A recurring theme I hear at conferences is that security teams can’t fight the inevitable shift to cloud computing, and instead need to figure out ways to adapt. This message was echoed at RSA Conference 2012, where a panel of CISOs urged the industry to get ahead of the cloud trend and ensure cloud services are adopted securely.
With its potential to slash IT costs, cloud computing is driving fundamental change in organizations, said Jerry Archer, senior vice president and CISO at Sallie Mae. “Everyone in this room will be impacted by it,” he told attendees.
That got me thinking: How will information security roles change as cloud computing becomes more prevalent in the enterprise? Do security pros need to worry about looking for other lines of work as security responsibilities shift to public clouds?
Industry experts I talked to see security pros continuing to play an important role as cloud adoption accelerates. After the RSA panel, Archer told me that security pros may need to acquire additional knowledge, for example in the area of contracts and law. But security is necessary and those with security expertise become “the gatekeepers” in this new IT environment, he said.
Cloud Security Alliance Executive Director Jim Reavis said security roles will change depending on the organization – whether it’s a cloud provider or cloud consumer. Providers will need to be able to provide the whole stack of security expertise and technologies while consumers will be looking to leverage higher layers of the cloud stack – SaaS and PaaS. For security pros working at organizations that are cloud consumers, this will mean a shift away from operational skills to application skills and closer work with business units, he said.
“I don’t think IT teams or security teams will disappear because of cloud,” Reavis said. “If you’ve got security expertise, you’ll be well employed for many years to come.”
Randall Gamby, information security officer for the Medicaid Information Service Center of New York (MISCNY), told me he sees security’s role falling in the vendor management space when it comes to cloud. Security professionals need to help organizations ask the right legal and technical questions of a cloud provider to ensure their data is protected.
“Being able to set up criteria to judge a cloud vendor and understand not only the services it offers, but the risks it may pose is important,” he said.
How do you think information security roles will change as cloud services become more prevalent? Leave me a comment below.
The big-bad scary zero-day exploit: it sends almost the same kind of shivers down everyone’s back as APT. Yet, like the advanced persistent threat, the zero-day is suffering some hype fatigue. More Web servers are popped by known bugs and exploits than some shadowy secretive attack crafted by the Electrical Engineering University of China’s People’s Liberation Army. Yet companies are still bombarded with marketing FUD about zero-days despite numbers that indicate exploits hitting unknown vulnerabilities account for less than 1% of all malware.
So do zero-days matter? Like everything else in security, it depends. If you’re in the bug hunting and bug selling business, they sure do. Last week’s CanSecWest hacker, err, researcher conference in Vancouver was a zero-day Lollapalooza with companies like VUPEN taking dead-aim at Google Chrome and Microsoft’s IE9 browser with zero-days developed just for the event. The French company, called out by privacy advocate Chris Soghoian at the recent Kaspersky Security Analyst Summit, admits to holding on to certain vulnerabilities and exploits only for its customers, refusing at times to share information with the affected vendors. Soghoian said VUPEN and others sell exploits to governments, who pay a heck of a lot more for what can be turned into a weaponized exploit than say a security conference or a bug bounty program, such as TippingPoint’s Zero-Day Initiative.
VUPEN CEO Chaouki Bekrar told Threatpost that VUPEN’s government customers are only trusted democracies and not oppressive countries. Taking him at his word, there’s still the argument that while a select few get a fix, the general user population remains exposed. It’s silly to think attackers aren’t way ahead of the game and already have their share of unreported bugs and exploits at their disposal, but this level of backroom wheeling and dealing is disconcerting. It casts a poor light on offensive security research and events like the Pwn2Own contest are probably unwillingly aiding and abetting.
I had a conversation with Microsoft senior security strategist lead Katie Moussouris recently about zero-days and vulnerability disclosure. Katie has been in the security business a while, including a stint at @Stake back in the day, and she said Microsoft’s experience with the research community is much different. She said that 80% of vulnerabilities found in Microsoft products are disclosed privately, and 90% of those disclosures are made directly to Microsoft. Most researchers, she said, are not motivated by money, but by intellectual curiosity. As a result, Microsoft has shied away from offering a bug bounty, and has instead focused on rewarding defensive security research with initiatives such as its Blue Hat Prize.
