Two Security Startups To Keep An Eye On

The security market has been heating up, with the acquisition of McAfee by Intel Corp for $7.68 billion and of ArcSight by Hewlett-Packard for $1.5 billion. Now it's time to start looking for new startups. Two companies have caught my eye, as they focus on two areas ripe for new ventures: security management and on-demand identity management.

The first startup is Chicago-based HoneyApps, which aims to simplify your security management by consolidating “security vulnerability information, reporting and management into a single place.” It has just secured $1 million in funding. Ed Bellis, former CISO at Orbitz, is one of the founders.

The second startup is San Francisco-based Okta, founded by Todd McKinnon and Frederic Kerrest. It provides an on-demand identity and access management service. With the IT disruption cycle that a move to the cloud brings, services like this should help organizations accelerate that move.

I’m looking forward to seeing how these companies fare and what their exit strategies end up being.

At the RSA Conference 2011

It’s that time of the year again when all the security vendors are packing their bags and preparing to mob San Francisco’s Moscone Center. I’ve had a set of interesting experiences at RSA: as a graduate student I met brilliant cryptographers; I’ve been offered jobs; as a speaker I’ve faced a tough crowd; and I’ve been schmoozed by vendors.

This year, I’m looking to connect with some old friends and make some new acquaintances. Drop me a line if you will be there and would like to meet.

Conflicting Approaches: Two Different Approaches to Enforcing Privacy

Enforcing information security and privacy laws and policies has become a priority for a myriad of law enforcement agencies. This reflects the growing importance of information in our lives. However, many laws and policies are unclear, and the punishment for these crimes varies widely around the world. Two cases highlight this:

1. Five years’ jail time for looking at a spouse’s email: In a recent case, Leon Walker faces five years in jail for unlawfully reading his wife’s email under Michigan statute 752.795. This law states that

A person shall not intentionally and without authorization or by exceeding valid authorization do any of the following:

Access or cause access to be made to a computer program, computer, computer system or computer network to acquire, alter, damage, delete or destroy property or otherwise use the service of a computer program, computer, computer system or computer network.

2. Swiss banker fined for giving away bank secrets: In 2008, Rudolph Elmer gave the website Wikileaks secret information on a number of bank accounts held by individuals. A Swiss court recently fined him around $7,400 for this. Since then, Mr. Elmer has gotten himself into more trouble, but that’s a story for another post.

Both instances demonstrate how widely laws and punishments around privacy vary. As case law in this area evolves we should hopefully see more consistent laws and policies, but that may yet take several years.

Secure your Facebook password

Ok. I’m going to make an exception to my general rule of focusing on deep analysis rather than technology-specific security how-tos. Some of my friends and family could definitely benefit from securing their Facebook accounts.

The Change: Facebook is rolling out new security features over the next few weeks that will allow you to connect to the website securely. In technical terms, they are making SSL-based HTTPS connections available for your whole session, not just the login page, as an account setting you turn on.

How to Enable the Setting: Log in to your Facebook account. Then, at the top right, click the following in order: Account -> Account Settings -> Account Security. That should bring you to the Account Security view.

Check the “Secure Browsing (https)” box and click Save. If you don’t see the setting, don’t worry: Facebook will probably take a couple of weeks (until mid-February) to enable it for all accounts. Check back in a few weeks.

Should you care: Absolutely. If you have ever visited Facebook from a coffee shop, an airport, or even your home Wi-Fi, you should enable this setting. Over plain HTTP, anyone on the same network can read your traffic, including the session cookie that keeps you logged in; over HTTPS that traffic is encrypted, which makes stealing your password or session much harder. By doing this, Facebook now meets the common minimum bar for website security. This setting does not make all of Facebook secure; you still need to follow basic security advice.
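To see what “secure browsing” actually buys you, here is an added example (not code from the original post or from Facebook) that inspects a site’s HTTP and HTTPS responses and reports whether a logged-in session is protected from someone sniffing the same Wi-Fi: does the plain-HTTP request get redirected to HTTPS, does the site send an HSTS header, and are the session cookies marked Secure so the browser never sends them over plain HTTP? The response headers below are constructed for illustration, and the domain example.com is a placeholder.

```python
"""Check whether a site's responses keep a login session on HTTPS.

Added example, not part of the original post. Given the raw headers of
an HTTP response and an HTTPS response, it reports the three properties
a user on an untrusted network cares about: redirect to HTTPS, HSTS, and
Secure-flagged cookies. The sample responses are constructed; the domain
is a placeholder.
"""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response (status line plus headers) into a dict.

    Header names are lower-cased; repeated headers such as Set-Cookie
    are kept as a list in the order they appear.
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def status_code(raw: str) -> int:
    """Return the numeric status from the first line, e.g. 301."""
    return int(raw.strip().splitlines()[0].split()[1])


def cookie_is_secure(set_cookie: str) -> bool:
    """True if the Set-Cookie value carries the Secure attribute."""
    attributes = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attributes


def assess_https(raw_http_response: str, raw_https_response: str) -> Dict[str, bool]:
    """Assess a site from its plain-HTTP and HTTPS responses.

    'protected' requires that plain HTTP is redirected to HTTPS and that
    every session cookie is Secure; HSTS is reported separately because
    it additionally stops the browser from ever trying plain HTTP.
    """
    http = parse_headers(raw_http_response)
    https = parse_headers(raw_https_response)

    location = http.get("location", [""])[0].lower()
    redirects = status_code(raw_http_response) in (301, 302, 307, 308) and location.startswith("https://")

    hsts = "strict-transport-security" in https

    cookies = https.get("set-cookie", [])
    secure_cookies = bool(cookies) and all(cookie_is_secure(c) for c in cookies)

    return {
        "redirects_to_https": redirects,
        "hsts": hsts,
        "session_cookies_secure": secure_cookies,
        "protected": redirects and secure_cookies,
    }


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
"""

WEAK_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
"""

STRONG_HTTP = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
"""

STRONG_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    # Before "secure browsing": the session cookie travels in the clear.
    print("weak site:  ", assess_https(WEAK_HTTP, WEAK_HTTPS))
    # After: HTTP is redirected and the cookie is only ever sent over TLS.
    print("strong site:", assess_https(STRONG_HTTP, STRONG_HTTPS))
```

The weak site serves the session cookie over plain HTTP with no Secure flag, which is exactly the situation a packet sniffer on shared Wi-Fi exploits; the strong site redirects, sets HSTS, and marks the cookie Secure. To try it against a real site, fetch the two responses with any HTTP client and pass the raw header text in.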

I’m glad to see Facebook taking this action. Over the past few months, several people have asked for my help in securing their accounts, usually after they have been hacked. This should give them some added protection.

Advanced Persistent Threat (APT): Real or just hype?

Put four CSOs together and sooner or later they’ll start talking about Advanced Persistent Threat (APT). Now imagine the conversation with 20 CSOs in the room.

I recently hosted a session at a security event at Microsoft, and the two dozen security executives present started discussing APT. Each of them had a different description of APT, and opinions ranged from APT being the next frontier of security to it being the next Y2K. Consensus seemed to coalesce around APT being characterized by a wide spectrum of attack techniques, targeting of particular goals, persistence in finding ways to sustain the compromise, highly resourced attackers, and intentional rather than opportunistic attacks. Most organizations admitted that they were looking to invest in APT-related programs over the next three years.

While most organizations will continue to struggle to separate the real from the hype surrounding APT, I’d suggest considering the following questions before dipping your toes in the murky APT waters:

  • How does your organization define APT?
  • How does this APT definition differ from traditional threats?
  • What are the primary drivers for APT related programs in your organization?
  • How will your current mitigations stand up to your definition of APT?
  • How will APT influence your existing Information Security programs?

Akshay’s Uncertainty Principle: Observing Some Metrics Changes Them

You’ve probably heard of the famous Heisenberg Uncertainty Principle in quantum physics. It states:

“The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa.”
–Heisenberg, uncertainty paper, 1927

This principle is related to the observer effect. In physics, the term observer effect refers to the changes that the act of observation makes on the phenomenon being observed.

Ok, now to get to the point. As a business manager responsible for a P&L, I am asked to produce several performance or revenue metrics. Some of these metrics are simple and straightforward Key Performance Indicators (KPIs). KPIs can include net revenue, profit, number of new customers or, in our case, customer satisfaction numbers.

The problem with metrics crops up when we need to measure a property and no mechanism exists to measure it quickly, or the metric is not representative of the property being measured. In general this happens in the following scenarios:

  1. Metric is not available: No mechanism is in place to measure the property at that time.
  2. Property is not measurable: No metrics are available to capture the property.
  3. Deliver unplanned metrics quickly: Metrics that the system was not designed to capture need to be measured quickly.
  4. CSF masquerading as KPI: Critical Success Factors are the elements vital for a strategy to succeed and should not be confused with KPIs, which quantify strategic performance. The metric being asked for is a CSF, not a KPI.

In simple words, the effort required to measure the metric changes the effort we can dedicate to the work the metric is supposed to measure. The act of measuring the metric changes it. For example, in the economic downturn several teams have had to reduce headcount. If such a bare-bones team is now asked to capture information on how a recently released tool is being used by customers, without that mechanism already in place, then it cannot deliver that metric without additional effort that will impact the overall KPIs. The problem that arises is what I’ve dubbed Akshay’s Uncertainty Principle:

In a resource constrained environment, a new or modified metric cannot be measured without impacting the metric itself.

- Akshay


Shrinking Budgets: Application Security Tools vs Process Tradeoff

An all too familiar scene repeated itself two weeks ago. My good friend, the CISO of a mid-sized technology company, let’s call him Alok, went into a budget planning meeting and came out a shadow of his former self. To be more precise, an 85% version of the Alok that I know: he had just been handed a 15% reduction in budget.

Like most managers, Alok started taking stock of his mini-empire and prioritizing things he could do without. Luckily, he had already expected a cut and so had planned ahead. Unluckily, he had planned for a 6% reduction, not 15%. After some brainstorming and some tough decisions he had cut costs by 10%. Then began his quest for the elusive final 5%. His organization had started the transition from a network-security-centric organization to a more application-security-centric one around 15 months ago. So one solution proposed by one of his managers was to drop the security engineering process integration program and replace it with a set of static analysis tools they had just evaluated; a tool-first strategy had paid off handsomely for them in network security. Ron, one of the leading application architects in the organization, was opposed to the idea. Thus started a turf war, which left some angry, most frustrated and everyone confused.

Unlike most managers, Alok reached out for advice. He asked me to share my experience with customers in similar budgetary situations and at a similar level of maturity. This is how our conversation went:

Alok: So I think automated security tools can help us reduce risk and save us money. Unfortunately, I have to reduce budget, and I’m thinking of buying the <snip> tool to drive efficiency. What do you think?

Akshay: I’m sorry that you have had a budget cut. A lot of my clients have been facing a similar situation. Before I answer your question can you tell me what value you expect to derive from the tool?

Alok: We are looking to get standardized security bugs and find all the vulnerabilities that exist in our code base.

Akshay: Do you know how the tool compares to a manual security code review? I mean, what kind of coverage does it give you? And is that coverage good enough for your organization?

Alok: No, we haven’t examined that. Assume that it is. Should we go ahead? You know I can get more done with less by buying the tool and getting rid of my contingent vendor staff.

Akshay: Well, the tool that you mentioned will need to be used by both your development team and your security team. Have you considered the cost of training people to use it?

Alok: No. What other impacts and costs may there be?

Akshay: I imagine the development staff is also being reduced, and that they will resist taking on additional work while having to let people go. In my experience, when clients buy static analysis or other tools, a large portion of them end up as shelfware. Not enough thought is given to how to integrate them into existing development lifecycles. Application security is fundamentally a process problem and you can’t solve it just by using tools.

In my opinion, this is a great time for forward-looking organizations to re-engineer their development process to integrate security into it. People are the biggest resistors of change, and culture change is the toughest challenge when moving to an SDL-like process. The prevailing lean development team, a more malleable workforce and forward-looking leadership can and should be leveraged in these tough economic times to make the organization healthier for the future.

- Akshay

Streams of Consciousness

I’m expanding my blog to include posts on topics that I am currently thinking about. These will be more ideas floating in my head than analysis, so I will call them Streams of Consciousness. They will complement my regular in-depth analysis pieces.

The McAfee Way: Don’t follow it!!

McAfee’s shoddy security update has been well chronicled. If you haven’t been following this, let me summarize the situation for you. McAfee sent out a signature update that led millions of uninfected machines to think a core Windows system file was infected, and the product quarantined it; in effect, McAfee committed hara-kiri on its own customers’ machines.

Clearly, this did not make any of the impacted customers happy. But what’s even more interesting is that McAfee blamed this on broken quality assurance processes: they had changed their testing process to make it less rigorous. At any other time this might have passed unnoticed. When it happens while Toyota is subject to the largest recall in its history due to shoddy testing, with its brand image taking a beating, it seems brain-dead to roll out an untested, less rigorous QA process.

And that was far from the end of it. McAfee’s customer service then went out and made things worse. Many customers have shared horror stories from this incident with me. The following comment on an article by Larry Seltzer summed up the collective experience:

My main problem with this situation (and the main problem echoed by numerous other IT professionals I’ve talked with) was with McAfee’s response. Faced with a MAJOR mistake that was impacting people on an international scale, what did they do? Did they send out an e-mail notification to warn of the problem and advise us how to fix systems that had been impacted? No. Did they have a large, easy-to-find link right from their home page to help us QUICKLY find out what the problem was and how to fix it? No. Even after it was reported in the major media, they acted like it was no big deal and had just a little link in a location where it was very easy to overlook, worded to look like it related to something that was no big deal. This made it easy to overlook when you’re pressed, trying to quickly find a solution for angry customers.

Lesson to take away: catastrophic business situations will arise due to carelessness on your part. If you haven’t done an analysis of the consequences of these situations, you will trip. And when you get up, you may not look pretty.


RIP: Jack Louis passes on

Jack Louis of Outpost24 passed away on Sunday as a result of a house fire in Sweden. He was known for the port scanner Unicornscan. Some of you may remember him from Sockstress, a set of TCP resource-exhaustion attacks that can cause denial of service on any system that listens for remote connections over TCP. Jack’s path and mine had crossed a few times, in ways both competitive and intellectually fulfilling.

- Akshay