Research Papers

Primary research papers from Securosis, released under Creative Commons licensing.

Securosis Research is developed under the Totally Transparent Research Process.

Open source software is ubiquitous. Nearly every company is running some. Many organizations are not even aware of it – or at least weren’t until the Heartbleed vulnerability. Then they discovered what many firms already know: there is open source running in your company, and it’s an integral part of your operations.

In an uncommon occurrence we have updated one of our papers within a year of publication. As mentioned in the latest version of our Endpoint Security Buyer’s Guide, mobile devices are just additional endpoints that need to be managed like any other device. But it became clear that we needed to dig a bit deeper into securing mobile endpoints.

Advanced Endpoint and Server Protection

Mike Rothman · July 6, 2014

Anti-virus is basically dead, at least according to the biggest anti-virus vendor. The good news is that signature-based AV has actually been dead for a long time; even the big players have been broadening their capabilities to assess, prevent, detect, and investigate advanced malware on endpoints and servers. There has been a tremendous amount of activity and innovation in protecting endpoints and servers, driven by necessity:

What’s a couple hundred gigabits per second of traffic between friends, right? Because that is the magnitude of recent volumetric denial of service attacks, which means regardless of who you are, you need a plan to deal with that kind of onslaught.

Attacks keep happening. Breaches keep happening. Senior management keeps wondering what the security team is doing.

The lack of demonstrable progress [in stopping malware] comes down to two intertwined causes. First, devices are built using software that has defects attackers can exploit. Nothing is perfect, especially not software, so every line of code presents an attack surface. Second, employees can be fooled into taking action (such as installing software or clicking a link) that enables…

As we continue our research into the practical uses of threat intelligence (TI), we have documented how TI should change existing security monitoring (SM) processes. In our Leveraging Threat Intelligence in Security Monitoring paper, we go into depth on how to update your security monitoring process to integrate malware analysis and threat intelligence. Updating our process maps demonstrates that we don’t consider TI a flash in the pan – it is a key aspect of detecting advanced adversaries as we…

This paper originally started with a blog post called Inflection that looked at a series of developing security trends and attempted to predict their eventual outcome. I researched for nearly 18 months; this paper compiles my thoughts on where the security industry is headed, why, and how it affects us now. From the introduction:

Has your SIEM failed to meet expectations despite significant investment? Has your platform failed to keep up with emerging threats and scalability requirements? If you are questioning whether your existing product or service can get the job done, you are not alone. Given the rapid evolution of requirements, and the changing needs of enterprise users, it is no surprise that many vendors have been passed by as they work to address market demands from 4 years ago. You are likely more than a little…

Defending Data on iOS 7

Rich · February 10, 2014

iOS 7 is a significant update, with serious implications for enterprise management and data security (don’t worry, all good).

The short version is that iOS is quite secure – far more than a general-purpose computer. But you need to understand Apple’s security philosophy to comprehend their design decisions and your integration options. Apple has a clear vision of the future for BYOD, and it is very different from the way most organizations have managed personal devices in the past.

We have always been fans of making sure applications and infrastructure are ready for prime time before letting them loose on the world. It’s important not to just use basic scanner functions either – your adversaries are unlikely to limit their tactics to things you find in an open source scanner. Security Assurance and Testing enables organizations to limit the unpleasant surprises that happen when launching new stuff or upgrading infrastructure.

One of a CISO’s most difficult challenges is sorting the valuable wheat from the overhyped chaff, and then figuring out what it all means in terms of risk to the organization. There is no shortage of technology or threat trends, and CISOs need to determine which matter and how they impact security.