These are watershed days for security researchers and vulnerability disclosure. To be honest, the whole disclosure debate probably gives most of you a headache, worst of all if you’re a CISO sitting between the researchers and the vendors and the VUPEN-like middlemen while all this wrangling plays itself out. Tim Stanley, former CISO at Continental Airlines, summed it up best a couple of years ago:
“I love the love-fest between the vendors and researchers, but quite honestly, I don’t give a hoot. I’m the consumer, the guy who paid for the product that I expect to be correct in the first place. I’m the guy who paid for the software. When am I gonna know? The issue becomes a matter where the people paying for the product need to be better represented in this process.”
Changes to the data protection regulations are on the way for the 27 countries of the European Union, and the fallout in Europe serves as a good case study for U.S. governing bodies and businesses who are also playing tug-of-war over compliance regulations.
Businesses in the U.K. are steaming over the DPA proposals. In fact, our U.K. bureau chief, Ron Condon, described the reaction of the Confederation of British Industry (CBI), a lobbying organization representing more than a quarter-million companies, as “hostile.” Why such a severe reaction to proposed European privacy laws that, according to the European Commission, will save businesses £2.3 billion (about $3.6 billion) per year?
As part of the new data protection regime, businesses operating in the EU will need to ask consumers for explicit permission to capture the consumer’s data. Businesses fear just asking for permission will make consumers nervous, and nervous consumers can be miserly consumers.
It appears businesses may be right to worry. Consider what happened to the Information Commissioner’s Office in the U.K. when it implemented its own PECR regulation, specifically asking all site visitors for permission to place a cookie on their computer. According to the BBC, the ICO website normally received 12,000 site visitors per day, but after debuting the cookie request notice, the number of visitors dropped to about 1,400 per day.
Actually, the number of visitors willing to be tracked dropped. The ICO said only about 10% of its visitors accepted the cookie. The other 90% were probably still there; they may have simply declined to be tracked.
This could have serious repercussions to the way many businesses operate today. Without knowing which pages visitors look at, how long they study a product page, or the order they place products in the online shopping cart, businesses will lose crucial information they need to direct their strategies. Some businesses, I wager, may even go out of business once deprived of customer information.
Where should the line be drawn between visitors who want to be anonymous, and businesses who can’t serve their customers’ needs without fundamental information about those customers?
The ICO holds out hope that, eventually, users won’t be so easily scared off by cookie warnings, but I see this playing out another way. I got an inkling from an incident at RSA Conference 2012 last week.
A security vendor had a representative standing on Howard Street, flagging down anyone walking by who was wearing an RSA conference badge. In return for handing over a business card, the passerby received a $5.00 Starbucks gift card. Apparently $5.00 is the price this particular vendor was willing to pay for an RSA attendee to share their basic information.
As for me, I’m wondering how many cookies I can buy for $5.00 at Starbucks.
When it comes to customer case studies, CloudFlare has one of the most unusual and dramatic I’ve ever heard.
Last summer, the LulzSec hacking group signed up its website for CloudFlare, drawing the website security service and accelerator company into one of the biggest cyber battles ever, as LulzSec created mayhem on the Internet while rivals and others tried to knock it offline. CloudFlare’s CEO and Co-founder Matthew Prince detailed the attacks in a presentation at RSA Conference 2012; I wasn’t able to attend, but he filled me in during a briefing at the show last week.
LulzSec registered for CloudFlare on June 2, 2011 after it a substantial DoS attack knocked its newly launched site — LulzSecurity.com — offline for 45 minutes, Prince said. “We had no idea who LulzSec was,” he said. As it turns out, the group had just published information it had allegedly stolen from Sony.
For the next 22 days, LulzSec waged battle on the Web as rivals and white hat hackers launched a volley of attacks against the group’s site. “It was like a gunfight and we were sitting in the middle of it,” Prince said.
The battle proved a mighty test for Palo Alto, Calif.-based CloudFlare, which protects websites against threats like DDoS, XSS and SQL injection attacks while also boosting site performance. “It was the most massive pen test ever,” Prince said. “We learned a ton from the fact that LulzSec was with us.”
He explained that CloudFlare’s system automatically looks for anomalies to detect attacks and once it does, adds protection for all the websites it protects. More than 250,000 websites, from Fortune 500 companies to individual blogs, use CloudFlare. Using the service doesn’t require any hardware installation, only a change to network settings to allow site traffic to pass through CloudFlare, which operates 14 data centers around the world.
“We’re like a smart, skilled router on your network,” Prince said.
The fact that LulzSec stayed online for the 22 days it was with CloudFlare illustrates the company’s core value proposition, Prince said. “Because we saw these threats our network got smarter,” he added.
