Archive for May, 2008

Down Under: Where Security Is SO Last Tuesday…

May 7th, 2008 3 comments

I read this article from Network World (Australia) where the author relayed the pinnings of C-levels from Australia and New Zealand by titling his story thusly: "If only reducing costs was as easy as security, say CIOs"

It seems that, based upon a recent study, IDC has declared that "…conquering IT security is a breeze for CIOs."

I’m proud of my Kiwi lineage, but I had no idea my peeps were so ahead of the curve when it comes to enlightened advancements in IT security governance.  They must all deploy GRC suites and UTM or something? 

Anton, there must be something in the logs down there!

As per that famous line in "When Harry Met Sally," I respond with "I’ll have what [s]he’s having…" 

Check this out:

The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector.

Information security was rated last place in the Top 10 challenges for CIOs.

Threats targeting the application layer were cited as the biggest concern (36%), while spyware (16%) was rated as a bigger threat than disgruntled employees, remote access, and mobile devices.

The CIOs’ top priority for the next 12 months was reducing costs and addressing a lack of resources. This was followed by meeting user expectations and developing effective business cases.

The top four IT investments for the next year will be in collaborative technologies and knowledge management; systems infrastructure; back office applications; and business intelligence.

I’m no analyst, but allow me to suggest that just because security is not the top priority or "challenge" does NOT mean they have the problem licked. It simply means it’s not a priority!

Perhaps it’s that these CIOs recognize that they’ve been spending their budgets on things that aren’t making a difference and should instead be focusing on elements that positively impact corporate sustainability and survivability as an on-going concern?

The most hysterical thing about this article — besides the re-cockulous premise they overly-hyped and the (likely) incorrect interpretation of results the title suggests — is that on the same page as this article which suggests the security problem is licked, we see this little blurb for a NWW podcast:


So, there we have it.  A direct tie.  Security is solved and failing, all at the same time!



Categories: Information Security

Virtualizing Security Will NOT Save You Money; It Will Cost You More

May 7th, 2008 6 comments

In my post titled "The Four Horsemen Of the Virtualization Apocalypse" I brought to light what I think are some nasty performance, resilience, configuration and capacity planning issues in regards to operationalizing virtualized security within the context of security solutions as virtual appliances/VMs in hosts.

This point was really intended to be discussed outside of the context of virtualizing security in physical switches, and I’ll get to that point and what it means in relation to this topic in a later post.

I wanted to reiterate the point I made when describing the fourth horseman, Famine, summarized by what I called "Spinning VM straw into budgetary gold:"

By this point you probably recognize that you’re going to be deploying the same old security software/agents to each VM and then adding at least one VA to each physical host, and probably more. Also, you’re likely not going to do away with the hardware-based versions of these appliances on the physical networks.

That also means you’re going to be adding additional monitoring points on the network and who is going to do that?  The network team?  The security team?  The, gulp, virtual server admin team?

What does this mean?  With all this consolidation, you’re going to end up spending MORE on security in a virtualized world instead of less.

This is a really important issue because over the last few weeks, I’ve seen more and more discussions surrounding virtualization TCO and ROI calculations, but most simply do not take these points into consideration.

We talk about virtualization providing cooling, power and administrative cost-avoidance and savings.  We hear about operational efficiencies, improved service levels and agility, increased resource utilization and reduced carbon footprint. 

That’s great, but with all this virtualized and converged functionality now "simplified" into a tab or two in the management console of your favorite virtualization platform provider, the complexity and operational issues related to security have just faded into the background and been thought of as having been absorbed or abstracted away.

I suppose that might point to why many simply think that security ought to be nothing more than a drop-down menu and checkbox because in most virtualization platforms, it is!

When thinking about this, I rationalized the experience and data points against my concern related to security’s impact on performance, scale, and resiliency to arrive at what I think explains this behavior:

Most of the virtualization implementations today, regardless of whether they are client, server, production/QA or otherwise, are still internally-facing and internally-located.  There are not, based upon my briefings and research, a lot of externally-facing "classically DMZ’d" virtualized production instances.

This means that, given the general lack of segmentation of internal networks (from both a networking and security perspective), the number of network security controls in place is small.

Following that logic, one can then assume that short of the existing host-based controls which are put in place with every non-virtualized server install, most people continue this operational practice in their virtualized infrastructure; what they did yesterday is what they do today. 

