1. Inventory of authorized and unauthorized devices.
2. Inventory of authorized and unauthorized software.

These two controls state that you should know everything about all the devices connected to your network (i.e., what they are, where they are, etc.) and the entire catalog of software resident on these devices (i.e., operating systems, revision levels, patches, applications, etc.). Since these things are in a constant state of change, you need to have some type of automated tools to detect and react to new or changing assets as soon as possible.

File this requirement under the old axiom, “you can’t manage what you can’t measure.” That said, think about how difficult it is to enforce these two controls. Employees are bringing mobile devices to work and demanding network access. Virtual desktops and servers are easy to provision, deploy, and change while physical device changes are now automated to keep up all this other activity. What about software? Employees are constantly accessing social networks or downloading the latest viral application.

While these issues are extremely challenging, the SANS 20 Critical Security Controls document contains great advice on implementing and automating each control. Here are a few of my thoughts based upon the SANS recommendation and my personal experience:

• Security processes and tools need to be integrated with other activities around asset, change, and configuration management. For example, lots of organizations use CMDBs to capture this information but many security tools don’t integrate with CMDBs and lots of security professionals have no exposure to CMDBs or IT frameworks like ITIL and COBIT. These systemic and technology issues need to be addressed up front to avoid visibility gaps or redundant processes.
• To ensure that only approved devices gain access to the network, SANS recommends the use of 802.1X. This brought me back to 2007 when I worked with several organizations (Identity Engines, Aruba Networks, Symantec, etc.) to establish an Open Source 802.1X supplicant, but few networking or endpoint vendors highlight 802.1X in their products. This has to change – 802.1X (or some other type of device authentication) should be part of the default configuration of physical and virtual devices.
• If 802.1X does happen, large organizations will need a new type of network identity server beyond basic RADIUS. My friends at Identity Engines nailed this concept until some ill-informed VC fat cat pulled the plug on the company (note: The technology was acquired by Nortel and now thrives at Avaya). Cisco’s Identity Services Engine is perfect for this growing requirement.
• Browser virtualization/sandboxing is also a growing requirement. I know there are lots of technologies but Check Point offers a great solution here.
• I know white listing/black listing is a pain but this has to be part of a full-featured solution. Grey listing is also important for those fringe use cases. When an unknown application shows up, it has to automatically trigger some kind of approval cycle, sandboxing, or other policies and controls.
• Why isn’t the private sector embracing the U.S. Federal government’s Secure Content Automation Protocol (SCAP) or something similar. Device security vendors like McAfee, Symantec, and Trend Micro should come together, line up behind SCAP, and push it to their customers.
• Look for virtualization to be used more extensively for security purposes, such as virtualized desktops with specific applications/workloads that run in a container.

You can read Jon’s other blog entries at Insecure About Security.

via Review: Trend Micro Endpoint Security – eSecurity Planet.

Judging by the progress in this area, centralization appears extremely successful but alas, one especially difficult technology remains anchored to branch and remote offices–PCs. This is a real problem since PC management and security has always been a “one step up, two steps back” proposition. Remote PC security alone remains a bear. In a recent ESG Research report, IT professionals were asked to define their biggest information security issues around remote/branch office support. Managing remote PC security and configurations topped the list of challenges. Obviously, persistent PC security problems remain.

So what are large organizations doing to address this? You may be surprised to learn that a growing number of firms are ready to can the whole PC enchilada and replace physical remote PC configurations with desktop virtualization alternatives. In fact, 25% of organizations are already using desktop virtualization technologies to serve remote/branch workers, 22% plan to do so in the next 12 months, and 20% plan to do so in the next 24 months.

