Ogren Group Security Vibes

AlgoSec introduces firewall management for virtualized environments

2011-12-30T16:03:00.000-05:00

AlgoSec, Tufin and Firemon are the Big 3 for firewalls rules management with a few others (Skybox and Athena to name a couple) starting to catch on. AlgoSec has hired a really good marketing director who will have a noticable impact. Sam Erdheim's work started with this AlgoSec press release supporting virtual environments.

“The dynamic nature of virtualization, especially the rapid provisioning of new applications and desktops across data centers, presents a new set of security challenges for IT organizations,” said Eric Ogren, principal analyst of the Ogren Group. “Firewall rules management software is a critical must-have capability to control access and ensure tight security for companies evolving from physical to virtual environments.”

“The malware, a version of a toolkit available since 2005…”

2011-12-02T15:40:00.000-05:00

The story of the RSA attacks, as Qualys recently posted a very detailed study of the Adobe Flash exploit that caused all of the trouble at RSA last spring. It is a very thorough study – right down to a couple of pages of code.

Loved the human angle of a security-conscious person yanking the offending email out of a spam folder so they could open the infected XLS attachment. Good stuff. There will always be cases where people just make a mistake and have a lapse of judgment.

Great observation that some of the new security features found in Windows 7, such as Data Execution Prevention, probably would have thwarted the attack. It goes to show how hard it is for IT to move forward with a new version of an OS. Heck, it is hard even to move forward with a safer version of Flash or to enforce safe browser settings.

We know the half-life of a vulnerability and the difficulty in patching endpoints. Perhaps we should add a Law of Vulnerability for the life expectency of unpatchable software.

VDI: it's about people

2011-09-29T12:41:00.000-04:00

After participating in analyst events with the world’s leading VDI vendors (AppSense, Citrix, VMware) , it is increasingly apparent that the marketing of virtual desktops needs to get personal and emotional in a hurry if the industry expects to see explosive growth. For all of the VDI hype and messages of IT control, there are precious few deployments of more than 1000 seats. One possible reason is that end-users do not see what VDI does for them that cannot be easily done with the present physical approach of applications installed on laptops. Virtualization vendors trumpet the IT benefits while marketing to server teams - VDI is doomed to niche uses unless vendors can lead people to clamor for the new capabilities introduced by the technology.

Vendor marketing messaging and positioning targets IT decision makers with promises of enhancing data security, controlling application environments, saving operational expenses, and enabling business agility for existing applications. However, when it comes to re-inventing user experiences the user organizations participate in endpoint architecture decisions and it is personal demand for new capabilities that is going to drive explosive growth in virtualization at the endpoint.

One good start will be to shift the words virtual desktop infrastructure to the fine print of the back page of all market-oriented material. There is not one word in VDI that a user really wants: few people are comfortable with their understanding of anything virtual, a desktop is a necessary evil only to run desired programs, and do users rise to the edge of their seats when the conversation turns to infrastructure? There is amazing technology and potential in virtualization that is buried under IT-oriented technical jargon. It is critical that vendors tap into key user emotions related to making their computing lives easier. A few examples may be:

Imagine having business and personal applications at your fingertips not matter where you are or what computer you’re using – without painful software installations or generic browser user interfaces. You do not need the frustration of being unproductive on the road because you forgot to pre-install software, or you had to borrow a computer that doesn’t have your presentation on it. VDI can provide you access to more exciting programs at your fingertips than you can possibly install yourself.

Imagine relief from not getting upset waiting while Windows installs important updates and reboots your machine just when you’re ready to use your computer. System and application software is maintained by IT in the data center, meaning the most up to date versions are ready to run – before you need them! No more waiting like a second citizen while your computer manages itself; no more playing “IT” to configure security software or applications.

Imagine the freedom of not having to lug a laptop home from the office every day, and back again. There have to be better ways to exercise your upper body and back muscles. There is no need to include laptops, power cords and heavy-weight knapsacks in every commute. Virtualization allows you to run business applications – including Microsoft Office – on home computers, tablets, or mobile devices without having to install application software.

It is rare to find organizations that plan to be entirely VDI hosted in the data center - laptops are not going away anytime soon and even the early adopters seem to only envision a 20% penetration. For virtualization at the endpoint to move forward significantly, vendors need to find and promote visions of the technology that provide benefits that are not easily achieved in physical endpoints or through browsers. The present path of marketing solely IT benefits will result in organizations maintaining about 80% of their endpoints as physical desktop and laptop systems, VDI will be an additive expense, and the great opportunity to impact user lifestyles with virtualization will be lost. It is about people – let’s look for ways for virtualization to change user experiences.

Proactively addressing home and office PC security

2011-09-23T13:05:00.000-04:00

Webroot’s extensive survey – over 2500 respondents that was summarized in a Sept 20th press release – reinforced the need for businesses to recognize the inevitable blurring between personal and professional computing. With anti-malware scanning and filtering shifting to the cloud it is easier for organizations to proactively help secure home PCs as well as those in the office. Vendors can do their part by providing services that makes it easy for users or IT to manage security policy for multiple devices - inside and outside of the office.

What caught my eye in the Webroot study was that more than 40% of respondents purchased non-work related items online. Combined with prior results that 46% of users visit their favorite social networking site several times a day, it is becoming clear that employees don’t think twice about blurring personal and professional browsing while in the office. That is not a real surprise, since hundreds of millions of users have been blurring the distinction between personal and professional computing while at home to read business mail, or connect to desktops via VPNs or products like GoToMyPC. And that does not even factor in the use of mobile devices which completely bypass corporate security. Security teams need to address home security for home computing.

Businesses can help by negotiating coverage of home computers in their anti-virus agreements, evaluating cloud-based endpoint security management that bridges the home and the office, or recommending to employees the best free anti-malware offerings (sometimes available from service providers). There is a train of thought that there should be a clear separation of duties between personal and professional devices, and it is up to the employee to shell out $50 per PC annually to help protect the business. But that train is leaving the station.

Intelligent Whitelisting and VDI

2011-09-16T16:38:00.000-04:00

Check out my latest post on intelligent whitelisting titled "Working together in a virtual environment: application whitelisting and anti-virus". It is all about provisioning thinner virtual desktops for greater performance and density. Those requiring AV can run it as a security service on the virtual server.The article is right here.

RSA SBIC is worth checking out

2011-09-14T18:41:00.000-04:00

You have to give RSA credit for the way they’ve responded to their phishing attack. Rather than being totally defensive about the incident, RSA has responded with a drive to educate the market about threats that start with a plausible email that begs for attention. It is a good effort by a mature security vendor.

Their Security for Business Innovation Council reports are interesting executive conversations that result in recommendations and conclusions for enterprise security officers. The latest edition, released Tuesday of this week, focuses on the serious problems in combating APTs.

Usually I take these things with more than a grain of salt because they can be overly slanted into “buy my product” pieces, but RSA does a nice job of letting the executives speak. I liked that recommendation #6 was to “Rearchitect IT”. This is an admission that instead stacking security products in costly (and futile) defense in depth architectures, perhaps the business might be safer with thin clients and virtualization, tighter network zones and access controls, and even use of cloud infrastructures to share costs. It is thought provoking and worth checking out – although having said that I am not convinced about enterprise needs for intelligence services.

RSA also publishes a series of phishing reports - the latest reminding us that though phishing is a global concern, there are security actions we can take here in the US that may help. That is certainly not new information, but while the above SBIC report spent time talking about foreign agents and foreign attacks, it seems like our government and service providers have responsibilities right here - the US hosted 53% of the world’s phishing attacks in July!

Recent press release support

2011-09-02T17:58:00.000-04:00

Summer is winding down and Q4 activities are picking up. I’ll post a short note Monday on some concepts from briefings that I found interesting. Meanwhile here are the top 3 quotes I gave recently for Watchguard, Damballa and eEye …

Watchguard

I like what Watchguard has been doing, particularly for companies looking to protect their networks against security issues associated with social networks. The quote is on DLP functionality that will help against unauthorized outbound data flows. My French stops with “merci” – Watchguard did the translating:

“Until recently, data loss prevention technology has been predominately relegated to enterprise organisations that have the staff or resources capable of managing the administrative complexities associated with DLP,” said Eric Ogren of the Ogren Group. “The new DLP features in this WatchGuard
release focus on providing mainstream business environments with the badly needed benefits of enterprise‐strength DLP in a simple to manage solution.”

"Jusqu’à récemment, la technologie de prévention des pertes de données était principalement réservée aux services de l’entreprise disposant du personnel ou des ressources capables de gérer les complexités d’administration inhérentes", déclare Eric Ogren d’Ogren Group. "Les nouvelles fonctionnalités DLP de cette mise à jour de WatchGuard visent à offrir aux principaux environnements professionnels les avantages indispensables d’une protection DLP d’entreprise éprouvée au sein d’une solution simple à gérer."

Damballa

I liked Damballa’s ISP approach to associating domains and IP addresses with botnets. This allows service providers to detect command and control communications in the cloud, blocking early attacks while AV can perform clean-up of existing threats.

“The designer malware used in today’s attacks is supremely capable of evading detection,” said Eric Ogren, principal analyst of The Ogren Group. “The weakest link for data-seeking malware is now the command and control infrastructure with its reliance on the DNS hierarchy. Being able to detect the criminal infrastructure in its early days, as it is being set up and long before the actual attacks are launched, gives businesses a fighting chance at staying ahead of these threats.”

eEye

eEye has been in security for a while, with both Retina and Blink products. I thought their approach to risk identification, vulnerability management, and patching to be interesting for small and medium businesses that can benefit from a community approach.

“Many organizations fail to address their most critical security weaknesses, spending time and money correcting relatively minor security problems,” said Eric Ogren, principal and founder of the Ogren Group. “Security risk prioritization is an indispensable element of any pragmatic IT security and compliance strategy. Enterprises need solutions that will allow them to prioritize so that they can quickly and easily close the most dangerous security gaps in their networks.”

Virtualization accelerates firewall rules change requests

2011-07-29T15:44:00.000-04:00

Just posted on Tufin's blog ...

The shift to virtualization, with most organizations virtualizing more than 30% of their applications, challenges the means by which security teams implement firewall-based foundational controls. Organizations are embracing virtualization for obvious cost savings benefits when applications share server and infrastructure resources. In fact, many enterprises continue to re-architect networks to consolidate data centers, applications and IT services. For instance, the rapid provisioning of applications - running in a matter of minutes on a virtual server for a task that would take weeks with physical architectures – necessitates a rapid evolution in the security lifecycle management of firewall rules.

Security and firewall management blog at Tufin

2011-06-17T15:45:00.001-04:00

Firewalls are the heart of every organization's security strategy. Every compmany has firewalls, with rule sets that have grown to be a big can of worms. Tufin has very interesting technology that helps meet the scary challenge of keeping firewall rules consistent across the company and consistent across multiple vendors. Not only that, but I am finding security and network admin teams efficiently sharing Tufin's products for a secure network.

Tufin is taking a leadership position by hosting a discussion on security and firewall management. There will be guest analysts, and I am pleased to be able to contribute. You can check it out here.

