Archive for the ‘General Rants & Raves’ Category

When Blogging goes bad…

March 3rd, 2007 3 comments

Hey, do you remember reading this little snippet as a quote from a certain industry personality we all know and love in regards to his lack of love for UTM?

"I have a problem with the idea of Universal Threat Management
appliances.  Leaving aside the horrible terminology (Who wants to
manage threats? Don’t you want to block them and forget about them?)
the question that I always ask is: If best-of-breed is the standard for
large enterprises why would it be good practice for a smaller entity to
lump a lot of security functions such as firewall, email gateway, spam
filter, anti-virus, anti-spyware, IDS, IPS, and vulnerability
management all in one under-powered device?"

I’ll give you a hint.  It was posted here by the original author and I responded to it, here.

That’s right!  It was my buddy, Richard Stiennon — lambasting Universal (sic) Threat Management appliances…like those of Fortinet, before they offered him a job.  Perhaps Fortinet doesn’t count because they make Unified, not Universal, Threat Management devices?

Don’t hate the player, baby, hate the game!  (i.e., be careful what you blog, it could come back to hire haunt you.)

Sorry, Rich.  3 Bourbons and a long week make Johnny a lit boy.  Couldn’t help myself.  Fire Away!

/Hoff

SecurityBullshit.com calls out boxes that go Whirr in the night…

March 2nd, 2007 No comments

Funny.  For more chuckles, see SecurityBullshit!

Hey, at least I’ve never said "military grade hardware." 😉


Web 2.0 can’t be protected by Web 1.0 Security Models when Attackers are at Attacker 3.0…

March 2nd, 2007 No comments

Gunnar Peterson (1 Raindrop blog) continues to highlight the issues of implementing security models which are not keeping pace with the technology they are deployed to protect.  Notice I didn’t say "designed" to protect.

Specifically, in his latest entry titled "Understand Web 2.0 Security Issues – As Easy as 2, 1, 3" he articulates (once again) the folly of the security problem that we cannot solve because we simply refuse to learn from our mistakes and proactively address security before it becomes a problem:

"So let’s do the math, we have rich Web 2.0 and its rich UI and lots
of disparate data and links, we are protecting these brand new
2007-built apps with a Web 1.0 security model that was invented in
1995. This would not be a bad thing at all if the attacker community
had learned nothing in the last 12 years, alas they have already
upgraded to attacker 3.0, and so can use Web 2.0 to both attack and distribute attacks.

2.0 functionality, 1.0 security, 3.0 attackers. this cannot stand."

A-Friggin’-Men.  Problem is, unless we reboot the entire human race (or at least developers and security folk) it’s going to take a severe meltdown to initiate change.

Oh, and BTW, just because it bugged me when Thomas Ptacek balked while asking what I meant in a presentation of mine where I said:

"What happens when we hit Web3.0 and we’re still only at
Security 2.4beta11?"

…and he asked:

What does this even mean?

…the answer is simple: Please see Gunnar’s post above.  It’s written much better, but I trust this is all cleared up now?

Public Service Announcement or Hysteria-inducing Stupidity in Advertising?

February 28th, 2007 1 comment

I immediately looked on Snopes when I saw this raw image as I just couldn’t understand how on Earth someone thought this was a good idea:

The idea: place a clear plastic bag containing a fake bomb in conspicuous spots around a public mall, with a "public service message" written on the front.  The point was to suggest that with a little attention to detail, people can avert a tragedy.

The message reads:

It’s this obvious if you are alert.  If you spot anything suspicious, please inform security.
Dummy Explosives
A public service initiative by R Mall

So, if I see a bag that contains an explosive, I should get close enough to read the tagline that says "Boom!  You’re Dead!?"

In Boston our police force blew up little Aqua Teen Hunger Force brite-lites that were part of an advertising stunt.  Could you imagine what the hell they’d do with this?

This stroke of brilliance comes from what appears to be an Indian advertising company called Y&R in Mumbai.  Unbelievable.

/Hoff


Good News! SOA Will Make Your Life Easier…and Easier to Secure!

February 28th, 2007 No comments

I read ZDNet’s coverage of the Wharton Technology Conference in Philadelphia by Larry Dignan and was astounded by what Larry reported of the comments made by TD Ameritrade’s Chief Security Officer, Bill Edwards.

I’m not trying to pick on Mr. Edwards as I have never met the man, but his comments regarding SOA left me disillusioned about how security and emerging technologies are approached in what continues to be a purely reactive, naive and disconnected manner.

Specifically, SOA is not exactly "new."  The evolution of the technology, the maturing of standards, the proliferation of Web 2.0 and massive deployments of SOAs in some of the world’s largest companies shouldn’t come as a surprise to anyone…even in the risk-averse financial services sector.  That being said, SOA is disruptive and innovative and needs to be approached both strategically and tactically.

As a former CISO of a $25 Billion financial services firm, I was embroiled in our first SOA deployments 2.5 years ago.  It’s blood and guts.  It involves dealing with the business, business partners, IT and development staffs in ways you never have.  It takes communication, education, expertise and business acumen.  It’s not something you wait to be dragged into.

The notion that a security team would be "dragged" into SOA rather than embrace and approach it proactively and from the perspective of a thought leader and collaborative contributor astounds me.

That said, here’s what I had a problem with:

TD Ameritrade Chief Security Officer Bill Edwards figures that he’s going to be pulled onto the service oriented architecture (SOA) bandwagon soon. He might as well use it to enhance security.

"When the architects approached me about SOA my first reaction was ‘no you can’t do that,’" said Edwards, who spoke at a financial services online fraud panel at Wharton Technology Conference in Philadelphia on Friday. "But then I realized I’m going to be dragged along with SOA anyway so I should use it to rebuild security from the ground up. I know it’s coming so my team got friendly with the architecture group."

What disturbs me is that SOA represents potentially monumental impact to business, technology and security and instead of embracing (see below) this in a proactive manner, the ad hoc formation of a "strategic" response is "…if you can’t beat ’em, join ’em" and perhaps leverage this to fix problems that weren’t fixed prior.

Paying for sins of the past with currency of the future and confusion in the present isn’t exactly showing alignment to the business as an enabler.  But that’s just me.

It’s clear that the first reaction of saying "no, you can’t do that" is so incredibly typical and representative of the security industry in general; fear what you don’t understand and can it. I can’t imagine how making decisions on risk without an effective model is doing the business justice.

Realizing that this is a train on the tracks that can’t be ducked and that he’s going to be "dragged along with SOA" and that something must be done to head off disaster at the pass (or at least get more budget,) I’m having trouble reconciling this:

"SOA is going to be embraced by security. I don’t know if the industry
is ready for security on SOA, but I’m looking forward to it as it will
make my job easier," he said. "SOA allows you to get granular on
security and focus on specific modules."

I am really having trouble understanding whether this is a statement or a question, but I just cannot comprehend how much sense that last sentence fails to make. 

You’re not embracing SOA when you describe being "dragged into it" and your first reaction is "no." Further, if you’re deploying SOA and you’re not baking in security, you should be fired.

Secondly, explain to me how SOA is going to make security (his job) easier?  Because you can get "granular on security?"  Huh?  SOA is complex.  If you don’t have your "stuff" together in the first place, it’s only going to make your life more difficult.

I’m sorry for this reading like I’m a grumpy bastard (I am) and that I’m singling out Mr. Edwards (he chose to be on a panel) but this just doesn’t jibe.

My advice to Mr. Edwards and anyone else looking for the right approach to take with SOA and security is to read Gunnar Peterson’s blog or some more of his work.

/Hoff

Virtualization is Risky Business?

February 28th, 2007 6 comments

Over the last couple of months, the topic of virtualization and security (or lack thereof) continues to surface as one of the more intriguing topics of relevance in both the enterprise and service provider environments and those who cover them.  From bloggers to analysts to vendors, virtualization is a greenfield for security opportunity and a minefield for the risk models used to describe it.

There are many excellent arguments being discussed which highlight in an ad hoc manner the most serious risks posed by virtualization, and I find many of them accurate, compelling, frightening and relevant.  However, I find that overall, to gauge in relative terms the impact that these new combinations of attack surfaces, vectors and actors pose, the risk model(s) are immature and incomplete.

Most of the arguments are currently based on hyperbole and anecdotal references to attacks that could happen.  It reminds me much of the ballyhooed security risks currently held up for scrutiny for mobile handsets.  We know bad things could happen, but for the most part, we’re not being proactive about solving some of the issues before they see the light of day.

The panel I was on at the RSA show highlighted this very problem.  We had folks from VMware and RedHat in the audience who assured us that we were just being Chicken Littles and that the risk is both quantifiable and manageable today.  We also had other indications that customers felt that while the benefits of virtualization from a cost perspective were huge, the perceived downside from the unknown (mostly theoretical) risks was making them very uncomfortable.

Out of the 150+ folks in the room, approximately 20 had virtualized systems in production roles.  About 25% of them had collapsed multiple tiers of an n-tier application stack (including SOA environments) onto a single host VM.  NONE of them had yet had these systems audited by any third party or regulatory agency.

Rot Roh.

The interesting thing to me was the dichotomy between the top-down and bottom-up approaches to describing the problem.  There was lots of discussion regarding hypervisor (in)security, privilege escalation and the like, but I thought it interesting that most people were not thinking about the impact on the network and how security would have to change to accommodate it from a bottom-up (infrastructure and architecture) perspective.

The notions of guest VM hopping and malware detection in hypervisors/VMs are reasonably well discussed (yet not resolved) so I thought I would approach it from the perspective of what role, if any, the traditional network infrastructure plays in this.

Thomas Ptacek was right when he said "…I also think modern enterprises are so far from having reasonable access control between the VLANs they already use without virtualization that it’s not a “next 18 month” priority to install them." And I agree with him there.  So, I posit that if one accepts this as true then what to do about the following:

If multiple operating systems and applications are consolidated onto a single VM host, so that the bulk of the traffic and data interchange is between the VMs themselves, rides the host’s virtual switching fabric and never touches the physical network infrastructure, where, exactly, does that leave the self-defending "network" if there is no VM-level security functionality at the "micro perimeters" of the VMs?
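As an added example (not code from the original post, nor anything the panel, Cisco or VMware produced): a small audit that takes a VM-to-host placement inventory and a list of inter-VM flows and reports which flows never leave the host’s virtual switch, what share of the traffic a sensor on the physical network could ever see, and which hosts carry collapsed tiers.  The inventory, the flows and the "tier name plus two digits" naming convention are all constructed assumptions:

```python
"""Added example, not code from the original post: audit which inter-VM flows
stay on a host's virtual switch and so never reach the physical network where
taps, IDS/IPS and firewalls sit.  The inventory and flows below are
constructed sample data; the naming convention (tier name + two digits) is an
assumption used only to derive a VM's tier."""

from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed sample inventory: VM -> (host, virtual switch).  Host esx-a has
# the web, app and db tiers of one application collapsed onto it.
PLACEMENT = {
    "web01": ("esx-a", "vswitch0"),
    "app01": ("esx-a", "vswitch0"),
    "db01":  ("esx-a", "vswitch0"),
    "web02": ("esx-b", "vswitch0"),
    "app02": ("esx-b", "vswitch0"),
}

# Constructed sample flows between the VMs above.
FLOWS = [
    Flow("web01", "app01", 8080),
    Flow("app01", "db01", 1433),
    Flow("web02", "app02", 8080),
    Flow("app02", "db01", 1433),   # crosses hosts, so it hits the wire
]


def classify(flow, placement=PLACEMENT):
    """'vswitch-only' if both endpoints share a host and virtual switch (the
    frames are switched in software and never reach a physical NIC),
    'physical' if the flow must leave the host, 'unknown' if either endpoint
    is missing from the inventory."""
    a, b = placement.get(flow.src), placement.get(flow.dst)
    if a is None or b is None:
        return "unknown"
    return "vswitch-only" if a == b else "physical"


def blind_spots(flows=FLOWS, placement=PLACEMENT):
    """Flows a sensor on the physical network can never see."""
    return [f for f in flows if classify(f, placement) == "vswitch-only"]


def physical_coverage(flows=FLOWS, placement=PLACEMENT):
    """Fraction of flows a physical-network sensor could observe at all.
    'unknown' flows count against coverage: if you cannot place both ends,
    you cannot claim visibility."""
    if not flows:
        return 1.0
    visible = sum(1 for f in flows if classify(f, placement) == "physical")
    return visible / len(flows)


def tier_of(vm):
    """Tier name under the assumed naming convention ('web01' -> 'web')."""
    return vm.rstrip("0123456789")


def collapsed_hosts(placement=PLACEMENT):
    """Hosts carrying more than one tier of an n-tier stack: the case the RSA
    audience described, and exactly where vswitch-only traffic piles up."""
    tiers = {}
    for vm, (host, _vswitch) in placement.items():
        tiers.setdefault(host, set()).add(tier_of(vm))
    return {host: sorted(t) for host, t in tiers.items() if len(t) > 1}


if __name__ == "__main__":
    for f in blind_spots():
        print(f"invisible to the physical network: {f.src} -> {f.dst}:{f.port}")
    print(f"physical-network coverage: {physical_coverage():.0%}")
    print(f"hosts with collapsed tiers: {collapsed_hosts()}")
```

Feed it a real inventory exported from the hypervisor and a real flow list and the blind-spot list is the set of conversations your taps and IDS will never report on, however well tuned they are; the coverage number is the honest answer to "how much of the data-center traffic does the network security layer actually see."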

I recall asking Jayshree Ullal of Cisco, who was presenting Cisco’s strategy regarding virtualized security at a recent Goldman Sachs security conference, how their approach to securing the network was affected by the situation I describe above.

You could hear crickets chirp in the answer.

Talk amongst yourselves….

P.S. More excellent discussions from Matasano (Ptacek) here and Rothman’s bloggy.  I also recommend Greg Ness’ commentary on virtualization and security @ the HyperVisor here.

Yawn, Part Deux

February 21st, 2007 4 comments

I was talking to Andy Jaquith (please buy his book, I’m tired of buying him drinks) tonight at BeanSec! and recalled an ad hoc conversation I had with Rothman the other day in regards to just how damned boring the security space has become in the last year.

I know it’s not just me (now) that senses an overall slow down in the amount of forward motion our industry is making.  This isn’t suggesting that there isn’t innovation and technology movement, it’s just that we seem to be solving the same set of problems from twenty years ago and perfuming a pig.

I walked through RSA this year and short of Veracode’s booth (OK, they offered me beer) it may as well have been a Shriner’s convention.

How many NAC vendors does it take to fill an RSA conference?  None, because according to Art (he’s on Crossbeam’s board, but I respectfully disagree) there aren’t going to be any independent security companies.  Yet I digress.

"Sadly," we haven’t really had an exciting worm or virus outbreak recently.  Patch Tuesdays are almost non-events and unless someone releases a zero-day remote exploit  for controlling the UHF output on a Commodore 64, I think I’m just going to die of boredom.  Snore.

Help me out here.  Redeem our industry and help me regain my will to live.  Pop some comments on your perspectives of what’s worth looking at from a security perspective — I mean cool, unique, innovative and problem-solving focused security solutions to really complex business problems.

Please.

/Hoff


A Funny Thing Happened at the Museum Of Science…

February 21st, 2007 No comments

One of the benefits of living near Boston is the abundance of amazing museums and historic sites within 50 miles of my home.

This weekend the family and I decided to go hit the Museum of Science for a day of learning and fun.

As we were about to leave, I spied an XP-based computer sitting in the corner of one of the wings and was intrigued by the sign on top of the monitor instructing any volunteers to login:

[photo: the sign on top of the monitor]

Then I noticed the highlighted instruction sheet taped to the wall next to the machine:

[photo: the instruction sheet taped to the wall]

If you’re sharp enough, you’ll notice that the sheet instructs the volunteer how to remember their login credentials — and what their password is (‘1234’) unless they have changed it!

"So?" you say, "That’s not a risk.  You don’t have any usernames!"

Looking to the right I saw a very interesting plaque.  It contained the first and last names of the museum’s most diligent volunteers who had served hundreds of hours on behalf of the Museum.  You can guess where this is going…

I tried for 30 minutes to find someone (besides Megan Crosby on the bottom of the form) to whom I could suggest a more appropriate method of secure sign-on instructions.  The best I could do was one of the admission folks who stamped my hand upon entry and ended up with a manager’s phone number written on the back of a stroller rental slip.

(In)Security is everywhere…even at the Museum of Science.  Sigh.

/Hoff

UNP = Unnecessary New Paradigm?

February 21st, 2007 6 comments

[I have a backlog of blog posts due to my 2 weeks on the road.  Excuse my trip into last week.]

During our UTM Smackdown panel @ RSA, Alan Shimel from StillSecure kept hinting (okay, yelling) about StillSecure’s upcoming product announcement regarding their bringing a UTM solution to market.

Firstly, I think that’s great, because as I agreed, the natural evolution of (Enterprise) UTM includes the integration of functionality such as NAC, VA/VM, etc., and StillSecure’s products are top-notch, so I expect another excellent product from the boys from Colorado.

I also know that Alan and Mitchell really know their market well and do a fantastic job with product management and marketing within this space.  But Alan/Mitchell’s announcement has me puzzled because there’s some serious amount of verbiage being tossed about here that’s ignoring a whole lot of reality that even the best marketing distortion field can’t obfuscate.

I found it interesting on Alan’s blog that actually what he meant to say is that StillSecure intends to bring a “new” type of product to market that isn’t described as UTM at all – in fact, Mitchell Ashley (StillSecure’s CTO – and hopefully he won’t get mad when I call him a friend) is attempting to define both a new paradigm and market segment that they call Unified Network Platform, or UNP.  See here for Mitchell’s whitepaper and description of UNP.

UNP should not, however, be confused with UPN, the television network that brought you such hits as “Moesha.”

UNP is defined as "…a new paradigm for addressing the needs of network and security functions.  Breaking the mold of the proprietary vendor hardware appliance solution, UNP provides an open platform architecture consisting of open software and general purpose hardware, enabling the convergence of network applications."

The Model is illustrated graphically by this diagram which looks surprisingly similar to the Carrier Grade Linux group’s model and almost identical to the Crossbeam X-Series architecture:

Clever marketing, for sure, but as I pointed out to Alan at the Smackdown, short of the new title, neither the model nor the approach is new at all.  In many aspects of how Alan described his new product line, it’s exactly what we do @ Crossbeam.  I was intrigued, for sure.

Apart from some semantic issues surrounding the use of open source to the exclusion of COTS and swearing off any potential benefits of optimized hardware, Mitchell’s definition of UNP attempts to re-brand concepts and a technology approach that’s quite familiar to me.

The model as defined by Mitchell seems to lay claim to an operational and technology integration model that has already been defined as the foundation for Next Generation Networks (NGN), sits at the core of the designs coming out of the IMS/converged network working groups (and of VMware’s virtual appliance model, for that matter), and calls it UNP.

I really don’t get the novelty here.

Virtualization? Check.  Software is the key?  Check.  "Proprietary" hardware versus OTS hardware?

Who gives a crap!?  If the cost of a product and its positioning within the network is justified by the performance, scale, availability of software choice as defined by the user and the appropriate reduction of risk, then it seems to me that the only people who need to make the argument complaining about "proprietary" hardware are those that don’t have any…

I agree that the advance of OTS hardware and multi-core technology is yielding amazing value for the dollar spent and that many hardware solutions today are commoditized at birth, but I maintain that there is a point of diminishing returns at which even today’s multi-core processors hit limits of memory and I/O (not to mention the ability of the software itself to take advantage of them) that are specific to the market into which the solutions are designed to operate.

You’ll get no argument from me that software is the secret sauce in the security space and even in Crossbeam’s case, the hardware is a means to an end, so if integrating FPGAs and optimized network processing hardware provides for hyper-performance of standard Intel reference designs, ‘splain to me how that’s a bad thing?

I suggest that UNP is an interesting perspective and sheds light on the “convergence” of security functionality and virtual appliances for the SME/SMB market, but new it ain’t, and this sort of solution does not fly in the large enterprise, service provider or mobile operator.  It’s also a little odd and naive to suggest that this is a “network” platform approach that will rival dedicated networking functions at anything but the SME/SMB level.

Now, I’m not trying to assail Mitchell’s efforts or creativity here, nor am I suggesting that this is not an interesting way to try and distance StillSecure from the other 1000 me-too FW, nee IPS, nee small-office UTM fray, but there’s also a danger in trying to create distinction in an already acronym-burdened industry and coming off looking like you’re doing something completely new.

I had a point-by-point response to Mitchell’s summary points of his whitepaper, but as I reviewed it I realized that this would come across as one of those enormous Hoff posts — not to mention it read as a Crossbeam versus StillSecure manifesto…and given that Alan’s into his kinder, gentler stage, I reckoned I’d give it a go, too.

…we’ll see how long that lasts.

/Hoff

Uncle Mike says “Virtualization hasn’t changed the fundamental laws of network architecture.”

January 16th, 2007 2 comments

Despite Mike completely missing the point of my last post regarding Alan Shimel’s rant on TippingPoint (he defaults to the "Hoff is defending Big Iron" blurb), Mike made a bold statement:

Virtualization hasn’t changed the fundamental laws of network architecture

I am astounded by this statement.  I violently disagree with this assertion.

Virtualization may not have changed the underlying mechanisms of CSMA/CD or provided the capability to exceed the speed of light, but virtualization has absolutely and fundamentally affected the manner in which networks are designed, deployed, managed and used.   You know, network architecture.

Whether we’re talking about VLANs, MPLS, SOA, Grid Computing or Storage, almost every example of data center operations and network design today is profoundly impacted by the V-word.

Furthermore, virtualization (of transport, storage, application, policy, data) has also fundamentally changed the manner in which computing is employed and resources consumed.  What you deploy, where, and how are really, really important.

More importantly (and relevant here) is that virtualization has caused architects to revisit the way in which these assets and the data that flow through them, is secured.

And to head off yet another "blah blah…big iron…large enterprise….blah blah" retort, I’m referring not just to the Crossbeam way (which is heavily virtualized) but to that of Cisco and Juniper also.  All Next Generation Network Services are in a low-earth orbit around the mass that is virtualization.

"Virtualization of the routed core. Virtualization of the data and control planes.  Virtualization of Transport.  Extending the virtualized enterprise over the WAN.  The virtualized access layer."  You know what those are?  Chapters out of a Cisco Press book on Network Virtualization which provides "…design guidance" for architects of virtualized Enterprises.

I suppose it’s only fair that I ask Mike to qualify his comment, because perhaps it’s another "out-of-context-ism" or I misunderstood (of course I did) but it made me itchy reading it.

Mike?