Archive for the ‘General Rants & Raves’ Category

Tell Me Again How Google Isn’t Entering the Security Market? GooglePOPs will Bring Clean Pipes…

July 9th, 2007

Not to single out Jeremiah, but in my Take5 interview with him, I asked him the following:

3) What do you make of Google’s foray into security?  We’ve seen them crawl sites and index malware.  They’ve launched a security  blog.  They acquired GreenBorder.  Do you see them as an emerging force to be reckoned with in the security space?

…to which he responded:

I doubt Google has plans to make this a direct revenue generating  exercise. They are a platform for advertising, not a security company. The plan is probably to use the malware/solution research  for building in better security in Google Toolbar for their users.  That would seem to make the most sense. Google could monitor a user’s  surfing habits and protect them from their search results at the same time.

To be fair, this was a loaded question because my opinion is diametrically opposed to his.   I believe Google *is* entering the security space and will do so in many vectors and it *will* be revenue generating. 

This morning’s news that Google is acquiring Postini for $625 Million dollars doesn’t surprise me at all and I believe it proves the point. 

In fact, I reckon that in the long term we’ll see the evolution of the Google Toolbar morph into a much more intelligent and rich client-side security application proxy service whereby Google actually utilizes client-side security of the Toolbar paired with the GreenBorder browsing environment and tunnel/proxy all outgoing requests to GooglePOPs.

What’s a GooglePOP?

These GooglePOPs (Google Point of Presence) will house large search and caching repositories that will — in conjunction with services such as those from Postini — provide a "clean pipes" service to the consumer.  Don’t forget utility services that recent acquisitions such as GrandCentral and FeedBurner provide…it’s too bad that eBay snatched up Skype…

Google will, in fact, become a monster ASP.  Note that I said ASP and not ISP.  ISP is a commoditized function.  Serving applications and content as close to the user as possible is fantastic.  So pair all the client side goodness with security functions AND add GoogleApps and you’ve got what amounts to a thin client version of the Internet.

Remember all those large sealed shipping containers (not unlike Sun’s Project Blackbox) that Google is rumored to place strategically around the world — in conjunction with their mega datacenters?  I think it was Cringely who talked about this back in 2005:

In one of Google’s underground parking garages in Mountain View … in a secret area off-limits even to regular GoogleFolk, is a shipping container. But it isn’t just any shipping container. This shipping container is a prototype data center.

Google hired a pair of very bright industrial designers to figure out how to cram the greatest number of CPUs, the most storage, memory and power support into a 20- or 40-foot box. We’re talking about 5000 Opteron processors and 3.5 petabytes of disk storage that can be dropped-off overnight by a tractor-trailer rig.

The idea is to plant one of these puppies anywhere Google owns access to fiber, basically turning the entire Internet into a giant processing and storage grid.

Imagine that.  Buy a ton of dark fiber, sprout hundreds of these PortaPOPs/GooglePOPs and you’ve got the Internet v3.0.

Existing transit folks that aren’t Yahoo/MSN will ultimately yield to the model because it will reduce their costs for service and they will basically pay Google to lease these services for resale back to their customers (with re-branding?) without the need to pay for all the expensive backhaul.

Your Internet will be served out of cache…"securely."  So now instead of just harvesting your search queries, Google will have intimate knowledge of ALL of your browsing — scratch that — all of your network-based activity.   This will provide for not only much more targeted ads, but also the potential for ad insertion, traffic prioritization to preferred Google advertisers all the while offering "protection" to the consumer.

SMB’s and the average Joe consumers will be the first to embrace this as cost-based S^2aaS (Secure Software as a Service) becomes mainstream and this will then yield a trickle-up to the Enterprise and service providers as demand will pressure them into providing like levels of service…for free.

It’s not all scary, but think about it…

Akamai ought to be worried.  Yahoo and MSN should be worried.  The ISP’s of the world investing in clean pipes technologies ought to be worried (I’ve blogged about Clean Pipes here.)

Should you be worried?  Methinks the privacy elements of all this will spur some very interesting discussions.

Talk amongst yourselves.

/Hoff

(Didn’t see Newby’s post here prior to writing this…good on-topic commentary.  Dennis Fisher over at the SearchSecurity Blog has an interesting Microsoft == Google perspective.)

Fat Albert Marketing and the Monetizing of Vulnerability Research

July 8th, 2007

Over the last couple of years, we’ve seen the full spectrum of disclosure and "research" portals arrive on scene; examples stem from the Malware Distribution Project to 3Com/TippingPoint’s Zero Day Initiative.  Both of these examples illustrate ways of monetizing the output trade of vulnerability research.   

Good, bad or indifferent, one would be blind not to recognize that these services are changing the landscape of vulnerability research and pushing the limits which define "responsible disclosure."

It was only a matter of time until we saw the mainstream commercial emergence of the open vulnerability auction which is just another play on the already contentious marketing efforts blurring the lines between responsible disclosure for purely "altruistic" reasons versus commercial gain.

Enter Wabisabilabi, the eBay of Zero Day vulnerabilities.

This auction marketplace for vulnerabilities is marketed as a Swiss "…Laboratory & Marketplace Platform for Information Technology Security" which "…helps customers defend their databases, IT infrastructure, network, computers, applications, Internet offerings and access."

Despite a name which sounds like Mushmouth from Fat Albert created it (it’s Japanese in origin, according to the website), I am intrigued by this concept and whether or not it will take off.

I am, however, a little unclear on how customers are able to purchase a vulnerability and then become more secure in defending their assets. 

A vulnerability without an exploit, some might suggest, is not a vulnerability at all — or at least it poses little temporal risk.  This is a fundamental debate of the definition of a Zero-Day vulnerability. 

Further, a vulnerability that has a corresponding exploit but without a countermeasure (patch, signature, etc.) is potentially just as useless to a customer if you have no way of protecting yourself.

If you can’t manufacture a countermeasure, even if you hoard the vulnerability and/or exploit, how is that protection?  I suggest it’s just delaying the inevitable.

I am wondering how long until we see the corresponding auctioning off of the exploit and/or countermeasure?  Perhaps by the same party that purchased the vulnerability in the first place?

Today in the closed loop subscription services offered by vendors who buy vulnerabilities, the subscribing customer gets the benefit of protection against a threat that they may not even know they have, but for those who can’t or won’t pony up the money for this sort of subscription (which is usually tied to owning a corresponding piece of hardware to enforce it), there exists a point in time between when the vulnerability is published and when this knowledge is made available universally.

Depending upon this delta, these services may be doing more harm than good to the greater populace.

In fact, Dave G. over at Matasano argues quite rightly that by publishing even the basic details of a vulnerability, "researchers" will be able to more efficiently locate the chunks of code wherein the vulnerability exists and release this information publicly — code that was previously not known to even have a vulnerability.

Each of these example vulnerability service offerings describes how the vulnerabilities are kept away from the "bad guys" by qualifying their intentions based upon the ability to pay for access to the malicious code (we all know that criminals are poor, right?)  Here’s what the Malware Distribution Project describes as the gatekeeper function:

Why Pay?

Easy; it keeps most, if not all of the malicious intent, outside the gates. While we understand that it may be frustrating to some people with the right intentions not allowed access to MD:Pro, you have to remember that there are a lot of people out there who want to get access to malware for malicious purposes. You can’t be responsible on one hand, and give open access to everybody on the other, knowing that there will be people with expressly malicious intentions in that group.

ZDI suggests that by not reselling the vulnerabilities but rather protecting their customers and ultimately releasing the code to other vendors, they are giving back:

The Zero Day Initiative (ZDI) is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com later provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

As if you haven’t caught on yet, it’s all about the Benjamins. 

We’ve seen the arguments ensue regarding third party patching.  I think that this segment will heat up because in many cases it’s going to be the fastest route to protecting oneself from these rapidly emerging vulnerabilities you didn’t know you had.

/Hoff

BrokeNAC Mountain – “I wish I knew how to quit you.”

June 25th, 2007

An entire day and forum dedicated to NAC in the NYC?  Huh.  I thought we did that at InterOp and RSA already!?  I suppose it’s necessary to wade through all the, uh, information surrounding the second coming of network security.

If someone builds one for UTM, I will kill myself.   

Oh NAC…I wish I knew how to quit you!

(I was going to photoshop the poster to the left including Alan Shimel and changing the title to BrokeNAC Mountain, but I can’t find my Photoshop CD and I’ve got a plane to catch to Milan…)

I’ve made it clear that I think NAC (Network Admission Control and Network Access Control) is valuable and worth investing in as part of a layered defense.  It ain’t the silver bullet of security, however.  Maybe Stiennon can come up with a new name for it and it will be?

I’ve also made it clear that despite the biggest amount of hype since the Furby, NAC will become a feature as part of a conglomeration of solutions in the short term (24 months); it already is a replacement blanket marketing term for companies that used to be SSL VPN’s that then became IPS’s that are now NAC.  Look at the companies that now claim they’re NAC-focused.  That’s usually because the "market" they were in previously collapsed — just like NAC will.

It seems that NAC’s relationship with the world plays out just like a scene from Brokeback Mountain where the two main characters discuss whether the public sees through the thin facade of the uneasy relationship they project to the world — just like the front NAC puts on:

Ennis Del Mar: You ever get the feelin’… I don’t know, er… when you’re in town and someone looks at you all suspicious, like he knows? And then you go out on the pavement and everyone looks like they know too?

Jack Twist: [Casually] Well… maybe you oughta get out of there, you know? Find yourself someplace different. Maybe Texas.

Ennis Del Mar: [Sarcastically] Texas? Sure, maybe you can convince Alma to let you and Lureen to adopt the girls. And we can just live together herding sheep. And it’ll rain money from LD Newsome and whiskey’ll flow in the streams – Jack, that’s real smart.

Jack Twist: Go to hell, Ennis. If you wanna live your miserable fuckin’ life, then go right ahead.

Ennis Del Mar: Fine.

Jack Twist: I was just thinkin’ out loud.

Ennis Del Mar: Yep, you’re a real thinker there. Goddamn. Jack fuckin’ Twist; got it all figured out, ain’t ya?

If the next NAC Forum is held in Texas, you’ll know the end of the world is near…’course there ain’t nuthin’ wrong with the heavens rainin’ money and streams full-a whiskey…

At any rate, I was catching up on my back-dated blog entries and just read Dom Wilde’s (Nevis Networks Illuminations Blog) summary of the Network Computing NAC 2007 Forum and couldn’t help but chuckle.  Shimel’s review seemed a little more upbeat compared to Dom’s, but since Alan got stalked by a blogger paparazzi in a three-wheeled, pedal-powered rickshaw, I can see why.

Snippet Summary from Dom’s Post:

It’s little wonder that people are confused about NAC.  Too many times during the day I found myself with a furrowed brow trying to delineate between reality and fiction…Disappointing moment of the day – 7 panelists on the OOB panel frying the audience’s collective brain, by taking 10 minutes each to say "me too".  Result: half the audience didn’t return after lunch for more lively and concise discussions on in-line and framework based solutions, and more critically, to hear narratives and lessons learned from people who have deployed NAC.

Snippet Summary from Alan’s Post:

Anyway, it was a great way for people looking at deploying NAC to come up and touch and feed a real live NAC vendor. Ultimately, you still have to install the product and play with it yourself to see if it works.  There were lots of claims and NAC crap flying today.  I also would like to see more of a panel answering questions than just giving our elevator pitch powerpoints to the crowd.  Still a worthwhile day and a good job by Network Computing. I think all of the elevator pitches will be posted on NC site soon.

Sounds great.

Both Dom and Alan’s companies provide NAC solutions.  Both were at the show.  Both seem to convey the sense that this was more circus than it was scholarly.  I’m not sure that’s because it was focused on NAC or because in general most conferences/forums are completely useless, but I’m interested in anyone else’s opinion from those who were there.

/Hoff

How to Kick Ass in Information Security — Hoff’s Spiritually-Enlightened Top Ten Guide to Health, Wealth and Happiness

June 24th, 2007

I’ve spent a while in this business and have been doing time on planet Earth in a variety of roles in the security field; I’ve been a consumer, a CISO, a reseller, a service provider, and a vendor, so I think I have a good sense of shared empathy across the various perspectives that make up the industry’s collective experience.

I get to spend my time traveling around the world speaking to very smart people; overworked, tired, cynical, devoted, and fanatical security folks who are all trying to do the right thing within the context of the service they provide their respective businesses and customers.

A lot of them are walking around in a trance however, locked into the perpetual hamster wheel of misery that many will have you believe is all security can ever be.  That’s bullshit.  I love my job; I’ve loved every one of them in this space.  They have all had their ups and downs, but I know that I’ve made a positive difference in every one because I believe in what I’m doing and more importantly I believe in how I’m doing it.   If you want to manifest misery, then you will.  If you want to change the way security is perceived, you will.

Most of the people I speak to all have the identical set of problems and for some reason seem to be stuck in the same pattern and not doing much about trying to solve them.  Now, I’m not going to try and get all preachy, but when I hear the same thing over and over, up and down the stack from the Ops trenches to the CSO and nobody seems to be able to gain traction towards a solution, I’m puzzled as to whether it’s the problem or the answer people are seeking.

In many cases, people feel the need to solve problems themselves.  It’s the classic “Dad won’t pull into the gas station to ask directions when he’s lost” syndrome.  Bad form.   Let’s just pull over for a second and see if we can laugh this thing off and then get back on the road with a map.

I thought that I’d summarize what I’ve heard and articulate it with my top ten things that anyone who is responsible for architecting, deploying, managing and supporting an information security program should think about as they go about their jobs.   This isn’t meant to compete with Rothman’s Pragmatic CSO book, but if you want to send me, say, half the money you would have sent him, I’m cool with that.

These are not in any specific order:

1.    Measure Something
I don’t care whether you believe in calling this “metrics” or not.  If you’ve got a pulse and a brain (OK, you probably need both for this) then you need to recognize that the axiom “you can’t manage what you don’t measure” is actually true, and the output – no matter what you call it – is vitally important if you expect to be taken seriously.

Accountants have P&L statements because they operate around practices that allow them to measure the operational integrity and fiscal sustainability of a business.  Since security is a functional service mechanism of the business, you should manage what you do as a business.

I’m not saying you need to demonstrate ROI, ROSI, or RROI, but for God’s sake, in order to gauge the efficiency, efficacy and investment-worthiness of what you’re doing, you need to understand what to focus on and what to get around to when you can spare cycles.  Be transparent about what you’re doing and why to management.  If you have successes, celebrate them.  If you have failures, provide a lessons-learned and move on.

You don’t need a degree in statistics, either.  If you want some good clue as to what you can easily do to start off measuring and reporting, please buy this.  Andy Jaquith, while stunningly handsome and yet quaintly modest (did I say that correctly, Andy?) knows his shizzle.

2.    Budget Isn’t Important
That’s right, budget isn’t important, it’s absolutely everything.   If you don’t manage your function like it is a business burning your own cash then you won’t survive over the long term.  Running a business takes money.  If you don’t have any, well…  As my first angel investor, Charles Ying taught me, “Cash is King.”   I only wish I learned this and applied it earlier.

If you lead a group, a team or a department and you come to the second budget cycle (the first you probably had no control over since you inherited it) under your watch and you open the magic envelope to discover that you don’t have the budget to execute on the initiatives in your security program that align to the initiatives of supporting the business, then quit.

You should quit because it’s your fault. It means you didn’t do your job.  It means you’re not treating things seriously as a set of business concerns.

Whether you’re in a downcycle budget-cutting environment or not, it’s your job to provide the justification and business-aligned focus to get the money you need to execute.  That may mean outsourcing.  That may mean you do more with less.  That may mean that you actually realize that there are tradeoffs that you need to illustrate which indicate risk, reward and investment strategies, and let someone else make the business decision to fund them or not.

Demonstrate what you can offer the business from your security portfolio and why it’s worth investing in.  You won’t be able to do everything.  Learn to stack the deck and play the game.  Anyone who tells you that a budget cycle isn’t a game is (1) a lousy liar, (2) someone who doesn’t have any budget and (3) nobody you need to listen to.

3.    Don’t Be a Technology Crack-Whore
If you continue to focus on technology to solve the security “problem” without the underlying business process improvement, automation and management & measurement planes in place to demonstrate what, why and how you’re doing things, then you’re doomed.   I’m not going to re-hash the ole “People, Process and Technology” rant as that’s overplayed.

Learn to optimize.  Learn to manage your security technology investments as a portfolio of services that can be cross-functionally leveraged across lines of business and operationalized and cost-allocated across IT.

Learn to recognize trends and invest your time and energy in understanding what, if anything, technology can do for you and make smart decisions on where to invest; sometimes that’s with big companies, sometimes that’s with emerging start-ups.

Quantify the risk vs. return and be able to highlight the lifecycle of what you expect from a product.  Understand amortization and depreciation schedules and how they affect your spend cycles and synch this to your key vendor’s roadmaps.

If your solutions deliver, demonstrate it.  If they fail, don’t try to CYA, but refer back to the justification, see where it blew a gasket and gracefully move on.  See #1 above.

4.    Understand Risk
Please take the time to understand the word “risk” and its meaning(s).  If you continue to overuse and abuse the term in conversation with people who actually have to make business decisions and you don’t communicate “risk” using the same lexicon and vocabulary as the people who write the checks, you’re doing yourself a disservice and you’re insulting their intelligence.

If you don’t understand or perform business impact analyses and only talk about risk within the context of threats and vulnerabilities, you’re going to look like the FUD-spewing technology crack-whore in #3 above.

This will surely be concluded because you sound like all you want is more money (see #2), because you clearly can’t communicate and speak the language that demonstrates you actually understand what and how what you do unequivocally contributes to the business; probably because you haven’t measured anything (see #1).

If you want to learn more about how to understand risk, please read this. Alex Hutton is one wise MoFo.

5.    Network
That’s a noun and a verb.  Please don’t hunker in your bunker.  Get out and talk to your constituents and treat them as valued customers.  Learn to take criticism (see #6) and ask how you’re doing.  By doing that, you can also measure impact directly (see #1.)   You should also network with your peers in the security industry; whether at local events, conferences or professional gatherings, experiencing and participating in the shared collective is critical.

I, myself, like the format of the various “CitySec” get-togethers.  BeanSec is an event that I help to host in Boston.  You can find your closest event by going here.

The other point here is that as budget swings towards the network folks who seem to be able to do a better job at communicating how investing in their portfolio is a good idea (see #1 and #2) you better learn to play nice.  You also better understand their problems (see #6) and the technology they manage.  If you expect to plug into or displace what they do with more kit that plugs into “their” network, you better be competent in their space.  If they’re not in yours, all the better for you.

6.    Shut-up and Listen
Talk with one hole, listen with two.

If I have to explain this point, you’ve probably already dismissed the other five and are off reading your Yahoo stock page and the latest sports scores.  God bless and call me when you start your landscaping business…I need my hedges trimmed.

7.    Paint a Picture
Please get your plans out of your head and written down!  Articulate your strategy and long-term plan for how your efforts will align to the business and evolve over time to mature and provide service to the business.  Keep it short, concise, in “English” and make sure it has pretty pictures.  Circulate it for commentary.  Produce a mantra and show pride in what you do and the value you add to the business.   It’s a business plan.  Sell it and support it like it is.  Demonstrate value (see #1) and you’ll get budget (#2) because it shows that you understand you make business decisions, not technology knee-jerks.

This means that you keep pulse with what technology can offer, how that maps to trends in your business, and what you’re going to do about them with the most efficient and effective use of your portfolio.

Most of this stuff is common sense and you can see what’s coming down the pike quite early if you pay attention.  If you craft your business plan and evolution in stages over time, you’ll look like a freaking prescient genius.  You’ll end up solving problems before they become one.  Demonstrate that sort of track record and you’ll have more runway to do what you want as well as what you need.

8.    Go buy a Car
Used or new, it doesn’t matter.  Why?  Because the guys and gals who sell cars for a living have to deal with schmucks like you all day long and yet they still make six-figures and go home at the end of the day after an 8-10 hour shift and get to ignore the office.  They know how to sell.  They listen (#6,) determine what you have to spend (#2) and then tell you how good you look in that ’84 Sentra and still manage to up-sell you to a BMW M3 with the paddle shifters and undercoating.

You need to learn to sell and market like a car salesman – not the kind that makes you feel sticky, but the kind that you want to invite over to your BBQ because he had your car washed while you waited, brought you coffee and called you back the day after to make sure everything was OK.

Seriously.  Why do you think that most CEO’s were salesmen?  You’re the CEO of the security organization.  Act like it.

9.    Learn to Say “Yes” by saying “No” and vice-versa
Ah, no one word with so few letters inspires such wretched responses from those who hear it.  And Security folks just LOVE to say it.  We say it with such a sense of entitlement and overwhelming omnipotence, too.   We say it and then giggle to ourselves whilst we strike the Dr. Evil pinky pose wearing the schwag-shirt we scored from the $5000 security conference we attended to learn how to more effectively secure the business by promoting security as an enabler.

It’s OK to say no, just think about how, why and when to say it.  Better yet, get someone else to say it, preferably the person who’s trying to get you to say yes.  Use the Jedi mind-trick.  Learn to sell – or unsell.  These are tricky security ninja skills and they take a while to master.

Having someone justify the business reason, risk and rewards for doing something – like you should be doing – is the best way to have someone talk themselves out of having you do something foolish in the first place.  You won’t win every battle, but the war will amass fewer casualties because you’re not running over every hill lobbing grenades at every request.

10.    Break the Rules
Security isn’t black and white.  Why?  Because despite the fact that we have binary compute systems enforcing the rules, those who push the limits use fuzzy logic and don’t concern themselves with the constraints of 1 and 0.   You shouldn’t, either.

Think different.  Be creative.  Manage risk and don’t be averse to it because if you’re running your program as a business, you make solid decisions based on assessments that include the potential of failure.

Don’t gauge success by thinking that unless you’ve reached 100% that 80% represents failure.  Incremental improvement over time – even when it’s not overtly dramatic – does make a difference.  If you measure it, by the way, it’s clearly demonstrable.

Challenge the status quo and do so with the vision of fighting the good fight – the right one for the right reasons – and seek to improve the health, survivability, and sustainability of the business.

Sometimes this means making exceptions and being human about things.  Sometimes it means getting somebody fired and cleared out of their cube.  Sometimes it means carrot, sometimes stick.

If you want to be a security guard, fine, but don’t be surprised when you get treated like one.  Likewise, don’t think that you’re entitled to a seat at the executive table just because you wear a tie, play golf with the CFO, or do the things on this list.

Value is demonstrated and trust is earned.   Learn to be adaptive, flexible and fair — dare I say pragmatic, and you’ll demonstrate your value and you’ll earn the trust and confidence of those around you.

So there you go.  One Venti-Iced-Americano inspired “Hoff’s giving back” rant. Preachy, somewhat cocky and self-serving?  Probably.  Useful and proven in battle?  Absolutely.   If anyone tells you any different, please ask them why they’re reading this post in the first place.

Think about this stuff.  It’s not rocket science.  Never has been.  Most of the greatest business people, strategists, military leaders, and politicians are nothing more than good listeners who can sell, aren’t afraid of making mistakes, learn from the ones they make and speak in a language all can relate to and understand.  They demonstrate value and think outside of the box; solving classes of problems rather than taking the parochial and pedestrian approach that we mostly see.

You can be great, too.  If you feel you can’t, then you’re in the wrong line of work.

/Hoff

Redux: Liability of Security Vulnerability Research…The End is Nigh!

June 10th, 2007

I posited the potential risks of vulnerability research in this blog entry here.   Specifically I asked about reverse engineering and implications related to IP law/trademark/copyright, but the focus was ultimately on the liabilities of the researchers engaging in such activities.

Admittedly I’m not a lawyer and my understanding of some of the legal and ethical dynamics is amateur at best, but what was very interesting to me was the breadth of the replies from both the on- and off-line responses to my request for opinion on the matter.

I was contacted by white, gray and blackhats regarding this meme and the results were divergent across legal, political and ideological lines.

KJH (Kelly Jackson Higgins — hey, Kel!) from Dark Reading recently posted an interesting collateral piece titled "Laws Threaten Security Researchers" in which she outlines the results of a CSI working group chartered to investigate and explore the implications that existing and pending legislation would have on vulnerability research and those who conduct it.  Folks like Jeremiah Grossman (who comments on this very story, here) and Billy Hoffman participate on this panel.

What is interesting is the contrast in commentary between how folks responded to my post versus these comments based upon the CSI working group’s findings:

In the report, some Web researchers say that even if they find a bug accidentally on a site, they are hesitant to disclose it to the Website’s owner for fear of prosecution. "This opinion grew stronger the more they learned during dialogue with working group members from the Department of Justice," the report says.

I believe we’ve all seen the results of some overly-litigious responses on behalf of companies against whom disclosures related to their products or services have been released — for good or bad.

Ask someone like Dave Maynor if the pain is ultimately worth it.  Depending upon your disposition, your mileage may vary. 

That revelation is unnerving to Jeremiah Grossman, CTO and founder of WhiteHat Security and a member of the working group. "That means only people that are on the side of the consumer are being silenced for fear of prosecution," and not the bad guys.

"[Web] researchers are terrified about what they can and can’t do, and whether they’ll face jail or fines," says Sara Peters, CSI editor and author of the report. "Having the perspective of legal people and law enforcement has been incredibly valuable. [And] this is more complicated than we thought."

This sort of response didn’t come across that way at all from the folks who responded to my blog, whether privately or publicly; most responses were just the opposite, stated with somewhat of a sense of entitlement and immunity.   I expect to query those same folks again on the topic. 

Check this out:

The report discusses several methods of Web research, such as gathering information off-site about a Website or via social engineering; testing for cross-site scripting by sending HTML mail from the site to the researcher’s own Webmail account; purposely causing errors on the site; and conducting port scans and vulnerability scans.

Interestingly, DOJ representatives say that using just one of these methods might not be enough for a solid case against a [good or bad] hacker. It would take several of these activities, as well as evidence that the researcher tried to "cover his tracks," they say. And other factors — such as whether the researcher discloses a vulnerability, writes an exploit, or tries to sell the bug — may factor in as well, according to the report.

Full disclosure and to whom you disclose it and when could mean the difference between time in the spotlight or time in the pokey!

/Hoff

Gartner Solutions Expo a Good Gauge of the Security Industry?

June 9th, 2007 No comments

Mark Wood from nCircle blogged about his recent experience at the Gartner IT Security Summit in D.C.  Alan Shimel commented on Mark’s summary and both of them make an interesting argument about how Gartner operates as the overall gauge of the security industry.  Given that I was  also there, I thought I’d add some color to Mark’s commentary:

In 2006, there were two types of solutions that seemed to dominate the floor: network admission control and data leakage (with the old reliable identity and access management coming in a strong third). This year, the NAC vendors were almost all gone and there were many fewer data leakage vendors than I had expected. Nor was there any one type of solution that really seemed to dominate.

…that’s probably because both of those "markets" are becoming "features" (see here and here).  Given how Gartner proselytizes to its clients, features (and those who sell them) need to spend their hype budgets wisely, and depending upon where one is on the hype cycle (and on what I say below) you’ll see fewer vendors participating when the $ per lead isn’t stellar.  Lots and lots of vendors in a single quadrant makes it difficult to differentiate.


The question is: What does this mean? On the one hand, I continue to be staggered by the number of new vendors in the security space. They seem to be like ants in the kitchen — acquire one and two more crawl out of the cracks in the window sill. It’s madness, I tell you! There were a good half a dozen names I had never seen before and I wonder if the number of companies that continue to pop up is good or bad for our industry. It’s certainly good that technological innovation continues, but I wonder about the financial status of these companies as funding for security startups continues to be more difficult to get. There sure is a lot of money that’s been poured into security and I’m not sure how investors are going to get it back.

Without waxing philosophical about the subconscious of the security market, let me offer a far simpler and more unfortunate explanation:

Booth space at the Gartner show is among the most expensive on the planet, if not the most expensive, when you consider how absolutely miserable the scheduling of the expo hours is for the vendors.  They open the vendor expo at lunch time and during track sessions, when everyone is usually eating, checking email, or attending the conference sessions!  It’s a purely economic issue, not some great temperature-taking of the industry.

I suppose one could argue that if the industry were flush with cash, everyone showing up here would indicate overall "health," but I really do think it’s not such a complex interdependency.  Gartner is a great place for a booth if you’re one of those giant, hamster wheel confab "We Do Everything" vendors like Verisign, IBM or BT.

I spoke to about 5 vendors who had people at the show but no booth.  Why?  Because they would get sucked dry on booth costs and given the exposure (unless you’re a major sponsor with speaking opportunities or a party sponsor) it’s just not worth it.  I spoke with Ted Julian prior to his guest Matasano blog summary, and we looked at each other shaking our heads.

While the folks visiting are usually decision makers, the foot traffic is limited in the highly-compressed windows of availability.  The thing you really want to do is get some face time with the analysts and key customers and then stick and move. 

The best bang for the exposure buck @ Gartner is the party at the end of the second day.  Crossbeam was a platinum sponsor this year; we had a booth (facing a wall in the back,) had two speaking sessions and sponsored a party.  The booth position and visibility sucked for us (and others) while the party had folks lined out the door for food, booze and (believe it or not) temporary tattoos with grown men and women stripping off clothing to get inked.  Even Stiennon showed up to our party! 😉

On the other hand, it seemed that there was much less hysteria than in years past. No "we-can-make-every-one-of-your-compliance-problems-vanish-overnight" or "confidential-data-is-seeping-through-the-cracks-in-your-network-while-you-sleep-Run!-Run!" pitches this year. There seems to be more maturity in how the industry is addressing its buying audience and I find this fairly encouraging. Despite the number of companies, maybe the industry is slowly growing up after all. It’ll be interesting to see how this plays out.

Well, given the "Security 3.0 theme" which apparently overall trends toward mitigating and managing "risk", a bunch of technology box sprinkling hype doesn’t work well in that arena.  I would also ask whether or not this really does represent maturity or the "natural" byproduct of survival of the fittest — or those with the biggest marketing budgets?  Maybe it’s the same thing?

/Hoff

Alright Kids…It’s a Security Throughput Math Test! Step Right Up!

June 9th, 2007 6 comments

I’ve got a little quiz for you.  I’ve asked this question 30 times over the last week and received an interesting set of answers.   One set of numbers represents "real world" numbers; the other is a set of "marketing" numbers.

Here’s the deal:

Take an appliance of your choice (let’s say a security appliance like an IPS) that has 10 x 1Gb/s Ethernet interfaces.

Connect five of those interfaces to the test rig that generates traffic and connect the remaining five interfaces to the receiver.

Let’s say that you send 5 Gb/s from the sender (Avalanche in the example above) across interfaces 1-5.

The traffic passes from the MACs up the stack and through the appliance under test and then out through interfaces 6-10, where it is received by the receiver (Reflector in the example above).

So you’ve got 5Gb/s of traffic into the DUT and 5Gb/s of traffic out of the DUT with 0% loss.

Your question is as follows:

Using whatever math you desire (Cisco or otherwise,) what is the throughput of the traffic going through the DUT?

I ask this question because of the recent sets of claims by certain vendors over the last few weeks.   Let’s not get into stacking/manipulating the test traffic patterns — I don’t want to cloud the issue.

{Ed: Let me give you some guidance on the two most widely applicable answers to this question that I have received thus far.  85% of those surveyed said that the answer was 5Gb/s, while a smaller minority asserts that it’s 10Gb/s.  It comes down to how one measures "aggregate" throughput.  Please read the comments below regarding measurement specifics.}
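To make the two candidate answers concrete, here is an added example (mine, not from the post) that works the test setup above from per-port byte counters: five sending-side ports, five receiving-side ports, one interval. It reports the unidirectional forwarded rate (the 5Gb/s camp) beside the in-plus-out sum (the 10Gb/s camp), and also includes an RFC 2544-style search for the highest zero-loss offered rate against a constructed DUT model; the counter values and the DUT capacity are assumptions for illustration.

```python
"""Throughput arithmetic for the 10-port DUT quiz: 5 ports in, 5 ports out."""
from dataclasses import dataclass

LINE_RATE_GBPS = 1.0            # each of the ten interfaces is 1 Gb/s
BITS_PER_GBIT = 1_000_000_000


@dataclass
class ThroughputReport:
    offered_gbps: float          # pushed into ports 1-5 by the sender
    forwarded_gbps: float        # counted on ports 6-10 by the receiver
    loss_pct: float
    unidirectional_gbps: float   # the "real world" figure
    aggregate_gbps: float        # in + out summed, the "marketing" figure


def throughput_from_counters(ingress_bytes, egress_bytes, seconds):
    """Derive throughput from per-port byte counters over one test interval.

    ingress_bytes: bytes received by the DUT on each sending-side port
    egress_bytes:  bytes the receiver counted on each receiving-side port
    """
    if seconds <= 0:
        raise ValueError("interval must be positive")
    for b in ingress_bytes:
        # sanity check: a 1 Gb/s port cannot have carried more than 1 Gb/s
        if b * 8 / seconds > LINE_RATE_GBPS * BITS_PER_GBIT:
            raise ValueError("counter exceeds line rate on one port")
    offered = sum(ingress_bytes) * 8 / seconds / BITS_PER_GBIT
    forwarded = sum(egress_bytes) * 8 / seconds / BITS_PER_GBIT
    loss_pct = 0.0 if offered == 0 else 100.0 * (offered - forwarded) / offered
    return ThroughputReport(
        offered_gbps=round(offered, 3),
        forwarded_gbps=round(forwarded, 3),
        loss_pct=round(loss_pct, 3),
        unidirectional_gbps=round(forwarded, 3),
        aggregate_gbps=round(offered + forwarded, 3),
    )


def simulated_ips(capacity_gbps):
    """Constructed DUT model (assumption): forwards everything up to its
    inspection capacity and silently drops the rest."""
    return lambda offered: min(offered, capacity_gbps)


def max_zero_loss_rate(dut, max_offer_gbps, resolution_gbps=0.01):
    """RFC 2544-style throughput: the highest offered rate with no loss,
    found by binary search. dut(offered_gbps) -> forwarded_gbps."""
    lo, hi = 0.0, max_offer_gbps
    while hi - lo > resolution_gbps:
        mid = (lo + hi) / 2
        if dut(mid) >= mid:      # nothing dropped at this rate: go higher
            lo = mid
        else:                    # loss observed: back off
            hi = mid
    return round(lo, 2)


if __name__ == "__main__":
    # Constructed counters: 1 Gb/s per port for 10 s = 1.25e9 bytes per port.
    per_port = 1_250_000_000
    print(throughput_from_counters([per_port] * 5, [per_port] * 5, 10))
    print(max_zero_loss_rate(simulated_ips(3.2), 5.0))
```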

So, what’s your answer?  Please feel free to ‘splain your logic.  I will comment with my response once comments show up so as not to color the results.

/Hoff


None of you Bastadges Use Trackbacks Anymore!?

June 1st, 2007 11 comments

A personal plea…

I spend a decent amount of time trying to engage folks in discussion.  I blog and expect that there will be those who agree and those who disagree with my comments.  I am truly interested in seeing both perspectives in your responses.

In order to do that, however, I have to know that you’ve written something in response.  Unless you leave a comment I can’t tell that, especially if you’ve authored a response on your blog and don’t leave a trackback.

Really, how hard is that, exactly?

I do that with every post I reference.  Can I ask you a favor and do the same for me?

Your opinion counts.  Make it so, please.

/Hoff


My IPS (and FW, WAF, XML, DBF, URL, AV, AS) *IS* Bigger Than Yours Is…

May 23rd, 2007 No comments

Interop has been great thus far.  One of the most visible themes of this year’s show is (not surprisingly) the hyped emergence of 10Gb/s Ethernet.  10G isn’t new, but the market is now ripe with products supporting it: routers, switches, servers and, of course, security kit.

With this uptick in connectivity as well as the corresponding float in compute power thanks to Mr. Moore AND some nifty evolution of very fast, low latency, reasonably accurate deep packet inspection (including behavioral technology,) the marketing wars have begun on who has the biggest, baddest toys on the block.

Whenever this discussion arises, without question the notion of "carrier class" gets bandied about in order to essentially qualify a product as being able to withstand enormous amounts of traffic load without imposing latency. 

One of the most compelling reasons for these big pieces of iron (which are ultimately a means to an end to run software, afterall) is the service provider/carrier/mobile operator market which certainly has its fair share of challenges in terms of not only scale and performance but also security.

I blogged a couple of weeks ago regarding the resurgence of what can be described as "clean pipes" wherein a service provider applies some technology that gets rid of the big lumps upstream of the customer premises in order to deliver more sanitary network transport.

What’s interesting about clean pipes is that much of what security providers talk about today is only actually a small amount of what is actually needed.  Security providers, most notably IPS vendors, anchor the entire strategy of clean pipes around "threat protection" that appears somewhat one dimensional.

This normally means getting rid of what is generically referred to today as "malware," arresting worm propagation and quashing DoS/DDoS attacks.  It doesn’t speak at all to the need for things that aren’t purely "security" in nature such as parental controls (URL filtering,) anti-spam, P2P, etc.  It appears that in the strictest definition, these aren’t threats?

So, this week we’ve seen the following announcements:

  • ISS announces their new appliance that offers 6Gb/s of IPS
  • McAfee announces their new appliance that offers 10Gb/s of IPS

The trumpets sounded and the heavens parted as these products were announced touting threat protection via IPS at levels supposedly never approached before.  More appliances.  Lots of interfaces.  Big numbers.  Yet to be seen in action.  Also, to be clear a 2U rackmount appliance that is not DC powered and non-NEBS certified isn’t normally called "Carrier-Class."

I find these announcements interesting because even with our existing products (which run ISS and Sourcefire’s IDS/IPS software, by the way) we can deliver 8Gb/s of firewall and IPS today and have been able to for some time.

Lisa Vaas over @ eWeek just covered
the ISS and McAfee announcements and she was nice enough to talk about
our products and positioning.  One super-critical difference is that along with high throughput and low latency you get to actually CHOOSE which IPS you want to run — ISS, Sourcefire and shortly Check Point’s IPS-1.

You can then combine that with firewall, AV, AS, URL filtering, web app. and database firewalls and XML security gateways in the same chassis to name a few other functions — all best of breed from top-tier players — and this is what we call Enterprise and Provider-Class UTM folks.

Holistically approaching threat management across the entire spectrum is really important along with the speeds and feeds and we’ve all seen what happens when more and more functionality is added to the feature stack — you turn a feature on and you pay for it performance-wise somewhere else.  It’s robbing Peter to pay Paul.  The processing requirements necessary at 10G line rates to do IPS is different when you add AV to the mix.

The next steps will be interesting and we’ll have to see how the switch and overlay vendors rev up to make their move to have the biggest on the block.  Hey, what ever did happen to that 3Com M160?

Then there’s that little company called Cisco…

{Ed: Oops.  I made a boo-boo and talked about some stuff I shouldn’t have.  You didn’t notice, did you?  Ah, the perils of the intersection of Corporate Blvd. and Personal Way!  Lesson learned. 😉 }


Network Intelligence is an Oxymoron & The Myth of Security Packet Cracking

May 21st, 2007 No comments

[Live from Interop’s Data Center Summit]

Jon Oltsik crafted an interesting post today regarding the bifurcation of opinion on where the “intelligence” ought to sit in a networked world: baked into the routers and switches or overlaid using general-purpose compute engines that ride Moore’s curve.

I think that I’ve made it pretty clear where I stand.   I submit that you should keep the network dumb, fast, reliable and resilient and add intelligence (such as security) via flexible and extensible service layers that scale both in terms of speed but also choice.

You should get to define and pick what best of breed means to you and add/remove services at the speed of your business, not the speed of an ASIC spin or an acquisition of technology that is neither in line with the pace and evolution of classes of threats and vulnerabilities nor with the speed of an agile business. 

The focal point of his post, however, was to suggest that the real issue is the fact that all of this intelligence requires exposure to the data streams which means that each component that comprises it needs to crack the packet before processing.   Jon suggests that you ought to crack the packet once and then do interesting things to the flows.  He calls this COPM (crack once, process many) and suggests that it yields efficiencies — of what, he did not say, but I will assume he means latency and efficacy.

So, here’s my contentious point that I explain below:

Cracking the packet really doesn’t contribute much to the overall latency equation anymore thanks to high-speed hardware, but the processing sure as heck does!  So whether you crack once or many times, it doesn’t really matter, what you do with the packet does.

Now, on to the explanation…

I think that it’s fair to say that many of the underlying mechanics of security are commoditizing so things like anti-virus, IDS, firewalling, etc. can be done without a lot of specialization – leveraging prior art is quick and easy and thus companies can broaden their product portfolios by just adding a feature to an existing product.

Companies can do this because of the agility that software provides, not hardware.  Hardware can give you scales of economy as it relates to overall speed (for certain things) but generally not flexibility. 

However, software has its own Moore’s curve of sorts, and I maintain that unfortunately its lifecycle, much like what we’re hearing @ Interop regarding CPUs, does actually have a shelf life and a point of diminishing return for reasons that you’re probably not thinking about…more on this from Interop later.

Jon describes the stew of security componentry and what he expects to see @ Interop this week:

I expect network intelligence to be the dominant theme at this week’s Interop show in Las Vegas. It may be subtle but it’s definitely there. Security companies will talk about cracking packets to identify threats, encrypt bits, or block data leakage. The WAN optimization crowd will discuss manipulating protocols and caching files, Application layer guys crow about XML parsing, XSLT transformation, and business logic. It’s all about stuffing networking gear with fat microprocessors to perform one task or another.

That’s a lot of stuff tied to a lot of competing religious beliefs about how to do it all as Jon rightly demonstrates and ultimately highlights a nasty issue:

The problem now is that we are cracking packets all over the place. You can’t send an e-mail, IM, or ping a router without some type of intelligent manipulation along the way.

<nod>  Whether it’s in the network, bolted on via an appliance or done on the hosts, this is and will always be true.  Here’s the really interesting next step:

I predict that the next big wave in this evolution will be known as COPM for "Crack once, process many." In this model, IP packets are stopped and inspected and then all kinds of security, acceleration, and application logic actions occur. Seems like a more efficient model to me.

To do this, it basically means that this sort of solution requires Proxy (transparent or terminating) functionality.  Now, the challenge is that whilst “cracking the packets” is relatively easy and cheap even at 10G line rates due to hardware, the processing is really, really hard to do well across the spectrum of processing requirements if you care about things such as quality, efficacy, and latency and is “expensive” in all of those categories.

The intelligence of deciding what to process and how once you’ve cracked the packets is critical. 

This is where embedding this stuff into the network is a lousy idea. 

How can a single vendor possibly provide anything more than “good enough” security in a platform never designed to solve this sort of problem whilst simultaneously trying to balance delivery and security at line rate? 

This will require a paradigm shift for the networking folks that will either mean starting from scratch and integrating high-speed networking with general-purpose compute blades, re-purposing a chassis (like, say, a Cat65K) and stuffing it with nothing but security cards and grafting it onto the switches or stack appliances (big or small – single form factor or in blades) and graft them onto the switches once again.   And by the way, simply adding networking cards to a blade server isn’t an effective solution, either.  "Regular" applications (and esp. SOA/Web 2.0 apps) aren’t particularly topology sensitive.  Security "applications" on the other hand, are wholly dependent and integrated with the topologies into which they are plumbed.

It’s the hamster wheel of pain.

Or, you can get one of these which offers all the competency, agility, performance, resilience and availability of a specialized networking component combined with an open, agile and flexible operating and virtualized compute architecture that scales with parity based on Intel chipsets and Moore’s law.

What this gives you is an ecosystem of loosely-coupled BoB security services that can be intelligently combined in any order once cracked and ruthlessly manipulated as it passes through them governed by policy – and ultimately dependent upon making decisions on how and what to do to a packet/flow based upon content in context.

The consolidation of best of breed security functionality delivered in a converged architecture yields efficiencies that are spread across the domains of scale, performance, availability and security, but also across the traditional economic scopes of CapEx and OpEx.

Cracking packets, bah!  That’s so last Tuesday.

/Hoff