1 Raindrop

Gunnar Peterson's loosely coupled thoughts on distributed systems, security, and software that runs on them.


Firewalls and SSL: More Profitable than Facebook

In this list of Ten Tech Companies that are more Profitable than Facebook, there are two infosec representatives. Facebook has 40% Operating Margins, very respectable even by tech company standards. However, not to be outdone, infosec's 1995 innovation outperforms even the latest buzzworthy names like Facebook. Checkpoint sports 56% Operating Margins, and the other tech company that's more profitable than Facebook and happens to be an infosec company? You guessed it: Verisign at 42% Operating Margins.


I'm all for companies making profits for doing good work, but it would be nice to measure innovation in years, not decades. Companies continue to spend on security, but what we can see from margins like these is that the security market itself is not demanding that security companies innovate, so they churn out the same stuff every year with a scintilla of improvement: now your Firewall box comes in the color red for 2012!

Sadly, the biggest problem in security isn't attackers or complexity. It's the lack of market forces in infosec: the buyers (infosec teams) don't demand innovation, so the vendors don't provide it. What you get is a very small toolset for a very high price. Think of what you would have got for a database from Oracle in 1995 (infantile capabilities compared to today) and at what cost; what you would have bought for a database even 7 years ago is freeware at this point, because database buyers are discerning and demanding. But 15+ year old innovation is still getting top dollar in infosec.

January 31, 2012 in Security

Subjective Probabilities: You Still Need to Think

I have followed Markel and Tom Gayner (Markel's CIO) for several years. Markel is often classified as a Baby Berkshire in that they are an insurance company who invests their float (the premiums before they are paid out) in a conservative, long term stock portfolio. Markel writes some pretty interesting policies (they got started many years ago insuring jitneys), including Data Breach insurance (you will see why). Tom Gayner spoke at Motley Fool on some of Markel's background and approach, which has some overlaps with infosec risk and security metrics and ideas on how to make forward progress. Here are my notes:


Cocktail party definition of Markel: if someone asks about Markel, it's an insurance company that they've never heard of. Well, an easy way to think about that is if you have an insurance policy that you can get easily and quickly, well, we wouldn't do that. We do the sorts of insurance where people go 'Oh no. We've got a problem or we've got a situation.' This isn't to disparage the other insurance companies, we all have a role in life. What GEICO says yes to is not going to be the same thing that Markel says yes to. What Markel says yes to isn't going to be the same thing that GEICO says yes to. It's a different organization and orientation.


We do 100 different forms of insurance - everything from children's summer camps that are out in the middle of nowhere, that have teenagers supervising teenagers and no fire departments nearby, kids jumping on trampolines and being out in canoes, all the sorts of exposures that go with that (Note: just like infosec!).

We would do oil rigs that are out in the Gulf of Mexico (one of the ways we lost some money this year), those sorts of things need insurance and Markel is a company that for decades has been in that business, and it's a good business, but there are days when you wake up and read the headlines and go 'Oh no', but that is why people buy insurance.

We do things like bass boats with too big a motor on it, this has always been intriguing to me. Bass boats tend to be flat bottomed, and they come with a 10-15 hp motor or something like that, but if you are really into bass fishing you have to get to the spot in the corner of the lake faster than the other guy. So people put 250 hp engines on their bass boats. I can tell you that every accident or loss report reads the same way, and that is: 'Craft traveling at a high rate of speed, when it hit a submerged object. Occupants hurled from the craft.' When you are trying to buy insurance on your bass boat and you are a State Farm or GEICO customer, they're going to ask you about how many horsepower you have on your boat and when you answer 250 they're gonna say 'thanks but you need to find somebody else to do that.'

Well, we're the Statue of Liberty, bring us your tired, your poor, yearning to be free. Short line railroads, little spur lines with only one customer. We do bars and taverns that are sometimes on the wrong side of town. On and on and on.

So with that backdrop it's not too surprising that Markel is involved with data breach insurance. What's also interesting is the commentary on how they approach risk management in these sorts of unique situations, responding to a question: 'If Liberty Mutual is writing a life insurance policy they can go to the bureau of statistics and get all the life expectancy data that they need; you, on the other hand, are confronted with this remote entity, let's call it Camp Haltertop. Where do you go to get information to find out how much you are going to charge for your policy?' Tom Gayner replied:

Excellent question and really illustrates some points with the games you're playing with the statistics. Life insurance - those statistics are disturbingly known. As we were eating hamburgers at Five Guys before we came to the meeting today I was probably dooming myself to the left hand side of the curve. Those numbers are well known, we really wouldn't sell life insurance, with the only exception that we do sell life insurance for horses. One of our specialized niches of policy.

For the sort of thing we do, there are two ways to deal with it. One, if you're talking about summer camps, which was your example. Well, we have been in the summer camp business since the 1930s. So whatever statistics there are, it's not the law of super huge numbers that you have when you are talking about life insurance and mortality statistics or autos and miles driven; we can have the advantage because we have been in that marketplace for so long - we have the law of kind of big numbers on our side.
The second thing is, and this salutes the culture of the Motley Fool, there's no formula, there's no spreadsheet, there's no mechanical thing you can do that is going to give you 100% of the answer. You need to do those things, but don't pretend and delude yourself that you've done all you need to do once you've done the mechanical, calculable things. You still need to think. What we have are a cadre of incredibly thoughtful, professional underwriters who've been at this sort of thing for a long time, and there is an element of judgement that those people need to apply when they are in a situation where they need to ask themselves: 'What bad can happen to me? What are my policy limits here? What sort of odds are there that that will occur?' Just a simple example: if you have a $100 policy and you calculate there's a one in three chance that it will occur, then your actuarial burn rate is $33, so you know you need to charge something more than $33 to offer that policy. Now those are subjective probabilities, they're not precise and not completely explained by statistics. There's some statistics, there's some numbers that are helpful, but there's also seasoned judgement which adds to that.
And the other thing you need to know is - it's an iterative process. That's the decision you make today; tomorrow you get the good fortune of being faced with another decision, so if you are wrong or new information is starting to come in, you iterate to a higher or lower number as your judgement is confirmed or blown up. You iterate through in the policy line and across policy lines.

I see a tremendous amount of overlap between Markel's process and the role of infosec. Of the points Gayner mentions, the first action item is: logs are really important. They won't give you everything, but gather whatever you can. Who is going to have better data on your system than you?

I am very tired of quant debates where proponents set up strawmen on subjective approaches versus supposedly uber-logical objective ones and talk about how the supposed quant approach beats the subjective approach. It's not a matter of whether you have subjectivity or not; it's there in your biases when you made the model. It's whether you recognize it or not, where you choose to place it, and how you iteratively improve your decisions with feedback loops from the real world.

To me the formula for infosec is: objective measures through logging and monitoring, subjective decisions on where to place them and at what depth, and a mix of subjective and objective review of the logs and data feedback from the system's performance over time.

In terms of overall architecture, structure is important. You can, and likely will, be wrong on some of the security architecture decisions. This should be factored in up front through gathering data and by giving yourself a place to fight back from. Wiring security policy enforcement points into the system structure is a key initial decision; even when the policy decisions and answers are not known up front, locating where they will occur can be tremendously helpful down the road once real world feedback comes in. A good example here is the Security Gateway, which can begin its role in your system by simply proxying communications and reducing attack surface, but then additional services like access control and input validation can be layered on. The key here is that the system structure remains the same, and only behavior is changed to reflect updated security architecture goals.

January 30, 2012 in Risk Management, Security, Security Metrics

Fatal Separation of Risk Theory and Practice

One of the highlights for me in 2011 was when I got invited to speak at a leading university on the financial crisis. This university is home to some of the most well known and influential economists.

The topic I planned to speak on is the fatal separation between academic theory and real world practice in markets. The notion of risk is certainly at the heart of this; Pat Dorsey recently wrote an insightful piece on this point:

Stipp: You wrote recently a little bit about risk, and you mentioned that a lot of different people have a lot of different perceptions of risk. Can you walk through what different things risk means to different types of investors?

Dorsey: This is a little bit like discussing the existence of God with a theologian. An academic says risk is volatility--the more an asset bounces around in price, the riskier it is.

A mutual fund manager might say it's career risk. If he lags his benchmark for too long, he gets fired.

An individual might frame it as pain. Of course, we feel losses much more than we value gains. So just seeing your portfolio go down is a lot of risk.

And of course Warren Buffett would just define it as permanent capital impairment--the odds that an asset's value will go down and never recover.

Those are pretty different notions.


In my view, these varying definitions of risk are at the heart of what we saw in 2008. In particular, academic models of risk as volatility were hard-wired into trading algorithms, and then further juiced by leverage (up to 30x-40x leverage!). The risk-as-volatility assumption by itself would have just led to dumb trades and losses. But with the extra weight and status of the false precision that academic models can provide, this gave large institutions the courage to lever up 40 to 1, and this turned bad trades into catastrophes and meltdowns: overconfidence in what one could count, and ignoring what one couldn't model.

Howard Marks, in The Most Important Thing:

"According to the academicians who developed capital market theory, risk equals volatility, because volatility indicates the unreliability of an investment. I take great issue with this definition of risk.

It’s my view that — knowingly or unknowingly — academicians settled on volatility as the proxy for risk as a matter of convenience. They needed a number for their calculations that was objective and could be ascertained historically and extrapolated into the future. Volatility fits the bill, and most of the other types of risk do not. The problem with all of this, however, is that I just don’t think volatility is the risk most investors care about.

There are many kinds of risk. . . . But volatility may be the least relevant of them all. Theory says investors demand more return from investments that are more volatile. But for the market to set the prices for investments such that more volatile investments will appear likely to produce higher returns, there have to be people demanding that relationship, and I haven’t met them yet. I’ve never heard anyone at Oaktree — or anywhere else, for that matter — say, “I won’t buy it, because its price might show big fluctuations,” or “I won’t buy it, because it might have a down quarter.” Thus, it’s hard for me to believe volatility is the risk investors factor in when setting prices and prospective returns.

Rather than volatility, I think people decline to make investments primarily because they’re worried about a loss of capital or an unacceptably low return. To me, “I need more upside potential because I’m afraid I could lose money” makes an awful lot more sense than “I need more upside potential because I’m afraid the price may fluctuate.” No, I’m sure “risk” is — first and foremost — the likelihood of losing money."

In obsessing over volatility and price movements, the Efficient Market Theory models missed human behavior in markets (driven by fear and greed), the safety of an asset, the liquidity of an asset in the face of certain events, and an overall conservative approach to investing: try to buy dollars for 50 cents, and don't lever up 40 to 1 to buy many $100 bills for 99.95 each. This, of course, goes to the heart of risk management, namely building a wide margin of safety as a hedge against your own ignorance, instead of overconfidence in flawed models.

Hedging against your ignorance up front (usually by paying a cheap price) means that you have more time and resources to spend on constructing a margin of safety to protect assets and ensure they are there when you need them. Ill-placed confidence in risk models like Value at Risk (VaR), instead of conservative process, led people to ignore these two virtues. When events began to unwind, the dominoes fell quickly because there were no buffers and no foundation, just algorithms gone wild.

I never gave the talk. So what was the highlight, you ask? A week after the invitation came, and I was ready to talk on the fatal separation of risk theory and practice, I was disinvited for not having a PhD! I often wonder what was discussed in those sessions.

January 26, 2012 in Risk Management

Understanding Cloud Security Standards Part 3

Part three of my three part series on Cloud Security Standards is available on the Intel blog (Part 1, Part 2, Part 3).

Part 1 examines four Identity and Access Anti-Patterns that occur regularly when enterprises move to the Cloud:

  • Low/no access control - we'll see if it works and add security later
  • Replicating user accounts - copying enterprise directory in full or extract to Cloud Provider
  • Copying credentials - copying or hardcoding credentials to Cloud based services
  • “Trusted” proxy - Gateway is a pass through lacking support for security standards and services

Part 2 looks at how SAML, OAuth and other standards help enterprises retain control of user management while leveraging Cloud services. Part 3 looks at how XACML can be used to close out some of the gnarlier Anti-Patterns through improved integration and granular, dynamic authorization.

January 25, 2012 in Cloud, Security

Google Renews Push Into China

Two years after saying they were going to be pulling out of China, Google renews its push into China.

Google's share of China's Web-search market fell to 17.2% in the third quarter of 2011 from 36% in the fourth quarter of 2009, largely to the benefit of rival Baidu Inc., according to Analysys International, a Beijing-based research firm.

Even during the APT hysteria of 2010 it wasn't particularly difficult to see that it would go this way. The IMF predicts China will surpass the US as the world's largest economy in 2016 (measured by Purchasing Power Parity). There are benefits to being the largest demand center, as The Economist says "Being the biggest economy in the world does offer advantages. It helps to ensure military superiority and gives a country more say in fixing international rules. "

January 12, 2012

Costco's Value Chain

Morningstar awarded Costco CEO Jim Sinegal its CEO of the Year award. Like infosec, retail is a tough business, and Sinegal and Costco succeeded by following a core set of values and by doing things differently.

Several years ago a Costco clothing buyer was able to purchase a large quantity of high-end brand-name jeans at an extremely low price, and the pants showed up in the warehouses for $29.99. The same jeans were selling for $50 at department stores.

It turns out that the buyer was able to negotiate an even better deal on the next order, about $7 less per pair. The idea of keeping the price at $29.99 was briefly floated, potentially bringing in a handsome payoff, considering Costco could sell millions of pairs of jeans. But the notion was quickly and forcefully rejected, and the price dropped to $22.99 a pair, or just a few dollars over cost.

Crazy, right? Yes if you follow traditional retail rationale. But going against convention has been Costco's modus operandi from the start. The person to best explain the approach is Jim Sinegal, Costco co-founder and longtime CEO:

"In traditional retail the thinking is, 'Gee, I'm selling this thing for ten bucks, I wonder if I can get eleven for it? The customer's never going to know the difference.' We look at it and we say, 'Selling this thing for ten bucks, how do I get it to nine? And then if I get it to nine, how do I get it to eight?'"

This little story illustrates the Costco mindset, which by itself would be an impressive achievement, but Costco values integrity for more than just low prices. At the top, Sinegal answers his own phone and takes an annual salary of $400k/year. At the employee level, Costco is unique among big retailers in that they pay health benefits and a 50% higher wage, have employee retention rates near 90% (unheard of in the space), and did not lay employees off during the financial crisis. This leads to a great customer experience, and for shareholders the highest valuation of major retailers. You often hear the term "value chain" in business, but Costco actually built one.

Of course, creating a virtuous circle like Costco has isn't easy, otherwise everyone would do it. It's not a straight-line path; learning and adapting is required, and this is not an accident either, as Jim Sinegal says: "If you aren't spending 90% of your time teaching, you aren't doing your job."

January 09, 2012 in Business

Good News and Bad News

Long before the shenanigans and financial collapse of 2007-8, Dan Geer said that in the financial world risk management works because there is zero ambiguity over who owns which risk and rightly fretted that here in infosec we suffer from nothing but ambiguity over who owns what risk.


First for the Good News, in infosec we're now a lot closer to the financial world in terms of risk management.

Now for the Bad News, the reason we're closer is that many parts of the financial world do not seem to know who owns which risk any better than infosec does.

There are lots of examples of this over the past decade; the one from today is former MF Global CEO Jon Corzine saying he did not know where $1.2 Billion in client funds are.

The majority of these cases in the past decades' financial meltdowns have Derivatives playing a starring role (and yes, there are many other drivers, but stay with me). The interesting thing here, going back to Dan's point on ambiguity in finance, is that Derivatives were introduced as a Risk Management tool, to smooth out volatility and such (whether this is even possible is a topic for another day), but in doing so Derivatives introduced an enormous amount of complexity into the system and at the same time inserted ambiguity into where the risk was and how big it was.

We can already buy and sell shares, what derivatives did was give people a way to amplify returns through models, but it also amplifies risk. Derivatives are at the heart of all the rogue trading (Barings, SocGen, UBS, NAB) scandals (watch for my review of How to be A Rogue Trader), and Derivatives are at the heart of 2007-08 collapses.

Derivatives are a case of something with good, or at least benign, intentions, intended for safety, making the system overall much less safe.

**

One of my favorite derivatives quotes from Warren Buffett:

"Long ago, Mark Twain said: “A man who tries to carry a cat home by its tail will learn a lesson that can be learned in no other way.” If Twain were around now, he might try winding up a derivatives business. After a few days, he would opt for cats."

**

Charlie Munger on derivatives in 2004:

Derivatives
The system is almost insanely irresponsible. And what people think are fixes aren't really fixes. It's so complicated I can't do it justice here - but you can't believe the trillions of dollars involved. You can't believe the complexity. You can't believe how difficult it is to do the accounting. You can't believe how big the incentives are to have wishful thinking about values and wishful thinking about ability to clear.

People don't think about the consequences of the consequences. People start by trying to hedge against interest rate changes, which is very difficult and complicated. Then, the hedges make the [reported profits] lumpy. So they use the new derivatives to smooth this. Well, now you've morphed into lying. This turns into a Mad Hatter's Tea Party. This happens to vast, sophisticated corporations.

Somebody has to step in and say, "We're not going to do it - it's just too hard."

I think a good litmus test of the mental and moral quality at any large institutions [with significant derivative exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

It's easy to see [the dangers] when you talk about [what happened with] the energy derivatives - they went kerflooey. When [the companies] reached for the assets that were on their books, the money wasn't there. When it comes to financial assets, we haven't had any such denouement and the accounting hasn't changed, so the denouement is ahead of us.

Derivatives are full of clauses that say if one party's credit gets downgraded then it has to put up collateral. It's like margin - you can go broke [just putting up more margin]. In an attempt to protect themselves, they've introduced instability. Nobody seems to recognize what a disaster of a system they've created. It's a demented system. 

In engineering people have a big margin of safety. But in the financial world, people don't give a damn about safety. They let it balloon and balloon and balloon. It's aided by false accounting. I'm more pessimistic about this than Warren is.

December 08, 2011 in Risk Management, Security

Top 5 Security Influencers

It's December, and so it's the season for lists. Here is my list of Top 5 Security Influencers: the people who have the biggest (good and/or bad) influence on your company's and users' security:

  1. The Person Coding Your App
  2. Your DBA
  3. Your Testers
  4. Your Ops team
  5. You

Except for perhaps the last one, what do these all have in common? None of them are in the Security Department!

We shouldn't look at security as a one off, an isolated department of "specialists", but rather leave the ivory tower and look for tools, processes, and training that help the people on this list do their jobs better. Making it faster, better, cheaper and easier to consume and integrate security services into their daily work is the biggest security influencer of all.

December 07, 2011 in Security

Understanding Cloud Security Standards Part 2

Over on the Intel Cloud Access 360 blog I have a series on Understanding Cloud Security Standards. In part one, I looked at Cloud Security Anti-Patterns. The four Anti-Patterns that occur regularly with enterprises moving to the Cloud are:

  • Low/no access control - we'll see if it works and add security later
  • Replicating user accounts - copying enterprise directory in full or extract to Cloud Provider
  • Copying credentials - copying or hardcoding credentials to Cloud based services
  • “Trusted” proxy - Gateway is a pass through lacking support for security standards and services

In part 2, I look at how security standards like SAML, OAuth and OpenID help enterprises mitigate the common Anti-Patterns.



December 06, 2011 in Cloud, Security

You Assert, We Decide

One of the complicating factors in AppSec these days is access control in distributed systems. Dividing up the roles and responsibilities for authN, authZ, attribution and identity management is a daunting task. A typical enterprise is used to putting a ring fence around its assets and managing everything within the fence with RACF/TopSecret, AD, and other technologies. But these are insufficient by themselves for today's integrated applications.

Identity has made a tremendous amount of progress in the last ten years; standards like SAML and OAuth give enterprises a way to make concrete progress on building defensible identity and access control systems for integrated applications like Cloud apps and services. But still we see mucho breaches in 2011. Chris Wysopal found the majority of big breaches to be AppSec related; while malicious code certainly looks to be responsible for some of them, others look like access control fails. We don't know the internal architectures of each of the big breach victims, but it's not surprising to see authorization on the list.

The authorization logic is almost always bound up with the code, which makes it hard to audit and hard to test. Externalizing authorization to Roles is a nice start but again insufficient for most systems. Attributes change program structure and behavior. This reality must be accounted for somehow; one approach is to externalize via ABAC a la XACML, but many enterprises are just in the early stages here. Until then we can and should expect more authorization related breaches due to emergent behavior from unpredictable (and unmanaged) authorization systems.

An additional complicating factor for enterprises is the mix of Push/Pull; Bob Blakley addressed the long term view of this so well. Bob also addressed a pragmatic, incremental way to move from Push to Pull via Virtual Directories. This is an important and, as I mentioned, I think practical improvement over how enterprises operate authorization today; however, there are code level issues that enterprises will live with unless and until they move to a pure Pull architecture.

Some of the struggles that I have observed are as follows:

  • Unclear on granular roles in authorization framework - identity provider responsibility (who asserts) vs service provider (who decides) responsibilities
  • Authoritative source of attributes
  • How to resolve conflicts between authoritative sources
  • Difficulty in seeing where authZ begins and ends in the app code
  • Disentangling user identity from app identity

The above is not a complete list but does demonstrate some important challenges for enterprises progressing towards ABAC. (Note: almost all enterprises already use ABAC, in other words the apps' attributes change the structure and behavior of the app; they just don't recognize it as such.)

To create clarity on roles in the authorization framework (identity provider responsibilities, who asserts, vs service provider responsibilities, who decides), I recommend mapping out Chain of Responsibility patterns to better understand what authorization decisions are made and where. For each key decision, there should be an approved authoritative source of those attributes.

Where possible, the authorization decisions should be adjudicated at a boundary such as the proxy, presentation, business logic and data layers. Not every app is so clean as to support this, but it's effective when viable. Resolving authorization conflicts is a tricky proposition in these cases (and made worse by various impersonation/delegation hacks that enterprises back into by cobbling together partial solutions for app/user identity disentanglement); many enterprises simply fail open, which can wind up ending on the big breach list.
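As an added example (not code from this post or from any product it mentions), here is a small Python sketch of the Chain of Responsibility just described: the service provider keeps one approved authoritative source per attribute, treats a value asserted by the identity provider as a claim that must agree with that source, adjudicates at the proxy, business and data boundaries in order, and fails closed (default deny, deny-overrides, deny on attribute conflict) rather than open. The users, directories, report record and rules are constructed assumptions for the sketch.

```python
"""ABAC authorization chain: who asserts vs. who decides, deny-overrides, fail closed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "n/a"  # this boundary has no opinion; the chain continues

@dataclass
class Request:
    subject: Dict[str, object]   # attributes *asserted* by the identity provider (e.g. a SAML token)
    action: str
    resource: Dict[str, object]  # attributes of the target, owned by the service provider

class AttributeConflict(Exception):
    """An asserted attribute disagrees with its authoritative source, or has no source at all."""

class AttributeResolver:
    """Service-provider side: exactly one approved authoritative source per attribute name."""

    def __init__(self) -> None:
        self._sources: Dict[str, Callable[[str], Optional[object]]] = {}

    def register(self, attr: str, source: Callable[[str], Optional[object]]) -> None:
        self._sources[attr] = source

    def resolve(self, attr: str, request: Request) -> object:
        source = self._sources.get(attr)
        if source is None:
            raise AttributeConflict(f"no authoritative source registered for {attr!r}")
        authoritative = source(str(request.subject["user"]))
        asserted = request.subject.get(attr)  # the IdP's claim, if it made one
        if asserted is not None and asserted != authoritative:
            raise AttributeConflict(f"{attr!r}: asserted {asserted!r}, source says {authoritative!r}")
        return authoritative

@dataclass
class AuthorizationChain:
    """Chain of Responsibility over (boundary, rule) pairs in traversal order."""
    resolver: AttributeResolver
    handlers: List[Tuple[str, Callable[[Request, AttributeResolver], Decision]]]
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (boundary, outcome) trail

    def decide(self, request: Request) -> Decision:
        self.audit.clear()
        permitted = False
        for boundary, rule in self.handlers:
            try:
                outcome = rule(request, self.resolver)
            except AttributeConflict as exc:
                self.audit.append((boundary, f"deny: {exc}"))
                return Decision.DENY  # unresolvable attribute: fail closed, never open
            self.audit.append((boundary, outcome.value))
            if outcome is Decision.DENY:
                return Decision.DENY  # deny-overrides: a later boundary cannot undo this
            permitted = permitted or outcome is Decision.PERMIT
        return Decision.PERMIT if permitted else Decision.DENY  # nobody permitted: default deny

# Constructed sample environment for this example; not real directories or data.
HR_DIRECTORY = {"alice": "analyst", "bob": "analyst", "carol": "admin"}                # source of "role"
TENANT_REGISTRY = {"alice": "acme", "bob": "acme", "carol": "acme", "dave": "globex"}  # source of "tenant"
REPORT = {"id": "report-17", "tenant": "acme", "owner": "alice"}

def proxy_tenant_rule(req: Request, attrs: AttributeResolver) -> Decision:
    # The gateway only shrinks attack surface: it blocks cross-tenant traffic but never permits.
    if attrs.resolve("tenant", req) != req.resource["tenant"]:
        return Decision.DENY
    return Decision.NOT_APPLICABLE

def business_role_rule(req: Request, attrs: AttributeResolver) -> Decision:
    role = attrs.resolve("role", req)  # a conflict between the token and HR surfaces here
    if req.action == "read" and role in ("analyst", "admin"):
        return Decision.PERMIT
    if req.action == "write" and role == "admin":
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE

def data_owner_rule(req: Request, attrs: AttributeResolver) -> Decision:
    # The data layer keeps its own say: nobody but the record owner may write it.
    if req.action == "write" and req.resource["owner"] != req.subject["user"]:
        return Decision.DENY
    return Decision.NOT_APPLICABLE

def authorize(user: str, asserted_role: Optional[str], action: str) -> Tuple[Decision, List[Tuple[str, str]]]:
    """Run one request against REPORT through the chain; returns the decision plus the audit trail."""
    resolver = AttributeResolver()
    resolver.register("role", HR_DIRECTORY.get)
    resolver.register("tenant", TENANT_REGISTRY.get)
    chain = AuthorizationChain(resolver, [("proxy", proxy_tenant_rule),
                                          ("business", business_role_rule),
                                          ("data", data_owner_rule)])
    subject: Dict[str, object] = {"user": user}
    if asserted_role is not None:
        subject["role"] = asserted_role
    decision = chain.decide(Request(subject, action, REPORT))
    return decision, list(chain.audit)
```

The audit trail is the piece that makes the decision reviewable: it records which boundary decided and why, including the case where a token claims "admin" but the authoritative directory says otherwise.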

This post isn't a complete overview of what to do, but practically speaking the list above is a subset of issues that enterprises need to solve for while they progress to a Dynamic, Pull based authorization architecture.

Swapping out authorization systems makes swapping out authentication systems look like a tea party. Don't expect this to be super-fast plug and play; it's a journey, and for many apps it's invasive surgery. I mean that literally: like invasive surgery, it's short term painful and long term worth doing. The problem must be diagnosed, and given the degree of change required, mapping that to a longer term vision and working through the subset of issues listed above through careful and likely incremental release planning is key to concrete progress.

December 05, 2011 in Security
