
Archive for the ‘General Rants & Raves’ Category

Risk Management Requires Sophistication?

July 18th, 2006 2 comments

Mike Rothman commented today on another installment of Michael Farnum’s excellent series on being an "effective security manager."

Mike R. starts off well enough in defining the value proposition of "Risk Management" as opposed to managing threats and vulnerabilities, and goes on to rightfully suggest that in order to manage risk you need a "value component" as part of the weighting metrics for decision making…all good stuff:

But more importantly, you need to get a feel for the RELATIVE value of stuff (is the finance system more important than the customer management) before you can figure out where you should be spending your time and money.

It goes without saying (and it’s an over-used cliché) that it doesn’t make much sense to spend $100,000 to protect a $100 asset, but strangely enough, that’s what a lot of folks do…and they call it "defense in depth."

Before you lump me into one of Michael F’s camps, no, I am not saying defense in depth is an invalid and wasteful strategy.  I *am* saying that people hide behind this term because they use it as a substitute for common sense and risk-focused information protection and assurance...

…back to the point at hand…

Here’s where it gets ugly. The conclusion of Mike R’s comments set me off a little, because it really does summarize one of the biggest cop-outs in the management and execution of information protection/security today:

That is not a technique for the unsophisticated or those without significant political mojo. If you are new to the space, you are best off initially focusing on the stuff within your control, like defense in depth and security awareness.

This is a bullshit lay-down.  It does not take any amount of sophistication to perform a business-driven risk-assessment in order to support a risk-management framework that communicates an organization’s risk posture and investment in controls to the folks that matter and can do something about it. 

It takes a desire to do the right thing for the right reason that protects that right asset at the right price point.  Right?

While it’s true that most good IT folks inherently understand what’s important to an organization from an infrastructure perspective, they may not understand why, or be able to provide a transparent explanation of what the impact of threats against exposed attack surfaces really means to the BUSINESS.

You know how you overcome that shortfall?  You pick a business- and asset-focused risk assessment framework and you start educating yourself and your company on how, what and why you do what you do; you provide transparency in terms of function, ownership, responsibility, effectiveness, and budget.  These are metrics that count.

Don’t think you can do that because you don’t have a fancy title, a corner office or aren’t empowered to do so?  Go get another job because you’re not doing your current one any justice.

Want a great framework that is well-suited to this description and is a good starting point for both small and large companies?  Try Carnegie Mellon’s OCTAVE.  Read the book.  Here’s a quick summary:

For an organization that wants to understand its information security needs, OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠) is a risk-based strategic assessment and planning technique for security.

OCTAVE is self-directed. A small team of people from the operational (or business) units and the IT department work together to address the security needs of the organization.  The team draws on the knowledge of many employees to define the current state of security, identify risks to critical assets, and set a security strategy.

OCTAVE is flexible. It can be tailored for most organizations. 

OCTAVE is different from typical technology-focused assessments. It focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.

Suggesting that you need to have political mojo to ask business unit leaders well-defined, unbiased, interview-based, guided queries is silly.  I’ve done it.  It works.  It doesn’t take a PhD or boardroom experience to pull it off.  I’m not particularly sophisticated and I trained a team of IT (but non-security) folks to do it, too.

But guess what?  It takes WORK.  Lots and lots of WORK.  And it’s iterative, not static.

Because Michael’s task list for security admins is so huge, anything that represents a significant investment in time, people or energy usually gets the lowest priority in the grand scheme of things.  That’s the real reason defense-in-depth is such a great hiding place.

With all that stuff to do, you *must* be doing what matters most, right?  You’re so busy!  Unsophisticated, but busy! 😉

Instead of focusing truly on the things that matter, we pile stuff up and claim that we’re doing the best we can with defense in depth, without truly understanding that perhaps what we are doing is not the best use of money, time and people after all.

Don’t cop out.  Risk Management is neither "old school" nor a new concept; it’s common sense, it’s reasonable and it’s the right thing to do.

It’s Rational Security.

The Downside of All-in-one Assumptions…

July 16th, 2006 No comments

I read with some interest a recent Network Computing web posting by Don MacVittie titled "The Downside of All-in-One Security."  In this post, Don makes some comments that I don’t entirely agree with, so since I can’t sleep, I thought I’d perform an autopsy to rationalize my discomfort.

I’ve posted before regarding Don’s commentary on UTM (that older story is basically identical to the one I’m commenting on today?), in which he said:

Just to be entertaining, I’ll start by pointing out that most readers I talk to wouldn’t consider a UTM at this time. That doesn’t mean most organizations wouldn’t, there’s a limit to the number I can stay in regular touch with and still get my job done, but it does say something about the market.

All I can say is that I don’t know how many readers Don talks to, but the overall UTM market to which he refers can’t be the same UTM market that IDC projects will grow to $2.4 billion in 2009, a 47.9 percent CAGR from 2004-2009.  Conversely, the traditional firewall and VPN appliance market is predicted to decline to $1.3 billion by 2009, a negative CAGR of 4.8%.

The reality is that UTM players (whether perimeter or Enterprise/Service Provider class UTM) continue to post impressive numbers supporting this growth — and customers are purchasing these solutions.  Perhaps they don’t purchase "UTM" devices but rather "multi-function security appliances?" 🙂

I’m just sayin’…

Don leads off with:

Unified Threat Management (UTM) products combine multiple security functions, such as firewall, content inspection and antivirus, into a single appliance. The assumption is UTM reduces management hassles by reducing the hardware in your security infrastructure … but you know what happens when you assume.

No real problems thus far.  My response to the interrogative posited by the last portion of Don’s intro is: "Yes, sometimes when you assume, it turns out you are correct."  More on that in a moment…


You can slow the spread of security appliances by collapsing many devices into one, but most organizations struggle to manage the applications themselves, not the hardware that runs them.

Bzzzzzzzzttttt.  The first half of the sentence is absolutely a valid and a non-assumptive benefit to those deploying UTM.  The latter half makes a rather sizeable assumption, one I’d like substantiated, please.

If we’re talking about security appliances, today there’s little separation between the application and the hardware that runs it.  That’s the whole idea behind appliances.

In many cases, these appliances use embedded software, an RTOS, or dedicated silicon, or otherwise tightly couple the function and performance of the solution to a specific combination of hardware and software.

I can’t rationalize someone not worrying about the "hardware," especially when they deploy things like HA clusters or a large number of branch office installations. 

You mean to tell me that in large enterprises (you notice that Don forces me to assume what market he’s referring to because he’s generalizing here…) that managing 200+ firewall appliances (hardware) is not a struggle?  Don talks about the application as an issue.  What about the operating system?  Patches?  Alerts/alarms?  Logs?  It’s hard enough to do that with one appliance.  Try 200.  Or 1000!

Content inspection, antivirus and firewall are all generally controlled by different crowds in the enterprise, which means some arm-wrestling to determine who maintains the UTM solution.

This may be an accurate assumption in a large enterprise, but in a small company (SME/SMB) it’s incredibly likely that the folks managing the CI, AV and firewall *are* the same people/person.  Chances are it’s Bob in accounting!


Then there’s bundling. Some vendors support best-of-breed security apps, giving you a wider choice. However, each application has to crack packets individually–which affects performance.

So there’s another assumptive generalization: that somehow taking traffic and vectoring it off at high speed/low latency to processing functions highly tuned for specific tasks is going to worsen performance.  Now I know that Don didn’t say it would worsen performance, he said it "…affect(s) performance," but we all know what Don meant — even if we have to assume. 😉

Look, this is an over-reaching and generalized argument and the reality is that even "integrated" solutions today perform replay and iterative inspection that requires multiple packet visitations with "individual packet cracking" — they just happen to do it in parallel — either monolithically in one security stack or via separate applications.  Architecturally, there are benefits to this approach.

Don’t throw the baby out with the bath water…

How do you think stand-alone non-in-line IDS/IPS works in conjunction with firewalls today in non-UTM environments?  The firewall gets the packet as does the IDS/IPS via a SPAN port, a load balancer, etc…they crack the packets independently, but in the case of IDS, it doesn’t "affect" the firewall’s performance one bit.  Using this analogy, in an integrated UTM appliance, this example holds water, too.

Furthermore, in a UTM approach the correlation for disposition is usually done on the same box, not via an external SIEM…further saving the poor user from having to deploy yet another appliance.  Assuming, of course, that this is a problem in the first place. 😉

I’d like some proof points and empirical data that clearly demonstrate this assumption regarding performance.  And don’t hide behind the wording.  The implication here is that you get "worse" performance.  With today’s numbers from dual-CPU/multi-core processors, huge buses, NPUs and dedicated hardware assist, this set of assumptions is flawed.

Other vendors tweak performance by tightly integrating apps, but you’re stuck with the software they’ve chosen or developed.

…and then there are those vendors that tweak performance by tightly integrating the apps and allow the customer to define what is best-of-breed without being "stuck with the software [the vendor has] chosen or developed."  You get choice and performance.  To assume otherwise is to not perform diligence on the solutions available today.  If you need to guess who I am talking about…


For now, the single platform model isn’t right for enterprises large enough to have a security staff.

Firstly, this statement is just plain wrong.  It *may* be right if you’re talking about deploying a $500 perimeter UTM appliance (or a bunch of them) in the core of a large enterprise, but nobody would do that.  This argument is completely off course when you’re talking about Enterprise-class UTM solutions.

In fact, if you choose the right architecture, assuming the statement above regarding separate administrative domains is correct, you can have the AV people manage the AV, the firewall folks manage the firewalls, etc. and do so in a very reliable, high speed and secure consolidated/virtualized fashion from a UTM architecture such as this.

That said, the sprawl created by existing infrastructure can’t go on forever–there is a limit to the number of security-only ports you can throw into the network. UTM will come eventually–just not today.

So, we agree again…security sprawl cannot continue.  It’s an overwhelming issue for both those who need "good enough" security as well as those who need best-of-breed. 

However, your last statement leaves me scratching my head in confused disbelief, so I’ll just respond thusly:

UTM isn’t "coming," it’s already arrived.  It’s been here for years without the fancy title.  The same issues faced in the datacenter in general are the same facing the microcosm of the security space — from space, power, and cooling to administration, virtualization and consolidation — and UTM helps solve these challenges.  UTM is here TODAY, and to assume anything otherwise is a foolish position.

My $0.02 (not assuming inflation)

/Chris

Got a [Security] question? Ask the Ninja…

July 16th, 2006 2 comments

So, like, why is ‘thr33’ the magic number?  The Ninja answers thusly: "Combine the Wizard of Oz, Reign of Fire, and Jonathan Livingston Seagull and you’ll get the picture."  Then again, you probably won’t.

Confused as to just what the hell this has to do with security?   

So am I, so my apologies go out to any real ninjas who happen to be using their spare time away from battling Magons (half monkey/half dragon — firebreathers with a prehensile tail!) and rather than relax with a Sobe and a stepped down pilates session have decided instead to read my security blog.

That happens you know.  All.  The.  Time.

Seriously, though, there is a security reference in here.  Pay attention.  First person who responds in the comments section below as to the security reference gets a free pouch of homemade guacamole.  You pay shipping.

Click on the little ‘play’ icon in the pic below…


Slow News Day + Patch Tuesday = FLANtastic One-liners!

July 11th, 2006 4 comments

I was actually going to write about how I think that so many of the FOG (you figure it out) security icons we have in the industry have turned into grumpy old bastards — all telling us how we’re "doing security wrong" and that all you need is a few ACLs, a stick of chewing gum, a tampon and a teaspoon of Sucralose to secure your network…but then that would just be stating the obvious and I might be mistaken for an analyst…

Rot Roh.  Ah well.  Onto more pressing security matters because I have no interest in talking about privacy breaches, NAC or regulatory pressures today…we’re in the midst of moving our HQ this week and BOTH our existing and new buildings were struck by lightning today.  I figure I’ll use up my other 7 lives and pick on someone else.  Film @ 11.

So anyway, I was reading this fine piece of work today and I swear, this thing is written like page 6 of the Post.  I usually enjoy reading the scribbles over on Dark Reading, but it seems that every damned sentence in this article is gleefully punctuated with some doomsday quotation from the security-expert-rolodex-autobot Outlook 2000 journalistic quotamatron plug-in!

What happened to getting on with it and telling folks what they have to worry about instead of glamming it up with quote after quote of wag!?  If it wasn’t interesting enough to stand on its own as a story, why tart it up and put it on the corner hoping that someone might find it sexy?  Bah!

The fine folks quoted in this article probably gave some salient and well-articulated commentary (sigh) on the state of patching hell (oh, how rare,) but the way it came across in this article, you’d think this was the first Patch Tuesday, evah!

The really funny thing about this story is that it comes across as though 80% of it is comprised of a bunch of strung-together quotations from these (mostly) vendors, which actually contradict one another in some places.  Two of the quoted are contributing columnists from Dark Reading.

Read the article. You’ll laugh.  You’ll cry.

Check this out (of context):

  1. First, the title: "The Patch Race Is On"   Like, wow.  It’s, like, Patch Tuesday…again!?
  2. Then, the leader: "There were no big surprises among Microsoft’s Patch Tuesday releases today, but there were a couple of holes Microsoft kept under wraps until now." … so why write a big ass fluffy article about nothing then?
  3. The first of many "Captain Obvious" quotations oft times contradicted further on in the article to fill up the word count:
    • But it was the critical holes that caught most security experts’ and managers’ attention.
    • "Anything that is ranked as critical and allows an attacker to take control of a system is very high priority,"
    • "Although there were no real show-stoppers among the patches, the sheer number of vulnerabilities they cover is notable."
    • "Once a system is seized it can be used to penetrate other systems that otherwise would be more secure."
    • "You should jump on any server-side vulnerability quickly."
    • "An anonymous user from outside could deliver malicious traffic."
    • "That’s significant. I don’t think we’ve ever before seen so many vulnerabilities in Office applications."
    • "It’s not too surprising to find a bunch of Excel and
      Office vulnerabilities in here,"
    • "This will continue until we’ve caught all the big ones."
    • "It’s the Holy Grail of hacking,"
    • "Now the race is on for enterprises to test and install their patches before hackers can exploit these vulnerabilities."
    • "The problem with Patch Tuesday is Hack Wednesday,"
    • "I wouldn’t be surprised if you saw an exploit being publicly released tonight or tomorrow."

I think this was a synopsis of the "Idiot’s Guide to the Internet," right?  Or is it a history of the IRC?

I’m certain that within that article there were supposed to be a few useful nuggets of information, but I couldn’t see it for all the comedic value I extracted otherwise.  Many of these stories are becoming progressively anchored on goofy out-of-context quotes from some really notable people whom I respect…but it’s making them sound like total tools.

Save yourself some time, just go here.

Hey, my $0.02 (not accounting for inflation.)  Aw, crap.  I’ve turned into a grumpy bastard myself.

Did I mention you’re doing security wrong?

/Chris


A chronology of privacy breaches…

July 7th, 2006 2 comments

What a staggering number of individuals who have had the privacy of their personally-identifiable information compromised:

    88,795,619

This information comes from the Privacy Rights Clearinghouse and presents a chronology of breaches since the Choicepoint incident in February, 2005. 

I don’t remember seeing or hearing anything about most of these incidents…imagine how many more there are that none of us ever hear about!

Wow.

Chris

[O]ffice of [M]isguided [B]ureaucrats – Going through the Privacy Motions

July 4th, 2006 No comments

Like most folks, I’ve been preoccupied with doing nothing over the last few days, so please excuse the tardiness of this entry.  Looks like Alan Shimel and I are suffering from the same infection of laziness 😉

So, now that the 4 racks of ribs are in the smoker pending today’s festivities celebrating my country’s birth, I find it appropriate to write about this debacle now that my head’s sorted.

When I read this article several days ago regarding the standards that the OMB was "requiring" of federal civilian agencies, I was dismayed (but not surprised) to discover that once again this was another set of toothless "guidelines" meant to dampen the public outrage surrounding the recent string of privacy breaches/disclosures.

For those folks whose opinion it is that we can rest easily and put faith in our government’s ability to federalize legislation and enforcement regarding privacy and security, I respectfully suggest that this recent OMB PR Campaign announcement is one of the most profound illustrations of why that suggestion is about the most stupid thing in the universe. 

Look, I realize that these are "civilian" agencies of our government, but the last time I checked, the "civilian" and "military/intelligence" arms were at least governed by the same set of folks whose responsibility it is to ensure that we, as citizens, are taken care of.  This means that at certain levels, what’s good for the goose is good for the foie gras…kick down some crumbs!

We don’t necessarily need Type 1 encryption for the Dept. of Agriculture, but how about a little knowledge transfer, information sharing and reasonable due care, fellas?  Help a brother out!

<sigh>

The article started off well enough…45 days to implement what should have been implemented years ago:

To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency’s deputy director. Agency employees also would need two-factor authentication — a password plus a physical device such as a key card — to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity.

Buahahaha!  That’s great.  Is the agency’s deputy director going to personally inspect every file, database transaction and email on every laptop/handheld in his agency?  No, of course not.  Is this going to prevent disclosure and data loss from occurring?  Nope.  It may make it more difficult, but there is no silver bullet.

Again, this is why data classification doesn’t work.  If they knew where the data was and where it was going in the first place, it wouldn’t go missing, now would it?  I posted about this very problem here.

Gee, for a $1.50 and a tour of the White House I could have drafted this.  In fact, I did in a blog post a couple of weeks ago 😉

But here’s the rub in the next paragraph:

OMB said agencies are expected to have the measures in place within 45 days, and that it would work with agency inspectors general to ensure compliance. It stopped short of calling the changes "requirements," choosing instead to label them "recommendations" that were intended "to compensate for the protections offered by the physical security controls when information is removed from, or accessed from outside of the agency location."

Compensate for the protections offered by the physical security controls!?  You mean like the ones that allowed for the removal of data lost in these breaches in the first place!?  Jesus.

I just love this excerpt from the OMB’s document:

Most departments and agencies have these measures already in place.  We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us.  Please ensure these safeguards have been reviewed and are in place within the next 45 days.

Oh really!?  Are the Dept. of the Navy, the Dept. of Agriculture and the IRS among those departments that have these measures in place?  And I love how polite they can be now that tens of millions of taxpayers’ personal information has been displaced…"Please ensure these safeguards…"  Thanks!

Look, grow a pair, stop spending $600 on toilet seats, give these joes some funding to make it stick, make the damned "recommendations" actual "requirements," audit them like you audit the private sector for SOX, and perhaps the idiots running these organizations will take their newfound budgetary allotments and actually improve upon ridiculous information security scorecards such as this:

[Image: 2005 federal government computer security scorecard]

I don’t mean to come off like I’m whining about all of this, but perhaps we should just outsource government agency security to the private sector.  It would be good for the economy and although it would become a vendor love-fest, I reckon we’d have better than a D+…

/Chris

Need a fake name, address, social security or credit card number?

June 29th, 2006 2 comments

I don’t know exactly how I stumbled across this, but I found a website that purports to offer a "public service" by providing a fake identity generator complete with social security and credit card numbers.  In reading the FAQ, the utility of this "service" as offered is:

There are a ton of uses for this service. Here are a few examples:

  • "Generate excellent test data quickly and cheaply" DB2 News & Tips
  • Persons living outside of the U.S. can use this information to gain access to websites that do not support their country’s addresses.
  • Use fake information when filling out forms to avoid giving out personal information.
  • Generate a false identity to use as your pseudonym on the internet. This allows you to keep your real life and your internet life separate.
  • Get ideas for names to use for characters in a book or story.
  • Generated credit cards can be used to test basic client-/server-side validation techniques without accidentally processing a real card.

How about one more?  Give illegal immigrants, people fraudulently attaining employment, criminals, identity thieves, and miscreants yet another avenue to more easily do things they shouldn’t.  You can even order in bulk, with SOCIAL SECURITY NUMBERS.

I suppose that by linking to this site I am attracting even more attention to it, but I just can’t understand how Corban Works, whose website says they are "…dedicated to creating family-friendly websites" and makes references to the LDS (Mormon) church, thinks this is a good idea?

[Editors note: I removed this link because my stats/hit counter for this post was going crazy — seems every scumbag on Earth looking for hits on ‘fake social security numbers" and the like from Google was pulling this entry up.  I don’t want to make it any easier for these idiots to do what they do.]
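The FAQ quoted above claims that generated card numbers are good for testing "basic client-/server-side validation." Here, as an added example (not code from that site, and not from the original post), is what that validation actually amounts to: the Luhn mod-10 check digit that payment card numbers carry. The generator, the `411111` prefix used in the usage note, and the `validate_form_input` function are constructed for illustration and are not any vendor's API. The point is that Luhn validity is a typo check, not proof that a card exists or that a charge will be authorized, which is exactly why a fake-number site can mint numbers that sail through a web form.

```python
import random
from typing import Optional


def _digits_only(number: str) -> Optional[str]:
    """Strip the spaces and dashes a form field usually carries.

    Returns None if anything other than digits remains, so the validator
    never silently accepts letters or other junk.
    """
    cleaned = number.replace(" ", "").replace("-", "")
    return cleaned if cleaned.isdigit() else None


def _luhn_total(digits: str) -> int:
    """Luhn weighted sum of a digit string.

    Walking from the rightmost digit, every second digit is doubled and,
    if the result exceeds 9, has 9 subtracted (same as summing its digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the number passes the mod-10 check; says nothing about issuance."""
    digits = _digits_only(number)
    if digits is None or len(digits) < 2:
        return False
    return _luhn_total(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes `partial + digit` Luhn-valid."""
    # Appending a placeholder 0 puts every digit of `partial` in the weight
    # position it will occupy in the finished number.
    return str((10 - _luhn_total(partial + "0") % 10) % 10)


def generate_test_number(prefix: str, length: int = 16, seed: Optional[int] = None) -> str:
    """Mint a Luhn-valid number with the given prefix (hypothetical generator).

    This is all a "fake card number" site has to do: pick a prefix, fill the
    middle with random digits, and compute the check digit. The result looks
    like a card number to any form that only checks length and Luhn.
    """
    if len(prefix) >= length:
        raise ValueError("prefix leaves no room for body and check digit")
    rng = random.Random(seed)  # seeded only so the example is reproducible
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def validate_form_input(number: str) -> str:
    """What client- or server-side 'validation' can actually conclude (illustrative).

    Anything beyond "well-formed" (is the card issued? funded? the holder's?)
    is only knowable through an authorization with the payment processor.
    """
    digits = _digits_only(number)
    if digits is None:
        return "reject: non-digit characters"
    if not 12 <= len(digits) <= 19:  # common PAN length bounds, assumed here
        return "reject: length"
    if not luhn_valid(digits):
        return "reject: checksum"
    return "well-formed: authorize with processor"


if __name__ == "__main__":
    fake = generate_test_number("411111", 16, seed=1)
    print(fake, luhn_valid(fake), validate_form_input(fake))
```

Run it and every minted number passes `validate_form_input`, because the only thing the form can check locally is a checksum designed to catch mistyped digits. The defensive takeaway for anyone building the server side is to treat "well-formed" as the ceiling of what validation proves and to let the processor's authorization decide the rest.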

UTM is dead! Long live UTM! (or, Who let the dogs out?)

June 28th, 2006 1 comment

[Image: ugly dog]
One of the things I spend a lot of time doing these days is talking to analysts – both market and financial – regarding the very definition of UTM and what it means to vendors, customers, and the overall impact that UTM has on the approach to security taken by the SMB contingent, large enterprises and service providers.

The short of it: it means a LOT of things to a LOT of different people.  That’s potentially great if you’re a vendor selling re-branded UTM kit that used to be a firewall/IDS/IPS, because it allows a certain amount of latitude and agility in positioning your product, but it can also backfire when you don’t have a sound strategy and try to be everything to everyone.

It also sucks if you’re a customer, because you have to put the hip waders on in order to determine if UTM is something you should care about, integrate into your strategy and potentially purchase.

I’ve written before about how UTM messaging is broken, and that there are TIERS of product offerings that are truly differentiated.  Ultimately, UTM breaks down into two strata: perimeter UTM and Enterprise/Service Provider UTM.

For the sake of brevity, here’s the rundown introducing the differences:

…That’s what Enterprise-class UTM is for.  The main idea here is that while for a small company UTM (perimeter UTM) is simply a box with a set number of applications or security functions, composed in various ways and leveraged to provide the ability to "do things" to traffic as it passes through the bumps in the security stack, in large enterprises and service providers the concept of the "box" has to extend to an *architecture* whose primary attributes are flexibility, resilience and performance.

I think that most people don’t hear that, because the marketing of UTM has eclipsed the engineering realities of management, operationalization and deployment for what most people think of as UTM.

Historically, UTM is defined as an approach to network security in which multiple logically complementary security applications, such as firewall, intrusion detection and antivirus, are deployed together on a single device. This reduces operational complexity while protecting the network from blended threats.

For large networks where security requirements are much broader and complex, the definition expands from the device to the architectural level. In these networks, UTM is a “security services layer” within the greater network architecture. This maintains the operational simplicity of UTM, while enabling the scalable and intelligent delivery of security services based on the requirements of the business and network. It also enables enterprises and service providers to adapt to new threats without having to add additional security infrastructure.

Today, Richard Stiennon (of "IDS is dead" fame) blogged some very interesting comments, ultimately asking if "..your UTM [is] a Mutt?"  It’s an interesting comment on the UTM market as a whole, where he gets around to shoring up his question/statement by referencing Symantec’s exit from the hardware market.

I’d say that most UTM offerings are mutts because that’s exactly what perimeter UTM delivers — a mashup of every neighborhood stray that happened to end up humping the same piece of hardware.  Ew.

That’s why, unless you want to be king of the pound, sporting papers that testify to your pedigree and heritage is really important.  You’re not going to win best of show looking like the sappy little poodle-chihuahua-dingo-thing featured above.

In his scribble, Richard makes the following statement which I exactly addressed in the comment above:

I have a problem with the idea of Universal Threat Management appliances.  Leaving aside the horrible terminology (Who wants to manage threats? Don’t you want to block them and forget about them?) the question that I always ask is: If best-of-breed is the standard for large enterprises why would it be good practice for a smaller entity to lump a lot of security functions such as firewall, email gateway, spam filter, anti-virus, anti-spyware, IDS, IPS, and vulnerability management all in one under-powered device?

Firstly, the ‘U’ in UTM stands for "Unified," not "Universal."  However, I *totally* agree with Richard that managing (T)hreats and vulnerabilities is the WRONG approach, and UTM has become this catch-all for the petty evolution of any device that continues to lump ad hoc security functions onto an existing platform and call it something else.  That’s perimeter UTM.

So, instead of managing threats, we should be managing risk.  Call me psychic, but that’s exactly what I wrote about here when I introduced the concept of Unified Risk Management (URM.)

URM provides a way of closing the gap between pure technology-focused information security infrastructure and business-driven, risk-focused information survivability architectures, and does so by using sound risk management practices in conjunction with best-of-breed consolidated Unified Threat Management (UTM) solutions as the technology foundation of a consolidated risk management model.

Moving on, I’m not sure that, with where we are in today’s compute cycles, it’s fair to generalize that the companies Richard mentions, such as Astaro, Fortinet or Watchguard, are actually "under-powered," but one could certainly argue that extensibility, flexibility and scalability are constrained by the practical limits of the underlying machinery and its ability to perform, and that clumping lots of these individual boxes together isn’t really a manageable solution.

That being said, I also wrote about this issue here whereby
I make the case that for the Enterprise and service provider markets,
commoditized general purpose boxes will not and cannot scale to
effectively meet the business and risk management requirements — even
with offload cards that plug into big, fat buses.

The reality is that like anything you do when you investigate
technology, concepts or strategy, you should map your business
requirements against the company’s appetite for risk and determine what
architecture (I didn’t say platform specifically) best fits the
resulting outcome.

If "good enough" security is good enough, you have lots of UTM
choices.  If, however, what you need is a balanced defense-in-depth
strategy invested in best-of-breed (based upon your business
requirements) which allows you to deploy security as a service layer in
an extremely high-performance, scaleable, extensible, flexible and
highly-available way, may I suggest the following: (blatant plug, I
know!)

Finally, Symantec exiting the hardware business is a fine thing
because all it really does is galvanize the fact that software companies should produce good software and do what they do best.

What they (and others, mind you) realize is that unifying hardware and software in a
compelling way is hard to do if you want to really offer
differentiation and value.  Sure, you can continue to deploy on commoditized hardware if what you want to do is serve an overly-crowded market with margins lower than dust, but why?

Richard further goes on to talk about how Symantec is focusing on a more lucrative market: services.  This, in my opinion, is a fantastic idea:

Evidently Symantec is more interested in software and services going
forward. I think they may be on to something.  If the appeal of
mixed-bread, easy to manage security appliances is so great for small
businesses maybe managed security services are set to take off.

Alan Shimel responded with a follow-on perspective to Mike Rothman’s post in which he said:

If big companies want best-of-breed, why should smaller companies
settle for less than that?  It just doesn’t make sense to me.  Mike Rothman,
in his big is small theory, says that customers are willing to put up
with less than best of breed by getting it all from one big vendor.
But some of the "pile them high" UTM’s are not big companies.  Astaro,
Fortinet, Barracuda are not exactly Cisco, Symantec or McAfee. However,
they are all grabbing market share with UTM’s that do not offer best of
breed applications.

This simply comes down to economics (see "good enough" comment above): they may want an enterprise-class UTM product, but that doesn’t mean they’ll pay for one.  Doing battle in the SMB UTM space is brutal — don’t let the big, bold numbers impress you that much.  When you’re dealing with ASP’s in the $500 range, even with margins in the 40-50% bracket, you’ve got to sell a BOATLOAD of boxes to make money — then there’s the cost of all those administrative assistants-cum-network security administrators who call your support center, further burdening the bottom line.

That dove-tails right into the argument regarding managed services and security in the cloud — these really are beginning to take off, so this move by Symantec is the right thing to do.  Let the folks who can deliver BoB hardware running your best-in-breed software do that, and you can have your customers pay you to manage it.  In the case of Crossbeam, we don’t market/sell to the SMB, as they are our customer’s customers…namely our enterprise and service-provider UTM offerings are deployed in a completely different space than the folks you mention above. 

In this case, we win either way: either a large enterprise buys our solutions directly or they sub-out to an MSSP/ISP that uses our solution to deploy their services.  Meanwhile, the perimeter/SMB UTM vendors fight for scraps in the pound waiting to be put down because nobody claims them 😉

We’ll cover the hot topic of security outsourcing here shortly.

/Chris

If news of more data breach floats your boat…

June 26th, 2006 No comments

U.S. Navy: Data Breach Affects 28,000

It looks like we’re going to get one of these a day at this point.  Here’s the latest breach-du-jour.  I guess someone thought that our military veterans were hogging the limelight, so active-duty personnel (and their families, no less) get their turn now.  From eWeek:

Five spreadsheet files with personal data on approximately 28,000 sailors and family members were found on an open Web site, the U.S. Navy announced June 23. 

The personal data included the name, birth date and social security
number on several Navy members and dependents. The Navy said it was
notified on June 22 of the breach and is working to identify and notify
the individuals affected.

"There is no evidence that any of the data has been used illegally.
However, individuals are encouraged to carefully monitor their bank
accounts, credit card accounts and other financial transactions," the
Navy said in a statement.

Sad.

Why are people so shocked re: privacy breaches?

June 25th, 2006 4 comments

This is getting more and more laughable by the minute.  From Dark Reading:

JUNE 22, 2006 | Another
day, another security breach: In the last 48 hours, Visa, Wachovia,
Equifax, and the U.S. Department of Agriculture have joined a growing
list of major companies and government agencies to disclose they’ve
been hit by sensitive — and embarrassing — security breaches.

The organizations now are scrambling to assist customers and
employees whose personal information was either stolen or compromised
in recent weeks. They join AIG, ING, and the Department of Veterans
Affairs, all of which have disclosed major losses of sensitive data in
the last few weeks.

Each of the incidents came to light well after the fact.

Disclaimer: I am *not* suggesting that anyone should make light of or otherwise shrug off these sorts of events.  I am disgusted and concerned just like anyone else with the alarming rate of breach and data loss notifications in the last month, but you’re not really surprised, are you?  There, I’ve said it.

If anyone has any real expectation of privacy or security (two different things) when your data is in the hands of *any* third party, you are guaranteed to be sorely disappointed one day.  I fully expect that no matter what I do, some amount of my personal information will be obtained, misappropriated and potentially misused in my lifetime.  I fully expect that any company I work for will ultimately have this problem, also.  I do what I can to take some amount of personal responsibility for this admission (and its consequences) but to me, it’s a done deal.  Get over it.

The Shimster (my bud, Alan Shimel) also wrote about some of this here and here.

Am I giving up and rolling over dead?  No.  At the same time, I am facing the realities of the overly-connected world in which we live and moreso the position in which I choose to live it.  It isn’t with my head in the sand or in some other dark cavity, but rather scanning the horizon for the next opportunity to do something about the problem.

Anyone who has been on the inside of protecting the critical assets of an Enterprise knows that it isn’t "if" you’re going to have a problem with data or assets showing up somewhere they shouldn’t (or that you did not anticipate) but rather "when" … and hope to (insert deity here) it isn’t on your watch.

Sad but true.  We’ve seen corporations with every capability at their disposal show up on the front page because they didn’t/couldn’t/wouldn’t put in place the necessary controls to prevent these sorts of things from occurring…and here’s the dirty little secret: there is nothing they can do to completely prevent these sorts of things from occurring.

Today we focus on "network security" or "information security" instead of "information defensibility" or "information survivability," and this is a tragic mistake: we’re focusing on threats and vulnerabilities instead of RISK, which is a losing proposition because of these little annoyances called human beings and those other little annoyances they (we) use called computers.

Change control doesn’t work.  Data classification doesn’t work(* see below.)  Policies don’t work.  In the "real world" of IM, encrypted back channels, USB drives, telecommuting, web-based storage, VPN’s, mobile phones, etc., all it takes is one monkey to do the wrong thing even in the right context and it all comes tumbling down.

I was recently told that security is absolute.  Relatively speaking, of course, and that back in the day, we had secure networks.  That said nothing, of course, about the monkeys using them.

Now, I agree that we could go back to the centralized computing model with MAC/RBAC, dumb networks, draconian security measures and no iPods, but we all know that the global economy depends upon people being able to break/bend the rules in order to "innovate" and move business along the continuum and causing me not to put that confidential customer data on my laptop so I can work on it at home over the weekend would impact the business…

The reality is that no amount of compliance initiatives, technology, policies or procedures is going to prevent this sort of thing from happening completely, so the best we can do is try as hard as we can as security professionals to put a stake in the ground, start managing risk knowing we’re going to have our asses handed to us on a platter one day, and do our best to minimize the impact it will have.  But PLEASE don’t act surprised when it happens.

Outraged, annoyed, concerned, angered and vengeful, yes.  Surprised?  Not so much.

Until common sense comes packaged in an appliance, prepare for the worst!

/Chris

P.S. Unofficially, only 3 out of the 50 security professionals I contacted who *do* have some form of confidential information on their laptops (device configs, sample code, internal communications, etc.) actually utilize any form of whole disk encryption.  None use two factor authentication to provide the keys in conjunction with a strong password.  See here for the skinny as to why this is relevant.

*Data Classification doesn’t work because there’s no way to enforce its classification uniformly in the first place.  For example, how many people have seen documents stamped "confidential" or "Top Secret" somewhere other than where these sorts of data should reside?  Does MS Word or Outlook force you to "classify" your documents/emails before you store/print/send them?  Does the network have an innate capability to prevent the "routing" of data across segments/hosts?  What happens when you cut/paste data from one form to another?

I am very well aware of many types of solutions that provide some of these capabilities, but it needs to be said that they fail (short of being deployed at arterial junctions such as the perimeter) because:

  1. They usually expect to be able to see all data.  Unlikely, because anyone that has a large network with computers connected to it knows this is impossible (OK, improbable).
  2. They want to be pointed at the data and classify it so it can be recognized.  Unlikely, because if you knew where all the data was, you’d probably be able to control/limit its distribution.
  3. They expect that data will be in some form that triggers an event based upon the discovery of its existence or movement.  Unlikely, because of encryption (which is supposed to save us all, remember 😉) and the fact that people are devious little shits.
  4. What happens when I take a picture of it on my screen with my cameraphone, send it out-of-band and it shows up on a blog?

Rather, we should exercise some prudent risk management strategies, hope to whomever that those boring security awareness trainings inflict some amount of guilt and hope for the best.

But seriously, authenticating access *to* any data (no matter where it exists) and then being able to provide some form of access control, monitoring and non-repudiation is a much more worthwhile endeavor, IMHO.

Otherwise, this exercise is like herding cats.  It’s a general waste of time because it doesn’t make you any more "secure."

I’m getting more cynical by the (breach) minute…BTW, Michael Farnum just wrote about this very topic…