Tuesday, November 26, 2013

Last week's security vibes

It has been quite a while! Let me recap selected security news from vendors I’ve talked with in the past couple of weeks to get up to date with current events. In most cases I had to wait for their embargoes to lift – my apologies if I have announced anything early J!

Palo Alto Networks and VMware announce that next generationfirewalls from PAN will embrace VMW’s NSX to secure traffic between virtualmachines as well as between virtual data centers. I thought this was great as it allows vCenter to orchestrate application security policy both within and between perimeters. In the long run, with software defined networks, security policy will have to travel with the application to be enforced locally. This agreement nicely positions Palo Alto and VMware toadd much needed flexibility in securing applications as they evolve from physical to virtual to cloud environments. Love this one!

NetCitadel announced ThreatOptics to enhance an organization’s ability to respond to incidents. What I like about the vision is that instead of layering analytics on mountains of SIEM data, NetCitadel kicks off when a network sandbox such as FireEye or Palo Alto Networks WildFire reports an anomaly. ThreatOptics then reaches out to affected endpoints with a dissolvable agent to grab detailed host information that it can then combine with what the network sees to give security organizations better intelligence to prioritize and respond to incidents. I believe that launching investigations based on observed suspicious behavior is a concept with impact – it will be fun to watch NetCitadel run with it!

Mojave Networks, nee Clutch Mobile, is stepping beyond mobile device management to offer a cloud-based security service for mobile devices. This makes perfectly intuitive sense to me - as most of the action for mobile and tablet devices takes place in the cloud that’s where security should be! Dumping a lot of security apps onto your device can’t be the right approach with issues of battery life, compatibility with popular applications, and constant upgrades. I like where Mojave is going and the team they’ve assembled. I wish they would extend their focus beyond small and medium enterprises to address larger security concerns of larger enterprises, but the market will soon speak to that.

Adallom is a freshly launched company with a clever idea to protect SaaS applications. It is a tough problem as IT needs to protect the business, but does not need to get involved in personal use issues. The Adallom solution piggybacks on the identity process to audit cloud activity and implements heuristic profiles similar to those that have proven successful in detecting credit card fraud. The company still needs to execute, but they have a great idea and experienced leadership so I look for more from this exciting company as they move forward!

Prelert announced Anomaly Detective 3.0, a special Splunk application that, based on learning a machine’s and network’s normal behavior, promises to reduce a high volume of security alerts to an actionable level of incidents. It is an interesting approach to combat the flood of data and alerts that security teams now have to deal with. I like Splunk a lot (as do lots of others) partly because of the balance it strikes in delivering value to both IT and security operations. It looks like Prelert is going to stick to its security roots, but the Splunk bandwagon is a good one to hitch onto.

Thursday, October 31, 2013

Happy to be blogging with Computerworld (again)!

Every now and then you get lucky enough to be able to correct an unfortunate decision. For some time I had enjoyed posting my thoughts, opinions and recommendations on Computerworld’s security blog, building up a nice following in the process.

Thanks to the kindness of Computerworld’s editorial team, who honestly already gets an amazing amount of work done, I have returned to the beat with weekly contributions. I am looking forward to the coming year and I hope to see you there!

The first posting talks about threat reports and I hope you enjoy it:

Friday, June 7, 2013

Decision time! Choosing the right firewall analysis approach for you

I am hearing feedback that organizations are checking out Firewall Analysis vendors to save time satisfying firewall change requests and to increase the security quality of each change (e.g. reducing errors that create gaping holes or disrupt application services). These organizations get the operational efficiency benefits, but are unsure whether to prioritize application-oriented Firewall Analysis or threat path-oriented Firewall Analysis, to use terms from my recent Firewall Analysis Saves Time Keeping Application Paths Clear report.

The answer is very clear: firewalls are in place to secure access to applications. That is job 1. Period. You should be prioritizing your evaluations on application-oriented Firewall Analysis solutions because that is what your business most needs right now and in the coming years. Firewall changes are driven by the demands of users and applications – it is simply practical to align Firewall Analysis criteria to meet these demands.

You would think the application-oriented issue would be the thousands of applications organizations need to make accessible to a large mobile user community. And to a certain extent you would be right as users will feel the brunt of application service disruptions. Ironically enough, it is the back-end complexity of applications that causes the security headaches. Applications now consist of connected web servers, databases, application engines, load balancers, and gateways – many of which are transient virtual images, deployed in corporate data centers, or distributed throughout the cloud. Leveraging your understanding of the relationships of the entire application environment in maintenance of firewall rule sets is critical in creating effective rules and in avoiding creating over permissive access which could leave a security hole to critical resources undetected for far too long a time. Application-oriented Firewall Analysis will help you secure the entire application environment and save you considerable administrative time.

