<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>TriGeoSphere</title>
	
	<link>http://blog.trigeo.com</link>
	<description>Network Security:  Insider Insight.  Expert Commentary.  Random Thoughts.</description>
	<pubDate>Sun, 16 Nov 2008 15:50:06 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/trigeosphere" type="application/rss+xml" /><feedburner:emailServiceId>2330878</feedburner:emailServiceId><feedburner:feedburnerHostname>http://www.feedburner.com</feedburner:feedburnerHostname><item>
		<title>Government Data Loss: Double Standard</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/454731187/</link>
		<comments>http://blog.trigeo.com/2008/government-double-standard/#comments</comments>
		<pubDate>Sun, 16 Nov 2008 08:46:29 +0000</pubDate>
		<dc:creator>Michael Maloof</dc:creator>
		
		<category><![CDATA[Compliance]]></category>

		<category><![CDATA[Featured]]></category>

		<category><![CDATA[Industry Events]]></category>

		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[TriGeo]]></category>

		<category><![CDATA[Identity Theft]]></category>

		<category><![CDATA[State Department]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=30</guid>
		<description><![CDATA[<p>Will the federal government be held to the same security and compliance standards that it has mandated for corporations or that states impose on businesses operating within their borders?  It seems unlikely, so we're faced with a serious dilemma.</p>
<p>How can we be sure as citizens that the ever-growing volume of citizen and visitor data being compiled by the government will be “secure”?</p>]]></description>
			<content:encoded><![CDATA[<p><a class="thickbox" href="http://blog.trigeo.com/wp-content/gallery/blog-images/uncle-sam-wants-your-data.jpg"><img style="float: left; margin-bottom: 10px; margin-right: 10px;" src="http://blog.trigeo.com/wp-content/gallery/blog-images/uncle-sam-wants-your-data.jpg" alt="uncle-sam-wants-your-data.jpg" width="180" height="174" /></a></p>
<p>One of the greatest challenges to network security is the illegitimate use of legitimate access - insider abuse.  There are a number of insider abuse cases in the headlines, from the <a title="Superglue Security" href="http://blog.trigeo.com/2008/superglue-security/" target="_blank">Countrywide</a> employee that grabbed 20,000 customer records every Sunday for nearly two years, to the recently disclosed <a title="State Department Breach" href="http://www.washingtonpost.com/wp-dyn/content/article/2008/10/30/AR2008103004716.html" target="_blank">State Department Breach</a>.</p>
<p>While the State Department breach is relatively small, it’s newsworthy for several reasons.</p>
<ol>
<li>It’s another failure for an organization that seems to be plagued with network security challenges.  Considering they have detailed identity data on nearly 200 million U.S. passport holders, it’s reasonable to ask, “Who’s guarding this information, and how?”</li>
<li><strong>We’re dealing with identity theft originating from within a branch of the federal government!</strong></li>
</ol>
<p>We might be able to choose not to do business with a specific retailer, but we don’t have a choice when it comes to the government.  If you apply for a passport, your records are stored in their database, apparently easily accessible, and with little to no oversight.  While many states have passed data breach notification laws, these laws don’t seem to apply to the State Department. It wasn’t required to notify applicants that their records may have been compromised and their identities were at risk - and it didn’t notify them for over seven months.</p>
<p>Will the federal government be held to the same security and compliance standards that it has mandated for corporations or that states impose on businesses operating within their borders?</p>
<p>It seems unlikely, so we’re faced with a serious dilemma.  The national ID campaign, and of course the drive toward national healthcare, will both embody massive, centralized databases that we’re “assured” will be secure.  How can we be sure as citizens that the ever-growing volume of citizen and visitor data being compiled by the government will be “secure”?</p>
<p>I’m not a cynic, just a practicing pragmatist.  The challenge is enormous, the risks are real, and I’ve seen little evidence to date that suggests the problem is being addressed.  There are no easy answers, and certainly no cheap ones, but we can start by demanding the government play by the same rules they’ve imposed on business.  I’d like to see the people signing off on government IT audits held to the same standards (and penalties) that SOX places on executives.  At the very least, responsible disclosure requirements should be implemented.</p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/454731187" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/government-double-standard/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/government-double-standard/</feedburner:origLink></item>
		<item>
		<title>Economic Uncertainty?  Maybe it’s a Good Thing…</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/445027929/</link>
		<comments>http://blog.trigeo.com/2008/economic-uncertainty-maybe-it%e2%80%99s-a-good-thing%e2%80%a6/#comments</comments>
		<pubDate>Fri, 07 Nov 2008 02:53:46 +0000</pubDate>
		<dc:creator>Michelle Dickman</dc:creator>
		
