Recently in infosec Category

In preparing for my Cloud Security World 2016 talk, "Automagic! Shifting Trust Paradigms Through Security Automation," I did a lot of thinking about what can be automated, how to automate, and how to demonstrate and measure value around all that jazz. It occurred to me. however, that perhaps I was looking at those questions all wrong. Is it really a question of whether or not something should be automated, so much as it's a question of what shouldn't be automated?

At first blush, this may seem like a silly way of thinking about things. After all, it's probably still too early to talk about automating, well, just about everything, right? As it turns out, this isn't the case. Not even close. There are so many ways to automate many of our standard development, operational, and security responsibilities that I'm actually surprised we're still hearing complaints about inadequate hirable resources and not instead hearing complaints about too much automation stealing jobs.

That said, there are certainly several areas where automation requires human involvement, either as a fail-safe, or as a manual process. Here are a few of those categories and a little information on why fully automating is at least premature, if not an outright bad idea.

Unless you've been offline in a remote land for the past month or so, you've undoubtedly heard that the 2016 VzB DBIR is out. As with every year, two things have happened: 1) DBIR is now the basis of almost all infosec vendor marketing promos, and 2) data analysts are coming out of the woodwork to levy the same old criticisms and accusations that we hear every year.

At the end of the day, there's a few consistent takeaways. First, yes, the data is biased. All data is biased. That's life. Welcome to data analysis 101. There's no such thing as "pure objectivity," only "more or less subjective." Second, yes, the data is dirty. It's inevitable, especially at scale coming from multiple sources. I think the bulk of the incident data is decent. Where things, as always, go off the rails is around the much-maligned vulnerability section (for example, read Dan Guido's criticism pieceread Dan Guido's criticism piece, which links to others as well). Third, for all the noise and drama and bickering and ad hominem attacks, my conclusions don't change. At. All.

Solving Endpoint Security

"Insanity: doing the same thing over and over again and expecting different results."

As a security architect, I've come to truly loathe the endpoint security space. The "answer" seems to be an unending stream of "yet another agent" to layer onto an endpoint, usually just to supplement another tool that's insufficient. Rarely, if ever, can I remove one of these tools (like AV! I still have AV after all this time?!), which means I get to encounter all sorts of conflicts and problems, and for what benefit? Why am I investing hundreds of thousands for incredibly small incremental gains? Insanity...

Part of the challenge with endpoint security is the problem state. As it stands today, we're typically stuck in a traditional general purpose OS environment with very little useful segregation. We deploy tools that live inside this general environment and then hope that a) they keep functioning, b) don't introduce more problems, and c) are somehow able to get enough visibility to assert reasonable control. Sheer folly. It's like trying to estimate the size of an infinite universe from an ant's perspective.

Putting aside specialized solutions deployed to endpoints for solving non-endpoint problems (like monitoring or controlling data movement)... the core focus of endpoint security /should/ be focused on monitoring for state changes. Unfortunately, in a general OS environment, this is very difficult because there are rarely clean, clear boundaries that can be watched for these state changes. In the mobile world we see this problem moving to a slightly more tenable position wherein wrappers and containers can be deployed to better define boundaries, which then enables watching for state changes. We're also starting to see this in production applications that leverage a container-based micro-services architecture. All of which leads me to an interesting thought:

unikernel+containers+sidecars=secure endpoint!

Ten Feet Tall and Covered in Mud

Those who know me know that I'm not overly concerned with being liked, per se, so long as I'm not often wrong and not generally thought an idiot. However, by the same token, it's sometimes nice to be wanted, and maybe even appreciated, from time to time. Now more so than in the past, heading into RSA 2016 in a few short weeks, I'm starting to realize that the temporary career boost from my time at Gartner has faded and my dance card for the event is remarkably empty.

This phenomenon of transitioning from "leading analyst firm" to "mere mortal" has been interesting. While I'm now enjoying my new environs, it certainly did not start out that way with the first post-analyst experience. If nothing else, it has certainly confirmed my concerns over the state of the industry, instilled throughout my time as an analyst.

Specifically, it seems that no matter how far we'd like to think we've come as an industry, we're still generally losing ground and - more importantly - losing the battle and the war. A friend and I were just discussing earlier today the abysmal state of things and just how bleeding common it has become to encounter teams and organizations where everyone is running around with their hair on fire, trying to "do something to help," but as often as not simply making things worse.

How did we come to such a point in the industry wherein we're able to stand on the shoulders of giants and still be mired in mud? Paradoxical, to say the least, but also greatly distressing. Are we so far behind in our maturity and technological advancement? Alas, I think it may be true that for every step we take forward as the security industry, we're continually leapfrogged by our adversaries, who neither think linearly, nor have to worry about dealing with an asymmetric environment wherein we must succeed all the time and they must only be lucky once. It hardly seems fair.

Fortunately, I think there's an out, if we're only savvy and brave enough to entreat it. Alas, pricing on various automation tools still seems to be relatively high, and continually targeted at the F250 companies. However, less expensive options, such as Ansible, Puppet, Chef, and even Jenkins (to name a few), increasingly provide a reasonable starting point for security automation and orchestration, not to mention the FOSS tool FIDO from Netflix, as well as the potential for greater market accessibility for Invotas Security Orchestrator, which has been acquired by FireEye.

We'll have to see how things pan out, but I'm cautiously optimistic that we may eventually get our collective heads above water... but only by shifting away from human-dependent paradigms to ones underpinned by creative, proactive automation that scales.

I contributed a piece to the Norse Security Dark Matters blog a few weeks back.

It's Time to Kill the General Purpose Browser

Another week, another critical Adobe Flash vulnerability (CVE-2015-3113), complete with active exploit in the wild. Adobe encourages everyone to patch right away, but is there more you should do?

In fact, here in 2015, with a constant stream of broken apps, broken browser, broken plugins, and breach after breach after breach, I'm left to wonder: Why are we still using general purpose browsers at all anymore? Are they, and their associated plugins, doing more harm than good?

Continue reading here...

From January 2015...

As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertain (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...

Continue reading here...

From January 2015...

Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).

Continue reading here...

From December 2014...

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and takeover my account. This led me to conclude that now would be a good time to quit putting-off enabling 2-factor authentication (2FA) for my account. What should have been a very simple process was complicated (slightly) by a degree of true derpitude: in order to enable 2FA for my account, Facebook first insisted that I change my browser configuration (or use a different browser) that wasn't set to clear cookies after each session.

Continue reading here...

GBN: NAC NAC (Who's There?)

Posted on my Gartner blog...

"We're currently working on an update to the GTP document "Architectural Alternatives for Enforcing Network Access Control Requirements" (Doc# G00227091). As part of this process, we've spoken with vendors, vendor references, and clients about what they're doing with NAC, what sort of technical and social challenges they may be encountering..."

Continue reading here...

GBN: All the World's a Cloud

Posted on my Gartner blog...

"No, not really. But it could be. Consider, if you will, the five essential characteristics of cloud computing (via SP800-145, as well as the CSA Security Guide):


  • On-demand self-service

  • Broad network access

  • Resource pooling

  • Rapid elasticity

  • Measured service


"Keeping these in mind, let's look at three quick scenarios where shifting the mindset to a cloud services approach, even within traditional IT shops, can help reduce cost, improve efficiency, and improve security qualities."


Continue reading here...

My Other Pages

Support Me

Support EFF


Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10