Using the Gartner magic quadrant when buying security products

The Gartner magic quadrant is ubiquitous at security sales presentations. Being featured in the quadrant, the leaders quadrant in particular, is a part of the vendor pitch and the recognition that it provides may have an impact on the purchasing decision. Is it of such significance and should it impact your purchase decision?

Gartner does provide useful analysis of security products, their penetration into markets and their product maturity. I occasionally check out Anton Chuvakin’s blog on SIEM as I find it a useful resource in my own specialisation. Knowing the quality of the output (at least in the SIEM blog), I have some faith that the MQ delivers what it promises to deliver. This is what one needs to note: are the MQ’s judgement criteria relevant to your purchase decision?

In very few sales presentations that I have attended have I seen an actual quote from Gartner’s analysis provided by the vendor. They have contented themselves with putting up the MQ itself, allowing potential clients to assume that it means the product is fantastic or, if the product is the highest and rightmost on the chart, the best product. The clients for their part appear to fall for the assumption. This is not what the MQ is meant for. While the MQ does say something about the market penetration, the vision and coverage of the product and vendor, it says very little about whether the product fits your business. Users look for products in the top-right quadrant, when in fact a product in the top-left may be a much better fit for your environment.

Gartner explains their methodology for the magic quadrants here.

Gartner is very open in stating that the quadrants talk about the capabilities of the technology providers in executing and envisioning the future for the type of product. It says nothing about the technology solution on offer and does not pretend to. Gartner’s critical capabilities articles are much more useful when considering products provided by the vendor. More importantly, use this as no more than a starting point when considering dealing with a vendor / product. There might even be a chance that the best-fitting product is not in the quadrant or that there is no quadrant for the kind of product that will fit your requirement.

Gartner’s analysis is inadequate to inform you as to whether the product will work for you. Get your vendors to come up with a proposal to fit your requirements and perform a proof of concept with a few vendors and with your security team to really understand the product for your decision making.

You might also find these articles interesting:
The horror of the security product presentation
Comparing SIEMs for your environment

I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html

SIEM: Comparing available SIEMs

This is an article of a series on a group of security products known as SIEM: security information and event management. This article introduces SIEM.

You have decided to get a SIEM since you need it in your environment. Vendors will soon present to you on the merits of their SIEM and how their product is superior to the competition’s. How do you cut through the jargon and understand whether the product fits your needs? Here are some of the things that different SIEM products perform differently.

User-friendliness
This might be harder to measure than you think. Note that there are different types of users in every environment. “Using” the SIEM (i.e. running reports and searches and looking at dashboards) requires one level of user. With some SIEMs, the user can simply type in a keyword or an IP address and instantly get query results from days of logs. With others, they may need to learn the syntax of a search query. In some cases the search query syntax can be learned in minutes. In other cases, a really good query may require knowledge of regular expressions, which requires analysts with technical talent.

Administering the SIEM and creating reports and rules typically requires users with a higher degree of technical knowledge. They also need to find the SIEM friendly to use. In some cases, it is very easy to extract out the results of a search as a report and save the format for later use. In others, it is more complex, with multiple modules needing to be created prior to arriving at the final output. Likewise some SIEMs allow correlation rules to be created with just a series of mouse-clicks from a search output. Some others may not have this functionality.

User-friendliness should be a key criterion when there are no dedicated personnel handling the SIEM. If you have a small security team (or worse, if you have no dedicated security team), this will be a significant criterion.

Setup time
Some vendors advertise ‘turn-key’ products that can get up and running in minutes. Always take with a pinch of salt any promise of instant security. What these provide is a check in the “do we have a SIEM?” checkbox for people with compliance requirements. Given that, setup time still varies among products. Some vendors will have multiple types of products with differing setup times that are worth considering.

Why do these setup times vary? Often the products may be a ‘starter pack’ with a small subset of features or they may turn out to be not very customisable or extensible. Consider whether the product will also fit your needs a few years on when purchasing something that has a short setup time.

Extensibility
Depending upon the environment and your initial motivations behind getting a SIEM, your need for storage space may change slightly or drastically over the life of the product. Enterprise-grade products ought to be extensible, either by adding storage to the existing setup or by having another instance of the product software running that can be integrated into the current setup. In some architectures it is possible to run a search from one component on all components in the infrastructure. In some other architectures, a selection of events flow up to a higher level manager where these key events are analysed.

Customisability
Customisability and extensibility are occasionally antithetical to user-friendliness and setup time. Some products come with a large number of use cases that are effective out of the box, but are not customisable or are hard to customise. Others are used best when they are heavily tailored to the environment and allow a great deal of customisability.

Environments with fewer analysts (or no analysts) may not need the customisability option so much. Security operation centres and large environments will work best when the use cases are tailored. These environments are also more likely to have dedicated personnel who can learn the SIEM thoroughly such that the user-friendliness and intuitiveness of the SIEM is less likely to be a problem.

The above four are criteria that help with evaluating traditional SIEM. The below capabilities are now becoming more relevant and useful in improving the effectiveness of SIEMs.

User behavior analytics
While dealing with ‘events’ generated by devices is key to SIEM functionality, attaching those events to actual flesh and blood users performing actions, legitimate and illegitimate, is of considerable value. Today’s SIEMs either have this capability built in or can add in this capability as an extra module. This should be a part of your consideration especially if you look into insider threat (you absolutely should)!

Artificial intelligence / machine learning / anomaly detection
Different companies will call it by different names. The crux is to go beyond pre-built rules to let the machine analyse normal patterns of behavior and inform the analyst of anomalies. The technology is not foolproof, but this is the future.

Get your vendors to do a proof of concept (POC) so that the SIEM demonstrates its value. Have your technical staff evaluate the product based on the criteria for your environment before you make your decision.

Also check out these resources:
My previous article introducing SIEM
Anton Chuvakin’s blog at Gartner is a great SIEM resource 


SIEM: Security information and event management

This is the first article of a series on a group of security products known as SIEM: security information and event management.

You are probably familiar with the fact that most computing devices log a number of events that happen on their systems, e.g. a user logs into Windows; an antivirus scanner detects a virus; a switch port is disabled; etc. As in a plane’s black box or a written log of events, the events happening inside computer systems have value: an administrator can understand what caused a user to get locked out of his computer; why the web server is no longer receiving traffic; where the origin of a worm is; etc. Since the logs are available, it will be of much more use if they can be readily accessed from a purpose-built system than if we had to go to each individual machine to retrieve them. Log management systems (LMS) were born out of this requirement.

A log management system collects logs in a central repository. This can be useful for after-the-fact reviews of incidents. What if you want to know in close to real-time what is going on in your computer infrastructure? This is where the SIEM comes in. SIEMs have considerably enhanced capabilities over LMS, but usually may not retain the logs for as long as purpose-built LMS.

SIEMs perform a few functions: they normalise, aggregate and correlate the logs. They present the logs in an easy to understand GUI. They are able to provide trending and analysis.

Normalisation: Logs come in various formats. It can require a bit of an effort to understand what logs from different products/manufacturers are trying to say. SIEMs simplify this by standardising the log content into fields that are common to the SIEM. The analyst has to understand the field within the SIEM. This is adequate to comprehend the logs.

Aggregation: There are some devices that send hundreds, perhaps thousands of similar events with just a few parameters including the timestamp differentiating between them. In the event that the distinctions are not relevant, a number of events within a short timeframe can be aggregated into one event, along with the total number of events represented in a field. This reduces the number of lines that an analyst has to look at.

Correlation: This is the key strength of the SIEM. Correlation is the ability to see relationships between distinct events that happen in the infrastructure. The events may originate from distinct products and can sometimes be separated by hours. If such relationships can be automatically found, it drastically reduces human effort in analysis. If a person’s remote login account is used and within a few minutes, their door card is used to access an office building, this might be something that security has an interest in. A SIEM can detect this sort of correlation.

Alerting:
The obvious next thing to do after detecting a correlation that is security-critical would be to notify the analysts of the event. This can be done via email, SMS, popups on their console, etc. SIEMs have the ability to send alerts close to real-time once an event or a correlation occurs.

Dashboards and reporting:
SIEMs come with nice interfaces that provide snapshots or current states of security in one’s environment. These may be snapshots in the form of reports, presented as charts, tables or a combination or they may be dashboards that show current states, maxima, minima, averages, etc.
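The normalisation, aggregation and correlation steps described above can be sketched in a few lines of Python. This is an added example, not code from any SIEM product: the three log formats, the field names and the 60-second and 10-minute windows are assumptions, and all log lines are constructed.

```python
"""Added example: normalise, aggregate and correlate constructed log lines."""
import re
from datetime import datetime, timedelta

# Constructed sample logs in three made-up formats (not real vendor formats).
VPN_LOG = [
    "2016-10-03T08:58:10 vpn-gw login user=alice src=203.0.113.7 result=success",
    "2016-10-03T09:40:00 vpn-gw login user=bob src=198.51.100.4 result=success",
]
BADGE_LOG = [
    "03/10/2016 09:02:45,HQ-Lobby,alice,GRANTED",
    "03/10/2016 13:15:00,HQ-Lobby,bob,GRANTED",
]
FIREWALL_LOG = [
    "2016-10-03 09:00:01 fw1 DENY tcp 192.0.2.50:40001 -> 10.0.0.5:22",
    "2016-10-03 09:00:02 fw1 DENY tcp 192.0.2.50:40002 -> 10.0.0.5:22",
    "2016-10-03 09:00:04 fw1 DENY tcp 192.0.2.50:40003 -> 10.0.0.5:22",
    "2016-10-03 09:05:30 fw1 DENY tcp 192.0.2.50:40004 -> 10.0.0.5:22",
]
FW_RE = re.compile(r"^(\S+ \S+) \S+ (DENY|ALLOW) \S+ ([\d.]+):\d+ -> ([\d.]+:\d+)$")


def event(time, source, action, user=None, src_ip=None, target=None):
    """The common schema every source is normalised into."""
    return {"time": time, "source": source, "action": action,
            "user": user, "src_ip": src_ip, "target": target, "count": 1}


def normalise_vpn(line):
    ts, _host, _verb, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "vpn",
                 "login_" + kv["result"], user=kv["user"], src_ip=kv["src"])


def normalise_badge(line):
    ts, door, user, result = line.split(",")
    return event(datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"), "badge",
                 "door_" + result.lower(), user=user, target=door)


def normalise_firewall(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError("unrecognised firewall line: " + line)
    ts, verdict, src_ip, target = m.groups()
    # The source port is dropped: a distinction that is not relevant here.
    return event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "firewall",
                 verdict.lower(), src_ip=src_ip, target=target)


def aggregate(events, window=timedelta(seconds=60)):
    """Fold events that differ only by timestamp into one event with a count."""
    open_groups, out = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["source"], ev["action"], ev["user"], ev["src_ip"], ev["target"])
        group = open_groups.get(key)
        if group and ev["time"] - group["time"] <= window:
            group["count"] += 1
            group["last_time"] = ev["time"]
        else:
            group = dict(ev, last_time=ev["time"])
            open_groups[key] = group
            out.append(group)
    return out


def correlate_remote_and_physical(events, window=timedelta(minutes=10)):
    """Flag a user whose remote login and door-card use fall within `window`."""
    logins = [e for e in events
              if e["source"] == "vpn" and e["action"] == "login_success"]
    badges = [e for e in events
              if e["source"] == "badge" and e["action"] == "door_granted"]
    alerts = []
    for login in logins:
        for badge in badges:
            gap = abs(badge["time"] - login["time"])  # order does not matter
            if login["user"] == badge["user"] and gap <= window:
                alerts.append({"user": login["user"], "vpn_src": login["src_ip"],
                               "door": badge["target"],
                               "gap_seconds": gap.total_seconds()})
    return alerts


def run_pipeline():
    events = ([normalise_vpn(l) for l in VPN_LOG]
              + [normalise_badge(l) for l in BADGE_LOG]
              + [normalise_firewall(l) for l in FIREWALL_LOG])
    aggregated = aggregate(events)
    return aggregated, correlate_remote_and_physical(aggregated)


if __name__ == "__main__":
    aggregated, alerts = run_pipeline()
    for ev in aggregated:
        print(ev["time"], ev["source"], ev["action"], "x%d" % ev["count"])
    for alert in alerts:
        print("ALERT", alert)
```

Eight raw lines become six events for the analyst, and the only alert raised is for the account whose remote login and badge use are a few minutes apart.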

 

SIEMs have evolved over the last decade and they now come with even more features. The ability to do user behavior analysis and integrate threat and network models are features that you will see in today’s SIEMs.

The ubiquitous Gartner magic quadrant for SIEM will give you an idea of the major players in the SIEM market as Gartner sees it. Take care to actually read their analysis and to look beyond the picture when you consider buying a SIEM for your organisation.

I will make a few more posts on SIEM in the next few weeks.
 

Blocking internet access for cyber security: Will it work?

“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.” —Dennis Hughes, FBI [attributed]

From May 2017, the Singapore government intends to block internet connectivity for the work computers of its 100,000-strong force of public servants. The government has opted for the drastic measure on account of security concerns. Is it really necessary and is this the best way of keeping things safe?

A key principle that information security managers learn is that security must work to enable business and not prevent it. Attempts to add security that appear to work against the normal functioning of the business are doomed to fail. This will be critical to whether the Singapore government’s efforts succeed or fail. It is not only the technological aspect of this new setup that must be taken care of, but also the ‘people’ and ‘process’ aspects. The latter appear to be lacking, at least in what has been covered in the news.

Did the government get the technology aspect right? Among other things, companies that have information security-aware management perform a ‘blacklisting’: for instance file-sharing activity, chatting, pornography sites and known malware sites and activity may be blacklisted and cannot be accessed by employees. Some security experts recommend a tougher measure called ‘whitelisting’: only the specific sites in the whitelist may be accessed by employees. This list could contain the top 1000 sites on the internet known to be safe and, upon business justification, additional sites could be added to the list. Entirely blocking internet access is the toughest possible measure and might be a bit heavy-handed.

Disconnecting a computer from the internet is called air-gapping. It is a legitimate security measure for the very paranoid / persons under surveillance. Security expert Bruce Schneier explains here what he did to stay secure from the NSA while working on the Snowden documents. Air-gapping requires a huge amount of effort to get right, primarily because the information that you work with tends to come through the internet. Air-gapping will make life harder for an attacker who wishes to access information in/through your computer. Information on one’s computer may still be accessible in certain ways, but accessing the office network through that device does get considerably more difficult for an attacker.

Air-gapping is not foolproof. An air-gapped computer owned by a non-technical person is less likely to be updated with security patches than one that is connected to the internet. It may make the device more susceptible to attacks through vectors outside of the internet. Targeted attacks have been carried out against air-gapped devices as long ago as 2010 using USB drives. The Singapore government currently does allow its employees to use the USB ports on their devices. USB drives are well-known transmission vectors for malware and many companies prevent their usage by locking them down. This would be a pragmatic step to take before the more desperate measure of taking away internet access.

The initial announcement of the upcoming policy also stated that employees would be allowed access to the internet on their personal devices and devices kept specifically for internet use. The Infocomm Development Authority (IDA) clarified in a Facebook post that “only unclassified emails for purposes such as accessing URLs” could be forwarded to private email accounts. This is going to be tricky. An employee who has habituated himself to transferring emails between his work and personal emails is going to do more and more work when directly connected to the internet on their personal devices, especially when the work requires research or benefits from information found on the internet. This in turn could lead to the personal devices becoming targets of attack, reducing the need to attack the office-issued devices in the first place. Considerable effort will need to be made to ensure that employees are aware of what information may absolutely not be transferred to devices outside the office-issued computers. These are serious flaws in the ‘people’ and ‘process’ aspects of the new policy.

I have already encountered people discussing how to subvert this ‘problem’ of no internet access. Singaporeans are technically savvy enough to get the internet that they need. The government has to ensure that their work does not get too painful and that access is had where they require it or the subversion will eliminate the positive security effects of removing internet access.

Security buzzwords – zero day and APT

Information security / cybersecurity is all over the news these days with a serious hack / breach reported just about every week. News reporters and salesmen are happy to capitalise with catchy headlines and spreading of fear. On occasion, the truth gets lost while this is going on. Here are a few buzzwords / buzz-phrases that you may have come across, that may not mean what you think:

Zero day
A ‘zero-day vulnerability’ is a vulnerability that the maker of the product does not know about, but an attacker does. Once information about this vulnerability is known, the vendor has 0 days to fix it before it affects their customers. Plenty of vulnerabilities these days are discovered by ‘good guys’ – white-hat researchers – who report their findings to the producers of the software and give them a reasonable period (such as 90 days) before the information is made public. These vulnerabilities are not zero-days because the wider community (and malicious players in particular) typically learn about them only after the patch is released. A ‘zero-day exploit’ would be the use of such a vulnerability before the vendor learned of its existence.

Examples of misuse:
Vulnerability in LastPass misreported as zero-day by many reputable news sites: http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
Nonsensical title talking about a ‘patched zero-day’: https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/

APT / advanced persistent threat
An advanced persistent threat (APT) is a higher grade attacker than the usual. APT attacks tend to be targeted and stealthy, and may involve a large number of steps, with multiple devices being infected and data being exfiltrated only in the later stages. Some of these will be so effective that they will remain undetected for years. On occasion, they can also reach computers that are not connected to a network. The level of sophistication is said to be such that only nation-states and big criminal organisations have the expertise to carry out such attacks.

Some of the top names in security have ‘APT’ solutions. Do they work? They do detect some threats that traditional methods do not, but advanced persistent threats? No. Claims to detect APTs must be taken with some amount of caution. Malware testing company NSS Labs came up with a few tests of increasing difficulty where none of the tested products detected the stealthy test. Their conclusion: “Novel anti-APT tools can be bypassed with moderate effort…” They were able to develop the test samples without having access to the APT solutions during test development and “resourceful attackers who may be able to buy these products will also be able to develop similar samples or even better ones.” Our takeaway from this: make sure that the vendor’s claims are supported by evidence and seek unbiased sources when trying to find out more information.

Also check out this previous article: The horror of the security product presentation

The Ransomware Social Contract

I had been anticipating this for a while: there has finally been a publicly known case where the social contract between ransomware extortionists and their victims has been broken. The contract? That after paying the ransom, the victims would be given access to their files.

What is ransomware? Extortionist criminals are now using this tactic to make money. They break into their victims’ computer systems and encrypt their data. The victims are then told to pay a ransom in order to get the key to decrypt the data. Imagine the situation where all your photos and work in your computer are inaccessible, despite still being in your computer. If you could pay a small amount to make this problem go away, odds are that you would.

Now multiply the volume of data a million-fold. A business is hit. Their daily operations require this data to be accessible. Every second that they do not have it is money lost. If it is a hospital? Hospitals have been hit and left unable to provide effective care to their most vulnerable patients for short periods. Most would be willing to just pay the small amount in ransom rather than put their work in jeopardy.

Low ransoms and the fact that the extortionists have kept their promise of providing the decryption key have made ransomware a viable business model. This may be finally over. One hospital paid the ransom only to have the extortionists ask for more. The ‘social contract’ is broken. It was always a possibility that the attackers would go back on their word. It has happened.

Ransomware is not a new phenomenon. It has been around for almost three decades. For some reason, it just took off as something big in the last three years. Perhaps the existence of commercial software such as exploit kits that package various methods of attack without requiring much technical skill on the part of the attacker helped its rise.

What now? Ransomware is not about to go away. We should practise some IT security 101 to protect the data that is precious to us (yes, really). Backing up data is the old-fashioned and effective method that protects against the loss of data (ransomware or otherwise). Knowing not to click on unknown links or open dubious email attachments helps too. Keeping your operating system and software updated and having an anti-virus enabled is another. These things are all IT security 101 and knowing and practicing them will protect you against more than ransomware.

What if you have been hit and do not have a backup? You could pay, but be aware that you are depending upon the mercy of criminals.

Also read:
http://www.essaysonsecurity.com/blog/shit-just-got-real
https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/

Shit just got real

Over the past few years, we have had plenty of time to read about the exploits of malicious hackers. These have appeared on the news so many times that we have had the (mis) fortune to get desensitised to them. Why does it matter? Why should anyone care about who got hacked? And then, what can one (the layman) do about it?

It matters because it can affect us, and affect us badly. Our personal details are stored by many companies and governments. Not all of them put effort into securing this information that they have been entrusted to keep safe. Details such as our birth date and our address may be used by our bank or our email provider to verify our identity over the phone. Imagine if someone were able to access our email just because they knew our birthday and our address. This happened to the director of the CIA, James Brennan. It has happened to ordinary people as well.

What about the companies that got hacked? Sometimes the hacking is (relatively minor) reputational damage in the form of website defacement. It is a serious matter when personal information, email contents and proprietary data are stolen – things that can directly affect a company’s bottom line and harm its customers. Theft of money or something like money (such as credit card information) also happens. How do we not get habituated to ignoring these things when they show up in the news?

Last week presented something that I found to be quite scary: the “shit just got real” moment. A hospital in Hollywood had great difficulty doing the job of caring for its patients because of an attack on their IT infrastructure. The hospital’s files were affected by a type of malware called ‘ransomware’, which encrypts the data until decrypted with a key obtained after paying the ransom. Staff used pen and paper to record new patient details and transferred some patients out to other places. Patients’ records are stored in computers. Their details are digitised so that a doctor or nurse can easily pull them up on a monitor when doing their work. What happens when something as basic as a hospital is unable to function because their IT is hit? This is why security is important, and why we have to demand that our various service providers take it very seriously.

What can we do about this?

  1. Educate yourself about personal information security.
  2. Vote with your feet against companies that do a bad job; especially against companies that are unrepentant and against companies that claim that they were hacked by “sophisticated” attackers (don’t take their word for it).

If you happen to work in IT, operations, or risk management, make the effort to understand how information security risks may affect your organisation and your clients and take steps to reduce the risks.

When is 2FA not 2FA?

Security experts strongly recommend using 2-factor authentication (2FA) for accessing critical accounts, such as your bank account. What precisely does this mean?

Authentication methods are divided into three factors:

  1. Something you know (passwords)
  2. Something you have (authentication token, a key, a code sent to your phone, etc.)
  3. Something you are (biometrics: fingerprint, iris, veins under your fingertips, etc.)

Combining two of these factors provides effective security protection in the event that any single factor is compromised. In the event that someone shoulder-surfed your password, they may still need your authentication token to log in. In the event that your RSA token device was stolen, it is useless without your password. If an attacker has your key, but faces a retinal scanner awaiting input, he may be stopped.

So far so good. The problem is that users themselves are key to subverting these additional protections. The use of a 2FA token is not a panacea that allows you to not use a good password. This is precisely what happens in environments with a large number of devices where a few resource-starved engineers are tasked with remembering passwords with no password management.

Typing in “12345678” for the password followed by the generated token eliminates the effectiveness of the 2FA token. I have seen worse.

What do I suggest? Use a password manager so that the passwords can indeed be long and complex and the administrators are not tasked with remembering them. Also use a token / other form of 2FA for extra protection. Do not task someone with remembering a large number of complex, distinct passwords, or they will all end up being the same or being easy to guess.

Also see my previous posts: Passwords ain’t nothing but trouble and Lessons from Target on password complexity

Lessons from Target on password complexity

US retailer Target was infamously hacked in 2013, causing the credit card records of tens of millions of customers to be stolen. Target had its systems assessed and came up with some findings which Brian Krebs has just made public. While there are many lessons in this, I want to focus on one item: the passwords.

The Verizon security team was able to crack a large number of Target’s passwords in a week. Observe that most of the listed top 10 passwords were at least 8 characters long, had small letters, capitals, numbers and a special character. Despite the credentials adhering to the password policy, the passwords were successfully cracked.

The lesson: password complexity rules may be outdated. It is quite possible to stick with the letter of the compliance requirement and be quite insecure. Consider using password managers with really long passwords and multi-factor authentication systems. Meanwhile we should look into technologies that move beyond passwords for authentication.

Also see my previous post: Passwords ain’t nothing but trouble

Passwords ain’t nothing but trouble

You may be familiar with the standard script that your IT gives you about password complexity: it must have 8 characters or more, at least one small letter, one capital, one numeric character and one special. If you are in IT, you may have even seen the Dilbert strip above and felt it hit home.

What’s with these requirements? It is the length and complexity of a password that determine how a hacker with very little information about the user can crack the password. The methods are various: For a password with just 6 characters, a “brute-force” attempt can be made using all possible combinations of six characters to match a piece of encrypted text that is known to contain one’s password. If it is longer, “dictionary attacks” are made against known common passwords or actual words as brute force rapidly loses effectiveness. So “Pa$$w0rd” is a bad password, despite it having all the requirements stated in the first line.
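The gap between the complexity rule and actual guessability, which is the point here and in the Target post, can be shown with a small check that could run at password-change time. This is an added example, not code from the original post: the tiny word list, the substitution table and the function names are assumptions made for illustration, and a real deployment would use a large list of known-compromised passwords.

```python
"""Added example: a complexity policy accepts what a denylist check rejects."""
import re

# Constructed, deliberately tiny list of common base words (assumption).
COMMON_BASE_WORDS = {"password", "welcome", "summer", "qwerty", "letmein"}

# Common character substitutions, undone before the word-list lookup.
LEET = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "@": "a", "7": "t", "!": "i"})


def meets_complexity_policy(pw):
    """The rule from the text: 8+ chars, lower, upper, digit and special."""
    return all([
        len(pw) >= 8,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


def _trim(s):
    """Drop leading and trailing characters that are not letters."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def base_candidates(pw):
    """Reduce a password to the plain words it was probably built from."""
    lowered = pw.lower()
    return {
        _trim(lowered).translate(LEET),   # 'Summer2016!' -> 'summer'
        _trim(lowered.translate(LEET)),   # 'Pa$$w0rd'    -> 'password'
    }


def is_guessable(pw):
    """True when the password is a common word with decoration."""
    return any(c in COMMON_BASE_WORDS for c in base_candidates(pw))


def assess(pw):
    return {"policy_ok": meets_complexity_policy(pw),
            "guessable": is_guessable(pw)}


if __name__ == "__main__":
    # Constructed test passwords.
    for pw in ["Pa$$w0rd", "Summer2016!", "plinth-ochre-vacuum-tangle-91"]:
        print(pw, assess(pw))
```

The first two constructed passwords satisfy every complexity rule and are still flagged, while the long passphrase is rejected by the policy only because it lacks a capital letter.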

The problem here is that the more complex and long the password becomes, the harder it is for the user to remember. This results in the worst problem of all: The password gets written down.

I have come across many posts over the years trying to cover this topic. I recall someone recommending passphrases on the basis that length and not complexity was key to making a password unhackable. Then there is this:

And yet we have missed something crucial. All of the discussion so far was about one password. I now have more than one hundred passwords, about twenty of which I use on a weekly basis. None of these methods are even slightly usable if we have to remember such a large number of passwords.

If we try to memorise, we need to find some patterns with slight variations. If we do lose a couple of these patterns, a person who is interested in getting your information may figure out the pattern. There are some sites that we use that may store passwords very poorly, sometimes even in clear text.

I mostly gave up on memorisation a few months ago and started using a password manager. This comes with its own set of problems. If, for some reason, the password manager is unavailable when one needs to log in, login may be impossible. If someone malicious (or merely mischievous) should get access to one’s unlocked password manager, one can get locked out of all one’s accounts. If the password manager is installed locally on one device, you still need some means of remembering passwords when using other devices. If it stores information that is accessible over the internet it can be used from many devices, but may be more vulnerable to attack.

What can we do? There are people working on that very question. Biometrics is one possibility for the future. We now have mobile phones that unlock upon fingerprint and finger swipe identification and office doors that open using retinal scans. If these technologies gain wide commercial acceptance in various products that we use, they may one day allow us to log in to websites and applications as well. People have currently proven many of these technologies to be theoretically hackable, but the products will keep improving.

Plenty of smart cards are brought out all the time, but they tend to have one flaw: they can easily be lost / stolen. Technologies are now coming up that require the smart card in addition to a biometric or a simple memorisation option. For the sake of our security and convenience, I hope that passwords get replaced by something better in the next decade or two.

This essay was originally posted at my LinkedIn page: https://www.linkedin.com/pulse/passwords-aint-nothing-trouble-vijay-luiz