		<category><![CDATA[Business Trends]]></category>

		<category><![CDATA[Featured]]></category>

		<category><![CDATA[Log Management]]></category>

		<category><![CDATA[Security Information & Event Management]]></category>

		<category><![CDATA[Economy]]></category>

		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=26</guid>
		<description><![CDATA[<p>It's likely that the downturn will lead to the disappearance of many of the marginal SIEM and log management products on the market – a bit of 'Natural Selection' in action.  This is the best possible news for consumers.  They'll get better products for better prices.</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.trigeo.com/wp-content/uploads/2008/11/pocket_rockets1.jpg"><img class="alignnone size-medium wp-image-29" style="float: left; margin-right: 10px;" src="http://blog.trigeo.com/wp-content/uploads/2008/11/pocket_rockets1.jpg" alt="Aces" width="150" height="97" /></a>I’ve recently had several calls from analysts asking about how TriGeo is faring during these uncertain economic times.  Nearly all of the analysts I spoke with are hearing that VC funded SIEM and log management vendors are being told by their investors to cut back spending…and not just back…<strong>WAAAYY Back</strong>.</p>
<p>During the discussion I told them all, we’re “doubling down.”  While everyone else in our space is cutting back (<a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=hardware&amp;articleId=9118678&amp;taxonomyId=149&amp;intsrc=kc_top" target="_blank">even Symantec is laying off nearly 5% of its workforce</a>) TriGeo is hiring in almost every department and investing even more into our marketing and channel efforts.  We have no intention of ducking for cover - we’re forging ahead and expanding.</p>
<p>I see this economic downturn as an incredible opportunity for TriGeo.  We’re in the best position out of all our competitors to weather this storm.  TriGeo is profitable, cash flow positive, has a huge cash reserve and is debt free.  I’m certain you won’t find any other private SIEM vendor who can say the same.</p>
<p>It’s likely that the downturn will lead to the disappearance of many of the marginal SIEM and log management products on the market.  The companies selling these marginal products are alive because VC funds are keeping them afloat, not because of customer adoption.  These companies are long past the time when investment made sense to get a company off the ground.  Having these products fall away is a bit of ‘Natural Selection’ in action.  This is the best possible news for consumers.  They’ll get better products for better prices.</p>
<p>Yep, I do think this cloud has a silver lining.</p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/445027929" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/economic-uncertainty-maybe-it%e2%80%99s-a-good-thing%e2%80%a6/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/economic-uncertainty-maybe-it%e2%80%99s-a-good-thing%e2%80%a6/</feedburner:origLink></item>
		<item>
		<title>Governator Vetoes Bill</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/424412965/</link>
		<comments>http://blog.trigeo.com/2008/governator-vetoes-bill/#comments</comments>
		<pubDate>Sat, 18 Oct 2008 07:27:26 +0000</pubDate>
		<dc:creator>Michael Maloof</dc:creator>
		
