Ogren Group Security Vibes - Security topics and links from the Ogren Group. Eric Ogren.<br />
<br />
<b>DRM could be making a comeback in the enterprise</b> (2015-08-26)<br />
I recently helped CSO magazine with an <a href="http://www.csoonline.com/article/2974261/data-protection/drm-could-be-making-a-comeback-in-the-enterprise.html">article on file security</a>. The author, Maria, was impressive: she thought through the problem of enterprises protecting data without hassling employees and arrived at a lot of interesting points.<br />
<br />
It is a good piece and is worth checking out.<br />
<br />
<br />
<b>Security and IoT: work to be done</b> (2015-08-12)<div class="MsoNormal">
A few weeks ago I was lucky enough to moderate a lively
discussion with Chris Eng of Veracode and Josh Corman of Sonatype. I have done
a bunch of these things, and this one, organized by Dark Reading, "<a href="https://webinar.darkreading.com/19880?keycode=DRWEOD">The Internet of Things, the Software Supply Chain and Cybersecurity</a>", was one of the most timely, informative, and memorable. Chris ("security faults are product defects!") and Josh ("I
am the cavalry") are super passionate about IoT security - you should
definitely spend an hour checking it out.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<a href="http://www.cbsnews.com/news/hackers-hijack-corvette-via-text-message/">IoT security has gone mainstream in the press</a>! This story of a hijacked Corvette is just one of many recent examples. We know that smart devices are seldom built
with security in mind, and we trust that the controllers in the cloud are secure,
but the truth is pretty scary.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The percentage of open source code in IoT devices is staggering.
You'll have to watch the video or read the whitepapers on Veracode's or Sonatype's
web sites for the numbers.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<ol>
<li>The first problem is that the owners of the devices don't
know what vulnerabilities they are inheriting in the open source code and are building
into their products. There are some interesting legislative ideas being chatted
up, but really it is up to us security experts to help educate and offer
solutions.</li>
<li>The second problem is that these devices seldom have a patch
mechanism to fix security defects. So once an exploit is discovered, like being
able to remotely control a car, there is no pragmatic or efficient process for
correcting the fault. A secure patch mechanism has to be mandatory!</li>
<li>The third problem is that the cloud applications that control the IoT
devices are usually put into production without a rigorous review by
experienced security researchers. This is the cyber-jackpot for IoT - hacking
a device is just one thing, but hacking the controller application in the
cloud gives unauthorized access to all the devices. Yikes!</li>
</ol>
<br />
<br />
<div class="MsoNormal">
IoT security is a problem that extends all the way down the supply
chain, and it has the potential to affect everyone's daily life. It is a big deal,
and it is time for the security industry to treat it as a strategic initiative.</div>
<br />
<b>Security has to hustle to catch the SDN train before it leaves the station</b> (2015-07-24)<div class="MsoNormal">
Security has a problem with Software Defined Networking.
Organizations are embracing SDN for its adaptability to business needs, lower
acquisition costs, and potentially lower operating costs. However, there is
insufficient practical experience to guide the security industry in adequately
supporting SDN infrastructures. This results in either organizations moving
forward with SDN without waiting for security to catch up or organizations
moving forward at greater expense by shoe-horning traditional security
capabilities into SDN architectures. We feel that the time has never been
better for new network security upstarts to challenge the status quo.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>The Ogren Group View</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
It seemed like every other keynote presentation at RSA
Conference 2015 pointed out that security has failed miserably, but it was
terribly difficult to find compelling ideas from these industry leaders as
to how to fix the security problems. Much
of the discussion focused on the existence of security product silos that do
not interact effectively with each other, and on the need for organizations to try
harder.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It is our take that many of the traditional network security
silos are obsolete and over-valued, and that the network security industry
desperately needs to get ahead of the curve by adopting the principles of software
defined networking architectures. Traditional inspection and rigid perimeter
concepts will be even more ineffective in cloud-driven SDN architectures than
they are today.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The security vendors that break the mold of traditional
security, with a particular emphasis on detection and incident response/automated
remediation, will have significant security impact in the SDN world.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Opportunities</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
With challenges come opportunities for security vendors.
Security is typically a reactionary industry that often gets called out for battling
attackers with defenses designed for the last cyber-war. We believe it is very
clear that traditional security products will struggle to be effective in SDN
environments.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
SDN, with its ability to efficiently reconfigure the
network, is a disruptive approach that requires security vendors to step up
with innovative solutions to remain relevant. We find significant potential in
companies such as Cyphort, Exabeam, Fortscale, LightCyber, TaaSera, vArmour,
Vectra, and zScaler that offer many of the characteristics of successful
SDN-oriented security companies:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Adapt with changes in the network infrastructure. Static,
monolithic products will have to become agile and flexible. For instance, IPSs
cannot expect to be on every data path, and placing an IPS inside every virtual
server makes little sense. Many of the content inspection security
capabilities, such as IPS and DLP, will have to become software defined
themselves to deliver benefits to the business.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Empower analytical detection capabilities. It will become
increasingly difficult for security teams to detect the presence of attacks as
resources are automatically provisioned, upgraded, put in motion, and expired. While
organizations understand that security cannot block every attack, they do need
more help detecting attacks living within their networks. We feel that there is
room to grow for analytical and behavioral approaches that can be customized to
detect faults within complex networks.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Accelerate incident response and incident remediation. Just
as SDN offers the capability to adapt to business performance demands, so too
should SDN adapt to security incident demands. Security seems to be one of the
few industries that is excused when its products fail - organizations will seek
out vendors that make headway automating incident response and remediation for
attacks that evade security.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Challenges</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
In many ways SDN is the antithesis of traditional security
concepts. The SDN approach of virtualizing control planes and data planes for a
flexible network that can adapt at the speed of business presents problems for
security vendors schooled in rigid controls and content inspections.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
One large challenge is aligning security with the adaptive
nature of SDN. Software defined networks promise to dynamically shift resources
to meet business demands, even if those resources lie off premise in the cloud.
Security needs to adapt with shifting applications and network resources to
ensure acceptable coverage, prevention, detection, and remediation
capabilities. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
While security prefers to inspect all content and log
everything for subsequent investigations, this comes at the price of
performance degradation if done inline. That is why most IPS and data
collectors hang off switch SPAN ports, but forcing traffic routes through security
devices becomes much more challenging with SDN. Placing security devices
everywhere is just not practical for organizations committed to an SDN
infrastructure.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Finally there is the challenge of access controls and
blocking risky applications, connections, and users. A Software Defined Network
needs to react to a dynamic business environment, effectively responding to
spikes in service demands without destabilizing the network. There simply is
not going to be much opportunity in most verticals for security teams to insert
themselves into these processes.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The Security Driven Network concept, defined as security
policies inhibiting evolution to business-enhancing Software Defined Networking,
is a dog that will not hunt for most organizations.</div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
<b>Get in the minds of IT</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Some of the security challenges in an SDN world revolve
around the hesitancy to deploy new security technologies. IT can be risk averse
when it comes to evaluating new architectures, especially when it comes to
security with concerns about effectiveness, loss of control, costs, and the job
continuation program if new technologies fail. It is incumbent on SDN-oriented
security vendors to educate corporate decision makers so they can act without
resorting to old ineffective bromides or the lack of compliance history as
excuses to not change, and to help justify budget line items for SDN security
proof-of-concept projects.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The industry does not understand what it means to operate a
compliant software defined network. We feel it is the vendors that must
interpret compliance standards for SDN, and in some cases form best practice
standards to help guide early adopters. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We believe that security mechanisms in physical
networks have generally proven to be ineffective against attacks, and we imagine
the problem will worsen in software defined networks. This presents an
opportunity for new vendors with new security approaches to take off, with
budget allocations coming at the expense of traditional technologies.</div>
<br />
<b>Spikes Security's innovative approach to securing browser activity</b> (2015-07-09)<div class="MsoNormal">
Browsers present a special problem for security-conscious
organizations. While essential as a ubiquitous interface to cloud-based
applications, browsers also provide handy interfaces for attacks to penetrate
endpoints and the network. <a href="http://www.marketwired.com/press-release/spikes-security-introduces-breakthrough-isla-web-malware-isolation-system-eliminating-2034195.htm">Spikes Security is responding to this problem </a>with a
hardware appliance that hosts browser execution in a secure environment deployed
outside the firewalls and away from the corporate network. The Ogren Group
feels this is a significant architectural approach as it affords security teams
a safe harbor for browsers, keeps attacks from spreading through the network, and
provides security teams an opportunity to secure mobile browsing activity. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
When an employee launches a browsing session, a secure
connection is transparently made to the Spikes Security appliance. The
appliance fires up a virtual image of the browser which executes in hardware-enforced
isolation. The vendor promises that attacks cannot leap out of isolation to
infect the network or other browsing sessions hosted on the appliance. It is a
clever idea which also offers these benefits:</div>
<div class="MsoNormal">
</div>
<ol>
<li>Secure user browsing sessions, particularly those on
smartphones and tablets, through a corporately supported security device
without the hassles of managing endpoint software. This is huge, as IT can
offer users heightened endpoint security that is transparent to browsing
activity and offers a point of on-premise focus for securing cloud activity.</li>
<li>Scan all downloads for known threats and audit mobile use
of corporate resources. The IT-supported appliance makes it easier to block
infected downloads before the file reaches the endpoint.</li>
<li>Accelerate the timeline for receiving the security
advantages of hardware isolation to retard the spread of an attack without
having to refresh PCs, wait for Windows
upgrades, or offer software solutions for mobile devices. </li>
</ol>
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Spikes Security is a new vendor so the Ogren Group
recommends some practical prudence in evaluating the solution with real users. In
addition to the usual growing pains of new products, there are specific issues that
enterprise buyers must address during the proof of concept. These include:</div>
<div class="MsoNormal">
</div>
<ol>
<li>Ensure that users do not disable browser settings directing
traffic to the security appliance. There will always be users that do not want
security teams having visibility into their browsing activity - these users
will be noticeable by their absence from the activity logs.</li>
<li>Assure users that their browsing privacy is not being
invaded. Use auditing responsibly - only look at browser access to corporate applications,
ignore personal browsing activity and keep users on your side.</li>
<li>Evaluate the number of concurrent browsing sessions in your
organization to plan for the proper number of Spikes Security appliances, and
be sure to understand the user impact if browsing demand exceeds appliance capacity.</li>
</ol>
<br />
<div class="MsoNormal">
</div>
<br />
<div class="MsoNormal">
The Ogren Group believes this is a neat architectural
approach for organizations relying on cloud-based applications - and every
organization has a cloud-based application strategy. Spikes Security is a
promising vendor that, with proper execution, can help organizations protect against
browser-borne infections and confidential data loss.</div>
<br />
<b>CIO/CISO Summit Boston</b> (2015-06-26)<div class="MsoNormal">
We all have our pet peeves when it comes to security
technologies and practices. One of mine is the hesitancy of security
practitioners to openly share their experiences lest they expose a serious
weakness to the world. Trust me, if you have large vulnerability issues the bad
guys already know about it! You are much better off talking with peers in your
industry to find out what works for them so you can learn from them and make
progress.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The healthy exchange of security ideas from enterprise
leaders was one of the reasons I was excited to be invited to the CIO/CISO
Summit held last week in Boston. This conference provides an opportunity for
CIO/CISOs to participate in roundtable discussions, absorb highlights from
presentations and otherwise network with peers. It is an inspirational idea
that seems like time well spent.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A few points resonated with me from one of the sessions:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Strong
security processes can lead to user fatigue, and user support is critical for
security.</b> We sometimes overlook the impact security decisions can have
on our people. A CPA friend bemoans that accounting guidelines call for a
separate, un-memorizable password for each and every client and that passwords
must be changed regularly. So of course he writes them all down in multiple
obvious places so he can work from home or the office ... and now has a jaundiced
view of IT security recommendations. Ridiculous. If you are on a security team,
be sure to consider the impact on users and avoid being invasive "for
security's sake" whenever possible.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Technology
is important, but be careful of a false sense of security.</b> Every
vendor promises the next great thing, and many products are indeed great. But
no product does everything great. SIEMs are cool, but your data is already lost
by the time any event is recorded; user analytics are a fascinating approach to
detecting the presence of malware, but there will be false positives in
anything based on behavioral scoring. One takeaway is that fundamentals are
fundamental for a reason - be sure to have and enforce standard operating
environments for important servers, efficient processes to patch critical
vulnerabilities, documented processes to rebuild after attacks, and only run
the latest releases of software. Killer technology is best when supplementing a
security program focused on strong fundamentals.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Reserve
more of your security budget to embrace new user activity.</b> In the
last 5 years, where has your organization changed the most, and how is your
security program adjusting to those changes? This is a difficult question because
security likes to control stable processes and technology, but things cannot
always stay the way they are. This may mean that capabilities you fought hard
for just a few years ago are suddenly worth a lot less to you now (can you say
MDM?). It is easy to see the growth of the cloud and mobile devices, so instead
of trying to force them to behave like your physical infrastructure, isn't it
more pragmatic to have security get ahead of user activity? Be willing to
change security processes with the times - even if it means leaving good legacy
stuff behind.</div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
I was impressed with the program put together by the CIO/CISO
Summit. I am hoping that your region has something similar. While it is always
nice to socialize with peers, it is even better to have challenging security
conversations.</div>
<br />
<b>Research calendar for 2015</b> (2015-05-20)<div class="MsoNormal">
My post-RSA research is moving along at a nice accelerating
pace! After being laid up for far too long, I have set an ambitious 2015 plan
intending to cover:</div>
<div class="MsoNormal">
<br /></div>
<ol>
<li>User controls and behavior analytics,</li>
<li>Next generation endpoint security,</li>
<li>Securing virtualized infrastructures,</li>
<li>Re-imagining file security, and</li>
<li>Advances in practical network integrity monitoring</li>
</ol>
<br />
<div class="MsoNormal">
My <i>user controls and behavior
analytics</i> report is well underway,
with several vendor briefings and a few background-only enterprise briefings
already completed and a June publish date targeted. As usual, my security
segment reports turn up interesting trends - what started out as
"protect the business against unauthorized privileged insider activity"
has become more of "protect the business against malicious threats via inappropriate
user behavior detection". That makes sense, in that security must detect malware
grabbing a user's credentials, and enterprises always have more budget for
anti-malware provisions than for controlling users. Stay tuned as I dig deeper
into some clever innovations that every security team should be evaluating.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Along the same line, vendors are looking at re-imagining file
security in light of malware protection and the evolution towards cloud
architectures. It is stunning to think, in these days of disclosed sensitive
data loss, that none of the primary security technologies - firewalls, antivirus,
IPS, IAM, SIEM - has any concept of file security! The best you can do is to
control access to servers, but honestly you cannot control where your files go
once they reach a remote PC. Fortunately, there are vendors worrying about what
happens to your files once they travel beyond the firewalls. There are some
excellent concepts discussed by <a href="http://www.scmagazine.com/file-sharing-and-collaboration--todays-data-leakage-dilemma/article/411485/">SC Magazine and FinalCode in a May 21st webcast</a> that you may find interesting.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A lot of vendors are scrambling for a category to detect
attacks that evade classical signature-oriented defenses. I am quite enthused
about the next generation endpoint players and about those looking at the
problem from a network integrity viewpoint. Lots seem to be scrambling towards EDR
even though nobody, including Gartner, really knows what EDR is. So I'll take a
crack at defining next generation endpoint security and network integrity with
an eye to solving specific enterprise problems that cannot be solved via
classical methods. </div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
Finally, let's hope that the government actually does the
right thing by restricting NSA cyber activities, and that the NSA stops
treating laws like Massachusetts drivers treat yellow lights. Just because you
can eavesdrop, collect data on private conversations, and develop malware
attacks doesn't mean that you should. Mother's Day just passed - maybe the NSA
got an earful from their moms on how to behave?</div>
<br />
<b>Untitled post</b> (2015-05-01)<div class="MsoNormal">
Hard to believe that it has been almost a week since I got
home from RSA 2015! It was a whirlwind week reconnecting with friends and
having fascinating security discussions at every turn. Security is riding high
and this had to be the largest RSA Conference yet whether measured by numbers
of attendees or exhibitors!</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Of course, there is always a mix of experiences so here is
my brief recap of the highs and lows of the week.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Things that made me smile:</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<ol>
<li>The new breed of network security vendors, including
<a href="https://www.cyphort.com/products/firewhy/">Cyphort</a>, <a href="http://www.elastica.net/2014/02/introducing-elastica/">Elastica</a>, <a href="https://www.lastline.com/customers/success">Lastline</a>, and <a href="https://www.taasera.com/why-taasera">TaaSera</a> taking dead aim on detecting malware
within enterprise networks. They take different approaches, but all of them
combine intelligent analysis of network and endpoint behavior to fill in the
blanks between AV and IDS systems. Neat stuff!</li>
<li>FIDO and smartphone based authentication systems that
elevate the prospect of widespread consumer adoption by distributing proof of identity
to remote devices. There are so many phones and devices that a person carries
that separately purchased and managed security tokens are becoming less and
less appealing. I talked with <a href="http://www.identiv.com/press-releases/press/identiv-makes-first-rsa-appearance-headlining-identity-new-perimeter/">Identiv</a>, <a href="https://keypasco.com/solution.html">Keypasco</a>, <a href="https://www.noknok.com/how-we-do-it/videos">Nok Nok</a>, and <a href="http://www.emc.com/about/news/press/2015/20150421-02.htm">RSA VIA</a> at the
show and came away from each excited about the future direction of
authentication.</li>
<li>A shout out to the RSA Conference itself for their edict
banning booth babes. It seems like more than a few sharp female security
professionals were being treated as if they were at the conference only for
their looks, and of course others were there only for their ability to flaunt
their curves and swipe badges. The conference committee put an end to that
practice and the RSA experience was far, far better as a result. Two thumbs up
there!</li>
<li>Best parties? I bumped into a lot of folks at the Qualys
event, and scored an autographed copy of Brian Krebs's <i><a href="http://krebsonsecurity.com/tag/spam-nation/">Spam Nation</a></i> for reading
on a rainy New England day. I also had a great time clubbing with <i><a href="https://www.youtube.com/watch?v=jhgVu2lsi_k">Royal Blood</a></i>,
thanks to <a href="https://www.varmour.com/index.php?option=com_content&view=article&id=56&Itemid=144&lang=en">vArmour</a>, where it was dark enough that only a few close
to me could laugh at my excuse for moves :).</li>
</ol>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Things that made me pause:</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<ol>
<li>"Security is broken". I must have heard this a
hundred times throughout the week, from CEOs to demo engineers. Unfortunately,
most of the people saying "security is broken" followed it up with an
upbeat description of their product's 5.2 dot release - which hasn't moved the
security bar in years. I would have liked hearing more innovative attempts to fix
security's problems.</li>
<li>I can't help but feel that the attention paid to Threat
Intelligence is the best example of how broken security is. Think about it - it
is basically tossing threat information to enterprise security and telling them
to go protect themselves. Seems it is our job as security professionals to
analyze security threats, protect the enterprise, and help them recover when an
attack inevitably breaks through.</li>
<li>My federal government tax dollars at work. I honestly do not
see how the government believes it should be in the consumer security business,
and nothing has shown me that they can do the job even adequately. Yet, there
were booths in the exhibit halls by the DHS, DHS Science & Technology, FBI,
Federal Reserve Bank, NSA and Treasury. I get that DHS is the leading vertical
for many security vendors, money talks and lively discourse is good. But
wouldn't we be better served if the government figured out how to prosecute
cyber-thieves, established national disclosure policies, and educated
enterprises on investigative requirements for incident response plans? </li>
</ol>
<br />
<br />
<b>Endpoint Monitoring is a Strategic Imperative for Business Operations</b> (2015-04-18)<div class="MsoNormal">
Invincea is starting off what promises to be an exciting RSA
2015 with its <a href="http://www.invincea.com/2015/04/invincea-redefines-endpoint-security-with-integrated-endpoint-cloud-analysis-and-enterprise-response-capabilities/">Advanced Endpoint Protection announcement</a>, and I am looking forward to catching up with the latest <a href="http://www.emc.com/security/rsa-ecat.htm">RSA ECAT</a>, <a href="http://www.emc.com/security/rsa-ecat.htm">Bromium vSentry</a>, <a href="http://www.cybereason.com/advantage/">Cybereason</a>, and more in the endpoint security space. (Also keen on a few others, but that is for next week :). Here is something I wrote a while ago that still reflects my thinking today!:</div>
<div class="MsoNormal">
<i><br /></i></div>
<div class="MsoNormal">
Continuous endpoint monitoring has become a strategic
imperative for many security organizations. Modern attacks designed to extract
confidential information modify endpoint software, reconnoiter your network
looking for exploitable weaknesses, and connect to externally-sourced servers
to deliver your secrets. The inevitable result is a labor intensive
investigation to detect infected systems and a costly recovery process that
impacts the business. If you are not continuously monitoring your endpoints,
servers and connected user devices, then you will not have the intelligence to
rapidly detect attacks within your perimeter and expeditiously restore normal
business operations. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
You have all invested in the latest pattern-matching cyber-security
defenses to prevent attacks from penetrating the network. Traditional
anti-malware is a required fundamental, but it has proven incapable of
preventing threats and of cleaning up after an infection. In fact, it is difficult
to determine what constitutes best-of-breed anti-malware, and many of you base
purchase decisions on price and business relationships, knowing that you need to
check the compliance box and that this leaves large gaps in your cyber-security
practice that you must account for.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
CISOs are now expected to improve operational performance in
detecting security incidents and to reduce the time and energy required to
return infected devices to a secure state after an attack is detected.
This strategic imperative to integrate detection of and recovery from security
events with business operations drives demand for effective monitoring of
servers and user endpoints. You will also find organizational benefits:
security teams that use endpoint intelligence integrate better with IT teams.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The main features of a continuous endpoint monitoring
program include:</div>
<div class="MsoNormal">
<br /></div>
<ul>
<li><b>Automate behavioral approaches to monitor changes in configurations,
network usage, and memory utilization.</b> All attacks leave traces that can be
detected: insertion of attack logic into executable code in memory or in
persistent storage; probing of your network in search of vulnerable endpoints
that can join the attack or that host confidential information the intruder can
monetize; and communication with external application services and IP
addresses to pilfer your electronic business information assets. Deploy
endpoint monitoring to detect unauthorized changes to your infrastructure that
may indicate the presence of an attack.</li>
<li><b>Use endpoint monitoring to help you confirm changes to your security
policy, including deployment of software upgrades and patches, and retirement
of obsolete or insecure software.</b> While endpoint monitoring solutions
analyze endpoints for the presence of infections, the process also arms you
with independent intelligence on actual software configurations. Information
on where executable programs are installed in your network can prove invaluable
when it comes time to plan and launch attack investigations and cleanup
operations. You get what you inspect, not what you expect.</li>
<li><b>Endpoint monitoring, as a single source of information on software and
network activity, becomes a focal point for the integration of security with
business operations.</b> The business integration value of a continuous
endpoint monitoring program goes well beyond enhancing operational security
performance for detecting cyber-threats and returning to a compliant business.
IT organizations, such as end-user service desks, application services, network
management, and quality assurance, increasingly use security monitoring
technologies as a go-to source of real-time information on what is actually
happening on endpoints. They do this because endpoint monitoring reduces errors
and makes their jobs easier. You will find IT colleagues using your endpoint
monitoring solution to quickly gather the information they need to maintain the
infrastructure.</li>
</ul>
<br />
<div class="MsoNormal">
<br /></div>
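<div class="MsoNormal">
As an added illustration of the first two program features above (this is not code from the original post, nor from Invincea or any other vendor named in it), the Python below baselines an endpoint's executables and outbound connections, reports what changed against that baseline, and checks that a patch actually landed on every host in a fleet. All snapshots, host names, paths and digests are constructed in-line; the collectors that would walk a real filesystem and socket table are assumed and not shown.</div>

```python
"""Constructed example of continuous endpoint monitoring: baseline what is
installed and what talks to the outside, report deviations, and verify a
patch rollout. Added for illustration; not Ogren Group or vendor code."""
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    """One endpoint's observed state: path -> sha256 of the executable,
    plus the set of (process, remote_host, remote_port) connections."""
    executables: dict
    connections: frozenset


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_snapshot(files: dict, connections) -> Snapshot:
    """Build a snapshot from file contents and connection tuples.
    On a real endpoint these inputs would come from a filesystem walk and the
    socket table (assumed collectors); here they are passed in so the example
    runs offline."""
    digests = {path: sha256_hex(content) for path, content in files.items()}
    return Snapshot(digests, frozenset(connections))


def diff_snapshots(baseline: Snapshot, current: Snapshot, approved_hosts) -> list:
    """Return sorted (finding, detail) pairs: executables that appeared,
    changed or vanished, and new outbound connections to hosts that are not
    on the approved list. Anything not baselined and not approved is reported."""
    findings = []
    for path, digest in current.executables.items():
        if path not in baseline.executables:
            findings.append(("new_executable", path))
        elif baseline.executables[path] != digest:
            findings.append(("modified_executable", path))
    for path in baseline.executables.keys() - current.executables.keys():
        findings.append(("removed_executable", path))
    for process, host, port in current.connections - baseline.connections:
        if host not in approved_hosts:
            findings.append(("unapproved_connection", f"{process} -> {host}:{port}"))
    return sorted(findings)


def verify_rollout(fleet: dict, path: str, expected_digest: str) -> list:
    """Names of endpoints where `path` is missing or does not carry the
    digest of the approved build: inspect, do not expect."""
    return sorted(name for name, snap in fleet.items()
                  if snap.executables.get(path) != expected_digest)


# --- constructed sample data (placeholder hosts, not real observations) ---
APPROVED_HOSTS = {"updates.example.internal", "git.example.internal"}

BASELINE = take_snapshot(
    {"/usr/bin/ssh": b"ssh build 9.6", "/usr/bin/curl": b"curl build 8.5"},
    {("curl", "updates.example.internal", 443)},
)
CURRENT = take_snapshot(
    {"/usr/bin/ssh": b"ssh build 9.6",
     "/usr/bin/curl": b"curl build 8.5 with unexpected bytes",
     "/tmp/.cache/helper.bin": b"unknown binary"},
    {("curl", "updates.example.internal", 443),
     ("ssh", "git.example.internal", 22),
     ("helper.bin", "unknown-host.example.net", 443)},
)

# Patch verification across two constructed endpoints: host-b still runs the old curl.
PATCHED_CURL = sha256_hex(b"curl build 8.6")
FLEET = {
    "host-a": take_snapshot({"/usr/bin/curl": b"curl build 8.6"}, set()),
    "host-b": take_snapshot({"/usr/bin/curl": b"curl build 8.5"}, set()),
}

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, CURRENT, APPROVED_HOSTS):
        print(*finding)
    print("curl patch missing on:", verify_rollout(FLEET, "/usr/bin/curl", PATCHED_CURL))
```

<div class="MsoNormal">
Run stand-alone, it reports three findings for the constructed endpoint (a modified curl, a new binary under /tmp, and a connection to a host that is neither baselined nor approved) and names host-b as the machine the curl patch never reached. The connection check is deliberately allow-list driven rather than signature driven: a new destination is reported unless it is known good, which is the posture the three bullets above argue for.</div>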
<div class="MsoNormal">
You know you need an automated system that can efficiently
and cost-effectively allow you to detect infections before your customers
report them, and accelerate recovery procedures to restore a compliant
business. Your peers in other organizations are utilizing endpoint monitoring
tools as a strategic imperative for operating a secure business. If you are not
leveraging endpoint monitoring in your security practice, this should rise to
the top of your priority list for 2015.</div>
Eric<br />
<br />
<b>RSA is approaching - check out firewall analysis vendors</b> (2015-04-01)<br />
<div class="MsoNormal">
Anyone managing their corporate firewalls without the use of
modern analysis tools is committing security malpractice. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Every good security program starts with firewalls and the
ability to control network access to critical resources. However, firewalls are only as effective as
the set of rules defining communication access policies. While it is easy to
know when firewalls block legitimate access to applications - users call up the
service desk and complain - the bigger problem is that it is nigh impossible to
detect when firewall rules inadvertently create broad access to your network.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The risk of inviting security incidents through gaping holes in
your network security is just too great to ignore. Ferreting out holes in your
firewall security requires a thoroughness and attention to detail that only an
automated product can provide. It is asking too much of your best security
expert to find errors of omission and to prove negatives.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The good news is that firewall analysis tools are mature and
are effective. While they are first and foremost security products, you will
find many time saving benefits in helping you manage complex applications,
network reconfigurations, and evolution to virtualized data centers. Any of the
primary vendors will have references that you should talk with to better
understand the benefits.</div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
There are some fine firewall analysis products out there
including (alphabetically) <a href="http://www.algosec.com/">AlgoSec</a>, <a href="http://www.firemon.com/">FireMon</a>, <a href="http://www.solarwinds.com/">SolarWinds</a>, and <a href="http://www.tufin.com/">Tufin</a>. <a href="http://www.redseal.co/">RedSeal</a> and <a href="http://www.skyboxsecurity.com/">Skybox</a>
provide more network path analysis, but are also worth knowing about. If you
have any degree of network complexity, then go get one of these tools now. Consider
it an always-on rule. </div>
Eric<br />
<br />
<b>Last week's security vibes</b> (2013-11-26)
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span style="font-family: Calibri;">It has been quite a while! Let me recap selected security
news from vendors I’ve talked with in the past couple of weeks to get up to
date with current events. In most cases I had to wait for their embargoes to
lift – my apologies if I have announced anything early :)!</span></div>
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span style="font-family: Calibri;"><a href="https://www.paloaltonetworks.com/partners/vmware.html"><strong>Palo Alto Networks and VMware</strong> announce that next generation firewalls from PAN will embrace VMW’s NSX to secure traffic between virtual machines as well as between virtual data centers.</a> </span><span style="font-family: Calibri;">I thought this was great as it allows vCenter to orchestrate application security
policy both within and between perimeters. In the long run, with software
defined networks, security policy will have to travel with the application to
be enforced locally. This agreement nicely positions Palo Alto and <a href="http://www.vmware.com/company/news/releases/vmw-palo-alto-networks-111913.html">VMware to add much needed flexibility in securing applications</a> as they evolve from
physical to virtual to cloud environments. Love this one!</span></div>
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span style="font-family: Calibri;"><strong>NetCitadel </strong>announced <a href="http://www.netcitadel.com/press/new/threat-management-ga/">ThreatOptics </a></span><span style="font-family: Calibri;"><a href="http://www.netcitadel.com/press/new/threat-management-ga/">to enhance an organization’s ability to respond to incidents</a>. What I like about
the vision is that instead of layering analytics on mountains of SIEM data,
NetCitadel kicks off when a network sandbox such as FireEye or Palo Alto Networks
WildFire reports an anomaly. ThreatOptics then reaches out to affected
endpoints with a dissolvable agent to grab detailed host information that it
can then combine with what the network sees to give security organizations better
intelligence to prioritize and respond to incidents. I believe that launching
investigations based on observed suspicious behavior is a concept with impact –
it will be fun to watch NetCitadel run with it!</span></div>
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span style="font-family: Calibri;"><strong>Mojave Networks</strong>, née Clutch Mobile, is stepping beyond mobile
device management to offer a <a href="https://www.mojave.net/features/overview">cloud-based security service for mobile devices</a></span><span style="font-family: Calibri;">.
This makes perfectly intuitive sense to me - as most of the action for mobile and
tablet devices takes place in the cloud that’s where security should be!
Dumping a lot of security apps onto your device can’t be the right approach
with issues of battery life, compatibility with popular applications, and
constant upgrades. I like where Mojave is going and the team they’ve assembled.
I wish they would extend their focus beyond small and medium enterprises to
address larger security concerns of larger enterprises, but the market will
soon speak to that.</span></div>
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span style="font-family: Calibri;"><strong>Adallom</strong> is a freshly
launched company with <a href="http://adallom.com/how-it-works/">a clever idea to protect SaaS applications</a>. It is a tough
problem as IT needs to protect the business, but does not need to get involved
in personal use issues. The Adallom solution piggybacks on the identity process
to audit cloud activity and implements heuristic profiles similar to those that
have proven successful in detecting credit card fraud. The company still needs
to execute, but they have a great idea and experienced leadership so I look for
more from this exciting company as they move forward! </span></div>
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span style="font-family: Calibri;"><strong>Prelert</strong> announced <a href="http://prelert.com/press/releases/Anomaly-Detective-3-Launch.pdf">Anomaly Detective 3.0</a>, a special Splunk
application</span><span style="font-family: Calibri;">
that, based on learning a machine’s and network’s normal behavior, promises to
reduce a high volume of security alerts to an actionable level of incidents. It
is an interesting approach to combat the flood of data and alerts that security
teams now have to deal with. I like Splunk a lot (as do lots of others) partly
because of the balance it strikes in delivering value to both IT and security
operations. It looks like Prelert is going to stick to its security roots, but
the Splunk bandwagon is a good one to hitch onto.</span></div>
Eric<br />
<br />
<b>Happy to be blogging with Computerworld (again)!</b> (2013-10-31)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpaEInAnD2JLBAvRiDjALGhHVp8K7PGnWPHiW7ir9mYK3s96wxmetfuDOkgh9nEPHtsHuAQLy_e0fO2VzcF5eQtVB3Olw1TTBwj09PuZMaUXIOmfVgZcAlADGb0KJjMTrSjEHBvHF12zYW/s1600/computerworld+logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpaEInAnD2JLBAvRiDjALGhHVp8K7PGnWPHiW7ir9mYK3s96wxmetfuDOkgh9nEPHtsHuAQLy_e0fO2VzcF5eQtVB3Olw1TTBwj09PuZMaUXIOmfVgZcAlADGb0KJjMTrSjEHBvHF12zYW/s1600/computerworld+logo.png" /></a></div>
<br />
<br />
<span lang="EN">Every now and then you get lucky enough to be able to correct
an unfortunate decision. For some time I had enjoyed posting my thoughts,
opinions and recommendations on Computerworld’s security blog, building up a
nice following in the process.</span><br />
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span lang="EN">Thanks to the kindness of Computerworld’s editorial team,
who honestly already gets an amazing amount of work done, I have returned to
the beat with weekly contributions. I am looking forward to the coming year and
I hope to see you there!</span></div>
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span lang="EN">The first posting talks about threat reports and I hope you enjoy it:</span></div>
<br />
<div class="MsoNormal" style="margin: 0in 0in 10pt;">
<span lang="EN"><a href="http://blogs.computerworld.com/malware-and-vulnerabilities/22888/finding-goodness-threat-reports">Are you drawing the right conclusions from your favorite security vendor’s 2013 threat report? Some do, but I talk with a lot of security executives that miss the opportunity to use these reports as stimulus to re-examine their security strategies. The importance of threat reports lies in what the trends of user activity mean to your security practices, and not so much in the details of individual threats.</a></span></div>
Eric<br />
<br />
<b>Decision time! Choosing the right firewall analysis approach for you</b> (2013-06-07)<br />
<br />
I am hearing feedback that organizations are checking out Firewall Analysis vendors to save time satisfying firewall change requests and to increase the security quality of each change (e.g. reducing errors that create gaping holes or disrupt application services). These organizations get the operational efficiency benefits, but are unsure whether to prioritize application-oriented Firewall Analysis or threat path-oriented Firewall Analysis, to use terms from my recent <i>Firewall Analysis Saves Time Keeping Application Paths Clear</i> report.<br />
<br />
The answer is very clear: firewalls are in place to secure access to applications. That is job 1. Period. You should be prioritizing your evaluations on application-oriented Firewall Analysis solutions because that is what your business most needs right now and in the coming years. Firewall changes are driven by the demands of users and applications – it is simply practical to align Firewall Analysis criteria to meet these demands.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgajY5hkPmcnOJ_6a_Hbfq2wqRS8srUKOL9Iz_41qaFLkJl2C7L38qzFsiE-nCBkbY9KSg4_bXvcTbMrLsZlbzJ24gWfVjjb5-b3l3WHpUIvjMI0cV1xHElslvgtL0jA4_pVmfNUeG-huE/s1600/which+way.jpg" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgajY5hkPmcnOJ_6a_Hbfq2wqRS8srUKOL9Iz_41qaFLkJl2C7L38qzFsiE-nCBkbY9KSg4_bXvcTbMrLsZlbzJ24gWfVjjb5-b3l3WHpUIvjMI0cV1xHElslvgtL0jA4_pVmfNUeG-huE/s320/which+way.jpg" /></a><br />
<br />
You would think the application-oriented issue would be the thousands of applications organizations need to make accessible to a large mobile user community. And to a certain extent you would be right as users will feel the brunt of application service disruptions. Ironically enough, it is the back-end complexity of applications that causes the security headaches. Applications now consist of connected web servers, databases, application engines, load balancers, and gateways – many of which are transient virtual images, deployed in corporate data centers, or distributed throughout the cloud. Leveraging your understanding of the relationships of the entire application environment in maintenance of firewall rule sets is critical in creating effective rules and in avoiding creating over permissive access which could leave a security hole to critical resources undetected for far too long a time. Application-oriented Firewall Analysis will help you secure the entire application environment and save you considerable administrative time. <br />
<br />
On the other hand, I am not a big fan of threat path analysis as part of a vulnerability management strategy. And I want to be. The premise is that you do not have to patch key vulnerabilities in servers if threats cannot reach those vulnerabilities, or must pass through an IPS in transit. It is a security form of alchemy, sounding obvious and beautiful until you think it through a little bit. No matter how many hops you analyze, attacks are going to defeat pattern-matching security filters and somehow reach a vulnerable server tucked away in the darkest corner of your data center. They always do. And now your threat path analysis is worthless. Can you imagine your CISO telling the board that vulnerability management of sensitive servers was given a low priority because a threat path analysis vendor told him/her that an attack could not reach those servers? Me neither and I have yet to talk with any enterprise security executive that thinks this is a valid approach. Threat path analysis can help you audit your network for security AV and IPS filters, or trace where an attack may have leapt to from an infected server, but will only be able to help you once or twice a year. For vulnerability management however, I don’t buy it and neither should you.<br />
<br />
Just think about what your most common firewall related help desk tickets say. Probably “I cannot access my application” or “My application performance is terrible” top the list. You are probably not getting a lot of requests to leave serious vulnerabilities in critical servers un-patched. If you must go with threat path-oriented vendors, know that you will only use them once a year or so to make sure all network segments pass traffic through security filters. My advice to you is to start with a strategy of application-oriented Firewall Analysis that will protect your business, keep users happy, and save you time every single day.<br />
Eric Ogren<br />
<br />
<b>Webinar: Achieving Continuous Diagnostics & Monitoring</b> (2013-06-04)<br />
<br />
Clear your calendar for tomorrow afternoon's <a href="http://www.forescout.com/news/webcasts/#GSNPresents">ForeScout webinar</a> based on the government's CDM initiative! <br />
<br />
The federal government has created budget for agencies to step up to the challenge of continuous security. I refer to it as continuous compliance, but someone smarter than me saw the potential for a TLA (aka three letter acronym). It is an interesting topic and a good chance to talk about how the network is driving real-time vigilance of the infrastructure. I hope you can listen in at 2:00ET/11:00PT.<br />
<br />
Tomorrow will also be the anniversary of Tiananmen Square's unknown rebel. The cyber-security metaphors are just too good to pass up. I start by thinking of the unknown rebel as a CSO :).<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8BSUhtfLD8k8gQLhc2SDktT_Z9jaG-YeEgYRM701eHbcnu0x2aZNwCwH5jnAK_NuMsucDZzIXMruGSufTDdlN0PspWOqlvH_xC4n9vB2iy8AOdOwIRH622fShNUfHUsP3oFVG6mswgps/s1600/Tiananmen.jpg" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8BSUhtfLD8k8gQLhc2SDktT_Z9jaG-YeEgYRM701eHbcnu0x2aZNwCwH5jnAK_NuMsucDZzIXMruGSufTDdlN0PspWOqlvH_xC4n9vB2iy8AOdOwIRH622fShNUfHUsP3oFVG6mswgps/s320/Tiananmen.jpg" /></a><br />
<br />
Eric Ogren<br />
<br />
<b>Firewall Analysis Saves Time Keeping Application Paths Clear report is out!</b> (2013-05-12)<br />
<br />
The <i>Firewall Analysis Saves Time Keeping Application Paths Clear</i> report is complete and available! <br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmSf8kYeZao_bleM2GCqfg_mFrQF19_n5991Cte57IlNpWLcBF0J5eIdIfbl_MpvgIp0AmPyxmIpbJt8hkLpG-1hDuLjQaKBEdwD-nA1rSkjzrU6eXC0xg7clejcUHibT0JH3ia-1rHs8/s1600/FWA.gif" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmSf8kYeZao_bleM2GCqfg_mFrQF19_n5991Cte57IlNpWLcBF0J5eIdIfbl_MpvgIp0AmPyxmIpbJt8hkLpG-1hDuLjQaKBEdwD-nA1rSkjzrU6eXC0xg7clejcUHibT0JH3ia-1rHs8/s320/FWA.gif" /></a><br />
<br />
Please contact me for more info. The teaser is:<br />
<br />
Firewalls rely on IT-defined rules in allowing authorized application traffic to flow unencumbered between data centers and users while preventing undesirable traffic from entering the corporate network. These rules, which can number in the thousands per firewall, prescribe allow/deny decisions based on sources, destinations, and the services provided. The more complex the network, the more complex the firewall rule sets, and the more likely IT will encounter disruptive side-effects when changing firewall rules to secure application access.<br />
<br />
The primary reason to analyze firewall rule sets is to identify logic errors opening security gaps, violating compliance policies for segmenting regulated data, preventing subsequent rules from firing, or rules becoming obsolete due to changes in business services. This leads to business benefits in managing network complexity such as:<br />
<br />
• Drive operational costs out of making changes to firewall rule sets by reducing errors, automating compliance reporting, and recommending effective rules based on application requirements.<br />
• Accelerate application deployment cycle times by streamlining firewall change processes to a matter of hours.<br />
• Enable an orderly evolution to application-centric security management for next generation firewalls as well as traditional deployed firewalls.<br />
• Model the impact of new rules before a change is approved to protect against errors that could block application paths.<br />
• Maintain a secure audit log of firewall rules changes to document all changes for compliance reporting.<br />
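<br />
A worked illustration of what rule-set analysis actually does, added here and not taken from the report or from any of the vendors it names: the Python below evaluates a constructed rule set with first-match semantics, flags allow rules that admit any service from the whole address space (the broad access the RSA post above says is "nigh impossible" to spot by hand), finds rules shadowed by an earlier rule so that they never fire, and models a proposed change against the application paths that must stay open before the change is approved. Rule names, addresses and required paths are made up.<br />

```python
"""Constructed firewall rule-set analysis, added as an example: it flags
over-permissive allow rules, shadowed rules that can never fire, and models a
candidate rule set against the application paths it must keep open. Not a
vendor product and not Ogren Group code; rules and addresses are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # None means any port


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def _service_covers(outer: Rule, inner: Rule) -> bool:
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.port is None or outer.port == inner.port
    return proto_ok and port_ok


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` could match is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and _service_covers(outer, inner))


def shadowed_rules(rules):
    """(rule, earlier rule) pairs where first-match ordering means the
    later rule never fires, whatever its action."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def over_permissive(rules):
    """Allow rules that accept any service from the whole address space:
    the gaping hole that no help-desk ticket will ever report."""
    return [r.name for r in rules
            if r.action == "allow" and _net(r.src).prefixlen == 0
            and r.proto == "any" and r.port is None]


def decide(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation with an implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in _net(r.src) and d in _net(r.dst)
                and (r.proto == "any" or r.proto == proto)
                and (r.port is None or r.port == port)):
            return r.action, r.name
    return "deny", "implicit-default"


def blocked_paths(rules, required_paths):
    """Names of required application paths a rule set would not allow:
    run this on a proposed change before it is approved."""
    return [name for name, s, d, proto, port in required_paths
            if decide(rules, s, d, proto, port)[0] != "allow"]


# --- constructed sample rule sets (documentation and private ranges only) ---
CURRENT_RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "10.1.1.0/24", "tcp", 443),
    Rule("dmz-any", "allow", "0.0.0.0/0", "10.1.0.0/16"),        # far too broad
    Rule("app-to-db", "allow", "10.1.1.0/24", "10.2.2.10/32", "tcp", 5432),
    Rule("web-in-dup", "allow", "198.51.100.0/24", "10.1.1.0/24", "tcp", 443),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]
# A proposed change that removes dmz-any but inserts a deny above app-to-db.
PROPOSED_RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "10.1.1.0/24", "tcp", 443),
    Rule("no-dmz-to-db", "deny", "10.1.0.0/16", "10.2.0.0/16"),
    Rule("app-to-db", "allow", "10.1.1.0/24", "10.2.2.10/32", "tcp", 5432),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]
REQUIRED_PATHS = [
    ("internet-to-web", "203.0.113.5", "10.1.1.20", "tcp", 443),
    ("web-to-db", "10.1.1.20", "10.2.2.10", "tcp", 5432),
]

if __name__ == "__main__":
    print("over-permissive:", over_permissive(CURRENT_RULES))
    print("shadowed:", shadowed_rules(CURRENT_RULES))
    print("proposed change blocks:", blocked_paths(PROPOSED_RULES, REQUIRED_PATHS))
```

On the constructed set the checks find dmz-any as the hole, web-in-dup as a rule that web-in already covers, and, for the proposed change, that the new deny placed above app-to-db shadows it and would break the web-to-db path. That last result is the point of modelling before approval: the change closes the hole but would generate exactly the "I cannot access my application" ticket described above.<br />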
<br />
Firewalls connect businesses to the Internet, and they are the one security technology that truly enables a stronger business by securing application paths to users. The Ogren Group believes it is critically important for organizations to apply technology to help manage accuracy and instill a change process to control operating costs with increasing complexity in networks and firewall rule sets.<br />
<br />
It is far from certain that firewall analysis will be more than a niche market with room for multiple vendors. Firewall analysis vendors are branching into application security motivated by next generation firewall concepts, enterprise security management to reduce operational costs, and threat assessment based on path analysis. <i>The Ogren Group applauds AlgoSec, SolarWinds and Tufin for their vision and execution in Firewall Analysis.</i> <br />
<br />
In this report, the Ogren Group presents the features, life cycle, and market strategy of Firewall Analysis. The report concludes with recommendations for vendors and the enterprise buyers they covet.<br />
Eric Ogren<br />
<br />
<b>Early Vibe: Skyhigh Networks</b> (2013-03-20)<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUGvxy8vXWJneItbE8LAF53XB9-eLjw4T9CsL241i-AG6KnHe5s7vcy05nTV3LE7oJDDlwpyf-JSjtSOQkJ-StFSheSLW3MyztbNYec5xnjlq0uFkyww3G0O96gYvlp-yAG4eF2qoKG9c/s1600/skyhigh.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUGvxy8vXWJneItbE8LAF53XB9-eLjw4T9CsL241i-AG6KnHe5s7vcy05nTV3LE7oJDDlwpyf-JSjtSOQkJ-StFSheSLW3MyztbNYec5xnjlq0uFkyww3G0O96gYvlp-yAG4eF2qoKG9c/s320/skyhigh.png" /></a><br />
I was very impressed with this year’s RSA Conference – not only was the energy level of 24,000 attendees up over previous years, but I also witnessed more innovation on the exhibition floor than I had seen for a very long time. One of the companies I enjoyed talking with, thanks to a tip from my friend Rich B., was Skyhigh Networks. Skyhigh launched on the Monday of RSA so they get the prize for my earliest Early Vibe ever!<br />
<br />
Skyhigh offers a subscription service based on firewall logs to identify cloud services accessed from within the network. Most companies have no visibility, and thus no control, over the cloud applications users access from within the corporate network. I find IT usually knows personal use of email, social sites, and data storage is happening, but IT is often stunned when they learn the magnitude of the usage. And of course, there are always the security benefits of detecting use of unauthorized applications, checking out security reputations of applications that are used for the first time, planning training needs for secure use of cloud apps, and prioritizing heavily used applications for renewal negotiations. <br />
<br />
My understanding of how it works is that firewall log data is delivered up to the cloud, where Skyhigh matches addresses with domains and applications within domains (e.g. granularity for Salesforce or Facebook apps), and security gets a lovely dashboard of cloud application usage patterns. Skyhigh has a cool idea to offer analysis of cloud applications and user behavior as a service, which gives Skyhigh a ton of flexibility to deliver new security applications.<br />
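<br />
To make that mechanism concrete, here is an added Python example (mine, not Skyhigh's and not Ogren Group code) that performs the same kind of matching on a constructed firewall log: it parses key=value records, maps each destination host to an application by longest domain suffix (so apps.facebook.com can be classified more finely than facebook.com), tallies distinct users, sessions and bytes sent per application, and lists non-sanctioned applications and never-before-seen destinations for review. The log format, the catalog and the traffic are all constructed.<br />

```python
"""Constructed example of cloud-service discovery from firewall logs, the
kind of analysis the post attributes to Skyhigh. The log format, catalog and
traffic are all made up; this is not Skyhigh's code or Ogren Group code."""
import re

# Constructed key=value firewall log lines (one allowed outbound session each).
FIREWALL_LOG = """\
2013-03-04T09:12:01Z src=10.0.0.5 user=alice dst=login.salesforce.com dport=443 bytes_out=18233 action=allow
2013-03-04T09:13:44Z src=10.0.0.9 user=bob dst=www.facebook.com dport=443 bytes_out=2048 action=allow
2013-03-04T09:15:02Z src=10.0.0.5 user=alice dst=apps.facebook.com dport=443 bytes_out=512 action=allow
2013-03-04T09:20:19Z src=10.0.0.12 user=carol dst=share.filebin.example dport=443 bytes_out=95000000 action=allow
2013-03-04T09:31:57Z src=10.0.0.9 user=bob dst=login.salesforce.com dport=443 bytes_out=4096 action=allow
2013-03-04T09:40:08Z src=10.0.0.30 user=dave dst=www.example.org dport=80 bytes_out=300 action=allow
this line is not a firewall record and must be skipped
"""

# Constructed catalog: registered domain (or a more specific host) ->
# (application, category, status). The longest matching suffix wins, which
# is how apps.facebook.com gets finer granularity than facebook.com.
CATALOG = {
    "salesforce.com": ("Salesforce", "crm", "sanctioned"),
    "facebook.com": ("Facebook", "social", "personal"),
    "apps.facebook.com": ("Facebook Apps", "social", "personal"),
    "filebin.example": ("FileBin", "storage", "unsanctioned"),
}
UNKNOWN = ("unknown", "unknown", "unreviewed")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one record, or None when the fields we
    need are absent (malformed or unrelated lines are dropped, not guessed)."""
    fields = dict(_KV.findall(line))
    if not all(k in fields for k in ("user", "dst", "bytes_out")):
        return None
    fields["bytes_out"] = int(fields["bytes_out"])
    return fields


def classify(host, catalog=CATALOG):
    """Map a destination host to (app, category, status) by longest suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels)):            # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in catalog:
            return catalog[suffix]
    return UNKNOWN


def summarize(log_text, catalog=CATALOG):
    """Per-application usage: distinct users, sessions and bytes sent out."""
    usage = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        app, category, status = classify(rec["dst"], catalog)
        entry = usage.setdefault(app, {"category": category, "status": status,
                                       "users": set(), "sessions": 0, "bytes_out": 0})
        entry["users"].add(rec["user"])
        entry["sessions"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    for entry in usage.values():
        entry["users"] = sorted(entry["users"])
    return usage


def shadow_it(usage):
    """Applications that are not sanctioned, largest outbound volume first:
    the list to review for reputation, training and renewal decisions."""
    return sorted(((app, e["status"], e["bytes_out"]) for app, e in usage.items()
                   if e["status"] != "sanctioned"), key=lambda t: -t[2])


def unreviewed_hosts(log_text, catalog=CATALOG):
    """Destinations the catalog has never seen: first-time use to vet."""
    hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec["dst"], catalog) is UNKNOWN:
            hosts.add(rec["dst"])
    return sorted(hosts)


if __name__ == "__main__":
    usage = summarize(FIREWALL_LOG)
    for app, entry in usage.items():
        print(app, entry)
    print("review:", shadow_it(usage))
    print("never seen before:", unreviewed_hosts(FIREWALL_LOG))
```

The volume ordering in shadow_it is what surfaces the "magnitude" surprise the paragraph above describes: on the constructed log the unsanctioned storage service carries orders of magnitude more outbound bytes than the social sites, and www.example.org shows up as a destination nobody has reviewed yet.<br />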
Eric Ogren<br />
<br />
<b>Network Access Control: A Strong Resurgence is Underway</b> (2013-03-11)<br />
<br />
Security analyst firm the Ogren Group today released its vendor market forecast and market analysis security report <i>Network Access Control: A Strong Resurgence is Underway</i>.<br />
<br />
To buy Ogren Group Security Reports or reprint rights please send mail to eric@ogrengroup.com.<br />
<br />
<b>Analyst Comment</b><br />
<br />
The ability to detect and characterize users and devices connecting to the network, and to enforce security policies based on real-time assessments, is a huge benefit for enterprises requiring security and compliance for mobile users. The NAC roots of segmenting guests and unhealthy endpoints from sensitive data are fueling growth with BYOD and wireless initiatives, along with demands for continuous endpoint compliance. <br />
<br />
The NAC market has not only revived, but is experiencing a strong resurgence - the Ogren Group estimated the market for Network Access Control products and services was $392 million in 2012, and predicts it will grow at a 22% CAGR to $1,061 million by 2017. <b>Cisco</b>, <b>ForeScout</b>, and <b>Juniper</b> combined represent over 70% market share and are the clear leaders in the NAC market.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6GUlKZhjslGEa2VDWY98iVLuqhijlUdE9LZUSyPHvrIe3prwbhz85JDWuhxrUhg2sRYJ74uXOz48exENzmcsuezEXV5mEq0AbbjYakVK2JIB_jmFlzyTc-EqO9tisgNo4gWJT1F9Pz6g/s1600/NAC+Market+Forecast.gif" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6GUlKZhjslGEa2VDWY98iVLuqhijlUdE9LZUSyPHvrIe3prwbhz85JDWuhxrUhg2sRYJ74uXOz48exENzmcsuezEXV5mEq0AbbjYakVK2JIB_jmFlzyTc-EqO9tisgNo4gWJT1F9Pz6g/s320/NAC+Market+Forecast.gif" /></a><br />
<br />
<b>Security Report Summary</b><br />
<br />
The Ogren Group interviewed major vendors and security officers at large organizations in examining the Network Access Control market. This Security Report presents the features, market strategy, future directions, and recommended vendors for NAC. In addition to Cisco, ForeScout, and Juniper, the Security Report also profiles Aruba, Bradford, StillSecure, and TrustWave. The report structure is:<br />
<br />
Executive Summary<br />
Overview<br />
Economic Drivers of NAC Resurgence<br />
Technical Drivers of NAC Resurgence<br />
Noteworthy NAC Features<br />
Noteworthy NAC Weaknesses<br />
Selected Vendor Profiles<br />
Network Infrastructure Vendors<br />
Software Infrastructure Vendors<br />
Independent Vendors<br />
Niche NAC Vendors<br />
NAC Roadmap <br />
Conclusions<br />
Enterprise Recommendations<br />
Vendor Recommendations<br />
Directions and Predictions<br />
<br />
<b>Upcoming Ogren Group Research in 2013</b><br />
<br />
<i>Firewall Analysis: Keep Application Paths Clear<br />
Endpoint Security Advances: Protect Un-trusted Systems<br />
BYoD: Security Answers the Bell<br />
Incident Response Strategies: Detect and Act!<br />
Virtualization Impact on Security: Is It a Game Changer?<br />
Spotlight on Threat Intelligence: Get a Head Start on Threats<br />
</i>Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com2tag:blogger.com,1999:blog-4255193939909462606.post-33241701189104161902013-02-12T14:43:00.003-05:002013-02-12T14:43:40.243-05:00Security Training? Seriously.It is no secret that many CSOs acknowledge the inevitability of attacks penetrating security defenses. You are all challenged with enabling the user community to participate in security and to make healthy security decisions on their own. Continuous training of end users on the latest security issues should be a fundamental element of every security strategy to ward off security incidents.<br />
<br />
According to Wombat Security, 48% of organizations report difficulty in funding security training programs and 44% report difficulty encouraging employees to take security seriously. This is an unacceptable position in these days of mobile and cloud computing that places so much of the business beyond the protective reach of your IT and security teams.<br />
<br />
Perhaps it is time for organizations to re-think their approach to security training. It is not a matter of sitting through an annual seminar lecture, or being forced to read policy documents and sign security pledges. CSOs want business users engaged and productive, and integrating security training with broader employee education is consistent with that mission. With that in mind, here are three thoughts that may help you with a security training program.<br />
<br />
1. Work with applications teams and human resources to embed security awareness into the business. Users are just not into security training for security's sake. For instance, training for a cloud-based application could include a few modules on mobile security. Users learn how to do their business better and improve their security awareness too! <br />
<br />
2. Design metrics into the security training program. Your executive team will want to know how an investment in security training will help manage risk and drive the business - so build in measurements to help manage the program! For example, compare security trained and un-trained users on the ability to recognize phish messages, redirections to rogue websites, risky applications, etc. You should expect that trained users will be less apt to be duped by new threats.<br />
<br />
3. Include a few security best practices that are designed for home use. Face it, most of your user base has families with a younger generation that uses apps your employees know little about. Including security awareness tips designed for home appeal may provide additional incentive for your users to learn a bit more about security issues. <br />
<br />
Finally, be careful about relying too heavily on “test moments”, where you capitalize on a security incident as justification to drive home security messages. While these are important, and you need to help users understand what they may have done more securely, you also want to keep your focus ahead of the curve and next attack.<br />
<br />
Good luck!<br />
Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com1tag:blogger.com,1999:blog-4255193939909462606.post-35053958799358081442012-08-22T17:56:00.000-04:002012-08-22T17:56:10.545-04:00Bringing secure workspaces to USBsKingston Digital has successfully applied its pedigree in flash memory products to become one of the leading suppliers of cryptographically secure USB devices. Its DataTraveler product line starts at a basic personal-use level, and then extends up to a full FIPS 140-2 Level 3 certified device. Each release of a USB device undergoes third party security penetration testing to help ferret out vulnerabilities before customer deployment.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4NZUXlbxRaz0Nb6IoTWIXSsWdmeukQIeHi-BgHx-fSjXir5Sto-3gVL6cHMIA1QCr-kLv9_GYe90QlP7tUpFbNAhQIe9g025EHm6bVe0j12IVxtCva_Serj2YjOS7t0SIWWYdjyooTus/s1600/Kingston.jpg" imageanchor="1" style="clear:right; float:right; margin-left:1em; margin-bottom:1em"><img border="0" height="125" width="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4NZUXlbxRaz0Nb6IoTWIXSsWdmeukQIeHi-BgHx-fSjXir5Sto-3gVL6cHMIA1QCr-kLv9_GYe90QlP7tUpFbNAhQIe9g025EHm6bVe0j12IVxtCva_Serj2YjOS7t0SIWWYdjyooTus/s200/Kingston.jpg" /></a></div><br />
The real thing I like, and yes I have yet again buried the lede, is <a href="http://www.kingston.com/us/company/press/article/6021">Kingston’s partnership with Microsoft</a> to put a manageable Windows To Go on a USB. This is a pretty cool evolution. I’ve always been a big fan of a secure workspace solution on a USB for remote access – operating system, VPN client, storage, and authentication – such as <a href="https://www.checkpoint.com/products/go/">Check Point GO</a> or the <a href="http://www.imation.com/en-US/Forms/Imation-Enterprise-Powered-By-IronKey-2/?OM_Ad_Source__c=google&OM_Ad_Type__c=PaidSearch&OM_Ad_Keyword__c=ironkey%20usb%20drive&OM_Ad_Version__c=IronKey-Text&OM_Ad_Campaign__c=Branding_USA_Search&OM_Effort__c=TRUE">Imation IronKey</a> offering. This new capability with Microsoft has the potential to cut IT support costs for mobile workforces and give IT choices in Windows deployment models. <br />
<br />
One of the big hurdles with secure workspaces is phoning home for software updates and configuration changes. MokaFive was an early pioneer in the use of the cloud to update virtual images. With the Microsoft partnership I expect Kingston to offer management through Active Directory services. Perhaps integrating with VDI in a box products from folks like <a href="http://www.citrix.com/English/ps2/products/product.asp?contentID=2316437">Citrix VDI in a Box</a>, <a href="http://www.panologic.com/solutions-quickstart">Pano Logic Quickstart </a>or <a href="http://www.vmware.com/products/view/overview.html">VMware View </a>will give USB form factors more traction in small and medium businesses – we’ll see! But for now I like the evolution of virtual workspaces from solving remote access security requirements to reducing desktop support costs.<br />
Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com0tag:blogger.com,1999:blog-4255193939909462606.post-12458489042319328462012-07-13T16:29:00.003-04:002012-07-13T16:30:00.220-04:00Recommending ShareFileThis week I gained more experience than I really wanted in using file sharing services. Fortunately, <a href="http://www.sharefile.com">ShareFile by Citrix</a> saved the day for me after a few other approaches did not work at anything more than wasting my time. Thanks to them I was able to get a large file - greater than Gmail's 25 MB size limit - to a client before my deadline!<br />
<br />
I was recording the audio track of a <i>Putting Compliance to Work in a Virtualized World</i> webcast for TechTarget on my iPad. The WavePad software generated a 32 MB MP3 file that I then had to deliver to Mr. Parizo (who performed some editing before posting it behind a registration page for TechTarget subscribers). I have to admit that I am a complete klutz when it comes to using new tools - my brain has become finely tuned at always choosing the wrong options and I had a lot of issues with poor user interfaces from other products.<br />
<br />
<br />
But let's focus on how to do it right. I loved the <a href="https://www.sharefile.com/">ShareFile</a> experience. A simple registration page got me started, using the "browse files" button to upload my MP3 was a snap, and the simple shortened link supplied for me was the perfect thing to mail off. Citrix also followed up with a personalized note offering support if needed and a <a href="https://ogrengroup.sharefile.com">customized login screen</a>. I shouldn't be surprised based on my GoToMeeting experiences, but the ease of use and the high level of service really set ShareFile apart. In any event, my client was able to download the MP3 file and we were off and running. I'm guessing the whole process took less than 30 minutes. This is the way cloud apps should be - if you are looking at sharing files without clogging up mailboxes, then check out ShareFile.<br />
<br />Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com0tag:blogger.com,1999:blog-4255193939909462606.post-75791097087348729962012-07-03T11:11:00.001-04:002012-07-10T11:55:33.559-04:00Become Flame Retardant: Blend Defense LayersIt surprises me that there is not a greater sense of concern across the security industry, as the ramifications of the Flame malware attack become clearer. This attack strikes at the very tenets of traditional security practices – weaknesses in anti-virus processing, trust chains of certificates, and tardiness in patching. The following ideas were refined during interesting discussions with <a href="https://www.bit9.com/blog/2012/06/19/the-undetectables-how-flame-highlights-the-failure-of-antivirus/">Bit9</a>, <a href="http://www.venafi.com/flame-malware-attack-vector-md5-certificates-compromise/">Venafi</a>, and enterprise friends who wish to remain anonymous.
By now, most of you have read <a href="http://www.wired.com/threatlevel/2012/06/internet-security-fail/">Mikko Hypponen’s heartfelt account of AV being torched by Flame</a>, even though all of the detection signs were there. One of the sustaining worries about targeted attacks such as Flame is that their developers can be highly confident the attack will pass under the radar of AV researchers: there is no widespread outbreak, the malware carries its own communications capability, and it lies dormant for a while so the attack code can spread before anyone looks. AV companies see millions of new samples per day (!) and must use automated triage filters to reduce the number passed on to skilled humans. It is unreasonable to expect humans to lay eyes on every single malware sample, and the malware industry designs targeted attacks knowing they will slip through the filters. Organizations with whitelisting products – especially on external-facing servers – report resilience to Flame. You are missing a key element of a defense-in-depth strategy if you are not using whitelisting. If nothing else, sprinkle whitelisting on a sample of endpoints so you can detect infections and drift out of compliance by comparing machines against the whitelist-established baselines.
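A minimal version of the baseline comparison the last sentence describes, added here as an illustration and not code from the post or from Bit9: hash every file under an application directory once, keep the result as the approved whitelist, and re-scan to report what was added, removed or modified. The directory, its files and the simulated tampering are all constructed inside the script, so it runs offline. Commercial whitelisting also blocks execution of anything not on the list; this script only does the detection half.

```python
"""Added example: a file-hash baseline used as a lightweight whitelist / drift detector.

Everything here is constructed for illustration; the "application" directory is a
temporary folder and the "infection" is simulated.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative_path: sha256} for every regular file under root.

    In a real deployment this comes from a known-good image and is stored where the
    endpoint cannot rewrite it; here it is simply computed in place.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # a symlink's target is hashed under its own path
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def detect_drift(baseline, root):
    """Re-scan root and report every difference from the approved baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo():
    """Constructed end-to-end run: baseline a fake app, simulate a compromise, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        approved = {
            "bin/app": b"approved build\n",
            "bin/helper": b"approved helper\n",
            "config.ini": b"[main]\nupdates=on\n",
        }
        for rel, content in approved.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(content)
        baseline = build_baseline(root)

        # Simulated infection: tamper with one binary, drop a new module, delete a config.
        with open(os.path.join(root, "bin", "helper"), "ab") as fh:
            fh.write(b"injected payload\n")
        with open(os.path.join(root, "bin", "dropped.so"), "wb") as fh:
            fh.write(b"unknown code\n")
        os.remove(os.path.join(root, "config.ini"))

        return detect_drift(baseline, root)


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the drift report, or call build_baseline() against a gold image and detect_drift() on each endpoint. Keep the baseline off-host or signed: a compromised machine can rewrite any baseline it is allowed to write to.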
Certificates form the foundation of identity trust. I call this the circles of paranoia – something like, “this authority confirms that this person is who they say they are, and this other authority confirms that the first authority can be trusted, and … ah, the heck with it – they can’t all be lying, can they?” Well, if you have based your trust model on MD5-signed certificates, then they can be lying. Flame exploited an MD5 collision to forge a certificate that chained to Microsoft, allowing a rogue software update facility to appear as a trusted Microsoft service. Because the chain checked out, no network- or host-based scanner had anything to flag in that malicious communication. IT teams need to ferret out MD5-signed certificates, and especially the applications and internal CAs that still issue them, and move to the SHA-2 family (SHA-256 or stronger). Assume even the internal-facing applications are at risk. In fact, Flame provides great incentive to re-examine certificate management policies with an eye to shortening certificate lifecycles – a forged certificate that expires sooner makes any collision attack less attractive.
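One way to ferret out MD5-signed certificates, added here as an example and not code from the post, Venafi or Microsoft: read the signatureAlgorithm OID out of each certificate's DER encoding and flag the MD2, MD5 and SHA-1 algorithm identifiers. The parser below is a hand-written DER walker so it needs only the standard library; the certificates it scans are constructed stubs (build_stub_cert) whose outer structure is valid X.509 but whose body and signature are dummies. Check every certificate in a chain, not just the leaf: a SHA-256 leaf issued under an MD5-signed intermediate is still an MD5 problem.

```python
"""Added example: flag certificates whose signatureAlgorithm is MD2, MD5 or SHA-1.
Hand-written DER walker, standard library only; the certificates scanned here are
constructed stubs (build_stub_cert), not real certificates."""
import base64
import re

# Signature algorithm OIDs that should not appear anywhere in a trusted chain.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
KNOWN_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    **WEAK_SIGNATURE_OIDS,
}


def read_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_bytes, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_bytes)


def assess(der):
    """Classify one DER certificate -> ('WEAK' | 'OK', algorithm name, oid)."""
    oid = signature_algorithm(der)
    verdict = "WEAK" if oid in WEAK_SIGNATURE_OIDS else "OK"
    return verdict, KNOWN_OIDS.get(oid, "unknown"), oid


def scan_pem_bundle(text):
    """Assess every certificate in a PEM bundle (chain file, truststore dump)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [assess(base64.b64decode("".join(b.split()))) for b in blocks]


# ---- constructed test data: minimal DER encoder and a stub certificate ----
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                   # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_stub_cert(sig_oid):
    """Constructed stand-in: real X.509 outer shape, dummy body, all-zero signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                     # dummy tbsCertificate
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL params
    signature = _tlv(0x03, b"\x00" + bytes(16))                                # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg_id + signature)


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


if __name__ == "__main__":
    bundle = to_pem(build_stub_cert("1.2.840.113549.1.1.4")) + to_pem(build_stub_cert("1.2.840.113549.1.1.11"))
    for verdict, name, oid in scan_pem_bundle(bundle):
        print(verdict, name, oid)
```

In practice you would feed scan_pem_bundle() a dump of a truststore or keystore, or get the same answer from openssl x509 -noout -text and the Signature Algorithm line; the hand-rolled parser is here to show exactly which field matters and that nothing else in the certificate is consulted.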
Finally, and I seem to say this with every new attack, the best course of action is to close vulnerabilities with timely patching. It has been more than a decade since I collaborated with <a href="http://www.qualys.com/docs/Laws-Report.pdf">Qualys on the Laws of Vulnerabilities</a>, and it seems that the half-life of a vulnerability curve is resistant to flattening (meaning the time to patch systems isn’t improving much). Patch technology has vastly improved – check out <a href="http://www.lumension.com/vulnerability-management/patch-management-software.aspx">Lumension</a> or <a href="http://www.eeye.com/products/retina">eEye</a> to complement Microsoft’s Windows Update Services. And if modifying a production application is unappealing, then <a href="http://www.trendmicro.com/us/enterprise/challenges/cloud-virtualization/virtual-patching/index.html">Virtual Patching from Trend Micro </a>may be the answer for you, or heck periodically replace whole images with updated copies via application virtualization from people like Citrix and VMware.
The bottom line is that committed attackers will always be able to defeat AV scanners, so finding other approaches to closing vulnerabilities or blocking attack execution is the pragmatic course. Refreshing images and certificates is also worth investigating.Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com1tag:blogger.com,1999:blog-4255193939909462606.post-56966534807571922542012-06-27T12:07:00.001-04:002012-06-27T12:07:28.674-04:00Brian Prince's eWeek article on MS Surface
Microsoft's Surface is sure to have an impact for organizations looking to empower mobile workers with Windows applications. The BYOD revolution will challenge every security team - especially those wishing to exert control. You can read my quotes on the BYOD trend <a href="http://www.eweek.com/c/a/Mobile-and-Wireless/Microsoft-Surface-Tablet-Adds-Urgency-to-Defining-Enterprise-BYOD-Polices-370577/">here</a>.Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com0tag:blogger.com,1999:blog-4255193939909462606.post-26773212272887400822012-06-22T13:52:00.000-04:002012-06-22T13:52:25.704-04:00BYOD - unchaining the workforce<a href="http://www.fortinet.com">Fortinet</a> briefed me earlier this week on the worldwide BYOD survey they conducted. BYOD is getting a lot of airtime this year and I have honestly been a fan of BYOD for decades if you consider a home PC with a dial-up modem to be a computing device sharing personal and professional uses. I’m not even sure the trend should be called Bring Your Own Application. Sure, the virtualization people love that, but it does not capture the spirit of being able to access applications from anywhere, whenever it is most convenient. There is no question that mobile devices – phones and tablets – are driving the trend along with the easy availability of cloud-based applications. But for now let me stick with BYOD.
Anyway, Fortinet does a lot of really good security things in high performance devices. The BYOD trend truly amplifies the need for next generation application security in the network which aligns with Fortinet’s business. It certainly makes sense – you cannot expect a personal device to have all of the security protections that an IT-controlled PC would have. Organizations should be looking at next-gen capability to help free the workforce.
The survey of 3872 people between the ages of 20 and 29 was pretty interesting. I loved the fact that 66% of respondents selected “I am ultimately responsible” when questioned about the security of their personal device used for business. That is a healthy response and, correlating with questions about data and application security, encourages me that new approaches to security that maintain user freedoms will be well received. I also liked how Fortinet articulates how personal and business lives remain largely separated (40% chose this first) with social networking applications, but drops as the applications become more focused (email at 23%).
My least favorite question was “Of the following what do you think are the greatest risks TO YOUR ORGANISATION if you use your own devices in work, or for work?” The leading response at 46% was “Potential for greater time-wasting on personal activities during work hours”. To me, this is not the job of security, cannot be a compelling purchase criterion for security, and the thought of positioning security as cracking down on users scares me. I was surprised that only 42% chose “Potential for greater exposure to IT threats and the theft/loss of confidential data” – I expected that to be number one.
A thought-provoking survey by Fortinet – always a good thing!Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com0tag:blogger.com,1999:blog-4255193939909462606.post-12944328855414998862012-06-19T10:50:00.001-04:002012-06-19T10:50:23.051-04:00ForeScout offering an enlightened NAC commentaryFrom Day One I felt that NAC was terribly positioned as a "lock out bad guys" technology. To me it has always been an "automate endpoint protection" technology that would appeal to companies of all sizes. Back in the day this was the excitement I felt when talking with Mitchell from StillSecure, Stacy from InfoExpress, and the Arvin/Irene/Rohit triumvirate at Perfigo. Unfortunately, somewhere along the way the NAC vendors all started tilting at the absolutely wrong windmills.
I am pleased to say that NAC is now doing much better, and is sorting itself out - I would peg the segment at about $300M in 2012 revenues. One of those vendors that figured it out is ForeScout that has been doing quite well thanks to unique technology, focus on security automation, inclusion of mobile devices, and enthusiastic customer references. You can read a bit of what I think about ForeScout <a href="http://blog.forescout.com/blog/bid/144782/Everything-you-always-wanted-to-know-about-Endpoint-Compliance-but-were-afraid-to-ask?Preview=true">here</a>!Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com1tag:blogger.com,1999:blog-4255193939909462606.post-37543372165071095822012-06-14T09:44:00.004-04:002012-06-14T09:44:31.101-04:00TechTarget security video reaches outSometimes threads just come together at opportune times. Earlier this week my friend Liz was asking me how many followers I had for my Security Vibes blog. My answer was that I didn’t know - I don’t check because my work tends to get around to the right people just fine. A day later I receive this nice email from John at Hirsch Identive (reprinted below without permission, but I don’t think he’ll mind :^). It refers to a video I shot for TechTarget’s security university a few months ago where I mention that NAC is a much better control technology than blocking technology with some interesting events coalescing around IF-MAP.
I know I need to be better at tracing where my stuff appears and publishing links. I’ll get started on that Monday!
<blockquote>Eric:
I just viewed a video clip at inxpo.com in which you discuss the current state of NAC. I perked up when you brought up the TCG IF-MAP standard as one of the more promising means of deploying effective NAC solutions.
Hirsch Identive is possibly the only physical security member of TCG, and we have implemented IF-MAP as part of our offering. We publish our events (persons swiping cards at doors, etc.) to an IF-MAP server, making a person’s presence a piece of IF-MAP metadata. Compliant systems and devices can then subscribe to those events. The first use case we have identified is NAC, and both Juniper Networks and Enterasys NAC solutions can subscribe to our events and add physical presence as a policy in granting access to network resources. We see this as a real-world example of the long-awaited “convergence” of physical and network security.
We have learned that when it comes to convergence, technology providers are sometimes ahead of customers, and are always looking for ways to reach out beyond our usual physical security customer base for feedback on these kinds of concepts. I recognize that you must be very busy, but since you seem to be finely attuned to the topic, I was hoping to get your thoughts on the feasibility in the real world. If you have a few minutes, I would appreciate your thoughts. I have provided a <a href="http://hirsch-identive.com/sites/default/files/resources/IFMAP%20White%20Paper%20OCT2011.pdf">link to a whitepaper </a>that covers the topic from a physec point of view.
Thanks so much for your time and regards,</blockquote>Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com0tag:blogger.com,1999:blog-4255193939909462606.post-66909838214195935252012-06-06T13:43:00.000-04:002012-06-06T13:43:24.803-04:00Tufin celebrates IPv6 DayTufin has chosen IPv6 Day to announce the availability of the latest release of the Tufin Security Suite. The key feature of the R12-3 release is support for IPv6 addresses, and the ability to manage firewall rule sets that mix IPv4 and IPv6 access control specifications. It turns out that this is a big deal: the migration to IPv6 will take years, and for all of that time networks will run both families side by side, so it is critical that IT start with security tools that can handle the long IPv6 hex addresses alongside the standard IPv4 addresses in the same policy. Good job by Tufin in taking the leadership position.
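To make the dual-stack point concrete, here is an added example (not Tufin code) of a tiny first-match policy evaluator over a constructed rule set that mixes IPv4 and IPv6 entries. It shows the two things a rule analyser must get right once both families live in one policy: compare addresses only against rules of the same family, and canonicalise IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, the form in which IPv4 clients show up in many dual-stack socket APIs and logs) so an IPv4 deny is not sidestepped by the same host written in IPv6 notation. The rule syntax and the POLICY list are my own assumptions for the example.

```python
"""Added example: evaluate one firewall policy that mixes IPv4 and IPv6 rules.

The rule syntax ("action network port") and the POLICY below are constructed for
this illustration; they are not Tufin's rule format.
"""
import ipaddress


def parse_rule(spec):
    """'deny 192.0.2.0/24 any' -> {'action': 'deny', 'net': IPv4Network, 'port': None}."""
    action, network, port = spec.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return {
        "action": action,
        "net": ipaddress.ip_network(network, strict=False),
        "port": None if port == "any" else int(port),
    }


def canonical(addr):
    """Parse a textual address the way the policy should see it.

    - strip an IPv6 zone id (fe80::1%eth0) before parsing
    - unwrap IPv4-mapped IPv6 so 192.0.2.7 and ::ffff:192.0.2.7 are the same host
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def evaluate(rules, addr, port, default="deny"):
    """First-match evaluation; a rule applies only within its own address family."""
    ip = canonical(addr)
    for rule in rules:
        if rule["net"].version != ip.version:      # never compare v4 against v6 prefixes
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        if ip in rule["net"]:
            return rule["action"]
    return default


# Constructed policy: an IPv4 deny, an IPv4 SSH allow and an IPv6 HTTPS allow.
POLICY = [parse_rule(r) for r in (
    "deny 192.0.2.0/24 any",
    "allow 10.0.0.0/8 22",
    "allow 2001:db8::/32 443",
)]

if __name__ == "__main__":
    for addr, port in (("192.0.2.7", 80), ("::ffff:192.0.2.7", 80),
                       ("2001:db8::10", 443), ("fe80::1%eth0", 443)):
        print(f"{addr:>20} :{port} -> {evaluate(POLICY, addr, port)}")
```

Without the canonical() step the second test address would fall through to the default because ::ffff:192.0.2.7 is an IPv6Address and the IPv4 deny would be skipped; that is exactly the kind of cross-family gap a rule analyser has to surface when a policy mixes both notations.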
You can read more of what I think about this <a href="http://www.tufin.com/blog/2012/06/06/fdfedcba9876220ecfffee42ee6/">here</a>.Eric Ogrenhttp://www.blogger.com/profile/12401647238457809070noreply@blogger.com0