RSA Conference 2012 Fearless Forecast – The Cloud of FUD

Next week, something insidious and life-choking will settle over the San Francisco Bay area and threaten everyone with confusion, nausea, and full loss of body hair.

The cloud of FUD.

For you South Park fans, yes, this is far more dangerous than the Cloud of Smug introduced in one of the classic South Park episodes (The Perfect Storm of Self Satisfaction). In the episode, the South Park residents begin to purchase hybrid cars (the Toyonda Pious) in large numbers, and their self-satisfaction in their eco-friendly ways creates a dangerous cloud of smug.  Unfortunately, the South Park cloud collides with two other clouds of smug, one from the general self-satisfaction of the SF Bay inhabitants and a rogue cloud from George Clooney’s Academy Award speech.  This creates the perfect storm of self-satisfaction with catastrophic results, destroying San Francisco and causing general havoc in South Park.

The RSA Conference is next week, and the amount of FUD in any normal RSA week can be problematic.  But this year, the IT security world is at an interesting crossroads.  The underpinnings of trust have been called into question through breaches of companies like DigiNotar, and more recently, VeriSign.  Analysis released last week called into question encryption algorithms used by RSA, who is still reeling from a highly public breach last year. Studies indicate that breaches are on the rise, and targeted attacks (including the Advanced Persistent Threat) are hitting their mark with increasing frequency.  And we have no idea how many breaches are yet undiscovered, and when we do discover them, we lack the tools to fully assess the damage.  The public disclosure of the VeriSign breach included language from VeriSign management that they were still not quite sure what had been stolen, in spite of the breach occurring in 2010.   Attacks like Duqu were illustrative of the growing sophistication in data gathering techniques used to build even more sophisticated follow-on attacks.

We have entered a new phase in IT security to be sure, and all of this uncertainty will amplify the FUD volume to deafening levels.  That is because while there are several innovative companies offering real solutions to these new problems, the majority are scrambling.  When companies scramble in the IT security market, the result is a Perfect Storm of Self Preservation.  Those who lack real answers will look to duck and cover, and the predictable result will be epic volumes of FUD with a healthy undercurrent of smug.

Seriously, we should consider renaming the RSA 2012 exhibit area FUDapalooza! I am not talking about the usual “hamster wheels of pain”, “yes, I do that” (before a question is asked) level of FUD.  This will be highly advanced, super concentrated FUD.

For example, everyone, including the nice people that serve old, stale sandwiches in the lobby for $18, will have “The Solution for the Advanced Persistent Threat”.  Everyone will have the “Next Generation of Threat Protection” and “Your Weapon for Cyber Warfare”.  Companies that went the M&A route will have the “First Truly Comprehensive Security Suite/Platform”.  The large, “usual suspect” companies with the huge booths at the center of the floor will promise to plug the massive gaps that studies now show their own products to have.

I remember my first RSA Conference in 2005.  I was immediately struck by the signal to noise ratio (very little signal, copious amounts of noise) and lack of clear messaging and differentiation on the exhibit floor.  One of the more popular posts for this blog was about the animals you will see at RSA.  I can only imagine what 2012 will be like.

At the end of the South Park episode, Kyle points out to the citizens that driving a hybrid is really a good thing, but they have to learn to drive them without being smug.  The townspeople go back to their old gas guzzling cars, saying that “it’s simply asking too much”.  The RSA Conference could be an excellent place to explore ways to meet the new challenges we collectively face today.  Unfortunately, I think for most of my vendor comrades “it’s simply asking too much”, and most will instead take the Gladiator approach and unleash FUD hell.

The Cloud of FUD is coming.  Bring your Hazmat suit.

The Evidence is Overwhelming: Organizations are not Prepared for the Inevitable Breach

84 and 173.5.

These are two significant statistics I picked up from the “Trustwave 2012 Global Security Report”.  I downloaded the report yesterday to review the analysis and the salient numbers from the study.  If you read this blog, you know I quote liberally from the Verizon Business “2011 Data Breach Investigations Report”.  I felt it prudent to see if the Trustwave report aligned with the VBDBIR and my frequent calls to wake up and smell the coffee about breaches.

The short answer is that they do and it does.  84 represents the percentage of breaches that were discovered by someone other than the breached organization.  This aligns with the VBDBIR number of 86%.  I noted that the 84% is actually up from the 2011 Trustwave Report number of 80%.

The numbers on self-detection are of interest to me for two reasons.  One, they scream that organizations are quite ill-equipped to detect a breach and the problem is getting worse.  They dump money in pursuit of the perfect shield, but are essentially unable to know when those shields fail.  And frankly, if I have to convince you that your shields are failing, you may be in the wrong profession.

Second, they underscore that when an organization gets breached, knowledge of the breach is not being contained within the organizational walls.  If a third party finds it, the secret is out.  Organizations cannot ignore the reputational risk that comes from a breach. And there is a coming storm of breach notification legislation that will make the problem even harder to ignore.

The real thunderbolt comes from the 173.5.  Because 173.5 is the average number of days between the initial infiltration and discovery for those attacks discovered by third parties.  173.5 represents the average amount of time that the adversary has free access to the systems and confidential information of the attacked organization.  The report notes that for companies with active discovery initiatives, this number goes down to 43 days.  Better, but no less unacceptable.

I will say it again (and again, and again).  Organizations are going to be breached.  Organizations are not equipped to detect breaches, and once a breach is detected, organizations are not equipped and prepared to respond.  Stop trying to build the perfect shield, step back, and address your exposure to breaches now.  Embrace the fact that you will be breached, and build a rapid detection and response capability.

Need to see something beyond statistics? Just today an article in the Wall Street Journal Online noted that Nortel had been breached without detection for over ten years.  The article discusses SEC breach notification guidelines and the impact on acquiring companies, the potential impact of the breach on Nortel equipment, and implies that the breaches may have contributed to the ultimate decline of the company.

The lesson is simple really.  The Trustwave report and the Nortel story show (again) that while you are busily trying to build that perfect shield, you may already have an adversary working undetected on your systems with relative impunity.

Prediction Regarding Data Breach Detection – Soon to be a Regulatory Requirement

In a post last week titled “Proposed EU Data Protection Fines Push the Lack of Breach Detection Capabilities into the Light”, I noted that the proposed European Union data protection rules would impose fines against organizations who did not report data breaches in a timely manner.  After that post I came across a story (“Companies worry about SEC’s advice to disclose cyberthreats”) in the San Jose Mercury News that noted that the SEC is continuing to amp up the pressure on companies to disclose breaches in their public disclosures.

I am not usually in the prediction business, but I noted in a blog post on February 25, 2010 titled “Intel Notes Attack on 10K – Are We Heading to Mandated Disclosure of Cyber Attacks?” that the SEC might soon mandate disclosure of breaches.  Given the increasingly digital economy, it would make sense that investors would consider breaches material information.

I am old enough to have seen similar patterns through the years.  Guidance by the SEC is one very public data breach away from being regulation, and those organizations that read the tea leaves and are prepared have a distinct advantage over those who ignore the signs and signals and are forced to play catch-up.

So I will break from form and make a prediction: by the New Year, we will either have or will be on the way to having multiple regulatory provisions that will require prompt (24 hour) notification of breaches.  Organizations can scramble then, or they can start looking at technologies (like Triumfant) that are focused on detecting the attacks that evade their protection software (shields).  Given that knowing when (again, the IF ship has sailed) you have been breached is critical information that every organization should want and have anyway, this is not the worst initiative ever catalyzed by regulatory mandate.

Why not beat the rush?

Hearing the Sound of Inevitability – Rapid Detection and Response

It appears that the IT security market may be finally hearing the sound of inevitability.

In an InformationWeek article by Matthew J. Schwartz called “10 Security Trends To Watch In 2012”, Schwartz puts “Breaches now inevitable, say businesses” as number 1.  Number 1! Finally the message seems to be permeating the years of flat earth thinking in the IT industry and the broader market!

Quoting Schwartz:  “The new mandate, then, is not just to maintain killer defenses, but also to have the right technology and practices in place to quickly detect when the business has been breached, and then to block the attack and ideally identify how the breach occurred and what might have been stolen.”

Well said.

This is the exact concept behind what Triumfant calls Rapid Detection and Response.  It starts from understanding that shields are not, and will never be, 100% effective and that your organization will get breached.  It is, as Schwartz says, inevitable.  Therefore, Rapid Detection and Response is about detecting attacks that infiltrate machines as close to the moment of infiltration as possible, providing the analysis to make an informed response, and stopping the attack and repairing the infiltrated machine. It is about understanding that this is not a DoD or NSA problem about detecting the Advanced Persistent Threat but the very hard reality that targeted attacks are getting through your shields.

What remains to be seen is how quickly this grasp of the inevitable will be followed by action.  The problem with the inevitable is that it does not wait for us to grasp it – it is happening all around us regardless.

(BTW, some of you Matrix fans may be surprised by my choice of picture. I searched relentlessly and could not find a single picture of the exact scene moment when Agent Smith delivers his “sound of inevitability” line.  I was disappointed. The Internet, it seems, is not yet 100% – much like the shields people trust too much to protect their endpoints and servers.)

Story on Targeted Attacks Dispels the Presumption of Complexity

I came across a story today that really speaks to the mythology of targeted attacks and their much-hyped subset, the Advanced Persistent Threat.  In a story on the Threatpost Blog by Paul Roberts (@paulroberts) called “Attackers Reused Adobe Reader Exploit Code From 2009 In Extremely Targeted Hacks”, Roberts provides insightful details on a targeted attack that used an Adobe exploit to go after system integrators that specialize in working with the DoD.

The story nicely shows how targeted attacks don’t have to use a cutting edge zero day exploit or some new DeathRay level malware to succeed.  In this attack, the attackers went after an Adobe vulnerability (since patched) called CVE-2011-2642 (first reported December 9, 2011) and leveraged exploit code that dated back to 2009.  The malware planted was the Sykipot Trojan, malicious code known to the IT security industry.

Too often I think that business people hear “Targeted Attack” or “Advanced Persistent Threat” and get a visual image of super smart adversaries in white lab coats creating exceedingly complex and sophisticated attacks.  They assume that targeted means specialty built attacks that take enormous effort to conceive, construct and deploy.  They see it as rocket science.  And in some ways, I think that they use these misconceptions to talk themselves into thinking that no one would expend such effort to target their systems and creating a false sense of security.  They apply the business concept of “barriers to entry” to presume they are safe.

As this analysis shows, a targeted attack can be cobbled together from spare parts on their workbench. The barriers to entry in regards to the technical side of targeted attacks are nominal and easily scaled. All it takes is a motivated and intentional adversary that believes that your systems have something of value, and you can be the victim of a targeted attack.

As Roberts’ story shows, companies cannot hide behind false presumptions that there is inherent complexity that reduces the odds that they will be the victim of a targeted attack or APT.  Companies need to step up to a rapid detection and response strategy as part of their IT security thinking.  Triumfant excels at detecting targeted attacks and detecting the advanced persistent threat, and is an example of solutions that can close the security gaps that leave companies open to such attacks.

RFIs – You Don’t Know What You Don’t Know

RFIs drive me crazy.

First, I think the concept is a Gordian knot.  I need to learn about something I do not know.  I will learn by asking questions in a static, rigid format.  Okay, but if you don’t know about something, how can you hope to ask the right questions to get the information you need, or hope that your questions don’t inhibit receiving the real information you need, which you don’t know you need because you don’t know.  You don’t know what you don’t know, so how do you expect to ask questions so you will know.  See – Gordian knot.

Second, the amount of bias is staggering.  I will ask people who have a vested interest in swaying my thinking for the answers I need.  I will ask the vendors.  The vendors that are in a daily dogfight in a crowded and often confusing market where every vendor tells much the same story.  Vendors that hold Maslow’s proverbial hammer and will therefore put every answer in the context of the nail their hammer best drives.  Vendors that know before you ask that the answer to every RFI or RFP question is – surprise! – yes.  Vendors that are on commission, for heaven’s sake!

Well, Jim, why wouldn’t I ask the vendors?  They are most helpful.  Some offered to actually write the RFI for me.  I see your point and that seems perfectly reasonable.  It frees you up to interview foxes to watch your hen house.

What really frustrates me about RFIs is the lost opportunity to get exposed to truly innovative solutions that the organization could actually use to fill very real gaps in their IT security.  Why? Because most RFI writers don’t know what they don’t know and therefore ask questions about what they do know: the same tired technologies that are at the heart of the very gaps that need to be filled.  RFIs are written from the sound bites of analysts, vendor web sites and industry pundits.  So what comes back is the same tired answers, and nothing new is discovered.

You don’t know what you don’t know.  But what you do know is your problem, and that is where you should start.  You may not be ready to admit it publicly, but you know what gaps your organization has.  You know malware is getting past your shields, and you know that you are not equipped to know when and where. RFIs should not use vendor terminology or be bound by the solution du jour.

Write your RFIs to real, unfiltered gaps and problems, and provide a framework for vendors to provide solutions, but stay away from pre-dispositions.  Doing so will quickly sort marketing speak from real, innovative technology that is not more of the same.  Questions should be heavy on detail about the problem, but not have artificial fences or filters as to how the problem can be solved.  Old assumptions should be abandoned, because those assumptions were largely forged about attacks and attack techniques that have evolved exponentially and have shattered those assumptions.

Tell me your problem and open your mind to the answer.  Am I biased about my product?  You bet I am.  But give me the opportunity to honestly (yes, there are more honest vendors out there than you may think or have been led to believe) provide you alternatives that you may not have even heard about, much less considered when writing the RFI.  You may be surprised what is out there.  After all, isn’t that the point?

That is all for now, as I have some RFIs to compete.  Let’s see. Question 1…(thoughtfully pondering)…”Yes”.

The American Airlines Phishing Attack – Front Row Seat to the Psychology of an Attack

Today I came face to face with a phishing attack and was able to watch firsthand as the attack worked on the human element of IT security.  This morning I was contacted by a friend who had received an email that confirmed the purchase of a flight on American Airlines.   The friend was now convinced that a credit card had been compromised and that immediate steps were necessary.

Savvy IT security guy that I am, I immediately smelled a rat and asked that my friend (who lives close by) bring the PC with the email to me.  After all, I did not want potentially malicious stuff on my machine.

Sure enough, everything about the email spoke of fraud.  The appearance and format of the email was not even close to looking like a professional email from a large company that does lots of business online.  The email address was suspect, and having been on an airplane or two (or a thousand), I noted that the flight number was not even close to the American Airlines flight numbering system.  Lastly, there was the ubiquitous .zip file attached, just waiting to be clicked.  An example of the email can be found on the American Web site here.

What was an interesting study was the reaction of my friend to all of this.  I have had a credit card stolen so I knew it was not the end of the world.  I also knew that the credit card companies actually handle fraud pretty well, so every second did not really count.  My friend was very nervous about the credit card being used to buy all manner of unseemly things all the while laying waste to credit ratings.

But most of all, I noted that the .zip file hung like a ball of yarn in front of an over-caffeinated kitten.  My friend so wanted to click on that file.  The psychological pull was palpable.

I walked my friend through the process of recognizing such an attack, and went to the American Airlines web page to demonstrate that the flight number on the email did not exist.  In fact, it was a digit longer than the field on the site for flight number status.  Next I listened as my friend called American, and then the credit card company.  Both verified that no transaction had occurred and that this was part of a wide-reaching scheme.  The American agent actually spent a lot of time walking my friend through the phishing concept at a high level and provided steps on how to dispose of the email without releasing the malware.  I was impressed.

I had several takeaways from the experience.  First, while the attack seemed amateurish and hackneyed to me, I was taken by how quickly my friend swallowed the hook and was quickly prepared to react.  The simple psychology involved was brutally effective, and I saw why such attacks succeed.  If a wide enough net is cast, someone will react the way the bad guys want.

Second, it reinforced the critical nature of the human element in IT security.  My friend is bright, educated, and computer savvy.  Yet that same person immediately and kinetically reacted to what was a cut-rate phishing attack.  People will always be the X-factor in IT security whether it be opening .zip files, shutting off their AV software, or gleefully inserting USB devices from any and every source.

Lastly, the experience screamed for the need for Rapid Detection and Response, because in spite of shields and protections the human factor can be leveraged to bypass or evade those protections.  Stuff gets through, and in front of me was a simple example of how.

I have to go, I just received another email from another friend who says he just got a confirmation for a flight to Atlanta he did not buy.  Seriously.
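A triage routine for the three indicators the post walks through (a sender domain that does not belong to the airline, a flight number with too many digits, and a .zip attachment) is shown below as an added example; it is not code from the original post. The message is constructed, and the legitimate domain aa.com and the rule that scheduled flight numbers carry at most four digits are assumptions.

```python
"""Header-and-body triage for the airline-confirmation phish described above.

Added example, not part of the original post.  SAMPLE_RAW is a constructed
message, not the email the author saw.  LEGIT_SENDER_DOMAIN and the
four-digit flight-number limit are assumptions made for the example.
"""
import email
import os
import re
from email import policy
from email.utils import parseaddr

LEGIT_SENDER_DOMAIN = "aa.com"                 # assumption: the brand's real mail domain
RISKY_ATTACHMENT_EXTS = {".zip", ".exe", ".scr", ".js"}
MAX_FLIGHT_NUMBER_DIGITS = 4                   # assumption: scheduled flights use 1-4 digits
FLIGHT_NO_RE = re.compile(
    r"\bFlight\s*(?:No\.?|Number|#)?\s*:?\s*(\d+)", re.IGNORECASE
)

# Constructed sample modelled on the indicators in the post: an unrelated
# sender domain, a flight number one digit too long, and a .zip attachment.
SAMPLE_RAW = b"""From: American Airlines <tickets@example-confirmations.net>
To: victim@example.org
Subject: Your Flight Order Confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your order has been processed. Flight Number: 23984 departs 02/14.
Please find your ticket attached.

--b1
Content-Type: application/zip; name="Ticket.zip"
Content-Disposition: attachment; filename="Ticket.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if unparseable)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_names(msg):
    """File names of all parts the message flags as attachments."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def body_text(msg):
    """Text of the first plain or HTML body part, or '' if there is none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def triage(raw_bytes):
    """Return the list of indicator descriptions that fire for one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # Indicator 1: the sender is not the brand the message claims to be from.
    dom = sender_domain(msg)
    if dom != LEGIT_SENDER_DOMAIN and not dom.endswith("." + LEGIT_SENDER_DOMAIN):
        findings.append(f"sender domain {dom!r} is not {LEGIT_SENDER_DOMAIN}")

    # Indicator 2: an executable-ish attachment is attached to a 'receipt'.
    for name in attachment_names(msg):
        if os.path.splitext(name)[1].lower() in RISKY_ATTACHMENT_EXTS:
            findings.append(f"risky attachment {name!r}")

    # Indicator 3: the flight number does not fit the airline's numbering.
    for m in FLIGHT_NO_RE.finditer(body_text(msg)):
        if len(m.group(1)) > MAX_FLIGHT_NUMBER_DIGITS:
            findings.append(
                f"flight number {m.group(1)} has more than "
                f"{MAX_FLIGHT_NUMBER_DIGITS} digits"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print("INDICATOR:", finding)
```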

iPads, Angry Birds, and an IT Security Christmas Shopping Recommendation

One of the interesting phenomena of working in the computer industry is that people will ask your guidance when considering purchasing anything computer related, including smart phones and tablets.  It of course matters not to them that your job responsibilities are not related to that part of the computer industry.  They are buying a piece of technology they do not understand and you are the closest thing to a lifeline that they have, especially during the Christmas season.

I find on such occasions that people ask about devices rather than about purpose – Nook, iPad, Kindle Fire.  I respond by asking them what they want the device to help them do – what is the third level of why behind considering the device.  More times than not, that question is met with a confused gaze and a shrug.  My best guess is that this person has fallen for the marketing hype behind the device rather than fitting function to need.  The iPad is a great tool, but I know plenty of people who have theirs up for sale because they found it to be either less than they expected or a very expensive platform for Angry Birds.

The funny thing is that when I try to help people think their question through they sometimes become a bit put off at me because they have emotionally sold themselves on the device, often irrespective of that device’s real ability to perform useful tasks that would justify the purchase.

I see the same thing in the security market as new “it” (silver bullet) technologies come and go.  Executives read the magazine in the airplane seatback, see some well-turned advertising, or get swept into the analyst hype cycle.  They conclude that they need the new bright shiny object to (choose one or more)

  • Make them “more secure”
  • Protect them from the advanced persistent threat
  • Shield them from the Cybergeddon (actually taken from a Web Site)
  • Lower cholesterol, cure male pattern baldness, and end the common cold

My advice is to decide what it is you need from a security product, and then evaluate products against that need.  Whitelisting has been getting a lot of hype these days.  I have been at organizations where whitelisting is a perfect fit for their culture, their security philosophies, their staff, and their relative threat profile.  And I have been to organizations where it is easy to predict that whitelisting will not be a success for many reasons unrelated to the product itself.  I will also tell you that at many organizations, even a fabulously successful implementation of a perfectly good whitelisting tool will not ultimately fill the real needs of that organization.  And no, this is not a whitelist bashing as I could have chosen any number of technologies.

This is not, as they say, rocket surgery.  Step back from product hype and ask yourself what you need.  Determine your areas of risk – the gaps in your security.  Examine broader approaches to filling that need.  Only then should you begin to look at products within those broader approaches.  Steel yourself against the marketing hype of the latest bright shiny object and focus on what you want the tool to do. Don’t buy the latest bright shiny object and try to bend your problems to that product – the results will be predictable.

Don’t get me wrong – I am sure Angry Birds on an iPad is a great experience.  But budgets are tight, the adversary is relentless, and resources thin.  Shop wisely.

Exhibit Hall Hard Truth – Buy One of Everything and You Will Still Be Breached

This week I spent the day at a table at an exhibit hall at a conference.  Traffic was light in the exhibit area and it gave me a lot of time to think, which is often dangerous.  The show was one of egalitarian exhibits where everyone gets the same six foot table, so there were no little vendors being dwarfed by massive booths with overwhelming A/V systems and elaborate staging.  Mostly pop-up banners and table covers.  The somewhat equal playing field allowed for some interesting observations and one important epiphany.

First, IT security is the land of really bad company names.  I won’t call out any here.  But, really?

Second, if it were your first time in an exhibit hall how could you possibly come to any rational conclusions?  Every booth seemed to promise the same thing and share the same set of bulleted claims to the point that I think you could have randomly redistributed banners and most booths would have not missed a beat.

Finally, I was struck by the fact the emphasis on prevention and the pursuit of the perfect shield is really sending a very loud message if the attendees were willing to see the forest for the trees. Of the 50 tables at the show, 47 were about preventing attacks, 2 were consulting shops, and one, Triumfant, was about detecting breaches.

Notice I said breaches.  I realize that everyone talks about detecting attacks as the recognition needed to prevent attacks.  Triumfant is distinguished in that we detect successful attacks – the ones that get through the defenses.  Therefore, we detect breaches.

And now for the epiphany: shouldn’t the vast number of prevention solutions and all of the noise really tell you something about prevention?  If shields are working so darn well, then why do we have hundreds of shield solutions in the market?  Why does your endpoint solution (AV vendor) continuously have to add layer upon layer of new technology?  Why are you neck deep in the spent shell casings of silver bullet technologies that will finally provide you with the 100% of myth and legend?

Repeat after me: Attacks get through your shields.  Attacks get through everyone’s shields.  You have been breached.  You can buy every prevention product on the market and you will continue to be breached. And no, this is not all about exotic targeted attacks and the advanced persistent threat.  Sometimes it is just basic, opportunistic malware that gets through.

It gets worse.  You are not prepared.  You do not have the tools in place to detect a breach.  The Verizon Business Data Breach Investigations Report showed that you will only find it yourself 6% of the time.  You are unprepared to detect successful attacks, yet you continue to shop for silver bullets instead of facing the hard truth.

I am talking about the ability to detect a breach within minutes of infection, alert the proper personnel, and return detailed actionable information. If you choose wisely, you may even get a solution so sophisticated that it can build a remediation for the breach, stop the malicious software, and repair the machine (including collateral damage) also within minutes of the infection.

My big takeaway from my time at the shows was really quite simple: the noise and confusion of the security shows and the broad infosec market is actually telling you something if you step back and listen.

Malware Counts – Shock, Yawn, or a Useful Reminder of Today’s IT Security Reality?

5 million new threats in Q3 2011!

This was one of the hot lead statistics from the Q3 2011 PandaLabs Report released at the beginning of this month.  Instead of pondering that number, I found myself pondering how the market reacts to that number as we move toward the end of 2011.  Shock? Knowing nod of the head? Yawn?

When I joined Triumfant in November of 2008, the world had entered that year with less than 1 million signatures according to Symantec’s Internet Threat Report series.  Those were simpler times.   In 2009, the number of new signatures exceeded the number of total signatures reported in 2008.  The statistics were sobering and captured the attention of the market as organizations began to internalize that the malware game had changed dramatically across multiple dimensions – volume, velocity, and sophistication.  Threats were also shifting from broad, opportunistic blunt instruments to targeted attacks, some written for a single target.  The term Advanced Persistent Threat moved from the MIC into the broader consciousness.

As we close out 2011, my impression is that the 5 million number by PandaLabs generates very little response and such numbers no longer resonate.  Maybe these numbers have gotten large enough that they lose a sense of connection.  Maybe the numbers have been overused to the point that they no longer have any impact (the marketing bashers so prevalent in IT security will quickly form a line here).  Or maybe most right thinking people have seen the weight of evidence and have accepted the new threat reality.  Regardless, they appear to no longer capture the imagination.

What the numbers continue to say is that the world of IT security has changed dramatically and continues to rapidly evolve.  The numbers dictate that organizations need to be open-minded to new solutions and must stay nimble to keep up with this evolution.  For example, I think organizations now academically understand that the notion of the 100% shield is obsolete, but far too many have yet to emotionally accept that reality and take action accordingly.

The numbers also remind us of the relentless nature of the adversary, who never stops trying to broaden the always-present gap between offense and defense.  The numbers indicate that your defenses have plenty to do, so make sure that they are stood up and properly configured on every machine so as not to give the bad guys a beachhead.  There is no 100% shield, but you should ensure that your shields stop what they can.

The numbers reinforce the fact that you should expect to be breached.  Accept that there will be attacks written specifically to evade your shields and get to your sensitive data and IP.  Think beyond shields and have rapid detection and response software in place for those times when you are breached.

In the end, the only real number that is truly significant is how many breaches that go undetected and result in loss of revenue, loss of customer confidence, or loss of intellectual property.  All you have to do is read this very frank assessment of the cost of the RSA breach to know that the number “1” may be far more impactful than 5 million.
