Secure. 

Back in my days as a CISO or even previous to that in various practitioner roles, there were two frequently asked questions by executives and management.

1. Are we secure?
2. How do we compare to $x?

Let’s start with the first question. Security is not binary. That is, it’s not a state of on or off. Security in it’s entirety should be viewed more like 256 shades of grey. It’s not a question of whether or not you are secure but rather how secure or insecure you may be. There are a lot of controls and decisions that go into that state, each of them pushing your state to more secure or less. Each of those controls and decisions have a lot of trade-offs.

What I’m really getting at, is that it’s a bogus question. But you can’t really respond that way so you take it with a grain of context and politely answer.

Now on to the second question, one that I find more interesting and more meaningful. A common concern amongst management is how they line up with the competition. If your security falls behind that of your competition they worry they will be burned by this and look bad. On the other hand, if they are way ahead of the competition, why? Sure it gives some level of comfort but are they spending too much on security? Could those dollars be better spent elsewhere? Ahh trade-offs again.

There may be many reasons why you need or should be ahead of your competition in securing applications and infrastructure. Perhaps you’re working in an infosec lagging vertical where “keeping up with the competition” means you’re a target of opportunity on the Internet. Being a target of opportunity can come down to how you stand up against a particular vulnerability versus those of your neighbors on the Internet or Google’s search index. Regardless of reason, you’re going to need data to back you up.

Measuring what’s important to your organization, industry and management is the best way to answer these questions. Include not only metrics around these but also benchmarks to compare how you are doing versus your vertical, the broader industry and internally. Pick and choose your metrics carefully and make sure they pass the “so what” test. You can benchmark in an automated manner in some cases as well as loosely through industry organizations such as the ISACs and other areas where your industry gathers.

You can now pick and choose which vulnerability attributes are displayed and which are hidden.

Just a quick post to give you an update on one of our newest features. A few months back we wrote about custom fields in Risk I/O and how to add your own data and metadata to your vulnerabilities and assets. Today I’m writing about taking this customization to the next step.

We recognize different people within your company are going to need to see different views of your data, so why not give them what they need? With our latest release of Risk I/O vulnerability management not only can you create custom attributes and meta data, but also create completely custom views of this data within the interface and reports. By simply checking a box, you can choose what data is displayed and what data is hidden within your vulnerabilities.

Combine these custom data views with your custom attributes, asset tags, and our faceted search and you have a very personalized and dynamic view into your security data.

For our current customers, check out this new capability within the vulnerabilities tab. Don’t have an account? Sign up for a free version!

“We realized that just as the fraudsters collaborate with each other, we as an industry must collaborate,” said Keith Gordon, a Bank of America senior vice president of security.

Reading the entire article tells you the industry still has a long way to go and there are a number of hold outs still believing secrecy and security religion are the best way to keep information safe. Despite these beliefs, I am genuinely encouraged by the approach being taken here by some of the largest financial institutions in the world. I hope this continues and expands. Information sharing doesn’t need to be an advantage for the fraudsters.

At HoneyApps, we are building out a set of tools and services that serve as a clearinghouse for some of this information, enabling our customers to get insight in an anonymous fashion. As I hope it’s obvious to readers of this blog by now, we are big believers in taking a quantitative, evidence-based approach to security. By sharing information we are all seeing, whether it’s threat activity, successful versus unsuccessful controls, or comparative metrics we can all not only understand what’s important but also raise the tide that lifts all boats.

If anyone has other stories about information sharing across companies that has lead to improvements in the industry, I’d leave to hear about them in the comments.

Although these issues become more commonplace as you grow, there are a number of known ways to help decrease the amount of false positives that are produced by automated tools. From a network and host standpoint, the easiest way to reduce false positives is to perform authenticated scans. This will dramatically reduce the false positive findings leaving you with a result set likely requiring some form of remediation. You can further break these results down using additional automated tools such as Metasploit to confirm exploitablilty. Having multiple tools evaluating the same infrastructure can increase your coverage as well.

