Wednesday, August 22, 2012

Bringing secure workspaces to USBs

Kingston Digital has successfully applied its pedigree in flash memory products to become one of the leading suppliers of cryptographically secure USB devices. Its DataTraveler product line starts at a basic personal-use level, and then extends up to a full FIPS 140-2 Level 3 certified device. Each release of a USB device undergoes third-party security penetration testing to help ferret out vulnerabilities before customer deployment.

The real thing I like, and yes I have yet again buried the lede, is Kingston’s partnership with Microsoft to put a manageable Windows To Go on a USB. This is a pretty cool evolution. I’ve always been a big fan of a secure workspace solution on a USB for remote access – operating system, VPN client, storage, and authentication – such as Check Point GO or the Imation IronKey offering. This new capability with Microsoft has the potential to cut IT support costs for mobile workforces and give IT choices in Windows deployment models.

One of the big hurdles with secure workspaces is phoning home for software updates and configuration changes. MokaFive was an early pioneer in the use of the cloud to update virtual images. With the Microsoft partnership I expect Kingston to offer management through Active Directory services. Perhaps integrating with VDI-in-a-box products from folks like Citrix (VDI-in-a-Box), Pano Logic (Quickstart) or VMware (View) will give USB form factors more traction in small and medium businesses – we’ll see! But for now I like the evolution of virtual workspaces from solving remote access security requirements to reducing desktop support costs.

Friday, July 13, 2012

Recommending ShareFile

This week I gained more experience than I really wanted in using file sharing services. Fortunately, ShareFile by Citrix saved the day for me after a few other approaches did nothing more than waste my time. Thanks to them I was able to get a large file - greater than Gmail's 25MB size limit - to a client before my deadline!

I was recording the audio track of a Putting Compliance to Work in a Virtualized World webcast for TechTarget on my iPad. The WavePad software generated a 32MB MP3 file that I then had to deliver to Mr. Parizo (who performed some editing before posting it behind a registration page for TechTarget subscribers). I have to admit that I am a complete klutz when it comes to using new tools - my brain has become finely tuned at always choosing the wrong options, and I had a lot of issues with poor user interfaces from other products.

But let's focus on how to do it right. I loved the ShareFile experience. A simple registration page got me started, using the "browse files" button to upload my MP3 was a snap, and the simple shortened link supplied for me was the perfect thing to mail off. Citrix also followed up with a personalized note offering support if needed and a customized login screen. I shouldn't be surprised based on my GoToMeeting experiences, but the ease of use and the high level of service really set ShareFile apart. In any event, my client was able to download the MP3 file and we were off and running. I'm guessing the whole process took less than 30 minutes. This is the way cloud apps should be - if you are looking at sharing files without clogging up mailboxes, then check out ShareFile.

Tuesday, July 3, 2012

Become Flame Retardant: Blend Defense Layers

It surprises me that there is not a greater sense of concern across the security industry as the ramifications of the Flame malware attack become clearer. This attack strikes at the very tenets of traditional security practices – weaknesses in anti-virus processing, trust chains of certificates, and tardiness in patching. The following ideas were refined during interesting discussions with Bit9, Venafi, and enterprise friends who wish to remain anonymous.

By now, most of you have read Mikko Hypponen’s heartfelt piece on AV being torched by Flame, even though all of the detection signs were there. One of the sustaining worries about targeted attacks such as Flame is that the developers are highly confident the attack will pass under the radar of AV researchers: it is not a widespread outbreak, it carries its own communications capability, and it lies dormant for a while so the attack code can penetrate. AV companies detect millions of new attacks per day (!), and must use automated triage filters to reduce the number of samples passed on to skilled humans. It is unreasonable to expect humans to lay eyes on every single malware sample, but the malware industry designs targeted attacks knowing they will slip through the filters.

Organizations with whitelisting products – especially on external-facing servers – report resilience to Flame. You are really missing a key element of a defense-in-depth strategy if you are not using whitelisting. If nothing else, sprinkle whitelisting on various endpoints so you can detect infections and drift out of compliance by comparing machines against the whitelist-established baselines.

Certificates form the foundation of identity trust. I call this the circles of paranoia – something like, “this authority confirms that this person is who they say they are, and this other authority confirms that the first authority can be trusted, and … ah, the heck with it – they can’t all be lying, can they?” Well, if you have based your trust model on MD5 certificates, then they can be lying. Flame took advantage of MD5 to create a certificate allowing a rogue software update facility to appear as a trusted Microsoft service. There is no network- or host-based scanner that would have detected that malicious communication. IT teams need to ferret out MD5 certificates, and especially applications that generate MD5 certs, and upgrade those to the latest recommended SHA standards. Assume even the internal-facing applications are at risk. In fact, Flame provides great incentive to re-examine certificate management policies with an eye to shortening cert lifecycles – making any hash-collision operation less attractive.

Finally, and I seem to say this with every new attack, the best course of action is to close vulnerabilities with timely patching. It has been more than a decade since I collaborated with Qualys on the Laws of Vulnerabilities, and it seems that the half-life of a vulnerability curve is resistant to flattening (meaning the time to patch systems isn’t improving much). Patch technology has vastly improved – check out Lumension or eEye to complement Microsoft’s Windows Update Services. And if modifying a production application is unappealing, then Virtual Patching from Trend Micro may be the answer for you, or heck, periodically replace whole images with updated copies via application virtualization from people like Citrix and VMware.

The bottom line is that committed attackers will always be able to defeat AV scanners, so finding other approaches to closing vulnerabilities or blocking attack execution is now pragmatic. Refreshing images and certificates is also worth investigating.
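Ferreting out MD5 certificates starts with knowing which hash each certificate's signature relies on. As an added example (not part of the original post, and not anything from Kingston, Venafi or Microsoft), the script below walks the outer DER structure of an X.509 certificate with nothing but the Python standard library, decodes the signatureAlgorithm OID, and flags MD5 and SHA-1. Because a real MD5-signed certificate cannot be reproduced here, the sample input is a constructed, certificate-shaped DER blob that carries the md5WithRSAEncryption OID; the parser itself works unchanged on real PEM or DER files.

```python
"""Report which digest a certificate's signature relies on, so MD5 (and SHA-1)
signed certificates can be inventoried for replacement.  Pure stdlib: walks the
outer DER structure  Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm, signatureValue }  defined in RFC 5280."""
import base64

# Signature-algorithm OIDs and the digest each one relies on (RFC 3279 / 4055 / 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
WEAK_DIGESTS = {"MD5", "SHA-1"}  # collision attacks are practical; retire these

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Return the OID found in a DER certificate's outer signatureAlgorithm field."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert)          # skip tbsCertificate entirely
    _, alg_id, _ = read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id)      # its first element is the OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def audit_certificate(der):
    """Classify a certificate; weak=True means its signature hash should be retired."""
    oid = signature_algorithm_oid(der)
    name, digest = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return {"algorithm": name, "digest": digest, "weak": digest in WEAK_DIGESTS}

# --- constructed sample input (NOT a real certificate; it only exercises the parser) ---
def encode_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def constructed_certificate(sig_oid):
    """Certificate-shaped DER carrying sig_oid; the tbsCertificate body and the
    signatureValue are filler bytes, so it parses but could never verify."""
    alg_id = encode_tlv(0x30, encode_tlv(0x06, encode_oid(sig_oid)) + encode_tlv(0x05, b""))
    tbs = encode_tlv(0x30, encode_tlv(0x02, b"\x01") + alg_id + b"\x00" * 200)
    sig = encode_tlv(0x03, b"\x00" * 33)
    return encode_tlv(0x30, tbs + alg_id + sig)

def constructed_pem(sig_oid):
    b64 = base64.b64encode(constructed_certificate(sig_oid)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(audit_certificate(pem_to_der(constructed_pem(oid))))
```

Against a real export, `audit_certificate(pem_to_der(open(path).read()))` gives one record per certificate, which is enough to build the inventory of MD5 signers (and the applications issuing them) that the post calls for. The check is deliberately limited to the outer signatureAlgorithm; RFC 5280 requires it to match the signature field inside tbsCertificate, and a mismatch there is a second thing worth flagging in a fuller scanner.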

Wednesday, June 27, 2012

Brian Prince's eWeek article on MS Surface

Microsoft's Surface is sure to have an impact for organizations looking to empower mobile workers with Windows applications. The BYOD revolution will challenge every security team - especially those wishing to exert control. You can read my quotes on the BYOD trend here.

Friday, June 22, 2012

BYOD - unchaining the workforce

Fortinet briefed me earlier this week on the worldwide BYOD survey they conducted. BYOD is getting a lot of airtime this year, and I have honestly been a fan of BYOD for decades if you consider a home PC with a dial-up modem to be a computing device sharing personal and professional uses. I’m not even sure the trend should be called Bring Your Own Device rather than Bring Your Own Application. Sure, the virtualization people love that, but it does not capture the spirit of being able to access applications from anywhere, whenever it is most convenient. There is no question that mobile devices – phones and tablets – are driving the trend along with the easy availability of cloud-based applications. But for now let me stick with BYOD.

Anyway, Fortinet does a lot of really good security things in high performance devices. The BYOD trend truly amplifies the need for next generation application security in the network, which aligns with Fortinet’s business. It certainly makes sense – you cannot expect a personal device to have all of the security protections that an IT-controlled PC would have. Organizations should be looking at next-gen capability to help free the workforce.

The survey of 3872 people between the ages of 20 and 29 was pretty interesting. I loved the fact that 66% of respondents selected “I am ultimately responsible” when questioned about the security of their personal device used for business. That is a healthy response and, correlating with questions about data and application security, encourages me that new approaches to security that maintain user freedoms will be well received. I also liked how Fortinet articulates that personal and business lives remain largely separated for social networking applications (40% chose this first), but that separation drops as the applications become more focused (email at 23%).

My least favorite question was “Of the following what do you think are the greatest risks TO YOUR ORGANISATION if you use your own devices in work, or for work?” The leading response at 46% was “Potential for greater time-wasting on personal activities during work hours”. To me, this is not the job of security, cannot be a compelling purchase criterion for security, and the thought of positioning security as cracking down on users scares me. I was surprised that only 42% chose “Potential for greater exposure to IT threats and the theft/loss of confidential data” – I expected that to be number one. A thought provoking survey by Fortinet – always a good thing!

Tuesday, June 19, 2012

ForeScout offering an enlightened NAC commentary

From Day One I felt that NAC was terribly positioned as a "lock out bad guys" technology. To me it has always been an "automate endpoint protection" technology that would appeal to companies of all sizes. Back in the day this was the excitement I felt when talking with Mitchell from StillSecure, Stacy from InfoExpress, and the Arvin/Irene/Rohit triumvirate at Perfigo. Unfortunately, somewhere along the way the NAC vendors all started tilting at the absolutely wrong windmills. I am pleased to say that NAC is now doing much better, and is sorting itself out - I would peg the segment at about $300M in 2012 revenues. One of the vendors that figured it out is ForeScout, which has been doing quite well thanks to unique technology, a focus on security automation, inclusion of mobile devices, and enthusiastic customer references. You can read a bit of what I think about ForeScout here!

Thursday, June 14, 2012

TechTarget security video reaches out

Sometimes threads just come together at opportune times. Earlier this week my friend Liz was asking me how many followers I had for my Security Vibes blog. My answer was that I didn’t know - I don’t check because my work tends to get around to the right people just fine. A day later I receive this nice email from John at Hirsch Identive (reprinted below without permission, but I don’t think he’ll mind :^). It refers to a video I shot for TechTarget’s security university a few months ago where I mention that NAC is a much better control technology than blocking technology with some interesting events coalescing around IF-MAP. I know I need to be better at tracing where my stuff appears and publishing links. I’ll get started on that Monday!
Eric: I just viewed a video clip at in which you discuss the current state of NAC. I perked up when you brought up the TCG IF-MAP standard as one of the more promising means of deploying effective NAC solutions. Hirsch Identive is possibly the only physical security member of TCG, and we have implemented IF-MAP as part of our offering. We publish our events (persons swiping cards at doors, etc.) to an IF-MAP server, making a person’s presence a piece of IF-MAP metadata. Compliant systems and devices can then subscribe to those events. The first use case we have identified is NAC, and both Juniper Networks and Enterasys NAC solutions can subscribe to our events and add physical presence as a policy in granting access to network resources. We see this as a real-world example of the long-awaited “convergence” of physical and network security. We have learned that when it comes to convergence, technology providers are sometimes ahead of customers, and we are always looking for ways to reach out beyond our usual physical security customer base for feedback on these kinds of concepts. I recognize that you must be very busy, but since you seem to be finely attuned to the topic, I was hoping to get your thoughts on the feasibility in the real world. If you have a few minutes, I would appreciate your thoughts. I have provided a link to a whitepaper that covers the topic from a physec point of view. Thanks so much for your time and regards,

Wednesday, June 6, 2012

Tufin celebrates IPv6 Day

Tufin has chosen IPv6 Day to announce the availability of the latest release of the Tufin Security Suite. The key feature of the R12-3 release is support for IPv6 addresses, and the ability to manage firewall rule sets with both IPv4 and IPv6 access control specifications. It turns out that this is a big deal - it will take years for IT to evolve to IPv6, so it is critical that IT start with security tools that can handle the long IPv6 hex addresses as well as the standard IPv4 addresses. Good job by Tufin in taking the leadership position. You can read more of what I think about this here.
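"Handling" IPv6 in a rule-set tool means more than accepting longer strings: the same prefix can be written several ways (2001:DB8:0000:0000::/64 and 2001:db8::/64 are identical), and an IPv4 "any" must never be allowed to cover IPv6 traffic. As an added example that is not part of the original post and has nothing to do with Tufin's own product, the snippet below uses Python's standard `ipaddress` module to canonicalise a mixed IPv4/IPv6 rule set, find rules that are duplicates despite different spelling, and evaluate a flow with first-match semantics. The rule syntax and the sample rules are constructed for the example and use documentation address ranges.

```python
"""Rule-set hygiene for mixed IPv4/IPv6 firewall policies: canonicalise
addresses so one IPv6 prefix written two ways is recognised as the same rule,
and match flows without ever mixing address families."""
import ipaddress

def parse_rule(line):
    """Constructed syntax: 'permit|deny <src-cidr> <dst-cidr> <tcp-port>'."""
    action, src, dst, port = line.split()
    return {
        "action": action,
        "src": ipaddress.ip_network(src, strict=False),  # strict=False tolerates host bits set
        "dst": ipaddress.ip_network(dst, strict=False),
        "port": int(port),
    }

def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def rule_key(rule):
    """Canonical form: .compressed collapses zero runs and lower-cases hex digits,
    so textual variants of the same IPv6 prefix compare equal."""
    return (rule["action"], rule["src"].compressed, rule["dst"].compressed, rule["port"])

def find_duplicates(rules):
    """Return (earlier_index, later_index) pairs of rules that are spelled
    differently but mean the same thing."""
    seen, dups = {}, []
    for i, rule in enumerate(rules):
        key = rule_key(rule)
        if key in seen:
            dups.append((seen[key], i))
        else:
            seen[key] = i
    return dups

def first_match(rules, src_ip, dst_ip, port):
    """First-match evaluation; traffic no rule matches hits an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["src"].version != src.version:  # an IPv4 'any' must not cover IPv6 flows
            continue
        if src in rule["src"] and dst in rule["dst"] and rule["port"] == port:
            return rule["action"]
    return "deny"

# Constructed rule set using RFC 5737 / RFC 3849 documentation ranges, not a real policy.
SAMPLE_RULES = """\
permit 10.1.0.0/16 203.0.113.10/32 443
permit 2001:DB8:0000:0000::/64 2001:db8:ffff::10/128 443
permit 2001:db8::/64 2001:0db8:ffff::10/128 443
deny 0.0.0.0/0 0.0.0.0/0 23
deny ::/0 ::/0 23
"""
RULES = load_rules(SAMPLE_RULES)

if __name__ == "__main__":
    print("duplicate rules:", find_duplicates(RULES))
    print(first_match(RULES, "2001:db8::5", "2001:db8:ffff::10", 443))
```

The second and third sample rules are the kind of duplicate that a tool working on raw strings never notices; comparing canonical forms catches it. The explicit `::/0` deny is also deliberate: without it, the IPv4 `0.0.0.0/0` rule would give a false sense that telnet is blocked everywhere, which is exactly the gap a dual-stack rule manager has to make visible.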

Friday, May 25, 2012

Early Vibe: Are you a human?

It is not often that I get a chance to talk with a security technology startup that is based in Detroit, but that is exactly where Are you a human? is headquartered. I suppose it shouldn’t surprise me since my two best software engineers when I was a rookie supervisor, Mary S and Carol Y, were both University of Michigan graduates. Are you a human? (AYAH) shows a similar adeptness in tackling problems that affect lots of people. AYAH was founded to give us relief from those annoying CAPTCHAs that web sites, blogs, and forums use to thwart spam entries generated by computers. We’ve all seen them – they are hard to read, annoying to complete, and lead to a significant drop-off rate among those who view CAPTCHAs as too much trouble. Also, there seems to be an industry growing up to offer CAPTCHA solutions to spammers to bypass the protection, and to stay ahead of that anti-CAPTCHA technology the puzzles get harder and harder for humans to read. I don’t even try to solve CAPTCHAs on my mobile devices any more.
The AYAH approach introduces object recognition, relationships between objects, and human response metrics in the form of completing a simple game. I like the dynamic metrics part – where an object is grabbed, how long it takes to move it, where the object is dropped, etc. It is a pretty interesting concept to produce active challenges that are more difficult for computers to solve while being easier for humans – and isn’t that the whole idea?
There is always the business side, as customers will want AYAH to be successful to create more plays. I can see the company making money with customer games involving product placements, or gaining bonus payments by reducing drop-off rates for customers that switch from CAPTCHAs. Heck, a game that allows humans to whack an emoticon has to have value! The folks at AYAH will figure it out. When I was working with RSA SecurID, two-factor authentication was defined as a combination of something you know, something you have, or something you are. We were thinking of something you are as a biometric – wish we had thought of it as “Are you a human?”

Friday, March 30, 2012

BYOD is here to stay

Business organizations are embracing the use of Android and Apple iOS-based tablets and smartphones in a big way. And why not? - they are light, easy to use, easy to carry, and easy to personalize. Bring your own device may be one of those cases where the marketing hype actually lags customer adoption!

The challenge for security teams is how to say "yes" to this revolution in end-user computing while still protecting the business infrastructure. If your organization can mandate installation of a mobile security application, then by all means leverage that capability. If your business cannot dictate endpoint security software, then you can use network security to assess and audit each tablet or smartphone device as it joins the network. In fact, that is the only way you can pragmatically account for both managed and unmanaged devices with one security solution. ForeScout, Cisco, Juniper, Bradford, and StillSecure have interesting ideas in this space. ForeScout in particular has a compelling BYOD story that they are starting to tell here.

Friday, March 16, 2012

SonicWALL or SonicBoom!

My rule of thumb on evaluating acquisitions is "How does the acquisition help customers in ways that cannot be achieved organically?" Sometimes the answer lies in acquiring key technology, such as with Trend Micro's acquisition of Third Brigade or Juniper's purchase of Mykonos; sometimes the answer lies in bringing solutions to new opportunities, such as with IBM scoring Q1 Labs. It is extraordinarily hard to blend diverse corporate cultures even with beneficial common goals, which is one of the reasons that acquisitions often fall short of their potential.

It has been a few days since Dell and SonicWALL have announced their acquisition, and given time to think about it I still love the deal. I'm not passing judgment on the value of the deal, but on its potential impact on customers. This agreement promises to benefit customers in fundamental ways and looks to be everything that a good deal should be.

SonicWALL is reinventing themselves from a company servicing SMB markets to a company marketing application intelligent next generation firewall products that compete strongly in high performance service provider networks. However, their past brand identity as an SMB-oriented vendor makes it challenging for SonicWALL to achieve explosive growth with its SuperMassive product line in large enterprise markets. Now SonicWALL has major financial backing to continue their reanimation in enterprise security and an opportunity to launch a new brand.

Dell is in a similar position of selling efficiently to SMBs, but desiring an entrée to larger deal sizes. Security tends to be driven by up-market revenues - in SonicWALL they have a flagship network security product that would be attractive to any large enterprise, and Dell also acquires security technology DNA that can only help beef up Dell's security product lines.

The only losers I can find in this deal are SonicWALL competitors. The space for next generation firewalls is heating up, and not everybody can be a winner – this will only get more interesting!

Tuesday, February 21, 2012

Early Vibe: CO3 Systems

CO3 Systems is a new security company with an excellent position, seasoned management team, and a ton of potential.

CO3 provides a cloud-based service to help companies prepare for, and then navigate through the process of a disclosure event resulting from a breach of regulated data. It fulfills such an obvious need that I am surprised more vendors are not specializing here – every large company will suffer a serious incident and every exposure of regulated data invariably results in expensive pandemonium. CO3 aims to help businesses save significant expense by generating a custom-fit incident response strategy and then providing the tools to manage the complexities of the notification process.

Market need: Most enterprises are affected by several international, federal, and state regulations for regulated data. Furthermore, the regulations regarding consumer privacy and the best practices associated with those regulations can change. Most enterprises are also not in the disclosure security business so CO3 can help educate the business about the potential costs and expected organization and “fire-drill” process when an incident occurs.

Leadership ability: The management team is as strong as they come. In fact, I would feel better about CO3 if they had been thrown from a few more horses. The team lists @Stake, Arbor, Axent, Counterpane, and Symantec in their lists of credits. The only obvious clunker is Authentica and even there engineering was the strength of that company.

Opportunity: The cloud service approach makes a lot of sense as companies will run low-expense what-if exercises most of the time, and then will experience a massive spike in activity when the breach is detected. CO3 will have to figure out how to deliver continuous education/service to maintain a healthy steady-state revenue flow and then price the disclosure service to reflect its value during a breach – without appearing predatory. CO3 can also drive managed service revenues which would make it attractive to large systems integrators, MSSPs, and even insurance companies.

It will be interesting to see how CO3 executes. Most security startups promise to rid the world of an attack or an obsolete security technology, but then have nothing to offer their customers if their product gets beat by a clever attack. CO3 spends the time researching the regulatory disclosure requirements, working with their customers to have an actionable strategy in place, and then helping to coordinate the response. It is one of the few areas in security with clear ROI benefits. They are nicely positioned with an experienced team – look for good things from CO3.

Thursday, February 2, 2012

NAC and VDI work well together

I have spoken with a few companies lately that have made a nice security solution out of integrating NAC and VDI products.

Security officers have always liked most of the traditional NAC story – automatically assess the health of the endpoint, control access to applications at the port level, and have end-users bring their own devices into compliance. That has led to a resurgence of interest in NAC products from the likes of Cisco, ForeScout, Juniper and Microsoft.

However, the NAC problem has always been the concept of quarantining devices that fail health checks, are unmanaged because of device type (such as iPads or mobile devices), or are unmanaged because they are owned by business partners (and maybe do not run 802.1X). In many of these cases the devices cannot automatically be brought into a safe compliant state, but the user still needs to conduct business on the network. There are not many security officers who want to tell business executives that they have blocked access to the network – a better approach is to offer an alternative delivery of the application.

A solution for some is to host guest desktops in the datacenter and to use VDI from the likes of Citrix, Microsoft, Quest or VMware to allow users to do their jobs. With VDI, the organization has far fewer concerns about valuable data residing on an infected endpoint since the data never leaves the datacenter in a persistent form, access to critical applications is still controlled by strong authentication, and security can recommend a safe, compliant means of using the network.

If you are running NAC for automated remediation and quarantining of non-compliant or unregistered endpoints, look into granting access to applications with VDI.