Denial of Service attacks can encompass a number of different tactics, all aimed at impacting the availability of your applications and/or infrastructure. In Defending Against Denial of Service Attacks we described both network-based and application-targeting attacks. In this paper we dig much deeper into application DoS attacks. For good reason – as the paper says:

Managing network security at scale is not easy, but the organizations that do it best tend to follow a predictable and repeatable pattern. This paper distills those lessons into a pragmatic process designed for larger organizations and those with more complicated networks, such as medium-sized businesses with multiple locations. We don’t claim our process is magical or easy, but it’s certainly easier than any alternatives we are aware of. Even if you only pick out a few tidbits, our process…

Security Awareness Training Evolution

Mike Rothman · November 11, 2013

Everyone has an opinion about security awareness training, and most of them are negative. Waste of time! Ineffective! Boring! We have heard them all. And the criticism isn’t wrong – much of the content driving security awareness training is lame. Which is probably the kindest thing we can say about it. But it doesn’t need to be that way. Actually, it cannot remain this way – there is too much at stake. Users remain the lowest-hanging fruit for attackers, and as long as that is the case attackers…

Firewall Management Essentials

Mike Rothman · October 10, 2013

We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. Then you get some religion about more effectively managing these…

A few months back I did a series of posts on how to leverage Amazon EC2, APIs, Chef, and Ruby to improve security over what you can do with traditional infrastructure. I decided to collect these posts together, clean them up, and release them as a standalone paper.

Continuous Security Monitoring

Mike Rothman · September 26, 2013

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there.

API Gateways: Where Security Enables Innovation

Adrian Lane · September 16, 2013

API gateways are an emerging hot spot in IT services. They offer platforms for companies to selectively leverage IT systems for end user use. But well beyond just slapping a web server in front of an app, gateways both facilitate use of an application and protect it. Gateways enable third party developers, outside your organization, to support different use cases in different environments – such as new applications, mobile apps, and service mash-ups – while allowing you to control security,…

Threat Intelligence for Ecosystem Risk Management

Mike Rothman · September 16, 2013

Most folks think the move towards the extended enterprise is very cool. You know, get other organizations to do the stuff your organization isn’t great at. It’s a win/win, right? From a business standpoint, there are clear advantages to building a robust ecosystem that leverages the capabilities of all organizations. But from a security standpoint, the extended enterprise adds a tremendous amount of attack surface.

We are proud to announce the availability of our Cloud Identity and Access Management research paper. While you have likely been hearing a lot about cloud services and mobile identity, how it all works is not typically presented. Our goal for this research paper is simple: Present the trends in IAM in a clear fashion so that security and software development professionals understand the new services at their disposal. This paper shows how cloud computing is driving extensible architectures and…

Dealing with Database Denial of Service

Adrian Lane · September 4, 2013

You have heard of denial of service attacks, but database denial of service? It may come as a surprise, but database denial of service attacks have become common over the past decade. Lately they are very popular among attackers, as network-based attacks become more difficult. We have begun to see a shift in Denial of Service (DoS) tactics by attackers, moving up the stack from networks to servers and from servers to the application layer. Over the last 18 months we have also witnessed a new…

The 2014 Endpoint Security Buyer’s Guide

Mike Rothman · August 21, 2013

Our updated and revised 2014 Endpoint Security Buyer’s Guide updates our research on key endpoint management functions, including patch and configuration management and device control. We have also added coverage of anti-malware, mobility, and BYOD. All very timely and relevant topics. The bad news is that securing endpoints hasn’t gotten any easier. Employees still click things, and attackers have gotten better at evading perimeter defenses and obscuring attacks.

The CISO’s Guide to Advanced Attackers

Mike Rothman · August 18, 2013

Much of the security industry spends significant time and effort focused on how hard it is to deal with today’s attacks. Adversaries continue to improve their tactics. Senior management doesn’t get it, until there is a breach… then your successor can educate them. And the compliance mandates hanging over your organization like an albatross remain 3-4 years behind the attacks you see daily. The vendor community compounds the issues by positioning every product and/or service as a solution to the APT…

The benefits of Infrastructure as a Service (IaaS), public or private, are driving more and more organizations to cloud computing; but one of the biggest concerns – even for internal deployments – is data security. The cloud fundamentally changes how data is stored, and brings both security and compliance concerns. We see this creating a resurgence of interest in encryption, with some very practical approaches available: