Security as a Service: Security Service Oriented Architecture (SSOA) using Enterprise UTM

September 22nd, 2006

I’m almost finished with a concept brief on how I describe and liken Enterprise UTM security service layers to a model I define as a Security Service Oriented Architecture (SSOA.)

(Ed: If you like, you can read the brief here — it is a summary compilation of thoughts that forms the basis of several presentations.)

I’ll post the entire brief shortly, but here’s the abstract from the paper titled "Delivering Enterprise Risk Mitigation Utilizing a UTM Security Service Oriented Architecture":

The evolution of modern enterprise information architecture has driven tectonic shifts in how information is made available and consumed across constituent layers within the Enterprise ecosystem.  The paradigm itself has undergone fundamental changes as the delivery mechanism and application model has transitioned from Client/Server to Internet/Web-based and now loosely-coupled componentized Service Oriented Architectures (SOA.)   

SOA provides for transformational methods of producing, accessing and consuming information across a delivery “platform” (the network) and provides quantifiable benefits across multiple boundaries: the reduction of integration and management total cost of ownership (TCO), asset and resource modularity and reusability, business process agility and flexibility, and the overall reduction of business risk.

Enterprise information architects have responded to this paradigm change by adopting methodologies such as Extreme Programming (XP) which is designed to deliver on-demand software layers where and when they are needed.   XP enables and empowers developers and information architects to rapidly respond to changing business requirements across the entire life cycle.  This methodology emphasizes collaboration and a modular approach toward delivering best-of-breed solutions on-demand.

These highly dynamic, just-in-time solutions pose distribution, management, protection and scaling issues that static product-centric network and security paradigms cannot adapt to quickly enough; each new technology presents new architectural changes, new vulnerabilities and new attack surfaces against which threats must be evaluated.  Unfortunately, there is no analog to Extreme Programming in the security world.

The networks charged with the delivery of this information and the infrastructure tasked with its secure operation have failed to keep evolutionary pace, are still mostly rigid and inflexible and are unable to deliver given a misalignment of execution capabilities, methodologies and ideologies.

This brief will first demonstrate that pure network infrastructure is, and always will be, fundamentally and unfortunately at odds with the technology and services designed to protect the information that is transported across it.   

The brief will then introduce the concept of a Security Service Oriented Architecture (SSOA) that effectively addresses the network/security conflict. By using an Enterprise Unified Threat Management (UTM) system overlaid across traditional network technology it becomes possible to eliminate individual security appliance sprawl and provide best-of-breed security value with maximum coverage exactly where needed, when needed and at a cost that can be measured, allocated and applied to most appropriately manage risk.

I’ll be interested in your comments regarding the abstract as well as the entire brief once I link to it.

/Chris

Categories: Uncategorized Tags:

Exposing/fingerprinting hidden services remotely by tracking heat-based clock skew…

September 22nd, 2006

When tools such as NMAP arrived on the scene years ago and fingerprinting for enumeration for pentesting and VA was the "hot" ticket, evasion techniques sprung up that were quite creative and forced researchers to get even more creative in attempts to discover and detect OS, applications and services running on a host remotely.

This has got to be one of the (and you’ll pardon the pun) "coolest" methods of detection and service enumeration I have seen to date; using CPU speed and temperature to detect processor utilization by hidden services — remotely using timestamp skews!

From Steven J. Murdoch @ Light Blue Touchpaper:

It is well known that quartz crystals, as used for controlling system clocks of computers, change speed when their temperature is altered. The paper shows how to use this effect to attack anonymity systems. One such attack is to observe timestamps from a PC connected to the Internet and watch how the frequency of the system clock changes.

I’m sure we’ll see evasion techniques, exception cases and "debunking the myth" posts pile up, but Mr. Murdoch sure made me scratch my head in amazement.  Maybe I’m just simple folk, but I think it’s really neat.