		<category><![CDATA[Compliance]]></category>

		<category><![CDATA[Featured]]></category>

		<category><![CDATA[PCI DSS]]></category>

		<category><![CDATA[Security Trends]]></category>

		<category><![CDATA[Legislation]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=24</guid>
		<description><![CDATA[<p>Clearly, the most meaningful consumer data protection comes from taking responsible and prudent steps to prevent data loss. Even under the best of circumstances, no one can guarantee that a loss will never occur, and that's where California led the way in disclosure legislation.  In my opinion, this legislation was ill-conceived and I hope it won't be back.</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.trigeo.com/wp-content/uploads/2008/10/arnold_governator.jpg"><img class="alignleft size-medium wp-image-25" style="margin-right: 10px;" title="arnold_governator" src="http://blog.trigeo.com/wp-content/uploads/2008/10/arnold_governator.jpg" alt="The Governator" width="78" height="104" /></a>California’s Governor, Arnold Schwarzenegger, vetoed the state legislature’s second attempt to pass a Consumer Data Protection Act.  While the new bill softened some provisions found in the original, such as the requirement that a breached organization reimburse financial institutions for the cost of replacing credit cards, it remained a flawed bill in many respects.</p>
<p>By vetoing the bill, the Governor once again concluded that adequate protection already exists. Schwarzenegger wrote, “As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.”</p>
<p>I had a chance to <a title="Legislation Interview" href="http://storefrontbacktalk.com/story/090908calif" target="_blank">talk about</a> the proposed legislation last month. During the discussion, I expressed my hope that the Governor would again veto the bill because I saw it as an inadequate attempt to define appropriate data handling requirements with only one possible outcome…litigation.</p>
<p>The bill meant well, but falls short of providing any significant new value and includes minimal guidance on how to minimize the potential loss of data.  Its technical focus is limited to storage and transmission, suggesting that businesses:</p>
<ol>
<li>Don’t store consumer data, even if it’s encrypted</li>
<li>Encrypt data that is being transmitted on open networks</li>
</ol>
<p>These aren’t unreasonable requests…</p>
<p>Inappropriate customer data storage and transmission have been the leading culprits in several recent breaches.  Unfortunately, storage and transmission breaches are only the tip of the iceberg.  Businesses continue to lose sensitive data through wireless access points, weak passwords, weak encryption, vendor default or contractor passwords, systems compromised by key loggers, trojans and more.  Plain and simple: if a business handles a meaningful volume of credit card data, there is a high probability someone is looking for a way to get it.</p>
<p>Considering all the risks, and the reality that security can be expensive, don’t we need legislation?</p>
<p>Perhaps… but not this legislation.</p>
<p>It didn’t highlight many of the possible attack vectors, and PCI already enforces everything the proposed legislation would offer. Given the California bill’s shortcomings, I wonder who the target audience was for the bill.  Were they serious about requiring businesses to protect the data, or was their agenda focused on generating evidence to assign blame?</p>
<p>Clearly, the most meaningful consumer data protection comes from taking responsible and prudent steps to prevent data loss. Even under the best of circumstances, no one can guarantee that a loss will never occur, and that’s where California led the way in disclosure legislation.  In my opinion, this legislation was ill-conceived and I hope it won’t be back.</p>
<p>What do you think?</p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/424412965" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/governator-vetoes-bill/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/governator-vetoes-bill/</feedburner:origLink></item>
		<item>
		<title>Blackhat Update: State of Insecurity</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/380839499/</link>
		<comments>http://blog.trigeo.com/2008/blackhat-state-of-insecurity/#comments</comments>
		<pubDate>Mon, 01 Sep 2008 22:28:21 +0000</pubDate>
		<dc:creator>Michael Maloof</dc:creator>
		
