<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Enterprise Strategy Group X Network Security</title>
	<atom:link href="http://www.enterprisestrategygroup.com/category/by-coverage-area/information-and-risk-management/security-and-privacy/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.enterprisestrategygroup.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Wed, 08 Feb 2012 22:22:08 +0000</lastBuildDate>
	<language></language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>vShield, Cloud Computing, and the Security Industry</title>
		<link>http://www.enterprisestrategygroup.com/2011/09/vshield-cloud-computing-and-the-security-industry/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/09/vshield-cloud-computing-and-the-security-industry/#comments</comments>
		<pubDate>Thu, 01 Sep 2011 19:05:07 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[Allwyn Sequeira]]></category>
		<category><![CDATA[BitDefender]]></category>
		<category><![CDATA[Catbird]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Lumension]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[RSA Security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Sophos]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[virtualization]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[VMworld]]></category>
		<category><![CDATA[vShield]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=24624</guid>
		<description><![CDATA[As VMworld winds down today, several security vendors including BitDefender, Catbird, Lumension, McAfee, Sophos and Symantec announced their intentions to work with VMware as a security partner or integrate with VMware vShield APIs. These vendors join Trend Micro, a company that bet on vShield integration and is clearly benefiting from this decision. I spoke to [...]]]></description>
<content:encoded><![CDATA[<p>As VMworld winds down today, several security vendors including <a href="http://www.bitdefender.com" target="_blank">BitDefender</a>, <a href="http://www2.catbird.com/" target="_blank">Catbird</a>, <a href="http://www.lumension.com/" target="_blank">Lumension</a>, <a href="http://www.mcafee.com/" target="_blank">McAfee</a>, <a href="http://www.sophos.com" target="_blank">Sophos</a> and <a href="http://www.symantec.com/" target="_blank">Symantec</a> announced their intentions to work with <a href="http://www.vmware.com" target="_blank">VMware</a> as a security partner or integrate with VMware vShield APIs. These vendors join <a href="http://www.trendmicro.com" target="_blank">Trend Micro</a>, a company that bet on vShield integration and is clearly benefiting from this decision.</p>
<p>I spoke to VMware before the big event&#8211;good thing, since Hurricane Irene kept me from making it to Las Vegas. Given its focus on virtualization and cloud computing, VMware understands that if workloads are to be cloud-ready and mobile, then security must become a virtual service. In other words, each VM needs to have security properties assigned to it, and the cloud has to be able to understand, enforce, and monitor security controls on each and every VM regardless of where it resides at any given moment.</p>
<p>Let&#8217;s face it: traditional security tools based upon physical systems, IP addresses, network segmentation, and static rules just won&#8217;t cut it in the cloud. We need a new model, and VMware is developing security technologies to get there.</p>
<p>So why aren&#8217;t more security vendors jumping on the bandwagon? Many of them look at vShield as a potentially competitive security product, not just a set of APIs. In a recent Network World interview, Allwyn Sequeira, VMware&#8217;s chief technology officer of security and vice president of security and network solutions, admitted that the vShield program in many respects &#8220;does represent a challenge to the status quo&#8221; and that sometimes new ideas may be &#8220;viewed with suspicion&#8221; (see Ellen Messmer&#8217;s article <a href="http://www.networkworld.com/news/2011/083111-vmware-security-partners-250321.html?hpg1=bn" target="_blank">here</a>). This confusion is amplified by the fact that vShield does provide its own security services (firewall, application layer controls, etc.) in some cases. In the future, VMware plans to work with <a href="http://www.rsa.com/" target="_blank">RSA Security</a> to introduce DLP functionality into vShield as well.</p>
<p>VMware has its own agenda: tightly integrate security services into vSphere and vCloud to continue to advance these platforms. Nevertheless, VMware&#8217;s role in virtualization/cloud and its massive market share can&#8217;t be ignored. So here&#8217;s a compromise I propose:</p>
<ol>
<li>Security vendors should become active VMware/vShield partners, integrate their security solutions, and work with VMware to continue to bolster cloud security. Since there is plenty of non-VMware business out there, the best heterogeneous platforms will likely win.</li>
<li>VMware must make clear distinctions among APIs, platform planning, and its own security products. For example, if a large VMware shop wants to implement vShield for virtual security services but has already decided on Symantec (Vontu) or McAfee DLP, it should have the option for interoperability with no penalties (i.e., loss of functionality, pricing/support premiums, etc.).</li>
</ol>
<p>This seems like a worthwhile &#8220;win-win,&#8221; as that old tired business cliché goes. Heck, customers would win too, as they already have non-VMware security tools in place. VMware will still sell loads of vShield product, and the security industry becomes an active champion instead of a suspicious player in another idiotic industry concept, &#8220;coopetition.&#8221; The sooner that VMware and the security industry pass the peace pipe around, the better for everyone.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/09/vshield-cloud-computing-and-the-security-industry/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>ESG Research Brief: Remote/Branch Offices &#8211; An Extremely Vulnerable Target for Security Attacks</title>
		<link>http://www.enterprisestrategygroup.com/2011/08/esg-research-brief-remotebranch-offices-an-extremely-vulnerable-target-for-security-attacks/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/08/esg-research-brief-remotebranch-offices-an-extremely-vulnerable-target-for-security-attacks/#comments</comments>
		<pubDate>Fri, 12 Aug 2011 20:02:46 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Bill Lundell]]></category>
		<category><![CDATA[Briefs]]></category>
		<category><![CDATA[IT Operations]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[robo]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=24063</guid>
		<description><![CDATA[Over the past few years, IT consolidation has reached a fever pitch with most organizations moving as many IT assets as possible from remote locations and small data centers into more cost-effective optimized corporate facilities. The applications and data in these centralized sites, however, are still accessible to remote/branch offices at the other end of [...]]]></description>
			<content:encoded><![CDATA[<div class="abstract">Over the past few years, IT consolidation has reached a fever pitch with most organizations moving as many IT assets as possible from remote locations and small data centers into more cost-effective optimized corporate facilities. The applications and data in these centralized sites, however, are still accessible to remote/branch offices at the other end of the wire. Inadequately managed remote PCs combined with poorly trained workers at these locations creates a vulnerable population that could be an easy entry point for cyber criminals and advanced persistent threat (APT) attacks.</div>
<private_premium>
<h1>Improving ROBO Security through Centralization</h1>
<p>ESG recently surveyed 454 senior IT professionals working at corporate headquarters locations and responsible for supporting IT requirements at their organization’s remote office/branch office (ROBO) sites. One of the key findings of the research was that nearly three-quarters (74%) of organizations claim that the majority of corporate applications and/or IT services are deployed and managed centrally at a corporate site and accessed over the WAN by ROBO locations.<a href="#_ftn1">[1]</a> With the transition from LAN- to WAN-based application delivery, IT organizations take service levels and performance very seriously. In fact, respondents said that improving both the performance of and accessibility to applications for end-users were their top two IT priorities with respect to supporting ROBOs (see Figure 1). Beyond applications, however, IT also puts a premium on improving information security measures for remote/branch offices.  The thought here is that by moving critical applications and sensitive data from ROBO locations to the data center, these valuable assets gain enhanced protection with the oversight of skilled security professionals and layered security technology defenses.</p>
<div class="graph_top">Figure 1. Top Five IT Priorities for Supporting ROBO Locations</div>
<p><img class="aligncenter size-full wp-image-24066" title="ROBOsecurityF1" src="http://www.enterprisestrategygroup.com/media/wordpress/2011/08/ROBOsecurityF1.png" alt="" width="626" height="299" /></p>
<h1>Remote Worker Vulnerabilities Remain</h1>
<p>While centralizing IT assets can certainly enhance security capabilities, ESG research also indicates a frightening reality. ROBO-based employees, and the endpoint devices they use, represent an ever-growing security risk. Why? First of all, nearly one-third (31%) of respondent organizations revealed that <span style="text-decoration: underline;">none</span> of their ROBO locations have on-site IT personnel,<a href="#_ftn2">[2]</a> leaving PC management, security, and support to distant IT staff members that probably have their hands full with local issues. Security complexity and a lack of local hands-on support can make remote user security management extremely challenging. According to ESG research, organizations have difficulty with security tasks such as managing remote PC security and configurations, training and enforcing corporate security and compliance policies for ROBO-based employees, and managing the use and storage of sensitive data accessed by remote employees (see Figure 2).</p>
<div class="graph_top">Figure 2. Security Challenges for Supporting ROBO Locations</div>
<p><img class="aligncenter size-full wp-image-24067" title="ROBOsecurityF2" src="http://www.enterprisestrategygroup.com/media/wordpress/2011/08/ROBOsecurityF2.png" alt="" width="634" height="469" /></p>
<p>These issues are nothing new. When it comes to IT, remote workers have always held the status of “second-class citizens,” typically receiving support only when they visit corporate headquarters or when their PCs stop working. These were once mere inconveniences, but in the current era of advanced persistent threats (APTs) and costly publicly disclosed data breaches, remote PC security presents a major risk to the entire organization because:</p>
<ul>
<li><strong>Centrally-deployed IT applications and services are easily accessible to vulnerable remote workers</strong>. As mentioned previously, most ROBO locations access the majority of IT applications and services from central data centers. This means that vulnerable or compromised remote PCs have a direct line to mission-critical systems and sensitive data. This type of network architecture may help increase IT optimization and lower cost, but it also creates a potential security nightmare.</li>
<li><strong>Remote users lack essential security training and knowledge.</strong> Organized crime and state-sponsored hacking groups regularly use sites like Facebook to garner intelligence about individuals and then employ social engineering techniques to fool users into downloading malicious code. Alarmingly, remote office workers may be “sitting ducks” for these kinds of APT attacks. ESG’s data indicates that remote worker PC configurations and security settings may lag behind corporate standards and that remote employees may not receive the right security training, creating a knowledge gap. Unprepared and uneducated users working on PCs fraught with software and configuration vulnerabilities are an easy target for the highly-skilled cyber underground.</li>
<li><strong>Sensitive data is easy for remote workers to access, but difficult for IT to monitor.</strong> The security challenges listed above illustrate two likely data breach scenarios: 1) While applications may be centralized, 38% of organizations are challenged with monitoring the use and storage of sensitive data accessed by remote workers. In more pedestrian terms, IT managers don’t know if remote workers are accessing sensitive data, how they are using this data, and if they are copying sensitive data to local storage devices. Remember, too, that these remote workers may not have the proper training about acceptable use policies. This lack of oversight greatly increases the risk of a data breach. 2) More than one-third (34%) of organizations also indicated a problem with remote user authentication and access controls. This points to several issues like stale user accounts or remote users with access to sensitive data they shouldn’t have. Either way, sensitive data is in harm’s way.</li>
</ul>
<h1>The Bigger Truth</h1>
<p>As the old colloquialism goes, “a chain is only as strong as its weakest link.” ESG’s data points to an alarming conclusion: remote workers may be a far weaker link than most organizations realize. This being the case, corporate security expertise and best-in-class security technology safeguards won’t be effective if cyber criminals and professional hackers can simply enter through the remote office back door.</p>
<p>What can be done to bridge this pervasive and disturbing gap? ESG has a few suggestions. Large organizations should:</p>
<ol>
<li><strong>Add network identity context and access controls</strong>. In most cases, remote workers simply use Windows authentication to gain access to the network, but remote worker security vulnerabilities, coupled with burgeoning sophisticated attacks, demand greater use of authentication, network identity, and granular access controls. To add a layer of network security, large organizations should look closely at new network-based technologies. “Context-aware” solutions recognize users, devices, and network locations to apply and enforce specific access control policies. When Alice in sales tries to access the network with a PC that hasn’t been patched in a month, she can be guided toward a remediation VLAN before proceeding. When Bob in engineering suddenly tries to access a secure server containing product planning documents at 3am, network identity can block access, log the event, and alert security staff of suspicious activities.</li>
<li><strong>Combine PC management and security.</strong> PC management (i.e., configuration management, software distribution, help desk, etc.) and security management activities (i.e., endpoint security software management and configuration, signature distribution, monitoring, etc.) are often done by discrete IT teams. This is a result of historical IT organizational evolution rather than a well thought out plan. Given the overlap between IT operations and security, it is high time that these artificial walls come tumbling down. CIOs should consider a single group—endpoint management and security operations—guided by common policies, processes, and integrated tools. A secure system is a well-managed system.</li>
<li><strong>Increase the use of desktop virtualization for remote workers</strong>. Desktop virtualization may be very effective for addressing remote PC configuration/security issues and sensitive data management. While this means delivering desktop images over the WAN, many organizations have years of experience with Citrix XenApp (formerly Presentation Server) virtualizing desktop applications for remote workers in a similar manner. Additionally, the combination of decreasing WAN bandwidth costs and WAN optimization support for desktop virtualization protocols provide the right technical and economic foundations to move forward. ESG’s data demonstrates that many organizations are already pursuing or plan to pursue some type of desktop virtualization strategy to enhance security and endpoint management for remote workers (see Figure 3).</li>
</ol>
<div class="graph_top">Figure 3. Organizations Plan to Adopt Desktop Virtualization for ROBO-based Employees</div>
<p><img class="aligncenter size-full wp-image-24065" title="ROBOsecurityF3" src="http://www.enterprisestrategygroup.com/media/wordpress/2011/08/ROBOsecurityF3.png" alt="" width="620" height="371" /></p>
<ol start="4">
<li><strong>Explore the use of SaaS security for remote workers.</strong> Large organizations often outsource activities like HR benefits administration or manufacturing. Why not remote office and/or user security? This makes more and more sense all the time, especially in light of the security challenges described above and the lack of on-premises IT resources at many ROBO locations. Large organizations should explore SaaS-based security options as soon as possible. Those that choose to proceed should follow a phased approach, plan carefully, and develop and track clearly defined success metrics. Learn from experience so that ROI benefits can be achieved more rapidly as more and more SaaS security services are consumed.</li>
</ol>
<hr size="1" />
<p><a name="_ftn1">[1]</a> Source: ESG Research Report, <a href="../../../../../2011/07/remote-officebranch-office-technology-trends/"><em>Remote Office/Branch Office Technology Trends</em></a>, July 2011.</p>
<p><a name="_ftn2">[2]</a> Ibid.</p>
</private_premium>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/08/esg-research-brief-remotebranch-offices-an-extremely-vulnerable-target-for-security-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Demands for Real-time Threat Management</title>
		<link>http://www.enterprisestrategygroup.com/2011/06/new-demands-for-real-time-threat-management/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/06/new-demands-for-real-time-threat-management/#comments</comments>
		<pubDate>Wed, 15 Jun 2011 15:07:10 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Briefs]]></category>
		<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[RTRM]]></category>
		<category><![CDATA[RTTM]]></category>
		<category><![CDATA[Threat Management System]]></category>
		<category><![CDATA[TMS]]></category>
		<category><![CDATA[trend micro]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=22961</guid>
		<description><![CDATA[Many organizations are evaluating a new security model based upon IT risk management best practices.  This is a good idea, but not enough for today’s dynamic and malevolent threat landscape. To keep up with IT changes and external threats, large organizations need to embrace two new security practices: Real-time Risk Management for day-to-day security adjustments [...]]]></description>
			<content:encoded><![CDATA[<div class="abstract">Many organizations are evaluating a new security model based upon IT risk management best practices.  This is a good idea, but not enough for today’s dynamic and malevolent threat landscape. To keep up with IT changes and external threats, large organizations need to embrace two new security practices: Real-time Risk Management for day-to-day security adjustments and Real-time Threat Management to detect and remediate sophisticated, stealthy, and damaging security breaches (i.e., Advanced Persistent Threats or APTs).</div>
<private_standard>
<h1>Overview</h1>
<p>Enterprise security management has undergone a series of profound changes over the past few years. Circa 2005, information security became inexorably linked to government and industry regulations like FISMA, HIPAA, GLBA, and PCI DSS. During this timeframe, security management was driven by one objective: passing compliance audits. Once organizations established processes and controls for these audits, they simply moved on to making these activities more efficient.</p>
<p>Somewhere around 2009, CISOs came to an alarming conclusion as they realized that passing security audits created a ton of work for security staff but this effort didn’t necessarily equate to strong security. In fact, many CISOs working in the U.S. federal government observed that their agencies were spending inordinate amounts of time and money preparing for FISMA audits while experiencing a growing number of security incidents.</p>
<p>Clearly, security management focus on regulatory compliance was no longer enough. This led to a second security management transition from a regulatory compliance focus to one of IT risk management.</p>
<p>With IT risk management, threats and vulnerabilities are assessed on an asset-by-asset basis. Risk management decisions are then made depending upon an IT asset’s level of exposure (e.g., threats and vulnerabilities) as well as its value (e.g., the relative significance each asset delivers in overall business operations). Armed with these metrics, organizations can make qualitative and quantitative risk management decisions such as risk acceptance, risk assignment or transfer (e.g., transferring potential risk to a third party such as an insurance company) or risk reduction (e.g., mitigating risk by implementing security controls, policies, and procedures). In this case, a control is defined as a mechanism used to restrain, regulate, or reduce vulnerabilities.</p>
<h2>The Rise of Real-time Risk Management</h2>
<p>IT risk management is a step in the right direction because it is based upon thorough IT assessments, established metrics, and intelligent cooperative decisions among business, security, and IT executives. Given today’s dynamic threat landscape and constantly changing IT infrastructure, CISOs must go beyond periodic assessments and basic practices and embrace sound risk management practices designed to deal with their dynamic environments. ESG calls this advanced practice “Real-time Risk Management” (RTRM). RTRM is based upon:</p>
<ul>
<li><strong>Instantaneous threat and vulnerability knowledge. </strong>The ever-changing nature of both IT and the threat landscape demands that asset changes, vulnerability assessments, and threat data be available in real time. Security tools must correlate this information and immediately report on new types or levels of risk. Security practitioners must be trained to digest these inputs, present them to business managers, and expedite risk mitigation without delay.</li>
<li><strong>Comprehensive visibility and coverage.</strong> IT is made up of a multitude of assets like hardware devices, databases, business applications, and virtual appliances all interacting with one another. It is no longer enough to understand a sub-segment of the entire IT portfolio alone or adopt a piecemeal view of the entire IT infrastructure through a potpourri of tools; to keep up with assets and their associated vulnerabilities, CIOs need consistent data, visibility, and alerts across the entire IT spectrum.</li>
<li><strong>Constant controls assessment and adjustment.</strong> Security controls don’t fit into the “set-it-and-forget-it” category. Rather, controls need persistent assessment to ensure they adequately address new or changing risks.</li>
</ul>
<h1>Building on an RTRM Foundation</h1>
<p>As the name suggests, real-time risk management is dedicated to providing CISOs with up-to-the-minute security information so they can analyze the current status of their environment, detect malicious activities as quickly as possible, and minimize damage. RTRM must be extremely flexible in order to provide security executives with granular intelligence about new and evolving threats at all times, but this is easier said than done. Why? The latest extremely sophisticated, stealthy, targeted attacks (often referred to as Advanced Persistent Threats, or APTs) are purposefully designed to avoid exposure. For example, APTs use “social engineering” tactics to fool users into downloading seemingly harmless files chock full of malware. APT malware is often propagated through trusted channels with hackers assuming familiar identities such as Facebook “friends.” Once installed, APT malware silently gathers user names and passwords, covertly scans network address spaces, and slowly penetrates other systems on the network. After weeks or months of these activities, distant hackers usually find something of value like credit card numbers, software source code, or other types of intellectual property. Finally, the APT malware receives clandestine command-and-control instructions to copy precious data files, encrypt them, and send them to remote hacker-controlled drop servers.</p>
<h1>New Threats Demand Real-Time Threat Management</h1>
<p>Do APTs render real-time risk management obsolete? Not at all. The objective of real-time risk management is to proactively “harden” IT assets, protecting them from all types of attacks including APTs. For example, APTs may persuade organizations to turn on advanced features in endpoint security software or more closely monitor activities around copying and storing sensitive data. Unfortunately, this is no longer enough. Recent security breaches at organizations such as Google, Lockheed Martin, and RSA Security demonstrate that APTs demand security adjustments and new defenses.</p>
<p>Dealing with APTs demands a philosophical change within organizations. While risk management and incident prevention should remain top priorities, CISOs, CIOs, and executive managers should work under the assumption that their organizations will be compromised. This means that RTRM must be complemented with the right processes and tools for emergency response—like getting support from executive management, establishing a team, developing and communicating emergency response processes, and testing emergency response effectiveness.<a href="#_ftn1">[1]</a></p>
<p>Remember that the primary objective of any emergency response effort is fairly simple: minimize the impact of a security attack. To achieve this goal, large organizations need to be able to detect sophisticated targeted attacks as quickly as possible. This begs an obvious question: How can the security team detect these attacks when APTs are designed for undetectable “low-and-slow” attacks?</p>
<p>ESG believes that defending against APT-like attacks is difficult, but not impossible. To accomplish this, RTRM must be aligned with a new complementary service: Real-time Threat Management (RTTM). RTTM goes beyond basic situational awareness about vulnerabilities and traditional malware threats. Rather, it examines network behavior across a multitude of devices, looking for anomalous traffic patterns, connections, and flows within the corporate network and at network ingress/egress points. When real-time threat management detects suspicious content or network activities, it can automatically take immediate preventative actions such as quarantining malicious files and executables, blocking command-and-control traffic, or automatically “cleaning” infected endpoints. To accomplish these goals, RTTM depends upon:</p>
<ul>
<li><strong>Improved network monitoring.</strong> Real-time threat management goes beyond inspection of network logs and flow data alone. How? By looking at network traffic up to the application layer with special attention given to packet payloads, protocols, destination addresses, and APT communications patterns.</li>
<li><strong>Event detection designed for sophisticated threats</strong>. RTTM is designed with APTs in mind, carrying specific filtering rules and correlation engines. Network traffic is analyzed in a multitude of ways, looking for specific behavior that may be indicative of a sophisticated threat.</li>
<li><strong>Immediate remediation and policy enforcement. </strong>Once an organization has discovered the presence of a sophisticated threat, it is often too late—sensitive data has already been stolen. Given this type of exposure, RTTM MUST go beyond detection to hands-on prevention and remediation. When RTTM detects command-and-control communications or other malicious traffic, it begins a sequence of alerting and remediation events. For example, RTTM can alert security staff and automatically remediate infected systems. Based upon an organization’s security and business policies, RTTM may also take proactive in-line actions like updating perimeter security device rules or isolating infected systems.</li>
<li><strong>Network intelligence services.</strong> Since APTs constantly mutate and evolve, RTTM must be equally as agile. To remain current, tools must be backed up with leading-edge actionable security research and new enforcement rules. The goal here is to match hacker brain power and tricks with a superior force of white hats and PhDs.</li>
</ul>
<h2>Trend Micro Threat Management System</h2>
<p>While existing security defenses like firewalls, IDS/IPS, and endpoint security tools can be tuned to better address advanced threats, RTTM technologies should be viewed as an effective supplemental layer of defense against attackers seeking customer data, intellectual property, or highly sensitive internal documents. Many security vendors are exploiting APT fears to sell existing products that offer little incremental protection; others have developed specific new solutions that truly can make a difference. <a href="http://us.trendmicro.com/us/home/index.html" target="_blank">Trend Micro</a>’s Threat Management System (TMS) is just such a product.</p>
<p>TMS provides an architectural approach to APT detection, remediation, and reporting. The solution consists of:</p>
<ul>
<li><strong>Threat Discovery Appliance.</strong> A network-based out-of-band device that monitors network traffic, behavior, and protocols and is designed and tuned for sophisticated attack detection.</li>
<li><strong>Threat Mitigator.</strong> A network-resident system that provides automated real-time remediation (clean-up) of endpoint malware infections identified by the Threat Discovery Appliance.</li>
<li><strong>Dynamic Threat Analysis System.</strong> A malware identification and analysis platform that uses sandboxing and other advanced methods to provide detection, detailed exploration, simulation, and full forensic analysis of suspected malware captured by TMS or submitted directly by a security specialist.</li>
<li><strong>Threat Management Portal.</strong> A hosted or on-premises dashboard providing visibility, analysis, alarms, and multi-level reporting of threat activity and root cause analysis including source IP address, point of network entry, and details about malware characteristics.</li>
</ul>
<p>For organizations that need further assistance identifying and reacting to advanced threats, Trend Micro backs TMS with its risk management services offering. Customers who choose this option are provided with ongoing help with threat analysis and alerts, risk posture, proactive monitoring, and strategic security planning. This service offering leverages Trend’s threat analyst expertise and Smart Protection Network intelligence, a cloud-based infrastructure powered by a global network of threat sensors.</p>
<p>What makes Trend Micro TMS more effective at detecting APTs than an IDS/IPS, next-generation firewall, or other network analyzer? Malware generally plays a key role in APTs and other advanced attacks. TMS focuses on detecting malware and the traces of its activity with specialized threat detection engines and event correlation that is continually updated with new threat relevance rules.</p>
<p>TMS uses an array of specialized threat engines that include signature-based scanning, document exploit examination, heuristic behavior-based analysis, reputation-based ratings, sandboxing, and more. Packets, streams, and full sessions are analyzed at layers 2-7 for real-time detection, and then later undergo an additional layer of correlation analysis to discover “low and slow” and other evasive activities discernible only over an extended period. The high detection rate coupled with deep forensic analysis tools can clearly help reduce the risk of initial APT intrusion and speed discovery and containment of any actual attack.</p>
<h1>The Bigger Truth</h1>
<p>An evolutionary cycle is happening in enterprise security. Large organizations are moving beyond compliance-centric security and beginning to embrace an IT risk management approach focused on threats, vulnerabilities, and asset value. This is a sound foundation, but today’s dynamic threat landscape demands a flexible risk management model that can keep up with constant change.</p>
<p>Real-time risk management provides a foundation for keeping up with changes to assets, networks, and vulnerabilities. With the onset of sophisticated APT-like attacks, real-time risk management now requires a sister service, real-time threat management. RTTM essentially expands the scope of RTRM with specific threat intelligence, detection, and remediation capabilities. The goal? React immediately to new types of threats to prevent or minimize damages.</p>
<p>Trend Micro Threat Management System is a good example of an RTTM solution. Built and deployed as an architecture, TMS detects and blocks APT malware, detects and remediates stealthy behavior associated with a sophisticated attack in progress, and offers the security team specific intelligence associated with sophisticated threats and anomalous network behavior. Given these capabilities, enterprise organizations should evaluate TMS capabilities to see if it is a fit for their environments. Organizations with strong security skills may find that TMS provides an effective security layer for defense-in-depth, and firms with security skill deficits may find that TMS products and Trend Micro services can replace or augment existing security controls while supplementing internal security knowledge.</p>
<hr size="1" /><p><a name="_ftn1">[1]</a> The CERT Coordination Center provides a good set of emergency guidelines at <a href="http://www.cert.org/csirts/Creating-A-CSIRT.html" target="_blank">http://www.cert.org/csirts/Creating-A-CSIRT.html</a>.</p>
</private_standard>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/06/new-demands-for-real-time-threat-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Lessons</title>
		<link>http://www.enterprisestrategygroup.com/2011/03/rsa-lessons/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/03/rsa-lessons/#comments</comments>
		<pubDate>Tue, 22 Mar 2011 13:34:18 +0000</pubDate>
		<dc:creator>Ginny Roth</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Ginny Roth]]></category>
		<category><![CDATA[Identity Crisis]]></category>
		<category><![CDATA[Identity and Access Management]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Managed Security Services]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[RSA]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=21415</guid>
		<description><![CDATA[I took a few days to comment on the RSA breach because I wanted to see what more I could learn about the details rather than speculate about what might be. But in the end, as far as what lessons the customer can take from this breach, the details don&#8217;t matter as much. The fact [...]]]></description>
			<content:encoded><![CDATA[<p>I took a few days to comment on the <a href="http://www.rsa.com" target="_blank">RSA </a>breach because I wanted to see what more I could learn about the details rather than speculate about what might be. But in the end, as far as what lessons the customer can take from this breach, the details don&#8217;t matter as much.</p>
<p>The fact is, breaches happen. In this case, it happened to RSA. And I&#8217;m sure they&#8217;re dealing with the ramifications that that entails. But, this could&#8217;ve happened to many other vendors&#8211;it has, and it will again.</p>
<p>The lesson the customer takes away, or the lesson that is reinforced because we all know this as security folks, is that every organization needs to follow a defense in depth strategy for mitigating threats and the damage that can occur:</p>
<ul>
<li>Effective IPS systems to detect intrusions coming from both outside and inside the network</li>
<li>DLP implementations to detect sensitive and/or protected data that&#8217;s leaving the network</li>
<li>Effective access control policies from the application layer all the way to the network layer</li>
<li>Strong authentication for a higher level of assurance when identifying users</li>
<li>Strong policies for principles of least privilege and separation of duties</li>
</ul>
<p>Also, keep in mind that the breach occurred with the SecurID token that is used for two-factor authentication. Since it&#8217;s two-factor, that means there is still another factor that has to be paired with that token to successfully authenticate. And while username/password is not the best assurance, it still slows down the attack if users are diligent about not sharing their credentials. As always, this is where education comes in. Users have always been the weakest security link, and constant education on security policy and practice cannot be overdone. As a matter of fact, when looking at the message sent by RSA identifying an Advanced Persistent Threat (APT) as the nature of the attack, the actions to take that RSA outlined to its customers had a heavy social engineering focus. Not surprising.</p>
<p>This type of APT seems impossible to combat, and in many ways it is. Users will always fall prey to these types of social engineering schemes. And introducing social networks into the equation makes the problem even larger and makes the requirements around strong authentication and authorization even more critical. Authenticating users to critical data should entail more than just a two-factor challenge. The authentication must contain context around the access request. Where is the user located? Is the authentication request coming from Russia when the user has already authenticated at the local office? How many times has the user logged in? And if it&#8217;s from different locations, then we&#8217;re not talking about the same person. When are they accessing the information? Is it likely that Ethan, from accounting, would be working on the accounts receivable data at 2 in the morning? These are just some of the obvious alerts that could aid IT departments in catching unauthorized access to corporate resources. Vendors who can provide IT departments more visibility into what&#8217;s happening with their data and the events happening with their corporate directory in a comprehensive way will provide a valuable service toward a more thorough defense against attacks and data theft.</p>
<p>In the end, these attacks will continue.  And don&#8217;t expect users to become more savvy as they start to use more social networking and other sites to conduct more business on the internet.  Expect them to become more vulnerable and, in turn, expose your organization to more risk.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/03/rsa-lessons/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The EMC/RSA Breach: What It Means</title>
		<link>http://www.enterprisestrategygroup.com/2011/03/the-emcrsa-breach-what-it-means/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/03/the-emcrsa-breach-what-it-means/#comments</comments>
		<pubDate>Fri, 18 Mar 2011 18:05:52 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber supply chain security]]></category>
		<category><![CDATA[EMC]]></category>
		<category><![CDATA[federal government. Juniper]]></category>
		<category><![CDATA[Kaspersky Labs]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[trend micro]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=21285</guid>
		<description><![CDATA[I have two immediate words with regard to the EMC/RSA breach: Holy smokes! Add the EMC/RSA breach to a list including the Aurora attack on Google, Conficker, and WikiLeaks as extremely frightening cyber security incidents. Can anyone still claim that we aren&#8217;t extremely vulnerable to cyber crime, espionage, and outright attacks? A few other thoughts: [...]]]></description>
			<content:encoded><![CDATA[<p>I have two immediate words with regard to the <a href="http://www.emc.com/" target="_blank">EMC</a>/<a href="http://www.rsa.com/" target="_blank">RSA</a> breach: Holy smokes! Add the EMC/RSA breach to a list including the Aurora attack on Google, Conficker, and WikiLeaks as extremely frightening cyber security incidents. Can anyone still claim that we aren&#8217;t extremely vulnerable to cyber crime, espionage, and outright attacks?</p>
<p>A few other thoughts:</p>
<ol>
<li>If you are in the enterprise IT business, you are under attack&#8211;it&#8217;s as simple as that. Are IT vendors doing their best to defend their intellectual property? Do they have world-class security processes and cyber supply chain risk management in place? I don&#8217;t know the answer to these questions, but it seems to me that large organizations should be auditing their vendors&#8217; security and doing extremely granular due diligence before purchasing new equipment.</li>
<li>The security industry is an extremely attractive target. First, <a href="http://www.kaspersky.com/" target="_blank">Kaspersky Labs</a> had its source code stolen, now EMC/RSA is breached. Why? Remember that scene in Ocean&#8217;s Eleven when George Clooney and the gang build an exact copy of the Vegas vault so they could practice their heist? Cyber criminals want to do the same thing. If you can poke at the innards of security technologies, you may be able to find vulnerabilities. Let&#8217;s hope that <a href="http://www.checkpoint.com/" target="_blank">Check Point</a>, <a href="http://www.cisco.com" target="_blank">Cisco</a>, <a href="http://www.juniper.net/" target="_blank">Juniper</a>, <a href="http://www.mcafee.com/" target="_blank">McAfee</a>, <a href="http://www.symantec.com/" target="_blank">Symantec</a>, <a href="http://www.trendmicro.com" target="_blank">Trend Micro</a>, and others are well protected.</li>
<li>We don&#8217;t know much about the extent of the breach, when it first occurred, how it transpired, how EMC/RSA discovered it, or how the company is addressing it with customers. Granted, there is probably an investigation going on right now that may involve diplomatic dialogue and international law enforcement cooperation. Nevertheless, we need to know as much as possible to understand what happened and how to prevent the next attack.</li>
<li>The open FTP site incident of a few years ago makes this breach much more difficult for EMC/RSA.</li>
</ol>
<p>EMC/RSA were the unfortunate victims of a security breach, but at least they discovered the problem, disclosed it, and are now in the process of assessing the scope and remediating the problem. I guarantee that a lot of other organizations with value based on intellectual property have also been breached, but don&#8217;t even know it. Every day, we lose more and more of our IP this way.</p>
<p>There is a lot of room for improvement across the board: in the IT industry, the federal government, the international community, etc. Hopefully, the EMC/RSA security breach will make us all more aware of how vulnerable we are and push us to finally respond.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/03/the-emcrsa-breach-what-it-means/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Taking IBM&#8217;s Pulse</title>
		<link>http://www.enterprisestrategygroup.com/2011/03/taking-ibms-pulse/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/03/taking-ibms-pulse/#comments</comments>
		<pubDate>Thu, 03 Mar 2011 14:08:53 +0000</pubDate>
		<dc:creator>Ginny Roth</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Compliance Management]]></category>
		<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Desktop End-point Security]]></category>
		<category><![CDATA[Ginny Roth]]></category>
		<category><![CDATA[Identity Crisis]]></category>
		<category><![CDATA[Identity and Access Management]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Managed Security Services]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[Dean Kamen]]></category>
		<category><![CDATA[Deka Research]]></category>
		<category><![CDATA[FIRST]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[Pulse]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=21005</guid>
		<description><![CDATA[Spending three days in Las Vegas can be a dangerous thing. But, I can honestly say for the first time I didn&#8217;t drop a single coin in a slot or sit at a card table. Quite frankly, I was busy getting a brain dump from IBM on its latest announcements and strategy for a &#8220;Smarter [...]]]></description>
			<content:encoded><![CDATA[<p>Spending three days in Las Vegas can be a dangerous thing. But, I can honestly say for the first time I didn&#8217;t drop a single coin in a slot or sit at a card table. Quite frankly, I was busy getting a brain dump from <a href="http://www.ibm.com" target="_blank">IBM </a>on its latest announcements and strategy for a &#8220;Smarter Planet.&#8221; As one would expect from IBM, the focus was on leveraging its products and integration expertise to achieve an efficient and optimized infrastructure. IBM was very effective in delivering its vision through consistent keynote messages delivered not only by IBM executives but by real customer success stories, and a live demonstration showing all the elements of IBM&#8217;s solutions delivered through a single dashboard.</p>
<p>As a security gal, what was really impressive was witnessing the renewed commitment IBM has made to making security an integral part of each of its solution deliverables. Just a few examples of the enhanced visibility I saw at the conference:</p>
<ol>
<li>A multi-threaded security track was added to the conference focusing on compliance, cloud, endpoint security (à la BigFix), identity management, and emerging threats. The sessions I went to were well attended, and it was clear that security is a growing segment of this conference.</li>
<li>IBM has elevated security within the company, with resources devoted to supporting security initiatives across all the IBM brands. This approach shows IBM&#8217;s seriousness about building security into the design and development of each of its products.</li>
<li>Speaking to Teresa Cook, Director of World Wide Security Marketing, it&#8217;s clear that IBM is focused on a strategy to assist customers with their security initiatives by emphasizing the ways that security can foster innovation rather than inhibit business.</li>
</ol>
<p>These are all encouraging signs, and I hope the security tracks continue to grow at next year&#8217;s conference. The sessions this year were full of success stories from customers who provided attendees with blueprints for implementing these solutions.</p>
<p>On another note, if you ever get the chance to hear Dean Kamen from Deka Research speak, it would be time well spent. Not only is he one of the great inventors of his time, but his passion for fostering and inspiring enthusiasm for technology in our youth through his <a href="http://www.usfirst.org/" target="_blank">FIRST </a>organization is truly impressive. In attendance at the keynote were youngsters from the local chapter of FIRST who received a rousing ovation from the conference attendees when they were introduced. This ovation fit in perfectly with the message Dr. Kamen wants to promote: celebrating technology in our country like we celebrate sports and entertainment. I would strongly encourage anyone who wants to get involved in sharing his/her enthusiasm for our industry and developing a passion for technology in our youth to look at the work FIRST is doing and volunteer. It would certainly be a fantastic journey.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/03/taking-ibms-pulse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Random Thoughts from the RSA Conference</title>
		<link>http://www.enterprisestrategygroup.com/2011/02/random-thoughts-from-the-rsa-conference/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/02/random-thoughts-from-the-rsa-conference/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 14:39:55 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[ArcSight]]></category>
		<category><![CDATA[attachmate]]></category>
		<category><![CDATA[barracuda networks]]></category>
		<category><![CDATA[Blue Coat Networks]]></category>
		<category><![CDATA[BMC]]></category>
		<category><![CDATA[CA]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[IT Operations]]></category>
		<category><![CDATA[Mobile computing]]></category>
		<category><![CDATA[NetIQ]]></category>
		<category><![CDATA[novell]]></category>
		<category><![CDATA[rsa conference]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Server Virtualization]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=20728</guid>
		<description><![CDATA[I&#8217;ve been in back-to-back meetings at the RSA Conference, which limits my time for blogging. Here is my brain dump for the day: The focus of RSA seems to be on cloud and mobile security. I get that these are hot areas with lots of marketing buzz but I have two problems here: Mobile security [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been in back-to-back meetings at the <a href="http://www.rsa.com/" target="_blank">RSA</a> Conference, which limits my time for blogging. Here is my brain dump for the day:</p>
<ol>
<li>The focus of RSA seems to be on cloud and mobile security. I get that these are hot areas with lots of marketing buzz, but I have two problems here:
<ol>
<li>Mobile security technology is relatively easy, but the weird triangulation between a user, an organization, and a service provider creates some interesting dynamics. Do I buy mobile security from my mobile carrier? If I do, does the corporate security group get engaged? Do I really want my company putting security software on my personal device? I&#8217;m not sure how this will be solved, but suffice it to say that this is different from my corporate PC.</li>
<li>I understand that we have to make the cloud secure before we will really embrace this model, but let&#8217;s face it: existing IT infrastructure isn&#8217;t secure. Why aren&#8217;t we talking about securing this first?</li>
</ol>
</li>
<li>RSA is mostly about security products, not security. I know, it&#8217;s a money thing, but I wish we would highlight more about use cases, reference architectures, and best practices and less about the latest security widget.</li>
<li><a href="http://www.hp.com" target="_blank">HP</a> and <a href="http://www.ibm.com" target="_blank">IBM</a> are way more focused on security than most people think. HP now considers security one of its five top business initiatives, and IBM has created a virtual security group headed by Steve Robinson with its own P&amp;L. Both companies can address what I call &#8220;big security&#8221; use cases like securing networked business processes, creating IT risk management best practices, or dealing with cybersecurity issues at critical infrastructure organizations. How many other security vendors at RSA can do this? Fewer than five.</li>
<li>Speaking of HP, the company is talking about a vision that merges ArcSight with HP operations software for further improvements to both IT service management and security automation. Cool stuff. If this takes off, it will be the exclusive domain of a handful of companies. <a href="http://www.bmc.com" target="_blank">BMC</a> could play, but it needs a security portfolio. <a href="http://www.ca.com" target="_blank">CA</a> could play, but it needs a better security portfolio. <a href="http://www.attachmate.com/" target="_blank">Attachmate</a> may be a wild card here with <a href="http://www.netiq.com/" target="_blank">NetIQ</a> and <a href="http://www.novell.com" target="_blank">Novell</a>.</li>
<li>There are a number of threat reports available, and most are pretty good. That said, <a href="http://www.bluecoat.com/" target="_blank">Blue Coat Systems</a> did a great job of presenting its web threat report yesterday. Very insightful and a worthwhile read.</li>
<li>Another buzz area is virtualization security, but this one is more real to me than others. Why? Virtualization security is pretty elementary today, based mostly on physical safeguards. While vendors are announcing virtual security products, they need to focus on education before they jump into technology. ESG research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security. Until they gain this knowledge, they won&#8217;t buy security tools. Time to teach the market how to fish.</li>
<li>When I think of security vendors, I almost never think of <a href="http://www.barracudanetworks.com/" target="_blank">Barracuda Networks</a>, but I have to give it credit for its manufacturing and distribution skills. Someone is buying these gateways.</li>
</ol>
<p>More tomorrow.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/02/random-thoughts-from-the-rsa-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers breach Nasdaq; trading systems not affected &#8211; SC Magazine US</title>
		<link>http://www.enterprisestrategygroup.com/2011/02/hackers-breach-nasdaq-trading-systems-not-affected-sc-magazine-us/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/02/hackers-breach-nasdaq-trading-systems-not-affected-sc-magazine-us/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 16:37:17 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Identity and Access Management]]></category>
		<category><![CDATA[In The News]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[NASDAQ]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=20516</guid>
		<description><![CDATA[“This breach is yet another example of what cybersecurity is all about,” Jon Oltsik, principal analyst at Enterprise Strategy Group, wrote in a blog post Monday. via Hackers breach Nasdaq; trading systems not affected &#8211; SC Magazine US.]]></description>
			<content:encoded><![CDATA[<p>“This breach is yet another example of what cybersecurity is all about,” Jon Oltsik, principal analyst at Enterprise Strategy Group, wrote in a blog post Monday.</p>
<p>via <a href="http://www.scmagazineus.com/hackers-breach-nasdaq-trading-systems-not-affected/article/195850/" target="_blank">Hackers breach Nasdaq; trading systems not affected &#8211; SC Magazine US</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/02/hackers-breach-nasdaq-trading-systems-not-affected-sc-magazine-us/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity and Networking</title>
		<link>http://www.enterprisestrategygroup.com/2011/01/identity-and-networking/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/01/identity-and-networking/#comments</comments>
		<pubDate>Tue, 25 Jan 2011 20:12:42 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[802.1x]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[DEN]]></category>
		<category><![CDATA[Extreme Networks]]></category>
		<category><![CDATA[identity-driven networking]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[Juniper Pulse]]></category>
		<category><![CDATA[NAC. NAP]]></category>
		<category><![CDATA[RADIUS]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=20233</guid>
		<description><![CDATA[For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like &#8220;identity-driven networking.&#8221; I first heard this concept in the late 1990s when Cisco came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that [...]]]></description>
			<content:encoded><![CDATA[<p>For the past 15 years or so, the networking industry has been hinting at a vision with a snappy title like &#8220;identity-driven networking.&#8221; I first heard this concept in the late 1990s when <a href="http://www.cisco.com/" target="_blank">Cisco</a> came up with its own spin on this theme with an initiative called Directory Enabled Networking (DEN). The thought was that the network would query the directory and enforce access control policy based upon the user properties stored there. Cisco nailed the vision and was way ahead of its time.</p>
<p>So what&#8217;s happened since? Things were slow and spotty for a while, with a few hints of innovation. Broadband access led to VPNs. Wireless networking led to the need for 802.1X authentication of devices joining the network. Worm storms in 2004 led to a flurry of activity around Cisco&#8217;s Network Admission Control (NAC) and <a href="http://www.microsoft.com" target="_blank">Microsoft</a>&#8217;s Network Access Protection (NAP) to keep &#8220;unhealthy&#8221; PCs off the network. Each of these advanced the cause, but rather than fulfilling the identity-driven network vision, they were really tactical solutions.</p>
<p>Fast forward to 2011: the industry has moved on to 40/100Gb Ethernet, IPv6, virtualization, and cloud computing, so you don&#8217;t hear much about identity-driven networking anymore&#8211;but in point of fact, the vision is coming together. Networks can now recognize multiple types of devices, network location, and user attributes, and enforce policies on all three. Critical application traffic can be prioritized on a user-by-user basis while other applications can be blacklisted or rate limited based upon users and groups. VPN access is now largely automated: no more manually launched IPsec clients, user names, or passwords; the client authenticates and builds the tunnel on its own, and you can get to the network resources you want from wherever you are.</p>
<p>A few leading examples include Cisco AnyConnect VPN, <a href="http://www.juniper.net/" target="_blank">Juniper</a>&#8217;s Pulse Client and the Funk Software RADIUS server, and <a href="http://www.extremenetworks.com" target="_blank">Extreme Networks</a> Identity Manager.</p>
<p>We are quickly moving to the service paradigm of identity management, where entities like users and devices connect to network services for connectivity, application access, printing, etc. Cloud computing will only accelerate this transition. In this type of architecture, networks have to play a role in &#8220;knowing&#8221; who or what wants network access, enforcing policies based upon this information, and then optimizing good traffic and blocking bad traffic. It is nice to see that we are making real progress.</p>
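<p>To make the &#8220;knowing who or what wants access, then enforcing policy&#8221; architecture concrete, here is an added example (not from the original post, and not any vendor&#8217;s code) of the decision a NAC or RADIUS policy server makes when an endpoint attaches. It evaluates posture first (the NAC/NAP &#8220;unhealthy PC&#8221; case from above), then maps directory groups, device type and location to a VLAN, traffic class, rate limit and application blocklist, and fails closed when nothing matches. The attribute names, group names and VLAN numbers are hypothetical.</p>

```python
"""
Identity-driven network access policy evaluator (added illustrative example).

Attribute names, group names and VLAN numbers are hypothetical; real policy
servers take these from RADIUS attributes and directory lookups.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    """What the network learns about an endpoint at connect time."""
    user: Optional[str]      # None for headless devices such as printers
    groups: frozenset        # directory group memberships
    device_type: str         # 'laptop', 'phone', 'printer', 'unknown', ...
    posture_ok: bool         # health check passed (patched, AV running, ...)
    location: str            # 'campus', 'branch', 'remote'
    authenticated: bool      # 802.1X / VPN authentication succeeded


@dataclass(frozen=True)
class Decision:
    """Enforcement pushed to the switch port, AP or VPN concentrator."""
    action: str                        # 'allow', 'quarantine', 'deny'
    vlan: Optional[int] = None
    qos_class: str = "default"
    rate_limit_kbps: Optional[int] = None
    blocked_apps: frozenset = field(default_factory=frozenset)
    reason: str = ""


# Hypothetical segment numbers for this example.
QUARANTINE_VLAN = 999   # remediation servers only
STAFF_VLAN = 100
FINANCE_VLAN = 110
GUEST_VLAN = 200
PRINTER_VLAN = 300


def evaluate(req: AccessRequest) -> Decision:
    """Return the enforcement decision for one access request (fail closed)."""
    # 1. No proof of identity means nothing to base a policy on: deny.
    if not req.authenticated:
        return Decision("deny", reason="authentication failed")

    # 2. Posture before privilege: an unhealthy endpoint is quarantined even
    #    when its user is highly privileged (the NAC/NAP 'unhealthy PC' rule).
    if not req.posture_ok:
        return Decision("quarantine", vlan=QUARANTINE_VLAN,
                        rate_limit_kbps=512, reason="posture check failed")

    # 3. Headless devices get a narrow, device-specific segment.
    if req.device_type == "printer" and req.user is None:
        return Decision("allow", vlan=PRINTER_VLAN, reason="known device class")

    # 4. User-based policy, most specific (most privileged) group first.
    if "finance" in req.groups:
        # Remote finance users keep their segment but lose file sharing.
        blocked = {"p2p"} if req.location != "remote" else {"p2p", "smb"}
        return Decision("allow", vlan=FINANCE_VLAN, qos_class="business-critical",
                        blocked_apps=frozenset(blocked), reason="finance policy")

    if "staff" in req.groups:
        # Phones on the staff segment are allowed but rate limited.
        limit = 2000 if req.device_type == "phone" else None
        return Decision("allow", vlan=STAFF_VLAN, qos_class="business",
                        rate_limit_kbps=limit, blocked_apps=frozenset({"p2p"}),
                        reason="staff policy")

    if "guest" in req.groups:
        return Decision("allow", vlan=GUEST_VLAN, qos_class="best-effort",
                        rate_limit_kbps=5000,
                        blocked_apps=frozenset({"p2p", "smb"}),
                        reason="guest policy")

    # 5. Authenticated but in no known group: deny rather than guess.
    return Decision("deny", reason="no matching policy for identity")


if __name__ == "__main__":
    # Constructed sample requests, not captured from a real network.
    samples = [
        AccessRequest("alice", frozenset({"staff", "finance"}), "laptop", True, "remote", True),
        AccessRequest("alice", frozenset({"staff", "finance"}), "laptop", False, "campus", True),
        AccessRequest(None, frozenset(), "printer", True, "campus", True),
        AccessRequest("bob", frozenset({"staff"}), "phone", True, "campus", True),
        AccessRequest("mallory", frozenset({"contractors"}), "laptop", True, "branch", True),
    ]
    for s in samples:
        print(s.user, s.device_type, s.location, "->", evaluate(s))
```

<p>The ordering is the point a practitioner should take away: authentication, then posture, then identity. A privileged user on an unpatched laptop lands in the quarantine VLAN regardless of group membership, and an authenticated user whose groups match no rule is denied instead of being dropped into a default segment.</p>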
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/01/identity-and-networking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Attention RSA Conference: Let’s Not Dwell on Cloud Security!</title>
		<link>http://www.enterprisestrategygroup.com/2011/01/attention-rsa-conference-lets-not-dwell-on-cloud-security/</link>
		<comments>http://www.enterprisestrategygroup.com/2011/01/attention-rsa-conference-lets-not-dwell-on-cloud-security/#comments</comments>
		<pubDate>Mon, 24 Jan 2011 15:59:04 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Identity and Access Management]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security controls]]></category>
		<category><![CDATA[security threats]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=20173</guid>
		<description><![CDATA[The 2011 RSA Conference is only three weeks away, so the entire security industry is gearing up for this annual gathering of paranoid geeks. As an analyst, I&#8217;ve been getting lots of e-mail about what vendors will discuss at the event and I&#8217;ve also spent a bit of time perusing the conference website. This activity [...]]]></description>
			<content:encoded><![CDATA[<p>The 2011 <a href="http://www.rsaconference.com/" target="_blank">RSA Conference</a> is only three weeks away, so the entire security industry is gearing up for this annual gathering of paranoid geeks. As an analyst, I&#8217;ve been getting lots of e-mail about what vendors will discuss at the event and I&#8217;ve also spent a bit of time perusing the conference website.</p>
<p>This activity leaves me a bit concerned. Why? There seems to be a tremendous focus on cloud security at this year&#8217;s event: all kinds of &#8220;voyage to the cloud&#8221; rhetoric, how security is the biggest hurdle, and a plethora of tools, technologies, and services aimed at addressing cloud security.</p>
<p>Now don&#8217;t get me wrong; cloud security is an important topic. There is a tremendous amount of brainpower and investment going into cloud computing. Yes, we will get to a cloud computing model over time, and security is truly a stumbling block. This issue is being addressed by organizations and programs like the Cloud Security Alliance (CSA) and the US government&#8217;s Federal Risk and Authorization Management Program (FedRAMP). My issue isn&#8217;t with the topic per se; it is with the prioritization of the topic. When ESG asked 611 European and North American IT professionals to define their top IT initiatives for 2011, 16% responded with &#8220;increase the use of cloud computing services.&#8221; This was the 12th most popular answer, well below such things as &#8220;increase use of server virtualization&#8221; (30%), &#8220;manage data growth&#8221; (24%), and &#8220;major application or deployment&#8221; (23%).</p>
<p>We certainly need to be proactive with cloud security, but let&#8217;s not get carried away with addressing future risks when we are swimming in so many current ones. In the recently published ESG Research Report, <a href="http://www.enterprisestrategygroup.com/2010/11/cyber-supply-chain-security-research-report/" target="_blank"><em>Assessing Cyber Supply Chain Security Risks Within the US Critical Infrastructure</em></a>, 68% of cyber security professionals working at critical infrastructure organizations believed that the threat landscape is worse today than it was two years ago. When the entire security community gets together at RSA, shouldn&#8217;t we be focused on why security professionals feel this way and what we can do to address this increasing threat landscape?</p>
<p>If I were running the show, here are some of the things I&#8217;d focus on:</p>
<ol>
<li><strong>Sophisticated and evolving threats.</strong> We all need a better understanding of our adversaries&#8211;who they are, what they do, and how they think. A new piece of malware is created every 1.5 seconds. Shouldn&#8217;t we dedicate security brainpower to this real problem?</li>
<li><strong>Creating, monitoring, and enforcing security controls.</strong> The security industry is too hung up on products. We need more discussion on sound policies, processes, and controls&#8211;not just the latest threat management widget du jour.</li>
<li><strong>Security management.</strong> Closely related to number two, we need better ways of collecting, analyzing, and reacting to an avalanche of IT data.</li>
<li><strong>Identity.</strong> This issue gets more dicey each year. We need to talk more about the people and devices that interact in cyberspace and how to better control these relationships.</li>
</ol>
<p>I understand that security vendors want to make money and that PR and hype are a big part of the technology market. That said, we as a security industry must recognize that we aren&#8217;t selling PCs, gaming software, or disk drives. If we can&#8217;t secure our existing networks and databases, will any responsible organization ever move to cloud computing?</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2011/01/attention-rsa-conference-lets-not-dwell-on-cloud-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

