Showing posts with label RSA. Show all posts

Friday, February 24, 2012

See You At RSA 2012!

Just a quick note to my readers: see you at RSA 2012 next week. I am around Monday-Thursday and even though most of my time is booked, you can probably find me near the press room at odd hours.


Monday, March 14, 2011

SecurityBSides San Francisco at RSA 2011 Presentation

My account of RSA 2011 cannot be complete without – yes! – SecurityBSides San Francisco. I was holding this post hoping to include links to videos, but – despite the power of Google – I was not able to figure out where AND whether the videos are posted. So, you have to enjoy my new fun SIEM presentation (below) without my voice and an image of me pointing at the sky :-)

Enjoy!


Thursday, March 03, 2011

RSA 2011 PCI Council Interview

Just like last year, I did this great interview with Bob Russo, the GM of the PCI Council. There is no audio recording; what follows below are my notes, reviewed by the Council. Italic emphasis is added by me for additional clarity.

Q1. PCI DSS 2.0 is out. What do you think its impact is, so far?
A:
We are just entering the implementation phase, but it seems like there is no major impact yet, it is definitely too early to say what the impact would be.
Using data discovery – merchants looking to confirm that PAN data does not exist outside of the defined PCI DSS scope – seems to be becoming more prominent, and this seems to be a direct result of PCI DSS 2.0. Accidental exposure of cardholder data is a known risk. Identifying where the data truly resides first, through a tool or a methodology, should aid organizations in their assessment efforts and ongoing security.
By the way, despite moving to the longer three-year process, we can still update the standard in between via the errata mechanism [described here – added by A.C.] or using additional guidance produced by the Council and SIGs. For example, if there is a new threat, we can issue additional guidance on how to deal with it within the framework of PCI DSS.
Q2. QSA assessment quality is said to be improving due to QSA QA. On the other hand, reports of many SAQs being “inaccurate” are fairly widespread. Is anything being done to improve SAQ quality at Level2 and smaller merchants?
A:
Well, some merchants do “answer Yes to every question” – is that what you mean by inaccurate?! We see education as the answer to this. For example, there are plans for making the SAQ easier to fill in – think about a TurboTax-type model for the SAQ – a wizard process for answering the pertinent SAQ questions and for presenting the right questions to the merchant in a logical order.
Education efforts can help a merchant understand that honest and accurate SAQ are for “their protection.” Everyone needs to include security in their daily process. The Council will seek to help by providing additional guidance on how to become more secure, comply with the Standards and how to validate that compliance. Some of this is being addressed with the new general Awareness Training we have launched, offering a high level overview of what PCI is and the role that every employee plays in keeping card holder data secure.
Q3. While we are on the SAQ theme, can anything be done to have more merchants stay compliant, not just get validated every year and then forget about PCI DSS until the next validation?
A:
Definitely, more education is needed and we are trying to fill that vacuum, like with the Awareness Trainings we have rolled out. For example, educating merchants that PCI DSS is about data security – not checkbox compliance - is a big focus. Merchants also need to be reminded that they need to get secure and compliant and stay secure and compliant. It requires ongoing vigilance. Unfortunately, some merchants think that “PCI DSS is about a questionnaire and a scan” and this mentality needs to be addressed by educating merchants about data security.
Q4. Visa new EMV rules might make merchants in Europe and Asia care even less about payment data security. What do you think the impact of the new rules will be on PCI?
A:
It is too early to tell at this stage as the rules were announced last week [first week of February 2011 – A.C.]. In essence though, this is a compliance or reporting issue. Nothing has changed for the Council or the standards. PCI DSS still remains the foundation for card security for all payment brands. Ecommerce merchants in those regions still must adhere to the PCI DSS even with the new rules. In essence, the new rules imply that the merchants do not need to continue to validate compliance; however, we understand that the merchants still have to become and stay compliant, and have proof of that even before considering this program by that brand.
As far as we know, acquirers still plan to get their merchants compliant and validated, so “nothing has changed” for them in the new VISA program. Also, according to public information on the new program, acquirers can still be fined for non-compliance under the new rules as well. This should continue to lead them to get their merchants PCI compliant to reduce the risk of the acquiring bank.
It’s early to tell what merchants think and how they will react to this at this time.
Q5. Will PCI DSS ever move away from the model where the merchants are either compliant with the entire PCI or they are not? Isn’t it better if 100% of merchants implement 10 critical controls vs 10% of all merchants implement 100% of controls?
A:
We are continuing to look at ways for merchants and others in the payment chain to reduce and minimize their card data environment. Some technologies can help, but only if done right. That is why we are putting so much effort in really scrutinizing these technologies to ensure that they are indeed effective, and under circumstances.
For those just starting their compliance journey, use of the PCI milestones and Prioritized Approach [see here – A.C.] will also increase in the future. For example, in the new standards we suggest a risk-based approach to compliance programs. Mitigate the biggest risks first and you are doing yourself a great favor and moving that much closer to compliance. One example of this is the update to requirement 6.2 that allows vulnerabilities to be ranked and prioritized according to risk. You will hear more from the Council about this in 2011.
Q6. Some QSAs (and merchants) still complain that “QSAs are subjective.” Will there be more prescriptive assessment procedures?
A:
Compliance cannot be absolute and completely objective since merchant environments differ greatly. For example, look at compensating controls – they are an example of flexibility in working with the Standards.
If we get more rigid, and do not include flexibility within the Standard for compensating controls, more people will believe that PCI DSS is forcing them to do things “our way.” We think the current standard is at or close to a balance in this regard, allowing security and flexibility to protect card data within everyone’s own unique environment. People should feel free to ask the PCI Council if there is any doubt about a particular QSA decision.
The Council also receives details on QSA performance, outside of just merchants. We keep a close watch on this to ensure a consistent level of QSA performance. Also, merchants are not the only ones who can report bad QSAs to the Council. [I suspect, although I am not sure, that they are talking about other QSAs here – A.C.]
In addition, we hope that more organizations will take advantage of our Internal Security Assessor program to help their internal employees better understand the process of an external assessment and how to maintain a strong security program between assessments.
Q7. Does the Council plan to “certify” any other security technologies, like you do for ASV vulnerability scanning?
A:
We do not currently have plans to do so. More guidance will likely be released on using technologies to help with PCI DSS compliance and data security. There are no plans to certify other security technologies in a manner similar to vulnerability scanning and ASVs.
Many technologies, such as possibly logging and log review, may get additional guidance in the future. While DSS 2.0 added a sub-requirement for payment applications to support centralized logging [PA-DSS Requirement 4.4 – A.C.], it is a known area where many merchants are struggling and additional guidance could go a long way.
Q8. There is definitely a need for more scoping guidance, especially for complex environments, involving virtualization, cloud providers, 3rd party partners, etc. When will scoping SIG guidance be released?
A:
PCI DSS 2.0 does recommend using data discovery for better scoping. We’ve reinforced that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of cardholder data environment. Merchants should not be guessing at what the scope is, but completely and objectively determine that scope. Simple scoping guidance is a challenge. It is difficult to create a single set of parameters that one can undertake to determine the scope of PCI applicability across a complex environment. It is an inherently complicated task.
However, we hope to provide some additional guidance on this process soon, perhaps, a few steps at a time to begin to help merchants better understand this process.
Enjoy!