This makes a ton of sense–standard desktop images, centralized configuration and patch management, server-based storage of sensitive PC data, etc. I can see desktop virtualization gaining momentum in the future as Bring Your Own Device (BYOD) policies evolve further. What else does change mean? Here are a few thoughts:

1. Desktop virtualization represents a new use case for WAN optimization vendors. The primary job of WAN optimization controllers is accelerating Sharepoint, Exchange, and file access. Lots of vendors do this pretty well but desktop virtualization requires new protocol support and may open the market for new equipment or new vendors. Citrix is keenly aware of this and is already tightly coupling XenDesktop (and XenApp) with NetScaler.
2. Virtual desktops may not come from corporate HQ. My guess is that many firms will look at the transition from physical to virtual desktops and at least investigate SaaS provider options as an alternative to owning all of the servers, storage, networking equipment, etc. This may mean that branch offices become dual-homed with WAN connections to corporate data centers and direct Internet connections for cloud connectivity. This could be a profound change to typical branch office networks.
3. Virtualization will likely spread to tablets, smart phones, and remote workers. If virtualization can ease endpoint management and improve security, why stop at remote office Windows PCs? More and more endpoints will simply render graphics over the network rather than receive software updates and store sensitive data on local memory and disk.

You can read Jon’s other blog entries at Insecure About Security.

Microsoft was pretty bullish about its announcement. When Forefront was announced, Bob Muglia, who was VP of Microsoft’s server and tools business stated, “we think that this product will provide a level of integration and simplicity that really differentiates it, and really enables a different kind of solution.” Microsoft wasn’t alone in its expectations. Here at ESG, we had just done some market research revealing that: 1) Most security professionals looked at endpoint as a commodity product, and 2) They were already evaluating Forefront or were willing to do so. In other words, the market was open to Microsoft–all it had to do was execute and beat the competition on price.

Fast forward to 2011 and Forefront seems like a blip on the endpoint security radar screen. I regularly speak with McAfee, Symantec, Trend and others who rarely if ever mention Microsoft as a primary competitor. From 2007 through 2009, Microsoft briefed me on Forefront progress and plans but then the company re-organized in 2010 and almost all communications stopped. Wondering if it was me, I reached out to some analyst friends to see if Microsoft continues to discuss Forefront with others. I got a consistent response, “not really.”

So what happened? Here are a few of my thoughts:

1. Forefront did have momentum out of the gate in 2007 but it faced a few obstacles. First, there is the traditional view that Microsoft products don’t hit their stride until Rev 3.0, so customers were willing to wait. More importantly, we are talking about security professionals who are paid to be paranoid. Microsoft would have to work hard to get the benefit of the doubt from this tough crowd.
2. Microsoft tried to make endpoint security an economic rather than an IT issue by putting Forefront on its Enterprise Client Access License (ECAL) which made the product virtually free to companies that bought a bundle of client licenses for Exchange, Sharepoint, etc. It was an “all or nothing deal” whereby you had to buy client licenses for all desktops. From my perspective, Microsoft didn’t win many ECAL Forefront deals but did alienate security professionals by pulling the “end around.”
3. Forefront management required a number of other pieces of Microsoft infrastructure (Microsoft Operations Manager, SQL Server, ActiveDirectory, etc.). Security professionals were used to more turnkey endpoint security management platforms.
4. Microsoft stopped selling OneCare in the consumer market. Although it replaced OneCare with Microsoft Security Essentials (a free alternative), many people were spooked by this change of plans. With Microsoft out of the consumer market, why would it stick around the commercial market?
5. Microsoft Forefront “Stirling,” the next-generation product, was delayed by several years.
6. Microsoft re-organized and cut back its Forefront marketing.
7. On average, Forefront was a “B” player in most independent security product testing. Most recently, Microsoft Forefront was characterized as a “niche” product in the influential (and IT vendor extortion-oriented) Gartner Magic Quadrant.

Most likely there was sub-plot to these issues on the sales side of the house. Microsoft reps and channel partners didn’t see much ROI on Forefront sales efforts so they simply stopped selling the product to concentrate on others that were easier to sell.

So the supply side (Microsoft corporate, sales, the channel) slowly backed off while the demand side never really caught on.