Couple that with the lack of compelling security technologies available for deployment in virtual hosts, and most people have yet to start implementing multiple security virtual appliances on the same host.

Why would people worry about this now? It’s not really a problem…now.

When we start to see folks ramp up virtual host-based security solutions to protect against intra-VM threats and vulnerabilities (whether internally or externally-facing) as well as to prevent jail-breaking and leapfrog attacks against the underlying hypervisors, we’ll start to see these problems bubble to the surface.

What are your thoughts?  Are you thinking about these issues as you plan your virtualization roll-outs?


Categories: Virtualization

The Five Laws Of Virtualization – Not Immutable Any More?

May 3rd, 2008 10 comments


Update: Please read the comments section.  Rather than force playing blog pong, I’ve cross-posted some of the comment thread from Lindstrom’s blog.

I believe I’ve offered up a clear present and future case that invalidates "immutable" law #1. Pete, of course, disagrees…

I’ve commented a couple of times about the confusingly contradictory nature of Lindstrom’s (Burton) "Five Immutable Laws of Virtualization." I go back every once in a while and try to utilize them as suggested by their author to see what pops out the other end:

When combining the standard risk principles with an understanding of the use cases of virtualization, a set of immutable laws can be derived to assist in securing virtual environments

I’m not sure I really ever got an answer to what those "…standard risk principles" are and as such, there seems to exist a variability based upon interpretation that again makes me scratch my head when staring at the word "immutable."

So I try and overlook the word (as did the author/editor in the title of the Baseline magazine article below — it was omitted) and I find myself back where I started which sort of makes sense given the somewhat reflexive and corollary nature of these "laws."   

This is where I get stuck.  I don’t know whether to interpret each law as though it can stand on its own or the group as a whole.

Basically, I have a hard time seeing how they enable making more effective risk management decisions any easier.  I will admit, it could just be me…

Further, I’ve noticed the very careful choice of words used in these laws, and interestingly they don’t appear to be consistently referenced which would defeat the purpose of calling them "immutable," no?

Take for example the original wording of the five laws from Burton’s original minting and compare it against an article appearing in Baseline magazine from the same author(s) — Lindstrom in this case:

Original Burton Article Example:

Law 1: Attacks against the OS and applications of a physical system have the exact same damage potential against a duplicate virtual system.

Baseline Magazine Article Example:

Law 1. Attacking a virtual combination of operating systems and applications is exactly the same as attacking the physical system it replicates.

This example may seem subtle and unimportant, but I maintain it is not. I suggest that they mean very different things indeed. I mean, if these are "laws," they’re not something you get to reword at a whim. I trust I don’t have to explain why.

One could have lots of fun with the Constitution if that were the case. 😉

There are additional differences scattered throughout the two articles.  See if they appeal differently to you as they did to me.

Now, I’m sure Pete’s going to suggest I’m picking nits and that I’m missing the spirit and intent of these "laws," but before he does, I’m going to remind him that I didn’t come up with the title, he did.  I’m merely stuck on trying to assess whether these are actually "immutable" or "refutable" but I am admittedly still having trouble getting past step #1.

Help a brother out.  Explain these to me to where they make sense.  Pete tried and it didn’t stick.  Maybe you can help?


Categories: Virtualization

Asset Focused, Not Auditor Focused

May 3rd, 2008 5 comments

Gunnar Peterson wrote a great piece the other day on the latest productization craze in InfoSec – GRC (Governance, Risk Management and Compliance) wherein he asks "GRC – To Be or To Do?"

I don’t really recall when or from whence GRC sprung up as an allegedly legitimate offering, but to me it seems like a fashionably over-sized rug under which the existing failures of companies to effectively execute on the individual G, R, and C initiatives are conveniently being swept.

I suppose the logic goes something like this: "If you can’t effectively govern, manage risk or measure compliance, it must be because what you’re doing is fragmented and siloed. What you need is a product/framework/methodology that takes potentially digestible deliverables and perspectives and "evolves" them into a behemoth suite instead?"

I do not dispute that throughout most enterprises, the definitions, approaches and processes in managing each function are largely siloed and fragmented, and I see the attractiveness of integrating and standardizing them, but I am unconvinced that re-badging a control and policy framework collection constitutes a radical new approach.

