Friday, December 30, 2011

AlgoSec introduces firewall management for virtualized environments

AlgoSec, Tufin and Firemon are the Big 3 for firewall rules management, with a few others (Skybox and Athena to name a couple) starting to catch on. AlgoSec has hired a really good marketing director who will have a noticeable impact. Sam Erdheim's work started with this AlgoSec press release supporting virtual environments.

“The dynamic nature of virtualization, especially the rapid provisioning of new applications and desktops across data centers, presents a new set of security challenges for IT organizations,” said Eric Ogren, principal analyst of the Ogren Group. “Firewall rules management software is a critical must-have capability to control access and ensure tight security for companies evolving from physical to virtual environments.”

Friday, December 2, 2011

“The malware, a version of a toolkit available since 2005…”

The story of the RSA attacks: Qualys recently posted a very detailed study of the Adobe Flash exploit that caused all of the trouble at RSA last spring. It is a very thorough study – right down to a couple of pages of code.

Loved the human angle of a security-conscious person yanking the offending email out of a spam folder so they could open the infected XLS attachment. Good stuff. There will always be cases where people just make a mistake and have a lapse of judgment.

Great observation that some of the new security features found in Windows 7, such as Data Execution Prevention, probably would have thwarted the attack. It goes to show how hard it is for IT to move forward with a new version of an OS. Heck, it is hard even to move forward with a safer version of Flash or to enforce safe browser settings.

We know the half-life of a vulnerability and the difficulty in patching endpoints. Perhaps we should add a Law of Vulnerability for the life expectancy of unpatchable software.

Thursday, September 29, 2011

VDI: it's about people

After participating in analyst events with the world’s leading VDI vendors (AppSense, Citrix, VMware), it is increasingly apparent that the marketing of virtual desktops needs to get personal and emotional in a hurry if the industry expects to see explosive growth. For all of the VDI hype and messages of IT control, there are precious few deployments of more than 1000 seats. One possible reason is that end-users do not see what VDI does for them that cannot be easily done with the present physical approach of applications installed on laptops. Virtualization vendors trumpet the IT benefits while marketing to server teams - VDI is doomed to niche uses unless vendors can lead people to clamor for the new capabilities introduced by the technology.

Vendor marketing messaging and positioning targets IT decision makers with promises of enhancing data security, controlling application environments, saving operational expenses, and enabling business agility for existing applications. However, when it comes to re-inventing user experiences, the user organizations participate in endpoint architecture decisions, and it is personal demand for new capabilities that is going to drive explosive growth in virtualization at the endpoint.

One good start will be to shift the words virtual desktop infrastructure to the fine print of the back page of all market-oriented material. There is not one word in VDI that a user really wants: few people are comfortable with their understanding of anything virtual, a desktop is a necessary evil only to run desired programs, and do users rise to the edge of their seats when the conversation turns to infrastructure? There is amazing technology and potential in virtualization that is buried under IT-oriented technical jargon. It is critical that vendors tap into key user emotions related to making their computing lives easier. A few examples may be:

Imagine having business and personal applications at your fingertips no matter where you are or what computer you’re using – without painful software installations or generic browser user interfaces. You do not need the frustration of being unproductive on the road because you forgot to pre-install software, or you had to borrow a computer that doesn’t have your presentation on it. VDI can provide you access to more exciting programs at your fingertips than you can possibly install yourself.

Imagine relief from getting upset while waiting for Windows to install important updates and reboot your machine just when you’re ready to use your computer. System and application software is maintained by IT in the data center, meaning the most up-to-date versions are ready to run – before you need them! No more waiting like a second-class citizen while your computer manages itself; no more playing “IT” to configure security software or applications.

Imagine the freedom of not having to lug a laptop home from the office every day, and back again. There have to be better ways to exercise your upper body and back muscles. There is no need to include laptops, power cords and heavy-weight knapsacks in every commute. Virtualization allows you to run business applications – including Microsoft Office – on home computers, tablets, or mobile devices without having to install application software.

It is rare to find organizations that plan to be entirely VDI hosted in the data center - laptops are not going away anytime soon and even the early adopters seem to only envision a 20% penetration. For virtualization at the endpoint to move forward significantly, vendors need to find and promote visions of the technology that provide benefits that are not easily achieved in physical endpoints or through browsers. The present path of marketing solely IT benefits will result in organizations maintaining about 80% of their endpoints as physical desktop and laptop systems, VDI will be an additive expense, and the great opportunity to impact user lifestyles with virtualization will be lost. It is about people – let’s look for ways for virtualization to change user experiences.

Friday, September 23, 2011

Proactively addressing home and office PC security

Webroot’s extensive survey – over 2500 respondents, summarized in a Sept 20th press release – reinforced the need for businesses to recognize the inevitable blurring between personal and professional computing. With anti-malware scanning and filtering shifting to the cloud it is easier for organizations to proactively help secure home PCs as well as those in the office. Vendors can do their part by providing services that make it easy for users or IT to manage security policy for multiple devices - inside and outside of the office.

What caught my eye in the Webroot study was that more than 40% of respondents purchased non-work related items online. Combined with prior results that 46% of users visit their favorite social networking site several times a day, it is becoming clear that employees don’t think twice about blurring personal and professional browsing while in the office. That is not a real surprise, since hundreds of millions of users have been blurring the distinction between personal and professional computing while at home to read business mail, or connect to desktops via VPNs or products like GoToMyPC. And that does not even factor in the use of mobile devices which completely bypass corporate security. Security teams need to address home security for home computing.

Businesses can help by negotiating coverage of home computers in their anti-virus agreements, evaluating cloud-based endpoint security management that bridges the home and the office, or recommending to employees the best free anti-malware offerings (sometimes available from service providers). There is a train of thought that there should be a clear separation of duties between personal and professional devices, and it is up to the employee to shell out $50 per PC annually to help protect the business. But that train is leaving the station.

Friday, September 16, 2011

Intelligent Whitelisting and VDI

Check out my latest post on intelligent whitelisting titled "Working together in a virtual environment: application whitelisting and anti-virus". It is all about provisioning thinner virtual desktops for greater performance and density. Those requiring AV can run it as a security service on the virtual server. The article is right here.

Wednesday, September 14, 2011

RSA SBIC is worth checking out

You have to give RSA credit for the way they’ve responded to their phishing attack. Rather than being totally defensive about the incident, RSA has responded with a drive to educate the market about threats that start with a plausible email that begs for attention. It is a good effort by a mature security vendor.

Their Security for Business Innovation Council reports are interesting executive conversations that result in recommendations and conclusions for enterprise security officers. The latest edition, released Tuesday of this week, focuses on the serious problems in combating APTs.

Usually I take these things with more than a grain of salt because they can be overly slanted into “buy my product” pieces, but RSA does a nice job of letting the executives speak. I liked that recommendation #6 was to “Rearchitect IT”. This is an admission that instead of stacking security products in costly (and futile) defense in depth architectures, perhaps the business might be safer with thin clients and virtualization, tighter network zones and access controls, and even use of cloud infrastructures to share costs. It is thought provoking and worth checking out – although having said that I am not convinced about enterprise needs for intelligence services.

RSA also publishes a series of phishing reports - the latest reminding us that though phishing is a global concern, there are security actions we can take here in the US that may help. That is certainly not new information, but while the above SBIC report spent time talking about foreign agents and foreign attacks, it seems like our government and service providers have responsibilities right here - the US hosted 53% of the world’s phishing attacks in July!

Friday, September 2, 2011

Recent press release support

Summer is winding down and Q4 activities are picking up. I’ll post a short note Monday on some concepts from briefings that I found interesting. Meanwhile here are the top 3 quotes I gave recently for Watchguard, Damballa and eEye …


I like what Watchguard has been doing, particularly for companies looking to protect their networks against security issues associated with social networks. The quote is on DLP functionality that will help against unauthorized outbound data flows. My French stops with “merci” – Watchguard did the translating:

“Until recently, data loss prevention technology has been predominately relegated to enterprise organisations that have the staff or resources capable of managing the administrative complexities associated with DLP,” said Eric Ogren of the Ogren Group. “The new DLP features in this WatchGuard release focus on providing mainstream business environments with the badly needed benefits of enterprise‐strength DLP in a simple to manage solution.”

"Until recently, data loss prevention technology was mainly reserved for enterprise departments with the staff or resources capable of managing the inherent administrative complexities," states Eric Ogren of Ogren Group. "The new DLP features of this WatchGuard update aim to offer mainstream business environments the indispensable benefits of proven enterprise DLP protection within a solution that is simple to manage."


I liked Damballa’s ISP approach to associating domains and IP addresses with botnets. This allows service providers to detect command and control communications in the cloud, blocking early attacks while AV can perform clean-up of existing threats.

“The designer malware used in today’s attacks is supremely capable of evading detection,” said Eric Ogren, principal analyst of The Ogren Group. “The weakest link for data-seeking malware is now the command and control infrastructure with its reliance on the DNS hierarchy. Being able to detect the criminal infrastructure in its early days, as it is being set up and long before the actual attacks are launched, gives businesses a fighting chance at staying ahead of these threats.”


eEye has been in security for a while, with both Retina and Blink products. I found their approach to risk identification, vulnerability management, and patching interesting for small and medium businesses that can benefit from a community approach.

“Many organizations fail to address their most critical security weaknesses, spending time and money correcting relatively minor security problems,” said Eric Ogren, principal and founder of the Ogren Group. “Security risk prioritization is an indispensable element of any pragmatic IT security and compliance strategy. Enterprises need solutions that will allow them to prioritize so that they can quickly and easily close the most dangerous security gaps in their networks.”

Friday, July 29, 2011

Virtualization accelerates firewall rules change requests

Just posted on Tufin's blog ...

The shift to virtualization, with most organizations virtualizing more than 30% of their applications, challenges the means by which security teams implement firewall-based foundational controls. Organizations are embracing virtualization for obvious cost savings benefits when applications share server and infrastructure resources. In fact, many enterprises continue to re-architect networks to consolidate data centers, applications and IT services. For instance, the rapid provisioning of applications - running in a matter of minutes on a virtual server for a task that would take weeks with physical architectures – necessitates a rapid evolution in the security lifecycle management of firewall rules.

Friday, June 17, 2011

Security and firewall management blog at Tufin

Firewalls are the heart of every organization's security strategy. Every company has firewalls, with rule sets that have grown to be a big can of worms. Tufin has very interesting technology that helps meet the scary challenge of keeping firewall rules consistent across the company and consistent across multiple vendors. Not only that, but I am finding security and network admin teams efficiently sharing Tufin's products for a secure network.

Tufin is taking a leadership position by hosting a discussion on security and firewall management. There will be guest analysts, and I am pleased to be able to contribute. You can check it out here.

My new post on

It is important that application whitelist approaches make allowances for differences in individual PCs. Each device is slightly different – it is very unlikely that a “one size fits all” approach will be pragmatic. I mention this because I often hear the misperception that application whitelist vendors maintain a master list of every published software executable in the world, can query that database to validate the integrity of any given program, and that there is great value in this massive clearinghouse capability ...

You can read the entire post here.

Friday, June 3, 2011

Can SecurID be trusted?

RSA Security’s security problems, as evidenced by recent intrusions into defense contractor networks, are causing more than a few organizations to not only re-evaluate their commitment to SecurID authentication, but also to re-evaluate the role of authentication in their security programs. I have already heard of large companies that have embarked on a multi-year program to transition from premium-priced SecurID to cheaper alternatives.

RSA desperately needs to disclose more information about the nature of the breach, and what actions RSA customers should be taking to protect themselves. In the absence of information, security organizations should assume the worst – that their business is next in line for a breach – and should be prepared to detect and act upon an intrusion.

If you are a SecurID customer there are a few things that you may consider to help keep your business secure:

Add the device as part of the “something you have” authentication factor. Users would need SecurID from an approved device to gain access to applications and the network. This can be done either directly with PKI keys on the chip (e.g. Wave Systems using the TPM in Intel machines) or by evaluating the device (e.g. iovation assessing the machine fingerprint). Only a few users will ever need to access resources from unauthorized computers, so narrow this exposure by also authenticating the device.

Heighten efforts to detect APTs and intrusions. It is actually easier for an attacker to avoid getting caught by launching a spear-phishing attack, penetrating corporate defenses with malware, and letting the APT deliver secrets than it is to impersonate a user and bumble around a network like Diogenes looking for secrets. Step up automated efforts to catch configuration drifts out of compliance and non-compliant network traffic – signs that you may be under attack.

With increased diligence, you can verify your trust in SecurID.

Friday, May 20, 2011

Endpoint Security: Become Aware of Virtual Desktop Infrastructures!

I completed a pretty neat whitepaper for Trend Micro just before leaving for a couple of weeks of travel. Here is an abstract of the exec summary and you should be able to get the rest at Trend Micro.

Virtual desktop infrastructures, VDI, present IT with the unique opportunity to fundamentally improve the way desktops are purchased, deployed, managed, and secured. Organizations are attracted to VDI’s promise to reduce operating costs, provide users with wide choices of devices, improve application performance, and enhance corporate security against malware and loss of sensitive data. The benefits are compelling, with survey data showing approximately 70 percent of CIOs reporting VDI projects planned for 2010.

However, enterprises find while scaling from proof-of-concept projects to full deployment that desktop security software that is not optimized for VDI causes storage and network contention that significantly degrades virtual machine densities. The Ogren Group recommends the following guidelines in selecting endpoint security to help organizations preserve the benefits of VDI:

Choose endpoint security that is specifically designed for VDI performance. Endpoint security needs an architecture that avoids performance drags from storage and network resource contention.

Require intelligent use of cloud-based security to keep agent bloat from affecting VDI density. Evaluate approaches that scale by blocking attacks in the cloud, and do not steadily increase processor demands for VM-based endpoint security.

Insist on VDI-aware approaches allowing endpoint security to simplify administration of virtual and physical desktops. Since organizations will need to operate a mix of physical and virtual endpoint security, the security software should be optimized for each environment for user satisfaction, and ease of administration.

Trend Micro’s OfficeScan and Deep Security products are designed for use in VDI environments. The Ogren Group finds that Trend Micro exceeds requirements for protecting the business while enabling IT to realize the benefits of virtual desktop infrastructures.

Wednesday, May 4, 2011

Wedge Networks

I commented on the content-focused approach of Wedge Networks and was pleased to support their BeSecure announcement.

Eric Ogren, analyst and founder, Ogren Group, said:

"The trend towards moving applications and data into private and public clouds introduces a new realm of very real security risks. Critical to identifying and remediating new threats will be a content-based approach offering deep inspection and clear visibility into network traffic. Wedge Networks is well positioned to meet these challenges with its BeSecure Web Gateway that enables organizations to protect sensitive data and have a clear view of content as it traverses the cloud."

Recent white papers ... ForeScout

ForeScout has done a pretty good job of navigating through the NAC requirements. They've always had an interesting technical idea and now they have a team in place that can properly position the company. The next couple of quarters will be key for the company as it executes its new vision.

Recent white papers ... SenSage

I often wish I could pay more attention to keeping you up to date with what's going on. I'm still learning that part of the job! Anyway, here are a few recent papers that you may be able to find on the web sites of ForeScout, SenSage, and Trend Micro. Let's start with SenSage.

VDI Security: Centralized Control

One of my favorite articles I wrote for TechTarget’s Information Security Magazine was published last year. It turned out to be pretty popular with a huge number of downloads. I recently received the following mail from with a link you can check out.

Virtual desktop infrastructure implementation provides security pros with a perfect opportunity to re-architect their organization’s endpoint security and management. The fact that virtual desktops are managed via centralized services means that an entirely new approach can be taken with respect to endpoint security and desktop configurations, giving security teams much more control over their company’s data.

This complimentary IT Decision Checklist explores the most significant security opportunities coming out of VDI solutions and how you can leverage them to fortify your own organization’s security posture.

Explore how to achieve the following in a VDI environment:

-- Control endpoint configurations
-- Isolate sensitive and regulated data
-- Enhance antimalware strategy
-- And more

Saturday, April 2, 2011

Application whitelisting: an extra layer of malware defense

I am a big fan of whitelisting as a complement to attack-centric approaches, and as a foundational layer of defense. Even though it is not called whitelisting, I see Apple successfully using this method for ensuring compliance for iPad, iPhone and iTunes. It is a technology that also works in the corporate environment, even if it is not an AV killer.

I was excited when Information Security Magazine asked me to write an article on AWL. I enjoyed talking to the major vendors and my enterprise security contacts about whitelisting, and am happy with the final result. I hope you also find it to be an interesting read.

“Application whitelisting makes too much pragmatic sense to not have appeal as an antimalware mechanism. Intuitively, a technology operating in the kernel that detects suspicious changes in an IT-controlled software configuration should be easier to scale than a technology that looks at all files to identify and clean attacks.” The rest of the story can be found here.

Friday, March 25, 2011

Vineyard Networks Application Intelligence and Classification

Vineyard Networks is a pretty cool company that supplies high performance application intelligence logic to vendors of firewalls, WAN optimization appliances, and other network communications equipment. Vineyard has an interesting perspective on how security and operations teams both get the most out of application intelligence.

My contribution to their press release reads, “Organizations require the next generation of networking products to leverage application intelligence for greater visibility and control of the cyber-infrastructure. Security and networking vendors that hope to compete for enterprise business better offer a solid foundation of high performance application awareness and classification.”

Wednesday, March 23, 2011

RSA Caught in a Compromised Position

There has been a lot written about the breach of RSA Security and the effect the advanced persistent threat has on SecurID users. The Open Letter to RSA Customers is so vague that it is hard to figure out exactly what the exposure is, and more importantly what to recommend to corporations relying on SecurID for two-factor authentication. I worked with Security Dynamics, maker of SecurID before changing their name to RSA, as Director of Product Management from 1993-1998, so let me add to the discussion (I no longer have any financial interests in RSA Security).

The big risk is theft of source code that would allow an intruder to design a custom attack against servers installed on customer premises. For instance, all the attacker would need to do is exploit a weakness in the management protocol to be able to insert a backdoor or impersonate a privileged user to steal secrets. This scenario would be very serious as RSA would not be in a position to assure customers of the integrity of their authentication system, and wouldn’t even know how the attack manifests itself until customers are infected.

The lesser risk is theft of serial numbers and seed values. An attacker would still need to associate the exposed seed and serial number with the company that purchased the token and the user possessing the token. That is really hard for an outsider to do, and if successful all an attacker achieves is one random user to impersonate. Yes, it is a concern but it seems like a manageable one.

If you are a SecurID customer, there are a couple of procedural things you should do that may reduce the risk of an infected authentication system while RSA conjures up an explanation:

Audit IPS and firewall policies to ensure that there are no unauthorized communications with SecurID servers. This includes outbound connections that could signal a successful penetration of malware. This communication to the attacker might be the only way to detect a devastating breach of security.

Scale back on remote management of SecurID, including IT service desk procedures. Management operations that originate from outside the server perimeter are particularly dangerous. Consider assigning a member of your security team to perform privileged operations from a physically connected console, and disallow privileged operations over the Internet.

Finally, voice your displeasure at RSA in no uncertain terms and send them the bill for your extra security precautions. If you are a bank using SecurID for high-roller customers, then you are responsible for disclosure and reimbursement if the system is compromised – RSA owes you more guidance than what I have seen.
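One way to carry out the firewall-policy audit recommended above over firewall logs, as an added example that is not part of the original post: the log format, the server and console addresses, the ports and the outbound allow-list are all constructed for illustration, and the script flags allowed flows that the policy for the authentication server does not expect, including the outbound beacon the post warns about.

```python
"""Audit firewall log lines for traffic to or from an on-premise
authentication (SecurID) server that falls outside the expected policy.

Added example, not code from the original post or from RSA. Everything
below the docstring (addresses, ports, log format) is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed policy: the authentication server, the internal network its
# agents live on, the admin console network used for privileged operations,
# and the only outbound peers the server is expected to reach (DNS, NTP).
AUTH_SERVER = ipaddress.ip_address("10.0.5.10")
AGENT_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]
CONSOLE_NETWORKS = [ipaddress.ip_network("10.0.250.0/24")]
ALLOWED_OUTBOUND = {("10.0.1.53", 53), ("10.0.1.123", 123)}
MGMT_PORTS = {22, 443}

# Constructed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    line: str


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def audit_line(line_no, line):
    """Return a Finding if the line violates the policy, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return Finding(line_no, "unparseable log line", line)
    # Denied flows were already blocked; only permitted flows are reviewed.
    if m["action"] != "ALLOW":
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    # Outbound from the authentication server to anything but DNS/NTP is the
    # signal the post describes: it may be the only sign of a compromise.
    if src == AUTH_SERVER and (str(dst), dport) not in ALLOWED_OUTBOUND:
        return Finding(line_no, "unexpected outbound connection from authentication server", line)
    if dst == AUTH_SERVER:
        # Privileged operations must come from the physically connected console network.
        if dport in MGMT_PORTS and not _in_any(src, CONSOLE_NETWORKS):
            return Finding(line_no, "privileged/management access from outside the console network", line)
        if not _in_any(src, AGENT_NETWORKS):
            return Finding(line_no, "inbound connection from outside the agent networks", line)
    return None


def audit(lines):
    """Run audit_line over an iterable of log lines and collect the findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        f = audit_line(n, line)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log (port 5500 stands in for the agent protocol port).
SAMPLE_LOG = """\
2011-03-24T09:00:01 ALLOW UDP 10.0.12.7:51234 -> 10.0.5.10:5500
2011-03-24T09:00:05 ALLOW UDP 10.0.5.10:40001 -> 10.0.1.53:53
2011-03-24T09:01:10 ALLOW TCP 10.0.250.4:55010 -> 10.0.5.10:443
2011-03-24T09:02:30 ALLOW TCP 203.0.113.45:60022 -> 10.0.5.10:22
2011-03-24T09:03:00 ALLOW TCP 10.0.5.10:40500 -> 198.51.100.77:443
2011-03-24T09:03:15 DENY TCP 10.0.5.10:40501 -> 198.51.100.77:8080
2011-03-24T09:04:00 ALLOW TCP 172.16.9.9:33000 -> 10.0.5.10:5500
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason}: {f.line}")
```

Run against the sample log, lines 4, 5 and 7 are reported: an Internet source reaching the management port, the server beaconing out to an unapproved host, and an agent connection from a network the policy does not cover.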

It is ironic that enterprises have to disclose security incidents to consumers, but here we have one of the most trusted security companies on the planet keeping business in the dark. Hopefully, RSA Security soon issues another open letter that is more enlightening on how customers should protect themselves.

Monday, March 21, 2011

Proofpoint Email Security Service

Cloud-based security services can help drive down the operational costs of securely handling corporate information, especially securing the large volume of information contained in saved email. Proofpoint attacks this problem with a service approach that delivers cost benefits without jeopardizing adherence to compliance mandates. Their full release includes my supporting quote:

"The IT landscape is changing at a rapid pace, and organizations are struggling to keep up with regulatory and security pressures," said Eric Ogren, principal analyst of the Ogren Group. "By leveraging secure business services in the cloud, organizations may be able to alleviate the increased compliance burdens they are facing without having to make large investments in on-premise deployments and without having to give up control of their sensitive data."

Tuesday, March 15, 2011

Does compliance inhibit security innovation?

I had some fun with a podcast on the impact of compliance on security innovation. For me, there is no question that compliance stifles innovation, but people I really respect feel differently. It's an interesting question to think about ... or even listen to here.

Friday, March 11, 2011

Be comfortable with key management to secure your data

Encrypting sensitive data on premise before the data gets to the cloud or gets on a truck is a best practice when utilizing offsite storage. I have talked with many organizations that insist they will never store regulated data in the cloud. In fact, when asked what it would take to make them more comfortable they do not even spend 3 seconds of think time before shuddering at the prospect of their CEO appearing on TV to explain a major data loss incident. Many cannot envision any confidence in data security that will enable off-site storage of sensitive data. However, with proper key management organizations can safely reduce expenses by using storage services for encrypted data only.

Seagate announced that it has sold more than one million self-encrypting drives. This is important to security officers because disk drives, and the regulated data they contain, do not stay in the data center forever. Seagate claims that 80% of the disk drives that are sent out for repair, or returned at the expiration of a lease, contain readable data. Furthermore, disks that are retired undergo expensive physical cleaning and shredding processes – unless that is overlooked due to human error. Self-encrypting drives automatically encrypt all data on disk to reduce the risk of data loss without adversely affecting performance or requiring incremental security procedures.

There are also many vendors offering to use shared cloud-based resources to drive down the costs of handling sensitive data for such activities as backup/restore (IBM, i365), email archiving (AppRiver, ProofPoint), and world-wide availability (RSA Security, Trend Micro). The critical element for cloud-based services is also to encrypt and decrypt the data on premise so it is not at risk of exposure in the cloud. This also reduces the IT burden of auditing service provider security policies and allows the organization to leverage efficient storage services.

Both the physical and cloud-based secure storage objectives require organizations to manage their own cryptographic keys. That is a core competency that every security-aware corporation must have, especially if they choose to enable the use of external service providers. Companies effectively use services with sensitive data all the time (e.g. payroll services, 401K programs, health networks, sales force information, etc.) so they should feel more comfortable with evaluating secure storage services knowing that the company still controls the data.

Tuesday, March 8, 2011

Intelligent Whitelisting

Intelligent Whitelisting is a new site encouraging an open discussion on all things related to whitelisting, and application whitelisting. There are some really good security ideas being expressed in there – including a new one by me on VDI and AWL working together. Check it out when you get a chance, and make it a resource for security discussions.

Even though Lumension is sponsoring the site and panel of posters, they have made it clear that this is not the place for product review discussions. They are looking to build a community of thinkers and doers for the next generation of endpoint security and endpoint management. It’s a great concept that is gaining momentum!

Friday, February 18, 2011

Last thoughts from RSA Conference

The RSA Conference is now over. I’ve been coming to a lot of these and I have to say that this is one of the better ones. I saw a lot of innovation, new ideas, and general buzz at the show. It felt great to see security starting to get out of its doldrums.

I loved seeing Art Coviello on stage again. I liked Art a lot when he was at RSA and he has played a major role in building a $700M business. It is a personal note, but it was pretty cool this afternoon seeing a Security Dynamics alum (via CrossComm) sitting with a President!

I also liked the fact that security is starting to catch on to the concept of providing information to IT and network operations teams. Security sees everything, so why not communicate some of what it sees to the rest of the IT organization? The next-gen firewall conversations, usually centered on Palo Alto Networks, are a perfect example of this. Another is a white paper that Qualys was featuring that emphasizes the strategic business efficiencies to be gained from secure cloud services.

SonicWALL also surprised me with a big honkin’ box that is loaded with application-level logic. That company has come a long way from the one that averaged 1.6 boxes per small business when I first met them.

Time to run for the airport. It was a good week – catching up with lots of friends, having great security conversations, and contributing to the Trusted Computing Group and Anti-malware sessions!

Thursday, February 17, 2011

Top 5 observations at the mid-point of RSA week

Top 5 observations at the mid-point of RSA week, or what seems to be the theme of this year's show: NG (next generation) RSA:

1. One of the fun events of RSA week happens before the show commences – the Innovation Sandbox. This event, in its second year, features 10 young companies, each staffing a small demo station and then presenting their idea on stage to a panel of judges and the audience. This year's winner was Invincea for their secure browser protection. The Innovation Sandbox experience also has a very cool “speed dating” idea where aspiring entrepreneurs get a few minutes to pitch their idea to an experienced VC. That is the kind of networking activity that made the RSA Conference famous back in the ’90s, and it is awesome to see the return to supporting new innovative ideas. I recommend that every “A” round security company enter the competition next year.

2. Cisco is back to tackling big security problems with the unveiling of SecureX, their next generation security architecture. SecureX applies context gathered from network traffic and the presence of more than 150 million VPN agents to make smarter security decisions in Cisco devices. Cisco needs some help articulating a vision of how SecureX will change the life of security, IT and networking teams, but there is a ton of potential and I think of this more as an exciting start for 2011.

3. According to Quest Software, “One in ten IT Professionals (10%) admit that they have accounts from previous jobs where they can still access systems even after they’ve left the organization.” For years the industry believed that Single Sign-On would be a big productivity gain by making it easier for users to connect to applications, and perhaps reduce service desk calls by reducing the number of passwords to be managed. However, perhaps the ability to de-provision user accounts with a single click will provide the incentive for security teams to look more closely at SSO (and to worry less about losing “the keys to the kingdom”).

4. Symantec is the company that has perhaps given me the greatest positive surprise this week with the performance and virtualization enhancements announced in SEP 12. It is great to see companies like Symantec and Trend Micro getting out ahead of the curve when it comes to leveraging virtualization and the cloud. Symantec Endpoint Protection 12 has significant improvements based on their Insight intelligence that will keep Symantec a force for some time. The following chart is snipped out of the AV-Comparatives real-world testing report – I have not had time to read the report for bias, but however you cut it these numbers look good for Symantec.

5. Lumension is doing some nice integration work with device discovery, application whitelisting, anti-virus, and patching features. It is very clear to me that some form of whitelisting is an essential layer of defense – it just makes too much sense to look one way while signature approaches look in the other (or vice-versa). Integrating the capabilities into an end-to-end system can fundamentally help the way IT manages endpoints and conducts incident response investigations.

I have to say that this has been an excellent week at RSA. The only real complaints are the weather – rain, cold and overall yuck – and the fact that every booth has to have “cloud” or “next generation” in its signage. Must be some sort of RSA Conference zoning regulation for booth rentals.

Wednesday, February 16, 2011

Early Vibe: Mykonos

My RSA week started off on the right foot with an early Tuesday morning meeting with Mykonos Software. This is an exciting young pre-A round company with an interesting idea for cutting off custom-designed web application attacks before they can be launched. It is an intriguing approach to web application security that is likely to please organizations that want to say goodbye to cross site scripting and SQL injection attacks.

It is surprising that the intuitive Mykonos solution has not been tried more often. Mykonos offers an appliance that monitors outbound web traffic for the presence of forms and validates that the completed inbound form does not carry malware. The product salts the web form with what it refers to as “detection points”, allowing the solution to recognize malicious changes to the form when it is returned to the application. Attackers that are testing their attack code are identified, permanently tagged, and their future activity blocked before the attack development completes and launches. Mykonos does not require “scan and hope” signatures and does not rely on interpretation of application behavior – if the detection points have been modified then there is no question about unauthorized activity.

There are benefits of the Mykonos approach over traditional web application firewalls:

+ Mykonos does not have to learn web application behavior or understand the business logic expressed in the web dialog. This significantly simplifies the administration and reduces false positives that can plague other web application firewalls.

+ IT does not have to coordinate changes to the dynamic web site with security – the Mykonos appliance just recognizes the presence of a form and applies its detection points-based logic. Traditional solutions that are dependent on rules or learning mode struggle to keep up with the rate of change of dynamic web sites.

+ As a start-up with a new idea, Mykonos can tap into existing enterprise PCI-driven line item budgets for web application firewalls.

The intelligence gathered on the attackers, their locations and attack methods gives the company nice flexibility going forward. They still have challenges, such as ensuring that attackers can’t recognize detection points to bypass the security mechanisms, or improving the catch rate of already developed attacks. The Mykonos idea has a lot going for it, without requiring cumbersome rules. With proper execution, Mykonos will have a fun 2011.
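To make the “detection points” idea concrete, here is an added example of how such a check could be built; it is not Mykonos’s code, and the field names, the HMAC binding to a client identifier, the decoy field and the simulated browser are all assumptions of this illustration.

```python
"""Tamper-evident form detection points (hypothetical reconstruction, not Mykonos's implementation)."""
import hashlib
import hmac
import re
import secrets

# Assumption: a per-deployment server-side secret; the value here is constructed for the example.
SECRET = b"constructed-example-secret-do-not-reuse"
# Clients whose submissions altered a detection point are tagged and later submissions blocked.
flagged_clients: set[str] = set()

# Constructed sample form, standing in for an outbound page observed by the appliance.
FORM = '<form action="/login"><input type="text" name="user" value=""></form>'


def add_detection_points(form_html: str, client_id: str) -> str:
    """Salt an outbound form with hidden fields a normal browser echoes back untouched."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SECRET, f"{client_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    hidden = (f'<input type="hidden" name="dp_nonce" value="{nonce}">'
              f'<input type="hidden" name="dp_tag" value="{tag}">'      # binds the form to this client
              f'<input type="hidden" name="dp_role" value="user">')     # decoy: never legitimately changed
    return form_html.replace("</form>", hidden + "</form>", 1)


def echo_form(html: str) -> dict[str, str]:
    """Simulate a well-behaved browser: submit every input's name/value exactly as served."""
    return dict(re.findall(r'name="([^"]+)" value="([^"]*)"', html))


def check_submission(fields: dict[str, str], client_id: str) -> str:
    """Classify an inbound submission; any change to a detection point tags the client."""
    if client_id in flagged_clients:
        return "blocked"                     # previously tagged client: drop without inspection
    nonce, tag, role = fields.get("dp_nonce"), fields.get("dp_tag"), fields.get("dp_role")
    if nonce is None or tag is None or role is None:
        flagged_clients.add(client_id)
        return "detection_point_missing"     # fields a browser would always return were stripped
    expected = hmac.new(SECRET, f"{client_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or role != "user":
        flagged_clients.add(client_id)
        return "detection_point_modified"    # tag forged/replayed across clients, or decoy edited
    return "ok"


if __name__ == "__main__":
    served = add_detection_points(FORM, "client-A")
    print(check_submission(echo_form(served), "client-A"))   # a normal browser passes
```

Because the verdict depends only on fields the server itself inserted, no learning phase or per-application rule set is needed, which is the simplification the post describes.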

Thursday, February 10, 2011

RSA Conference 2011 is next week

I hope to see everyone in San Francisco next week during the RSA Conference 2011 festivities. I am so glad to have RSA return to its February dates - I am in big time need of a warm sun, green grass, and lively security discussions!

I am participating in a couple of sessions that I’m very excited about:

Monday finds me moderating a panel of network security experts for the Trusted Computing Group’s workshop on IF-MAP. This is good stuff, with the content provided by industry experts and not vendors. It would be well worth your time on Monday to check out TCG-001 – Can You Trust Your Enterprise? Top Analysts & Implementers Debate Using Trusted Computing, in Orange Room 301 starting at 11:00.

Friday is my presentation on the demise of HIPS. It is sad, but the time has come with the retirement of Cisco CSA. I’ve put together some intriguing ideas on how to use whitelisting to plug some of the holes that AV misses. The details: TECH-403 – Is it Time to Put HIPS in the Recycle Bin? is Friday at 11:20 in Orange Room 307.

RSA is easily the best security event of the year – if you can only go to one event, this is the one to choose. Please take advantage of resources that can be critical to your plans for 2011:

Seek out networking opportunities with fellow security professionals. Share experiences and plans – you will be surprised at the tips you will pick up.

Attend sessions that broaden your security knowledge. This is a fabulous chance to learn about security issues before they become a challenge for your business. In particular, I would recommend Steve Orrin’s session on virtualization security as well as sessions from the Cloud Security Alliance. The lineup of sessions with abstracts is found here.

Talk with vendors in the exhibit hall for demos and discussions of how the product can work in your environment.

Enjoy the show and I hope to see you there!

Thursday, January 27, 2011

Early Vibe: CloudPassage

CloudPassage, a Bay Area startup, has just exited stealth this week with a proposition to simplify security for cloud-based servers. The problem, according to the vendor, is that vulnerability management and firewall policy enforcement both suffer as application servers are dynamically launched and shuffled between data centers. For instance, when an enterprise cannot reliably reach its applications in the cloud, both its ability to frequently assess and manage server vulnerabilities and its ability to enforce server-based security policies suffer.

The secret sauce of the CloudPassage SaaS technology features a cloud-based analytic grid that continuously correlates server configurations with vulnerability information and customer security policies - offloading individual servers from that burden. CloudPassage initially offers two products, Halo SVM and Halo Firewall:

Halo SVM (Server Vulnerability Management) depends on a host-based agent to initiate communications with the CloudPassage grid. The agent profiles the Linux or Unix server and uploads that information to the CloudPassage grid for analysis. The end benefit is a vulnerability management procedure that transparently evaluates applications for vulnerabilities and configuration drift with a higher frequency than scanning options can reasonably achieve.

Halo Firewall is a host based firewall that is designed to travel with cloud-based servers to enforce security policies. Similar to SVM, the Firewall product connects to the CloudPassage grid to download the most recent set of policies for the server.

The Ogren Group believes that CloudPassage is on the right track. Enterprise applications are evolving from customer premise-based services to hybrid environments and public clouds, yet static security perimeters and scheduled vulnerability management aren’t evolving at the same pace. Placing the burden of analysis in the cloud as a SaaS allows CloudPassage to avoid distribution overhead to servers while assessing vulnerability information, server configurations, and customer policies for each server (and there will be plenty of opportunity to add additional security computations). CloudPassage does have challenges to overcome, starting with expanding its solution to include support for Windows servers and an agentless option for those that can’t tolerate additional software on a server. The company is very young, with a grid capability that provides potential for excellent flexibility in responding to the challenge of securing the cloud.