Next thing you know it’ll detect operator arousal after downloading pr0n!  I can tell you one thing, it’s pretty damned easy to fingerprint a MacBook Pro w/Core Duo processors…it heats my living room on a cold day and burns the hair of my thighs if I try to use it like a laptop…

Wow.

The Immune System Analogous to Security?…SUCKS.

September 10th, 2006

I find it oddly ironic that vendors such as Cisco maintain that the human immune system is a good model for how "network" security ought to function.  Now, I know that John Chambers’ parents are doctors, so perhaps he can’t help it…

In a recent blog entry, Richard Stiennon reviews John Chambers’ recent keynote at the Security Standards show, wherein he summarizes:

The human body is a good metaphor for the way security should be. You hardly ever notice when your body is attacked because the majority of attacks are warded off. It is the exception when you catch a cold or have to go to the doctor.

It’s an unfortunate analog because PEOPLE DIE.

In my Unified Risk Management Part I whitepaper, I specifically suggested that this idea sucks:

Networks of the future are being described as being able to self-diagnose and self-prescribe antigens to cure their ills, all the while delivering applications and data transparently and securely to those who desire it.

It is clear, however, that unfortunately there are infections that humans do not recover from.  The immune system is sometimes overwhelmed by attack from invaders that adapt faster than it can.  Pathogens spread before detection and activate in an overwhelming fashion before anything can be done to turn the tide of infection.

Mutations occur that were unexpected, unforeseen and previously unknown.  The body is used against itself as the defense systems attack both attacker and healthy tissue and the patient is ultimately overcome.  These illnesses are terminal with no cure.

Potent drugs, experimental treatments and radical medical intervention may certainly extend or prolong life for a short time, but the victims still die.  Their immune systems fail. 

If this analogy is to be realistically adopted as the basis for information survivability and risk management best practices, then anything worse than a bad case of the sniffles could potentially cause networks – and businesses — to wither and die if a more reasonable and measured approach is not taken regarding what is expendable should the worst occur.  Lose a limb or lose a life?  What is more important? The autonomic system can’t make that decision.

I’m sick of these industry generalizations and fluffy conference sound bites because they’re always painted with a rosy end, downplaying the realities of the "cons" (pun intended) at the expense of what everyone knows as the truth.

…and the truth be told, this analog is actually the PERFECT model for the Information Security paradigm because of just how spectacularly the immune system fails.

Chris

BeanSec! Part Deux…

September 8th, 2006

BeanSec! #2 is scheduled for Wednesday, September 27th:

An informal meetup of information security professionals and academics in the Cambridge/Boston area. Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

The location is the Enormous Room (map) in Cambridge.   I believe we’re going to start @ 6PM again.

Please subscribe to the BeanSec! Mailing list.

Chris


Martin McKeay’s Podcast…

September 8th, 2006

I don’t know how I forgot to mention this.  I’m an idiot.  I listen to Martin McKeay’s podcasts religiously…and I’ve been lucky enough to participate as part of a Mobcast once before.  Martin’s depth of knowledge and the breadth of categories/topics and guests he includes is phenomenal.

On August 29th, Martin was kind enough to have me on his podcast and interviewed me.  I did what I always do…talk too much.  We spoke about risk management, the security landscape, and UTM.

If you’ve got 40 minutes to kill, check out the podcast here.

Chris

Hey Nokia…welcome to last year!

August 29th, 2006

I’m sorry.  I can’t resist.  If you can’t stomach grand-standing and vendor eye-poking, skip this post.  I’m sitting in Logan Airport after 3 Knob Creeks and a Board Meeting, so you’ll have to cut me some slack.

This is an example of the petty vendor one-upmanship that Rothman hates, but I’m tired of Nokia’s bogus announcements year after year of how they are kings of the pile when they are in fact one-trick wonders who have, to their credit, been able to successfully and parasitically build a  $1BN market on the top of the backs of Check Point. 