GRC appears to be a way to sell more products and services under a fancy new name to address problems rather than evaluate and potentially change the way in which we solve them.  Look at who’s pushing this: large software companies and consultants as well as analysts looking to pin their research to something more meaningful.

From a first blush, GRC isn’t really about governance or managing risk.  It’s audit-driven compliance all tarted up.

It’s a more fashionable way of getting all your various framework and control definitions in one place and appealing to an auditor’s desire for centralized "stuff" in order to document the effectiveness of controls and track findings against some benchmark.  I’m not really sure where the business-driven focus comes into play?

It’s also sold as a more efficient way of reducing the scope and costs of manual process controls.  Fine.  Can’t argue with that.  I might even say it’s helpful, but at what cost?

Gunnar said:

GRC (or Governance, Risk Management, and Compliance for the uninitiated) is all the rage, but I have to say I think that again Infosec has the wrong focus.

Instead of Risk Management helping to deliver transparent Governance and as a natural by-product demonstrate compliance as a function of the former, the model’s up-ended with compliance driving the inputs and being mislabeled.

As I think about it, I’m not sure GRC would be something a typical InfoSec function would purchase or use unless forced which is part of the problem.  I see internal audit driving the adoption which given today’s pressures (especially in public companies) would first start in establishing gaps against regulatory compliance.

If the InfoSec function is considering an approach that drives protecting the things that matter most and managing risk to an acceptable level, one that is not compliance-driven but rather built upon a business and asset-driven approach, then rather than make a left turn, Gunnar suggested:

Personally, I am happy sticking to classic infosec knitting – delivering confidentiality, integrity, and availability through authentication, authorization, and auditing. But if you are looking for a next generation conceptual horse to bet on, I don’t think GRC is it, I would look at information survivability. Hoff’s information survivability primer is a great starting point for learning about survivability.

Why survivability is more valuable over the long haul than GRC is that survivability is focused on assets not focused on giving an auditor what they need, but giving the business what it needs.

Seminal paper on survivability by Lipson, et al. "survivability solutions are best understood as risk management strategies that first depend on an intimate knowledge of the mission being protected." Make a difference – asset focus, not auditor focus.

For obvious reasons, I am compelled to say "me, too."

I would really like to talk to someone in a large enterprise who is using one of these GRC suites — I don’t really care which department you’re from.  I just want to examine my assertions and compare them against my efforts and understanding.


Shimel’s in Der Himmel & Stiennon’s A Mean-Un…NAC Dust-Up Part Deux.

May 3rd, 2008 2 comments

Nothing to see here folks.  Move along…

This is like a bad episode of "Groundhog Day" meets "Back To the Future." 

You know, when you wake every day to the same daymare where one person’s touting that features like NAC are the next flux capacitor while another compares its utility to that of sandpaper in the toilet roll dispensers in a truck stop restroom? 

I know Internet blog debates like this get me more excited than having my nipples connected to jumper cables and being waterboarded whilst simultaneously shocked with 1.21 Jigawatts…

Alan Shimel’s post ("Stiennon says NAC is dead – I must be in heaven!") in response to Stiennon’s entry ("Don’t even bother investing in Network Admission Control") is hysterical.


Because it’s the exact arguments (here and here) they had back in August 2007 when I refereed (see below) the squabble the first time around and demonstrated convincingly how they were both right and both wrong.  The silly little squabble — like most things — is all a matter of perspective.

I’d suggest that if you want a quick summary of the arguments without having to play blog pong, you can just read my summary from last year, as none of their arguments have changed.


P.S. The German word "himmel" translates to "heaven" (and sky) in English…funny given Shimmy’s post title, methinks…

Categories: Network Access Control

Welcome To the Information Survivability/Sustainability/Centricity Circus…

May 3rd, 2008 No comments

Forget "Security Theater."  The "Security Circus" is in town…

I wrote this some time ago and decided that I didn’t like the tone as it just came out as another whiny complaint against the "man."  I’m in a funny mood as I hit a threshold yesterday with all the so-called experts coming out of the woodwork lately, so I figured I’d post it because it made me chortle. 

They Shoot Horses, Don’t They?

