Friday, March 25, 2011

Vineyard Networks Application Intelligence and Classification

Vineyard Networks is a pretty cool company that supplies high performance application intelligence logic to vendors of firewalls, WAN optimization appliances, and other network communications equipment. Vineyard has an interesting perspective on how security and operations teams both get the most out of application intelligence.

My contribution to their press release reads, “Organizations require the next generation of networking products to leverage application intelligence for greater visibility and control of the cyber-infrastructure. Security and networking vendors that hope to compete for enterprise business better offer a solid foundation of high performance application awareness and classification.”

Wednesday, March 23, 2011

RSA Caught in a Compromised Position


There has been a lot written about the breach of RSA Security and the effect the advanced persistent threat has on SecurID users. The Open Letter to RSA Customers is so vague that it is hard to figure out exactly what the exposure is, and more importantly what to recommend to corporations relying on SecurID for two-factor authentication. I worked with Security Dynamics, the maker of SecurID before it changed its name to RSA, as Director of Product Management from 1993-1998, so let me add to the discussion (I no longer have any financial interests in RSA Security).


The big risk is theft of source code that would allow an intruder to design a custom attack against servers installed on customer premises. For instance, all the attacker would need to do is exploit a weakness in the management protocol to be able to insert a backdoor or impersonate a privileged user to steal secrets. This scenario would be very serious as RSA would not be in a position to assure customers of the integrity of their authentication system, and wouldn’t even know how the attack manifests itself until customers are infected.

The lesser risk is theft of serial numbers and seed values. An attacker would still need to associate the exposed seed and serial number with the company that purchased the token and with the user possessing it. That is really hard for an outsider to do, and even if successful, all the attacker gains is one random user to impersonate. Yes, it is a concern, but it seems like a manageable one.

If you are a SecurID customer, there are a couple of procedural things you can do to reduce the risk of an infected authentication system while RSA conjures up an explanation:

Audit IPS and firewall policies to ensure that there are no unauthorized communications with SecurID servers. This includes outbound connections from those servers, which could be the sign of a successful malware infection. That communication back to the attacker might be the only way to detect a devastating breach of security.

Scale back on remote management of SecurID, including IT service desk procedures. Management operations that originate from outside the server perimeter are particularly dangerous. Consider assigning a member of your security team to perform privileged operations from a physically connected console, and disallow privileged operations over the Internet.

Finally, voice your displeasure at RSA in no uncertain terms and send them the bill for your extra security precautions. If you are a bank using SecurID for high-roller customers, then you are responsible for disclosure and reimbursement if the system is compromised – RSA owes you more guidance than what I have seen.
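The two audit checks above, worked through over constructed firewall records as an added example that is not part of the original post: it flags a SecurID server initiating a connection to an unlisted peer, and a management-port connection that originates outside the server network. The server address, allowlist, perimeter prefix, management ports and log line format are all assumptions made for the example.

```javascript
// Constructed firewall records in a simple "ACTION proto src:port -> dst:port"
// form (not any vendor's real log format). 10.1.5.30 is the SecurID server.
const sampleLog = [
  "ALLOW tcp 10.1.5.20:51234 -> 10.1.5.30:1812",   // agent auth request: expected
  "ALLOW udp 10.1.5.30:40000 -> 10.1.5.1:123",     // NTP to a listed peer: expected
  "ALLOW tcp 10.1.5.30:49152 -> 198.51.100.7:443", // server calling out to an unknown host: flag
  "ALLOW tcp 203.0.113.9:55000 -> 10.1.5.30:22",   // management session from outside: flag
  "ALLOW tcp 10.1.5.40:55001 -> 10.1.5.30:3389",   // management from the server network: expected
];

// Assumed policy: the SecurID servers, the only peers they may initiate
// connections to, the server network that counts as "inside the perimeter",
// and the ports used for privileged management.
const policy = {
  servers: new Set(["10.1.5.30"]),
  allowedPeers: new Set(["10.1.5.1", "10.1.5.20"]),
  perimeter: "10.1.5.0/24",
  mgmtPorts: new Set(["22", "3389"]),
};

const ipToInt = (ip) => ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function parseRecord(line) {
  const m = /^(\w+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$/.exec(line.trim());
  return m && { action: m[1], proto: m[2], src: m[3], sport: m[4], dst: m[5], dport: m[6] };
}

// The two checks from the post: (1) a SecurID server initiating a connection
// to a peer not on its allowlist, the call-home that may be the only sign of
// a compromise; (2) a management-port connection from outside the perimeter.
function audit(lines, p) {
  const findings = [];
  for (const line of lines) {
    const r = parseRecord(line);
    if (!r) continue; // not a connection record in the expected shape
    if (p.servers.has(r.src) && !p.allowedPeers.has(r.dst))
      findings.push({ line, reason: `SecurID server connected out to unlisted peer ${r.dst}` });
    if (p.servers.has(r.dst) && p.mgmtPorts.has(r.dport) && !inCidr(r.src, p.perimeter))
      findings.push({ line, reason: `management connection from outside the perimeter (${r.src})` });
  }
  return findings;
}

for (const f of audit(sampleLog, policy)) console.log(`${f.reason}\n    ${f.line}`);
```

Over the sample records the script reports exactly the third and fourth lines; in practice the allowlist would hold every agent, NTP and directory peer the server legitimately talks to, so that anything else stands out.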

It is ironic that enterprises have to disclose security incidents to consumers, but here we have one of the most trusted security companies on the planet keeping businesses in the dark. Hopefully, RSA Security soon issues another open letter that is more enlightening on how customers should protect themselves.

Monday, March 21, 2011

Proofpoint Email Security Service

Cloud-based security services can help drive down the operational costs of securely handling corporate information, especially securing the large volume of information contained in saved email. Proofpoint attacks this problem with a service approach that delivers cost benefits without jeopardizing adherence to compliance mandates. Their full release includes my supporting quote:

"The IT landscape is changing at a rapid pace, and organizations are struggling to keep up with regulatory and security pressures," said Eric Ogren, principal analyst of the Ogren Group. "By leveraging secure business services in the cloud, organizations may be able to alleviate the increased compliance burdens they are facing without having to make large investments in on-premise deployments and without having to give up control of their sensitive data."

Tuesday, March 15, 2011

Does compliance inhibit security innovation?

I had some fun with a SearchSecurity.com podcast on the impact of compliance on security innovation. For me, there is no question that compliance stifles innovation, but people I really respect feel differently. It's an interesting question to think about ... or even listen to here.

Friday, March 11, 2011

Be comfortable with key management to secure your data

Encrypting sensitive data on premise before the data gets to the cloud or gets on a truck is a best practice when utilizing offsite storage. I have talked with many organizations that insist they will never store regulated data in the cloud. In fact, when asked what it would take to make them more comfortable they do not even spend 3 seconds of think time before shuddering at the prospect of their CEO appearing on TV to explain a major data loss incident. Many cannot envision any confidence in data security that will enable off-site storage of sensitive data. However, with proper key management organizations can safely reduce expenses by using storage services for encrypted data only.

Seagate announced that it has sold more than one million self-encrypting drives. This is important to security officers because disk drives, and the regulated data they contain, do not stay in the data center forever. Seagate claims that 80% of the disk drives that are sent out for repair, or returned at the expiration of a lease, contain readable data. Furthermore, disks that are retired undergo expensive physical cleaning and shredding processes – unless that is overlooked due to human error. Self-encrypting drives automatically encrypt all data on disk to reduce the risk of data loss without adversely affecting performance or requiring incremental security procedures.

There are also many vendors offering to use shared cloud-based resources to drive down the costs of handling sensitive data for such activities as backup/restore (IBM, i365), email archiving (AppRiver, Proofpoint), and world-wide availability (RSA Security, Trend Micro). The critical element for cloud-based services is, again, to encrypt and decrypt the data on premise so it is not at risk of exposure in the cloud. This also reduces the IT burden of auditing service provider security policies and allows the organization to leverage efficient storage services.

Both the physical and the cloud-based secure storage objectives require organizations to manage their own cryptographic keys. That is a core competency that every security-aware corporation must have, especially if it chooses to enable the use of external service providers. Companies effectively use services with sensitive data all the time (e.g. payroll services, 401K programs, health networks, sales force information, etc.), so they should feel more comfortable evaluating secure storage services knowing that the company still controls the data.

Tuesday, March 8, 2011

Intelligent Whitelisting


Intelligent Whitelisting is a new site encouraging an open discussion on all things related to whitelisting, and application whitelisting in particular. There are some really good security ideas being expressed there – including a new one by me on VDI and AWL working together. Check it out when you get a chance, and make it a resource for security discussions.

Even though Lumension is sponsoring the site and panel of posters, they have made it clear that this is not the place for product review discussions. They are looking to build a community of thinkers and doers for the next generation of endpoint security and endpoint management. It’s a great concept that is gaining momentum!