In case you didn’t know, that’s the ever-vigilant Nokia-Van-Winkle napping under the security tree…

You probably recognize by now that Crossbeam "competes" with Nokia.  They produce a suite of appliances, we provide an architecture that scales.  But who’s picking nits…

I’m being nice when I say that we "compete" because their continued reliance upon an antiquated, proprietary OS that requires "porting" of software and the fact that they only run ONE application (Check Point) on their platforms really doesn’t offer a fair comparison to our solutions, which offer combinations of over 20+ best-of-breed security applications.

Nokia "We’re more than phones, damnit!" announced today that they are going to OEM SourceFire’s IPS product for use on their appliances. 

We announced our partnership with SourceFire in 2005, but I suppose porting takes time so Nokia finally got it done.

After an aborted attempt with ISS and an AV vendor years ago, it finally dawned on Nokia that in order to be viewed as being "…more than phones and a firewall" that they actually have to run at least one other application to add value to its customers — other than milking them for maintenance contracts, that is.

Guess what else is coming!?  They’re more than likely going to OEM DeepNine’s UTM/IPS software also.  Then they can say they play in the UTM world, too.  I wonder how long it’ll take for them to figure out that people are tired of stacking boxes — even theirs.  Oh, wait!  I know!

Welcome to 2005, Nokia!

Next up…Cisco!


Get your head out of your UTM – Hardware is a PIECE of the puzzle…

August 28th, 2006

You can forget any amount of nicey-nicey in this response.  I don’t mind debating topics, but generally, I do my homework before I post rather than generalizing or debating via analogy. 

Mitchell Ashley just got my goat with his post since he’s poking the bear with a pretty flimsy stick, all things considered.

Mitchell (and an assembled cast of thousands such as Stiennon, Neihaus, etc…) just can’t get over the fact that their perception and (mis)understanding of what makes an Enterprise/Service Provider UTM solution like the Crossbeam X-Series so phenomenally differentiated and VALUABLE to our customers is NOT about the hardware!

Talk about making me grumpy.  I’m going to sound like Rothman!

It is about the software!  But despite Mitchell’s pleadings like this:

We need some fresh thinking about UTMs or we run the risk of customers thinking the lunatics are on the grass, or something worse.

…he ignores or chooses to remain ignorant about the fact that these "fresh solutions" do exist and how they work and still he continues to eat his own picnic lunch on the lunatic lawn he so dearly hopes to avoid. 🙂

Enterprise/Provider UTM is about the ability to run the best security products on the market in an amazingly scalable, high-performance, highly-resilient and highly-flexible manner.  It’s about being able to deploy an architecture that allows one to manage risk, improve one’s security posture and deploy on-demand security SOFTWARE solutions where needed, when needed and at a price tag where the risk justifies the cost.

I think it’s fine to be contrarian (God knows I make a career out of it) and I think it’s fine that people continue to generalize about these issues, but I continue to make it my mission to educate those same people that there are solutions that actually solve the very problems they describe in their OTS 1U appliance model hell. 

Of course vendors that base their products on 1U appliances ought to be worried in forecasting the future —  because people are sick of deploying one after another of their darn boxes (even multi-function boxes) to get the value they need…or worse yet, not get the value they need.

The largest enterprises and service providers on the planet are re-evaluating their security architectures and how and why they deploy.  The largest IT/Security project on the planet has evaluated their choices and looked for "fresh solutions" that offer what UTM promises but at levels that support the confidentiality, integrity and availability service levels that they demand.

These folks are not buying Cisco or Juniper and they’re driving vendors who would otherwise have no shot to deploy into their network to run on our boxes.  Our UTM boxes.  They’re buying Crossbeam as an architecture that allows them to deploy a well-planned infrastructure.

The continued chest pounding about the death of Best-of-Breed and diminishing point of return for the integration of said solutions on "big hardware" are just that — chest pounding.  Why?  Because of the following:

  1. Big hardware that scales and does not require forklifts simply provides a stable foundation upon which to deploy and scale your security SOFTWARE.
  2. A modular architecture allows the customer to invest over time and simply add blades, add additional SOFTWARE or even upgrade their memory/processors to capitalize on compute requirements.
  3. Leveraging Best-In-Breed security SOFTWARE solutions allows the customer to choose what the best solution truly is, not settle for one vendor’s version of the truth like Cisco, Juniper, Fortinet or even StillSecure.

