Evolving to Security Decision Support: Data to Intelligence

Posted under: Research and Analysis

As we kicked off the Evolving to Security Decision Support series, the point we needed to make was the importance of enterprise visibility to the success of your security program. Given all the moving pieces in your environment, including the usage of various clouds (SaaS and IaaS), mobile devices, containers, and eventually IoT devices, it’s increasingly hard to really know where your critical data is and how it’s being used. Enterprise visibility is necessary, but not sufficient. You still have to figure out if/how you are being attacked and if/how data and/or apps are being misused. Ultimately no one gets any credit for knowing where you can be attacked. You get credit for stopping attacks and protecting critical data. That’s all that matters. The good news is that many organizations already do extensive security data collection (thanks compliance!), so you have a base to work with. It’s really just a matter of turning all of that security data into actual intelligence that you can use for security decision support.

The History of Security Monitoring

Let’s start by providing some historical perspective on how we got here, and why many organizations already do extensive security...

Firestarter: Old School and False Analogies

Posted under: Old School and False Analogies

This week we skip over our series on cloud fundamentals to go back to the Firestarter basics. We start with a discussion of the week’s big acquisition (like BIG considering the multiple). Then we talk about the hyperbole around the release of the iBoot code from an old version of iOS. We also discuss Apple, cyberinsurance, and the actuarial tables. Then we finish up with Rich blabbing about lessons learned as he works on his paramedic again and what parallels to bring to security. For more on that you can read these posts: https://securosis.com/blog/this-security-shits-hard-and-it-aint-gonna-get-any-easier and https://securosis.com/blog/best-practices-unintended-consequences-negative-outcomes

- Rich

Best Practices, Unintended Consequences, Negative Outcomes

Posted under: Research and Analysis

Information Security is a profession. We have job titles, recognized positions in nearly every workplace, professional organizations, training, and even some early degree programs. I mean none of that sarcastically, but I wouldn’t necessarily say we are a mature profession. We still have a lot to learn about ourselves. This isn’t unique to infosec; it’s part of any maturing profession, and we can learn their lessons. As I go through the paramedic re-entry process I have realized, much to my surprise, that I have been a current or expired paramedic for over half the lifetime of the profession. Although I kept my EMT up, I haven’t really stayed up to date with paramedic practices (the EMT level is basically advanced first aid; paramedics get to use drugs, electricity, and all sorts of interesting… tubes). Paramedics first appeared in the 1970s, and when I started in the early 1990s we were just starting to rally behind national standards and introduce real science of the prehospital environment into protocols and standards. Now the training has increased from about 1000 hours in my day to 1500-1800 hours, in many cases with much higher pre-training requirements (typically college level anatomy...

Firestarter: Best Practices for Root Account Security and… SQRRL!!!!

Posted under: Firestarter

Just because we are focusing on cloud fundamentals doesn’t mean we are forgetting the rest of the world. This week we start with a discussion over the latest surprise acquisition of Sqrrl by Amazon Web Services and what it might indicate. Then we jump into our ongoing series of posts on cloud security by focusing on the best practices for root account security: from how to name the email accounts, to handling MFA, to your break-glass procedures.

- Rich

Evolving to Security Decision Support: Visibility is Job 1

Posted under: Research and Analysis

To be masters of the obvious, it’s not getting any easier to detect attacks. Not that it was ever really easy, but at least you knew what tactics the adversaries would use and you’d have a general idea of where they would end up, because you knew where your important data was and largely had a single type of device that accessed it: the PC. Hard to believe we’re longing for the days of early PCs and centralized data repositories. That is not today’s world. You face professional adversaries (and possibly nation-states) that use agile methods to develop and test attacks. They have means of obfuscating who they are and what they are trying to do, to further complicate detection. They prey upon perpetually gullible employees who click on anything to gain a foothold in your environment. Further complicating matters is the inexorable march towards cloud services, which moves unstructured content to cloud storage, outsources back office functions to a variety of service providers, and moves significant portions of your technology environment to the public cloud. And these movements are accelerating, seemingly exponentially. There has always been a playbook to deal with attackers when we...