Wednesday, March 02, 2011

RSA 2011 Conference Notes

Here is my account of RSA 2011 conference – with all its awesomeness! I LOVE RSA and I always say that if you can only attend one security event a year – make it RSA. Now, it takes some [admittedly, small] effort to get value out of your RSA experience: the conference is not about the keynotes and not really about [way too many] tracks of presentations. It is about our industry gathering – pretty much the entire security industry as it exists in 2011! For security training you go to SANS, for latest attacks – to BlackHat/DEFCON (or, increasingly, to smaller conferences),  but for getting a sense of the entire security industry … SECURITY BUSINESS, if I may… you MUST go to RSA.

I spent my first RSA2011 day – Monday (aka The Valentine’s Day) at Metricon. This year Metricon – and I admit to only attending about 2/3 of the day – just disappointed. This is the second year I am sacrificing all sorts of fun RSA-related events – CSA, AGC, etc – for security metrics and I promise I won’t do it again. Metricon this year was a shoutfest, not a conversation, about metrics. Yes, there was awesomeness there, for sure: the Verizon crew showed their early results from Veris community incident data collection (“Baker, Wade and Alex Hutton - Veris Data/Veris Community”). I loved the presentation on log analysis of DNS server data (“Fruhwirth, Proschinger, Lendl, Savola - Name Server Log Data”) which did show a few new log tricks. Then a guy from Finnish CERT talked about automated incident reporting. Chris Eng on “Critical Consumption of Infosec Stats” was fun to watch as well, although it did turn loud a few times… A few other presentations turned into a mess, and I won’t go into details – it was painful enough being there.
RSA proper started for me on Tuesday, since – yes, I know, it is unbelievable – I spent Monday evening celebrating Valentine’s Day instead. But before, there was one awesomeness-induced day at SecurityBSides San Francisco, where I presented on SIEM (to be covered in a separate blog post).

So, apart from current and future client meetings (these always “taste better” at RSA somehow :-)), I had a chance to spend some time in the RSA Vendor Exhibition on Tuesday. Usually I allocate 5-6 hours to walk the vendor hall, talk to people (old and new) and figure out what’s up – and who’s down (=HBGary, obviously, this year). What did I see?
  • Since I expected the cloud to be a huge oppressive presence, I was not surprised. In fact, I was surprised that some booths did NOT have cloud written all over them. Cloud, BTW, is not just “a security trend of the day” ! It is part of a massive “trifecta of security evil”- Virtualization + Cloud + Mobile – which will absolutely change the way we do information security in the next 3-5 years and possibly longer.
  • BTW, I learned a new definition of “virtualization security” at RSA: “a belief that your virtual infrastructure is as secure as your physical infrastructure”…. aka "secured by faith" 
  • The third leg of the trifecta – mobile – was not visible at all. I am not talking about the silly “mobile anti-virus” stuff, but about security solutions focused on mobile security problems (no, viruses are not one of them!). After RSA, somebody introduced me to Nukona which will serve here as an example of mobile security solutions focused on mobile security problems (no, I am not on their advisory board :-))
  • I didn’t see enough application security, even counting all incarnations. Obviously, application security plays a leading role in security of the above “trifecta of security evil”, but somehow I have not noticed enough new approaches to appsec. I did notice a bit more whitelisting, I guess, and this approach definitely deserves to finally go into the mainstream.
  • Funnily, I noticed some sad loser vendors with big booths. What’s up, dudes? Have you blown your entire 2011 marketing budget on that RSA booth and now somebody will surely acquire you?
  • Maybe it is just me, but I have never noticed Asian companies at RSA before – this year there were a few. Is this a new trend?
  • It was also interesting to see a theme of “we unify security and compliance” (as if compliance ever existed on its own ..well…it kinda did, unfortunately). What’s going on here is vendors sold a lot of gear for compliance and now need to “sell” the worldview that all that gear is useful for security – what a shocker!
  • I also noticed a lot of network traffic and flow analysis, but absolutely no DLP. Has DLP fallen into that pig trough of disillusionment?
  • Yes, booth babes are mostly gone (except for the NSA booth, but that is totally different). However, it seems like booth monkeys are in: I had an unfortunate experience of talking with people at booths who had a very, very vague idea about security, despite having lofty titles like “VP of Marketing.” If you show up at RSA, please do your homework!
  • And sorry for a mildly idiotic final point, but why don’t we use email encryption in 2011? There was not even one vendor with a new and creative email encryption scheme. Even without painful HBGary reminder, it seems clear that organizations treat email as sensitive protected data. How dumb is that? Please remember the old saying: unless you encrypt, email is a postcard…
On Wednesday, apart from more meetings, I did another interview with PCI Council’s Bob Russo (to be published under separate cover).

The rest of Wednesday was spent in fun meetings with potential clients (and a quick trip to Palo Alto …don’t ask :-)). Thursday was spent advancing the CEE log standard and even – surprise! – attending a few RSA sessions.

Fridays at RSA are always fun – not too many people at the sessions. I spent my morning at the BUS-402 “analyst roundtable” session with KuppingerCole, Gartner and Forrester, moderated by Asheem Chandna from Greylock VC firm. Most “analyst takeaways” from RSA 2011 were pretty much about cloud and mobility. I’ve heard a fun opinion on IT consumerization: if you deal with the security of employee devices by banning them, you will automatically make your organization unattractive to the best employees – thus increasing, not reducing, your business risk (not sure how true it is, really). Also, I didn’t realize that virtualization platform vendors abandon security; this was strangely stated as a fact by the analysts.

Finally, I went to President Clinton’s keynote. After tolerating the ever-so-annoying Hugh Thompson, we got the full “Clinton experience” for more than an hour. The Clinton keynote was great – unexpectedly so. He mentioned the Tea Party three times as often as he mentioned Obama (in the form of “Obamacare”), and spoke of how he is “socially progressive / fiscally conservative” (which is pretty awesome, IMHO). I am still shocked that I’d appreciate a politician’s speech at a security conference that much. He was more specific and fact-based than a few other keynoters at RSA2011… If the video of his keynote surfaces (maybe), do listen, just for fun.