To answer what seems to be a question increasing in frequency due to the surge in my blog’s readership lately, as well as being cycled through the gossip mill, I did not change the name of my blog from "Rational Security" to "Rational Survivability" due to IBM’s Val Rahmani’s charming advertisement keynote at RSA.  😉

One might suggest that Val’s use of the mythological reference to Sisyphus wasn’t as entertaining as Noonan’s "security as the width of two horses’ asses" keynote from a couple of years ago, but her punchline served to illustrate the sad state of Information Security, even if it also wanted to make me shoot myself.

Val’s shocking admission that IBM was "…exiting the security business," that "…information security was dead," and that we should all celebrate by chanting "…long live [information] sustainability!"

This caused those of us here at Rational Survivability HQ to bow our heads in a moment of silence for the passing of yet another topical meme and catchphrase that has now been "legitimized" by industry and thus must be put out of its misery and never used again.

You say "tomato," I say "tomato…"

Yeah, you might argue that "sustainability" is more business-focused and less military-sounding than "survivability," but it’s really about the same concepts.

I’m not going to dissect her speech because that’s been done.  I have said most of what I have to say on this concept in my posts on Information Survivability and honestly, I think they are as relevant as ever. 

You can read the first one here and follow on with some more, here.

For those of you who weren’t around when it happened, I changed the name of my blog over six months ago to illustrate what is akin to the security industry’s equivalent of an introduction at an AA meeting and was so perfectly illustrated by Val’s fireside chat. 

You know the scene.  It’s where an alcoholic stands up and admits his or her weaknesses for a vice amongst an audience of current and "former" addicts.  Hoping for a collective understanding of one’s failure and declaring the observed days of committed sobriety to date,  the goal is to convince oneself and those around you that the counter’s been reset and you’ve really changed.  Despite the possibility of relapse at any moment, the declaration of intent — the will to live sober — is all one needs.

That and a damned good sponsor.

And now for something completely different!

That was a bloody depressing analogy, wasn’t it?  Since this was supposed to be a happy occasion, I found myself challenged to divine an even worse analogy for your viewing pleasure.   Here goes.

That’s right.  I’m going to violate the Prime Directive and go right with the patented Analog Of Barnum & Bailey’s Circus:

What Information Security has become is the equivalent of a carnie’s dancing poodle in the circus tent of industry. 

Secretly we want to see the tigers eat the dude with the whip, but we cheer when he makes them do the Macarena anyway.

We all know that one day, that little Romanian kid on the trapeze is going to miss the triple-lindy and crash to the floor sans net, but we’re not willing to do anything about it, and it’s the tension that makes the act work, despite the exploitative child labor practices and horrible costumes.

We pump $180 in tokens into the ring toss to win an $11 stuffed animal, because it’s the effort that counts, not the price.

We’re all buying tickets, suffering through the stupid antics of the clowns piling out of the tiny little car in the spotlight hoping that the elephant act at the end of the show is going to be worth the price of admission. 

At the end of the night, we leave exhausted, disappointed, broke and smelling like sweaty caramel apples and stale pretzels…wondering when they’ll be back next year so we can take the kids.

See, I told you it was awful.  But you know what’s much worse than my shitty little clown analogy? 


Come one, come all.  Let Me Guess Your Weight!

So in today’s time of crappy economics when money is hard to come by, it’s now as consumers that we start to pay attention to these practices — this circus. It’s now that we start to demand that these alleged predatory vendors actually solve our business problems and attend to our issues rather than simply recycle the packaging.

So when life hands vendors a lemon, they make marketingade, charge us $4.50 a pop and we still drink it.

Along those lines, many mainstream players have now begun to work their marketing sideshows by pitching the supposedly novel themes of sustainability, survivability, or information centricity. It’s a surreptitiously repentant admission that all the peanuts and popcorn they’ve been selling us while all along we ooh and ahh at the product equivalents of the bearded lady, werewolf children and the world’s tallest man still climax at the realization that it’s all just an act.

At the end of the night, they count their money, tear down the tents and move on.  When the bearded lady gets a better gig, she bails and they bring in the dude with the longest mustache.  Hey, hair is hair; it’s just packaged differently, and we go to ogle at the newest attraction.

There’s no real punchline here folks, just the jaded, bitter and annoyed comments of someone who’s becoming more and more like the grumpy folks he always made fun of at bingo night and a stark realization of just how much I hate the circus.