged from too many time zones in too short a time, but when you work for yourself you can’t gripe too much about being busy. And, you know, 5 days in Amsterdam with my wife & my kids, so I should really just shut up and not complain.

On a different note, you may have noticed some weirdness with our site recently. We had a conflict between our super-secure hosting architecture and an underlying component update we couldn’t totally nail down. It got so bad we moved to a slightly-less-secure host temporarily, which fixed the problem. I am actually rearchitecting the entire deployment (with our developer contractors) to take advantage of all the cloud security and DevOps research I have been working on, but that move will take a little time. We apologize sincerely, and at some point I will provide a more detailed writeup.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

I guess this is why I didn’t post much on our own site. Need to work on that.

Favorite Securosis Posts

  • Adrian: Running Man. Mike. Running. Running distance !?! I … {head explode}.
  • Rich: I guess I need to kneecap Mike. He’s stealing my thunder. I’ve done some half marathons, and no f###### way I will let him beat me to doing a marathon.

Other Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

Top News and Posts

—Rich

Wednesday, October 22, 2014

Incite 10/21/2014: Running Man

By Mike Rothman

There were always reasons I wasn’t a runner. I was too big and carried too much weight. I was prone to knee pain. I never had good endurance. I remember the struggle when I had to run 3 miles as a pledge back in college. I finished, but I was probably 10 minutes behind everyone else. Running just wasn’t for me. So I focused on other methods of exercise. I lifted weights until my joints let me know that wasn’t a very good idea. Then I spent a couple years doing too many 12-ounce curls and eating too many burritos. For the past few years I have been doing yoga and some other body weight training.

But it was getting stale. I needed to shake things up a bit. So I figured I’d try running. I had no idea how it would go, given all my preconceived expectations that I couldn’t be a runner. I mentioned it to a friend and he suggested I start with a run/walk program espoused by Jeff Galloway. I got his 5K app and figured I’d work up to that distance over the summer. I started slowly during my beach vacation. Run 2 minutes, walk 1 minute. Then I ran 3 minutes, etc. Before I knew it, I had worked up to 3 miles.

At some point my feet started hurting. I knew it was time to jettison my 5-year-old running shoes and get a real pair. I actually went to the running store with the boy and got fitted for shoes. It made a world of difference. I was running 3 days a week and doing yoga another 3 days.

I was digging it. Though over the summer it wasn’t that hard. I’d get out early before it got too hot and just run. After conquering the 5K I figured I’d work up to a 10K, so I started another training program to build up to that distance. I made it to the 6-mile mark without a lot of fuss. Even better, I found myself in cool places for work and I’d run there. It’s pretty okay to start the day with a run along Boulder Creek or the Embarcadero. Life could be worse.

I was routinely blowing past the suggested distance in the 10K program. I banged out almost 7 miles on one run and wasn’t totally spent. That’s when it hit me. Holy crap, I’m a runner. So I decided to run a half marathon in March. I figured that was plenty of time to get ready and a couple buddies committed to run with me. I did 8 miles and then 10 miles. Just to see if I could, and I could.

Then I thought, what the hell am I waiting for? My sister-in-law is running a half in early November and she is just working up to 10 miles. I signed up to run a half this Thanksgiving. I even paid $15 for the race t-shirt (it’s a free race, so the shirt was extra). That’s in about a month and I’ll be ready. If there is one thing I have learned from this, it’s that who I was doesn’t dictate what I can accomplish. I can overcome my own perceptions and do lots of things I didn’t think I could, including running.

–Mike

Photo credit: “Day 89 – After the Run” originally uploaded by slgckgc
The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security and Privacy on the Encrypted Network

Secure Agile Development

Trends in Data Centric Security

Newly Published Papers


Incite 4 U

  1. Attitude > technical chops: It seems every day someone bitches to me about the difficulty in finding good people to staff the security function. Thom Langford thinks a lot of folks are looking in the wrong places, and that good potential security folks may already be in your organization – just not doing security. Thom added an executive assistant to the security team and it has worked out well for him because of her attitude and understanding of how to get things done within the organization. “Technology and hard skills are things that can be taught in relatively short periods of time; attitude is something that takes a lot longer to learn, decades even.” Actually, a lot of folks never learn the right attitude. But all the same, when you face a skills shortage you need to grow your own, and the right folks may already be right in front of you. – MR

  2. No shared secrets: I confess I get most of my iOS security knowledge from Rich, who reviews pretty much all things Apple from a security perspective, but I ran across a really good post on naked security which describes iOS 8.1 security fixes. Beyond addressing the POODLE vulnerability, Apple closed a hole by no longer allowing Bluetooth devices to connect unencrypted, making it much harder to spoof communication with the device. Next they fixed a threat that let someone who got hold of your device gain access to an encrypted file without knowing your passcode. We don’t often see the whole of Apple’s strategy to use encryption pretty much everywhere, use encryption keys only accessible to you, and not to share data or trust with third parties… including Apple and law enforcement. Which is the right way to do things. – AL

  3. How to get the CISO seat: Uh, don’t. Okay, all kidding aside, some folks do aspire to sit in the senior security seat of an organization. This Dark Reading article goes through some of the trends, like it’s easier to get a CISO job if you have already been one (duh). And CISSP isn’t a necessary certification (my friends JJ and Dave may not be happy to hear that). Also CISOs are more likely to have a technical background. Which is curious because it is not really a technical position any more. My suggestion is to learn about the business. Understand how security helps achieve corporate goals. Get some quick wins for projects you lead. And then wait. Within 18 months the current CISO will be gone, and then you can fill in while they try to recruit from the outside. During that window, get some more quick wins and then roll out a strategy for a more effective security program. Even if you don’t get that job you will be ready to put your hat in the ring for other CISO jobs. But always remember to have your resume up to date – it’s not like CISO offers much job security. – MR

  4. Pull along: We have said on this blog many times that the only way to improve user security is to first make any new technology easier, and then sneak better security in with it. MasterCard realizes this too, as shown by their announcement of embedded fingerprint scanners on credit cards. The “easier to use” part is using a fingerprint scan to replace a PIN. Well, that and the fact that you no longer need to run it through a card swipe device – instead you just hold the card somewhere near the terminal for authentication. If this looks similar to Apple Pay without an iDevice, you’re right – user experience will be very similar, with the same merchant terminals. Again, none of this technology is new, but for the first time the US market has a shared vision of how to push security forward by making it easier for users to pay, with multiple options for providers. And who knows – maybe eventually we won’t need to replace cards every three months after the latest credit card data breach… – AL

  5. Another day, another retail breach. Staples, come on down! Krebs does it again. He discloses the Staples breach, leveraging his sources in the banking industry. Those folks would know, even if the organization doesn’t. Was it the same kind of malware? Don’t know. The same set of attackers? Don’t know. Brian’s sources believe it was a bunch of stores in the northeast. I’m sure we’ll know soon enough. Though you have to wonder now if we should switch to tracking retailers who haven’t lost credit card data… How long will it be before whitelisting is baked into these embedded Windows POS terminals? – MR

—Mike Rothman