On the other hand, I am not a big fan of threat path analysis as part of a vulnerability management strategy. And I want to be. The premise is that you do not have to patch key vulnerabilities in servers if threats cannot reach those vulnerabilities, or must pass through an IPS in transit. It is a security form of alchemy, sounding obvious and beautiful until you think it through a little bit. No matter how many hops you analyze, attacks are going to defeat pattern-matching security filters and somehow reach a vulnerable server tucked away in the darkest corner of your data center. They always do. And now your threat path analysis is worthless. Can you imagine your CISO telling the board that vulnerability management of sensitive servers was given a low priority because a threat path analysis vendor told him/her that an attack could not reach those servers? Me neither and I have yet to talk with any enterprise security executive that thinks this is a valid approach. Threat path analysis can help you audit your network for security AV and IPS filters, or trace where an attack may have leapt to from an infected server, but will only be able to help you once or twice a year. For vulnerability management however, I don’t buy it and neither should you.

Just think about what your most common firewall related help desk tickets say. Probably “I cannot access my application” or “My application performance is terrible” top the list. You are probably not getting a lot of requests to leave serious vulnerabilities in critical servers un-patched. If you must go with threat path-oriented vendors, know that you will only use them once a year or so to make sure all network segments pass traffic through security filters. My advice to you is to start with a strategy of application-oriented Firewall Analysis that will protect your business, keep users happy, and save you time every single day.

Tuesday, June 4, 2013

Webinar: Achieving Continuous Diagnostics & Monitoring

Clear your calendar for tomorrow afternoon's ForeScout webinar based on the government's CDM initiative!

The federal government has created budget for agencies to step up to the challenge of continuous security. I refer to it as continuous compliance, but someone smarter than me saw the potential for a TLA (aka three letter acronym). It is an interesting topic and a good chance to talk about how the network is driving real-time vigilance of the infrastructure. I hope you can listen in at 2:00ET/11:00PT.

Tomorrow will also be the anniversary of Tiananmen Square's unknown rebel. The cyber-security metaphors are just too good to pass up. I start by thinking of the unknown rebel as a CSO :).

Sunday, May 12, 2013

Firewall Analysis Saves Time Keeping Application Paths Clear report is out!

The Firewall Analysis Saves Time Keeping Application Paths Clear report is complete and available!

Please contact me for more info. The teaser is:

Firewalls rely on IT-defined rules in allowing authorized application traffic to flow unencumbered between data centers and users while preventing undesirable traffic from entering the corporate network. These rules, which can number in the thousands per firewall, prescribe allow/deny decisions based on sources, destinations, and the services provided. The more complex the network, the more complex the firewall rule sets, and the more likely IT will encounter disruptive side-effects when changing firewall rules to secure application access.

The primary reason to analyze firewall rule sets is to identify logic errors opening security gaps, violating compliance policies for segmenting regulated data, preventing subsequent rules from firing, or rules becoming obsolete due to changes in business services. This leads to business benefits in managing network complexity such as:

• Drive operational costs out of making changes to firewall rule sets by reducing errors, automating compliance reporting, and recommending effective rules based on application requirements.
• Accelerate application deployment cycle times by streamlining firewall change processes to a matter of hours.
• Enable an orderly evolution to application-centric security management for next generation firewalls as well as traditional deployed firewalls.
• Model the impact of new rules before a change is approved to protect against errors that could block application paths.
• Maintain a secure audit log of firewall rules changes to document all changes for compliance reporting.

Firewalls connect businesses to the Internet. It is the one security technology that truly enables a stronger business by securing application paths to users. The Ogren Group believes it is critically important for organizations to apply technology to help manage accuracy and instill a change process to control operating costs with increasing complexity in networks and firewall rule sets.

It is far from certain that firewall analysis will be more than a niche market with room for multiple vendors. Firewall analysis vendors are branching into application security motivated by next generation firewall concepts, enterprise security management to reduce operational costs, and threat assessment based on path analysis. The Ogren Group applauds AlgoSec, SolarWinds and Tufin for their vision and execution in Firewall Analysis.

In this report, the Ogren Group presents the features, life cycle, and market strategy of Firewall Analysis. The report concludes with recommendations for vendors and the enterprise buyers they covet.

