Target Breach: Vendors, You're Not Wrestlers, And This Isn't The WWE

Yesterday, Bloomberg Businessweek ran a story providing some alarming details on the Target breach.  The article, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” didn’t paint a pretty picture of Target’s response. 

Some of the highlights in case you haven't read it yet: 

  • Six months before the incident, Target invested $1.6 million in FireEye technology.
  • Target had a team of security specialists in Bangalore monitoring the environment.
  • On Saturday November 30, FireEye identified and alerted on the exfiltration malware. By all accounts this wasn't sophisticated malware; the article states that even Symantec Endpoint Protection detected it. 
Read more

You Should Attend Next Year’s RSA Conference Innovation Sandbox

Last week I attended the RSA Conference (RSAC) Innovation Sandbox for the first time.  Not only was I an attendee, but I also was fortunate enough to host a CTO panel during the event. For those that aren’t aware, the Innovation Sandbox is one of the more popular programs of the RSAC week.  The highlight of the Innovation Sandbox is the competition for the coveted “Most Innovative Company at the RSA Conference” award.  This is basically the information security version of ABC’s Shark Tank.  If you want to learn about the up-and-coming vendors and technologies, this is one place to do it. To participate, companies had to meet the following criteria: 

  • The product has been in the market for less than one year (launched after February 2013).
  • The company must be privately held, with less than $5M in revenue in 2013.
  • The product has the potential to make a significant impact on the information security space.
  • The product can be demonstrated live and on-site during Innovation Sandbox.
  • The company has a management team that has proven successful in the delivery of products to market.
Read more

Actionable Intelligence, Meet Terry Tate, Office Linebacker

sdfasdfaasdfThe #Forrester Security & Risk team is hiring. We are looking for consultants to join our team bit.ly/M9gWS5 #infosecasdfasdasdfasdddsadfas

We are now less than two weeks away from our annual sojourn to the RSA security conference. RSAC is a great time for learning, meeting and making friends. (Please hold cynical remarks; RSAC is what you make of it.)  As the date grows near and my excitement grows, I am preparing my mind and patience for the ubiquitous silver bullet marketing that is predestined to appear.  

One of these silver bullets will be the term "actionable intelligence." You will be surrounded by actionable intelligence. You will bask in the glory of actionable intelligence. In fact, the Moscone expo floor will have so much actionable intelligence per capita you will leave the conference feeling like the threat landscape challenge has been solved. Achievement unlocked, check that off the list. Woot!

Well not so fast. I frequently talk to vendors that espouse the greatness of their actionable intelligence. Whenever I hear the term actionable intelligence I want to introduce them to Terry Tate, Office Linebacker.  Terry Tate first appeared in a 2003 Reebok Super Bowl commercial. 

Read more

LG Is Learning An Embarrassing Privacy Lesson In The Age Of The Customer

In a recent report titled “Technology Management In The Age Of The Customer,” Forrester defines the Age of the Customer as: "A 20-year business cycle in which the most successful enterprises will reinvent themselves to systematically understand and serve increasingly powerful customers."  In this Age of the Customer, empowered consumers using social media can have tremendous influence.  Technology gives the lone voice a platform to be heard across the Internet. Technology is the force multiplier for empowered consumers.  

Jason Huntley, a UK-based IT consultant, is a perfect example of one of these increasingly powerful customers. He posted a blog titled “LG Smart TVs logging USB filenames and viewing info to LG servers.” In it Jason detailed how his Smart LG TV was spying on him.  The TV was not only reporting data about viewing habits, but was also uploading the filenames from the storage devices he attached to the TV.  His viewing habits data was collected despite the fact that he had opted out of the “Collection of watching info.”  Jason wrote, “This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.”  He had a false expectation of privacy. See below: 

Read more

Kicking Off Forrester's "Targeted Attack Hierarchy Of Needs" Research

I am about to kick off my next Forrester research on targeted attacks.  Here is the short abstract: "The threat landscape has evolved but organizations haven't. Leveraging concepts of Zero Trust, this report will detail strategies for protecting against targeted attacks against your organization. We will focus on the pros and cons of various strategies and provide suggestions for maximizing your investments." If you'd like a preview to the tone of this research please see one of my previous blogs: "Kim Kardashian and APTs."

  • Vendors:  The focus of this research is on overall strategy and NOT on specific vendor capabilities. We look forward to detailed vendor conversations when we do follow on Waves or Market Overviews in the future. 
  • Enterprises:  If you would like to provide us feedback on your experience with defending against targeted attacks, we would love to hear from you.  If you purchased a magic anti-APT box and it is/isn't living up to your expectations, let us know.  We are currently scheduling research interviews.  Research interviews are open to more than just Forrester clients.  If you aren't a client and would like to participate, we will provide you a complimentary copy of the final research upon completion. 
Read more

If Everything Is Threat Intelligence, Then Nothing Is Threat Intelligence

The hype surrounding threat intelligence has continued to build since I wrote the blog "My Threat Intel Can Beat Up Your Threat Intel” in mid-2012.  S&R pros are responding to both the hope and promise of threat intelligence. According to our Forrsights survey data, 75% of security decision-makers report that establishing or improving threat intelligence capabilities is a top priority for their organization.   