Other fun RSA2011 accounts are tagged here: http://www.delicious.com/anton18/RSA+2011. A few fun examples are “Change we can believe in?”, “RSA 2011: In Summary”, “RSA 2011: What’s My Theme?”



Monday, November 01, 2010

CFP for RSA 2011 Metricon 5.5 Event: Be There!

“Mini-MetriCon 5.5 (organized by securitymetrics.org, loosely defined :-)) is intended as a forum for lively discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards specific approaches that demonstrate the value of security metrics with respect to a security-related goal. Topics and presentations will be selected for their potential to stimulate discussion in the workshop.
Mini-MetriCon will be a one-day event, Monday, February 14, 2010, co-located with the RSA Conference, the meeting room is a courtesy of RSA.
Mini-Metricon begins at 8:30am, and lunch is taken in the meeting room.
Attendance will be by invitation and limited in size.
All participants are expected to be willing to address the group in some fashion. Potential Mini-Metricon participants are expected to submit a discussion topic. Abstracts of papers, research projects, or practitioner presentations are encouraged and may result in a session allocation devoted to the submission topic. We also welcome ideas for 5-to-10-minute lightning talks on topics such as security-related data sets or key problems and challenges in security metrics. Collections of these talks are expected to result in group discussion on the submitter's topic of interest.
Submissions should be sent to  metricon5.5@securitymetrics.org  by November 12, 2010.”
Remember, the ONLY way to be there is to propose a discussion topic! There is no non-participating audience, as per the event charter :-)
P.S. Last year I had to pass on both the Cloud Security Alliance meet-up and some VC meetings in order to be at the Metricon – and I didn’t regret it one bit. As you can guess, I can recognize deep awesomeness when I see it :-)



Wednesday, March 31, 2010

Fun Reading on Security and Compliance #24

Here is an issue #24 of my “Fun Reading on Security and Compliance,” dated March 31, 2010 (read past ones here). You can judge that my “2blog” folder has been kinda full, since I was too busy working on a few fun consulting projects.
This edition is dedicated to RSA conference – an unending source of awesomeness!
Main section:
  1. First, a great read from Dave Shackleford, “A Glimpse Into the Security Mindset,” which reminds us: “Security people have a challenge that is 100% unique to their discipline [within IT – A.C.]: we have adversaries.” While there, also read his “5 Reasons Your Security Program is a Failure” (quote: “if you don’t have daily SOPs around your monitoring tools and capabilities, you will end up with shelfware, and that just sucks”). But if you’re really into sucking, check Lenny’s “How to Suck at Information Security.”
  2. The Gartner blog has the hilarious “Worst and Best Security Sales Practices” (first). Example: “saying your product is in market X, since X is currently cool”
  3. Josh Corman, Jeff Williams (of OWASP fame) and David Rice (of “Geekonomics” fame) launch “RUGGED software” manifesto: “Software that endures against the environmental forces arrayed against it in cyberspace.” The manifesto is here at its brand new site. 
  4. Sad hilarity reigns supreme here in the comments at “Thor vs Clown” from TaoSecurity. Example: “P(Compromise) = P(C.SMS) x P(C.PIN)”
Logging, log management section and SIEM section:
  1. “Using Logs To Reduce Response Gap”: “Unfortunately, auditing and never really using logs for anything except for records retention can cause organizations to treat them as merely objects to move around and not necessarily utilize for any action.”
  2. Prism Microsystems continues its epic mega-saga of “100 Log Management Uses” here at “#27 Printer logs.” While there, also please read “Sustainable vs. situational values” by Ananth that has this great quote: “I am often asked that if Log Management is so important to the modern IT department, then how come more than 80% of the market that “should” have adopted it has not done so?”
  3. Something made the Team Securosis think about correlation – and even argue between themselves: “Network Security Fundamentals: Correlation” (quote: “Most security professionals have tried and failed to get sufficient value from correlation relative to the cost, complexity, and effort involved in deploying the technology.”) and “Counterpoint: Correlation Is Useful, but Threat Assessment Is Fundamental” – then Rocky comments on the whole thing [BTW, I have no idea why they think correlation is about NETWORK security…]
  4. BTW, fun correlation discussion is also ongoing at one of the SANS blogs: “IT Audit: Correlating Logs and Event Logs.” It looks like David Hoelzer might bring his DAD correlation project back to life…
  5. A fairly intelligent piece on logging (“Best Practices For Windows Log Monitoring”) has this great quote: “Not monitoring your Windows logs is like setting up a security camera and putting an exit sign in front of it.”
  6. Lenny has “Establishing a Practical Routine for Reviewing Security Logs:” “A practical routine for reviewing security logs is regularly scheduled, partially automated, alternated among team members, and linked to problem resolution.” Our joint project, "Critical Log Review Checklist for Security Incidents" definitely helps with that.
  7. I mean, come on, even McAfee suddenly started talking about logs (something they’ve been ignoring forever). Eric Cole talks about logs in the context of SANS CAG/CSC in “Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs.” He says: “Unmanaged Logs Hurt” and reminds that “Sometimes logging records are the only evidence of a successful attack.” Sadly, at the end he hints that you should be using ePO as a SIEM… gasp.
Vendor section [now that I am not employed by the vendor I can call vendors names, etc :-)]:
  1. Finally, one SIEM vendor realized that  analyzing firewall rules together with vulnerability data should not be left to the dedicated vendors [I always thought that fw rules + vuln scans analysis is waaay too narrow to launch a company on; SIEM should have ‘owned’ that a long time ago] and launched a new product that looks at events, flows, rules and vulnerability scans. Good idea!
  2. And one log management vendor realized that “Reviewing logs everyday is a pain, we just made it easier.”
  3. AlienVault, OSSIM commercial home, has released OSSIM 2.2. This deck has the highlights. As I am using the system now, it looks more impressive than ever. Seriously!
Enjoy!

Wednesday, March 17, 2010

RSA 2010 – Day 4-5

The final RSA 2010 post covers the last two days: Day 4-5.
As during the previous days, I had quite a few fun meetings with people that will hopefully translate into more business for Security Warrior Consulting.


