Archive

Archive for the ‘Information Security’ Category

GigaOm’s Alistair Croll on Cloud Security: The Sky Is Falling!…and So Is My Tolerance For Absurdity

December 14th, 2008 3 comments
Whatmeworry
I just read the latest blog of Alistair Croll from GigaOm titled "Cloud Security: The Sky Is Falling!" in which he suggests that we pillow-hugging security wonks ought to loosen our death grips on our data because not only are we flapping our worry feathers for nothing, but security in "the Cloud" will result in better security than we have today. 

It's an interesting assertion, really, that despite no innovative changes in the underpinnings of security technology, no advances in security architecture or models and no fundamental security operational enhancements besides the notion of enhanced "monitoring," that simply outsourcing infrastructure to a third party "in the cloud" will in some way make security "better," whatever version of "the Cloud" you may be describing:

I don’t believe that clouds themselves will cause the security breaches and data theft they anticipate; in many ways, clouds will result in better security. Here’s why:

    • Fewer humans – Most computer breaches are the result of human error; only 20-40 percent stem from technical malfunctions. Cloud operators that want to be profitable take humans out of the loop whenever possible.
    • Better tools – Clouds can afford high-end data protection and security monitoring tools, as well as the experts to run them. I trust Amazon’s operational skills far more than my own.
    • Enforced processes – You could probably get a co-worker to change your company’s IT infrastructure. But try doing it with a cloud provider without the proper authorization: You simply won’t be able to.
    • Not your employees — Most security breaches are committed by internal employees. Cloud operators don’t work for you. When it comes to corporate espionage, employees are a much more likely target.

    Of course it takes people to muck things up, it always has and always will.  Rushing to embrace a "new" computing model without the introduction of appropriately compensating controls, adapted risk assessment/management methodologies and practices will absolutely introduce new threats, vulnerabilities and risk at a pace driven by supposed economic incentives that have people initially foaming at their good fortune and then fuming when it all goes bad.

    This comes down to the old maxim: "guns don't kill people, people kill people."  Certainly "the Cloud" alone won't increase breaches and data theft, but using it without appropriate safeguards will.

    This is an issue of squeezing the balloon.  The problem doesn't change in volume, it just changes shape.

    Those of us concerned about security and privacy in cloud computing models have good reason to be concerned; we live with and have lived with these sorts of disruptive innovations and technology before and it really, really screws things up because the security models and technology we can lean on to manage risk is not adapted to this at all and the velocity of change eclipses our ability to do do our jobs competently.

    Further bonking things up is the very definition of "the Cloud(s)" in the first place.

    Despite the obvious differences in business models, use cases, technical architecture as well as the non-existence of a singularity called "The Cloud," this article generalizes and marginalizes the security challenges of cloud computing regardless.  In fact, it emphasizes on one leg of the IT stool (people) to the point of downplaying via the suspension of disbelief that the other two (process and technology) are problems less deserving of attention as they are magically addressed.

    To be fair, I can certainly see Alistair's argument holding water within the context of an SME/SMB with no dedicated expertise in security and little or no existing cost burden in IT infrastructure.  The premise: let your outsourced vendor provide you with the expertise in security you don't have as they have a vested interest to do so and can do it better than you.  

    The argument hinges on two things: that insiders intent on malicious activity by tampering with "infrastructure" are your biggest risk eliminated by "the cloud" and that infrastructure and business automation, heretofore highly sought after elements of enterprise modernization efforts, is readily available now and floating about in the cloud despite its general lack of availability in the enterprise.

    So here's what's amusing to me:
    1. It takes humans to operate the cloud infrastructure.  These human operators, despite automation, still suffer from the same scale and knowledge limitations as those in the real world.  Further the service governance layers that translate business process, context and risk into enforceable policy across a heterogeneous infrastructure aren't exactly mature. 
        
    2. The notion that better tools exist in the cloud that haven't as yet been deployed in the larger enterprise seems a little unbelievable.  Again, I agree that this may be the case in the SME/SMB, but it's simply not the case in larger enterprises.  Given issues such as virtualization (which not all cloud providers depend upon, but bear with me) which can actually limit visibility and reach, I'd like to understand what these tools are why we havent' heard of them before.
    3. The notion that you can get a co-worker to "…change your company's IT infrastructure" but you can't get this same event impact to occur in the cloud is ludicrous.  Besides the fact that the bulk of breaches result from abuse or escalation of privilege in operating systems and applications, not general "infrastructure," and   "the Cloud," having abstracted this general infratructure from view. leaves bare the ability to abuse the application layer just as ripely.
    4. Finally, Alaistair's premise that the bulk of attacks originate internally is misleading. Alistair's article was written a few days ago.  The Intranet Journal article he cites to bolster his first point substantiating his claim was written in 2006 and is based upon a study done by CompTIA in 2005.  2005!  That's a lifetime by today's standards. Has he read the Verizon breach study that empirically refutes many of his points? (*See Below in extended post)
     As someone who has been on both the receiving end as well as designed and operated managed (nee Cloud) security as a service for customers globally, there are a number of exceptions to Alistair's assertions regarding the operational security prowess in "the Cloud" with this being the most important: 

    As "the Cloud" provider adds customers, the capability to secure the infrastructure and the data transiting it, ultimately becomes an issue of scale, too. The more automation that is added, the more false positives show up, especially in light of the fact that the service provider has little or no context of the information, business processes or business impact that their monitoring tools observe.  You can get rid of the low-hanging fruit, but when it comes down to impacting the business, some human gets involved.

    The automation that Alastair asserts is one of the most important reasons why Cloud security will be better than non-Cloud security ultimately suffers from the same  lack of eyeballs problem that the enterprise supposedly has in the first place.

    For all the supposed security experts huddled around glowing monitors in CloudSOC's that are vigilantly watching over "your" applications and data in the Cloud, the dirty little secret is that they rely on basically the same operational and technical capabilities as enterprises deploy today, but without context for what it is they are supposedly protecting.  Some rely on less.  In fact, in some cases, unless they're protecting their own infrastructure, they don't do it at all — it's still *your* job to secure the stacks, they just deal with the "pipes."

    We're not all Chicken Little's, Alistair.  Some of us recognize the train when it's heading toward us at full speed and prefer not to be flattened by it, is all.

    /Hoff

    Read more…

    Beware the Transparent Proxy…Your Faith In VPNs Might Waiver

    November 20th, 2008 9 comments

    Eyespy
    Aviram from the Securiteam blog wrote a post titled "Who's Your SMTP Daddy?" that caught my eye regarding the false sense of security that use of corporate IPSec VPNs brings to traveling road warriors due to the use by providers of so-called transparent proxies.

    Let's say that you've got some sort of IPSec VPN solution installed on your laptop using the standard corporate configuration with your mail client pointing to mail.foo.com.  Your machine has AV, HIPS, firewall, etc.

    You connect to a provider's network (wired, wifi, hotel, airport, etc…) and fire up your VPN client which authenticates just fine.  You then launch your mail client and type a quick note to your CEO about the confidential M&A project you're working on.  A few minutes later you get a response from your CEO to proceed with the tender.

    You disconnect.

    Here's the problem: that SMTP session you thought was encrypted through your VPN back to the corporate mail server was actually sent in the clear.  In fact, it wasn't even sent through your mail relay/server.

    Here's a great example of why taken from Aviram's blog:

    A quick investigation shows the following: The hotel’s network blocks
    my VPN (as some of them do) but happily resolves any unresolvable host
    name (such as my SMTP server’s hostname). This is resolved to a
    catch-all server that proxies everything. Transparently. (well, almost)

    Lesson learned. Changed the hostname to the IP, and will soon switch
    to SSL based SMTP who will authenticate the server. In the meanwhile –
    be careful from helpful Beijing wifi providers who are only too happy
    to forward your mail on! (with some changes, of course).

    Aviram is in China, but this example is valid in many countries and you can probably expect that given the behavior of some domestic ISP's, Telcos and Mobile Operators that it is or will go on here too.  It could easily work with other protocols that aren't sensitive to session tampering/MITM.*  Further, Aviram's example was about interception.  There's every reason to believe that one could expect the content of your email to be modified also…

    I personally use SSL authenticated SMTP with valid issued certificates so at least if there is tampering with my session, my mail client barfs letting me know something is wrong.  That error probably wouldn't help the average sales droid in the field as he/she would just click OK like most people do to any security error that pops up, but it's worth considering.

    /Hoff

    * Obviously this example presents a worst case scenario with certain configuration assumptions and license taken for illustration, but take the message for what it's intended: blind faith in VPNs can cause you some serious heartache.  Transparent proxies work very well…

    Categories: Information Security Tags:

    Gunnar Peterson Channels Tina Turner (Sort Of): What’s Happiness Got To Do With It?

    October 29th, 2008 1 comment

    Tinaturner
    Gunnar just hit a home run responding to John Pescatore's one line, twelve word summarization of how to measure a security program's effectiveness.  Read Gunnar's post in it's entirety but here's the short version:

    Pescatore says:

    The best security program is at the business with the happiest customers.


    To which Gunnar suggests:

    There's a fine line between happy customers and playing piano in a bordello.

    …and revises Pescatore's assertion to read:

    The best security program is at the business with sustainable competitive advantage.

    To which, given today's economic climate, I argue the following simplification:

    The best security program is at the business that is, itself, sustainable.

    I maintain that if, as John suggests, you want to introduce the emotive index of "happiness" and relate it to a customer's overall experience when interacting with your business, then the best security program is one that isn't seen or felt at all.  Achieving that Zen-like balance is, well, difficult.

    It's hard enough to derive metrics that adequately define a security program's effectiveness, value, and impact on risk.  Balanced scorecard or not, the last thing we need is the introduction of a satisfaction quotient that tries to quantify (on a scale from 1-10?) the "warm and fuzzies" a customer enjoys whilst having their endpoint scanned by a NAC device before attaching to your portal… 😉

    I understand what John was shooting for, but it's like suggesting that there's some sort of happiness I can achieve when I go shopping for car insurance.

    /Hoff

    IDS: Vitamins Or Prophylactic?

    September 25th, 2008 2 comments

    Agentmaxwell
    Ravi Char commented on Alan Shimel's blog titled "IDS – The Beast That Just Won't Die."

    Ravi makes a number of interesting comments in his blog titled
    "IDS/IPS – is it Vitamins?"  I'd like to address them because they offer what I maintain is a disturbing perspective on the state and implementation of IDS today by referencing deployment models and technology baselines from about 2001 that don't reflect reality based on my personal experience.

    Ravi doesn't allow comments for this blog, so I thought I'd respond here.

    Firstly, I'm not what I would consider and IDS apologist, but I do see the value in being able to monitor and detect things of note as they traverse my network.  In order to "prevent" you first must be able to "detect" so the notion one can have one without the other doesn't sound very realistic to me.

    Honestly, I'd like to understand what commercial stand-alone IDS-only solutions Ravi is referring to.  Most IDS functions are built into larger suites of IDP products and include technology such as correlation engines, vulnerability assessment, behavioral anomaly, etc., so calling out IDS as a failure when in reality it represents the basis of many products today is nonsensical.

    If a customer were to deploy an IPS in-line or out-of-band in "IDS" mode and not turn on automated blocking or all of the detection or prevention capabilities, is it fair to simply generalize that an entire suite of solutions is useless because of how someone chooses to deploy it?

    I've personally deployed Snort, Sourcefire (with RNA,) ISS, Dragon, TippingPoint, TopLayer and numerous other UTM and IDP toolsets and the detection, visibility, reporting, correlation, alerts, forensic and (gasp!) preventative capabilities these systems offered were in-line with my expectations for deploying them in the first place.

    IDS can capture tons of intrusion events, there is so much of don't
    care events it is difficult to single out event such as zero day event
    in the midst of such noise. 

    Yes, IDS can capture tons of events.  You'll notice I didn't say "intrusion events" because in order to quantify an event as an "intrusion," one would obviously have already defined it as such in the IDS, thus proving the efficacy of the product in the first place.  This statement is contradictory on face value.

    The operator's decision to not appropriately "tune" the things he or she is interested in viewing or worse yet not investing in a product that allows one to do so is a "trouble between the headsets" issue and not a generic solution-space one.  Trust me when I tell you there are plenty of competent IDS/IPS systems available that make this sort of decision making palatable and easy.

    To take a note from a friend of mine, the notion of "false positives" in IDS systems seems a little silly.  If you're notified that traffic has generated an alert based upon a rule/signature/trigger you defined as noteworthy, how is that a false positive?  The product has done just what you asked it to do!  Tuning IDS/IPS systems requires context and an understanding of what you're trying to protect, from where, from whom, and why.

    People looking for self-regulating solutions are going to get exactly what they deserve.

    Secondarily, if an attacker is actually using an exploit against a zero-day vulnerability, how would *any* system be able to detect it based on the very description of a zero-day?

    It requires tremendous effort to sift through the log and derive meaningful actions out of the log entries.

    I again remind the reader that manually sifting through "logs" and "log entries" is a rather outdated concept and sounds more like forensics and log analysis than it does network IDS, especially given today's solutions replete with dashboards, graphical visualization tools, etc.

    IDS needs a dedicated administrator to manage. An administrator who
    won't get bored of looking at all the packets and patterns, a truly
    boring job for a security engineer. Probably this job would interest a
    geekier person and geeks tend to their own interesting research!

    I suppose that this sort of activity is not for everyone, but again, this isn't Intrusion Detection, Shadow Style (which I took at SANS 1999 with Northcutt) where we're reading through TCPDUMP traces line by line…

    There are companies that do without IDS, and they do just fine. I
    agree with Alan's assessment that IDS is like a Checkbox in most
    cases.  Business can run without IDS just fine, why invest in such a
    technology?

    I am convinced that there are many companies that "do without IDS."  By that token, there are many companies that can do without firewalls, IPS, UTM, AV, DLP, NAC, etc., until the day they realize they can't or realize that to be even minimally compliant with any sort of regulation and/or "best practice" (a concept I don't personally care for,) they cannot.

    I'm really, really interested in understanding how it is that these companies "…do just fine."  Against what baseline and using what metrics does Ravi establish this claim.  If they don't have IDS and don't detect potential "intrusions," then how exactly can it be determined that they are better off (or just as good) without IDS?

    Firewalls and other devices have built in features of IDS, so why invest in a separate product.

    So I misunderstood the point here?  It's not that IDS is useless, it's just that standalone IDS deployments from 2001 are useless but if they're "good enough" functions bundled with firewalls or "other devices," they have some worth because it costs less?

    I can't figure out whether the chief complaint here is an efficacy or ill-fated ROI exercise.

    IDS is like Vitamins, nice to have, not having won't kill you in
    most cases. Customers are willing to pay for Pain Killers because they
    have to address their pain right away. For Vitamins, they can wait.
    Stop and think for moment, without Anti-virus product, businesses can't
    run for few days. But, without IDS, most businesses can run just fine
    and I base it out of my own experience.

    …and it's interesting to note the difference between chronic and acute pain.  In many cases, customers don't notice chronic pain — it's always there and they adjust their tolerance thresholds accordingly.  It may not kill you suddenly, but over time the same might not be true.  If you don't ingest vitamins in some form, you will die.

    When an acute pain strikes, people obviously notice and seek immediate amelioration, but the pain killer option is really just a stop-gap, it doesn't "cure" it simply masks the pain. 

    By this definition it's already too late for "prevention" because the illness has already set in and detection is self-evident — you're ill.  Take your vitamins, however, and perhaps you won't get sick in the first place…

    The investment strategy in IDS is different than that of AV.  You're addressing different problems, so comparing them equliaterally is both unfair and confusing.  In the long term, if you don't know what "normal" looks like — a metric or trending you can certainly gain from IDS/IPS/IDP systems — how will you determine what "abnormal" looks like?

    So, sure, just like the vitamin example — not having IDS may not "kill" you in the short term, but it can certainly grind you down over the long haul.

    Probably, I would have offended folks from the IDS camp. I have a
    good friend who is a founder of an IDS company, I am sure he will react
    differently if he reads my narratives about IDS.  Once businesses start
    realizing that IDS is a Checkbox, they will scale down their
    investments in this area. In the current economic climate, financial
    institutions are not doing well. Financial institutions are
    big customers in terms of security products, with the current scenario
    of financial meltdown, they would scale down heavily on their spending
    on Vitamins.

    Again, if you're suggesting that stand-alone IDS systems are not a smart investment and that the functionality will commoditize into larger suites over time but the FUNCTION is useful an necessary, then we agree.

    If you're suggesting that IDS is simply not worthwhile, then we're in violent disagreement.

    Running IDS software on VMware sounds fancy.  Technology does not
    matter unless you can address real world pain and prove the utilitarian
    value of such a technology. I am really surprised that IDS continues to
    exist. Proof of existence does not forebode great future. Running IDS
    on VMware does not make it any more utilitarian. I see a bleak future
    for IDS.

    Running IDS in a virtual machine (whether it's on top of Xen, VMware or Hyper-V) isn't all that "fancy" but the need for visibility into virtual environments is great when the virtual networking obfuscates what can be seen from tradiational network and host-based IDS/IPS systems. 

    You see a bleak future for IDS?  I see just as many opportunites for the benefits it offers — it will just be packaged differently as it evolves — just like it has over the last 5+ years.

    /Hoff

    Security Will Not End Up In the Network…

    June 3rd, 2008 9 comments

    Secdeadend
    It’s not the destination, it’s the journey, stupid.

    You can’t go a day without reading from the peanut gallery that it is
    "…inevitable that network security will eventually be subsumed into
    the network fabric."  I’m not picking on Rothman specifically, but he’s been banging this drum loudly of late.

    For such a far-reaching, profound and prophetic statement, claims like these are strangely myopic and inaccurate..and then they’re exactly right.

    Confused?

    Firstly, it’s sort of silly and obvious to trumpet that "network security" will end up in the "network."  Duh.  What’s really meant is that "information security" will end up in the network, but that’s sort of goofy, too. You’ll even hear that "host-based security" will end up in the network…so let’s just say that what’s being angled at here is that security will end up in the network.

    These statements are often framed within a temporal bracket
    that simply ignores the bigger picture and reads like a eulogy.  The reality is that historically
    we have come to accept that security and technology are
    cyclic and yet we continue to witness these terminal predictions defining an end state for security that has never arrived and never will.


    Let me make plain my point: there is no final resting place for where and how security will "end up."