One of the most significant challenges in leveraging threat intelligence is operationalizing it. Today, there are two broad categories of organizations that leverage threat intelligence. I’ll use an analogy to describe them. The US television show “Sons of Anarchy” follows the lives of an outlaw motorcycle club. The Sons of Anarchy refer to themselves as “1%ers”: They have the power, resources, and means to accomplish anything they desire. This is in contrast with the 99% who are merely motorcycle enthusiasts without these capabilities.  Some of these early adopters include financial services, technology, and manufacturing companies. 

Read more

Kicking off the Forrester Web Content Security Wave

We are about to kickoff our next Forrester Wave on web content security.  The inclusion criteria for vendor prequalification will be sent out within the next two weeks. We will be focusing on both traditional web gateways as well as the hybrid and SaaS delivery models. What does this mean for you?

  • Vendors:  If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey.  We will be limiting the number of vendors participating in this evaluation. 
  • Enterprises:  If you would like to provide us feedback on your experience with web content security solutions and vendors, we would love to hear from you.  We plan to leverage your feedback for evaluation criteria as well as score weighting.  

Please contact Kelley Mak (kmak at forrester.com) if you are interested in participating.   We expect this Wave will publish in the Spring of 2014. (Fine print: This is a publication estimate and this date is subject to change.) 

Point Solutions Must Die

Last year I wrote a blog post titled, “Incident Response Isn’t About Point Solutions; It Is About An Ecosystem."  This concept naturally extends beyond incident response to broader enterprise defense.  An ecosystem approach provides us an alternative to the cobbling together of the Frankenstein’esque security infrastructure that is so ubiquitous today. 

Many of us in the information security space have a proud legacy of only purchasing best in breed point solutions. In my early days as an information security practitioner, I only wanted to deploy these types of standalone solutions. One of the problems with this approach is that it results in a bloated security portfolio with little integration between security controls. This bloat adds unneeded friction to the infosec team’s operational responsibilities.  We talk about adding friction to make the attacker’s job more difficult, what about this self-imposed friction?  S&R pros jobs are hard enough. I’m not suggesting that you eliminate best in breed solutions from consideration, I’m suggesting that any “point solution” that functions in isolation and adds unneeded operational friction shouldn’t be considered. 

Read more

Counter-Strike?

On Monday the Wall Street Journal ran a story on hacking back titled, “Support Grows to Let Cybertheft Victims Hack Back.”  The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse. I thought debating this was so 2012.  Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback. 

The article explains, “… companies that experience cybertheft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information." I hate to be the bearer of bad news, but for most organizations, once the data has left your environment the chances of you retrieving it are very slim. Your data has left the building and it isn’t going to “re-spawn.”  If you couldn’t prevent exfiltration of this data in the first place, what would make you think that you could prevent the subsequent exploitation of it?  

As I said back in January in my “Five Steps To Build An Effective Threat Intelligence Capability” report, “If you have a mature security program, you can consider counterintelligence operations, but leave the hacking back to governments and militaries.” 

There are many suggested strategies for dealing with the threat landscape. Hacking back should not be one. 

Read more

Observations on the 2013 Verizon Data Breach Investigations Report

I was very excited to finally get a copy of the much-anticipated 2013 Verizon Data Breach Investigations Report (DBIR.)  I have found the report to be valuable year after year.  This is the 6th iteration and this year’s report includes 621 confirmed data breaches, as well as over 47,000 reported security incidents.  18 organizations from across the globe contributed to the report this year.  The full report is 63 pages, and I have to say that Wade Baker and company did a great job making it an enjoyable read. I enjoyed the tone, and I found myself laughing several times as I read through it (Laughing and infosec aren't commonly said in the same breath.)  There are tons of great references as well, ranging from NASCAR, to Biggie Smalls, the Violent Femmes and more.  The mantra of this year’s report is “Understand Your Adversary’ is Critical to Effective Defense and Response.”   Here are a few observations: 

The focus on the adversary answers customer questions.  Who is the adversary? This is a frequent question from Forrester clients.  The Mandiant APT1 report stirred up much debate on state sponsored actors and Verizon's data and analysis gives us more perspective on this class of threat actor. The first table in the report profiles the threat actors that are targeting organizations.  It provides a high level view that I suggest you include in any type of executive engagement activity you participate in.  This 3rd party snapshot of the threat actors should resonate with a wide degree of audiences.

Read more