One of the days, Branden and I did our PCI book signing (picture). First, we were shocked to learn that the book actually sold out (!) at RSA bookstore and the publisher had to rush another batch in (which actually almost sold out as well by the end of the show…)

On Friday, I went to a really interesting presentation called “Got DLP. Now What?” Some guy from Forsythe delivered a VERY well-thought-through presentation on what to do after you got that DLP box. Basically, stuff on DLP program, process, even how to think about DLP (“not for malicious attacks”, “not for malicious data theft”), etc.
Just as SIEM, DLP most often fails for political and cultural reasons, not because the technology is somehow inadequate.  His range of common DLP mistakes went all the way down to “we don’t know whether we have anything sensitive, but we think DLP will protect us” (yeah right!)
I also loved that he focused on building incident response procedures first after buying DLP (and, better, even before!). Indeed, response plan is needed first (SIEM is the same – what happens when that correlation rule triggers?). He also reminded that DLP will likely require full-time employees (or staff augmentation by a skilled consultant) to operate it.
He also said that the “just run DLP and then chase alerts” approach never works. Thousands of alerts – the IDS syndrome – will kill it. Starting from a detailed DLP policy is the only way (surprise! :-)); an AUP or general security policy won’t do.
Another thing I loved is the dilemma of “classify first OR discover first.”  Just as I suspected, in a perfect world , “classify first” works – just not in this one (see Rich explain it here). “Discover scan first then create policy/classification” is more useful.
Similarly, “monitor first then slowly add prevention” is the only way to successful implementation. Overall, this presentation proved to me that RSA conference is not just about business development, chasing VCs and partying :-)

Finally, the juiciest bit: The Vendor Hall.


First, the meta-observation. Security industry is baaaack!  RSA 2010 felt more like super-glam RSA 2007 than like the meager RSA 2008. Economy in crisis? Not in this sector, baby! New vendors, old vendors, large vendors, small vendors – everybody is back in business [in fact, even some folks who shouldn’t be… you, triple-dead-zombies, you :-)]
Second, I noticed a lot of new security vendors with REEEEEEEEEEEEEEEALLY bad marketing, all the way down to this [BTW, somebody mentioned that the vendor in question has pretty useful and novel technology, it’s just their marketing is a bit … ya know… dumb].  BTW, “bad” here is defined as actually ineffective, not “overly deceptive” (e.g. compliance appliance) or “somehow offensive” (e.g. utilizes boobs and, especially, augmented ones).
Yes, there was even an obligatory village idiot with “we sell SOC-in-a-box” message. As well as “<our name>= Security” (while everybody knows that their name merely stands for PCI DSS compliance). And don’t even get me started on APT marketing – Rich said it best here.
Sometimes I felt like all vendors are divided into those who know what they are doing and how to market it; those who know what they are doing, but not how to market it; those who don’t know what they are doing, but have great skills in how to market it; and, finally, those who don’t know what they are doing and have no idea how to market it (sad).
Third, it was funny when I’d approach a booth of Log Management Vendor X and everybody (including people I don’t personally know) will say “Hi Anton.” Then I approach Log Management Vendor Y and ask them a question, while wearing my name tag, and they will say “come talk to this press guy over here” (!) and then they will start explaining to me what a columnar database is :-) This was indeed hilarious! BTW, there were plenty of log management and SIEM vendors [some would say too many] and most if not all of them looked pretty optimistic.
Fourth, I have not picked anything that smelled like a new technology trend. It looked like most security subspaces (well, maybe not NAC…) are experiencing a major reemergence. The only thing that jumped at me (not sure why) was a large number of authentication and “access control” (loosely defined) vendors. Cloud stuff – even if in name only! – is even louder than in 2009 (substance is a bit hard to find, of course). You can try to do a quick divination on “Securosis Guide to RSA” [PDF], but I suspect all trends have been mined from there already :-)
Here are some more fun RSA 2010 (and BSides) notes from other folks (in no particular order):
  • Martin McKeay on our compliance panel
  • Rocky DeStefano on BSides and RSA
  • Securosis team on RSA (those guys also notice amazing spurt of optimism!); read this one about APT as well (quote: “astounded at the outlandish displays of idiocy and outright deception among pundits and the vendor community”)
  • More RSA 2010 and SecurityBSides impressions are here, here, here (from RSnake) etc.
  • And of course, #rsac Twitter hash tag, if you’d like to be overwhelmed.
So, I am really looking forward to RSA 2011 :-)

Tuesday, March 16, 2010

RSA 2010 – Day 2-3

Continuing my much delayed coverage of RSA 2010, this is my summary of Days 2-3.

Day 2 was all meetings and getting new business for Security Warrior Consulting, so nothing to write about (yet). By far the most fun part was a long discussion with Rocky DeStefano, that went all the way back to 2003 when we faced each other through the gun ports of the warring battleships… eh... competing SIEM vendors [his side eventually won :-)]

Day 3 started with attending an 8AM session by Bob Russo. Now, think about it!

RSA conference + Wednesday (day after heavy party Tuesday) + PCI DSS + 8AM (!) = empty room?

I honestly thought I’d be the only one who wouldn’t want to miss Bob Russo (session GRC-201). Ha-ha-ha, poor naive Anton :-) I came at 7:55AM – and there was barely a place to sit in a HUGE room. Bob didn’t say that much new, but he heavily focused on educating the merchants to focus on security, not checklists and “teaching to the test” [=PCI assessment]. See my RSA interview with the PCI Council  for more PCI DSS updates.

After the panel, I spent some time wandering the vendor hall – one of my favorite things to do at RSA; coverage of this will be presented in the next post since I am still sleeping on some of the trends that I think I’ve noticed.

Later in the day, I jumped to SecurityBSides where our compliance panel “The Great Compliance Debate: No Child Left Behind or The Polio Vaccine” was about to be held. This time we also had a QSA , a large service provider CSO and the usual suspects: Josh “PCI is the Devil” Corman and Jack Daniel, our illustrious moderator.  The panel went well and was a much better experience overall than our similar ShmooCon panel (notes, video [FLV]): more structure, more useful discussion and just enough anger to keep it fun :-)  To me the most jarring part was a comment by an esteemed audience member (sadly, she is not seen on the video) that implementing PCI DSS controls is COMPLETELY out of alignment of what she needs to do based on her understanding of risk at a mid-size service provider. Hopefully, she clarifies it on her blog soon :-) So, watch the video: part 1 and then part 2. Also, read some more notes here.

Enjoy! One more RSA 2010 post to come: Days 4-5.


Monday, March 15, 2010

RSA 2010 – Day 1 Metricon

Let me start my [much delayed] coverage of RSA 2010 conference with the awesomeness of Metricon 4.5 (technically, a Mini-Metricon 4.5 :-)) where I spent my first RSA day (sacrificing the Cloud Security Alliance meeting that was reported to be packed).

Here is an agenda for the meeting with my comments:

08:45 - 10:05: Morning Session I - Chair: Jeremy Epstein

  • Qualitative Tuning as Preparation for Quantitative Methods, Pete Lindstrom

This was one of the most fun presentations, focusing on expert opinion vs. fact/metric in security. Pete showed an interesting approach for assessing the opinions in order to come up with something that looks more like fact.