    I’m visual, so let’s reference a very basic representation of my point.  This graph represents the cyclic transition over time of where and how
    we invest in security.

    We ultimately transition between host-based security,
    information-centric security and network security over time. 

    We do this little
    shuffle based upon the effectiveness and maturity of technology,
    economics, cultural, societal and regulatory issues and the effects of disruptive innovation.  In reality, this
    isn’t a smooth sine wave at all, it’s actually more a classic dampened
    oscillation ala the punctuated equilibrium theory I’ve spoken about
    before
    , but it’s easier to visualize this way.

    Youarehere_3

    Our investment strategy and where security is seen as being "positioned" reverses direction over time and continues ad infinitum.  This has proven itself time and time again yet we continue to be wowed by the prophetic utterances of people who on the one hand talk about these never-ending cycles and yet on the other pretend they don’t exist by claiming the "death" of one approach over another. 
     

    Why?

    To answer that let’s take a look at how the cyclic pendulum effect of our focus on
    security trends from the host to the information to the network and
    back again by analyzing the graph above. 

    1. If we take a look at the arbitrary "starting" point indicated by the "You Are Here" dot on the sine wave above, I suggest that over the last 2-3 years or so we’ve actually headed away from the network as the source of all things security.   

      There are lots of reasons for this; economic, ideological, technological, regulatory and cultural.  If you want to learn more about this, check out my posts on how disruptive Innovation fuels strategic transience.

      In short, the network has not been able to (and never will) deliver the efficacy, capabilities or
      cost-effectiveness desired to secure us from evil, so instead we look at
      actually securing the information itself.  The security industry messaging of late is certainly bearing testimony to that fact.  Check out this year’s RSA conference…
       

    2. As we focus then on information centricity, we see the resurgence of ERM, governance and compliance come into focus.  As policies proliferate, we realize that this is really hard and we don’t have effective and ubiquitous data
      classification, policy affinity and heterogeneous enforcement capabilities.  We shake our heads at the ineffectiveness of the technology we have and hear the cries of pundits everywhere that we need to focus on the things that really matter…

      In order to ensure that we effectively classify data at the point of creation, we recognize that we can’t do this automagically and we don’t have standardized schemas or metadata across structured and unstructured data, so we’ll look at each other, scratch our heads and conclude that the applications and operating systems need modification to force fit policy, classification and enforcement.

      Rot roh.
       

    3. Now that we have the concept of policies and classification, we need the teeth to ensure it, so we start to overlay emerging technology solutions on the host in applications and via the OS’s that are unfortunately non-transparent and affect the users and their ability to get their work done.  This becomes labeled as a speed bump and we grapple with how to make this less impacting on the business since security has now slowed things down and we still have breaches because users have found creative ways of bypassing technology constraints in the name of agility and efficiency…
       
    4. At this point, the network catches up in its ability to process closer to "line
      speed," and some of the data classification functionality from the host commoditizes into the "network" — which by then is as much in the form of appliances as it is routers and switches — and always
      will be.   So as we round this upturn focusing again on being "information centric," with the help of technology, we seek to use our network investment to offset impact on our users.
       
    5. Ultimately, we get the latest round of "next generation" network solutions which promise to deliver us from our woes, but as we "pass go and collect $200" we realize we’re really at the same point we were at point #1.

    ‘Round and ’round we go.

    So, there’s no end state.  It’s a continuum.  The budget and operational elements of who "owns" security and where it’s implemented simply follow the same curve.  Throw in disruptive innovation such as virtualization, and the entire concept of the "host" and the "network" morphs and we simply realize that it’s a shift in period on the same graph.

    So all this pontification that it is "…inevitable that network security will eventually be subsumed into
    the network fabric" is only as accurate as what phase of the graph you reckon you’re on.  Depending upon how many periods you’ve experienced, it’s easy to see how some who have not seen these changes come and go could be fooled into not being able to see the forest for the trees.

    Here’s the reality we actually already know and should not come to you as a surprise if you’ve been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively.  From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.

    Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears…

    /Hoff

    Of Course Defense-In-Depth, er, Defense-In-Breadth Works!

    May 7th, 2008 6 comments

    I don’t know what the the hell Ptacek and crew are on about.  Of course defense-in-depth defense-in-breadth is effective.  It’s heresy to suggest otherwise.  Myopic, short-sighted, and heretical, I say!

    In support, I submit into evidence People’s Exhibit #1, from here your honor:

    Tsa20layers_2

    …and I quoteth:

    We use layers of security to ensure the security of the traveling public and the Nation’s transportation system.

    Each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system.  A terrorist who has to overcome multiple security layers in order to carry out an attack is more likely to be pre-empted, deterred, or to fail during the attempt.

