Sunday, May 12, 2013

Firewall Analysis Saves Time Keeping Application Paths Clear report is out!

The Firewall Analysis Saves Time Keeping Application Paths Clear report is complete and available!



Please contact me for more info. The teaser is:

Firewalls rely on IT-defined rules in allowing authorized application traffic to flow unencumbered between data centers and users while preventing undesirable traffic from entering the corporate network. These rules, which can number in the thousands per firewall, prescribe allow/deny decisions based on sources, destinations, and the services provided. The more complex the network, the more complex the firewall rule sets, and the more likely IT will encounter disruptive side-effects when changing firewall rules to secure application access.

The primary reason to analyze firewall rule sets is to identify logic errors: rules that open security gaps, rules that violate compliance policies for segmenting regulated data, rules that prevent subsequent rules from ever firing, and rules that have become obsolete as business services change. This leads to business benefits in managing network complexity such as:

• Drive operational costs out of making changes to firewall rule sets by reducing errors, automating compliance reporting, and recommending effective rules based on application requirements.
• Accelerate application deployment cycle times by streamlining firewall change processes to a matter of hours.
• Enable an orderly evolution to application-centric security management for next generation firewalls as well as traditional deployed firewalls.
• Model the impact of new rules before a change is approved to protect against errors that could block application paths.
• Maintain a secure audit log of firewall rules changes to document all changes for compliance reporting.

Firewalls connect businesses to the Internet, and they are the one security technology that truly enables a stronger business by securing application paths to users. The Ogren Group believes it is critically important for organizations to apply technology that helps manage rule accuracy, and to instill a change process that controls operating costs as networks and firewall rule sets grow more complex.

It is far from certain that firewall analysis will be more than a niche market with room for multiple vendors. Firewall analysis vendors are branching into application security motivated by next generation firewall concepts, enterprise security management to reduce operational costs, and threat assessment based on path analysis. The Ogren Group applauds AlgoSec, SolarWinds and Tufin for their vision and execution in Firewall Analysis.

In this report, the Ogren Group presents the features, life cycle, and market strategy of Firewall Analysis. The report concludes with recommendations for vendors and the enterprise buyers they covet.
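The logic errors the report describes (a rule that can never fire because an earlier rule covers it, and a change that silently blocks an application path) are easy to check mechanically on a first-match rule set. As an added example (not code from the Ogren Group report or any vendor product), a small analyzer over a constructed rule set; the rule names and addresses are assumptions.

```python
"""First-match firewall rule-set analyzer: finds shadowed rules (a later rule
that can never fire because an earlier rule already covers everything it
matches), separates harmless redundancy from a real conflict, and models
whether a proposed rule would cut an application path that works today.
Added example; not code from the Ogren Group report or any vendor product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR, e.g. "10.0.0.0/8"
    dst: str      # CIDR
    service: str  # "tcp/443", "udp/53", or "any"
    action: str   # "allow" or "deny"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.service in ("any", inner.service))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (shadowed rule, earlier rule hiding it, is_conflict) triples.
    is_conflict means the actions differ: the decision the author intended
    never happens, which is exactly the logic error rule analysis hunts for."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule.name, earlier.name, earlier.action != rule.action))
                break                      # report only the first hider
    return findings


def decide(rules: List[Rule], src: str, dst: str, service: str,
           default: str = "deny") -> Tuple[str, Optional[str]]:
    """First matching rule wins; otherwise the implicit default applies."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and rule.service in ("any", service)):
            return rule.action, rule.name
    return default, None


def path_broken_by_change(rules: List[Rule], new_rule: Rule, position: int,
                          path: Tuple[str, str, str]) -> bool:
    """Model a change before approval: does inserting `new_rule` at `position`
    turn a path that is allowed today into a denied one?"""
    before, _ = decide(rules, *path)
    after, _ = decide(rules[:position] + [new_rule] + rules[position:], *path)
    return before == "allow" and after == "deny"


# Constructed sample rule set and application path (not a real deployment).
SAMPLE_RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.168.10.0/24", "tcp/443", "allow"),
    Rule("deny-guest-web", "10.50.0.0/16", "192.168.10.0/24", "tcp/443", "deny"),
    Rule("allow-db", "192.168.10.0/24", "192.168.20.5/32", "tcp/1433", "allow"),
    Rule("allow-db-dup", "192.168.10.0/25", "192.168.20.5/32", "tcp/1433", "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]
GUEST_TO_WEB = ("10.50.1.2", "192.168.10.7", "tcp/443")
PROPOSED = Rule("block-guest-net", "10.50.0.0/16", "0.0.0.0/0", "any", "deny")

if __name__ == "__main__":
    for name, hider, conflict in shadowed_rules(SAMPLE_RULES):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"{name} never fires: hidden by {hider} ({kind})")
    print("guest -> web today:", decide(SAMPLE_RULES, *GUEST_TO_WEB))
    print("proposed rule at top breaks that path:",
          path_broken_by_change(SAMPLE_RULES, PROPOSED, 0, GUEST_TO_WEB))
```

In the sample, `deny-guest-web` is the dangerous case: the operator believes guests are blocked, but `allow-web` fires first and the deny never applies.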

Wednesday, March 20, 2013

Early Vibe: Skyhigh Networks


I was very impressed with this year’s RSA Conference – not only was the energy level of 24,000 attendees up over previous years, but I also witnessed more innovation on the exhibition floor than I had seen for a very long time. One of the companies I enjoyed talking with, thanks to a tip from my friend Rich B., was Skyhigh Networks. Skyhigh launched on the Monday of RSA so they get the prize for my earliest Early Vibe ever!

Skyhigh offers a subscription service based on firewall logs to identify cloud services accessed from within the network. Most companies have no visibility, and thus no control, over the cloud applications users access from within the corporate network. I find IT usually knows personal use of email, social sites, and data storage is happening, but IT is often stunned when they learn the magnitude of the usage. And of course, there are always the security benefits of detecting use of unauthorized applications, checking out security reputations of applications that are used for the first time, planning training needs for secure use of cloud apps, and prioritizing heavily used applications for renewal negotiations.

My understanding of how it works is that firewall log data is delivered up to the cloud, where Skyhigh matches addresses with domains and with applications within domains (e.g. granularity down to individual Salesforce or Facebook apps), and security gets a lovely dashboard of cloud application usage patterns. Offering analysis of cloud applications and user behavior as a service is a cool idea that gives Skyhigh a ton of flexibility to deliver new security applications.

Monday, March 11, 2013

Network Access Control: A Strong Resurgence is Underway

Security analyst firm the Ogren Group today released its vendor market forecast and market analysis security report Network Access Control: A Strong Resurgence is Underway.

To buy Ogren Group Security Reports or reprint rights please send mail to eric@ogrengroup.com.

Analyst Comment

The ability to detect and characterize users and devices connecting to the network, and to enforce security policies based on real-time assessments, is a huge benefit for enterprises requiring security and compliance for mobile users. The NAC roots of segmenting guests and unhealthy endpoints from sensitive data are fueling growth with BYOD and wireless initiatives, along with demands for continuous endpoint compliance.

The NAC market has not only revived, but is experiencing a strong resurgence - the Ogren Group estimated the market for Network Access Control products and services was $392 million in 2012, and predicts it will grow at a 22% CAGR to $1,061 million by 2017. Cisco, ForeScout, and Juniper combined represent over 70% market share and are the clear leaders in the NAC market.



Security Report Summary

The Ogren Group interviewed major vendors and security officers at large organizations in examining the Network Access Control market. This Security Report presents the features, market strategy, future directions, and recommended vendors for NAC. In addition to Cisco, ForeScout, and Juniper, the Security Report also profiles Aruba, Bradford, StillSecure, and TrustWave. The report structure is:

Executive Summary
Overview
Economic Drivers of NAC Resurgence
Technical Drivers of NAC Resurgence
Noteworthy NAC Features
Noteworthy NAC Weaknesses
Selected Vendor Profiles
Network Infrastructure Vendors
Software Infrastructure Vendors
Independent Vendors
Niche NAC Vendors
NAC Roadmap
Conclusions
Enterprise Recommendations
Vendor Recommendations
Directions and Predictions

Upcoming Ogren Group Research in 2013

Firewall Analysis: Keep Application Paths Clear
Endpoint Security Advances: Protect Un-trusted Systems
BYoD: Security Answers the Bell
Incident Response Strategies: Detect and Act!
Virtualization Impact on Security: Is It a Game Changer?
Spotlight on Threat Intelligence: Get a Head Start on Threats

Tuesday, February 12, 2013

Security Training? Seriously.

It is no secret that many CSOs acknowledge the inevitability of attacks penetrating security defenses. You are all challenged with enabling the user community to participate in security and to make healthy security decisions on their own. The continuous training of end-users on the latest security issues should be a fundamental element of every security strategy to ward off security incidents.

According to Wombat Security, 48% of organizations report difficulty in funding security training programs and 44% report difficulty encouraging employees to take security seriously. This is an unacceptable position in these days of mobile and cloud computing that places so much of the business beyond the protective reach of your IT and security teams.

Perhaps it is time for organizations to re-think their approach to security training. It is not a matter of sitting through an annual seminar lecture, or being forced to read policy documents and sign security pledges. CSOs love activating business users for a healthy business - integrating security training with employee education is consistent with that mission. With that in mind, here are three thoughts that may help you with a security training program.

1. Work with applications teams and human resources to embed security awareness into the business. Users are just not into security training for security's sake. For instance, you could allow cloud-based application training to include a few modules on mobile security. Users learn how to do their business better and improve their security awareness too!

2. Design metrics into the security training program. Your executive team will want to know how an investment in security training will help manage risk and drive the business - so build in measurements to help manage the program! For example, compare security trained and un-trained users on the ability to recognize phish messages, redirections to rogue websites, risky applications, etc. You should expect that trained users will be less apt to be duped by new threats.

3. Include a few security best practices that are designed for home use. Face it, most of your user base has families with a younger generation that uses apps your employees know little about. Including security awareness tips designed for home appeal may provide additional incentive for your users to learn a bit more about security issues.

Finally, be careful about relying too heavily on “test moments”, where you capitalize on a security incident as justification to drive home security messages. While these are important, and you need to help users understand what they may have done more securely, you also want to keep your focus ahead of the curve and next attack.

Good luck!

Wednesday, August 22, 2012

Bringing secure workspaces to USBs

Kingston Digital has successfully applied its pedigree in flash memory products to become one of the leading suppliers of cryptographically secure USB devices. Its DataTraveler product line starts at a basic personal-use level, and then extends up to a full FIPS 140-2 Level 3 certified device. Each release of a USB device undergoes third party security penetration testing to help ferret out vulnerabilities before customer deployment.


The real thing I like, and yes I have yet again buried the lede, is Kingston’s partnership with Microsoft to put a manageable Windows To Go on a USB. This is a pretty cool evolution. I’ve always been a big fan of a secure workspace solution on a USB for remote access – operating system, VPN client, storage, and authentication – such as Check Point GO or the Imation IronKey offering. This new capability with Microsoft has the potential to cut IT support costs for mobile workforces and give IT choices in Windows deployment models.

One of the big hurdles with secure workspaces is phoning home for software updates and configuration changes. MokaFive was an early pioneer in the use of the cloud to update virtual images. With the Microsoft partnership I expect Kingston to offer management through Active Directory services. Perhaps integrating with VDI-in-a-box products such as Citrix VDI-in-a-Box, Pano Logic Quickstart or VMware View will give USB form factors more traction in small and medium businesses – we’ll see! But for now I like the evolution of virtual workspaces from solving remote access security requirements to reducing desktop support costs.

Friday, July 13, 2012

Recommending ShareFile

This week I gained more experience than I really wanted in using file sharing services. Fortunately, ShareFile by Citrix saved the day for me after a few other approaches did not work at anything more than wasting my time. Thanks to them I was able to get a large file - greater than Gmail's 25Mb size limit - to a client before my deadline!

I was recording the audio track of a Putting Compliance to Work in a Virtualized World webcast for TechTarget on my iPad. The WavePad software generated a 32Mb MP3 file that I then had to deliver to Mr. Parizo (who performed some editing before posting it behind a registration page for TechTarget subscribers). I have to admit that I am a complete klutz when it comes to using new tools - my brain has become finely tuned at always choosing the wrong options and I had a lot of issues with poor user interfaces from other products.


But let's focus on how to do it right. I loved the ShareFile experience. A simple registration page got me started, using the "browse files" button to upload my MP3 was a snap, and the simple shortened link supplied for me was the perfect thing to mail off. Citrix also followed up a personalized note for support if needed and a customized login screen. I shouldn't be surprised based on my GoToMeeting experiences, but the ease of use and the high level of service really sets ShareFile apart. In any event, my client was able to download the MP3 file and we were off and running. I'm guessing the whole process took less than 30 minutes. This is the way cloud apps should be - if you are looking at sharing files without clogging up mailboxes, then check out ShareFile.





Tuesday, July 3, 2012

Become Flame Retardant: Blend Defense Layers

It surprises me that there is not a greater sense of concern across the security industry as the ramifications of the Flame malware attack become clearer. This attack strikes at the very tenets of traditional security practices: weaknesses in anti-virus processing, trust chains of certificates, and tardiness in patching. The following ideas were refined during interesting discussions with Bit9, Venafi, and enterprise friends who wish to remain anonymous.

By now, most of you have read Mikko Hypponen’s heartfelt piece on AV being torched by Flame even though all of the detection signs were there. One of the sustaining worries about targeted attacks such as Flame is that the developers are highly confident the attack will pass under the radar of AV researchers: it is not a widespread outbreak, it carries its own communications capability, and it lies dormant for a while so the attack code can penetrate. AV companies detect millions of new attacks per day (!), and must use automated triage filters to reduce the number of samples passed on to skilled humans. It is unreasonable to expect humans to lay eyes on every single malware sample, but the malware industry designs targeted attacks knowing they will slip through the filters.

Organizations with whitelisting products, especially on external-facing servers, report resilience to Flame. You are really missing a key element of a defense-in-depth strategy if you are not using whitelisting. If nothing else, sprinkle whitelisting on various endpoints so you can detect infections and drift out of compliance by comparing machines against the whitelist-established baselines.

Certificates form the foundation of identity trust. I call this the circles of paranoia: something like, “this authority confirms that this person is who they say they are, and this other authority confirms that the first authority can be trusted, and … ah, the heck with it, they can’t all be lying, can they?” Well, if you have based your trust model on MD5 certificates, then they can be lying. Flame took advantage of MD5 to create a certificate allowing a rogue software update facility to appear as a trusted Microsoft service. There is no network- or host-based scanner that would have detected that malicious communication. IT teams need to ferret out MD5 certificates, and especially the applications that generate MD5 certs, and upgrade them to the latest recommended SHA standards. Assume even the internal-facing applications are at risk. In fact, Flame provides great incentive to re-examine certificate management policies with an eye to shortening cert lifecycles, making any hash-collision operation less attractive.

Finally, and I seem to say this with every new attack, the best course of action is to close vulnerabilities with timely patching. It has been more than a decade since I collaborated with Qualys on the Laws of Vulnerabilities, and it seems that the half-life of a vulnerability curve is resistant to flattening (meaning the time to patch systems isn’t improving much). Patch technology has vastly improved: check out Lumension or eEye to complement Microsoft’s Windows Update Services. And if modifying a production application is unappealing, then Virtual Patching from Trend Micro may be the answer for you, or, heck, periodically replace whole images with updated copies via application virtualization from people like Citrix and VMware.

The bottom line is that committed attackers will always be able to defeat AV scanners, so finding other approaches to closing vulnerabilities or blocking attack execution is now pragmatic. Refreshing images and certificates is also worth investigating.
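Ferreting out MD5 certificates starts with an inventory, and the signature algorithm can be read straight out of a certificate's DER encoding (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }). As an added example (not code from this post or from any vendor named in it), a minimal DER walker that does that; it also flags SHA-1, which has since been deprecated for signatures. The sample certificates are constructed skeletons, and `pem_to_der` is an assumed helper name.

```python
"""Flag certificates signed with MD5 by reading the signatureAlgorithm OID out
of the DER. Added example with a minimal DER walker; not a full X.509 parser.
The sample inputs are constructed, certificate-shaped skeletons, not real certs."""
import base64
from typing import Dict, List, Tuple

SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# MD5 is what Flame abused; SHA-1 has since been deprecated for signatures too.
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0   # first byte packs two arcs
    for b in raw[1:]:                            # rest are base-128 groups
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                         # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der: bytes) -> str:
    """Name of the outer signature algorithm, or the dotted OID if unknown."""
    tag, body, _ = _read_tlv(der, 0)
    elements = _children(body)
    if tag != 0x30 or len(elements) != 3:
        raise ValueError("not a DER Certificate")
    alg_tag, alg_value = elements[1]       # signatureAlgorithm AlgorithmIdentifier
    oid_tag, oid_value = _children(alg_value)[0]
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return SIG_ALGS.get(_decode_oid(oid_value), _decode_oid(oid_value))

def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armor lines and base64-decode the body."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def weak_certs(certs: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Inventory step: (name, algorithm) for every cert that must be re-issued."""
    found = [(n, signature_algorithm(d)) for n, d in certs.items()]
    return [(n, a) for n, a in found if a in WEAK]

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value   # short-form lengths only (< 128)

def _skeleton(sig_oid_hex: str) -> bytes:
    """Constructed Certificate-shaped DER with a one-integer stand-in TBS."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xab\xcd"))

SAMPLE_CERTS = {                            # constructed, not real certificates
    "legacy-update-service": _skeleton("2a864886f70d010104"),  # md5WithRSA
    "web-frontend": _skeleton("2a864886f70d01010b"),           # sha256WithRSA
}
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_CERTS["web-frontend"]).decode()
              + "\n-----END CERTIFICATE-----\n")
```

Because only the outer three-element SEQUENCE is walked, `signature_algorithm` works unchanged on real DER certificates exported from a store or a PEM file.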

Wednesday, June 27, 2012

Brian Prince's eWeek article on MS Surface

Microsoft's Surface is sure to have an impact for organizations looking to empower mobile workers with Windows applications. The BYOD revolution will challenge every security team - especially those wishing to exert control. You can read my quotes on the BYOD trend here.

Friday, June 22, 2012

BYOD - unchaining the workforce

Fortinet briefed me earlier this week on the worldwide BYOD survey they conducted. BYOD is getting a lot of airtime this year, and I have honestly been a fan of BYOD for decades if you consider a home PC with a dial-up modem to be a computing device sharing personal and professional uses. I’m not even sure the trend should be called Bring Your Own Application. Sure, the virtualization people love that, but it does not capture the spirit of being able to access applications from anywhere, whenever it is most convenient. There is no question that mobile devices – phones and tablets – are driving the trend along with the easy availability of cloud-based applications. But for now let me stick with BYOD.

Anyway, Fortinet does a lot of really good security things in high performance devices. The BYOD trend truly amplifies the need for next generation application security in the network, which aligns with Fortinet’s business. It certainly makes sense: you cannot expect a personal device to have all of the security protections that an IT-controlled PC would have. Organizations should be looking at next-gen capability to help free the workforce.

The survey of 3872 people between the ages of 20 and 29 was pretty interesting. I loved the fact that 66% of respondents selected “I am ultimately responsible” when questioned about the security of their personal device used for business. That is a healthy response and, correlating with questions about data and application security, encourages me that new approaches to security that maintain user freedoms will be well received. I also liked how Fortinet articulates how personal and business lives remain largely separated (40% chose this first) with social networking applications, but the separation drops as the applications become more focused (email at 23%).

My least favorite question was “Of the following what do you think are the greatest risks TO YOUR ORGANISATION if you use your own devices in work, or for work?” The leading response at 46% was “Potential for greater time-wasting on personal activities during work hours”. To me, this is not the job of security, cannot be a compelling purchase criterion for security, and the thought of positioning security as cracking down on users scares me. I was surprised that only 42% chose “Potential for greater exposure to IT threats and the theft/loss of confidential data” – I expected that to be number one. A thought-provoking survey by Fortinet – always a good thing!

Tuesday, June 19, 2012

ForeScout offering an enlightened NAC commentary

From Day One I felt that NAC was terribly positioned as a "lock out bad guys" technology. To me it has always been an "automate endpoint protection" technology that would appeal to all size companies. Back in the day this was the excitement I felt when talking with Mitchell from StillSecure, Stacy from InfoExpress, and the Arvin/Irene/Rohit triumvirate at Perfigo. Unfortunately, somewhere along the way the NAC vendors all started tilting at the absolutely wrong windmills. I am pleased to say that NAC is now doing much better, and is sorting itself out - I would peg the segment at about $300M in 2012 revenues. One of those vendors that figured it out is ForeScout that has been doing quite well thanks to unique technology, focus on security automation, inclusion of mobile devices, and enthusiastic customer references. You can read a bit of what I think about ForeScout here!

Thursday, June 14, 2012

TechTarget security video reaches out

Sometimes threads just come together at opportune times. Earlier this week my friend Liz was asking me how many followers I had for my Security Vibes blog. My answer was that I didn’t know - I don’t check because my work tends to get around to the right people just fine. A day later I receive this nice email from John at Hirsch Identive (reprinted below without permission, but I don’t think he’ll mind :^). It refers to a video I shot for TechTarget’s security university a few months ago where I mention that NAC is a much better control technology than blocking technology, with some interesting events coalescing around IF-MAP. I know I need to be better at tracing where my stuff appears and publishing links. I’ll get started on that Monday!

Eric: I just viewed a video clip at inxpo.com in which you discuss the current state of NAC. I perked up when you brought up the TCG IF-MAP standard as one of the more promising means of deploying effective NAC solutions. Hirsch Identive is possibly the only physical security member of TCG, and we have implemented IF-MAP as part of our offering. We publish our events (persons swiping cards at doors, etc.) to an IF-MAP server, making a person’s presence a piece of IF-MAP metadata. Compliant systems and devices can then subscribe to those events. The first use case we have identified is NAC, and both Juniper Networks and Enterasys NAC solutions can subscribe to our events and add physical presence as a policy in granting access to network resources. We see this as a real-world example of the long-awaited “convergence” of physical and network security. We have learned that when it comes to convergence, technology providers are sometimes ahead of customers, and are always looking for ways to reach out beyond our usual physical security customer base for feedback on these kinds of concepts. I recognize that you must be very busy, but since you seem to be finely attuned to the topic, I was hoping to get your thoughts on the feasibility in the real world. If you have a few minutes, I would appreciate your thoughts. I have provided a link to a whitepaper that covers the topic from a physec point of view. http://hirsch-identive.com/sites/default/files/resources/IFMAP%20White%20Paper%20OCT2011.pdf Thanks so much for your time and regards,

Wednesday, June 6, 2012

Tufin celebrates IPv6 Day

Tufin has chosen IPv6 Day to announce the availability of the latest release of the Tufin Security Suite. The key feature of the R12-3 release is support for IPv6 addresses and the ability to manage firewall rule sets with both IPv4 and IPv6 access control specifications. It turns out that this is a big deal: it will take years for IT to evolve to IPv6, so it is critical that IT start with security tools that can handle the long IPv6 hex addresses as well as standard IPv4 addresses. Good job by Tufin in taking the leadership position. You can read more of what I think about this here.

Friday, May 25, 2012

Early Vibe: Are you a human?

It is not often that I get a chance to talk with a security technology startup that is based in Detroit, but that is exactly where Are you a human? is headquartered. I suppose it shouldn’t surprise me, since my two best software engineers when I was a rookie supervisor, Mary S and Carol Y, were both University of Michigan graduates. Are you a human? (AYAH) shows a similar adeptness in tackling problems that affect lots of people. AYAH was founded to give us relief from those annoying CAPTCHAs that web sites, blogs, and forums use to thwart spam entries generated by computers. We’ve all seen them – they are hard to read, annoying to dispense, and lead to a significant drop-off rate among those who view CAPTCHAs as too much trouble. Also, there seems to be an industry growing up to offer CAPTCHA solutions to spammers to bypass the protection, and to stay ahead of anti-CAPTCHA technology the puzzles get harder and harder for humans to read. I don’t even try to solve CAPTCHAs on my mobile devices any more.
The AYAH approach introduces object recognition, relationships between objects, and human response metrics in the form of completing a simple game. I like the dynamic metrics part – where an object is grabbed, how long it takes to move it, where the object is dropped, etc. It is a pretty interesting concept to produce active challenges that are more difficult for computers to solve while being easier for humans – and isn’t that the whole idea?
There is always the business side, as customers will want AYAH to be successful to create more plays. I can see the company making money with customer games involving product placements, or gaining bonus payments by reducing drop-off rates for customers that switch from CAPTCHAs. Heck, a game that allows humans to whack an emoticon has to have value! The folks at AYAH will figure it out. When I was working with RSA SecurID, two-factor authentication was defined as a combination of something you know, something you have, or something you are. We were thinking of something you are as a biometric – I wish we had thought of it as “Are you a human?”

Friday, March 30, 2012

BYOD is here to stay

Business organizations are embracing the use of Android and Apple iOS-based tablets and smartphones in a big way. And why not? - they are light, easy to use, easy to carry, and easy to personalize. Bring your own device may be one of those cases where the marketing hype actually lags customer adoption!

The challenge for security teams is how to say "yes" to this revolution in end-user computing while still protecting the business infrastructure. If your organization can mandate installation of a mobile security application, then by all means leverage that capability. If your business cannot dictate endpoint security software, then you can use network security to assess and audit each tablet or smartphone device as it joins the network. In fact, that is the only way you can pragmatically account for both managed and unmanaged devices with one security solution. ForeScout, Cisco, Juniper, Bradford, and StillSecure have interesting ideas in this space. ForeScout in particular has a compelling BYOD story that they are starting to tell here.