Firestarter: Architecting Your Cloud with Accounts

Posted under:

We are taking over our own Firestarter and kicking off a new series of discussions on cloud security… from soup to nuts (whatever that means). Each week for the next few months we will cover, in order, how to build out your cloud security program. We are taking our assessment framework and converting it into a series of discussions talking about what we find and how to avoid issues. This week we start with architecting your account structures, after a brief discussion of the impact of the Meltdown and Spectre vulnerabilities, since they impact cloud (at least for now) more than your local computer.

- Rich

This Security Shit’s Hard and it Ain’t Gonna Get Any Easier

Posted under: Research and Analysis

If you couldn’t tell from the title, this line is your official explicit tag. We writers sometimes need the full spectrum of language to make a point. Yesterday Microsoft released a patch to roll back a patch that fixed the slightly-unpatchable Intel hardware bug, because said patch results in reboots and potential data loss. Specifically, Intel’s Spectre 2 variant microcode patch is buggy. Just when we were getting a decent handle on endpoint security with well secured operating systems with six-figure plus bug bounties, this shit happened. Plus, we probably can’t ever fully trust our silicon or operating systems in the first place. Information security is hard. Information security is wonderful. Working in security is magical… if you have the proper state of mind. I decided this year would be a good one for my mid-life crisis before I miss the boat and feel left out. The problem is my life is actually pretty damn awesome, so I think I’m just screwing up my crisis pre-requisites. I like my wife, am already in pretty good physical shape, and don’t feel the need for a new car. All of which appears to knock out pretty much all my...

Wrangling Backoffice Security in the Cloud Age: Part 2

Posted under: Research and Analysis

This is the second part in a two-part series/paper on managing your increased use of and reliance on SaaS for traditionally back office applications. This will also be included in a webcast with Box on March 6 and you can

Where to start

Moving your back office applications to the cloud is the classic frog in a frying pan scenario. Sure, there are a few orgs out there that plan everything out ahead of time, but for most of the companies and agencies we work with it tends to be far less controlled. Multiple business units run into the cloud on their own, especially since all you need for SaaS is a web browser and a credit card, and the next thing you know your cloud footprint is WAY bigger than expected. This is a challenge for security teams, who are often tasked with fixing one cloud at a time as the requests come in, without having the time or support to take a step back and build out a program to support the transition. We don’t recommend putting the brakes on and pissing everyone off, but we do recommend the first...

Wrangling Backoffice Security in the Age of Cloud

Posted under: Research and Analysis

Over a year ago we first published our series on Tidal Forces: The Trends Tearing Apart Security As We Know It, where we identified three key mega-trends in technology with deep, lasting impact on the practice of security:

Endpoints are different, often more secure, and frequently less open. If we look at the hardening of operating systems, especially exemplified by the less-open-but-more-secure model of Apple’s iOS, the cost of exploiting endpoints is trending towards being much higher. At least it was before Meltdown and Spectre, but fortunately those are (big) blips, not a permanent destination.

Software as a Service (SaaS) is the new back office. Organizations continue to push more and more of their supporting applications into SaaS, especially things like document management, CRM, and ERP that aren’t core to their mission.

Infrastructure as a Service (IaaS) is the new data center. The growth of public IaaS has exceeded even our aggressive expectations. It’s the home for most new applications being developed, and a large number of organizations are shifting existing application stacks to IaaS even when it doesn’t necessarily make sense.

The fundamental precept of the “Tidal Forces” concept is that these trends act like gravity wells....

Container Security 2018: Logging and Monitoring

Posted under: Research and Analysis

We close out this research paper with two key areas: Monitoring and Auditing. We want to draw attention to them because they are essential to security programs, but have received only sporadic coverage in security blogs and the press. When we go beyond network segregation and network policies for what we allow, the ability to detect misuse is extremely valuable, which is where monitoring and logging come in. Additionally, most Development and Security teams are not aware of the variety of monitoring options available, and we have seen a variety of misconceptions and outright fear of the volume of audit logs to capture, so we need to address these issues.

Monitoring

Every security control discussed so far can be classed as preventative security. These efforts remove vulnerabilities or make them hard to exploit. We address known attack vectors with well-understood responses such as patching, secure configuration, and encryption. But vulnerability scans can only take you so far. What about issues you are not expecting? What if a new attack variant gets by your security controls, or a trusted employee makes a mistake? This is where monitoring comes in: it is how you discover unexpected problems. Monitoring is...