Every day I read dozens of articles about cyber war, DDoS, cyber espionage, the President's cyber czar (which, as I understand it, remains unfilled), a TON of pro and con opinions in the press, and dozens of analyst opinions. That doesn't include vendor pitches and the deluge of advertising aimed at the information security dollars that will be spent in the coming years.
I'm going to lay it on the table in the hope that someone will get it. Today is the first of a couple of posts offering comments on where we are, why we have issues, and, hopefully, what we can do about it.
Here's number one... Vendors.
Vendors (the companies who sell infosec products) don't get it!
Entrepreneurs hyping their companies, all in the hope of making their products, companies and books look better than they really are, will say anything to make it sound like their product is the best thing since sliced bread. In fact, many just don't get it. I can't tell you how many presentations I've sat through, only to ask the hard questions: not about the 80% of threats they've built their pitches on, but about the top 20% of threats that come in through spam, phishing and drive-bys, all fueled by sophisticated social engineering. Yeah? Whadya gonna do about that? So vendors, here it is: your products are built on the old threat models. Get with the program. Hire people with recent experience and sell GOOD products rather than products that try to solve EVERY problem. Find the pain point in the market, get really good at it, and fill the hole as best you can. Do your homework! Use a competitive intelligence guru who knows your space and can tell you exactly what your competitors are doing. Please, for the love of God, don't come see me without detailed competitive intelligence in your back pocket. I swear, if I hear one more entrepreneur tell me they don't have any competition I'm gonna puke... and then kick you out of my office.
Medium-sized vendors... I've got to pick on Security Information Management for a moment. Great idea, but it's making our SOC analysts dumb. They have come to rely on the boob tube with absolutely no idea what's going on in the background. These products have turned skilled analysts into movie watchers. What's worse? The vendors have 'em hooked. Once the licenses are bought and the SOC works from the SIM/SEM GUI, the company never looks back and will continue to pay over and over and over and over. They'll keep coming back for more because the sunk costs are too high to leave behind without the CISO getting really red-faced over the money already spent. Why do I have so many issues with SEM/SIM? Remember the old days when we watched a VT100 screen with IDS logs scrolling by? We were inundated with information but had no idea which events were important. Today we have the same issue. How do you know what's important? OK, I'm a pretty seasoned guy and can (sometimes) tell by looking, but most SOC analysts can't. They need to know what's bad and what isn't. Then they need to be able to look deeper. So, SIM guys, make it so! Bells and whistles aren't worth a damn if everything looks important. I can't tell you how many times I've walked into the SOC, seen the SEM top ten list on the big screen and asked what was happening with number one... I always got the same answer: "It's a false alarm." Bullshit.
Larger vendors (like the antivirus vendors) can sit on their laurels and enjoy the fruits of ineptitude. That's right, I said ineptitude. Do we really know how (in)effective antivirus is? It's a good thing it's cheap! If it worked, why would we need so many layers in our defense-in-depth program? A/V should be able to kill anything landing on the computer, but, alas, it can't. Instead it has to rely on a whole slew of other technologies to do its job, and guess what? There's no way to correlate all of those things together to tell what's good and what's not! Sorry folks, I've come to the realization that A/V vendors would rather expand their market than make their product more accurate.
Bottom line: vendors are out of touch with their market. Here are a few things that'd make things a WHOLE lot better.
1. Small and medium-sized companies: use competitive intelligence as a regular part of your marketing team. CI can help with pricing strategy (by finding out what competitors charge), product management, and long-range planning. For the cost of one engineer, you can have a VERY clear idea of what you're facing and where the niche is.
2. Larger companies? Pay attention to your customers. Premium service packages are nice, but not if you're only catching 10% of the problems. The products should work the first time, every time, and be right.
Next time... Magic Quadrant!
Jeff
For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, CEO of a managed security service, and a blogger since 2004 writing about my experiences on the journey: information security, cyber intelligence, education, thoughts. Some love my writing, others hate it. If you like it, follow me!
Monday, July 20, 2009
Saturday, May 30, 2009
We Have A Cyber Czar, and He Has Spoken
I couldn't help it. I took a link from Bob Gourley's CTOVision blog where he tells the world that we ALREADY have a Cyber Czar. His name is Vladimir Putin!
http://ctovision.com/2009/05/white-house-cyber-policy-review-and-a-cyber-czar/
Bob tells it like it is, so there's no need for me to :)
Enjoy!
Jeff
Friday, May 29, 2009
eWeekNews: Discovery Features Make DLP Smarter... really?
Lawrence Walsh's article (eWEEKNews, 2009-05-29) entitled "Discovery Features Make DLP Smarter" made me both scratch my head and chuckle a little. It's a story I've heard many times, and in fact commented on a few days ago in my post 'Vendor Hype'. In this case, it didn't take long to see something in the news about the one item I always think about when I think about vendor hype. Sorry Larry. You know I love ya!
Over the past several years (since 2004?) I've been keeping a close eye on the DLP space, for several reasons. First, if these vendors can ever figure out how to go beyond SSNs, credit card numbers and a few other key pieces of PII without the high false positive rate, the solution would be an absolute win. I'm not saying PII isn't important, but PII can be found using MANY tools, not just the expensive solutions offered by Vontu, Reconnex and a half dozen others out there. There is something good that comes with these solutions (don't get me wrong!), but it is very simply this: they can find simple strings in data in motion and flag them to tell you when something is leaving the enterprise that probably shouldn't.
I chuckle because one vendor in particular, Verdasys, took a host-based approach to finding data and watching it move, while the rest seemed to believe they could do a better job of flagging it in motion on the network. Now it appears they're all heading in the same direction: the network-based tools want to do host-based detection and protection, while the host-based providers want to start moving toward the network.
That said, I polled several reference customers of a couple of DLP vendors. Not one of them reported their DLP vendor doing a great job in the areas outside its sweet spot. The network providers don't do host-based work well.
Hunting critical information in order to protect it? This is a task not easily performed. Here's why: even in a small environment, data doesn't always sit where you think it should. While shares and repositories are the likely places you'd look for source code, work product, finished proposals, PII, or anything else you might consider important, those files almost always sit on users' computers as well, and in many cases on private backup disks and other removable media. Another critical issue: I've worked in LARGE enterprises (100,000+ users) for the last several years. One thing that troubles me in a large enterprise is that most of the time the owners of those environments have no idea, nor any accounting, of where critical information resides. This is especially true of any company whose growth came from the heavy acquisition strategy used in the '90s!
OK, it's easy to be negative. Here's what I'd like to see to solve the problem:
1. DLP vendors need to consider integrating spiders into their applications that can do pattern matching in an attempt to flag data against a data classification schema. Once this is done, do a bucket analysis of each of the different flags and let a human review the schema to ensure its accuracy and decide how the data should be protected. Use company policy (if it exists) to enforce as needed.
2. Fingerprinting everything in a repository by hash value and then watching for those hashes leaving the enterprise isn't an effective solution. First, as I mentioned above, it's rare to know where everything resides, and you can't fingerprint what you can't find. Second, documents have lives of their own: the hash changes every time the document changes. It's impractical.
3. Consider integrating with digital rights management solutions. DRM does tagging, and it also handles access credentials. By integrating DRM solutions into DLP, you get the best of both worlds without having to build another solution.
DLP vendors need to think about partnering to offset some of their gaps. One does host-based protection well. Others do network-based protection well. Stop trying to be something you're not and pair up!
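As an added example (not code from the post or from any DLP vendor), the following Python sketches items 1 and 2 above: a spider that classifies documents by pattern, validates each hit so the false positive rate stays down (SSN structure rules, Luhn checksum for card numbers), buckets the results for human review, and then shows why whole-document hashes are brittle. The corpus, paths and classification markers are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample corpus standing in for files a spider would pull from
# shares, user laptops and removable media (paths are hypothetical).
SAMPLE_DOCS = {
    "shares/hr/benefits.txt":
        "Employee 123-45-6789 enrolled in plan B. Contact HR with questions.",
    "laptops/jdoe/proposal_v3.txt":
        "CONFIDENTIAL proposal for Acme. Card 4111 1111 1111 1111 on file.",
    "shares/eng/build.log":
        "Build 000-12-3456 started; error code 4111-1111-1111-1112 returned.",
    "usb/backup/notes.txt":
        "Meeting notes, nothing sensitive here.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Classification markers mapped to bucket names (assumed policy vocabulary).
MARKERS = {"confidential": "marker:confidential", "proposal": "marker:proposal"}


def valid_ssn(area, group, serial):
    """Reject structurally impossible SSNs: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(number):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the flags raised by one document, after validation of each hit."""
    flags = defaultdict(list)
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            flags["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            flags["card"].append(m.group(0))
    lowered = text.lower()
    for word, bucket in MARKERS.items():
        if word in lowered:
            flags[bucket].append(word)
    return dict(flags)


def spider(docs):
    """Bucket documents by flag so a human can review each bucket in turn."""
    buckets = defaultdict(list)
    for path, text in sorted(docs.items()):
        flags = classify(text)
        if not flags:
            buckets["unflagged"].append(path)
        for flag in flags:
            buckets[flag].append(path)
    return dict(buckets)


def fingerprint(text):
    """Exact-match hash of the whole document, the approach item 2 argues against."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for bucket, paths in spider(SAMPLE_DOCS).items():
        print(f"{bucket:20} {len(paths)} doc(s): {', '.join(paths)}")
    original = SAMPLE_DOCS["laptops/jdoe/proposal_v3.txt"]
    edited = original.replace("Acme", "Acme Corp")
    print("hash survives edit?  ", fingerprint(original) == fingerprint(edited))
    print("flags survive edit?  ", classify(original) == classify(edited))
```

The build log contains two strings that a naive regex would report (an SSN-shaped build number with area 000 and a card-shaped error code that fails Luhn), and both are dropped, so that file lands in the "unflagged" bucket; the proposal on the laptop is flagged three ways. The last two lines show the hash-based fingerprint changing on a one-word edit while the pattern-based classification does not.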
As always, feedback welcome! Mine is only one opinion :)
Jeff
Thursday, May 28, 2009
Study finds IT security pros cheat on audits --Is this a surprise?
In an article I received on Twitter yesterday, the author (Angela Moscaritolo, May 27, 2009) discusses the finding that IT security pros cheat on audits. The article may be seen at:
http://www.scmagazineus.com/Study-finds-IT-security-pros-cheat-on-audits/article/137546/
It should come as no surprise that corners get cut in audits. I wouldn't call it cheating per se, nor am I defending those who blatantly gundeck (a Navy term for faking completion of assigned tasks), for a few reasons, but here are two:
1. In small and medium-sized companies, resources generally don't exist to carry out the full scope of even the most basic audit frameworks (measuring against NIST SP 800-53, ISO, etc.), leaving gaps in the completed audit when compared to the plan.
2. In larger companies, the audit team reports to the board of directors, not to the ISO or CFO as the risk team or information security team does. Auditors get treated like every other auditor: they get what they ask for, nothing more, nothing less. I've worked as an auditor, and worked with auditors several times in the past eight years, and know the drill quite well. If an auditor is uninformed, they don't ask good questions, and as a result they get inaccurate information.
Tips for doing better audits?
1. Look for experienced IT/security people who can be taught auditing. Certifications are good, but not perfect. CISA is common among the large consulting organizations, but again, personal experience leads me to believe that not all CISAs are created equal.
2. Create an environment of cooperation between the audit team and the infosec/risk team. If an audit is going to happen at a certain location, why not leverage the audit team to perform a risk assessment at the same time? There's an opportunity for resource sharing if you can get legal to sign off.
3. Cross train and labor share. Use infosec people as auditors, and get auditors involved in sitting in the SOC. This makes everyone smarter, and eventually, the company better.
4. Find a good framework and stick to it. Measure the results location versus location, program against program, or division against division. It's not a report card but a score card that offers baseline, and hopefully upward trending.
Most importantly, remember, auditors get treated like auditors. They're outsiders and need to know what to ask, and whom to speak with to get the right information. They get this through bonding and familiarity in the organization. Train them well, get cooperation with infosec, and you'll see markedly better, and more consistent audit results.
Happy hunting!
Jeff
Wednesday, May 27, 2009
Podcast: More Targeted, Sophisticated Attacks: Where to Pay Attention
What timing! I just blogged about this this morning.
The conversation is 20 minutes long, but the piece where Marty talks about the new issues (social engineering and, still, bad code) is about 6. It's worth a listen. I'd love comments back. Thoughts? What other issues should we be concerned with during this period of adjustment to new threats?
More Targeted, Sophisticated Attacks: Where to Pay Attention
http://www.cert.org/podcast/show/20090526lindner.html
Featuring:
Marty Lindner (CERT), with Julia Allen
RSS: http://www.cert.org/podcast/exec_podcast.rss
Information Security Vendor hype?
It seems we're in an entrepreneurial dilemma... especially in the information security field.
Entrepreneurs, innovators and tech sales people create, commercialize and sell new, innovative tools, but it seems we've hit a plateau where the entrepreneurs don't understand the new market. In this down-turned economy, how many infosec companies have failed? How many have been bought? I'd guess far fewer acquired than failed, but then again, that's always been the case. Now it seems harder. It seems entrepreneurs are stuck in three areas that they just can't seem to find their way clear of:
1. New attack methods are not caught by old security tools! No matter how many signatures you stick into an IPS, it's not going to be able to stop a C2 channel heading out your door when it's buried inside FTP! Don't tell me about Data Loss Prevention or losing the perimeter. I've had all the sales garbage I can stand from the likes of Vontu and Verdasys. While both are good ideas, DLP is not a solution for identifying and stopping badness inside your enterprise. These solutions stop 'not so smart' people from doing stupid things, but they do not stop smart people from stealing information from you.
2. Entrepreneurs are so busy selling (hyping) their products, and so busy with their noses pointed squarely at their keyboard (or financials), that they've lost touch with what infosec practitioners really need... and the worst part is, they're not getting it from the trade magazines either! SC Magazine has gone from a robust magazine with good information to an ad rag full of expensive ads and very little content that would give entrepreneurs information to help them focus their product lines and strategy. So here's a bit of advice, folks (from a guy who gets pitched more times than most): stop pitching. Leave your marketing materials at the door. Do your homework and be ready to answer hard questions. If I visit your company, I don't want to talk to your business development people. I want the techies. I want to see the results of your product on your own company network, and I want to see the ROI you realized yourselves. I want to talk down and dirty tech. Tell me why it works. Show me that it does. Tell me its current limits... then, and only then, will we have more to discuss.
3. Venture capitalists continue to push offshore development because the numbers make sense. You know what, though? I won't buy it if there's no way to assure the security of the product, and EAL certification isn't it. Show me something that hits a product squarely with the newest attacks and handles them well. Base certification on that. Until then, VCs, you're limiting the ability of your portfolio companies to sell to government and government contractors.
There, I said it. Want to know what the market looks like? Want to know what the market is going to look like? Want to know what kinds of threats your security tools need to be able to handle? Contact me. I'll tell you.
Jeff