
Security Innovation & the Bendy Hammer

February 17th, 2008

See that odd-looking hammer to the left?  It’s called the MaxiStrike from Redback Tools.

No, it hasn’t been run over by a Panzer, nor was there grease on the lens during the photography session.

Believe it or not, that odd little bend gives this 20-ounce mallet the following features:

     > maximize strike force

     > reduce missed hits

     > leave clearance for nailing in cramped areas

All from that one little left-hand turn away from linear thought in product design.

You remember that series of posts I did on Disruptive Innovation?

This is a perfect illustration of how innovation can be "evolutionary" as opposed to revolutionary.

Incrementalism can have just as much impact as one of those tipping-point "big-bang" events, which have desensitized us to some of the really cool things that pop up and can actually make a difference.

So I know this hammer isn’t going to cure cancer, but it makes for easier, more efficient and more accurate nailing.  Sometimes that’s worth a hell of a lot to someone who does a lot of hammering…

Things like this happen around us all the time — even in our little security puddle of an industry.

It’s often quite fun when you spot them.

I bet if you tried, you could come up with some examples in security.

Well?

Virtualization Hits the Mainstream…

February 13th, 2008


Sad, but true…


Catbird Says It Has a Better Virtualization Security Mousetrap – “Dedicated Hypervisor Security Solution”

February 13th, 2008

I spent quite a bit of time in the Catbird booth at VMworld, initially lured by their rather daring advertising campaign of "running naked."  I came away intrigued by the Security SaaS-like business model provided by their V-Agent offering and saw that as the primary differentiator.

I was particularly interested today when I read the latest press release from Catbird, which suggests that their new "HypervisorShield" is specifically designed to secure the hypervisor from network access and attack:


Catbird, provider of the only comprehensive security solution for virtual and physical networks, and developer of the V-Agent virtual appliance, today announced the launch of HypervisorShield, the industry's first dedicated comprehensive security solution specifically designed to guard against unauthorized hypervisor network access and attack.

The paragraph above seems to be talking about protecting the "hypervisor" itself from network-borne compromise, which is very interesting to me for reasons that should be obvious at this point.

However, the following paragraph seems to refer to the "hypervisor management network," which I assume is actually referring to the virtual interface of the management functions, like VMware’s service console?  Are we talking about protecting the service console or the network functions provided by the VMkernel?

HypervisorShield, the latest service in Catbird's V-Security product, extends best practice security protection to virtualization's critical hypervisor layer, thwarting both inadvertent management error and malicious threats. Delivering continuous, automated 24×7 monitoring focused on the precise vulnerabilities, known attack signatures and guest machine access of the hypervisor management network, HypervisorShield is the only service to proactively secure this essential component of a virtualization deployment.

Here’s where it gets a little more confusing because the wording seems again to suggest they are protecting the hypervisor itself — or do they mean the virtual switch as a component of the Hypervisor?:

HypervisorShield is the first virtualized security technology which can monitor and control access to the hypervisor network, detect malicious network activity directed at the hypervisor from virtual machines and validate that the hypervisor network is configured according to best practices and site security policy.

…sounds like an IPS function that isolates VMs from one another, like Reflex and Blue Lane?

OK, but here’s where it gets really interesting.  Catbird is suggesting that they are able to "…see inside the hypervisor" which implies they have hooks and exposure to elements within the hypervisor itself versus the vSwitch plumbing that everyone has access to.

Via the groundbreaking Catbird V-Agent virtual appliance, protection is delivered within the virtual network itself. By contrast, traditional security solutions retrofitted for virtual deployments cannot see inside the hypervisor. Monitoring from the inside yields significantly more effective coverage and eliminates the need to reroute traffic onto the physical network for validation. As an example of the benefits of running right on the virtual subnet, HypervisorShield's exclusive network access control (NAC) will instantly quarantine unauthorized devices on the management network.

They do talk about NAC from the VM perspective, which is something I’ve been advocating.

From Catbird’s website we see some more detail regarding HypervisorShield which again introduces an interesting assertion:

How do you monitor the Hypervisor?

Securing a virtual host does not only involve applying the same security controls to virtual networks as were applied to their physical counterparts. Virtualization introduces a new layer of abstraction entirely—the Hypervisor. Hypervisor exploits have grown 35% in the last several years, with more surely on their way. Catbird’s patent-pending HypervisorShield protects and defends this essential component of a virtual deployment.

Really?  Hypervisor exploits have grown 35% in the last several years?  Which hypervisor exploits, exactly?  You mean exploits against the big, fat, Linux-based service console from VMware?  That’s not the hypervisor!

I’m trying to give Catbird the benefit of the doubt here, but it is confusing as heck as to what exactly Catbird does (by partnering with companies like Sourcefire) that folks like Reflex and Blue Lane don’t already do.

If anyone, especially Catbird, has some clarification for me, I’d be mighty appreciative.

/Hoff



Google Security: Frightening Statistics On Drive-By Malware Downloads…

February 12th, 2008

Read a scary report from Google’s security team today titled "All Your iFRAMEs Point to Us" regarding the evolving trends in search-delivered drive-by malware downloads.  Check out the full post here, but the synopsis follows:

It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed. Our research paper is currently under peer review, but we are making a technical report [PDF] available now.  Although our technical report contains a lot more detail, we present some high-level findings here:

The above graph shows the percentage of daily queries that contain at least one search result labeled as harmful. In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing.

Ugh.  The technical report offers some really good background data on infrastructure and methodology, geographic distribution, properties and delivery mechanisms.  Fascinating reading.

/Hoff


Off The Cuff Review: Nemertes Research’s “Virtualization Risk Analysis”

February 12th, 2008

I just finished reading a research paper from Andreas Antonopoulos from Nemertes titled "A risk analysis of large-scaled and dynamic virtual server environments."  You can find the piece here:

Executive Summary

As virtualization has gained acceptance in corporate data centers, security has gone from afterthought to serious concern. Much of the focus has been on the technologies of virtualization rather than the operational, organizational and economic context. This comprehensive risk analysis examines the areas of risk in deployments of virtualized infrastructures and provides recommendations

I was interested by two things immediately:

  1. While I completely agree with the fact that in regards to virtualization and security the focus has been about the "…technologies of virtualization rather than the operational, organizational and economic context," I’m not convinced there is an overwhelming consensus that "…security has gone from afterthought to serious concern," mostly because we’re just now getting to see "large-scaled and dynamic virtual server environments."  It’s still painted on, not baked in.  At least that’s how people react at my talks.

  2. Virtualization is about so much more than just servers.  To truly analyze risk within "large-scaled and dynamic virtual server environments," you have to recognize that much of the complexity, and many of the security issues, stem from the operational and organizational elements of virtualizing storage, networking, applications, policies and data, and from the wholesale shift in how security is operationalized and who owns it within these environments.

I’ve excerpted the most relevant element of the issue Nemertes wanted to discuss:

With all the hype surrounding server virtualization come the inevitable security concerns: are virtual servers less secure? Are we introducing higher risk into the data center? For server virtualization to deliver benefits we have to examine the security risks. As with any new technology there is much uncertainty mixed in with promise. Part of the uncertainty arises because most companies do not have a good understanding of the real risks surrounding virtualization.

I’m easily confused…

While I feel the paper does a good job of describing the various stages of deployment and many of the "concerns" associated with server virtualization within these contexts, I’m left unsatisfied that I’m any more prepared to assess and manage risk regarding server virtualization.  I’m concerned that the term "risk" is being spread about rather liberally simply because a bit of math is present.

The formulaic "Virtualization Risk Assessment" section is presented as establishing a quantitative basis for computing "relative risk" in the assessment summary.  However, since the variables introduced in the formulae are subjective and specific per asset, it’s odd that the summary table is then seemingly presented generically so as to describe all assets:

Scenario                                  Vulnerability  Impact  Probability of Attack  Overall Risk
Single virtual server (hypervisor risk)   Low            High    Low                    Low/Medium
Basic services virtualized                Low            High    Medium                 Medium
Production applications virtualized       Medium         High    High                   Medium/High
Complete virtualization                   High           High    High                   High

I’m trying to follow this and then get smacked about by this statement, which explains why people just continue to meander along applying the same security strategies toward virtualized servers as they do in conventional environments:

This conclusion might appear to be pessimistic at first glance. However, note that we are comparing various stages of deployment of virtual servers. A large deployment of physical servers will suffer from many of the same challenges that the “Complete Virtualization” environment suffers from.

Furthermore, it’s unclear to me how to factor in compensating controls into this rendering given what follows:

What is new here is that there are fewer solutions for providing virtual security than there are for providing physical security with firewalls and intrusion prevention appliances in the network. On the other hand, the cost of implementing virtualized security can be significantly lower than the cost of dedicated hardware appliances, just like the cost of managing a virtual server is lower than a physical server.

The security solutions available today are limited by how much integration exists with the virtualization platforms today.  We’ve yet to see the VMMs/hypervisors opened up to allow true low-level integration and topology-sensitive security interaction with flow classification, provisioning, and disposition.

Almost all supposed "virtualization-ready" security solutions today are nothing more than virtual appliance versions of existing solutions or simply the same host-based solutions which run in the VM and manage not to cock it up.  Folding your management piece into something like VMware’s VirtualCenter doesn’t count.

In general, I simply disagree that the costs of implementing virtualized security (today) can be significantly lower than the cost of dedicated hardware appliances — not if you’re expecting the same levels of security you get in the conventional, non-virtualized world.

The reasons (as I give in my VirtSec presentations):  Loss of visibility, constraint of the virtual networking configurations, coverage, load on the hosts, licensing.  All really important.

Cutting to the Chase

I’m left waiting for the punchline, much like I was with Burton’s "Immutable Laws of Virtualization," and I think the reason why is that despite these formulae, the somewhat shallow definition of risk seems to still come down to nothing more than reasonably-informed speculation or subjective perception:

So, in the above risk analysis, one must also consider that the benefits in virtualization far outweigh the risks.

The question is not so much whether companies should proceed with virtualization – the market is already answering that resoundingly in the affirmative. The question is how to do that while minimizing the risk inherent in such a strategy.

These few sentences above seem to almost obviate the need for risk analysis at all and suggest that, for most, security is still an afterthought.  High risk or not, the show must go on?

So given the fact that virtualization is happening at breakneck pace, we have few good security solutions available, we speak of risk "relatively," and that operationally the entire role and duty of "security" within virtualized environments is now shifting, how do we end up with this next statement?

In the long run, virtualized security solutions will not only help mitigate the risk of broadly deployed infrastructure virtualization, but will also provide new and innovative approaches to information security that is in itself virtual. The dynamic, flexible and portable nature of virtual servers is already leading to a new generation of dynamic, flexible and portable security solutions.

I like the awareness Andreas tries to bring in this paper, but I fear that I am not left with any new information or tools for assessing risk (let alone quantifying it) in a virtual environment.

So what do I do?!  I still have no answer to the main points of this paper: "With all the hype surrounding server virtualization come the inevitable security concerns: are virtual servers less secure? Are we introducing higher risk into the data center?"

Well?  Are they?  Am I?

/Hoff

Do The Shmoo: Who’s Going to ShmooCon?

February 12th, 2008

I’ll be in D.C. at ShmooCon the latter part of this week.

I’m arriving in D.C. the afternoon of the 14th and leaving on Saturday the 17th.

If you’re going to be there, ping me [choff @ packetfilter.com] or call my voice router @ +1.978.631.0302.  I’m looking forward to a number of talks.

See you there.

/Hoff


On the Chatham House Rule

February 9th, 2008

James Gardner reminded me of something that I wanted to bring up but had forgotten about for some time.  Yes, he’s Australian, but he can’t help that.

You’d understand why that was funny if you knew that I grew up in New Zealand.  Or perhaps not.

Let me first begin by suggesting that we owe many things to the empire of Great Britain.

There’s the Queen, crumpets, French jokes, that wonderful derivative affectation that causes all the women to swoon, the incessant need for either a cuppa tea or litres of beer, and some interesting cultural and business customs.

One of those customs is that of the Chatham House Rule.

If you’ve ever been to the UK and attended a business meeting discussing sensitive subject matter, there’s a good chance that someone pronounced that all those participating are cloaked under the Chatham House Rule.

If, as a gracious guest, you were not (at least by modern standards) subject to Her Majesty’s sovereign rule, you may have simply smiled and nodded politely not knowing who, what, or where this oddly-named domicile was and what it may have had to do with your meeting.

The same could be said for that guy Robert and all his suggestions, I suppose.

At any rate, for all of you who have wondered just what in Tony Blair’s closet you just agreed to when you attended one of these meetings governed by this odd architectural framework defined in the spirit of Chatham, you may now wonder no longer.

The Chatham House Rule reads as follows:

"When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed."

The world-famous Chatham House Rule may be invoked at meetings to encourage openness and the sharing of information.

EXPLANATION of the Rule

The Chatham House Rule originated at Chatham House with the aim of providing anonymity to speakers and to encourage openness and the sharing of information. It is now used throughout the world as an aid to free discussion. Meetings do not have to take place at Chatham House to be held under the Rule.

Meetings, events and discussions held at Chatham House are normally conducted ‘on the record’ with the Rule occasionally invoked at the speaker’s request. In cases where the Rule is not considered sufficiently strict, an event may be held ‘off the record’.

If you’re interested in what the Chatham House is, besides the link to the rule (above) you can check out the following link to learn about the home of the Royal Institute of International Affairs.

Three things will likely come of this post:

  1. You can confidently acknowledge your understanding of The Rule and use it in the spirit under which it was constructed.
  2. You’ve now realized that all that stuff you blabbed about from those prior meetings under The Rule (which you didn’t understand) is someday going to come back and punt you right in the blender.
  3. You can now start invoking the Chatham House Rule in random places regarding all manner of activities and confuse the hell out of people.  I quite like declaring it before ordering Chili Poppers and girlie drinks at TGI Friday’s, for example.

You can probably guess why I’m writing this.

Some people just never learn.

My work here is done.

Carry on.

/Hoff


America’s Next “Security Idol”

February 7th, 2008

If you haven’t got enough of Nir Zuk talking, how about his gangsta rap?

I present you with "Security Idol" featuring contestants: Junne Ipper, Chuck Point and Paolo Alto.

Personally, I think Paula’s kinda hot in this video…

Ya gotta love marketing…if you don’t figure it out by the end of the video, this is a viral effort by Palo Alto Networks.  Funny.

If you’ve got scripting disabled, here’s the link to the video.


Security Today == Shooting Arrows Through Sunroofs of Cars?

February 7th, 2008

In this Dark Reading post, Peter Tippett, described as the inventor of what is now Norton Anti-virus, suggests that the bulk of InfoSec practices are "…outmoded or outdated concepts that don’t apply to today’s computing environments."

As I read through this piece, I found myself flip-flopping between violent agreement and incredulous eye-rolling from one paragraph to the next, caused in part by the overuse of hyperbole in some of his analogies.  This was disappointing, but overall I enjoyed the piece.

Let’s take a look at Peter’s comments:

For example, today’s security industry focuses way too much time on vulnerability research, testing, and patching, Tippett suggested. "Only 3 percent of the vulnerabilities that are discovered are ever exploited," he said. "Yet there is a huge amount of attention given to vulnerability disclosure, patch management, and so forth."

I’d agree that the "industry" certainly focuses their efforts on these activities, but that’s exactly the mission of the "industry" that he helped create.  We, as consumers of security kit, have perpetuated a supply-driven demand security economy.

There’s a huge amount of attention paid to vulnerabilities, patching and prevention that doesn’t prevent because, at this point, that’s all we’ve got.  Until we start focusing on the root cause rather than the symptoms, this is a cycle we won’t break.  See my post titled "Sacred Cows, Meatloaf, and Solving the Wrong Problems" for an example of what I mean.


Tippett compared vulnerability research with automobile safety research. "If I sat up in a window of a building, I might find that I could shoot an arrow through the sunroof of a Ford and kill the driver," he said. "It isn’t very likely, but it’s possible.

"If I disclose that vulnerability, shouldn’t the automaker put in some sort of arrow deflection device to patch the problem? And then other researchers may find similar vulnerabilities in other makes and models," Tippett continued. "And because it’s potentially fatal to the driver, I rate it as ‘critical.’ There’s a lot of attention and effort there, but it isn’t really helping auto safety very much."

What this really means, and what Peter never quite states, is that mitigating vulnerabilities in the absence of threat, impact or probability is a bad thing.  This is why I make such a fuss about managing risk instead of mitigating vulnerabilities.  If there were millions of malicious archers firing arrows through the sunroofs of unsuspecting Ford Escort drivers, then the ‘critical’ rating would be relevant given the probability and impact of all those slings and arrows of thine enemies…

Tippett also suggested that many security pros waste time trying to buy or invent defenses that are 100 percent secure. "If a product can be cracked, it’s sometimes thrown out and considered useless," he observed. "But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don’t have to be perfect to be helpful in your defense."

I like his analogy and the point he’s trying to underscore.  What I find in many cases is that the binary evaluation of security efficacy — in products and programs — still exists.  In the absence of measuring the effective impact that something has on one’s risk posture, people revert to a non-gradient scale of 0% or 100% insecure or secure.  Is being "secure" really important, or is managing to a level of risk that is acceptable — with or without losses — the really relevant measure of success?

This concept also applies to security processes, Tippett said. "There’s a notion out there that if I do certain processes flawlessly, such as vulnerability patching or updating my antivirus software, that my organization will be more secure. But studies have shown that there isn’t necessarily a direct correlation between doing these processes well and the frequency or infrequency of security incidents.

"You can’t always improve the security of something by doing it better," Tippett said. "If we made seatbelts out of titanium instead of nylon, they’d be a lot stronger. But there’s no evidence to suggest that they’d really help improve passenger safety."

I would like to see these studies.  I think that companies who have rigorous, mature and transparent processes that they execute "flawlessly" may not be more "secure" (a measurement I’d love to see quantified), but they are in a much better position to respond and recover when (not if) an event occurs.  Based upon the established corollary that we can’t be 100% "secure" in the first place, we know we’re going to have incidents.

Being able to recover from them or continue to operate while under duress is more realistic and important in my view.  That’s the point of information survivability.


Security teams need to rethink the way they spend their time, focusing on efforts that could potentially pay higher security dividends, Tippett suggested. "For example, only 8 percent of companies have enabled their routers to do ‘default deny’ on inbound traffic," he said. "Even fewer do it on outbound traffic. That’s an example of a simple effort that could pay high dividends if more companies took the time to do it."

I agree.  Focusing on efforts that eliminate entire classes of problems based upon reducing risk is a more appropriate use of time, money and resources.

Security awareness programs also offer a high rate of return, Tippett said. "Employee training sometimes gets a bad rap because it doesn’t alter the behavior of every employee who takes it," he said. "But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn’t that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?"

Nod.  That was the point of the portfolio evaluation process I gave in my disruptive innovation presentation:

24. Provide Transparency in portfolio effectiveness

I didn’t invent this graph, but it’s one of my favorite ways of visualizing my investment portfolio by measuring in three dimensions: business impact, security impact and monetized investment.  All of these definitions are subjective within your organization (as well as how you might measure them.)

The Y-axis represents the "security impact" that the solution provides.  The X-axis represents the "business impact" that the solution provides, while the size of the dot represents the capex/opex investment made in the solution.

Each of the dots represents a specific solution in the portfolio.

If you have a solution that is a large dot toward the bottom-left of the graph, one has to question the reason for continued investment, since it provides little in the way of perceived security and business value at high cost.  On the flip side, if a solution is represented by a small dot in the upper-right, the bang for the buck is high, as is the impact it has on the organization.

The goal would be to get as many of your investments in your portfolio from the bottom-left to the top-right with the smallest dots possible.

This transparency and the process by which the portfolio is assessed is delivered as an output of the strategic innovation framework, which is really comprised of part art and part science.
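As an added illustration of the three-dimension portfolio graph described above (this is example code, not from the original post or any product it mentions), here is a small script that places each solution in a quadrant, ranks it by combined impact per dollar, and flags the large bottom-left dots for review. The 0-10 impact scales, the $250,000 "large dot" threshold and the sample portfolio are assumptions; the two Tippett figures quoted above are reused as two of the dot sizes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Solution:
    """One dot on the portfolio graph."""
    name: str
    security_impact: float  # Y axis, scored 0-10 by your organization (assumed scale)
    business_impact: float  # X axis, scored 0-10 by your organization (assumed scale)
    investment_usd: float   # dot size: annual capex + opex sunk into the solution


def quadrant(s: Solution, midpoint: float = 5.0) -> str:
    """Place the dot relative to the midpoint of each axis, e.g. 'bottom-left'."""
    vertical = "top" if s.security_impact >= midpoint else "bottom"
    horizontal = "right" if s.business_impact >= midpoint else "left"
    return f"{vertical}-{horizontal}"


def impact_per_100k(s: Solution) -> float:
    """Bang for the buck: combined security + business impact per $100k invested."""
    if s.investment_usd <= 0:
        raise ValueError(f"{s.name}: investment must be positive")
    return (s.security_impact + s.business_impact) * 100_000 / s.investment_usd


def recommend(s: Solution, midpoint: float = 5.0, large_dot_usd: float = 250_000) -> str:
    """Turn position and dot size into the action the graph is meant to prompt."""
    q = quadrant(s, midpoint)
    large = s.investment_usd >= large_dot_usd
    if q == "bottom-left" and large:
        return "question continued investment"
    if q == "top-right" and not large:
        return "high bang for the buck; protect funding"
    if q == "top-right":
        return "high impact; look for ways to shrink the dot"
    return "move up/right or shrink the dot"


def review(portfolio, midpoint=5.0, large_dot_usd=250_000):
    """Rank the portfolio by impact per dollar.

    Each row is (name, quadrant, impact per $100k, recommendation).
    """
    ranked = sorted(portfolio, key=impact_per_100k, reverse=True)
    return [
        (s.name, quadrant(s, midpoint), round(impact_per_100k(s), 2),
         recommend(s, midpoint, large_dot_usd))
        for s in ranked
    ]


# Constructed sample portfolio (assumed scores); the $10,000 awareness program
# and $1 million antivirus upgrade are the figures Tippett quotes above.
SAMPLE_PORTFOLIO = [
    Solution("Antivirus upgrade", 2.0, 3.0, 1_000_000),
    Solution("Security awareness program", 7.0, 8.0, 10_000),
    Solution("Default-deny on border routers", 8.0, 6.0, 40_000),
    Solution("Legacy IDS sensors", 4.0, 2.0, 300_000),
    Solution("Log management platform", 6.0, 5.0, 400_000),
]

if __name__ == "__main__":
    for name, quad, value, action in review(SAMPLE_PORTFOLIO):
        print(f"{name:32} {quad:13} {value:8.2f}  {action}")
```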

All in all, a good read from someone who helped create the monster and is now calling it ugly…

/Hoff

The Best Defense is Often, Well, The Best Defense…

February 6th, 2008

As it goes in football, so it goes in life…

I delivered the closing presentation of the InfoWorld Executive Virtualization Forum in San Francisco on Monday.  The title of my presentation, which I will upload soon, was "Addressing Security Concerns in Virtual Environments."

The conference was a good mix of panels and presentations giving some excellent perspective to senior-level managers and executives on virtualization and its impact.

The night before was obviously the Super Bowl, and InfoWorld hosted a get-together complete with beer, snacks and a big screen for us to watch the Big Game.  Most of the InfoWorld staff are out of the MA area, so except for a few Giants fans, it was a room packed with Pats fanatics.

Ultimately, sad, depressed, and shocked Pats fanatics…

So the next day after having to listen to the fantastic keynote from David Reilly, Head of Technology Infrastructure Services, Credit Suisse — an Irishman who grew up in England and now lives in New York — bleat on about "his beloved Giants," I thought it only appropriate that I take one last stab at regaining my pride.

So, when it was my turn to speak, I slipped a borrowed Randy Moss jersey over my silk shirt and took the stage to stares of bewilderment and confusion.

I explained my costume and expressed my disappointment with the team’s performance in one fell swoop:

You may be wondering why I’m up here presenting in my beloved Patriots uniform.  Well, this *is* a security presentation, so I thought I could give you no more spectacular illustration of what happens when you fail to execute on a defensive strategy than this (pointing to the jersey.)

Further, I find it completely amusing and apropos to be standing here in a virtualization conference talking about security *last* in the order of things because that’s exactly the problem I want to talk about…

The crowd seemed to enjoy those couple of opening shots and the rest went quite well — I try to make stabs at involving the audience.  I always gauge the success of a show by how many people come up and talk to me at the podium and afterwards.  By all accounts, it rocked since I spent the next 45 minutes talking to the 30+ folks that engaged me between the podium and the beer stand.

Adrian Lane was kind enough to blog about my performance here…

I very much enjoyed the conversation that ensued with some really interesting people.

Looking forward to the next one in NY in the November timeframe.

Hope to see you there.

/Hoff