My new post on IntelligentWhitelisting.com

2011-06-17T15:45:00.000-04:00

It is important that application whitelist approaches make allowances for differences in individual PCs. Each device is slightly different – it is very unlikely that a “one size fits all” approach will be pragmatic.I mention this because I often hear the misperception that application whitelist vendors maintain a master list of every published software executable in the world, can query that database to validate the integrity of any given program, and that there is great value in this massive clearinghouse capability ...

You can read the entire post here.

Can SecurID be trusted?

2011-06-03T16:56:00.002-04:00

RSA Security’s security problems, as evidenced by recent intrusions into defense contractor networks, are causing more than a few organizations to not only re-evaluate their commitment to SecurID authentication, but also to re-evaluate the role of authentication in their security programs. I have already heard of large companies that have embarked on a multi-year program to transition from premium-priced SecurID to cheaper alternatives.

RSA desperately needs to disclose more information about the nature of the breach, and what actions RSA customers should be taking to protect themselves. In the absence of information, security organizations should assume the worst – that their business is next in line for a breach – and should be prepared to detect and act upon an intrusion.

If you are a SecurID customer there are a few things that you may consider to help keep your business secure:

Add the device as part of the “something you have” authentication factor. Users would need SecurID from an approved device to gain access to applications and the network. This can be done either directly with PKI keys on the chip (e.g. Wave Systems using the TPM in Intel machines) or by evaluating the device (e.g. iovation assessing the machine fingerprint). Only a few users will ever need to access resources from unauthorized computers, so narrow this exposure by also authenticating the device.

Heighten efforts to detect APTs and intrusions. It is actually easier to avoid getting caught by launching a spear-phishing attack, penetrating corporate defenses with malware, and letting the APT deliver secrets than it is impersonating a user and bumbling around a network like Diogenes looking for secrets. Step up automated efforts to catch configuration drifts out of compliance and non-compliant network traffic – signs that you may be under attack.

With increased diligence, you can verify your trust in SecurID.

Endpoint Security: Become Aware of Virtual Desktop Infrastructures!

2011-05-20T15:57:00.004-04:00

I completed a pretty neat whitepaper for Trend Micro just before leaving for a couple of weeks of travel. Here is an abstract of the exec summary and you should be able to get the rest at Trend Micro.

Virtual desktops infrastructures, VDI, present IT with the unique opportunity to fundamentally improve the way desktops are purchased, deployed, managed, and secured. Organizations are attracted to VDI’s promise to reduce operating costs, provide users with wide choices of devices, improve application performance, and enhance corporate security against malware and loss of sensitive data. The benefits are compelling, with survey data showing approximately 70 percent of CIOs reporting VDI projects planned for 2010.

However, enterprises find while scaling from proof-of-concept projects to full deployment that desktop security software that is not optimized for VDI causes storage and network contention that significantly degrades virtual machine densities. The Ogren Group recommends the following guidelines in selecting endpoint security to help organizations preserve the benefits of VDI:

Choose endpoint security that is specifically designed for VDI performance. Endpoint security needs an architecture that avoids performance drags from storage and network resource contention.

Require intelligent use of cloud-based security to keep agent bloat from affecting VDI density. Evaluate approaches that scale by blocking attacks in the cloud, and do not steadily increase processor demands for VM-based endpoint security.

Insist on VDI-aware approaches allowing endpoint security to simplify administration of virtual and physical desktops. Since organizations will need to operate a mix of physical and virtual endpoint security, the security software should be optimized for each environment for user satisfaction, and ease of administration.

Trend Micro’s OfficeScan and Deep Security products are designed for use in VDI environments. The Ogren Group finds that Trend Micro exceeds requirements for protecting the business while enabling IT to realize the benefits of virtual desktop infrastructures.

Wedge Networks

2011-05-04T11:43:00.003-04:00

I commented on the content-focused approach of Wedge Networks and was pleased to support their BeSecure announcement.

Eric Ogren, analyst and founder, Ogren Group, said:

"The trend towards moving applications and data into private and public clouds introduces a new realm of very real security risks. Critical to identifying and remediating new threats will be a content-based approach offering deep inspection and clear visibility into network traffic. Wedge Networks is well positioned to meet these challenges with its BeSecure Web Gateway that enables organizations to protect sensitive data and have a clear view of content as it traverses the cloud."

Recent white papers ... ForeScout

2011-05-04T10:12:00.002-04:00

ForeScout has done a pretty good job of navigating through the NAC requirements. They've always had an interesting technical idea and now they have a team in place that can properly position the company. The next couple of quarters will be key for the company as it executes its new vision.

Recent white papers ... SenSage

2011-05-04T09:58:00.005-04:00

I often wish I could pay more attention to keeping you up to date with what's going on. I'm still learning that part of the job! Anyway, here are a few recent papers that you may be able to find on the web sites of ForeScout, SenSage, and Trend Micro. Let's start with SenSage.

VDI Security: Centralized Control

2011-05-04T09:55:00.002-04:00

One of my favorite articles I wrote for TechTarget’s Information Security Magazine was published last year. It turned out to be pretty popular with a huge number of downloads. I recently received the following mail from SearchMidmarketSecurity.com with a link you can check out.

Virtual desktop infrastructure implementation provides security pros with a perfect opportunity to re-architect their organization’s endpoint security and management. The fact that virtual desktops are managed via centralized services means that an entirely new approach can be taken with respect to endpoint security and desktop configurations, giving security teams much more control over their company’s data.

http://go.techtarget.com/r/13746997/6224113/1

This complimentary IT Decision Checklist explores the most significant security opportunities coming out of VDI solutions and how you can leverage them to fortify your own organization’s security posture.

Explore how to achieve the following in a VDI environment:

-- Control endpoint configurations
-- Isolate sensitive and regulated data
-- Enhance antimalware strategy
-- And more

Application whitelisting: an extra layer of malware defense

2011-04-02T14:43:00.002-04:00

I am a big fan of whitelisting as a complement to attack-centric approaches, and as a foundational layer of defense. Even though it is not called whitelisting, I see Apple successfully using this method for ensuring compliance for iPad, iPhone and iTunes. It is a technology that also works in the corporate environment, even if it is not an AV killer.

I was excited when Information Security Magazine asked me to write an article on AWL. I enjoyed talking to the major vendors and my enterprise security contacts about whitelisting, and am happy with the final result. I hope you also find it to be an interesting read.

“Application whitelisting makes too much pragmatic sense to not have appeal as an antimalware mechanism. Intuitively, a technology operating in the kernel that detects suspicious changes in an IT-controlled software configuration should be easier to scale than a technology that looks at all files to identify and clean attacks.” The rest of the story can be found here.

Vineyard Networks Application Intelligence and Classification

2011-03-25T15:35:00.001-04:00

Vineyard Networks is a pretty cool company that supplies high performance application intelligence logic to vendors of firewalls, WAN optimization appliances, and other network communications equipment. Vineyard has an interesting perspective on how security and operations teams both get the most out of application intelligence.

My contribution to their press release reads, “Organizations require the next generation of networking products to leverage application intelligence for greater visibility and control of the cyber-infrastructure. Security and networking vendors that hope to compete for enterprise business better offer a solid foundation of high performance application awareness and classification.”

RSA Caught in a Compromised Position

2011-03-23T18:38:00.002-04:00

There has been a lot written about the breach of RSA Security and the effect the advanced persistent threat has on SecurID users. The Open Letter to RSA Customers is so vague that it is hard to figure out exactly what the exposure is, and more importantly what to recommend to corporations relying on SecurID for two-factor authentication. I used worked with Security Dynamics, maker of SecurID before changing their name to RSA, as Director of Product Management from 1993-1998, so let me add to the discussion (I no longer have any financial interests in RSA Security).

The big risk is theft of source code that would allow an intruder to design a custom attack against servers installed on customer premises. For instance, all the attacker would need to do is exploit a weakness in the management protocol to be able to insert a backdoor or impersonate a privileged user to steal secrets. This scenario would be very serious as RSA would not be in a position to assure customers of the integrity of their authentication system, and wouldn’t even know how the attack manifests itself until customers are infected.

The lesser risk is theft of serial numbers and seed values. An attacker would still need to associate the exposed seed and serial number with the company that the purchased the token and the user possessing the token. That is really hard for an outsider to do, and if successful all an attacker achieves is one random user to impersonate. Yes, it is a concern but it seems like a manageable one.

If you are a SecurID customer there are a couple of procedural things you should do while RSA conjures up an explanation that may reduce the risk of an infected authentication system:

Audit IPS and firewall policies to ensure that there are no unauthorized communications with SecurID servers. This includes outbound connections that could signal a successful penetration of malware. This communication to the attacker might be the only way to detect a devastating breach of security.

Scale back on remote management of SecurID, including IT service desk procedures. Management operations that originate from outside the server perimeter are particularly dangerous. Consider assigning a member of your security team to perform privileged operations from a physically connected console, and disallow privileged operations over the Internet.

Finally, voice your displeasure at RSA in no uncertain terms and send them the bill for you extra security precautions. If you are a bank using SecurID for high-roller customers, then you are responsible for disclosure and re-imbursement if the system is compromised – RSA owes you more guidance than what I have seen.

It is ironic that enterprises have to disclose security incidents to consumers, but here we have a one of the most trusted security companies on the planet keeping business in the dark. Hopefully, RSA Security soon issues another open letter that is more enlightening on how customers should protect themselves.

Proofpoint Email Security Service

2011-03-21T10:14:00.003-04:00

Cloud-based security services can help drive down the operational costs of securely handling corporate information, especially securing the large volume of information contained in saved email. Proofpoint attacks this problem with a service approach that delivers cost benefits without jeopardizing obedience to compliance mandates. Their full release includes my supporting quote:

"The IT landscape is changing at a rapid pace, and organizations are struggling to keep up with regulatory and security pressures," said Eric Ogren, principal analyst of the Ogren Group. "By leveraging secure business services in the cloud, organizations may be able to alleviate the increased compliance burdens they are facing without having to make large investments in on-premise deployments and without having to give up control of their sensitive data."

Does compliance inhibit security innovation?

2011-03-15T13:35:00.004-04:00

I had some fun with a SearchSecurity.com podcast on the impact of compliance on security innovation. For me, there is no question that compliance stifles innovation, but people I really respect feel differently. It's an interesting question to think about ... or even listen to here.

Be comfortable with key management to secure your data

2011-03-11T16:10:00.001-05:00

Encrypting sensitive data on premise before the data gets to the cloud or gets on a truck is a best practice when utilizing offsite storage. I have talked with many organizations that insist they will never store regulated data in the cloud. In fact, when asked what it would take to make them more comfortable they do not even spend 3 seconds of think time before shuddering at the prospect of their CEO appearing on TV to explain a major data loss incident. Many cannot envision any confidence in data security that will enable off-site storage of sensitive data. However, with proper key management organizations can safely reduce expenses by using storage services for encrypted data only.

Seagate announced that it has sold more than one million self-encrypting drives. This is important to security officers because disk drives, and the regulated data they contain, do not stay in the data center forever. Seagate claims that 80% of the disk drives that are sent out for repair, or returned at the expiration of a lease, contain readable data. Furthermore, disks that are retired undergo expensive physical cleaning and shredding processes – unless that is overlooked due to human error. Self-encrypting drives automatically encrypt all data on disk to reduce the risk of data loss without adversely affecting performance or requiring incremental security procedures.

There are also many vendors offering to use shared cloud-based resources to drive down the costs of handling sensitive data for such activities as backup/restore (IBM, i365), email archiving (AppRiver, ProofPoint), and world-wide availability (RSA Security, Trend Micro). The critical element for cloud-based services is also to encrypt and decrypt the data on premise so it is not at risk of exposure in the cloud. This also reduces the IT burden of auditing service provider security policies and allows the organization to leverage efficient storage services.

Both of the physical and cloud-based secure storage objectives require organizations to manage their own cryptographic keys. That is a core competency that every security-aware corporation must have, especially if they choose to enable the use of external service providers. Companies effectively use services with sensitive data all the time (e.g. payroll services, 401K programs, health networks, sales force information, etc) so they should feel more comfortable with evaluating secure storage services knowing that the company still controls the data.

Intelligent Whitelisting

2011-03-08T17:41:00.002-05:00

Intelligent Whitelisting is a new site encouraging an open discussion on all things related to whitelisting, and application whitelisting. There are some really good security ideas being expressed in there – including a new one my me on VDI and AWL working together. Check it out when you get a chance, and make it a resource for security discussions.

Even though Lumension is sponsoring the site and panel of posters, they have made it clear that this is not the place for product review discussions. They are looking to build a community of thinkers and doers for the next generation of endpoint security and endpoint management. It’s a great concept that is gaining momentum!

Last thoughts from RSA Conference

2011-02-18T20:19:00.001-05:00

The RSA Conference is now over. I’ve been coming to a lot of these and I have to say that this is one of the better ones. I saw a lot of innovation, new ideas, and general buzz at the show. It felt great to see security starting to get out of its doldrums.

I loved seeing Art Coviello on stage again. I liked Art a lot when he was at RSA and he has played a major role in building a $700M business. It is a personal note, but it was pretty cool this afternoon seeing a Security Dynamics alum (via CrossComm) sitting with a President!

I also liked the fact that security is starting to catch on to the concept of providing information to IT and network operations teams. Security sees everything so why not communicate some of what it sees to the rest of the IT organization? The next-gen firewall conversations, usually centered on Palo Alto Networks is a perfect example of this. Another is a whitepaper that Qualys was featuring that emphasizes the strategic business efficiencies to be gained from secure cloud services.

SonicWALL also surprised me with a big honkin’ box that is loaded with application level logic. That company has come a long ways from the one that averaged 1.6 boxes per small business when I first met them.

Time to run for the airport. It was a good week – catching up with lots of friends, having great security conversations, and contributing to the Trusted Computing Group and Anti-malware sessions!

Top 5 observations at the mid-point of RSA week

2011-02-17T15:23:00.003-05:00

Top 5 observations at the mid-point of RSA week, or what seems to be themed NG RSA:

1. One of the fun events of RSA week happens before the show commences – the Innovation Sandbox. This event, in its second year, features 10 young companies, each staffing a small demo station and then presenting their idea on stage to a panel of judges and the audience. This year's winner was Invincea for their secure browser protection. The Innovation Sandbox experience also has a very cool idea of “speed dating” where aspiring entrepenuers get a few minutes to pitch their idea with an experienced VC. That is the kind of networking activity that made the RSA Conference famous back in the 90’s and it is awesome to see the return to supporting new innovative ideas. I recommend that every “A” round security company enter the competition next year.

2. Cisco is back to tackling big security problems with the unveiling of SecureX, their next generation security architecture. SecureX applies context gathered from network traffic and the presence of more than 150 million VPN agents to make smarter security decisions in Cisco devices. Cisco needs some help articulating a vision of how SecureX will change the life of security, IT and networking teams but there is a ton of potential and I think of this more as an exciting start for 2011.

3. According to Quest Software, “One in ten IT Professionals (10%) admit that they have accounts from previous jobs where they can still access systems even after they’ve left the organization.” For years the industry believed that Single Sign-On would be a big productivity gain by making it easier for users to connect to applications, and perhaps reduce service desk calls by reducing the number of passwords to be managed. However, perhaps the ability to easily de-provision user accounts with a single click will provide incentive for security teams to look more closely at SSO (and to be worried less about losing “the keys to the kingdom”).

4. Symantec was the company that perhaps has given me the greatest positive surprise this week with the performance and virtualization enhancements announced in SEP 12 . It is great to see companies like Symantec and Trend Micro getting out ahead of the curve when it comes to leveraging virtualization and the cloud. Symantec Endpoint Protection 12 has significant improvements based on their Insight intelligence that will keep Symantec a force for some time. The following chart is snipped out of AV Comparatives real world testing report – I have not had time to read the report for bias, but however you cut it these numbers look good for Symantec.

5. Lumension is doing some nice integration work with device discovery, application whitelisting, anti-virus, and patching features. It is very clear to me that some form of whitelisting is an essential layer of defense – it just makes too much sense to look one way while signature approaches look in the other (or vice-versa). Integrating the capabilities into an end-to-end system can fundamentally help the way IT manages endpoints and conducts incident response investigations.

I have to say that this has been an excellent week at RSA. The only real complaints are the weather – rain, cold and overall yuck – and the fact that every booth has to have “cloud” or “next generation” in its signage. Must be some sort of RSA Conference zoning regulation for booth rentals.

Early Vibe: Mykonos

2011-02-16T13:49:00.001-05:00

My RSA week started off on the right foot with an early Tuesday morning meeting with Mykonos Software. This is an exciting young pre-A round company with an interesting idea for cutting off custom-designed web application attacks before they can be launched. It is an intriguing approach to web application security that is likely to please organizations that want to say goodbye to cross site scripting and SQL injection attacks.

It is surprising that the intuitive Mykonos solution has not been tried more often. Mykonos offers an appliance that monitors outbound web traffic for the presence of forms and validates that the completed inbound form does not carry malware. The product salts the web form with what it refers to as “detection points”, allowing the solution to recognize malicious changes to the form when it is returned to the application. Attackers that are testing their attack code are identified, permanently tagged, and future activity blocked before the attack development completes and launches. Mykonos does not require “scan and hope” signatures and does not rely on interpretation of application behavior – if the detection points have been modified then there is no question about unauthorized activity.
There are benefits of the Mykonos approach over traditional web application firewalls:

+ Mykonos does not have to learn web application behavior or understand the business logic expressed in the web dialog. This significantly simplifies the administration and reduces false positives that can plague other web application firewalls.

+ IT does not have to coordinate changes to the dynamic web site with security – the Mykonos appliance just recognizes the presence of a form and applies its detection points-based logic. Traditional solutions that are dependent on rules or learning mode struggle to keep up with the rate of change of dynamic web sites.

+ As a start-up with a new idea, Mykonos can tap into existing enterprise PCI-driven line item budgets for web application firewalls.

The intelligence gathered on the attackers, their locations and attack methods, gives the company nice flexibility going forward. They still have challenges such as ensuring that attackers can’t recognize detection points to by-pass the security mechanisms, or improving the catch rate of already developed attacks. The Mykonos idea has a lot going for it, without requiring cumbersome rules. With proper execution, Mykonos will have a fun 2011.

RSA Conference 2011 is next week

2011-02-10T18:53:00.003-05:00

I hope to see everyone in San Francisco next week during the RSA Conference 2011 festivities. I am so glad to have RSA return to its February dates - I am in big time need of a warm sun, green grass, and lively security discussions!

I am participating in a couple of sessions that I’m very excited about:

Monday finds me moderating a panel of network security experts for the Trusted Computing Group’s workshop on IF-MAP. This is good stuff with the content provided by industry experts and not vendors. It would be well worth your time on Monday to check out: TCG-001 – Can You Trust Your Enterprise? Top Analysts & Implementers Debate Using Trusted Computing is in Orange Room 301 starting at 11:00.

Friday is my presentation on the demise of HIPS. It is sad, but the time has come with the retirement of Cisco CSA. I’ve put some intriguing ideas on how to use whitelisting to plug some of the holes that AV misses. The details: TECH-403 – Is it Time to Put HIPS in the Recycle Bin? is Friday at 11:20 in Orange Room 307.

RSA is easily the best security event of the year – if you can only go to one event, this is the one to choose. Please take advantage of resources that can be critical to your plans for 2011:

Seek out networking opportunities with fellow security professionals. Share experiences and plans – you will be surprised at the tips you will pick up.

Attend sessions that broaden your security knowledge. This is a fabulous chance to learn about security issues before they become a challenge for your business. In particular, I would recommend Steve Orrin’s session on virtualization security as well as sessions from the Cloud Security Alliance. The lineup of sessions with abstracts is found here.

Talk with vendors in the exhibit hall for demos and discussions with how the product can work in your environment.

Enjoy the show and I hope to see you there!

Early Vibe: CloudPassage

2011-01-27T18:30:00.002-05:00

CloudPassage, a Bay area startup, has just exited stealth this week with a proposition to simplify security for cloud-based servers. The problem, according to the vendor, is that vulnerability management and firewall policy enforcement both suffer as application servers are dynamically launched and shuffled between data centers. For instance, the ability for enteprises to reach their applications in the cloud to frequently assess and manage server vulnerabilities or to enforce server-based security policies both suffer.

The secret sauce of the CloudPassage SaaS technology features a cloud-based analytic grid that continuously correlates server configurations with vulnerability information and customer security policies - offloading individual servers from that burden. CloudPassage initially offers two products, Halo SVM and Halo Firewall:

Halo SVM (Server Vulnerability Management), depends on a host-based agent to initiate communications with the CloudPassage grid. The agent profiles the Linux or Unix server, and uploads that information to the CloudPassage grid for analysis. The end benefit is a vulnerability management procedure that transparently evaluates applications for vulnerabilities and configuration drift with a higher frequency than scanning options can reasonably achieve.

Halo Firewall is a host based firewall that is designed to travel with cloud-based servers to enforce security policies. Similar to SVM, the Firewall product connects to the CloudPassage grid to download the most recent set of policies for the server.

The Ogren Group believes that CloudPassage is on the right track. Enterprise applications are evolving from customer premise-based services to hybrid environments and public clouds, yet the evolution of static security perimeters and scheduled vulnerability management isn’t evolving at the same pace. Placing the burden of analysis in the cloud as a SaaS allows CloudPassage to avoid distribution overhead to servers while assessing vulnerability information, server configurations, and customer policies for each server (and there will be plenty of opportunity to add additional security computations). CloudPassage does have challenges to overcome, starting with expanding its solution capability to include support for Windows servers and also an agentless option for those that can’t tolerate additional software on a server. The company is very young with a grid capability that provides potential for excellent flexibility in responding to securing the cloud.

Catching the Wave

2010-12-29T12:20:00.000-05:00

You have to admire the perseverance of a vendor whose vision is miles ahead of the market, and then fights, scratches, claws, and just hangs on until they find customer traction. This has been the case with Wave Systems, an early evangelist of placing and managing keys in secure hardware, particularly the TPM as defined by the Trusted Computing Group. For Wave there has always the lingering question of “if the idea is so good, why aren’t companies buying”? Well, it looks like the time has come and they’re now underway with two primary use cases:

Secure remote access with intrinsic two-factor authentication. Using the secret key from the TPM turns the laptop into the “something you have” factor to go along with the password (“something you know”). Enterprises not only save money by reducing token purchases, they also gain secure access while giving users and security administrators one less thing to worry about.

Transparently encrypt the hard drive of remote users. Enterprises that need to protect intellectual property or regulated data on laptops are getting tired of trying to administer DLP or DRM at the endpoint. A simpler solution is to transparently encrypt data on the hard drive using a secret key from the TPM. It is more secure, easier to manage, and may cost less. The most noteworthy implementations support Bitlocker and Samsung and Seagate self-encrypting hard drives.

Wave Systems sells software that makes administration of keys and TPMs practical for larger organizations that need to secure remote access and locally stored data. They’re moving forward and have some impressive references to their credit, including Mazda, Papa Gino’s, and Boston Medical Center. It’s nice to see their perseverance paying off.

Checking out PacketMotion

2010-07-26T13:22:00.002-04:00

PacketMotion came by my office in Stow last week, leading to a lively discussion on the direction of network security. The company, founded in 2004 with its flagship PacketSentry product at version 4.0, has been around too long for Early Vibe status in this blog. However, PacketMotion is embracing a few unique ideas that may give security teams the flexibility they need to meet corporate functionality and cost-of-ownership requirements.

Corporate networks are dynamic as IT gains flexibility with wireless access, virtualizes applications and desktops, and increasingly relies upon browser-based cloud applications to support the business. This trend changes access paths between users and applications, and challenges security that is based on static addresses.

User Activity orientation allows IT to focus on securing business policies of users and applications. PacketSentry integrates with Active Directory to monitor user traffic to applications, with the option of killing non-compliant connections. Security policies are less dependent on the network infrastructure and are more easily mapped to business requirements.

Virtual Segmentation features provide a virtual PCI-compliance partitioning of resources by automatically monitoring and enforcing user activity to regulated applications and data repositories. That is, rather than deploying internal firewalls and replicating security mechanisms in the network, PacketMotion’s virtual segmentation helps assure that users and programs do not step out of bounds and access unauthorized business resources.

Automate compliance reporting with significant cost savings. Compliance mandates are designed to ensure the security of a business process and confidential data. Traditionally this has been done in a bottom-up manner starting with individual security products and then aggregating and correlating results into an overall business view. PacketMotion’s top-down approach reporting user and application activity across a broad range of protocols saves IT a lot of pain and can significantly reduce the burden of compliance reporting.

PacketMotion does a lot of things. In fact, one of their larger challenges is defining a strong position in the marketplace that also addresses priorities in security budgets. Since PacketSentry is a network appliance in the datacenter that looks at and records activity there will be pressure to place the company into a SIEM bucket (because it records activity), an NBAD bucket (because it can detect and terminate unauthorized behavior), or an automated GRC bucket (because it automates compliance). The company has good leadership and will find its way, but for now its differentiators are worth examining for forward-thinking security teams.

CoreTrace webcast on June 28th!

2010-06-28T14:48:00.001-04:00

There has been a ton of interest in application whitelisting lately, especially with security-savvy organizations reacting to the Cisco Security Agent end of life scheduled for the end of 2010. Those folks know that they cannot rely totally on AV, but they also know they need a proactive approach that can be managed across the enterprise without breaking the bank.

CoreTrace is a leading application whitelisting vendor that does some pretty cool stuff at low levels. The webcast on Tuesday, June 28th is well worth an hour. Check out all of the details here:

http://www.coretrace.com/resources/webinars/CoreTrace_Webinar--Transitioning_from_Cisco_Security_Agent.aspx

Early Vibe: Armorize

2010-06-01T16:31:00.001-04:00

Armorize is a web application security company that is being introduced to North America after gaining market traction in Asia/Pacific. The new management team is blessed with venture capital, noteworthy reference accounts, and an experienced engineering organization in Taipei. The focus on detecting actual malware residing on web sites addresses a critical security problem, where attacks such as drive-by downloads from trustworthy web sites infect customer endpoints. While vulnerability scanning is an important best practice, the Ogren Group believes malware scanning, if executed properly, addresses a sharper pain that gives enterprises a compelling reason to buy.

The main attraction for Armorize is a cloud-based service approach that finds the presence of malware on enterprise web sites. The HackAlert service is for security teams that need to react with a heightened sense of urgency to clean an infected web site to protect customers. Ferreting out vulnerabilities is good application hygiene to patch holes before exploits find them, but actually detecting infections solves more immediate customer needs. The cloud-based service approach makes perfect sense for organizations requiring continuous vigilance for malware.

Armorize also offers a code scanning product, CodeSecure, which examines web application software for security faults. This complements the malware scanning by offering Armorize customers a long-term end-to-end solution to hardening web applications. Organizations with custom developed applications will use this product early in the engineering cycle to ensure that web applications will be more resilient to attacks – and less likely to incur expensive emergency security fixes.

A significant challenge for Armorize will be to develop a pricing model that encourages customers to frequently scan for malware, while also being compensated for resources consumed by the Armorize data centers and a business model that aligns the HackAlert service with the CodeSecure offering. The Ogren Group believes the management team understands the web security space well enough to solve these problems, and will find a way to bundle code scanning with malware scanning for a comprehensive web security subscription service. Armorize has an interesting idea focusing on malware instead of vulnerabilities and with execution is well positioned to have a positive impact on improving enterprise’s web application security.

Live Web Seminar with Bit9

2010-05-07T16:38:00.002-04:00

I will be talking about the failure of HIPS to provide a scalable endpoint security and the acceptance of application whitelisting as a foundational layer in conjunction with AV. One of the big problems with HIPS is that it is prohibitively expensive from an administrative standpoint. I think it is an interesting topic since I have some experience with with is now Cisco CSA. I hope you can join us on May 19th at 2:00ET.

"While significant enterprise security resources are devoted to prevention of malicious code infections, malware continues to frustrate security teams. Traditional anti-virus approaches have proven to be ineffective against modern attacks, and organizations that have tried host intrusion prevention find that technology is not an effective part of the endpoint security solution. Application whitelisting monitors endpoints in real time to ensure that only authorized programs can run, and that those programs have not been modified by malware."

Using user communities to bolster security offerings

2010-02-26T15:59:00.002-05:00

Social networking ideas are coming to security, with efficiencies that are likely to .

Secure Passage is introducing a program whereby members can share configuration rules and policies to allow tight alignment between firewalls, routers, and other network devices. This is a really good idea that allows its customers to quickly tighten the security and compliance of their networks while reducing the chances of creating gaping holes in their security profiles. Secure Passage may also find that customers are extending the product into applications and server settings, which could lead SP to a nice growth path.

Computerworld post ...

2010-02-26T15:46:00.002-05:00

I thought the Alexa statistics on web site usage were pretty cool. I have always liked numbers and statistics. I did some exploring on US-China-India numbers on web site visitors for a Computerworld article and found the following (hopefully the formatting does not get screwed up):

Company USA India China
Check Point 22.3% 13.8% 4.8%
Cisco 32.2 12.5 4.7
EMC 39.8 13.2 9.8
IBM 18.4 12.5 19.3
Microsoft 20.6 7.5 7.0
NetApp 40.6 18.8 4.9
Symantec 25.3 13.3 3.2
Websense 30.3 7.8 23.9

Lockheed-Martin 49.5 7.0 11.3
Pfizer 47.6 12.9 5.7
Whitehouse.gov 65.7 3.4 3.9

There could be lots of business reasons for some of these numbers such as sales model, or amount of off-shore manufacturing partners, etc. However, the number of visitors from China and India is frequently significantly greater than the number from large industrialized countries including England, Germany and Japan.

If you are in security, you better know your business.

Computerworld blog entry

2010-01-22T16:03:00.002-05:00

After an 11 month hiatus, I have returned to the Computerworld blog. I had a lot of fun writing for them before and I am thrilled that they would have me back! Here is the first posting of 2010 ...

"Application service providers offer a centralized control point to deliver secure services for millions of its subscribers. Let’s hope that more social networking application providers follow Facebook’s and Comcast’s example by making it easy to acquire endpoint security software, and by enhancing its own internal vigilance. In the meantime, consumers with a paid anti-virus subscription are advised to act quickly in getting free protection from the likes of Avast!, AVG, or Microsoft..."

Web security strategy

2009-12-29T12:04:00.000-05:00

Check out SearchSecurity.com for the latest:

If you haven't focused on an enterprise-wide Web security strategy then it's time for a reality check. It's safe to assume that various parts of your organization are using Web applications and a cloud computing infrastructure or services, and the time to wrap a security strategy around that is now.

Microsoft and EC settle their IE dispute

2009-12-16T17:34:00.000-05:00

Good to see the European Union competition commissioner has finally come to its senses and settled its silly and costly business practices lawsuit against Microsoft over the bundling of Internet Explorer into Windows.

This seemed like pure harassment to me – browsers are free, users can easily download and install any browser they want, and service providers could have included or recommended browsers if their customers demanded help. In fact, you could even argue that ubiquitous feature-rich free browsers have worked to everyone’s benefit (though I do not believe Microsoft set the market price of free).

Anyway, Microsoft and the European Commission are now in agreement. Microsoft has agreed to give the user a choice of leading browsers in versions of Windows and presumably the EC can find better things to do.

Lessons from CoreStreet

2009-12-15T15:51:00.001-05:00

CoreStreet is the most recent security company fire sale – selling to ActivIdentity for “approximately” $20 million. Usually this means that the investors get some money back, the founders get some candy so they’ll bring their next idea back to the VC’s, and everyone else gets new business cards. CoreStreet gave it a good go – they had sharp mathematicians and a new idea for authentication, but could not find a sustainable and repeatable business. There are at least 2 things that other struggling security companies may be able to learn from CoreStreet:

Keep your messaging simple. CoreStreet is in the “distributed credential validation solutions” segment. You cannot expect a security team to evaluate, recommend or buy a product that they do not fully understand or have an expressed need for. When I first talked with them, CoreStreet described proofs and math models to authenticate signatures when a certificate authority was unavailable. I was in over my head in about 30 seconds, and I like to think I’m pretty good at authentication and math. If you are looking to increase sales traction, make sure your messaging is easily understood and directly addresses an important business need.

Try to diversify from government dominated customer base. When it comes to security, government agencies often have unique solution requirements that do not translate well into the commercial world. You can make a business serving the federal government if your company reaches a critical mass, but if you are not cash flow positive you need to have alternatives. While CoreStreet attracted business from defense-oriented agencies, it couldn’t translate its technology to the commercial sector. The company had no options and no place to grow, except perhaps by acquisition to a vendor that can service outstanding government contracts.

There is a tough year coming up and we will see more security vendors like CoreStreet with tired investors and shuttered doors in 2010.

Database activity monitoring lacks security lift

2009-12-15T15:47:00.002-05:00

Posted to SearchSecurity ...

The IBM acquisition of Guardium Inc., a privately-held database activity monitoring (DAM) vendor, is far from a validation statement of DAM as a viable security market segment.

Vendors including Embarcadero Technologies Inc., IPLocks (acquired by Fortinet Inc.), Lumigent Technologies Inc., Symantec Corp. and Tizor Systems Inc. (acquired by Netezza Corp.), have already given up on the DAM space, leaving companies such as Application Security Inc., Imperva Inc., Secerno Inc. and Sentrigo Inc. fighting to divvy up a total annual market of well less than $100 million. The IBM acquisition of Guardium helps the company gain information management technology and a capability to drive professional service revenues in the data center.

