Friday, July 24, 2015

Security has to hustle to catch the SDN train before it leaves the station

Security has a problem with Software Defined Networking. Organizations are embracing SDN for its adaptability to business needs, lower acquisition costs, and potentially lower operating costs. However, there is insufficient practical experience to guide the security industry in adequately supporting SDN infrastructures. This results in either organizations moving forward with SDN without waiting for security to catch up or organizations moving forward at greater expense by shoe-horning traditional security capabilities into SDN architectures. We feel that the time has never been better for new network security upstarts to challenge the status quo.

The Ogren Group View

It seemed like every other keynote presentation at RSA Conference 2015 pointed out that security has failed miserably; however, it was terribly difficult to find compelling ideas from these industry leaders as to how to fix the security problems. Much of the discussion focused on the existence of security product silos that do not interact effectively with each other, and the need for organizations to try harder.

It is our take that many of the traditional network security silos are obsolete and over-valued, and that the network security industry desperately needs to get ahead of the curve by adopting the principles of software defined networking architectures. Traditional inspection and rigid perimeter concepts will be even more ineffective in cloud-driven SDN architectures than they are today.

The security vendors that break the mold of traditional security, with a particular emphasis on detection and incident response/automated remediation, will have significant security impact in the SDN world.


With challenges come opportunities for security vendors. Security is typically a reactionary industry that often gets called out for battling attackers with defenses designed for the last cyber-war. We believe it is very clear that traditional security products will struggle to be effective in SDN environments.

SDN, with its ability to efficiently reconfigure the network, is a disruptive approach that requires security vendors to step up with innovative solutions to remain relevant. We find significant potential in companies such as Cyphort, Exabeam, Fortscale, LightCyber, TaaSera, vArmour, Vectra, and zScaler that offer many of the characteristics of successful SDN-oriented security companies:

Adapt with changes in the network infrastructure. Static, monolithic products will have to become agile and flexible. For instance, an IPS cannot expect to be on every data path, and placing an IPS inside every virtual server makes little sense. Many of the content inspection security capabilities, such as IPS and DLP, will have to become software defined themselves to deliver benefits to the business.

Empower analytical detection capabilities. It will become increasingly difficult for security teams to detect the presence of attacks as resources are automatically provisioned, upgraded, put in motion, and expired. While organizations understand that security cannot block every attack, they do need more help detecting attacks living within their networks. We feel that there is room to grow for analytical and behavioral approaches that can be customized to detect faults within complex networks.

Accelerate incident response and incident remediation. Just as SDN offers the capability to adapt to business performance demands, so too should SDN adapt to security incident demands. Security seems to be one of the few industries that is excused when its products fail - organizations will seek out vendors that make headway automating incident response and remediation for attacks that evade security.


In many ways SDN is the antithesis of traditional security concepts. The SDN approach of virtualizing control planes and data planes for a flexible network that can adapt at the speed of business presents problems for security vendors schooled in rigid controls and content inspections.

One large challenge is aligning security with the adaptive nature of SDN. Software defined networks promise to dynamically shift resources to meet business demands, even if those resources lie off premise in the cloud. Security needs to adapt with shifting applications and network resources to ensure acceptable coverage, prevention, detection, and remediation capabilities.  

While security prefers to inspect all content and log everything for subsequent investigations, this comes at the price of performance degradation if done inline. That is why most IPSs and data collectors hang off switch SPAN ports, but forcing traffic routes through security devices becomes much more challenging with SDN. Placing security devices everywhere is just not practical for organizations committed to an SDN infrastructure.

Finally there is the challenge of access controls and blocking risky applications, connections, and users. A Software Defined Network needs to react to a dynamic business environment, effectively responding to spikes in service demands without destabilizing the network. There simply is not going to be much opportunity in most verticals for security teams to insert themselves into these processes.

The Security Driven Network concept, defined as security policies inhibiting evolution to business-enhancing Software Defined Networking, is a dog that will not hunt for most organizations.

Get in the minds of IT

Some of the security challenges in an SDN world revolve around the hesitancy to deploy new security technologies. IT can be risk averse when it comes to evaluating new architectures, especially when it comes to security with concerns about effectiveness, loss of control, costs, and the job continuation program if new technologies fail. It is incumbent on SDN-oriented security vendors to educate corporate decision makers so they can act without resorting to old ineffective bromides or the lack of compliance history as excuses to not change, and to help justify budget line items for SDN security proof-of-concept projects.

The industry does not understand what it means to operate a compliant software defined network. We feel it is the vendors that must interpret compliance standards for SDN, and in some cases form best practice standards to help guide early adopters.

We believe that security mechanisms in physical networks have generally proven to be ineffective against attacks and imagine the problem will worsen in software defined networks. This presents an opportunity for new vendors with new security approaches to take off, with budget allocations coming at the expense of traditional technologies.

Thursday, July 9, 2015

Spikes Security's innovative approach to securing browser activity

Browsers present a special problem for security-conscious organizations. While essential as a ubiquitous interface to cloud-based applications, browsers also provide handy interfaces for attacks to penetrate endpoints and the network. Spikes Security is responding to this problem with a hardware appliance that hosts browser execution in a secure environment deployed outside the firewalls and away from the corporate network. The Ogren Group feels this is a significant architectural approach as it affords security teams a safe harbor for browsers, keeps attacks from spreading through the network, and provides security teams an opportunity to secure mobile browsing activity.

When an employee launches a browsing session, a secure connection is transparently made to the Spikes Security appliance. The appliance fires up a virtual image of the browser which executes in hardware-enforced isolation. The vendor promises that attacks cannot leap out of isolation to infect the network or other browsing sessions hosted on the appliance. It is a clever idea which also offers these benefits:
  1. Secure user browsing sessions, particularly those on smartphones and tablets, through a corporately supported security device without the hassles of managing endpoint software. This is huge, as IT can offer users heightened endpoint security that is transparent to browsing activity and offers a point of on-premise focus for securing cloud activity.
  2. Scan all downloads for known threats and audit mobile use of corporate resources. The IT-supported appliance makes it easier to block infected downloads before the file reaches the endpoint.
  3. Accelerate the timeline for receiving the security advantages of hardware isolation to retard the spread of an attack without having to refresh PCs, wait for Windows upgrades, or offer software solutions for mobile devices.

Spikes Security is a new vendor so the Ogren Group recommends some practical prudence in evaluating the solution with real users. In addition to the usual growing pains of new products, there are specific issues that enterprise buyers must address during the proof of concept. These include:
  1. Ensure that users do not disable browser settings directing traffic to the security appliance. There will always be users that do not want security teams having visibility into their browsing activity - these users will be noticeable by their absence from the activity logs.
  2. Assure users that their browsing privacy is not being invaded. Use auditing responsibly - only look at browser access to corporate applications, ignore personal browsing activity and keep users on your side.
  3. Evaluate the number of concurrent browsing sessions in your organization to plan for the proper number of Spikes Security appliances, and be sure to understand the user impact if browsing demand exceeds appliance capacity.
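The first and third checks above can both be driven from the appliance's session logs: an enrolled user who never appears in the log is the "noticeable by absence" signal of item 1, and the peak number of simultaneously open sessions is the number item 3 asks you to size against. The Python below is an added example and is not Spikes Security's code; the vendor's real log format is not documented on this page, so it assumes a simple one-line-per-event `timestamp,user,event` format with `START`/`END` events, and the enrolled-user list, log lines and per-appliance capacity are all constructed sample values.

```python
"""Two proof-of-concept checks for a browser-isolation appliance, run
against its session log:
(1) enrolled users who never appear in the log (possible appliance bypass);
(2) the peak count of concurrent sessions, compared with rated capacity.

ASSUMPTION: the log is 'timestamp,user,event' per line, ISO-8601 UTC,
with event START or END. Sample data below is constructed."""

from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Constructed sample: users whose browsers should be routed to the appliance.
ENROLLED_USERS = {"alice", "bob", "carol", "dave", "erin"}

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2015-07-09T09:00:00Z,alice,START
2015-07-09T09:01:30Z,bob,START
2015-07-09T09:02:00Z,carol,START
2015-07-09T09:05:00Z,alice,END
2015-07-09T09:05:00Z,dave,START
2015-07-09T09:06:00Z,bob,END
2015-07-09T09:10:00Z,carol,END
2015-07-09T09:12:00Z,dave,END
"""

# Assumed (constructed) rated concurrent-session capacity of one appliance.
APPLIANCE_CAPACITY = 3

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse log lines into (timestamp, user, event) tuples.

    Blank and malformed lines are skipped rather than aborting the check,
    since a PoC log export is rarely clean."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue
        ts_str, user, event = parts
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, user.strip(), event.strip().upper()))
    events.sort(key=lambda e: e[0])
    return events


def users_absent_from_log(enrolled: Iterable[str], events: List[Event]) -> List[str]:
    """Enrolled users with no session at all: the bypass signal from item 1."""
    seen = {user for _, user, _ in events}
    return sorted(set(enrolled) - seen)


def peak_concurrency(events: List[Event]) -> Tuple[int, Optional[datetime]]:
    """Sweep events in time order and return the highest number of sessions
    open at once, plus the timestamp at which that peak was first reached."""
    open_sessions = 0
    peak = 0
    peak_at: Optional[datetime] = None
    # At equal timestamps, process END before START so that a session
    # ending exactly as another begins is not counted as two at once.
    ordered = sorted(events, key=lambda e: (e[0], 0 if e[2] == "END" else 1))
    for ts, _, event in ordered:
        if event == "START":
            open_sessions += 1
        elif event == "END":
            open_sessions = max(0, open_sessions - 1)
        if open_sessions > peak:
            peak, peak_at = open_sessions, ts
    return peak, peak_at


def appliances_needed(peak: int, capacity: int) -> int:
    """Smallest number of appliances whose combined capacity covers the peak."""
    if capacity <= 0:
        raise ValueError("capacity must be positive")
    return max(1, -(-peak // capacity))  # ceiling division


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enrolled users never seen:", users_absent_from_log(ENROLLED_USERS, evs))
    pk, at = peak_concurrency(evs)
    print(f"peak concurrent sessions: {pk} at {at}")
    print("appliances needed:", appliances_needed(pk, APPLIANCE_CAPACITY))
```

On the sample data the absent user is `erin` and the peak is three concurrent sessions, so one appliance of the assumed capacity covers it; in a real proof of concept the log would span days and the absent-user list should be reconciled against HR data (leave, new starters) before anyone is treated as a bypass case.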

The Ogren Group believes this is a neat architectural approach for organizations relying on cloud-based applications - and every organization has a cloud-based application strategy. Spikes Security is a promising vendor that, with proper execution, can help organizations protect against browser-borne infections and confidential data loss.