		<category><![CDATA[Featured]]></category>

		<category><![CDATA[Industry Events]]></category>

		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Black Hat]]></category>

		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=21</guid>
		<description><![CDATA[<p>Network security is often viewed as an arms race, and Black Hat is one of those venues where the arms merchants gather to display their wares, and people on opposite sides of the conflict evaluate claims and counter-claims and challenge both.</p>]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal"><a href="http://blog.trigeo.com/wp-content/uploads/2008/09/blackhat2008.jpg"><img class="alignnone size-medium wp-image-22" style="float: left; margin-right: 10px;" src="http://blog.trigeo.com/wp-content/uploads/2008/09/blackhat2008.jpg" alt="Black Hat 2008" width="88" height="144" /></a>The annual pilgrimage to Las Vegas for Black Hat and/or Defcon is a ritual that many of us observe and certainly much has been written about this gathering of the key players in the world of security (and insecurity.)  I’ve been attending for many years, and generally view it as a sort of &#8220;state of the union&#8221; address, where you get both a sense for where things stand, and specific details on tools and techniques.</p>
<p class="MsoNormal">Network security is often viewed as an arms race, and Black Hat is one of those venues where the arms merchants gather to display their wares, and people on opposite sides of the conflict evaluate claims and counter-claims and challenge both.</p>
<p class="MsoNormal"><strong>Is Virtual Security Real Security?</strong><br />
Much of the focus this year was on virtualization, and the popular misconception that virtualized systems are “as secure” or even “more secure” than their physical counterparts – nothing could be further from the truth.  As is often the case, network management and network security are at odds in this fairly new arena.  The pros of virtualization are obvious – space, power, heat and cost are all significant drivers to the rapid adoption of this technology, but ignore the security implications of the virtual world at your peril.</p>
<p>When multiple systems and virtual network infrastructure all coexist, a single security flaw exposes much more than it would in a comparable physical implementation.  The bottom line is that virtualized network infrastructures simply do not equate (yet) to their physical counterparts, and some caution is required to ensure you understand the strengths and weaknesses of virtual networks and plan accordingly.</p>
<p class="MsoNormal"><strong>No Honor Among Thieves</strong><br />
Nitesh Dhanjani and Billy Rios’ presentation <em><strong>“Bad Sushi: Beating Phishers at Their Own Game”</strong></em> delved into their research on phishing tools and tactics, and the underbelly of this community.  While not entirely surprising, it was interesting to see the volume of ready-made sites, how little some members of the phishing community actually know, and the lucrative market for captured personal information.</p>
<p>Using information gleaned from one of the phishing sites they investigated, they turned to Google and found pages of credit card data readily available.  This raised an interesting question.  Why is it that this information, some of it only hours old, was so readily available?  Their conclusion was that the free &#8220;samples&#8221; establish the sellers as &#8220;legitimate&#8221;.  On the market front, it seems that Gold and Platinum cards, complete with CCV, sell in packs of 100 for $2,500 and 500 for $5,000 (prices subject to change without notice.)</p>
<p class="MsoNormal">It was fun to hear of the duo&#8217;s effort to break into the world of phishing, and that a &#8220;mentor&#8221; assisted them with code that would have sent a copy of anything they collected directly to their new cyber-friend.  Clearly, the prevailing rule is the law of the jungle where Big Phish eat Little Phish.  The community does attempt to police itself with blacklists that expose &#8220;unscrupulous phishers&#8221; – an amusing oxymoron.</p>
<p><strong>Get Rich or Die Trying</strong><br />
One of the more entertaining presentations this year was <em><strong>“Get Rich or Die Trying - Making Money on The Web, The Black Hat Way”</strong></em>, by Jeremiah Grossman and Arian Evans.  They stated at the outset that some of the techniques demonstrated could yield significant financial reward, and while some might even be “legal”, they could stretch the envelope of one’s ethics.</p>
<p>There was the case of the woman that discovered QVC would send her free merchandise if she simply ordered and then canceled.  The $412,000 she made exploiting the cancellation system flaw and reselling the &#8220;QVC packaged&#8221; items on eBay ultimately led to her discovery and conviction for wire fraud.  In another example, an Estonian financial firm discovered that it was possible to view embargoed press releases (releases scheduled to be made public on a specific date in the future).  The SEC investigation estimated they made over $8 million trading on this information.</p>
<p>These are just a few of the many Black Hat approaches to making money on the web that were discovered and tested by some creative (if not always bright) people, cataloged for us in this presentation, and presented as education and temptation - just in case that day job doesn’t work out.</p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/380839499" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/blackhat-state-of-insecurity/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/blackhat-state-of-insecurity/</feedburner:origLink></item>
		<item>
		<title>NEW! Superglue Security - Only $4.95</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/367511793/</link>
		<comments>http://blog.trigeo.com/2008/superglue-security/#comments</comments>
		<pubDate>Thu, 14 Aug 2008 08:14:59 +0000</pubDate>
		<dc:creator>Michael Maloof</dc:creator>
		
		<category><![CDATA[Featured]]></category>

		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Security Information & Event Management]]></category>