Health Net breach failure of security policy, technology

2009-12-01T09:34:00.002-05:00

I'm back from vacation and Thanksgiving - hope you all had a nice break!

Here is the latest SearchSecurity posting:

"The recent Health Net data breach—affecting some 1.5 million users—is a failure of all aspects of IT security, including the ability to set appropriate policy, communicate that policy to employees and deploy the relevant security technology.

Health Net announced last week that unencrypted records, and the portable external hard drive containing those records, were lost. A loss of this magnitude from normal business practice suggests that either sensitive data accumulated over a long period of time and was not systematically erased when no longer needed, or the user worked on extremely large chunks of data without proper security controls. IT should have been aware of both possibilities and acted to protect the business." ...

Audit Ready Data Center Webinar with Accelops

2009-11-13T22:01:00.002-05:00

AccelOps has a really interesting approach to management of the technical infrastructure for mid-tier organizations. They do a solid innovative job of going a few extra steps to combine, correlate and analyze data - steps that IT does not have to learn to manually perform. The Audit-Ready Data Center is a webinar in conjunction with ISSA where we talk about the needs of meeting requirements for continuous audit that provides a common language for security discussions with other organizations in the company. Hope you can check it out on the 19th.

Press Quote: Tufin extends security lifecycle management

2009-11-10T12:54:00.002-05:00

Tufin has a nice vision for helping IT manage network access policies - coordinating rules between firewalls, routers, and switches for consistency and security. It is worth checking out, especially if your network has sensitive data (and what network doesn't).

"Firewall Policy Management functions are only part of the solution when controlling access to sensitive zones within the corporate infrastructure." said Eric Ogren, principal analyst of the Ogren Group. "Access policies that are enforced by high speed switches and routers need to cooperate, and be consistent with firewall rules for effective management of a secure network. Tufin’s approach of converging analysis of leading network and security devices can help enterprises control dynamic networks for compliance and security."

How to use Internet security threat reports

2009-11-10T12:49:00.001-05:00

A bunch of security threat reports have hit the presses lately. Here are a few thoughts of how IT should use these, as posted in SearchSecurity ...

"The Melissa worm, one of the most prolific email viruses in history, earned its notoriety by forwarding itself to the first 50 people found in a victim's Microsoft Outlook address book. Security researchers celebrated its 10th anniversary earlier this year, and in the decade since Melissa, the world has seen a boom in viruses, Trojans, SQL injection, spam, phishing and drive-by downloads." ...

Security benefits of virtual desktop infrastructures

2009-11-06T16:03:00.001-05:00

Newly posted to SearchFinancialSecurity:

"An emerging technology is helping to solve security issues within the financial industry: virtual desktop infrastructures. With a virtual desktop infrastructure, an organization actually executes desktop applications on servers in the data center, relying on remote display protocols to give the user a localized look and feel. The security benefits of VDI in the data center are clear: IT controls software configurations, assuring that users execute software with the latest patches and upgrades ..."

Two-factor authentication, constant vigilance foils password theft

2009-11-04T17:42:00.001-05:00

The latest on passwords at SearchSecurity"

"The state of the art in static password protection policies has left some specialists questioning the usefulness of current password policies.

It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior..."

Chip and PIN adoption serves lesson for U.S. payment industry

2009-10-29T16:31:00.001-04:00

Fresh off the SearchSecurity press:

"First Data Corp. and RSA, the security division of EMC Corp., are the latest major companies working together to encrypt credit card data at the point-of-sale device. This early encryption approach, also offered by other vendors, including ProPay Inc. and Merchant Warehouse, can lower the technical costs of Payment Card Industry Data Security Standard (PCI DSS) compliance, as well as the legal risk of disclosure notifications and the risk of mass information loss. It is a proactive approach that retailers should be evaluating" ...

Lumension adds AV to endpoint security offering

2009-10-27T16:02:00.002-04:00

Lumension continues to put together the critical pieces of an endpoint security solution. In addition to patching vulnerabilities to reduce the risk of an exploit and application whitelisting with device control to reduce the risk of an attack modifying software, Lumension now adds an attack-centric AV layer to eradicate known threats. Defense in depth only really works if each layer adds a unique complementary technology approach. That way, whatever threat one approach might miss, the next approach is likely to catch. The addition of AV to patching and applicatino whitelisting is a good approach that should work well for Lumension's customers.

I supported Lumension's release activity with the following quote:

Eric Ogren, Principal Analyst, Ogren Group
“As the explosion of viruses and data-stealing crimeware continues to wreak havoc on corporate networks, IT administrators need to take an increasingly more proactive and blended approach to endpoint protection. Lumension now offers solution layers that close system vulnerabilities, identify and remove attacks, and protect against malware from Web 2.0 threats. Organizations that adopt such a coordinated defense will be better-suited to protect against threats, keeping their network, endpoints, and business resistant to the daily influx of newborn malware.”

DLP technology challenges security costs

2009-10-21T17:44:00.001-04:00

New to SearchSecurity:

"Vendors have blurred the functional boundaries between data leakage prevention, digital rights management and even endpoint device control, to the extent that IT should reset expectations for DLP deployments. The recent Burton Group report on DLP summarizes the market from a vendor offerings point of view, with heavy emphasis in vendor rankings given to companies with large market shares and marketing budgets. DLP can be a powerful weapon for security teams balancing threat protection with data protection and acceptable use policies, but only in well-defined business scenarios." ...

Phishing protection begins with training, antiphishing evangelist

2009-10-16T08:25:00.001-04:00

Newly posted on SearchSecurity:

Law enforcement has demonstrated that it's serious about cracking down on phishers, spammers and other nefarious cybercriminal activity, but now is the time for security organizations to launch an antiphishing program to protect customers and employees from the upcoming wave of attacks that will most certainly mark the holiday season.

Phishing is a nagging social problem that preys on users' trust of established brands and confidence in the Internet. The classic phishing scam consists of a plausibly written email message containing a link to a phish website that looks like the real thing, but is designed to steal passwords and account numbers when the unsuspecting user authenticates. While law enforcement is part of the solution to breaking up phishing rings, IT needs to continuously focus on social countermeasures to fight the strength of phishing attacks.

Mitigating zero-day vulnerabilities in customers' environments

2009-10-06T16:48:00.001-04:00

Posted today at SearchSecurityChannel:

"Zero-day exploits -- attacks in the wild that are too new for signature checkers to recognize -- present a serious challenge to security solution providers who are expected to protect client endpoints, hosted websites, application services and Web communications. However, there may be opportunities for service providers to differentiate, or offer revenue generating services, with services that help clients recover from a zero-day infection."

Feds push cybersecurity jobs, PCI DSS changes ahead

2009-10-05T14:02:00.001-04:00

Posted to TechTarget today:

"In a significant sign of the government's commitment to improving its cybersecurity profile, the Department of Homeland Security said it could hire 1000 security professionals over the next three years. This is welcome news for those seeking cybersecurity jobs. A longer-term view of the problem of securing the national technical infrastructure would have DHS allocating more of its $40 billion total budget authority to cybersecurity educational programs. We've heard reports about the problem of filling and retaining professionals in government information security jobs. In addition to existing degree programs at a few universities, perhaps cybersecurity can also be featured in Reserve Officers Training Candidate programs to develop military leadership well-versed in cybersecurity skills. Presently, neither the Army ROTC nor the Air Force ROTC shows cybersecurity as a career choice..."

Nominum Broadens Intelligent DNS Impact with SKYE Cloud Services

2009-09-22T14:19:00.003-04:00

Nominum is introducing a DNS SaaS approach called SKYE. This is interesting partly because the DNS lookup seems like a good time to layer on security and acceptable use services, since attacks now originate from the Web. It is a good concept, with a good management team behind it, and I was glad to support their release.

“DNS has evolved from a simple name resolution protocol to a policy-based system that provides essential availability, auditing and security services for the entire ecosystem of web-based applications,” said Eric Ogren, principal analyst at the Ogren Group. “Since the first step of any Internet request is a DNS look-up, the name service is a natural position to deploy technology asserting manageable controls over the complexities and threats of today’s Internet. With web threats dominating the Internet, the time could not be better for Nominum to launch its SKYE service for ISPs and enterprises.”

Whitelists, SaaS modify traditional security, tackle flaws

2009-09-21T13:49:00.001-04:00

Posted on SearchSecurity.com:

"The SANS Institute's latest threat report should be a reminder to security teams that now is the time to rethink the traditional approach to security as 2010 plans are being prioritized, with a strategy to transform security into a capability that is as dynamic as the attack landscape.

Threat reports are usually a tough read as they highlight the successes of hackers without suggesting meaningful preventive actions that IT can take. But the SANS report, The Top Cyber Security Risks, found that traditional security is woefully inadequate in protecting the business infrastructure against infected websites and penetration through popular applications such as Adobe Flash and Microsoft Office."

Last thoughts from VMworld

2009-09-16T13:01:00.001-04:00

Now that my computer has been replaced with a shiny new Dell box, it is time for my last thoughts on VMworld. Overall, VMware did a great job, there was tangible excitement throughout the entire week at the show, and VMware is poised for a great year. Without further ado, here are my top 5 impressions -

1.Virtual desktops and virtual workspaces are gaining real momentum. The concept of IT managing users and content, and not managing devices is gaining traction. The primary driver is compliance – IT is fed up with configuration drift and data loss at the endpoint which is leading to programs for VDI.

2.VMware needs to provide a bridge from physical environments to hybrid physical-virtual environments to a total virtualized infrastructure. It is one thing to evangelize virtualization and the cost savings associated with application density. However, only 15-20% of applications in the data center have been virtualized. The remaining 80% or so of physical applications will take a while to evolve so VMware would do well to have vCenter embrace management of the entire infrastructure, not just ESX.

3.VMware has the chance to be the spokeperson for virtualization if they change their approach to competitors. RSA was brilliant in giving airtime to opposing points of view from competitors and the US government. The result is the most important and comprehensive security conference on the planet. VMware needs to lift space and messaging restrictions on Citrix, Microsoft, Oracle and others to elevate VMworld to the virtualization showcase conference.

4.VMware has a brand new leadership team with key players in their roles for less than 3 quarters. It is a challenge to learn the business and choose the best strategic path while undergoing on the job training. Maybe I’m overly sensitive to this – I saw Security Dynamics (now RSA) swap out Sales, Marketing, and Engineering leaders only to find the newbies surround themselves with cronies and stymie the business by chasing the PKI windmills.

5.Citrix and Microsoft are very much in VMware’s cross-hairs. Even Citrix customers often host applications on ESX and deliver the user experience with Citrix ICA. VMware is targeting end-to-end solutions by bolstering VDI with PCoIP – a direct challenge to Citrix’ ICA. This is a good move for VMware and will certainly benefit customers who will soon have more choice. Less good is the fear of Microsoft Hyper-V and App-V. VMware needs to find a cooperative and competitive strategy where they can spend less time looking over their backs at Redmond.