  • Metrics for insights on the state of application security, Ashish Larivee

This was an interesting presentation of Veracode research based on binary analysis (paper, some highlights). A few things actually blew me away at first, but, upon further consideration, started to look perfectly logical. For example, the software industry is worse at developing secure software than the financial services industry. It can be explained by the fact that FS folks develop only mission-critical software, though. Still, this seems to prove that in some areas “if you want it done well, do it yourself and do NOT trust the professionals to do it” :-) In fact, commercial software overall fared worse [vulnerability-wise] than internally developed AND outsourced software. It also had the longest remediation cycle, while open source had the shortest (for methodology details see their full report).

10:20 - 11:40: Morning Session II - Chair: Joe Magee

  • Translating the Narrative into Metrics: The Verizon Incident Sharing Framework, Alex Hutton and Wade Baker

Verizon VerIS was released via this presentation (release, exec summary, document [PDF]). VerIS “translates the incident narrative (the attacker did this, then that, then the other thing) into a data set” and thus allows the creation of such awesomeness as DBIR.

  • Ontologies for Modeling Enterprise Level Security Metrics, Anoop Singhal

This presentation was a bit of a cruel joke. It carried the unfortunate signs of being done by somebody who never ventured into the real world of security (for example, a single-number “asset value”, “risk = damageValue”, “security measures that reduce the frequency of attacks”, etc, etc, etc). And, what was even more embarrassing, it came right after the stellar presentation by the Verizon team; I think I saw the grimaces on their faces :-) And every time the NIST speaker mentioned “this was done on tax payer dime” or uttered the word “ontology”, I wanted to just reach for a ShmooBall. To make his material even more insulting, he was also a bad presenter. Yuck!

13:10 - 14:40: Afternoon Session I - Chair: Caroline Wong

  • Improving CVSS-based vulnerability prioritization with business context information, Christian Fruhwirth

This was a curious little preso that can basically be summarized in one phrase: “using CVSS as it was intended by the original team – with Environmental scores – is valuable.” There was one “cringe moment” though, when the speaker expected a normal distribution of vulnerability CVSS scores (pray tell me, why would medium-severity vulnerabilities be more likely than low-severity ones?)

  • Security Metrics Field Research, Ramon Krikken

This presentation by a Burton …eh... Gartner… analyst Ramon Krikken was hugely insightful. They did some metrics research among their clients and came up with some surprising conclusions that show metrics programs largely in the Stone Age (in fact, what was before the Stone Age? Ah, yes, the Sharpened Stick Age! Then maybe the metrics are in that age…). Here are some of the themes, but get the presentation materials when they are posted – very worthwhile. As expected, “compliance metrics are easy; security metrics are hard”, “assessments and audits matter”, “need to map to ” and “ONLY prevention of ‘business being stopped’ matters at many companies.” The research showed no focus on improvements, no peer benchmarking, etc. Regarding tools, MS Excel was by far the #1, with RSA/Archer and SIEM mentioned a couple of times.

15:10 - 16:30: Afternoon Session II - Chair: Ray Kaplan

  • Metrics for Cloud Security, Lynn Terwoerds, Caroline Wong, Betsy Nichols

This panel announced that CSA is starting a cloud security metrics effort, which was in a VERY early stage. No material has been created yet.

  • Identifying critical information security areas with a Threat Agent Risk Assessment, Matthew Rosenquist

I read the TARA paper back when it came out, but this presentation (and the discussion) was still VERY interesting. The main idea is that a vulnerability- or asset-focused approach makes no sense since there are way too many vulnerabilities (the presenter’s example was “data center is vulnerable to a meteor strike”) and thus the way to go is to focus on threat agents that are motivated to cause damage and that can realistically do so. The logic thus becomes: threat agent –> vulnerability –> control –> what remains is the risk that needs to be dealt with somehow. But read the paper instead of this, Intel folks explain it much better :-)

 

So, as I said, Metricon was the most thought-provoking part of RSA for me! And I am not even mentioning the level of hallway discussions there…

Friday, March 12, 2010

RSA 2010 EXCLUSIVE PCI Security Standards Council Interview

At RSA 2010, I was given a unique opportunity to interview Bob Russo (GM at PCI SSC) and Troy Leach (CTO at PCI SSC). I had prepared a deck of very tough questions and then had an hour-long discussion with Bob and Troy around those questions. What follows is the interview reconstruction from my notes with minimal edits and clarifications by the Council folks.

Anton Introduction:  I think PCI DSS is the most valuable thing to hit the security industry since its inception – both as a driving force for security improvements and as a source of security guidance. However, there are skeptics among merchants (too much security) and some security professionals (too little security). Some of my questions below focus on dispelling the misconceptions such skeptics might hold.
Anton Question 1: What, in your opinion, is the main value of PCI DSS – to the community at large? Merchants? Banks? Brands?
Bob and Troy @ PCI Council answer:
You have answered this question yourself above: it is security. Motivation for payment security improvements is the value of PCI. For some companies it is also a springboard for additional security improvements needed for their businesses. This benefits everybody!
PCI value can also be rephrased as demonstrating trust across organizational boundaries. As we know, payment security has many sides and PCI compliance is one way of demonstrating trust across organizational boundaries.

Anton Question 2: Way too many companies seem to focus on compliance and not on security. What is the best way to prevent “teaching to the test” for PCI DSS compliance?
Bob and Troy @ PCI Council answer:
Too many companies focus on studying for the test. We believe the PCI Standards provide a solid foundation for a security strategy to look after payment and other types of data, but security does not start and end with compliance with standards.
Education is very important and that is why the PCI Council will focus even more on educating the merchants and changing their mindset from one of compliance to security. Their old way of doing business – retaining card data, for example – was viable one day, but not today. One of the steps we see is increased outsourcing of payment processing to trusted providers.

Anton Question 3: Some people say that “the brands must just change the system” since Level 4 merchants [=typically smaller merchants] can never be educated and thus can never be secured. What do you say to this?
Bob and Troy @ PCI Council answer:
It’ll happen eventually, but it is obviously not so easy. We’re talking 5 to 10 years here. The payment system is diverse and incredibly complex. Any drastic changes will probably be more costly and disrupt merchants’ business even more than PCI DSS ever could, so they have to happen gradually. The PCI Council’s mandate is to get as much done to improve payment security as possible - within the existing system. Security has to become part of every business that deals with card data.

Anton Question 4: There are many debates about PCI DSS in security industry, among merchants, etc. How can the impact of PCI DSS payment security be measured? Who might have the data to do it?
Bob and Troy @ PCI Council answer:
Security breach statistics demonstrating a root cause that can be mapped to PCI DSS requirements is one such possible way to prove the value of PCI. For example, if the company did not take any measures to protect against SQL injection and got breached through that, they need to pay more attention to Requirement 6.6.
On the other hand, trying to analyze what the non-breached companies are doing right with PCI is harder since you don’t hear about the myriad of success stories of companies that are defending against breaches through following DSS or have minimized card data compromise in breach situations through strong logging and monitoring, mandated by PCI.
PCI DSS prescribes logging and monitoring, which help detect data loss. Unfortunately some recent incidents had breach evidence present in logs, but since logs were not reviewed until the breach became public (contrary to PCI DSS requirements) this was not utilized for detecting the breach.
More education efforts are needed to explain to merchants that PCI is not only about breach prevention, but also about detection of intrusions and security monitoring. Thus, judging its value only on breach prevention is shortsighted.
Enhanced information sharing will drive more improvements here.