    Yeah!  Get some! It’s just like firewalls, IPS, and AV, bitches!  Mo’ is betta!

    It’s patently clear that Ptacek simply doesn’t layer enough, is all.  See, Rothman, you don’t need to give up!

    "Twenty is the number and the number shall be twenty!"

    How’s that for a metric?

    That is all.

    /Hoff

    Down Under: Where Security Is SO Last Tuesday…

    May 7th, 2008 3 comments

    Fail
    I read this article from Network World (Australia) where the author relayed the pinnings of C-levels from Australia and New Zealand by titling his story thusly: "If only reducing costs was as easy as security, say CIOs"

    It seems that based upon a recent study, IDC has declared that "…conquering IT security is a breeze for CIOs.

    I’m proud of my Kiwi lineage, but I had no idea my peeps were so ahead of the curve when it comes to enlightened advancements in IT security governance.  They must all deploy GRC suites and UTM or something? 

    Anton, there must be something in the logs down there!

    As per that famous line in "When Harry Met Sally," I respond with "I’ll have what [s]he’s having…" 

    Check this out:

    The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector.

    Information security was rated last place in the Top 10 challenges for CIOs.

    Threats targeting the application layer were cited as the biggest concern (36%), while spyware (16%) was rated as a bigger threat than disgruntled employees, remote access, and mobile devices.

    The CIOs top priority for the next 12 months was reducing costs and addressing a lack of resources. This was followed by meeting user expectations and developing effective business cases.

    The top four IT investments for the next year will be in collaborative technologies and knowledge management; systems infrastructure; back office applications; and business intelligence.

    I’m no analyst, but allow me to suggest that just because security is not the top priority or "challenge" does NOT mean they have the problem licked.   It simply means it’s not a priority!

    Perhaps it’s that these CIO’s recognize that they’ve been spending their budgets on things that aren’t making a difference and should instead be focusing on elements that positively impact corporate sustainability and survivability as an on-going concern instead?

    The most hysterical thing about this article — besides the re-cockulous premise they overly-hyped and the (likely) incorrect interpretation of results the title suggests — is that on the same page as this article which suggests the security problem is licked, we see this little blurb for a NWW podcast:

    Securityfail

    So, there we have it.  A direct tie.  Security is solved and failing, all at the same time!

    Sigh.

    /Hoff

    Categories: Information Security Tags:

    Asset Focused, Not Auditor Focused

    May 3rd, 2008 5 comments

    Grcsoup
    Gunnar Peterson wrote a great piece the other day on the latest productization craze in InfoSec – GRC (Governance, Risk Management and Compliance) wherein he asks "GRC – To Be or To Do?"

    I don’t really recall when or from whence GRC sprung up as an allegedly legitimate offering, but to me it seems like a fashionably over-sized rug under which the existing failures of companies to effectively execute on the individual G, R, and C initiatives are conveniently being swept.

    I suppose the logic goes something like this: "If you cant effectively
    govern, manage risk or measure compliance it must be because what you’re doing is fragmented and siloed.  What you need is
    a product/framework/methodology that takes potentially digestible
    deliverables and perspectives and "evolves" them into a behemoth suite instead?"

    I do not dispute that throughout most enterprises, the definitions, approaches and processes in managing each function are largely siloed and fragmented and I see the attractiveness of integrating and standardizing them, but  I am unconvinced that re-badging a control and policy framework collection constitutes a radical new approach. 

    GRC appears to be a way to sell more products and services under a fancy new name to address problems rather than evaluate and potentially change the way in which we solve them.  Look at who’s pushing this: large software companies and consultants as well as analysts looking to pin their research to something more meaningful.

    From a first blush, GRC isn’t really about governance or managing risk.  It’s audit-driven compliance all tarted up.

    It’s a more fashionable way of getting all your various framework and control definitions in one place and appealing to an auditor’s desire for centralized "stuff" in order to document the effectiveness of controls and track findings against some benchmark.  I’m not really sure where the business-driven focus comes into play?

    It’s also sold as a more efficient way of reducing the scope and costs of manual process controls.  Fine.  Can’t argue with that.  I might even say it’s helpful, but at what cost?

    Gunnar said:

    GRC (or Governance, Risk Management, and Compliance for
    the uninitiated) is all the rage, but I have to say I think that again
    Infosec has the wrong focus.

    Instead of Risk Management helping to deliver transparent Governance and as a natural by-product demonstrate compliance as a function of the former, the model’s up-ended with compliance driving the inputs and being mislabeled.

    As I think about it, I’m not sure GRC would be something a typical InfoSec function would purchase or use unless forced which is part of the problem.  I see internal audit driving the adoption which given today’s pressures (especially in public companies) would first start in establishing gaps against regulatory compliance.