Wednesday, March 20, 2013

Early Vibe: Skyhigh Networks

I was very impressed with this year’s RSA Conference – not only was the energy level of 24,000 attendees up over previous years, but I also witnessed more innovation on the exhibition floor than I had seen for a very long time. One of the companies I enjoyed talking with, thanks to a tip from my friend Rich B., was Skyhigh Networks. Skyhigh launched on the Monday of RSA so they get the prize for my earliest Early Vibe ever!

Skyhigh offers a subscription service based on firewall logs to identify cloud services accessed from within the network. Most companies have no visibility, and thus no control, over the cloud applications users access from within the corporate network. I find IT usually knows personal use of email, social sites, and data storage is happening, but IT is often stunned when they learn the magnitude of the usage. And of course, there are always the security benefits of detecting use of unauthorized applications, checking out security reputations of applications that are used for the first time, planning training needs for secure use of cloud apps, and prioritizing heavily used applications for renewal negotiations.

My understanding of how it works is firewall log data is delivered up through the cloud, where Skyhigh matches addresses with domains and applications within domains (e.g. granularity for Salesforce or Facebook apps), and security gets a lovely dashboard of cloud application usage patterns. Skyhigh has a cool idea to offer analysis of cloud applications and user behavior as a service that gives Skyhigh a ton of flexibility to deliver new security applications.

Monday, March 11, 2013

Network Access Control: A Strong Resurgence is Underway

Security analyst firm the Ogren Group today released its vendor market forecast and market analysis security report Network Access Control: A Strong Resurgence is Underway.

To buy Ogren Group Security Reports or reprint rights please send mail to eric@ogrengroup.com.

Analyst Comment

The ability to detect and characterize users and devices connecting to the network, and enforce security policies based on real-time assessments, is a huge benefit for enterprises requiring security and compliance for mobile users. The NAC roots of segmenting guests and unhealthy endpoints from sensitive data is fueling growth with BYOD and wireless initiatives along with demands for continuous endpoint compliance.

The NAC market has not only revived, but is experiencing a strong resurgence - the Ogren Group estimated the market for Network Access Control products and services was $392 million in 2012, and predicts it will grow at a 22% CAGR to $1,061 million by 2017. Cisco, ForeScout, and Juniper combined represent over 70% market share and are the clear leaders in the NAC market.

Security Report Summary

The Ogren Group interviewed major vendors and security officers at large organizations in examining the Network Access Control market. This Security Report presents the features, market strategy, future directions, and recommended vendors for NAC. In addition to Cisco, ForeScout, and Juniper, the Security Report also profiles
Aruba, Bradford, StillSecure, and TrustWave. The report structure is:

Executive Summary
Economic Drivers of NAC Resurgence
Technical Drivers of NAC Resurgence
Noteworthy NAC Features
Noteworthy NAC Weaknesses
Selected Vendor Profiles
Network Infrastructure Vendors
Software Infrastructure Vendors
Independent Vendors
Niche NAC Vendors
NAC Roadmap
Enterprise Recommendations
Vendor Recommendations
Directions and Predictions

Upcoming Ogren Group Research in 2013

Firewall Analysis: Keep Application Paths Clear
Endpoint Security Advances: Protect Un-trusted Systems
BYoD: Security Answers the Bell
Incident Response Strategies: Detect and Act!
Virtualization Impact on Security: Is It a Game Changer?
Spotlight on Threat Intelligence: Get a Head Start on Threats

Tuesday, February 12, 2013

Security Training? Seriously.

It is no secret that many CSO's acknowledge the inevitability of attacks penetrating security defenses. You are all challenged with enabling the user community to participate in security and to make healthy security decisions on their own. The continuous training of end-users on the latest security issues should be a fundamental element of every security strategy to ward off security incidents.

According to Wombat Security, 48% of organizations report difficulty in funding security training programs and 44% report difficulty encouraging employees to take security seriously. This is an unacceptable position in these days of mobile and cloud computing that places so much of the business beyond the protective reach of your IT and security teams.

Perhaps it is time for organizations to re-think their approach to security training. It is not a matter of sitting through an annual seminar lecture, or being forced to read policy documents and sign security pledges. CSOs love activating business users for a healthy business - integrating security training with employee education is consistent with that mission. With that in mind, here are three thoughts that may help you with a security training program.

1. Work with applications teams and human resources to embed security awareness into the business. Users are just not into security training for security's sake. For instance, you could allow cloud-based application training to include a few modules on mobile security. Users learn how to do their business better and improve their security awareness too!

2. Design metrics into the security training program. Your executive team will want to know how an investment in security training will help manage risk and drive the business - so build in measurements to help manage the program! For example, compare security trained and un-trained users on the ability to recognize phish messages, redirections to rogue websites, risky applications, etc. You should expect that trained users will be less apt to be duped by new threats.