Anton Question 5: What is your opinion of mandating the discovery of stored card data and especially track and other prohibited data? This technology was not high on the list in PWC report.
Bob and Troy @ PCI Council answer:
Many QSAs already use data discovery tools today. Since PCI scope covers systems where card data is present, payment card data discovery should be part of scope validation. “Forgotten” credit card data dumps were indeed present in some recent breaches stories.
Methods of such discovery can vary – using an automated tool is one of the options, but such tools are still not mature.

Anton Question 6: Do you think that there should be tiered security requirements for small and large organizations (that go beyond today’s SAQ validation levels)? For example, daily log review seems onerous to many merchants.
Bob and Troy @ PCI Council answer:
You cannot dumb security down below a certain level. More education efforts will be needed to explain to merchants how to satisfy requirements and become compliant [and stay compliant].
However, the Council is planning to build more tools in order to help merchants understand what exactly they need to do to become compliant. A wizard interface or some other method to simplify the SAQ process can be used here to highlight which controls the merchant needs to implement.

Anton Question 7: The “none were compliant when breached” statement rings true to me. Why do you think so many people object to this?
Bob and Troy @ PCI Council answer:
People simply need to know the facts and find out what happened in those breach stories. For example, some breached companies had massive stores of prohibited data, such as authorization data. Or they were not adequately protected at the application or database level against things like SQL injections. There is a difference between “breached due to negligence” and “breached due to bad luck.” Being diligent but still ultimately failing to protect the information is possible (so safe harbor does exist for such companies); it just isn’t what happened in those incidents.

You just need to get the facts. If a company gained compliant status by misrepresenting the facts to a QSA, PCI standards are not at fault when the breach happened.


Anton Question 8: What is the best way to balance the PCI DSS lifecycle with both merchants’ complaints about a “moving target” and with rapidly changing threats?
Bob and Troy @ PCI Council answer:
So far, the current two year lifecycle has provided a good balance between structured development and staying abreast of rapidly changing threats. Feel free - and have your readers - to suggest changes to that lifecycle, if you think it needs to be changed! We are considering how it might evolve.

Anton Question 9: What do you think of using PCI DSS controls for non-payment-card data?
Bob and Troy @ PCI Council answer:
It is a good thing, if you keep in mind that PCI DSS controls are the foundation or the minimum baseline for an effective security strategy. Organizations will likely need to build more security on top of the PCI foundation to protect other sensitive data. Layering technology solutions and combining with the necessary people and processes continues to be the most effective means in protecting cardholder data.
PCI has certainly raised awareness for all data protection, not just payment card data.
Anton Summary
Overall, the main themes I picked in the conversation were:
  • “PCI compliance” is a means to an end. And the end is “security!”
  • Education is one of the ways to change the thinking of merchants and to improve security.

Thanks to Bob and Troy for the insightful discussion!

Thursday, March 04, 2010

Thursday, February 25, 2010

RSA 2010: Where to Find Anton?

Since everybody is heading down (…up or sideways – in my case) to RSA, here is my schedule. If you want to meet up, it will help you to track me down.

  • Monday: Metricon 4.5. Sadly, missing the Cloud Security Summit. Is there anything more important than cloud? Yes, security metrics! :-)
  • Tuesday: mostly meetings with clients, prospects, friends and everybody else. I plan to attend a few GRC-themed RSA presentations in the afternoon.
  • Wednesday: at SecurityBSides, speaking on PCI DSS and otherwise having fun. Come say hi if you are there! Obviously the way to end this day is at the famous RSA Security Blogger Meet-up.
  • Thursday: attending RSA, more meetings with prospects and friends, and – YES! - our PCI DSS book signing (!!!). Come have your PCI book signed by BOTH Branden and me (a rare event indeed!) at 1PM at the RSA bookstore.
  • Friday: yet another day of meetings and RSA presentations.

BTW, we […for any value of ‘we’] totally need to bunch up and do a vendor hall walk – if for no other reason but to make fun of vendors with incompetent marketing, look for hippos (=misspelled HIPAA) and “compliancy” as well as other fun stuff. Maybe this year I should finally organize the “1st Annual RSA Vendor Hall Walk”, especially given that I do not work for a vendor anymore.

Tuesday, February 23, 2010

Nobody Is That Dumb ... Oh, Wait XII

RSA is that time of the year when a lot of otherwise hidden hilarity is suddenly exposed – through the work of noble PR folks. For example, below is a pre-RSA press email I received the other day – it made a perfect candidate for my “Nobody Is That Dumb ... Oh, Wait” series. The last post in the series was a while ago, so this was a good opportunity to revive it.

“I know your time at RSA is filling up, but I wanted to tell you about “Embarrass Security” [company name sanitized – A.C.], a company that is changing the way companies protect their web properties. “Embarrass Security” is going to be at booth No. XXX [sanitized – A.C.] during RSA and will be:

  • Announcing a new ‘counter-hacking appliance’ for enterprises
  • Demonstrating a ‘live hacking & sting operation’ demonstration in the “Embarrass Security” booth (with the disclaimer that no animals will be harmed in the production of the demo)

With the counter-hacking appliance, “Embarrass Security” will demonstrate the ability to alert companies when hackers are knocking at the door, and can also show how they thwart evil intentions by making sure the hackers don’t actually see what they think they’re seeing. “Embarrass Security” enables enterprises to protect their web properties at a deeper level that even the bad guys can’t touch.”

Nothing to add, really... let’s all go buy the “counter-hacking appliances,” thwart some evil intentions and be done with it :-)  I can’t help but wonder what kinda people work on their product management / marketing team…


Saturday, May 02, 2009

Monthly Blog Round-Up – April 2009

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month! If you are “too busy to read the blogs” (eh…because you spent all your time on Twitter? :-)), at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. My PCI DSS hearing coverage in US Congress takes the #1 spot, hands down. Also see (if you can stand it…) the live Twitter coverage here under the #pcihearing hashtag.
  2. Of course, “Five Reasons to Dislike PCI DSS – And Why They Are WRONG!” is hot. Also check out the longer paper on the same subject, “PCI Shrugged”, published in CSO Magazine.
  3. This month the Verizon breach report was released and my coverage of it takes the #3 spot: “Breach Report 2009 Day.” Again, kudos to the team that made it real!
  4. My highlight of Dave’s paper (“MUST Read: ‘Who is Minding the Legal Risk around PCI?’ by David Navetta”) takes a spot in the Top 5 this month.
  5. Only then comes Conficker / Confickr, but not the post you’d think :-) It is my April 1st post “100% Protection from Confickr Revealed!”
  6. RSA impressions crawled in from the back, namely RSA 2009 Impressions, Part I or “PCI DSS is NOT a Pill Against ‘Stupid’”. All other RSA impressions.