Security vendors can learn from ConSentry Networks demise

2009-09-10T07:43:00.002-04:00

The latest article posted to SearchSecurity:

"There is a plethora of security vendors in the world today, many of which are not going to get any bigger. Security startups struggle to get broad horizontal traction, and I have talked with many vendors who insist that everyone must have their product. However, most security vendors simply do not grow to be very big, primarily because their product line is not obviously needed by everybody.

The recent demise of ConSentry Networks Inc., a switch-oriented NAC vendor, serves as a sad reminder that security often only has niche appeal. Smaller privately held vendors may need to go vertical to best understand how to serve the business and to survive as a company..."

At VMworld 2009, companies focus on virtual desktops for security

2009-09-03T12:06:00.001-04:00

Just posted on SearchSecurity.com from VMworld:

"While security and compliance is a major driver of virtual desktop infrastructure projects, security is taking an otherwise decidedly low profile here at VMworld this week. Clearly customers are moving ahead with virtualization projects within the context of traditional security architectures. This is also reflected in the trend that attached costs for professional services, incremental storage, networking, and business applications are all greater in virtualization projects than security expenses. Virtualization projects are going ahead in the data center where application service configurations are relatively static and security can be placed in the physical infrastructure..."

At VMworld this week

2009-09-01T17:48:00.001-04:00

VMworld brings me back to the Moscone this week. The VMware conference has drawn over 12,500 people and the exhibit hall was absolutely hopping yesterday. There is a lot of excitement about new technology and the vision of a dynamic IT service. Most of what I’ve seen so far is in CAPEX reduction such as layering shared OS images, application packs, and personification settings to reduce storage and administration costs. I like the prospects of VDI to change the security model, but it looks like VDI may stay poised waiting for a breakout for a bit longer.

Most of the security here is tied to multi-tenancy. For example, if an Exchange VM is launched on a new server to meet capacity demand, then make sure a DLP VM is also launched to meet compliance mandates. I can’t say I’ve seen much of innovative use of VMsafe even though big security vendors Check Point, McAfee, Symantec, and Trend Micro are all here. Reflex Security may be interesting when I talk with them tomorrow.

It has come to my attention that www.ogrengroup.com returns a “not found” error message. My blog is hosted by Google so I’ll have to see what changed there. If you are reading this, then you know how to get to my blog directly. Bad timing with the conference going on - I’ll get this fixed as soon as I can!

VMware AppSpeed moves virtualization forward

2009-08-20T17:48:00.004-04:00

This is an Ogren Group Impact I wrote a few weeks ago for VMware AppSpeed. The product is a pretty good idea and should do well for VMware's customers.

"VMware is bolstering its vCenter management capability with AppSpeed 1.0 software enabling organizations to confidently control performance as applications transition to a virtualized infrastructure. AppSpeed allows IT organizations to manage memory, network, and system resources for applications across the physical and virtual corporate infrastructure, assuring predictable VM performance under peak workloads. The Ogren Group believes establishing visibility and control of performance as applications become virtualized is a critical capability for organizations advancing their strategy of cost savings and dynamic IT service management through data center virtualization. The introduction of vCenter AppSpeed is an innovative move by VMware, and positions VMware customers to rely more upon ESX virtualization in the data center..."

Hacker charges also an indictment onPCI, expert says

2009-08-19T11:55:00.002-04:00

Just posted to SearchSecurity ...

"The federal indictment this week of three men for their roles in the largest data security breach in U.S. history also serves as an indictment of sorts against the fraud conducted by PCI – placing the burden of security costs onto retailers and card processors when what is really needed is the payment card industry investing in a secure business process.

A federal grand jury has indicted Albert Gonzalez of Miami and two yet unnamed Russian hackers for their alleged roles in the Heartland Payment Systems Inc. and Hannaford Brothers Co. thefts of 130 million credit and debit card data, plus the 40 million credit cards grabbed from TJX.
SQL Injection still a major problem:
SQL Injection troubles firms, errors lead to breaches: Security experts see the secure software development lifecycle improving, but legacy applications and Web server flaws continue to offer a rich treasure trove for attackers.

Three indicted for Hannaford, Heartland data breaches: A grand jury has charged three men for their role in stealing more than 130 million credit and debit cards from Heartland Payment Systems and several other companies.The indictment makes for good reading, with references to SQL injection, distributed data collection servers, QA against major AV products and temporary messaging accounts to elude detection..."

Webinar coming up - 3 Tactics for Securing Your Website and Driving Trust, Customers and Revenue

2009-08-19T07:17:00.002-04:00

I have the pleasure of conducting a VeriSign-sponsored, IT Security-hosted, webinar next Wednesday on web site security. Given the prevalence of web site attacks, this is pretty timely. I hope you can check it out.

3 Tactics for Securing Your Website and Driving Trust, Customers and Revenue

Date: Wednesday, August 26, 2009
Time: 1PM ET / 10AM PT

If your customers visit your website and don’t think it’s secure, they won’t buy from you. Secure your transactions. Join this FREE live webinar to learn 3 ways your company can ensure your website is secure and you can improve transactions with your customers.

Get 3 easy tactics to secure your website now and drive trust, customers and revenue:

• Strategy to drive trust, customers and revenue by securing your website
• What are the costs and risks to online customers and your business
• Why you need to secure your e-commerce site
• 3 easy tactics to secure your website NOW

A Chance to Win

Live attendees will be entered for a chance to win an iPod Nano. One winner will be selected from the audience by random drawing.*

If you’re interested but can’t attend the live event, register today and we will send you a link to the on-demand archive when available.

We look forward to having you join us.
________________________________________
Featured Speakers:

Eric Ogren is the founder and principal analyst of the Ogren Group. Ogren’s background features over 15 years of enterprise security experience, becoming a highly regarded industry analyst. Coverage areas include virtualization security, alignment of security technologies with business requirements, evolution of endpoint security, authenication and user identity protection, application security, managing security in large enterprise environments, and consumer privacy issues. Prior to starting The Ogren Group, Ogren served as security analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. Additional vendor-side experience includes product leadership roles at RSA Security and Digital Equipment. Ogren holds a B.S. degree in mathematics from the University of Massachusetts and an M.S. degree in Computer Science from Boston University.

Ryan White is SSL Product Marketing Manager at VeriSign, Inc. Ryan has been at VeriSign for over 3 years helping to educate businesses about how to protect their site and customers with encryption technology.
Michael Oliver-Goodwin is a Contributing Editor of IT Security. He is a widely published writer and an experienced editor for publications, including PC World, MacWeek and InfoWorld.
*Employees of associated companies are not eligible for drawing. Person must live in the US to be eligible. Winner is chosen at random. Winner will be notified at the conclusion of the live webinar. One prize will be given out per person selected from the drawing.

Patch management study shows IT taking significant risks

2009-08-13T14:28:00.001-04:00

Posted to SearchSecurity.com -

"The latest research around patch management is a good reminder for security teams to move patch diligence up the stack to applications and to resist disabling signature checking for performance in UTMs.

Qualys Inc. presented an update at the recent Black Hat USA 2009 briefings to their Laws of Vulnerabilities research, a timely statistical review in light of the increase in Microsoft Internet Explorer, Microsoft Office, Adobe Reader, and Apple QuickTime application level attacks. The study, first conducted in 2004, is based on years of accumulated vulnerability scanning data of the Qualys installed base..."

Microsoft Security Essentials (MSE) shows no vision, expert says

2009-08-11T21:23:00.002-04:00

Posted today on SearchSecurity.com.

"Microsoft's security program is lost in time.

While it works diligently to bring yesterday's antimalware solution to market with Microsoft Security Essentials (MSE), the company is completely losing the future of security definition to competitors, with recent evidence supplied courtesy of Google's Chrome OS announcement and Check Point's browser sandboxing feature. There are a few points where Microsoft security is losing time." ...

Written for Lumension - Endpoint Security: Moving Beyond AV

2009-07-23T15:56:00.004-04:00

"Application whitelisting is emerging as the security technology that gives IT a true defense-in-depth capability, filling in the gaps that anti-virus (AV) was never designed to cover. Organizations have invested heavily in traditional AV solutions, often stacking AV filters from multiple vendors along the data path in the desperate hope that one of the products would stop malware from infecting the corporate or government endpoints. While AV plays a crucial role in identifying known malware and cleaning infected systems, the reality is that relying on layers of the same defense mechanism leaves organizations completely exposed to attacks and data theft from unknown or designer malware that can be delivered in web-based active code, downloaded encrypted code fragments, and persistent botnets. Security teams that know they need more than AV are now deploying application whitelisting technology to protect laptops, desktops, server and Point-of-Sale endpoints from unidentified malicious code as well as undetected code injections - and they are finding significant operational benefits due to fewer interruptions responding to infected endpoints.

This Ogren Group Special Report, Endpoint Security: Moving Beyond AV, commissioned by Lumension, presents the market demand for application whitelisting with recommended actions for security decision makers. Information in this report derives from Ogren Group research and interviews with enterprise security executives of global organizations." ...

OPSWAT quote for press release

2009-07-22T16:21:00.002-04:00

OPSWAT is a neat company that develops toolkits for embedding security into applications. The most common need is for a general purpose interface to make calls to an AV product, allowing the application vendor to pick and choose the right AV engine for the job. OPSWAT also includes logic to facilitate a clean removal of security - a welcome capability for those of us who have ever attempted to uninstall an AV product when switching vendors. They do interesting work with a refreshingly pragmatic approach. I am pleased to support their press release with a quote:

“As the IT need for embedding security solutions in the fabric of the infrastructure becomes an increasing necessity due to the growing number of Internet-based threats, so does the ability to manage these solutions in an efficient manner,” said Eric Ogren, founder and principal analyst at the Ogren Group. “OPSWAT, Inc.’s Metascan technology provides the capability to bolt anti-malware scanning engines directly onto third-party software. Together with OESIS application management features, the acquisition of Metadefender’s technology nicely positions OPSWAT to provide a comprehensive, all-inclusive anti-malware scanning engine, benefiting vendors of secure products.”

New hacker skills optimize revenue

2009-07-22T16:19:00.002-04:00

The latest from SearchSecurity:

"Malware is evolving into a rewarding, mature high-tech market, and it's not surprising that the financial incentives of developing and peddling malware can outweigh the risk of penalties that include spending quality time in jail. Malicious code developers may not be business school graduates, but they appreciate basic business principles to expand their addressable market; optimizing revenue from the install base and leveraging technology. That was the takeaway from the Cisco 2009 Midyear Security Report, an excellent summary of the major malware activity written for a less-technical executive audience..."

Offering SaaS for securing mobile devices

2009-07-17T11:03:00.002-04:00

The following has just been posted in TechTarget's SearchSecurityChannel:

"Intelligent mobile devices are revolutionizing the way remote users connect to their business, and thus are presenting unique security opportunities for solution providers. Blackberrys, iPhones, and the emerging category of promising Mobile Internet Devices (MIDs) are exploding in popularity, fueled by the availability of easy-to-use application interfaces to access information (both business and personal) in non-traditional ways..."

Cloud-based security services should start private

2009-07-13T20:17:00.001-04:00

Posted on SearchSecurity.com this week:

"Many early stage cloud vendors have it backwards when it comes to offering cloud-based services. They implement Software as a Service (SaaS) first to demonstrate their vision and then develop enterprise integration features. But the right way to go about it is to support corporate clouds in early product releases. IT is typically conservative about business risk and likes to retain control over sensitive data and applications. Security SaaS vendors may be better served by allowing IT to start by hosting its own private cloud service, integrated with existing data repositories and administrative systems and then provide a path to the full cloud application environment"...