I agree that collaboration, interoperability and better manageability and usability are needed on ALL platforms, not just UTMs.  Furthermore, one of my biggest missions over the next year is to improve just this on our platforms:

Better appliance hardware’s not the only solution to the customer’s problem (Sorry Chris and my other hardware friends.)

You’re right, and I never said it was.  You should probably learn about what I did say, however.

They want solutions that bring needed value by: intelligently identifying and communicating information events, taking action when specific security actions occur, integrating the functions on the box for me, and making it manageable and easy. Will I need a log aggregator software (on a separate box) to analyze the logs of the different parts of my UTM box? Even worse, what if I have multiple UTMs? Integrated doesn’t mean co-located businesses with a common receptionist. Yes, it needs a shiny GUI (well, at least a GUI any way) but the functions really need to be integrated. And what if the customer wants to expand what the box can do? Make it run other network software. Our paradigm needs some changing.

Hello!?  Our box runs 25+ applications that our customers asked us to establish a partnership with!  Perhaps "your" paradigm needs changing, but  "my" paradigm  works just fine — in fact it’s the same one you are  promoting!  Have we achieved the level of integration we desire?  No.  We’re working very hard at it, however.

Mitchell, if you’re going to generalize and call for new, "fresh" ideas regarding UTM and basically challenge the facts I’ve put forward, at least spend the 15 minutes as Alan did to learn about my solution before you dismiss it and lump it into the boneyard with the rest of the skeletons, mkay!?

Chris

Best of Breed Says: “Rumors of my death have been greatly exaggerated…”

August 24th, 2006

[Editor’s Note: You should also check out Alan Shimel’s blog entry regarding this meme.  I’ll respond to some of his excellent points in a separate entry, but he beat the crap out of Mike and my Pink Floyd references!  I guess that comes with age ;)]

Uncle Mike and I today debate his notion that Best Of Breed/Best In Breed is dead — it’s actually a sing-a-long to Pink Floyd’s "The Wall."  Who knew security could be so lyrical?

By the way, in case you didn’t figure it out, that’s Mark Twain to the right, who, in his own right was once Best In Breed, is credited for the (butchered) quote above.

I think Mike missed my point — or more realistically, I didn’t do a good enough job of making it before he turned/titled the discussion into another rambling argument about the dying "perimeter." 

This really is the first time I’ve had trouble following Senor Rothman’s logic.  I think Stiennon planted a trojan via our IM chat the other night and is typing in his stead 😉

This is also probably my first really Crossbeam-centric post, but I’ve been prodded by Mike into ‘splaining/defending what we do (and how we do it) via BoB/BiB, so here goes:

Here’s my clarification:

Mike says:

It is my belief (and remember I get paid to have opinions) that perimeter best of breed is a dying architecture. Crossbeam even calls what you do UTM. So maybe we are just disagreeing about semantics and words. Ultimately isn’t this abstracted "security services" layer that you evangelize more of what customers are interested in.

Your definition of the "perimeter" no longer interests me 😉 

If you’re talking about the SMB market and their adoption of Perimeter UTM to consolidate separate appliances, then this argument is done.

However, these customers that suffer from box stacking recognize that they bought the best product they could (perhaps it was more than they could afford) at the time, but what they’re looking for now is "good enough" and "reduced cost."  When you purchase a $500 box that does 8 things for $500, you get a "reduction of (device) complexity" as a side effect.  But it’s silly to suggest that these folks were really BoB/BiB targets in the first place.  That’s why BoB/BiB companies such as Check Point have small UTM boxes in this range.  Please see below.