See you in May! Also see my annual “Top Posts” (2007, 2008).

Note: this is posted by a scheduler; I am away from computers for a few days.



Wednesday, April 29, 2009

RSA 2009 Impressions, Part IV or The Rest of RSA 2009

This is my final RSA 2009 impressions post; check out the previous ones here. Check out other coverage of RSA 2009 on security blogs here.

First, I did go to a few sessions; way fewer than I wanted. One on SIEM (which was a little sad), one on PCI (which was very exciting) and a few others mentioned below. As were many others, I was shocked at how poorly the sessions were scheduled: I had situations where 4 sessions (!) running at the same time were interesting and then there were two time slots where none were (OK, maybe it is just me :-)). Also, I was amazed to see flashes of TweetDeck everywhere in the audience; an amazing change from last year when Twitter was virtually unheard of.

Next, I went to the Jericho Forum mini-conference, which was kinda fun in its own detached way ;-) There were a few presentations about “cloud security”, the cloud cube, etc. And, which was more fun, Philippe gave his pre-keynote presentation to the Jericho club (this is where he first mentioned cloud as a possible way to “invisible/ implicit/ unavoidable” security), which was then followed by a good discussion. Then Rich Mogull, Gunnar Peterson and Chris Hoff beat up on the Jericho folks a tiny bit ("COA is unimplementable”, “no practical examples in documents”, ”confuses data centricity”, etc). Obviously, the common sense conclusion that ‘"the cloud" is no more/no less secure’ was the pink elephant in the room; it’s what you do with it that counts.

Another pinky was the idea that “security is either baked in or none” for consumers; the current move to cloud computing is our second chance to bake security in. How can we not miss that chance? Since the power of large end-user organizations is what often drives security (e.g. trustworthy computing at MS), unless and until large organizations say “I won't use XYZ cloud vendor unless it is secure up to ABC standards” this second chance will not be taken advantage of [this BTW needs said ABC standard as well as a few metrics to boot].

On Thursday, our log standards panel was held; it was lots of fun too and we had almost 100 people (!). Dan Blum, our moderator, has a good account of it here. However, what matters is what happened before the panel: we had a three hour working meeting and made a lot of progress on the Common Event Expression (CEE) effort in particular and log standards in general (more details in the future).

On Friday I went to RSA just to see Chris Hoff and Rich Mogull do their “Disruptive Innovation and Security” session, which exuded pure awesomeness! Key items I caught:

  • Business innovation vs technology innovation vs security innovation – all 3 often seem out of sync, but security innovation is usually MORE behind.
  • Threat innovation IS business innovation – just for the criminal businesses.
  • Chris and Rich suggest that the motion from network -> host -> data is not linear, but part of a cyclical progression; a fun idea.
  • I realized that an idea that I recently “suffered” from (“intrusion tolerance”) is the same as what Chris calls “information survivability”
  • Also, I liked their technology assessment methodology: a security impact vs business impact chart (with IDS in the bottom-left corner, both being “low”)

Finally, the most important part: the vendor hall impressions. Every year I am trying to “soak the vendor hall in” – and then produce insight while sitting in an armchair (that last part is key for being called “an armchair analyst” :-)). This year I got a bizarre sensation: a whole hall-full of vendors TOTALLY missing both a) security of cloud applications (broadly defined) and b) the ability to provide security services via SaaS/cloud (yes, I know these are not the same). No, this is not some Qualys PR talk – just think about it: 23 (!) RSA sessions that mention “SaaS” or “cloud computing” combined with almost NO vendors providing either a) or b) above (apart from the blatantly idiotic “cloud gods send us the virus definitions” already ridiculed here). If I were to launch a security company today, I would NEVER even think of doing software, maybe an appliance – but most likely SaaS… I bet in a few years the whole concept of “buying servers to run security on them” will be grounds for being put into an asylum (I do remember the time when my employer of 2002-2006 sometimes required 17 servers to run well…)

A few more observations from the expo: vendors who add themselves to all product categories probably signal “FAIL due to lack of focus.” I saw a SIEM vendor listing themselves in a whole bunch of categories, including “Vulnerability Scanning”, and a scanning vendor listed, among other things, in “DRM” (!) Also, I saw an amazing amount of horribly confusing marketing, all the way to “not clear one bit to a certain Ph.D. ‘security insider’” :-) People, grow up! If users don’t get what you do, they will NOT buy your stuff! Among the technologies which vanished from our collective consciousness are: NAC (in a year I bet folks will ask what the letters stand for), anti-spyware and – strangely – DLP.

Overall, awesome show!


Tuesday, April 28, 2009

RSA 2009 Impressions, Part III - Mini-Metricon 3.5

In this 3rd RSA 2009 blog post I will go back in time to my Day 1 of RSA, which I spent at Minimetricon 3.5.  The Minimetricon event exuded pure awesomeness! Some people bitch about RSA keynotes AND even about RSA content overall; they say they are there to “meet people.” However, Minimetricon (which just “coincided” with RSA) was all about presentations and discussions, especially the latter. It goes without saying that the caliber of people there was quite impressive (e.g. eBay, Google, etc security folks).

First, as a preface, I happen to believe that our inability to “measure security” is one of the top three problems we are facing in security industry today (no, it is not 0-day defense and not clown computing either – metrics actually underlie both of them too). So, here are some tidbits from talks:

Jeremiah’s web statistics talk was fun; some insights follow:

  • XSS still tops all the web vulnerability charts; SQL injection is close [A.C. - BTW, PCI DSS prohibits both]
  • CSRF is heavily underrated (11%) , likely due to not being discovered en masse.
  • Retail sites: 61% have critical vulnerabilities [A.C. – to me this is the same as “they are 0wned by somebody who cares…” AND did we mention that PCI prohibits these vulns?]
  • Resolution rates are low for XSS; basically, people are just not fixing it [A.C. - did we mention…ah…we did, didn’t we? :-)]
  • There is also a long tail of web vulnerabilities; a lot of vulns appear rarely, on only a few sites.
  • Overall, “the whole Interweb thing” is hugely complex today – and has its complexity growing (which makes it more fun…)

The Verizon breach report came out a few days before; still, their team’s talk was awesome too (and, yes, the PCI section caused a bit of a storm).