3. Include a few security best practices that are designed for home use. Face it, most of your user base have families with a younger generation that uses apps that your employees know little about. Including security awareness tips designed for home appeal may provide additional incentive for your users to learn a bit more about security issues.

Finally, be careful about relying too heavily on “test moments”, where you capitalize on a security incident as justification to drive home security messages. While these are important, and you need to help users understand what they may have done more securely, you also want to keep your focus ahead of the curve and next attack.

Good luck!

Wednesday, August 22, 2012

Bringing secure workspaces to USBs

Kingston Digital has successfully applied its pedigree in flash memory products to become one of the leading suppliers of cryptographically secure USB devices. Its DataTraveler product line starts at a basic personal-use level, and then extends up to a full FIPS 140-2 Level 3 certified device. Each release of a USB device undergoes third party security penetration testing to help ferret out vulnerabilities before customer deployment.

The real thing I like, and yes I have yet again buried the lede, is Kingston’s partnership with Microsoft to put a manageable Windows To Go on a USB. This is a pretty cool evolution. I’ve always been a big fan of a secure workspace solution on a USB for remote access – operating system, VPN client, storage, and authentication – such as Check Point GO or the Imation IronKey offering. This new capability with Microsoft has the potential to cut IT support costs for mobile workforces and give IT choices in a Windows deployment models.

One of the big hurdles with secure workspaces is phoning home for software updates and configuration changes. MokaFive was an early pioneer in the use of the cloud to update virtual images. With the Microsoft partnership I expect Kingston to offer management through Active Directory services. Perhaps integrating with VDI in a box products from folks like Citrix VDI in a Box, Pano Logic Quickstart or VMware View will give USB form factors more traction in small and medium businesses – we’ll see! But for now I like the evolution of virtual workspaces from solving remote access security requirements to reducing desktop support costs.

Friday, July 13, 2012

Recommending ShareFile

This week I gained more experience than I really wanted in using file sharing services. Fortunately, ShareFile by Citrix saved the day for me after a few other approaches did not work at anything more than wasting my time. Thanks to them I was able to get a large file - greater then Gmail's 25Mb size limit - to a client before my deadline!

I was recording the audio track of a Putting Compliance to Work in a Virtualized World webcast for TechTarget on my iPad. The WavePad software generated a 32Mb MP3 file that I then had to deliver to Mr. Parizo (who performed some editting before posting it behind a registration page for TechTarget subscribers). I have to admit that I am a complete klutz when it comes to using new tools - my brain has become finely tuned at always choosing the wrong options and I had a lot of issues with poor user interfaces from other products.

But let's focus on how to do it right. I loved the ShareFile experience. A simple registration page got me started, using the "browse files" button to upload my MP3 was a snap, and the simple shortened link supplied for me was the perfect thing to mail off. Citrix also followed up a personalized note for support if needed and a customized login screen. I shouldn't be surprised based on my GoToMeeting experiences, but the ease of use and the high level of service really sets ShareFile apart. In any event, my client was able to download the MP3 file and we were off and running. I'm guessing the whole process took less than 30 minutes. This is the way cloud apps should be - if you are looking at sharing files without clogging up mailboxes, then check out ShareFile.

