Friday, February 18, 2011

Last thoughts from RSA Conference

The RSA Conference is now over. I’ve been coming to a lot of these and I have to say that this is one of the better ones. I saw a lot of innovation, new ideas, and general buzz at the show. It felt great to see security starting to get out of its doldrums.

I loved seeing Art Coviello on stage again. I liked Art a lot when he was at RSA and he has played a major role in building a $700M business. It is a personal note, but it was pretty cool this afternoon seeing a Security Dynamics alum (via CrossComm) sitting with a President!

I also liked the fact that security is starting to catch on to the concept of providing information to IT and network operations teams. Security sees everything, so why not communicate some of what it sees to the rest of the IT organization? The next-gen firewall conversations, usually centered on Palo Alto Networks, are a perfect example of this. Another is a whitepaper that Qualys was featuring that emphasizes the strategic business efficiencies to be gained from secure cloud services.

SonicWALL also surprised me with a big honkin’ box that is loaded with application level logic. That company has come a long way from the one that averaged 1.6 boxes per small business when I first met them.

Time to run for the airport. It was a good week – catching up with lots of friends, having great security conversations, and contributing to the Trusted Computing Group and Anti-malware sessions!

Thursday, February 17, 2011

Top 5 observations at the mid-point of RSA week

Top 5 observations at the mid-point of RSA week, or what seems to be themed NG RSA:

1. One of the fun events of RSA week happens before the show commences – the Innovation Sandbox. This event, in its second year, features 10 young companies, each staffing a small demo station and then presenting their idea on stage to a panel of judges and the audience. This year's winner was Invincea for their secure browser protection. The Innovation Sandbox experience also has a very cool idea of “speed dating” where aspiring entrepreneurs get a few minutes to pitch their idea to an experienced VC. That is the kind of networking activity that made the RSA Conference famous back in the 90’s and it is awesome to see the return to supporting new innovative ideas. I recommend that every “A” round security company enter the competition next year.

2. Cisco is back to tackling big security problems with the unveiling of SecureX, their next generation security architecture. SecureX applies context gathered from network traffic and the presence of more than 150 million VPN agents to make smarter security decisions in Cisco devices. Cisco needs some help articulating a vision of how SecureX will change the life of security, IT and networking teams but there is a ton of potential and I think of this more as an exciting start for 2011.

3. According to Quest Software, “One in ten IT Professionals (10%) admit that they have accounts from previous jobs where they can still access systems even after they’ve left the organization.” For years the industry believed that Single Sign-On would be a big productivity gain by making it easier for users to connect to applications, and perhaps reduce service desk calls by reducing the number of passwords to be managed. However, perhaps the ability to easily de-provision user accounts with a single click will provide incentive for security teams to look more closely at SSO (and to be worried less about losing “the keys to the kingdom”).

4. Symantec was the company that perhaps has given me the greatest positive surprise this week with the performance and virtualization enhancements announced in SEP 12. It is great to see companies like Symantec and Trend Micro getting out ahead of the curve when it comes to leveraging virtualization and the cloud. Symantec Endpoint Protection 12 has significant improvements based on their Insight intelligence that will keep Symantec a force for some time. The following chart is snipped out of AV Comparatives’ real world testing report – I have not had time to read the report for bias, but however you cut it these numbers look good for Symantec.

5. Lumension is doing some nice integration work with device discovery, application whitelisting, anti-virus, and patching features. It is very clear to me that some form of whitelisting is an essential layer of defense – it just makes too much sense to look one way while signature approaches look in the other (or vice-versa). Integrating the capabilities into an end-to-end system can fundamentally help the way IT manages endpoints and conducts incident response investigations.

I have to say that this has been an excellent week at RSA. The only real complaints are the weather – rain, cold and overall yuck – and the fact that every booth has to have “cloud” or “next generation” in its signage. Must be some sort of RSA Conference zoning regulation for booth rentals.

Wednesday, February 16, 2011

Early Vibe: Mykonos

My RSA week started off on the right foot with an early Tuesday morning meeting with Mykonos Software. This is an exciting young pre-A round company with an interesting idea for cutting off custom-designed web application attacks before they can be launched. It is an intriguing approach to web application security that is likely to please organizations that want to say goodbye to cross site scripting and SQL injection attacks.

It is surprising that the intuitive Mykonos solution has not been tried more often. Mykonos offers an appliance that monitors outbound web traffic for the presence of forms and validates that the completed inbound form does not carry malware. The product salts the web form with what it refers to as “detection points”, allowing the solution to recognize malicious changes to the form when it is returned to the application. Attackers that are testing their attack code are identified, permanently tagged, and future activity blocked before the attack development completes and launches. Mykonos does not require “scan and hope” signatures and does not rely on interpretation of application behavior – if the detection points have been modified then there is no question about unauthorized activity.

There are several benefits of the Mykonos approach over traditional web application firewalls:

+ Mykonos does not have to learn web application behavior or understand the business logic expressed in the web dialog. This significantly simplifies the administration and reduces false positives that can plague other web application firewalls.

+ IT does not have to coordinate changes to the dynamic web site with security – the Mykonos appliance just recognizes the presence of a form and applies its detection points-based logic. Traditional solutions that are dependent on rules or learning mode struggle to keep up with the rate of change of dynamic web sites.

+ As a start-up with a new idea, Mykonos can tap into existing enterprise PCI-driven line item budgets for web application firewalls.

The intelligence gathered on the attackers, their locations and attack methods, gives the company nice flexibility going forward. They still have challenges such as ensuring that attackers can’t recognize detection points to bypass the security mechanisms, or improving the catch rate of already developed attacks. The Mykonos idea has a lot going for it, without requiring cumbersome rules. With proper execution, Mykonos will have a fun 2011.
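One way to implement the detection-point idea described above, as an added example that is not Mykonos’ code: hidden decoy fields are salted into the outbound form and checked on the way back, and a session whose decoys come back altered is tagged. The HMAC-derived field names and values, SECRET_KEY, POINTS_PER_FORM and the in-memory FLAGGED table are all my assumptions.

```python
import hashlib
import hmac
import html

# Constructed server-side secret for this example; a real deployment keeps it in a key store.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
POINTS_PER_FORM = 2  # hypothetical setting: decoy hidden fields planted per form

def _point_name(session_id: str, index: int) -> str:
    # Field names are derived per session, so each client sees different-looking fields.
    mac = hmac.new(SECRET_KEY, f"name|{session_id}|{index}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:8]

def _point_value(session_id: str, name: str) -> str:
    # The expected value is bound to session and field name, so it can be recomputed on return.
    mac = hmac.new(SECRET_KEY, f"value|{session_id}|{name}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def detection_points(session_id: str) -> dict:
    """Hidden fields to salt into the outbound form for this session (no server-side state)."""
    names = [_point_name(session_id, i) for i in range(POINTS_PER_FORM)]
    return {n: _point_value(session_id, n) for n in names}

def salt_form(session_id: str, form_html: str) -> str:
    """Insert the detection points just before the form's closing tag."""
    hidden = "".join(
        f'<input type="hidden" name="{html.escape(n)}" value="{html.escape(v)}">'
        for n, v in detection_points(session_id).items())
    return form_html.replace("</form>", hidden + "</form>", 1)

def check_submission(session_id: str, submitted: dict) -> list:
    """Findings for the inbound form; an empty list means every point came back untouched."""
    findings = []
    for name, expected in detection_points(session_id).items():
        got = submitted.get(name)
        if got is None:
            findings.append(f"missing:{name}")
        elif not hmac.compare_digest(str(got).encode(), expected.encode()):
            findings.append(f"modified:{name}")
    return findings

FLAGGED = {}  # session_id -> findings; stands in for the appliance's permanent attacker tag

def inspect(session_id: str, submitted: dict) -> bool:
    """Record tampering against the session and report whether the session is tagged."""
    findings = check_submission(session_id, submitted)
    if findings:
        FLAGGED.setdefault(session_id, []).extend(findings)
    return session_id in FLAGGED
```

Because names and values are recomputed from the session id and the server secret, nothing has to be stored per form; varying the names per session only partly addresses the challenge the post raises of a client learning which fields are decoys.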

Thursday, February 10, 2011

RSA Conference 2011 is next week

I hope to see everyone in San Francisco next week during the RSA Conference 2011 festivities. I am so glad to have RSA return to its February dates - I am in big time need of a warm sun, green grass, and lively security discussions!

I am participating in a couple of sessions that I’m very excited about:

Monday finds me moderating a panel of network security experts for the Trusted Computing Group’s workshop on IF-MAP. This is good stuff with the content provided by industry experts and not vendors. It would be well worth your time on Monday to check out: TCG-001 – Can You Trust Your Enterprise? Top Analysts & Implementers Debate Using Trusted Computing is in Orange Room 301 starting at 11:00.

Friday is my presentation on the demise of HIPS. It is sad, but the time has come with the retirement of Cisco CSA. I’ve put some intriguing ideas on how to use whitelisting to plug some of the holes that AV misses. The details: TECH-403 – Is it Time to Put HIPS in the Recycle Bin? is Friday at 11:20 in Orange Room 307.

RSA is easily the best security event of the year – if you can only go to one event, this is the one to choose. Please take advantage of resources that can be critical to your plans for 2011:

Seek out networking opportunities with fellow security professionals. Share experiences and plans – you will be surprised at the tips you will pick up.

Attend sessions that broaden your security knowledge. This is a fabulous chance to learn about security issues before they become a challenge for your business. In particular, I would recommend Steve Orrin’s session on virtualization security as well as sessions from the Cloud Security Alliance. The lineup of sessions with abstracts is found here.

Talk with vendors in the exhibit hall for demos and discussions about how the product can work in your environment.

Enjoy the show and I hope to see you there!