  • This breach study was insightful, but various people now want “breach cost study”, which will be MUCH harder.
  • PCI slide: PCI compliance rates are claimed; some orgs even say this, verbatim: "we had the PCI paperwork filled; how can we be compromised?"
  • On the other hand, their compliance technology metrics are not claimed, but observed (e.g. that penetration of log management was around 5% across the breached organizations); thus claimed compliance rates are HIGHER than the use of tech mandated for being able to claim such compliance (BTW, see PCI Connect)

Fred Cohen did a fun talk on forensics and objectivity:

  • The main idea, as I got it, was that forensics is one area of security where we just HAVE TO be fact-based and objective (and, no, we are not)
  • Mysticism vs science in security; Fred thinks that security will have to become fact-based in the future; must have decisions based on intelligent risk management. Today security is pure mysticism and the use of fact-based metrics is very uncommon (and, yes, today’s risk management = voodoo)
  • And the big question is: will security stop being a black art and start being a science in 10, 20, 30 years as IT importance grows?

Many of the MiniMetricon talks made me think about the whole “preventative AND monitoring security FAIL” and that maybe “intrusion tolerance” or … “information survivability” (now, Chris, I’ve said it :-)) is really the only way to go. Otherwise, you just accept that everything is 0wned and go home :-) Or go to the cloud.

Finally, I realize why I liked the event so much: it had a very uncommon balance of academic (=smart + totally out of touch) and real-world (=grounded in reality + not having time to think about said reality) people…



Monday, April 27, 2009

RSA 2009 Impressions, Part II or The Only Fun RSA Keynote

OK, so people make fun of RSA keynotes as being “content-free”, buzzword-heavy and overall annoying. I did that too. However, this year I had advance knowledge that one keynote would be very fun, insightful and “B.S.-free”!

So, I came a bit earlier and the previous keynoter (not sure who that was) was working hard proving that RSA keynotes suck by droning on and on about nothing. I just couldn’t wait for Philippe’s keynote to start – and then it did and proved even more fun and insightful than I thought. Here is what caught my attention in his keynote:

  • First, “The Inconvenient Truth”: critical data is spread across devices / laptops / phones today; many such devices are lost every day. Data -> gone.
  • Second, vulnerabilities are a) being exploited and b) not being fixed (updated Laws research shows no change in the half-life of a vulnerability – still at 30 days, as 4 years ago)
  • The above two lines should tell everybody (rephrased by me for increased drama): “cloud is not a threat to data governance, you are!”
  • Deploying applications to deal with security problems seems to open more security issues. Thus, the enterprise LOST the security battle since it is impossible to secure today's networks and applications. To top it off, the business needs systems and IT resources faster than ever: and they are impossible to secure even at the slower pace.
  • I have heard the whole “$84 billion to maintain Outlook+Exchange per year” line before, but it still has shock value. That is what people pay for insecure apps that handle valuable data (=email) today.
  • Answer? SaaS! If you sell software and somebody does it in the cloud, you will be replaced. Good bye!
  • Good news: today’s expansion of SaaS is also another chance to “build security in”; we failed this for platforms and applications, now we can [try to] do it for SaaS.
  • Also, SaaS allows for more control over data (analogy: old mainframe model) and for more usable-yet-effective security. Obviously, there are a lot of problems to solve (e.g. browsers with holes, authentication across apps, strict and enforceable SLAs, etc)
  • Example: end-to-end secure email has been attempted since the 80s (with a proven 100% failure rate of adoption), but now a big cloud provider (e.g. Gmail) can do it easily.
  • Final word: “in cloud we trust, but it is our job to verify it!”

Full keynote video is here (yes, it IS actually worth watching!) and a lot of media coverage is here, here, here ("Cloud: Resistance is futile"), etc.

Enjoy all RSA coverage here.



Friday, April 24, 2009

RSA 2009 Impressions, Part I or “PCI DSS is NOT a Pill Against ‘Stupid’”

Now, I still have to formulate my [deep?] thoughts about the whole RSA 2009 conference. However, here is one post that I just have to write now… right now :-)

At RSA, I had a few people argue with our “PCI Shrugged” paper by showing examples of where PCI DSS was indeed a distraction and resources were pulled from projects that would have reduced information risk more than implementing PCI DSS controls. Typically, those arguments referred to technologies that are not mentioned in PCI DSS guidance (such as DLP), but that would be more effective in reducing their risks than PCI-mandated controls.  Still, in most cases I thought that our argument about PCI DSS covering the basics first still holds water.

However, one argument did give me pause in a big way.

Imagine that the resources of your security team are being pulled to PCI DSS compliance implementation from … a response to a live, ongoing security incident. You’d bet it cannot happen? I would bet that too, but we would both lose… The management considered lack of PCI DSS validation to be a bigger risk to their bottom line than an actual ongoing intrusion. This just blows my mind :-)

In fact, I had nothing to say to whoever brought up this argument at the time. I stammered and then remembered that Requirement 12.5.3 mandates that an organization must “Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.” However, when uttering this I knew what their answer would be. “Yup! A plan it does mandate… us acting on this incident here – not so much” was the quoted response from their management.

However, now that I had time to ponder this (and to fully recover from shock), I have this to say:

  • PCI DSS does not cure stupid! It was not supposed to, it can’t, and it won’t!
  • PCI guidance lacks the magic power to imbue its reader with a shot of common sense.
  • PCI does not add “+5” to Intelligence or Wisdom scores (for those who like game metaphors).

In other words, one CAN be stupid with or without PCI DSS; you can ignore security even in the face of PCI DSS. One RSA speaker suggested that PCI is like a baseball bat; you can use it to play – or you can have your face “batted” in by somebody really, really stupid…


Monday, April 20, 2009

Qualys PCI Connect is OUT!

Ok, so RSA is an exciting event, but nothing excites me more than the release of Qualys PCI Connect!

"QualysGuard PCI Connect is an on demand ecosystem bringing together multiple security solutions into one unified end-to-end business application for PCI DSS compliance and validation.

As a new addition to the widely adopted QualysGuard PCI service, PCI Connect streamlines business operations related to PCI compliance and validation for merchants and acquirers all from a combined collaborative application with automated report sharing and distribution. PCI compliance status and tracking is performed on an ongoing basis.

Merchants who use QualysGuard PCI Connect can easily identify areas where they may not be meeting compliance requirements. Acquirers who use QualysGuard PCI Connect can easily evaluate whether merchants have met PCI requirements and whether sufficient evidence has been submitted for validation."

Also, as of today, Qualys is fully in the web application scanning business.

Sunday, April 19, 2009

Meeting at RSA

If any of my readers want to meet at RSA2009, drop me an email, blog comment here or DM me on Twitter.

See ya at RSA!

Dr Anton Chuvakin