Web application assessments bring an altogether greater challenge when automating. That said, there are additional ways you can limit the number of false positives you have to deal with. One of the best methods, or at least the most thorough, is through manual validation; however, if you’re performing manual validation internally you’re going to hit a scaling problem real quick. And if you are outsourcing your manual validation, that could get quite costly depending on frequency and number of applications. Like network vulnerability assessments, a diverse set of tools is your friend. If you happen to be running both dynamic application security testing (DAST) and static application security testing (SAST), in some cases you can correlate these results and actually use them against each other. One of the common complaints we hear about static analysis tools is the amount of false positives they can produce and the large amount of tuning that is required. If you correlate your result sets from these tools, you can verify some of your SAST results via the DAST output (by the way we hear the opposite complaints about DAST with false negatives, but that’s a post for another day).

If you are intending to use virtual patches via web application firewalls and intrusion prevention systems, you’re going to want to stay on top of your false positive rates in order to prevent implementing unnecessary rules. We have built out several features within Risk I/O to support all of the methods above to make weeding these out easier. Another benefit of having a central repository for your vulnerabilities and security defects is the ability to flag once regardless of source. For our enterprise customers, we can flag these through custom fields. I went ahead and created a short video how-to in order to get you started and embedded it below.

I’d love to hear how others are dealing with these issues. I’ll likely be writing another post on false negatives in the near future. Happy viewing!

I have been making my rounds at various security events around the country attempting to evangelize a new school approach to information security. This is an approach where we rely more on data and evidence and less on the fear, uncertainty and doubt of the past. This talk continues to evolve and stay tuned for incorporation of hard data (yes – I’m practicing what I preach) in the next iteration.

There was a also a preview of BayThreat done on a recent RiskHose podcast. I spoke to Alex Hutton and I will likely participate in one of these next month. Perhaps we can do a quick summary of that event while I’m there.

The presentation is embedded below for your viewing pleasure.

Earlier this year, Rapid7 and Risk I/O collaborated to create a simple out-of-the-box connector that pulls vulnerability scan data directly from Rapid7′s Nexpose, and uses Risk I/O to aggregate, correlate and prioritize vulnerabilities for the most effective remediation of possible security threats. Through this collaboration, Nexpose users can integrate the vulnerability assessment tool directly into Risk I/O, enabling users to easily detect and manage vulnerabilities.

The HoneyApps team is delighted to be part of the Technology Alliances program and Ed Bellis, CEO and co-founder of HoneyApps, Inc. recently summed up our feelings, “ We’re very excited about our partnership with Rapid7. By combining the thorough assessment capabilities of Nexpose with the in-depth data analysis and reporting of Risk I/O, our mutual customers can identify and prioritize their riskiest vulnerabilities and automate their workflow.”

Rapid7 has developed Technology Alliances with security industry leaders to assure that their customers can leverage Rapid7 unified vulnerability management as part of their overall enterprise security strategy.

You can read more about this industry collaboration in the recent Rapid7 blog post.

As much as the headlines of a new bill in Washington grabbed my interest with a twinkle of hope, it turns out in some ways this may be a step away from a new wave of information sharing. It appears to promote information sharing regarding security breaches between the private sector and the government by blanketing companies with protections such as not publicly disclosing the information. While I’m all for information sharing, this seems to be more back-room sharing to the benefit of some but to the detriment of most.

One of the primary ways we can learn about information security breaches and their cause is through publicly available resources like DataLossDB. If the majority of us within the security community cannot access information and learn from it, in the end this will only cause more breaches not less. We as a community are starting to see the very early benefits of a New School way of thinking through reports like the Verizon DBIR and many others like it. By understanding what is causing real world security incidents, we can prioritize our work and put the right controls in place to protect against them. We need to get away from what has been traditionally a practice in alchemy and black art and realize we can all learn from each other. The bad guys seem to be better at this than we are.

A Screen Shot of Our Upcoming Vulnerability Explorer

Here at HoneyApps we drink the New School of Information Security kool-aid on a daily basis. By taking a quantitative approach to our security and operations we have not only been able to more effectively prioritize our work, but have learned where our product needs to evolve to support and enable these methods. With our upcoming open vulnerability explorer, we hope to combine many of the public vulnerability data sources into a single searchable and filtered view where we can also facilitate open discussions on remediation and controls that matter in protecting against these. We’ll continue to evolve our metrics and benchmarking to provide a view into how you as well as your peers are doing in very quantifiable terms. In the near future we will begin to combine this with the threat and breach activity that is available whether it’s public or via subscriptions we obtain.

