By Andy Morris
Firstly, congratulations to Mike Rothman on joining Securosis.
Now, on to my Verizon post. Mike correctly pointed out that I drank too much over Christmas, and that what I said about being safe was fluffy and careless. In my defense, I was having post-Christmas fun, not submitting a whitepaper or advising anyone on strategy. I’d just spent 400 words telling people to be vigilant and not to believe Verizon’s roses-round-the-door view of 2010. Plugging my products seemed like too good an opportunity to pass up.
And in Verizon’s defense, I doubt the author really meant to sound cavalier either. After all, Top 10s are just a way of letting off steam after a long year.
Over at Forrester, the big brains have put out a much more reasonable, more nuanced piece.
I like the Forrester document; it’s in tune with what I’m seeing happening here in Silicon Valley.
So, without further ado, here’s my take on their predictions:
A) Data security budgets will flat-line
I expect this to be true; after all, we’re in a tight spot money-wise at the moment, but some context is required. Firstly, I think that whilst spending on security will flat-line, spending on IT will fall, meaning that security as a whole will now get a bigger slice of the pie and, therefore, will have greater visibility at the Board and “C-level” within companies. I don’t know of any B2B companies that are officially cutting list prices at the moment, but they all seem to be discounting heavily to secure purchase orders. So, now security has a greater share of the pie and is buying even more vendor goods, which actually helps everybody. Greater buying power means cheaper products, which means more deployments, which in turn means greater security. Win/win. Hurrah for the recession!
B) Enterprises will strike better deals on DLP
This is really a very specific version of what I just said. DLP dealers like Websense, McAfee & Symantec sold roughly nothing last year. The DLP market exploded into life when some very early adopters paid Vontu a boat-load of cash for early access products. Four years have passed since then, and nobody has really bought anything of note. Deep discounting during a recession is business as usual. If you want a DLP prediction, here’s one: companies will stop pretending they can deploy content filters to prevent breaches, and instead will focus on education and after-the-fact forensics. Or, as we like to think of it over here, log management.
C) Cloud data concerns will begin to dissipate
Correctly, in my opinion, Forrester defines “the cloud” as being made up of totally different types of services, each with their own audience, scope, problems, and security concerns. These sub-clouds are: interactive apps (Facebook); hosted apps (Exchange); application APIs (Google Maps); application components (SimpleDB); infrastructure (Amazon); and physical space (GoDaddy). So the headline “concerns dissipate” is a little misleading. As Dimitri said, no one is going to trust the likes of Facebook or Flickr to improve to the satisfaction of a CISO, and everyone already trusts the physical security vendors with their array of cameras, motion sensors and armed guards. What is really top of mind, then, are the hosted apps and the infrastructure bits-and-pieces that can be assembled into enterprise applications. Forrester is right; we will gradually learn to trust these boys. The key word here is “gradually”. Here at LogLogic we already outsource our email and web service, and we’re very comfortable. We use SalesForce, and again, are happy that our customers are not being mixed in a big pot with our competitors’. But are we going to roll our finance, logistics and engineering secrets out to the cloud? Not yet. If ever. Clever word, that “gradually”. It allows Forrester to be both right and wrong.
D) Full disk encryption will continue its slow and steady march
Full disk encryption is on the rise! Hmmm. A bit like the sea levels. Yes, they’re going up, but it’s imperceptible to the human eye, for now. Encryption clearly is a superb idea. But until it’s 100% transparent to the frustrated sales guy with his laptop, hundreds of miles from tech support, it’s not going to be mainstream.
E) Creative vendor couplings will renew interest in ERM
Simply put, no. Well, yes. Creative vendors will seek ERM partnerships, but the examples given by Forrester are all about DLP. So, my question to you is: does tying together two technologies which don’t quite fulfill their promise make them attractive? Of course not. ERM will still be hard to deploy. DLP will still over-promise and under-deliver. The future of data control is at a fork. We either go the 1984 route and try to control everything, or we use education, forensics and public discipline. Big Brother appeals to Silicon Valley because we think we can build it. But as we found out at Christmas, no security is 100% effective and there are no silver bullets, but vigilance and education can go a long way to solving the problem.
So, how do you best educate? My mom always says (and she’s a teacher), teach by example. To help improve risk management, what we need are tools that can analyze what’s gone wrong and can demonstrate breaches to the masses. We have acronyms for that: SEM & SIEM. Here’s what Gartner, and others, think you need to know.
If you read the Forrester report, 90% of which I agree with, you’ll come to this conclusion: if you’re in business, spend security money wisely, educate your staff, deploy defenses where they’re proven, and be ready to swiftly, comprehensively and immutably document breaches. And stay vigilant. The bad guys are slippery like a worm.
Of course I’m biased, but that’s what we do here at LogLogic. We let you get on with running your businesses, making all that money, giving all those people a safe place to work, and should anything go wrong, we help you remediate.
Happy (safe, compliant, responsible) New Year.
Andy Morris, Product Marketing Director, LogLogic
Posted by Andy Morris on January 11, 2010 in Top10
By Andy Morris, Log Fan
I read Dimitri's take on the Verizon Top 10 Security Predictions for 2010 and thought I'd take a swing at it myself.
Verizon’s security predictions for 2010 are interesting partly because of their insightfulness, and partly due to their lack of insight. You can read their full list of predictions here, but if you’ll allow me, let me play Scrooge.
1) Services will protect themselves.
No they won’t. What most services will do, is appear to protect themselves. They’ll respond to a few highly publicized events with new user interface options that people won’t use properly, and will give the fake appearance of positive change.
2) Malware will not evolve.
This seems about right. Why go to all that fuss and expense of evolving, when most networks still aren’t protected against threats that were discovered ages ago? Mass outbreaks, of course, are for show-off-bored-kids; these days the real money is “on the fringes”. You know, like the Russian Mafia exploiting high street banks for millions. So, no real concern there then. Except that we’re in a recession, and it’s our money they’re stealing.
3) Consumers are getting smarter.
This is possibly the most dangerous of all the predictions. I don’t know if it will be true or false, but as security experts we have to assume it’s false, and build a world that protects the naive, the innocent, the gullible, and that chap that runs with scissors.
4) Windows 7 will be more robust than expected.
Well, that’s a low bar. Remember, Windows 7 was launched on Oct 22, and exploits started turning up as far back as April, but Verizon is right to turn the focus on ISVs. After all, hackers are after money, and that’s buried in data, and that’s handled by ISV software.
5) Serious finger pointing will occur – criminals think twice.
Yes and no. Finger pointing will occur, but criminals will just shrug. Maybe this is a good time to have a debate about Capital Punishment deterring murderers?
6) Breaches will increase.
Yes, they will. The lust for money is a powerful motivator.
7) Nothing happens to non-PCs. Let’s hope so.
8) CaaS works. I don’t care.
9) Virtualization is not attacked. More hoping.
10) China will be blamed for everything. Seems fair.
What does LogLogic predict for 2010? Regardless of whether all, some or none of Verizon’s predictions come true, networks will still be left vulnerable, applications will be unpatched, user error will cause breaches in protocol, and criminals will successfully knock down walls.
But not on a LogLogic protected infrastructure.
We can prevent, capture and prove compliance for whatever 2010 throws at your systems.
LogLogic customers are predicting a stress free, safe 2010.
(No lead paint was used in the making of this post – no thanks to China. Or Nigeria. Or Eastern Europe.)
Posted by Andy Morris on January 06, 2010 in Security, Top10
Verizon Security recently posted a set of 10 predictions for 2010 on their security blog. I have my own opinions about their predictions as you'll read below.
To see Verizon’s original predictions, click here: 2010 Security Predictions
Our friends at Verizon Security feel that services like Facebook, Google, Twitter, and TinyURL will work to get better controls in place regarding criminal content. They believe that their business model is at stake if they don’t attempt to flag or eradicate nefarious activity... advertisers will start pulling their dinero. And my response to that is "of course they will!" It's an obvious statement. The online services will absolutely do more to try to curb illegal behavior. If they don’t do it, who will?
The recent Facebook “apps” scandal has made everyone scratch their heads and realize that they’re allowing a number of different programs to have access to their accounts and, with that, some level of personal information. Twitter has been hacked over and over again. MySpace has vulnerabilities left, right and center. So to say that services will protect themselves is obvious. Whether these hacks or illicit behavior take place against them or on their networks is a variable. It all depends on the vulnerabilities discovered. The web, after all, is Swiss cheese. Admitting that is the first step.
Our friends at Verizon also feel that malware will not evolve this year, that botnets will stay the same as a whole, and that there won’t be any mass outbreaks or targeted attacks. Personally, I don’t see evolution as necessary when the same ole vulnerabilities still exist. Security best practices weren’t followed until specific verticals created requirements to do so. The result was PCI, HIPAA, SOX, ISO 17799, and more pop up every day. If businesses would stop thinking of security as an outflow of cash, and instead think of it as a necessary cost of doing business, we’d all be a whole lot safer. The outbreaks will happen when yet another bored 14-year-old finds a vulnerability and decides he’s going to be the next big thing. And chances are, he’ll be rewarded with a big security job somewhere. Funny how that works.
The security team at Verizon also feel that consumers are getting smarter. The impression that there are fewer newbies on the internet, and services are more secure, and that people are generally more aware might be true. In one respect, however, I wholeheartedly disagree. As P.T. Barnum once articulately stated, "A sucker is born every minute." This hasn't changed. Sure, people aren't responding to instant messages on AOL asking for usernames and passwords, but the phishing sites are getting better, the vulnerabilities are becoming more public and people are still falling victim. Think back to the days of "Don't open executables!" which became "Don't open .SCR files!" followed by "Don't open macros!" and then the ActiveX nonsense for malware. At the end of the day, although the public is getting a wee bit wiser, the trojan writers are getting better-er. Claiming that people are more intelligent because your friends haven't been scammed in a while says little about the state of public affairs.
Number four on Verizon’s list states that Windows 7 (not necessarily IE8) will prove to be more robust than anticipated (vs. Vista), and that applications are the new targets. These are two completely different statements, and I’m not sure why they ended up in the same paragraph together.
First off, I should warn you – take what I’m about to say with a grain of salt as I am a world-class Windows hater. I will do my best not to let my absolute loathing of all things Microsoft seep out. Oh well. So much for that.
Windows 7 is more robust than Vista, but that’s not saying much. It’s like saying a 2009 Honda Civic is more robust than a 2008 Honda Civic just because there’s new standard leather trim. It’s still a Honda Civic. It’s still the same car. It’s just dressed up prettier. Windows fans will go on and on about this-and-that device support and stability. We’ll all stay tuned for that one.
Attacking applications as the next step is fairly obvious. Of course crooks are going to go for applications. Applications aren't written to be secure. Writing for security is much more time consuming and therefore more expensive. Coding for security has to be the next evolution in application development. Write for security as the first step. Make security the high priority. Don't write the app, then go back to see if it's secure. This is what causes world class /fail.
Number five on Verizon’s list of 2010 predictions is that government and non-tech organizations worldwide will become increasingly frustrated over SMTP, DNS and spam, and they’ll find phishing more and more difficult to thwart. They believe that Microsoft’s legal efforts to can-that-spam, along with a high-profile arrest, will somehow cause all the other spammers in the world to shake in their boots and think twice about their line of work.
*yawn*
Spammers are nothing more than ticks on the backside of the internet. They exist. They suck off their hosts. And then they fall off. If we want to end spam tomorrow, we have to make the punishment for spamming so severe that the mere thought of it will make these hoodlums shake in fear. Follow the money. Who is profiting? Is it the manufacturer of said product? Is it a reseller? Follow the money. Then, once you get them, go after the people who actually BOUGHT something due to a spam email. The only reason spammers still spam is because someone is buying. Those people should be prosecuted for even responding to spam.
Verizon Security also believes that breaches will increase, but on a smaller scale with fewer records compromised. They feel that more money theft will take place with account staff credentials being compromised. And they also believe mid-size businesses will be hit with some sort of compliance mandate to force them to do the right thing. Where Verizon and I disagree is that I see this going in the opposite direction. I see more breaches, more records compromised, more insider threats, more phishers, and more crooks using Western Union to transfer money.
What I'd love to see is a better than best practices compliance mandate to supersede all mandates. From small business to large enterprise, make everyone play by the same rules regardless of vertical, regardless of industry, regardless of income. One compliance mandate to rule them all. That compliance mandate should not only represent best practices, but step it up a few levels.
Also, if there was blanket worldwide legal policy that applied to ALL cyber-crooks globally, these scoundrels would no longer go unpunished. A couple of thousand dollars stolen from an account in the U.S. goes a LONG way in some other countries, and not only is it relatively easy to commit these crimes, but there are really no legal deterrents in place to discourage these high tech pickpockets in other countries. Hoodlums can make millions (yes, millions) without any fear of prosecution, and the temptation to pick such low-hanging (albeit forbidden) fruit is very difficult to resist. Let's get downright hardcore on the legal front. Let’s take down these wrongdoers.
Verizon Security went out on a limb when they stated that nothing of note is going to happen to phones, PDAs and Macs. Really? Uh…no. Just two weeks ago we all learned about a sneaky little trick to invade unlocked iPhones that have SSH enabled with default passwords. This is just step one. If you look at how many iPhones are on the market, you can see the huge motivation for delinquents to act-a-fool. I see the mobile phone market getting its fair share of security issues.
Although I think Verizon Security has a high level view of what takes place on the side of security, it seems some of the predictions are off in left field somewhere.
One prediction I believe nobody will dispute though, is that 2010 will be a very exciting year in security. And if we're lucky, a few people will realize they need log management to keep an eye on the security of their infrastructure. Stay tuned.
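The two points above, the default-password SSH hole on iPhones and log management as the way to keep an eye on that sort of thing, together as an added example that is not part of the original post and is not LogLogic's product: a small SIEM-style detection run over constructed sshd log lines. The log lines, hostnames, addresses, the assumed management network (10.0.0.0/24), the "default-credential" account list and the brute-force threshold are all assumptions made for this illustration; the line format is standard OpenSSH syslog output.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample sshd log lines (syslog format). Not real data.
SAMPLE_LOG = """\
Dec 27 09:12:01 iphone-a sshd[412]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Dec 27 09:13:44 iphone-b sshd[419]: Failed password for root from 203.0.113.9 port 40001 ssh2
Dec 27 09:13:45 iphone-b sshd[419]: Failed password for root from 203.0.113.9 port 40002 ssh2
Dec 27 09:13:46 iphone-b sshd[420]: Accepted password for root from 203.0.113.9 port 40003 ssh2
Dec 27 09:15:10 build-box sshd[901]: Accepted publickey for deploy from 10.0.0.7 port 53210 ssh2
Dec 27 09:16:02 build-box sshd[902]: Failed password for invalid user admin from 198.51.100.4 port 22222 ssh2
Dec 27 09:20:30 iphone-c sshd[430]: Accepted password for mobile from 10.0.0.8 port 51000 ssh2
"""

# Matches OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Assumptions for this example: where admin logins are expected to come from,
# which accounts ship with a well-known default password on a jailbroken
# iPhone (root and mobile), and how many failures before a success is suspicious.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")
DEFAULT_ACCOUNTS = {"root", "mobile"}
BRUTE_THRESHOLD = 2


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def detect(log_text):
    """Run the three rules over the log and return (host, user, src, reason) findings."""
    findings = []
    # Consecutive failed attempts per (host, source), reset on a success.
    failures = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # From here on the line is an accepted login.
        reasons = []
        if ev["method"] == "password" and ev["user"] in DEFAULT_ACCOUNTS:
            reasons.append("password login to default-credential account")
        if ipaddress.ip_address(ev["src"]) not in MGMT_NET:
            reasons.append("source outside management network")
        if failures[key] >= BRUTE_THRESHOLD:
            reasons.append(f"success after {failures[key]} failed attempt(s)")
        failures[key] = 0
        for reason in reasons:
            findings.append((ev["host"], ev["user"], ev["src"], reason))
    return findings


if __name__ == "__main__":
    for host, user, src, reason in detect(SAMPLE_LOG):
        print(f"{host}: {user} from {src}: {reason}")
```

The key-based login from inside the management network produces nothing, the lone failed attempt against build-box is recorded but never reaches the threshold, and the two root password logins are flagged whether they come from inside or outside, because the rule is about the credential, not the address. Feeding real data in is a matter of replacing SAMPLE_LOG with the contents of an auth log.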
Posted by Bill Roth on December 28, 2009 in Security, Top10