Prince said CloudFlare never got a request from law enforcement to take LulzSec offline, but quickly added that it has no mechanism to do that anyway. He noted that CloudFlare wasn’t LulzSec’s hosting provider.
As to whether CloudFlare considered shutting off service for LulzSec – a group linked to a number of attacks on corporate government sites – Prince said his company’s role isn’t that of an Internet censor.
“There are tens of thousands of websites currently using CloudFlare’s network,” he said in a blog post last summer. “Some of them contain information I find troubling. Such is the nature of a free and open network and, as an organization that aims to make the whole Internet faster and safer, such inherently will be our ongoing struggle. While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published. That is a slippery slope down which we will not tread.”
Traditional antivirus vendors are doing a good job detecting and blocking known mobile malware, according to Av-Test, a Germany-based independent service provider that tests antivirus and antimalware software.
The firm tested the detection capabilities of a variety of available Android mobile security apps using a malware set of 618 malicious application package (APK) files. Malicious apps that were discovered between August and December 2011 were included in the test set.
Avast, Dr.Web, F-Secure, Ikarus and Kaspersky rated highly, according to the firm’s latest analysis, Test: Malware Protection for Android 2012 (.pdf), issued today. Zoner and Lookout, two independent security firms with mobile security apps also performed well, Av-Test said. The apps had a detection rate of more than 90%.
Products that fell between 65%-90% included AegisLab, AVG, Bitdefender, ESET, Norton/Symantec, Quick Heal, Super Security, Trend Micro, Vipre/GFI and Webroot. Despite falling below 90%, Av-Test said the mobile security apps are still very good and should be considered.
“Some of these products just miss one or two malware families, which might be not prevalent in certain environments anyway,” Av-Test said in its report.
Mobile malware continues to make up about 1% of overall malware, but despite the threat currently being minimal, experts at RSA Conference 2012 have pointed to a variety of attacks, from banking Trojans to SMS fraud, which could pose a threat to enterprise networks. Some say attackers are not too far away from weaponizing applications to perform a variety of functions all aimed at collecting as much data as possible about the device owner.
Judging by the attendance at the mobile sessions during the conference, it’s clear that security professionals are concerned about mobile device security and are looking for ways to gain control and visibility into employee devices at the endpoint. Both Google Android and Apple iOS have been built with security features right into the platform.
“I would go as far as to say they are probably the most secure platforms ever built,” Kevin Mahaffey, CTO of Lookout told me in a mobile security interview at RSA Conference. Sandboxing and granular permissions that limit the device capabilities available to installed mobile applications make it much harder for an attack to be successful, Mahaffey said.
“We haven’t really seen malicious use of vulnerabilities on mobile devices yet, but plenty of researchers have demonstrated that it’s possible. There’s no magic pixie dust in iPhone or Android that makes it somehow immune from all the problems on the desktop,” Mahaffey said.
Anup Ghosh, founder and CEO of browser security vendor Invincea, shares a different view about the
Android platform. At RSA Conference, Gosh told me Android users should be concerned about mobile malware. Apple has done a good job of controlling its platform, keeping its ecosystem closed off to potential malware writers. Meanwhile, Android is using Java as part of its sandboxing strategy. It’s highly buggy, Ghosh said, with a lot of native interfaces to the underlying firmware.
According to Gosh: “When you download an app from the Android store you are giving explicit permissions, giving that app access to all kinds of system resources, which are all holes to that sandbox. It’s a fairly rich environment for adversaries to write malware. We’re still early as far as malicious code development goes, but they will follow the money.”
It doesn’t hurt to have a layer of security for protection. Mahaffey said a good mobile security app can protect device owners from malware or spyware, provide safe browsing capabilities and locate lost and stolen devices.
Av-Labs said that its test determined a grouping of 17 trustworthy mobile security apps. Even if a mobile security app performed poorly in its detection tests, some have other capabilities such as remote lock and wipe, backup and phone locating that may make them useful.
The firm tested the latest version of available mobile security apps using an Android emulator running the Gingerbread version of Android. The results were verified on a Samsung Galaxy Nexus running the latest Android version, Ice Cream Sandwich.
DNS services provider OpenDNS has hired away the chief technology officer of security vendor Websense Inc. and is laying the groundwork for a variety of DNS layer security services and products aimed at enterprises.