Ogren Group Impact: MokaFive LivePC at your service

2009-07-08T09:38:00.003-04:00

MokaFive has the innovative idea of deploying virtual desktops as a service for remote users. The payoffs can be large for IT – centralized control of endpoint configurations for meeting compliance mandates, protection of sensitive data while working in remote locations, and end-user convenience of having ubiquitous access to their desktop. The Ogren Group believes that with performance concerns abating due to the virtual desktop running on the endpoint, virtual desktops will usher in new opportunities for IT to cost effectively service business users.

Tufin takes an operational view on firewall rules management

2009-07-01T20:24:00.002-04:00

Tufin is one of the promising companies in the firewall rules management market. While security and managing compliance is of primary importance, Tufin also appreciates the operational cost savings benefits of controlling and automating firewall rules administration. The following is a quote for their Automatic Policy Generation press release that hit the wires on June 29th:

"Automating the creation of optimized firewall rule bases is critical to establishing an accurate baseline for increasing network security and reducing operational costs," said Eric Ogren, principal analyst of the Ogren Group. "Well defined firewall rules lower the risk of creating holes in network security, eliminate many of the business disruption issues that can accompany firewall deployments, and reduce the number of costly support calls. Automation ensures that firewall rule bases act on the intelligence discovered from actual observed business traffic."

Twitter risks, Facebook threats trouble security pros

2009-07-01T18:48:00.002-04:00

Nice way to start July with a new SearchSecurity post!

"The explosive growth in social networking has positioned many security teams solidly between a rock and a hard place. On the one hand, conscientious security executives cannot ignore the data loss and regulatory compliance risks to the corporation; on the other hand, security cannot politically survive by categorically objecting to other organizations innovative use of new business tools...."

If you were Check Point, who would you buy?

2009-06-18T11:48:00.002-04:00

I gave this feedback to a senior editor at MergerMarket. Since they provide a subscription service I thought it would be interesting to also dream about Check Point M&A here.

Check Point is an interesting company with a healthy revenue stream, big bank account, and dominant market position. They haven't shown a great desire to grow by aquisition in the past, and the vision of the Zone Labs and Nokia deals doesn't particularly wow me. Still, they can print money so they're clearly doing a lot of things right!

Check Point Software Technologies is a software company specializing in network inspection and processing. I would think the first wave of merger activity would be to diversify from security into adjacent areas of networking. If you think about it, a firewall's job is to let traffic into the network so I tend to think Check Point can better use its checkbook to improve connectivity for its customers.Here are three areas I would recommend for Check Point corporate development:

WAN optimization. Performance over the Internet is critical to capturing new customers and improving business processes. Riverbed would be the number one target. RVBD would allow Check Point to combine security features with web access, accelerated storage, and more. Check Point is good at terminating WAN connections so this is a natural fit.

Virtual Desktop and Virtual Machine delivery. Virtualization will continue penetration in the datacenter and we will see more enterprises solving labor intensive endpoint complexity and security problems with virtualization. Picture a remote user connecting by VPN through a firewall to a network server to run or download a virtual application. Most of the companies in this space are small, with software implementations that Parallels and perhaps the smaller MokaFive and Ring Cube. It would be bold and cool if they could scarf up Citrix but I'm not sure that Checlk Point's pockets are that deep.

Network Management. An under-appreciated strength of Check Point is its management capability. The company gets great stickiness and loyalty from its base that shies away from command line interpretters and script-writing. The trick is to combine mergers in this area with WAN optimization of virtualization. I would look towards companies like Reflex Systems, DynamicOps, or FastScale to allow organizations to quickly take advatage of a compelling Check Point infrastructure. Those are tiny companies - I'm sure there are public ones that also fill this bill it is just too late for me to think of them ;)

I'm not big on Check Point acquiring hardware capability (e.g. Crossbeam) because Check Point is a software company and it is difficult for hardware product lines to thrive in a company with a software DNA - just look at McAfee's history with hardware. I also don't think it makes much sense to commoditize adjacent security vendors (been there with Sourcefire, and what does it really add for customers that can't be done through parternships?). Though maybe they'll score Imperva to get Shlomo Kramer back in the fold or put Code Green on one of their software blades.

Virtual appliances boost flexibility, improve security

2009-06-18T11:42:00.002-04:00

The latest TechTarget post highlights the innovative use and device sharing possibilities afforded by virtual appliances.

"Security products purchased as virtual appliances give IT greater flexibility in deployment than traditional security hardware devices. The concept of treating network security as a software application has proven to be successful. Organizations can save money by re-purposing expensed servers as security devices, achieve a performance boost by placing network-oriented security on a faster processor and consolidate security functions on fewer servers to save on administration while making the security function a bit greener." ...

Security pros find corporate firewall rules tough to navigate

2009-06-15T14:43:00.001-04:00

Posting on June 15th to SearchSecurity:

"Corporate firewalls usually contain a security-Pandora's box of rules, representing prioritized sequences of allow or deny decisions that only the most brave security operator dares to modify. Removing or re-sequencing firewall rules runs the risk of blocking approved business communications or of opening a hole exposing the business to unauthorized traffic. It is near impossible for a human to manually audit firewall rules across the enterprise to reduce risk, optimize firewall device performance, and streamline data paths through routers, switches and firewalls. Security teams are turning to firewall management tools to perform security audits of the infrastructure and automate operational control of the firewalls. ..."

Cloud security begins with infrastructure assessment

2009-06-15T10:37:00.001-04:00

Posted June 10th on TechTarget's SearchSecurity:

"Security professionals are facing the difficult challenge of extending security requirements to take advantage of cloud computing and software-as-a-service applications. Particularly difficult is finding ways to secure the new boundaries between the enterprise, the cloud service and the end user while managing dependencies on off-premise infrastructure and privileged operators. And they have to do all this without inhibiting flexibility and agility. ..."

Early Vibe: Triumfant

2009-06-07T00:09:00.000-04:00

Triumfant is an up and coming endpoint security product vendor headquartered in the Washington, DC area. The company takes a holistic approach to endpoint security, detecting changes to the environment, auditing activity, and restoring the endpoint to a compliant state after an attack. This is a sharp contrast to traditional anti-virus approaches that can never catch all the exploits and behavioral approaches that fail to unwind from a detected attack. I believe the security experiences of Triumfant’s leadership team, and the uniqueness of its technology, give the company a promising future if it can navigate the pitfalls associated with growing an “A” round company.

The secret sauce for Triumfant is the capability to define and manage the drift of adaptive baseline configurations of endpoints under protection. This allows the technology to detect unauthorized changes, such as those caused by malicious code, and to reset the endpoint to the latest baseline. Agent software scans the local environment for changes, and also uses signature and behavioral techniques to increase the chance of detecting an attack. The centralized server allows IT to manage baseline definitions, to automatically allow for configuration drifts by auditing endpoints under Triumfant protection, and to reset a non-compliant endpoint to the latest pristine image without the need for an IT refresh. The approach is refreshing as most endpoint security vendors completely ignore the need to reset an endpoint without IT intervention.

Triumfant will face challenges as it grows, and must carefully choose product features that keep it ahead of the slower moving vendors. The two greatest impacts may come from anti-virus vendors and virtual desktop vendors. IT cannot conceive of an endpoint security world without AV, no matter how many times AV is proven to be effective. Triumfant should bundle an optional AV in its solution to be able to displace installed competitors with a more comprehensive endpoint security solution. Virtual desktops offer the ability to reset the desktop to pristine compliant images when an infection is detected. Triumfant can fill the gap for virtual desktop vendors by enabling desktop resets of virtual images.

Customers need to demand more from all endpoint security vendors and not just accept a status quo that does not work often enough. Triumfant is rising to this challenge with an innovative approach to protect servers and desktops from attacks, and to give IT relief from attack recovery procedures. It is an interesting play that lends itself well to servers and will inevitably become popular on desktops too.

IT pros can detect, prevent website vulnerabilities, thwart attacks

2009-06-04T21:46:00.001-04:00

Posted on SearchSecurity June 3rd.

"IT is left to its own ingenuity to weave diverse products into a Web security protection scheme. Security practitioners will have to categorize externally facing websites and then make security investment decisions among technologies such as scanners, penetration testers, Web application firewalls, source code scanning and security development lifecycle (SDL) investment. There is no one best practice when protecting websites, which is a worrisome state for businesses and helps explain why security vendors report that most attacks penetrate browsers through infected webpages."

WH cybersecurity plan needs private sector guidance

2009-06-02T17:40:00.001-04:00

Posted this week on SearchSecurity.com

President Obama's announcement last week of the creation of a White House senior cybersecurity coordinator has put a dramatic shift in emphasis on critical infrastructure protection that is long overdue -- the country runs on networked applications and other countries have targeted critical elements of the U.S. infrastructure. There were ideas expressed in the Cyberspace Policy Review that are worth calling out ...

Organizations struggle with data leakage prevention, rights management

2009-05-27T14:16:00.001-04:00

Posted May 26th on SearchSecurity ...

"While it is important to have technology that can automatically block violations of acceptable use policies, it is more important to have end users that know their responsibilities and application developers that integrate data security. That's where audit, discovery and reporting features come into play when evaluating data protection products such as data leakage prevention, endpoint device control and rights management systems..."

Software piracy pandemic needs government role, better vendor antipiracy plans

2009-05-22T16:22:00.001-04:00

Posted earlier this week on Tech Target's SearchSecurity.com ...

A satisfactory solution to the business software piracy problem has proven elusive to the software industry. Draconian measures, such as rights management systems or hands-on key management systems, can drive up customer costs in IT administration, while in consumer markets the cost of a single support call can erode all profit margins and may even exceed the price of the product.

Posted opinion on Citrix series of announcements

2009-05-16T00:32:00.002-04:00

Recent post to TechTarget on the Citrix announcements.

One way for IT to dip their toe in the cloud computing waters is by providing internal users with a corporate hosted application service that IT controls. This gives IT the ability to monitor usage patterns and could reduce operating expenses. The key capability of an application service is to deliver compliant applications and desktops to end users with performance close to what would be experienced if the applications were locally installed.

App service cloud could boost security, manageability

Feds should get private sector advice on cybersecurity

2009-05-16T00:28:00.002-04:00

Posted on SearchSecurity.com earlier this month

Feds should get private sector advice on cybersecurity

VMware should push towards becoming the de facto standard

2009-05-04T17:55:00.004-04:00

The latest issue of NetworkWorld dings VMware for not supporting Microsoft and Citrix hypervisors with their vSphere release, claiming VMware’s strategy promotes “vendor lock-in”. Well, duh. Who said supporting other hypervisors was a market requirement for VMware?

Enterprises typically buy technology products because they offer the best features match for the desired functionality, offer the best performance for the business, or offer the best economics between purchase price and operating costs. IT has made the decision to make VMware the market leader for virtualized datacenters because of functionality and performance. Other factors, such as vendor relationship, product roadmap, open support for competitors are usually relegated to tie-breakers. IT strived to control the datacenter – I have not talked with too many IT folks that strive for a mish-mash of hypervisors for corporate applications in the virtual datacenter.