This abstracted "security services" layer is exactly what I evangelize, however it’s comprised of BoB/BiB solutions and functionality at its foundation.  As players commoditize, they move into core technology as a table stakes play, but then we have distinguished BoB/BiB technology that is truly differentiated for some period of time.  Sometimes this technology becomes a market, sometimes it becomes a feature, but either way, it’s an organic process that is still based upon BoB/BiB.

You bet that Crossbeam is a UTM player.  In fact, despite what Fortinet lies (yes, lies) about in their press releases, Crossbeam continues to be the leader in the high-end ($50K+) UTM market.  However, as I’ve said eleventy-billion times, there is an enormous difference between the small SMB $500 Perimeter UTM solutions and our Enterprise and Provider-Class UTM solutions.

I’m not going to re-hash this here again.  You’ll need to reference this post to get the big picture.  Suffice it to say, we’ve been in business for 6 years with revenue doubling YoY doing the thing that is now called UTM — and we do it in a way that nobody else can because it’s damned hard to do right.

I admit/concede/agree that Single-function BoB/BiB solutions that are intended by their creators to be deployed in a singular fashion on their own appliance stacked next to or on top of another BoB/BiB solution is a dying proposition.   This is why you see vendors — even Cisco — combining functionality into a consolidated solution to reduce security sprawl.   That won’t stop them from building BoB/BiB compartmentalized solutions, however.  This is what vendors do.

Typically integrators get to make money from cobbling it all together.  Savvy resellers and integrators don’t have to cobble if they use an architecture that aligns all of these solutions into and onto a platform architecture that is as much a competent networking component as it is a BoB/BiB security layer.  That would be Crossbeam.

That does NOT, however, mean that BoB/BiB itself is dead (at the perimeter or otherwise) because just like IBM buying ISS (the market leader in BoB/BiB IPS,)  this will result in the inevitable integration via service of ISS’ components into a  more robust suite of security services complemented by infrastructure.   

However, when a single vendor does this, you only get that single vendor’s version of the truth and so I assume this is what Mike means when he says a customer has to "settle" for BoB/BiB.

The dirty little secret is that customers are forcing BoB/BiB vendors to work together — or more specifically work together on a platform using an architecture that provides for this integration in an amazingly scalable, highly-available, and high performance way.

Here are some pertinent examples:

  • Next Generation Networks de-couple the transport from the service layers.  You have plumbing and intelligence.  The plumbing is dumb, fast and reliable whilst the service layer provides the value in things such as content delivery, security, etc.

    In this model, the plumbing is made up of the BoB/BiB networking components and the intelligence layer is comprised of BoB/BiB service delivery components.

    NGN’s are driving the re-architecture of some of the biggest networks on the planet — in fact THE largest IT project in the world, BT’s 21CN, calls for this architecture where BoB/BiB components have been selected to be consolidated in a single platform in order to deliver BoB/BiB security as a service layer across the entire network — end to end.  They don’t expect switches or routers to be able to deliver this security — they trust in the fact that BoB/BiB players will — in one platform. 

    By the way, that includes that little thing called "the perimeter."  I’ve said it once and I’ll say it again:

    The perimeter is not going away.  In fact, it’s multiplying.  However, the diameter is collapsing.

Applying dynamic, on-demand and highly-differentiated combinations of BoB/BiB security services at different areas of the network from a single set of carrier/enterprise -class security switches allows you to secure these micro-perimeters as you best see fit.

You don’t "settle" for anything.  The customer has a choice of which BoB/BiB security software he/she wishes to run and, like a "Security Service Oriented Architecture", can dynamically and at will apply these choices where, when and how needed.  If vendor A changes strategy or goes out of business, you can add/switch vendor B.

  • Virtualization in both the data center and the "network" is dependent upon BoB/BiB to deliver the functionality required for distributed computing.  Just as servers, storage, networking and processing is virtualized, security is too.