Dan Hubbard, who spent 14 years at Websense, is planning to build out OpenDNS’ security product portfolio. Hubbard played a significant role at Websense, building the Websense Security Labs and the company’s classification engine, which is at the heart of its security products. The engine is used to filter out malicious websites, block spam and phishing attacks and is also at the core of Websense’s content filtering technology.
Hubbard confirmed his departure this week. A Websense spokesperson said the company is already reshuffling executives to fill the CTO role. Charles Renert, an expert noted for his work with Symantec Security Labs and founding Determina, was promoted to vice president and will assume Hubbard’s responsibilities in the interim.
It’s going to be extremely interesting to see how OpenDNS’s enterprise security plans unfold under Hubbard’s guidance.
I spoke to Hubbard at a reception at RSA Conference 2012 where he exuded a lot of enthusiasm for his new gig at OpenDNS. Hubbard said there’s a potential for a whole new range of security technologies that take advantage of being in the DNS layer. The company, which launched in 2005, already provides malware protection for its users by blocking outbound botnet communications at the DNS layer. It also maintains PhishTank, the largest clearinghouse of phishing information on the Internet. OpenDNS has 12 data centers that handle DNS requests, but also have been collecting threat intelligence data for years. Combining threat intelligence with the ability to keep track of individual IP addresses opens up an interesting set of capabilities for protecting laptops and mobile devices.
The company already has a broad set of users of OpenDNS Enterprise, which provides inbound and outbound protection and is application-, operating system-, protocol- and port-agnostic since it is essentially cloud-based at the DNS layer. The company has been pushing itself as an extra layer sitting between the Internet and enterprise firewalls and antivirus technology at the endpoint. There are some built-in reporting capabilities providing data on attacks and malicious websites that were blocked by the service.
Hubbard’s move to OpenDNS and the company’s security strategy caught the eyes of at least two prominent security luminaries: Dan Kaminsky and Paul Vixie, who attended the reception. Last year, Kaminsky briefly shared with me his vision of what DNS-based security technologies can do. He believes a broad range of technologies can be built out leveraging DNSSEC architecture for authentication and establishing trust in Internet communications. It could provide a much needed injection of trust into the Internet, which has been evaporating in recent years because of a variety of issues, including breaches at SSL Certificate Authority vendors and well known weaknesses in the digital certificate system itself. Vixie has also publicly shared the potential of adding security to the DNS layer.
It was hard, however, to find the enthusiasm for OpenDNS from others at the RSA Conference. The first thing that comes to mind with OpenDNS is its consumer products that enable parents to shield porn and other websites from their children.
Several industry analysts and other security professionals I spoke to were too wrapped up in their own respective areas of expertise, but a few people said they share Kaminsky’s passion for the long-term potential of DNS-layer security technologies.
OpenDNS CEO David Ulevitch told me the company already has the foundation in place to provide a wide variety of security services. He said it just has to execute on its strategy and provide a convincing argument that enterprises can get value out of having security at the DNS layer.
Government and businesses – and individuals – often have competing priorities when it comes to information security and privacy, and those competing priorities are reflected in the multitude of ever-expanding compliance regulations in the U.S. IT pros are struggling to in light of these competing priorities and, from my vantage point sitting in on GRC sessions at RSA Conference 2012 this week, they are pretty stressed out.
Unfortunately, panelists speaking about hot topics in law and compliance at RSA Conference 2012 appeared to have little hope for a resolution to the tension anytime soon.
Panelist Benjamin T. Wilson, general counsel and senior vice president of industry relations for SSL certificate authority DigiCert Inc., called the tension between government and individuals/businesses a “megatrend” that’s overriding the compliance regulationsbeing written or modified in 2012. Regulators are torn between individuals and businesses: each want access to all kinds of information, but also want all their own information kept private.
Add in the many and varied regulations of other countries, who are themselves attempting to regulate how data is stored or transmitted, and the job of compliance manager becomes that much more difficult.
Microsoft’s Azure cloud service suffered a worldwide outage that started Tuesday and was apparently triggered by a timing miscalculation for the leap year. The company was continuing to work on Wednesday to resolve the Azure outage, which continued to affect some customers.
Microsoft said it became aware of an issue impacting the service management component of Azure at 5:45 p.m. Pacific Time on Tuesday.
“The issue was quickly triaged and it was determined to be caused by a software bug. While final root cause analysis is in progress, this issue appears to be due to a time calculation that was incorrect for the leap year,” Bill Laing, leader of the Azure engineering team, wrote in a blog post.
Microsoft created a fix and deployed it to most of the Windows Azure sub-regions, which restored the Azure service to most customers by 2:57 a.m. PST on Wednesday, he said.