		<category><![CDATA[TriGeo]]></category>

		<category><![CDATA[Context]]></category>

		<category><![CDATA[Correlation]]></category>

		<category><![CDATA[SIEM]]></category>

		<category><![CDATA[USB]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=19</guid>
		<description><![CDATA[<p>Apparently, Countrywide's USB policy was to glue the ports to prevent their use, and <a title="At Countrywide, One Overlooked PC Led to Loss of 2M Records" href="http://www.darkreading.com/document.asp?doc_id=161548&#38;f_src=drweekly" target="_blank">they missed one</a>...but let's be honest - the glue, or lack thereof, was not the problem - not on one PC, not on a thousand.</p>]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal"><a href="http://blog.trigeo.com/wp-content/uploads/2008/08/usb-glue-bottle-security.jpg"><img class="alignnone size-medium wp-image-20" style="float: left; margin-right: 10px;" title="USB Superglue Security" src="http://blog.trigeo.com/wp-content/uploads/2008/08/usb-glue-bottle-security.jpg" alt="" width="100" height="200" /></a>Superglue Security breach results in the loss of nearly 2 million customer mortgage records from Countrywide, one of the nation&#8217;s leading mortgage providers.</p>
<p>Apparently, the firm&#8217;s USB policy was to glue the ports to prevent their use, and <a title="At Countrywide, One Overlooked PC Led to Loss of 2M Records" href="http://www.darkreading.com/document.asp?doc_id=161548&amp;f_src=drweekly" target="_blank">they missed one</a>.  An insider took advantage of this hole in their security, and every Sunday evening for approximately 2 years, this individual allegedly copied approximately 20,000 customer records to a USB mass storage device.</p>
<p>Let&#8217;s just examine this scenario for a moment. I appreciate that in a large organization it can be costly to deploy desktop-based solutions that monitor and prevent the use of USB storage devices. I also pity the poor guy that ran around with a glue gun, and question how they addressed USB keyboards and mice, but let&#8217;s be honest - the glue, or lack thereof, was not the problem - not on one PC, not on a thousand.</p>
<p>Countrywide has databases full of highly confidential, and extremely valuable information - valuable both to the company, and obviously on the black market. Naturally, that begs the question, was the glue their only access control method? Were they so confident in its ability to thwart all attacks, that database auditing, user identity and access monitoring or even basic application auditing were completely ignored - for two years?</p>
<p>It&#8217;s easy to rush to judgment, but from the publicly available information on this case, there was an obvious breakdown in event monitoring. I suspect that Countrywide, like most organizations, employs many layers of network defense, and these defenses are generating a literal ocean of log data. As is often the case, it&#8217;s simply impossible to do an effective job of analyzing this data without some form of automation. In some cases, the data is captured and stored for search and compliance purposes, but without correlation and analysis this data lacks a critical ingredient: context.</p>
<p><strong>What do I mean by context? </strong>Let&#8217;s examine what we know about this situation, and that will put the &#8220;context&#8221; of this situation into perspective.</p>
<p>Obviously, the employee in question possessed whatever physical access control was needed to get into the building. He also had perfectly valid credentials to access the network. Likewise, he was an authorized user of whatever application provided access to the customer data. When viewed as individual data points, there&#8217;s nothing unusual in this information, and assuming all of this activity was logged and archived for compliance, there&#8217;s really nothing suspicious about this activity &#8212; and no reason for it to have captured anyone&#8217;s attention &#8212; and it never did.</p>
<p>Now, let&#8217;s give this same information some critical &#8220;context&#8221;. The employee entered the building on Sunday evenings, logged onto a workstation, fired up some application, queried the database, retrieved 20,000 records, inserted a USB mass storage device and copied the data to that device - from a workstation that was not even his normal location.</p>
<p><strong>Let&#8217;s look at this as it could have been seen with event correlation:</strong></p>
<ul>
<li>Physical access outside business hours</li>
<li>Network access outside business hours, from an unusual location (the exposed PC)</li>
<li>Application access outside business hours, from an unusual location</li>
<li>Database access outside business hours, from an unusual location, resulting in over 20,000 records being retrieved</li>
<li>Insertion of a USB mass storage device (a policy violation, but they were blind to this activity)</li>
<li>Copying data to the USB device (again, the organization was blind to this activity)</li>
</ul>
<p class="MsoNormal">When viewed as a whole, a picture of clearly suspicious activity emerges &#8212; that&#8217;s context.</p>
<p class="MsoNormal"><strong>Is it reasonable to expect that they could have seen this picture? Absolutely!</strong></p>
<p>Assuming that Countrywide has fairly typical security systems and audit best practices in place, this activity would have generated a significant audit trail that could have been correlated, in real-time, to alert the security team to some highly suspicious if not clearly malicious activity.</p>
<p>The lesson here goes well beyond the Superglue Security hole. Identity, access, application and location data is readily available in most environments, but without correlation this data lacks the context needed to detect and prevent insider abuse. It&#8217;s the ability to provide real-time correlation that distinguishes security information and event management (SIEM) technology from log management, aggregation and search-based products. TriGeo SIM, for example, ships with over 650 correlation rules &#8212; that includes &#8220;out of the box&#8221; rules that could have easily identified the activity listed above, notified the security team, and even stopped this guy in his tracks.</p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/367511793" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/superglue-security/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/superglue-security/</feedburner:origLink></item>
		<item>
		<title>Are SIEM and Log Management the same thing?</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/367035931/</link>
		<comments>http://blog.trigeo.com/2008/siem-and-log-management/#comments</comments>
		<pubDate>Fri, 04 Jul 2008 05:06:33 +0000</pubDate>
		<dc:creator>Michael Maloof</dc:creator>
		