Tuesday, July 3, 2012

Become Flame Retardant: Blend Defense Layers

It surprises me that there is not a greater sense of concern across the security industry, as the ramifications of the Flame malware attack become clearer. This attack strikes at the very tenets of traditional security practices – weaknesses in anti-virus processing, trust chains of certificates, and tardiness in patching. The following ideas were refined during interesting discussions with Bit9, Venafi, and enterprise friends who wish to remain anonymous. By now, most of you have read Mikko Hypponen’s heart-felt emotions on AV being torched by Flame, even though all of the detection signs were there. One of the sustaining worries about targeted attacks such as Flame is the developers are highly certain that the attack will pass under the radar screens of AV researchers because they are not widespread outbreaks, they carry their own communications capability, and they lie dormant for a while so the attack code can penetrate. AV companies detect millions of new attacks per day (!), and must use some automated triage filters to reduce the number of samples passed on to skilled humans. It is unreasonable to expect humans to lay eyes on every single malware sample, but the malware industry designs targeted attacks knowing they will slip through the filters. Organizations with whitelisting products – especially on external-facing servers – report resilience to Flame. You are really missing a key element of a defense-in-depth strategy if you are not using whitelisting. If nothing else, sprinkle whitelisting on various endpoints so you can detect infections and drift out of compliance by comparing machines against the whitelist-established baselines. Certificates form the foundation of identity trust. I call this the circles of paranoia – Something like, “this authority confirms that this person is who they say they are, and this other authority confirms that the first authority can be trusted, and … ah the heck with it – they can’t all be lying can they?” Well, if you have based your trust model on MD5 certificates, then they can be lying. Flame took advantage of MD5 to create a certificate allowing a rogue software update facility to appear as a trusted Microsoft service. There is no network- or host-based scanner that would have detected that malicious communication. IT teams need to ferret out MD5 certificates and especially applications that generate MD5 certs and upgrade those to the latest SHA recommended standards. Assume even the internal-facing applications are at risk. In fact, Flame provides great incentive to re-examine certificate management policies with an eye to shortening cert lifecycles – making any hash-collision operation less attractive. Finally, and I seem to say this with every new attack, the best course of action is to close vulnerabilities with timely patching. It has been more than a decade since I collaborated with Qualys on the Laws of Vulnerabilities, and it seems that the half-life of a vulnerability curve is resistant to flattening (meaning the time to patch systems isn’t improving much). Patch technology has vastly improved – check out Lumension or eEye to complement Microsoft’s Windows Update Services. And if modifying a production application is unappealing, then Virtual Patching from Trend Micro may be the answer for you, or heck periodically replace whole images with updated copies via application virtualization from people like Citrix and VMware. The bottom line is that committed attackers will always be able to defeat AV scanners, so finding other approaches to closing vulnerabilities or blocking attack execution is now pragmatic. Refreshing images and certificates is also worth investigating.

Wednesday, June 27, 2012

Brian Prince's eWeek article on MS Surface

Microsoft's Surface is sure to have an impact for organizations looking to empower mobile workers with Windows applications. The BYOD revolution will challenge every security team - especially those wishing to exert control. You can read my quotes on the BYOD trend here.

Friday, June 22, 2012

BYOD - unchaining the workforce

Fortinet briefed me earlier this week on the worldwide BYOD survey they conducted. BYOD is getting a lot of airtime this year and I have honestly been a fan of BYOD for decades if you consider a home PC with a dial-up modem to be a computing device sharing personal and professional uses. I’m not even sure the trend should be called Bring Your Own Application. Sure, the virtualization people love that, but it does not capture the spirit of being able to access applications from anywhere, whenever it is most convenient. There is no question that mobile devices – phones and tablets – are driving the trend along with the easy availability of cloud-based applications. But for now let me stick with BYOD. Anyway, Fortinet does a lot of really good security things in high performance devices. The BYOD trend truly amplifies the need for next generation application security in the network which aligns with Fortinet’s business. It certainly makes sense – you cannot expect a personal device to have all of the security protections that an IT-controlled PC would have. Organizations should be looking at next-gen capability to help free the workforce. The survey of 3872 people between the ages of 20 and 29 was pretty interesting. I loved the fact that 66% of respondents selected “I am ultimately responsible” when questioned about the security of their personal device used for business. That is a healthy response and, correlating with questions about data and application security, encourages me that new approaches to security that maintain user freedoms will be well received. I also liked how Fortinet articulates how personal and business lives remain largely separated (40% chose this first) with social networking applications, but drops as the applications become more focused (email at 23%). My least favorite question was “Of the following what do you think are the greatest risks TO YOUR ORGANISATION if you use your own devices in work, or for work?” The leading response at 46% was “Potential for greater time-wasting on personal activities during work hours”. To me, this is not the job of security, cannot be a compelling purchase criteria for security, and the thought of positioning security as cracking down on users scares me. I was surprised that only 42% chose “Potential for greater exposure to IT threats and the theft/loss of confidential data” – I expected that to be number one. A thought provoking survey by Fortinet – always a good thing!

Tuesday, June 19, 2012

ForeScout offerring an enlightened NAC commentary

From Day One I felt that NAC was terribly positioned as a "lock out bad guys" technology. To me it has always been an "automate endpoint protection" technology that would appeal to all size companies. Back in the day this was the excitement I felt when talking with Mitchell from StillSecure, Stacy from InfoExpress, and the Arvin/Irene/Rohit triumvirate at Perfigo. Unfortunately, somewhere along the way the NAC vendors all started tilting at the absolutely wrong windmills. I am pleased to say that NAC is now doing much better, and is sorting itself out - I would peg the segment at about $300M in 2012 revenues. One of those vendors that figured it out is ForeScout that has been doing quite well thanks to unique technology, focus on security automation, inclusion of mobile devices, and enthusiastic customer references. You can read a bit of what I think about ForeScout here!