    Since many companies are utilizing VLANs to begin their virtualization efforts and beginning to abstract the network in VRF terms @ Layer 2/Layer 3, they have two choices: use the still immature security technology present in clumps in their routers/switches (and hold your breath for SNF — which is really just a product like ours connected to a switch — don’t believe me?  I’ll post one of Richard Stiennon’s slides describing SNF) or choose an architecture that delivers EXACTLY the level of security you need at its most potent level as a combined virtualized service layer across the network using BoB/BiB.

  • Consolidation and Acquisitions will come and go, but you’ll notice that we are able to do things that nobody else can in the BoB/BiB market.  Take this VARBusiness story for example — just published today — in which an established BoB/BiB Firewall player (Check Point) is combined with a BoB/BiB IPS player (SourceFire) on our platform doing something the two companies could not do otherwise.  By the way, and most importantly, the customer can choose from 15+ other BoB/BiB security applications to combine, also, such as ISS, WebSense, Trend Micro, Forum Systems, Imperva, Dragon, etc.
  • Customers (in our world that’s large enterprise and service providers/carriers/mobile operators) are no longer settling for "good enough" and they’re also not settling for having BoB/BiB providers suggest that they need to tear into their networks to integrate their individual wares.  Here’s an interesting one for you:

    While many of them utilize things like FWSM modules in their 6500 series Cisco switches for firewall or even combine Juniper’s ISG2000 IPS devices with the 6500’s to provide FW and IPS together (and both of those are still considered BoB/BiB solutions by the way,) they tell the BoB/BiB purveyors of Web Services/SOA/XML security, gateway A/V, Content Filtering, Web Application and Database security solutions that while they will most definitely want their products, they won’t deploy them unless they run on the big, white, box.  That would be these.

To wrap up, Mike ends with:

To get back to my another brick analogy, you could say that every new best of breed application you add to your box is another brick that makes your box more interesting to customers. No?

Yes, but how does that mean BoB/BiB is dead again?

In the spirit of the Who, here’s an appropriate selection from the Quadrophenia song "I’ve had enough":

You were under the impression
That when you were walking forward
You’d end up further onward
But things ain’t quite that simple.

You got altered information
You were told to not take chances
You missed out on new dances
Now you’re losing all your dimples.

Yours wordily, Mr. Dimples…

Chris

BeanSec! Monday, August 14th…

August 11th, 2006

In the fine tradition started by the boys over @ Matasano, Oliver Day and I (well, Oliver did all the work) as well as Chris Wysopal have conspired to bring you BeanSec! 1.  The event is detailed here, but the relevant description is as follows:

An informal meetup of information security professionals and academics in the Cambridge/Boston area. Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend. (… but Oliver, my dissertation rules!)

The location is the Enormous Room (map) in Cambridge.  6PM.

Unfortunately, I have to go out of town so I cannot attend, but I know Oliver has picked a kick-ass place and the event should be great for those in the Boston area!

Be(an) there or be…well, attending an ISSA event instead, I guess…


On Martin McKeay’s Podcast re: NAC/SNF

August 10th, 2006

Our online MobCast featuring Martin McKeay, Mike Rothman, Richard Stiennon, Alan Shimel and me regarding our on-going debate about NAC and SNF was almost a DNF when we discovered that SkypeCast sucked beyond compare (we jumped to "regular skype") and then Martin’s recording software decided to dedicate its compute cycles to the SETI project rather than record us.

Many thanks to the esteemed Mr. Stiennon who was luckily committing a felony by recording us all without disclosure. 😉  See, there’s a good side to all that government training. 😉

At any rate, we had a lively debate that needed to go on for about an hour more because (surprise!) we didn’t actually resolve anything — other than the two analysts were late to the call (surprise #2) and the two vendors were loud and obnoxious (not really a surprise.)

It was a great session that got passionately elevated across multiple elements of the discussion.  What we really recognized was that the definition of and expectations from NAC are wildly differing across the board; from the analyst to the vendor to the customer.

Take a listen when Martin posts it and let us know if we should have a second session.  I believe it will show up here:

http://www.securityroundtable.com/

Chris