		<category><![CDATA[Compliance]]></category>

		<category><![CDATA[Featured]]></category>

		<category><![CDATA[Log Management]]></category>

		<category><![CDATA[Security Information &amp; Event Management]]></category>

		<category><![CDATA[TriGeo]]></category>

		<category><![CDATA[Correlation]]></category>

		<category><![CDATA[Network World]]></category>

		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=6</guid>
		<description><![CDATA[<p>This was the title of a recent NetworkWorld article that addressed a frequent question that companies ask when looking for solutions to network security, network management and regulatory compliance issues.</p>]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal" style="margin: 0in 0in 0pt;"><a href="http://blog.trigeo.com/wp-content/uploads/2008/08/balance-scale.jpg"><img class="alignleft size-medium wp-image-18" style="float: left; margin-right: 8px;" title="Balance SIEM and Log Management" src="http://blog.trigeo.com/wp-content/uploads/2008/08/balance-scale-300x214.jpg" alt="Balance SIEM and Log Management" width="168" height="120" /></a><span style="font-size: 10pt; font-family: Arial;">This was the title of a recent <a title="Are SIEM and log management the same thing?" href="http://www.networkworld.com/reviews/2008/063008-test-siem-log-integration.html" target="_blank">NetworkWorld</a> article that addressed a frequent question that companies ask when looking for solutions to network security, network management and regulatory compliance issues.</span></p>
<p>The one thing both Log Management and SIEM vendors agree on is that they&#8217;re not the same.  Both sides are often competing for the same IT budget dollars and have a vested interest in convincing you that their solution is the one you need.</p>
<p><span style="font-size: 10pt; font-family: Arial;">As the article points out, both technologies rely on first collecting the data, and there&#8217;s opportunity here to map collection methodologies to desired business objectives.  For example, since Log Management tools have a primarily forensic and reporting focus, most are content to collect data in a batch mode or polling process and emphasize agentless models for collecting OS data.  On the other hand, since modern SIEM products emphasize real-time analysis and correlation, they tend to focus on continuous collection methods often relying on agents to capture data at the source.</span></p>
<p><span style="font-size: 10pt; font-family: Arial;">Naturally, there are exceptions in both camps, so you’ll need to examine how a specific product maps to your requirements.  For example, while batch collection is common, it has questionable value when examining &#8220;chain of custody&#8221; issues for regulatory compliance.  The simple fact that log data can be left unattended for minutes, even hours or days, represents a significant opportunity for tampering or even simple deletion, and this is an area where compliance audits are starting to look under the covers.</span></p>
<p><span style="font-size: 10pt; font-family: Arial;">As the author Greg Shipley states: <strong><em><span style="font-family: Arial;">&#8220;SIEM products typically provide many of the features required for log management but add event-reduction, alerting and real-time analysis capabilities. They provide the layer of technology that allows one to say with confidence that not only are logs being gathered but they are also being reviewed.&#8221;</span></em></strong></span></p>
<p>Greg&#8217;s comment about demonstrating that the logs are actually being reviewed is an important one, and here too, auditors we&#8217;ve spoken with are expressing concern that companies focused on log aggregation and management are missing the point.  While you can print reports and search the data using virtually any product focused on log data collection, how do you demonstrate to the auditors that you are actually reviewing the reports and know what to search for in the raw data?  This is the question and the challenge that brings many to the conclusion that SIEM is the better fit for their organization.</p>
<p>Greg sums it up this way: <strong><em><span style="font-family: Arial;">&#8220;In watching the market mature over the past 10 years we believe there is room for both traditional log management tools and the real-time analysis capabilities provided by SIEM tools, but we suspect that organizations would prefer to go to a single vendor for both. Clearly organizations have to solve the first problem (log management) in order to address the second (analysis and monitoring), but the wise purchaser will know that after the first problem is addressed the second will become immediately apparent. Plan accordingly&#8221;</span></em></strong></p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/367035931" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/siem-and-log-management/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/siem-and-log-management/</feedburner:origLink></item>
		<item>
		<title>PCI in a Box, PCI Simplified, PCI Made Easy</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/367035933/</link>
		<comments>http://blog.trigeo.com/2008/pci-made-easy-pci-in-a-box/#comments</comments>
		<pubDate>Sat, 28 Jun 2008 01:50:38 +0000</pubDate>
		<dc:creator>Michael Maloof</dc:creator>
		