    If the InfoSec function is considering an approach that drives protecting the things that matter most and managing risk to an acceptable level and one that is not compliance-driven but rather built upon a business and asset-driven approach, rather than make a left turn Gunnar suggested:

    Personally, I am happy sticking to classic infosec knitting – delivering confidentiality, integrity, and availability through authentication, authorization, and auditing. But if you are looking for a next generation conceptual horse to bet on, I don’t think GRC is it, I would look at information survivability. Hoff’s information survivability primer is a great starting point for learning about survivability.

    Why survivability is more valuable over the long haul than GRC is that survivability is focused on assets not focused on giving an auditor what they need, but giving the business what it needs.

    Seminal paper on survivability by Lipson, et al. "survivability solutions are best understood as risk management strategies that first depend on an intimate knowledge of the mission being protected." Make a difference – asset focus, not auditor focus.

    For obvious reasons, I am compelled to say "me, too."

    I would really like to talk to someone in a large enterprise who is using one of these GRC suites — I don’t really care which department you’re from.  I just want to examine my assertions and compare them against my efforts and understanding.

    /Hoff

    Welcome To the Information Survivability/Sustainability/Centricity Circus…

    May 3rd, 2008 No comments

    Beardedlady
    Forget "Security Theater."  The "Security Circus" is in town…

    I wrote this some time ago and decided that I didn’t like the tone as it just came out as another whiny complaint against the "man."  I’m in a funny mood as I hit a threshold yesterday with all the so-called experts coming out of the woodwork lately, so I figured I’d post it because it made me chortle. 

    They Shoot Horses, Don’t They?

    To answer what seems to be a question increasing in frequency due to the surge in my blog’s readership lately, as well as being cycled through the gossip mill, I did not change the name of my blog from "Rational Security" to "Rational Survivability" due to IBM’s Val Rahmani’s charming advertisement keynote at RSA.  😉

    One might suggest that Val’s use of the mythological reference to Sisyphus wasn’t as entertaining as Noonan’s "security as the width of two horses’ asses" keynote from a couple of years ago, but her punchline served to illustrate the sad state of Information Security, even if it also wanted to make me shoot myself.

    Val’s shocking admission that IBM was "…exiting the security business,"
    that "…information security was dead," and that we should all
    celebrate by chanting "…long live [information] sustainability!" 

    This caused those of us here at Rational Survivability HQ to bow our heads in a moment of silence for the passing of yet another topical meme and catchphrase that has now been "legitimized" by industry and thus must be put out of its misery and never used again.

    You say "tomato," I say "tomato…"

    Yeah, you might argue that "sustainability" is more business-focused
    and less military-sounding than "survivability," but it’s really about
    the same concepts. 

    I’m not going to dissect her speech because that’s been done.  I have said most of what I have to say on this concept in my posts on Information Survivability and honestly, I think they are as relevant as ever. 

    You can read the first one here and follow on with the some more, here. 

    For those of you who weren’t around when it happened, I changed the name of my blog over six months ago to illustrate what is akin to the security industry’s equivalent of an introduction at an AA meeting and was so perfectly illustrated by Val’s fireside chat. 

    You know the scene.  It’s where an alcoholic stands up and admits his or her weaknesses for a vice amongst an audience of current and "former" addicts.  Hoping for a collective understanding of one’s failure and declaring the observed days of committed sobriety to date,  the goal is to convince oneself and those around you that the counter’s been reset and you’ve really changed.  Despite the possibility of relapse at any moment, the declaration of intent — the will to live sober — is all one needs.

    That and a damned good sponsor.

    And now for something completely different!

    Circustent
    That was a bloody depressing analogy, wasn’t it?  Since this was supposed to be a happy occasion, I found myself challenged to divine an even worse analogy for your viewing pleasure.   Here goes.

    That’s right.  I’m going to violate the Prime Directive and go right with the patented Analog Of Barnum & Bailey’s Circus:

    What Information Security has become is the equivalent of a carnie’s dancing poodle in the circus tent of industry. 

    Secretly we want to see the tigers eat the dude with the whip, but
    we cheer when he makes them do the Macarena anyway. 

    We all know that one day, that little Romanian kid on
    the trapeze is going to miss the triple-lindy and crash to the floor
    sans net, but we’re not willing to do anything about it and it’s the tension that makes the act work, despite the exploitative child labor practices and horrible costumes.

    We pump $180 in tokens into the ring toss to win an $11 stuffed animal, because it’s the effort that counts, not the price.

    We’re all buying tickets, suffering through the stupid antics of the clowns piling out of the tiny little car in the spotlight hoping that the elephant act at the end of the show is going to be worth the price of admission. 

    At the end of the night, we leave exhausted, disappointed, broke and smelling like sweaty caramel apples and stale pretzels…wondering when they’ll be back next year so we can take the kids.