“However, some sub-regions and customers are still experiencing issues, and as a result of these issues they may be experiencing a loss of application functionality. We are actively working to address these remaining issues,” he said.
In an email statement, a Microsoft spokesperson said some customers in three sub-regions – north central U.S., south central U.S. and North Europe – remained affected late Wednesday afternoon. Customers might have issues with Access Control 2.0, Marketplace, Service Bus and the Access Control & Caching Portal, which could result in loss of application functionality, the spokesperson said.
Windows Azure Storage was not impacted, according to Microsoft.
UPDATE: Microsoft reported Thursday at 10:13 a.m. Pacific Time that the Azure service disruption was completely resolved.
RSA Conference 2012 feels like a big ol’ group therapy session. Small circles of friends, larger circles of industry peers, huddled masses freeing themselves of a collective weight on their shoulders. No longer do they have to lie to themselves, their colleagues or bosses. “Hi, I’m Joe Security and I’m pwned!” They’ve come to grips with the fact that it’s OK to say security technologies suck, networks are compromised and attackers are winning.
OK, that last part has always been part of the dialogue. But the other two have only been whispered in the past. Now it’s being shouted at networking events and even from the big keynote pulpit here in San Francisco. Legacy investments in signature-based antivirus, intrusion detection and other detection technologies don’t serve the industry as well as they used to. Signature updates can’t keep up with the evolution of malware. And most attacks are too targeted or too stealthy, or both, to warrant signatures for the masses. It doesn’t work anymore and everyone’s free to say it without repercussion.
Granted, Art Coviello, RSA Security’s chief executive, has a vested interest in shouting it the loudest, but he made a good, encapsulating point during his keynote yesterday: “We have to stop being linear thinkers, blindly adding new controls on top of failed models. We need to recognize, once and for all, that perimeter-based defenses and signature-based technologies are past their freshness dates, and acknowledge that our networks will be penetrated. We should no longer be surprised by this.”
There’s a lot of whispering now about bringing big data concepts to security. Your resume had better soon include some business analytics experience if you wanna be tomorrow’s CISO. You’d also better figure out how to harness all that data your security gear spits out and learn how to baseline “normal” network behavior and address anomalies. And oh yeah, you better know how to talk to your executives about security.
Selling them your initiatives based on fear is so five years ago. You better learn your business, how it makes money, and how to deliver metrics that address not only bottom-line impact, but how the customer experience is affected, how internal processes need to reflect security and how you’re articulating security to the company to turn everyone into an advocate for you.
Journalists and analysts like tipping points and landmarks because it makes it easier for us to articulate our stories to readers. Most of the time those tipping points and landmarks are made up; not this time though. There’s a definite change in the air and some tangible direction for the industry. Let’s see how we did about this time next year.
The Cloud Security Alliance Summit at the RSA Conference 2012 got off to an entertaining start Monday with a keynote from an unlikely entertainer: Mike McConnell, former NSA and national intelligence director. McConnell had the crowd laughing with stories of his grandchildren and old times with Colin Powell, but he segued into a serious message: The country isn’t doing enough to address the threat of economic cyberespionage.
The U.S. is the “most digitally dependent nation” and its competitive advantage is its innovation, creativity, research and development, he said. “That information is regularly being taken from us,” added McConnell, who is now vice chairman at Booz Allen Hamilton.
McConnell didn’t point fingers at any country, but said some nation states make it a policy to conduct economic espionage and capture intellectual capital. “We are moving very slowly to address these threats. …We don’t have a cyberdefense capability on a global scale,” he said.
The country needs to establish a policy for what the NSA can do to protect the nation in cyberspace, he said. “The industry is going to have to accept some level of regulation.”
“The economics of cloud computing are compelling,” McConnell said. “It will happen. We need to address privacy, business interests and the national security dimension.”
Other highlights from the CSA Summit:
The CSA announced an “innovation initiative” to help speed development of cloud security by identifying key issues related to security that block the adoption of next-generation IT, documenting guiding principles that IT innovators should address, and incubating IT solutions that align with CSA principles.
Interestingly, the initiative includes not only a working group within CSA, but a for-profit entity that will work with innovators. Innovators don’t have to use CSA assistance in developing their technology, but can have a CSA working group assess its value.
The CSA also is starting a research project into SLAs and is looking for volunteers. The goal is to develop standards around SLAs – something no doubt many cloud users would appreciate.