In terms of competition, Microsoft will successfully compete on price, and will be penetrating the market via small and mid-tier organizations. They always do, and they always do it well. I have spoken with companies that will switch to Hyper-V as soon as it is enterprise-ready. Citrix competes on performance, especially when it comes to application delivery to the desktop. Yes, Xen has open source roots, but customers buy predominantly because Citrix Xen delivers a local experience to virtual desktop and can save huge operating costs for endpoint management.

I do not often see vendor lock-in as an overriding issue in emerging markets, and I certainly don’t see it here for VMware’s vSphere. VMware's mission is to become the de facto standard for virtualization in the data center, which will drag an eco-system with financial benefits for the installed base. I’m not sure how vendor lock-in is even a major customer concern at this early stage of the market. Am I missing something here?

Last RSA thoughts ...

2009-04-30T11:04:00.001-04:00

The attendance was way down, but RSA has always been a vendor-to-vendor show to encourage open discussions on security. This year seemed to focus on all things cloud, and aligning security with business requirements. With that, here are a few loose ends from last week …

AVG, a nifty endpoint security player, reports that 60% of infected Web sites disappear in less than 24 hours. Cisco is doing a nice job of incorporating Ironport’s reputation heuristics into its security offerings, applying the technology to IPS devices to dramatically boost performance and filter short-lived transient attacks. It looks like this bold move by Cisco could work out for their customers.

I really liked what I heard from Citrix and TrendMicro, and even Microsoft (though it takes them an insane amount of time to ship any security product). Together with Cisco and IBM it is good to see the major infrastructure vendors with product roadmaps recognizing that coordination between host, network, and cloud is the way forward.

I have gone almost full circle on Web application firewalls. I was a huge advocate back in my Yankee Group days, but now I am less sure. WAFs all but died off because IT preferred to fix applications the right way – in the source code – rather than putting a band-aid in front of the app. WAFs are challenged penetrating deeply into the applications chain of Web servers, application servers, and data base servers to thwart SQL injection attacks. PCI threw a lifeline to the segment, but IBM will put a hurt in it with its free version. IBM can do that because scanning and fixing the source code is the Rational route.

Finally, a thanks to Greylock. I’ve been critical of VC’s not venturing new startups over the last two years. Their reception was the networking highlight of the week. There were quite a few friends I would’ve missed had it not been for Greylock’s generosity!

My RSA Conference is over

2009-04-23T21:32:00.002-04:00

The RSA Conference is over for me. I managed to pack in over 30 formal meetings and a big number of informal conversations. Great week! I'll be winging home at 8:30 tomorrow morning, but before I go here is a link to an article on the Innovation Sandbox.

RSA Conference 2009 shines spotlight on security innovation

More from Re-union of Security Associates conference

2009-04-23T10:31:00.004-04:00

This has been a fabulous week at RSA. The weather has been outstanding - my favorite briefings were outside in Yerba Buena gardens surrounded by sun, green grass, and flowering azaleas. Way better than a booth discussion - thanks to Citrix and Safend for getting me outdoors yesterday! I have really enjoyed catching up with people that I only get to see once a year.

A couple of my favorite articles were posted this week on SearchSecurity. Check 'em out:

Gartner gets NAC wrong, again

Mimic the IBM approach to security at RSA

A big surprise at the show is the abstraction of VMware's marketing communications teams. They choose to make a major vSphere announcement on the first day of the show when security press and analysts are at their busiest (hint: Monday was better timing), announce VMsafe on the last day of the show when press and analysts are done for the week (hint: next Monday was better timing), and do not have a presence on the show floor (hint: EMC is your parent; RSA is your sibling - ask to borrow a corner of their booths). I did however manage to chat with a VMware person at the Greylock reception.

Kudos to Greylock for hosting the best event of the conference!

Nice move to the C-Suite by Lumension to start off RSA

2009-04-21T10:38:00.003-04:00

Lumension started off the week with a bang by announcing the acquisition of SecurityWorks at 10:00 Monday morning. This is nice move to add compliance and risk management tools to an already strong portfolio of patching, device control and endpoint security products.

One of the major trends I'm already seeing this week is applying GRC capability to map business goals into automated IT directives. This purchase positions Lumension to have deeper conversations with prospects about the managing and securing the infrastructure, and also gives the company flexibility in driving revenue through additional product lines. Lumension still has to execute, but this is a promising addition.

I'm looking forward to another sunny 80 degree day here - can't wait to see what today's news will be!

On my way to RSA

2009-04-19T19:51:00.002-04:00

I am writing this as the six foot three guy in the middle seat as Virgin America is bringing me to RSA Conference 2009. For an analyst, this is a week jammed with briefings and networking sessions. It is my best chance to meet people I have enjoyed talking with on the phone, catch up with friends I don’t see often enough, and deepen vendor relationships in the pursuit of business. It is all about talking with people this week for me. I do tour the exhibit hall, but to be honest I’ve been briefed before the conference by most of the savvy vendors and it is challenging to have productive conversations in a trade show booth. And there is never time to actually sit in on a session.

RSA is the ultimate networking conference in the security industry. RSA has always been about the best vendors getting together to improve security and business propositions. Be sure to put on your networking hat If you are at the conference – this is the one time to meet people with common interests that can help you in the future.

If you are working a booth, be prepared for a quiet week. Economy-driven travel restrictions that are now in vogue means you should not expect hordes of customers crawling through the exhibit hall. When members of your installed base aren’t stopping by to see what’s new, be sure to check out startups for new ideas and introduce yourself to people.

It is going to be 80 degrees and sunny in San Francisco. Should be a great week!

Citrix XenApp may seem complex, but streamlines security management

2009-04-18T14:53:00.002-04:00

April 17 posting on SecurityBytes, a SearchSecurity.com blog:

Citrix Systems' XenApp, its flagship application delivery product line, can appear to require a complex chain of moving parts of moving parts that can be difficult for prospects to understand. However, existing customers that are saving operational expenses consolidating data centers may also find improvements in the latest version of XenApp to manage user authentication and access control and conduct application auditing as a result of delivering applications from fewer virtual data centers.

Securing Smart Grid: How solution providers can help

2009-04-18T14:45:00.002-04:00

April 9 posting on TechTarget's SearchSecurityChannel.com:

The Obama administration is setting aside $54 billion to modernize the national electronic grid infrastructure, which represents a number of opportunities for security solution providers. The goal of what's being called the Smart Grid plan is to bring the communications power and flexibility of IP networks to the management of the electricity supplier's network. The modernization effort for Smart Grid would involve extensive modernization of security technology and processes to be successful. Solution providers specializing in security technologies or in the utilities vertical will have to expand their knowledge base to be successful.

Cloud computing group to face challenges ahead

2009-04-18T14:40:00.002-04:00

April 15 posting on TechTarget's SearchSecurity:

The new Cloud Security Alliance (CSA) has a number of hurdles to climb if it expects to foster a meaningful discussion about cloud computing and provide useful data for organizations planning cloud implementations. The organization announced its formation earlier this month and plans to release a whitepaper in conjunction with its official launch at the RSA Conference in San Francisco.

Conficker leaves security industry looking clueless

2009-04-06T10:00:00.002-04:00

Posted on TechTarget SeachySecurity.com on April 4, 2009:

The Conficker-fed doomsday scenarios fed to us by security vendors and trade press has come and gone without the big disaster. The IT world on April 4 looks a lot like the IT world on March 31. It is almost disappointing, just as a forecasted winter storm that misses the mark - nobody wants to see property damaged, but a good storm is captivating and fun to watch. Conficker, also known as Downadup and Kido, was primed to start seeking its payload using a wider range of domains on April 1. The over-hyped storm has thus far turned into a dud, leaving the security industry looking clueless once again.

Press quote for CoreStreet

2009-04-06T09:52:00.002-04:00

CoreStreet has very interesting and innovative authentication technology that is finding traction particularly in government organizations. This quote supporting their
CoreStreet Announces the CoreStreet FIPS-201 Solution was an easy one as the CoreStreet FIPS approach can reduce costs in consolidating authenticated ccess for both physical and logical systems.

“The CoreStreet FIPS-201 Suite provides government agencies the critical capability to fulfill the promise of converged physical and logical security as envisioned by HSPD-12,” said Eric Ogren, founder and principal analyst of the Ogren Group. “As an effective upgrade to legacy PACS systems, this solution allows government employees and contractors to use their FIPS 201 credential for secure access to federal buildings.”

Special Report for AccelOps

2009-04-06T09:43:00.004-04:00

AccelOps is a new company dedicated to bringing IT service management to mid-tier firms. This special report is based on qualitative survey research conducted by the Ogren Group on the needs of IT for a pragmatic All-In-One management tool. Check out the special report here.

Press quote for Code Green Networks

2009-03-30T22:52:00.003-04:00

Code Green is one of the up and coming DLP companies. I was impressed with their depth of understanding the data protection problems that the healthcare industry is facing. The following quote in their March 9, 2009 press release reflects their unique position.

"Given the nationwide push to digitize health care records, health care IT professionals should adopt appropriate tools to identify and secure sensitive data moving over their networks, especially via non-secure channels such as web mail and public health networks," said Eric Ogren, principal analyst at the Ogren Group." Content inspection solutions like Code Green’s are an essential tool for identifying and securing data vulnerabilities."

Microsoft IE 8 security only benefits educated users

2009-03-30T22:45:00.003-04:00

Posted on TechTarget's SearchSecurity.com on March 25, 2009:

Microsoft Internet Explorer 8 (IE 8) has a slew of productivity and security features that IT needs to understand. But knowledge of IE 8 security features needs to trickle down to end users quickly in order for organizations to benefit from some of the most meaningful improvements.

Latest Apple iPhone features prompt security concerns

2009-03-23T10:48:00.000-04:00

Apple has a knack for producing consumer friendly technology, and they have done it again with its Applie iPhone OS 3.0 software, which is available later this summer. But in the process they've exposed the smartphone to new areas for hackers to target. The new iPhone software has many exciting new features for consumers. Features such as landscape editting, viewing of email and text files and access to corporate applications through browsers, means this handheld device will be a significant issue for security teams.

Read the entire article at SearchSecurity.com, posted 19 Mar 2009.

See my Ziff-Davis presentation on virtualization security

2009-03-18T17:46:00.000-04:00

I was one of three speakers at today's Ziff-Davis virtual tradeshow on virtualization security. The session went well with several lively questions at the end. You can check it out at the Ziff-Davis virtual trade show.

Microsoft Threat Management Gateway has some drawbacks

2009-03-18T17:32:00.000-04:00

Posted to Tech Target's SearchSecurity on 17 March 2009:

Microsoft Threat Management Gateway has some drawbacks

Microsoft is now a few weeks into the second beta release of its Threat Management Gateway , the successor product to Internet Security and Acceleration Server. But the software giant's conservative approach to security results in some drawbacks for IT.

Smartphone security lacking at many businesses

2009-03-12T18:31:00.000-04:00

Posting on TechTarget SearchSecurity on 19 Feb 2009 -

Smartphone security lacking at many businesses

Smartphones are ubiquitous in corporate life, supplying email and browser access to data whenever and wherever information junkies need a fix. But so far IT has been slow to address the security arising as a result of the smartphone phenomenon.