I know that Microsoft Forefront endpoint protection 2012 is currently in Beta test. I’m sure the product is superior to the current offering but will it really turn the market and channel around? Given the 4-year track record of Forefront, I doubt it.

Ultimately, Microsoft has to ask itself a difficult but necessary question: Given our limited success, is it worth continuing to invest in this market? Microsoft did this with the Zune music player, perhaps it’s time to do the same with Forefront.

You can read Jon’s other blog entries at Insecure About Security.

One of the characteristics of APTs is some type of social engineering tactic where the bad guys somehow con an internal user into downloading a malicious executable. This creates an internal outpost where hackers can steal credentials, scan the network, and ultimately steal valuable data.

Recent ESG data points to an alarming reality: remote workers (i.e., those that work in remote offices and branch offices) are sitting ducks for these kind of attacks.

ESG asked IT professionals to identify their top security challenges with regard to supporting remote workers. The top four security challenges mentioned were as follows:

• 46%: Managing remote PC security and configurations
• 46%: Training and enforcing corporate security and compliance policies for Remote Office/Branch Office (ROBO) employees
• 38%: Monitoring the use and storage of sensitive data accessed by remote employees
• 34%: Remote user authentication and access controls

To use a technical phrase, holy cow! So remote worker PCs don’t have the right security signatures or OS patches. Remote workers themselves lack training and security knowledge. Meanwhile, IT has no idea what data is on these PCs and remote workers may have access to sensitive information they shouldn’t have. There may also be a bunch of stale remote worker accounts that remain active.

Never mind sophisticated APT attacks–the bad guys can put their trainees on remote worker targets and still infect their PCs in many cases.

While it may be obvious, it is worth mentioning that we’ve spent the last ten years or so centralizing IT so remote workers generally access mission-critical business applications and IT services over the WAN. What this means is that these extremely vulnerable remote worker PCs have an express train to the corporate jewels.

As the old saying goes, “a chain is only as strong as its weakest link.” If we don’t address these remote worker vulnerabilities, then all of the corporate security best practices and best-in-class security technologies don’t matter. The bad guys will simply enter through the remote office back door.

Read more of Jon’s blog entries at Insecure About Security.

Resistance? Eventually impact their organizations? These warnings were appropriate when dinosaurs walked the earth! Forget the future, IT consumerization is already well underway. According to ESG Research, 55% of large organizations are experiencing “significant growth” of alternative endpoint computing devices (i.e., smart phones, tablet computers, etc.). Why? The biggest driver is “end-user demand for different/alternative devices.”

So have we entered the “post PC era” as some analysts suggest? Not in my mind. Yeah, I know that web applications and cloud services are growing like crazy but I still see many organizations with thousands of Windows PCs and Microsoft Office. This combination may be the mainframe of this timeframe. Like the S/390 of the 1990s, we have too much invested in Microsoft technology to pull the plug anytime soon.

So we are clearly moving beyond Windows PCs in the enterprise. What does this mean? In my mind, we have to remember when managing PCs was the most disruptive activity in IT (not too long ago) and learn from the past. A few thoughts:

1. Around 1995 or so, the PC mantra was around standardization. Standard vendors, standard applications, standard configurations, etc. The thought here was to standardize on vendors to maximize volume discounts and standardize on software and device configuration to streamline operations. To the extent possible, this same mindset should be used for alternative devices. I realize it won’t be possible to tell the iPhone or Android crowd to switch platforms, but IT should have a standard secure configuration for all leading mobile computing devices. IT must also quarterback patch management activities–users won’t do it. I think Symantec‘s mantra: “A well managed device is a secure device,” has some merit here.
2. Mobile devices place a big priority on wireless security and network access controls. This means that it’s a good time to review wireless security policies and controls. I also like the Unisys internal policy where employee devices are instrumented with digital certificates for AAA purposes. Oh, it’s probably a good time to look at RADIUS server policies and functionality as well. Cisco‘s new Identity Services Engine was really designed for this intersection between mobility, security, and network access.
3. PCs have security software, therefore, mobile devices should have security controls. Mobile devices may feel like toys or modern day “boob tubes,” but they are powerful computing devices that could pose a threat to high-value network assets. Additionally, let’s not forget that lost devices are the biggest risk. If these devices contain regulated data, a lost $49 iPhone could lead to millions of dollars in damages. The key consideration with mobile devices is where to put the security controls. Should they be deployed as resident software? Cloud services? Agents and cloud services? All of these options will have an appropriate use case so it’s important to really research options.