There are a lot of very skilled people in functions outside of information security that continue to learn from each other and the data that is out there. Here’s to hoping the security community moves in that direction.

While the topic itself is extremely broad and impossible to cover in an hour, there were a few important take-aways I felt worth calling out here. A lot of the presentations and content I see around threat management – specifically “next generation” – all too often involve the dreaded A.P.T., or specific threats to technologies such as mobile or cloud. The problem I have with this focus in the industry isn’t that those threats aren’t real or don’t exist, we’re simply not even close to being able to deal with those.

Take a look at the breaches laid out in the Verizon DBIR year after year after year. The vast majority of the incidents we call in the forensics and incident response teams to deal with have to do with us getting the basics wrong. A couple of years ago, David Mortman and Alex Hutton gave a great but overlooked presentation at Black Hat. It was in the final time slot of the conference and unfortunately went head to head with Bruce Schneier that year, which means that most missed it. What they did was create a simple model to run vulnerabilities through to essentially determine if it was something the average security team needed to worry about. They began by using actual vulnerabilities that were disclosed that week at the conference. I often recite a quote from that presentation which is “The sexiest vulnerability isn’t the one you should be worried about”. Or as Bruce Schneier himself often says, “The very definition of news is something that hardly ever happens.”. We need to spend a lot more time focusing on the real and most common causes of security breeches and incidents.

Recently, Josh Corman came up with the term H.D. Moore’s Law at metricon and wrote up a great follow up post on it. His assertion goes like this:

“Casual Attacker power grows at the rate of Metasploit”

Or to put it more simply, if we cannot protect our environment from the latest metasploit module used by what we deem a script kiddie, how and why are we talking about how to protect ourselves from advanced persistent threats or the latest threat du jour?

Alex Hutton came up with a similar concept which he referred to as the Security Mendoza line. We as an industry need to strive to hit above the Mendoza line and focus on the data that provides evidence to the most likely of threats. The first step in this is using the data we have to help prioritize our focus. For the majority, “next generation threat management” is same as it ever was.

Under this Forever Free, users with simpler needs can continue using Risk I/O at no cost. This is not a watered-down, 30-day “free trial” plan. This is a forever free plan, where users get full access to the tools necessary to centralize their organization’s vulnerability data across applications, networks, servers and databases and track each vulnerability through its lifecycle. If you’re interested in taking that first step towards a more secure organization, this plan is for you.

Our new plans offer the following features:

• The “Forever Free” edition offers a throttled API and supports up to two connectors, five users, reporting, metrics and benchmarking in addition to an online support portal.
• The Basic edition offers an open API and supports up to four connectors, 10 users, reporting, metrics and benchmarking in addition to 8×5 email support.
• The Pro edition offers an open API and supports up to six connectors, 25 users, reporting, metrics and benchmarking in addition to 8×5 email support as well as phone-based support.
• The Enterprise edition offers an open API and supports unlimited connectors and users, the ability to create custom reports, metrics, benchmarking, bug tracker integration, custom fields, 24/7 8×5 email support and phone-based support with additional features promised to be added soon.

Pricing for the premium plans start at $999, mo. All customers (“forever free” withstanding) will receive a 30-day free trial of their chosen plan.

Interested in how one of these new plans can help you manage and monitor your information assets? Get started now!

If you’re currently using this vulnerability assessment tool as part of your application security program, you can now connect your instance into Risk I/O, along with other assessment tools, to manage your entire set of security vulnerabilities and defects while giving you a holistic view from layer seven all the way down. Combine this with our integrations into your remediation systems, custom fields, reporting and metrics to manage and automate your tracking like a boss.

Setting up your WebInspect connector, like our other connectors is a simple process in Risk I/O and requires completing only a single field form. Not a customer but would like to try it out? Try out our free version.

We will be adding additional connectors to our list in the near future, and we welcome your feedback on connectors that you’d be interested in integrating with Risk I/O.