		<category><![CDATA[Business Trends]]></category>

		<category><![CDATA[Compliance]]></category>

		<category><![CDATA[PCI DSS]]></category>

		<category><![CDATA[TriGeo]]></category>

		<category><![CDATA[Log Management]]></category>

		<category><![CDATA[PCI]]></category>

		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=5</guid>
		<description><![CDATA[<p>These are the kinds of headlines, taglines, and marketing pitches from Log Management and SIEM vendors that fill my inbox daily, and I'm sure yours as well.</p>]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal" style="margin: 0in 0in 0pt;"><a href="http://blog.trigeo.com/wp-content/uploads/2008/08/jack-in-the-box.jpg"><img class="alignleft size-medium wp-image-17" style="float: left; margin-right: 8px;" title="PCI-in-a-box?" src="http://blog.trigeo.com/wp-content/uploads/2008/08/jack-in-the-box-200x300.jpg" alt="PCI-n-a-box?" width="133" height="200" /></a><span style="font-size: 10pt; font-family: Arial;">These are the kinds of headlines, taglines, and marketing pitches from Log Management and SIEM vendors that fill my inbox daily, and I&#8217;m sure yours as well.  I suspect most IT professionals react the same way I do by laughing at them, ignoring them or at least being incredibly skeptical of them.  But that isn’t necessarily always the case.  I suspect that some well intentioned, stressed IT managers might read these headlines and see the mirage of salvation.  If it seems too good to be true, it probably is, and this is no exception.</span></p>
<p>We can learn a lot from recent examples of data loss from &#8220;PCI-compliant&#8221; organizations. Check-box compliance is not the goal and it&#8217;s certainly not the end of data security.  To echo what so many others have said before, security is a process, not a product.</p>
<p>As a product vendor, is it heresy for me to take this stance?  Not at all.  We never have and never will position our technology as a silver bullet to all your compliance needs or something that&#8217;s ‘set it and forget it.’</p>
<p><strong><span style="font-size: 10pt; font-family: Arial;">Can we play a significant role?  <a title="TriGeo Provides Real-Time Correlation to Aid PCI Compliance" href="http://www.darkreading.com/document.asp?doc_id=160334" target="_blank">Absolutely!</a></span></strong></p>
<p>We offer an &#8220;audit proven&#8221; technology which has helped businesses pass thousands of audits.  In fact, our customers credit TriGeo with helping them achieve the highest audit scores in their markets.  But compliance is not the goal – it’s the result of good security practices.  By going beyond simple log aggregation, reporting and forensics, companies are taking the next step in protecting their data, which is the fundamental objective for all of these compliance initiatives.</p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/367035933" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/pci-made-easy-pci-in-a-box/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/pci-made-easy-pci-in-a-box/</feedburner:origLink></item>
		<item>
		<title>The Midmarket Gold Rush</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/367035935/</link>
		<comments>http://blog.trigeo.com/2008/midmarket-gold-rush/#comments</comments>
		<pubDate>Tue, 03 Jun 2008 18:43:50 +0000</pubDate>
		<dc:creator>Michelle Dickman</dc:creator>
		
		<category><![CDATA[Business Trends]]></category>

		<category><![CDATA[Featured]]></category>

		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[TriGeo]]></category>

		<category><![CDATA[Enterprise]]></category>

		<category><![CDATA[Midmarket]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=4</guid>
		<description><![CDATA[<p>Years ago some folks in the industry questioned TriGeo's exclusive focus on the midmarket. Many felt we'd never survive, but today we look like visionaries…</p>]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal" style="margin: 0in 0in 0pt;"><a href="http://blog.trigeo.com/wp-content/uploads/2008/07/goldrush1.jpg"><img class="alignleft" style="float: left; margin-right: 8px;" title="Midmarket Gold Rush" src="http://blog.trigeo.com/wp-content/uploads/2008/07/goldrush1-300x197.jpg" alt="Midmarket Gold Rush" width="200" height="131" /></a></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;">It&#8217;s no surprise that many enterprise-focused companies are making mid-market product announcements. What we hear is that the air is getting a little thin in the Fortune 500 and Global 2000 markets as major public companies battle in the streets for every dollar. </span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;">The vast midmarket potential must seem like rivers overflowing with gold, or perhaps just a last hope for those organizations unable to gain traction and reach profitability targeting the enterprise.  (I had an analyst say to me recently that just because a technology wasn&#8217;t successful selling to the enterprise, that doesn&#8217;t make it a mid-market product.)</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;">The harsh reality is that while the marketing plan looks good on paper, many of these companies simply fail to understand the needs of smaller sized businesses. At a recent security conference, I spoke with a somewhat-competitive, enterprise-focused vendor. He made an interesting observation that years ago some folks in the industry, I suspect including him, questioned our exclusive focus on the midmarket. He mentioned that many felt we&#8217;d never survive, but that today we look like visionaries… </span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;">OK maybe those weren&#8217;t his &#8220;exact&#8221; words but the sentiment was clear: our focus on the midmarket was successful and something that others want to emulate. The following week his company announced a mid-market product line….</span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;"><strong>Is this good news for midmarket organizations?</strong><span><strong> </strong></span><strong>Absolutely.</strong></span></p>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: Arial;">These announcements bring attention to this critical market segment. The midmarket boosts the economy by generating jobs and delivering services that we need. Conservative estimates place the U.S. market alone at over one million businesses, and these organizations face the same challenges as their larger counterparts but with far fewer resources – making every purchase decision absolutely critical.</span></p>
<p><span style="font-size: 10pt; font-family: Arial;">I’ve been selling and developing technology for midmarket organizations for almost 20 years and I can tell you that we recognize the sophistication of the midmarket today more than ever. As one company described it, &#8220;<em>We&#8217;re sick of these large companies trying to jam their enterprise products down our throats.</em>” Another midmarket company added that &#8220;<em>Enterprise companies date their vendors. We marry them</em>.&#8221; </span></p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/367035935" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/midmarket-gold-rush/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/midmarket-gold-rush/</feedburner:origLink></item>
		<item>
		<title>Spring Tradeshow Roundup - RSA, InfoSec UK, Interop Las Vegas</title>
		<link>http://feeds.feedburner.com/~r/trigeosphere/~3/367035937/</link>
		<comments>http://blog.trigeo.com/2008/spring-tradeshow-roundup/#comments</comments>
		<pubDate>Mon, 02 Jun 2008 05:26:23 +0000</pubDate>
		<dc:creator>Michelle Dickman</dc:creator>
		