    See, I told you it was awful.  But you know what’s much worse than my shitty little clown analogy? 

    Reality.

    Come one, come all.  Let Me Guess Your Weight!

    So in today’s time of crappy economics when money is hard to come by,
    it’s now as consumers that we start to pay attention to these practices
    — this circus.  It’s now that we start to demand that these alleged
    predatory vendors actually solve our business problems and attend to
    our issues rather than simply recycle the packaging.

    So when life hands vendors a lemon, they make marketingade, charge us $4.50 a pop and we still drink it.

    Along those lines, many mainstream players have now begun to work
    their marketing sideshows by pitching the supposedly novel themes of
    sustainability, survivability, or information centricity.  It’s a surreptitiously repentant admission that all the peanuts and popcorn they’ve been selling us while all along we ooh and ahh at the product equivalents of the bearded lady, werewolf children and the world’s tallest man still climax at the realization that it’s all just an act.

    At the end of the night, they count their money, tear down the tents and move on.  When the bearded lady gets a better gig, she bails and they bring in the dude with the longest mustache.  Hey, hair is hair; it’s just packaged differently, and we go to ogle at the newest attraction.

    There’s no real punchline here folks, just the jaded, bitter and annoyed comments of someone who’s becoming more and more like the grumpy folks he always made fun of at bingo night and a stark realization of just how much I hate the circus.

    /Hoff

    Endpoint Security vs. DLP? That’s Part Of the Problem…

    March 31st, 2008 6 comments

    Sandisk
    Larry Walsh wrote something (Defining the Difference Between Endpoint Security and Data Loss Prevention) that sparked an interesting debate based upon a vendor presentation given to him on "endpoint security" by SanDisk.

    SanDisk is bringing to market a set of high-capacity USB flash drives that feature built-in filesystem encryption as well as strong authentication and access control.  If the device gets lost with the data on it, it’s "safe and secure" because it’s encrypted.  They are positioning this as an "endpoint security" solution.

    I’m not going to debate the merits/downsides of that approach because I haven’t seen their pitch, but suffice it to say, I think it’s missing a "couple" of pieces to solve anything other than a very specific set of business problems.

    Larry’s dilemma stems from the fact that he maintains that this capability and functionality is really about data loss protection and doesn’t have much to do with "endpoint security" at all:

    We debated that in my office for a few minutes. From my perspective, this solution seems more like a data loss prevention solution than endpoint security. Admittedly, there are many flavors of endpoint security. When I think of endpoint security, I think of network access control (NAC), configuration management, vulnerability management and security policy enforcement. While this solution is designed for the endpoint client, it doesn’t do any of the above tasks. Rather, it forces users to use one type of portable media and transparently applies security protection to the data. To me, that’s DLP.

    In today’s market taxonomy, I would agree with Larry.  However, what Larry is struggling with is not really the current state of DLP versus "endpoint security," but rather the future state of converged information-centric governance.  He’s describing the problem that will drive the solution as well as the inevitable market consolidation to follow.

    This is actually the whole reason Mogull and I are talking about the evolution of DLP as it exists today to a converged solution we call CMMP — Content Management, Monitoring and Protection. {Yes, I just added another M for Management in there…}

    What CMMP represents is the evolved and converged end-state technology integration of solutions that today provide a point solution but "tomorrow" will be combined/converged into a larger suite of services.

    Off the cuff, I’d expect that we will see at a minimum the following technologies being integrated to deliver CMMP as a pervasive function across the information lifecycle and across platforms in flight/motion and at rest:

    • Data leakage/loss protection (DLP)
    • Identity and access management (IAM)
    • Network Admission/Access Control (NAC)
    • Digital rights/Enterprise rights management (DRM/ERM)
    • Seamless encryption based upon "communities of interest"
    • Information classification and profiling
    • Metadata
    • Deep Packet Inspection (DPI)
    • Vulnerability Management
    • Configuration Management
    • Database Activity Monitoring (DAM)
    • Application and Database Monitoring and Protection (ADMP)
    • etc…

    That’s not to say they’ll all end up as a single software install or network appliance, but rather a consolidated family of solutions from a few top-tier vendors who have coverage across the application, host and network space. 

    If you were to look at any enterprise today struggling with this problem, they likely have or are planning to have most of the point solutions above anyway.  The difficulty is that they’re all from different vendors.  In the future, we’ll see larger suites from fewer vendors providing a more cohesive solution.

    This really gives us the "cross domain information protection" that Rich talks about.

    We may never achieve the end-state described above in its entirety, but it’s safe to say that the more we focus on the "endpoint" rather than the "information on the endpoint," the bigger the problem we will have.

    /Hoff