A few other notes here. First, endpoint virtualization tools from Citrix, Parallels, and VMware will likely play a huge role in mobile device application deployment and security so make sure to do some due diligence here. Finally, in the era of Advanced Persistent Threats, it is critical to understand both device and user behavior. If Androids look like anonymous IP devices to monitoring tools, this could be a big problem.

You can read Jon’s other blog entries at Insecure About Security.

As a security gal, what was really impressive was witnessing the renewed commitment IBM has made to making security an integral part of each of its solution deliverables. Just a few examples of the enhanced visibility I saw at the conference:

1. A multi-threaded security track was added to the conference focusing on compliance, cloud, endpoint security (a la Big Fix), identity management, and emerging threats. The sessions I went to were well attended and it was clear that security is a growing segment of this conference.
2. IBM has elevated security within the company, with resources devoted to supporting security initiatives across all the IBM brands. This approach shows IBM’s seriousness about building security into the design and development of each of its products.
3. Speaking to Teresa Cook, Director of World Wide Security Marketing, it’s clear that IBM is focused on a strategy to assist customers with their security initiatives by emphasizing the ways that security can foster innovation rather than inhibit business.

These are all encouraging signs, and I hope the security tracks continue to grow at next year’s conference. The sessions this year were full of success stories from customers who provided blueprints for attendees in providing these solutions.

On another note, if you ever get the chance to hear Dean Kamen from Deka Research speak, it would be time well spent. Not only is he one of the great inventors of his time, but his passion for fostering and inspiring enthusiasm for technology in our youth through his FIRST organization is truly impressive. In attendence at the keynote were youngsters from the local chapter of FIRST who received a rousing ovation from the conference attendees when they were introduced. This ovation fit in perfectly with the message Dr. Kamen wants to promote in celebrating technology in our country like we celebrate sports and entertainment. I would strongly encourage anyone that wants to get involved in sharing his/her enthusiasm for our industry and developing a passion for technolgy in our youth to look at the work FIRST is doing and volunteer. It would certinaly be a fantastic journey.

I recently saw a demonstration of a more modern version of fake antivirus. The bad guys have made this scam more effective and sinister. When the fake AV appears on your system now, you notice a steady progression with no way out. First, it shuts down your real antivirus and removes the icon from your system tray. It then shuts down any applications you have open, claiming that they may be infected. Finally, it blocks any file with a .exe extension so you can’t open any processes. This blocks all of the things you would normally use to try to alleviate the problem. I tried launching pre-installed antivirus software to perform a system scan, opening Windows Task Manager to kill a process, and going into Windows tools to restore the system configuration to an earlier recovery point. All of these actions were blocked. Oh and don’t bother re-booting the system. This won’t help either.

Basically, fake AV launches a denial-of-service attack, making your PC absolutely useless. It reminded me of the insidious pop-up spyware and adware from the early 2000s. With this type of attack, even users who know better are tempted to buy the fake AV in order to get their PC, and their precious data, back. If you can open a browser and are willing to fight on, there are numerous downloadable tools that claim to overcome fake AV. Guess what? Many of them are just another kind of malware. Cybercriminals know how to kick you when you are down.

If you do get infected, there is actually a relatively easy way out. You have to reboot your system in safe mode (press the F8 key as you do), go into system tools, and then restore your system to an earlier recovery point. When this action is completed, I recommend updating Windows and doing a full system scan with your real AV immediately.