		<category><![CDATA[Industry Events]]></category>

		<category><![CDATA[Network Security]]></category>

		<category><![CDATA[Security Information &amp; Event Management]]></category>

		<category><![CDATA[TriGeo]]></category>

		<category><![CDATA[Awards]]></category>

		<category><![CDATA[InfoSec UK]]></category>

		<category><![CDATA[Interop]]></category>

		<category><![CDATA[RSA]]></category>

		<category><![CDATA[SC Magazine]]></category>

		<guid isPermaLink="false">http://blog.trigeo.com/?p=3</guid>
		<description><![CDATA[<p>The RSA highlight was winning our second SC Magazine Reader Trust Award for Best Event Management Technology, beating several well-known enterprise products.</p>]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal" style="margin: 0in 0in 0pt;"><span style="font-size: 10pt; font-family: Arial;"><a href="http://blog.trigeo.com/wp-content/uploads/2008/07/trophy.jpg"><img class="alignleft size-thumbnail wp-image-12" style="float: left; margin-right: 8px;" title="TriGeo Wins!" src="http://blog.trigeo.com/wp-content/uploads/2008/07/trophy-150x150.jpg" alt="TriGeo Wins!" width="130" height="130" /></a>The spring was a heavy season for network security and IT management tradeshows, and TriGeo was busy in the U.S. and U.K.  The RSA highlight was winning our second <a title="Best Event Management Solution" href="http://www.scmagazineus.com/Awards-Video-2008/section/377/" target="_blank">SC Magazine Reader Trust Award</a> for Best Event Management Technology, beating several well-known enterprise products.</span></p>
<p>Naturally, we&#8217;re extremely proud of this award, and winning it for two consecutive years is simply outstanding, and a testament to our customers who continue to drive our innovation.  Our thanks go out to all of you that voted for TriGeo - your response and respect for what we&#8217;re doing is certainly appreciated.</p>
<p><span style="font-size: 10pt; font-family: Arial;">For those of you that haven&#8217;t had the chance to visit us at one of these or other events, you would find that TriGeo actually shows our product and staffs the booth with senior technical staff so we can address both business and technical questions.  Our theater-style presentations are never death-by-PowerPoint, and we deliver live product presentations that both inform and entertain without sliding into the side-show circus realm.  We take these events seriously, and we know you do too.</span></p>
<p><span style="font-size: 10pt; font-family: Arial;">We also use these venues as an opportunity to survey the companies attending the show and visiting the booth.  The results are often enlightening - especially as they pertain to the specific interests, challenges and objectives of midmarket companies.  Look for details on the survey results in upcoming posts.</span></p>
<img src="http://feeds.feedburner.com/~r/trigeosphere/~4/367035937" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.trigeo.com/2008/spring-tradeshow-roundup/feed/</wfw:commentRss>
		<feedburner:origLink>http://blog.trigeo.com/2008/spring-tradeshow-roundup/</feedburner:origLink></item>
	</channel>
</rss>