I’ve read a lot of research indicating that many users either don’t use AV at all or don’t really maintain it. You could say that these folks deserve to be scammed, but when their PCs become part of a global botnet, it impacts us all. The bad guys are very good at what they do. The only chance we have is to stay smart, share information, keep our systems up to date, maintain strong defenses, and remain vigilant.

ESG hasn’t re-visited this question since, but many anecdotal conversations with IT security professionals lead me to believe that nothing has changed. If anything, more people believe that endpoint security tools are a commodity today than four years ago.

In my opinion, this perception is not only wrong, it could also be dangerous. Why? For one thing, threat vectors have changed. The main threat vector today is the web and the primary target is the browser. In addition, traditional antivirus signatures have been joined by other defense-in-depth safeguards, like behavior-based heuristics and cloud services, to protect endpoints. Finally, there are the endpoints themselves. In 2007, the term “endpoint” really meant a Windows PC. Now it could mean a Mac, iPad, or some type of mobile device like a Blackberry, Droid, or iPhone.

Given these changes, CISOs should really take a hard look at their endpoint security tools before signing off on a new subscription. During this assessment, examine endpoint security tools in terms of:

1. Security protection. This is far and away the most important thing you are buying, so prioritize the product’s efficacy over price, manageability, integration capabilities, etc. Endpoint security products should offer defense-in-depth capabilities for all types of threats. Progressive vendors are also using intelligence gathered from their install base and security intelligence to offer much more proactive protection. If your vendor is NOT doing this, there is a problem. Note that I’m somewhat surprised endpoint security vendors haven’t really bundled disk encryption with antivirus and firewalls, but that’s another story.
2. Integration. Endpoint security tools should easily interoperate with network security (i.e., NAC/NAP/identity-based networking, SIEM), and endpoint management tools (i.e., patch management, vulnerability management, asset/inventory management). Other endpoint tools like disk encryption, eRM, and DLP also should fit here. This will help you keep endpoint configurations up to date, monitor behavior, and enforce security policies.
3. Management. Endpoint security tools should have their own management consoles for command-and-control. And it may not be a requirement, but I believe that central management of all types of endpoint devices will become the default configuration over time.

The main point here is that far from commodity products, the endpoint security tools used could mean the difference between business-as-usual or a costly security breach. Choose wisely.

Read more of Jon’s blog entries at Insecure About Security.

There are a few common themes here. Each vendor is targeting consumers with whiz-bang functionality and lots of applications. Video capabilities are highlighted in all cases.

Given this focus, you would think that mobile devices = consumer devices but this is not the case. Enterprises are also running to and jumping on the mobile device bandwagon in a big way.

ESG Research surveyed 174 IT professionals about their organizations’ adoption and use of mobile devices. Here are a few data points that illustrate growing mobile device usage in the enterprise.

Question 1. What are your organization’s spending plans for mobile devices and mobile device support?

37% spending will increase significantly
45% spending will increase moderately
14% spending will stay flat
3% spending will decrease
1% don’t know

Question 2. How important are mobile devices to your organization’s business processes and productivity?

38% critical
48% important
11% somewhat important
1% not important today but will be important in the future
1% not important today or in the future
1% don’t know

Question 3: Does your organization develop, or plan to develop, specific applications for mobile devices?

28% already develop applications for mobile devices
34% plan to develop applications for mobile devices
26% no plans at this time but interested in developing apps.
11% no plans or interest in developing apps.
1% don’t know

In summary, enterprises are spending more on mobile devices and device support, they believe these devices are “critical” or “important” for the business, and most already develop mobile device applications or plan to do so.

Sounds to me like every IT vendor in the endpoint (PC, laptop, mobile device), network, security, management, and application markets should have a mobile device strategy. Those that either haven’t developed or articulated their strategies are way behind.

Read Jon’s other blog entries at Insecure About Security.