Catalyst Conference 2008


June 2007

June 27, 2007

What is a “self defending” network?

Blogger: Phil Schacter

With its acquisition of Ironport, Cisco once again leads with the “self defending” network marketing message. But with Jericho Forum, Burton Group and others highlighting the changing role of the network in security, has the self defending network marketing message outlived its usefulness, and does it now merely serve to confuse the issues?

Marketing slogan aside, it’s a useful exercise to consider what it means for a network to be capable of defending itself. Self defense is a reasonable goal as long as what we’re talking about are the operational components of a network that are responsible for reliably moving bits around.

When we refer to the network fabric often what we’re talking about are the routers, switches, and other devices that play an active role in the primary job of the network, bit hauling. These network devices incorporate specialized hardware, run optimized real-time operating systems, implement support for various networking protocols, and are instrumented to enable common administrative and operational functions. Proper self defense should include attack resistant software, hardened operating systems, protocols that are secure by design, and controls that permit only authorized administrators and network operations personnel to access privileged functions. Even with this relatively narrow definition, there is an argument that the industry has a long way to go to deliver on the vision of a “self defending” network.

There is a great temptation, especially by vendors of network infrastructure equipment, to want to broaden the role of the network’s routers and switches to include additional security functions that impose restrictions on the traffic and usage of the network. These functions include authentication of devices and users based on 802.1X, enforcement of network access control (NAC) policies based on a system health assessment, and traffic filtering based on deep inspection of application protocols and packet content. Such vendors have positioned the “self defending” network as including this kind of security intelligence, the distorted goal being to protect the IT resources and users that are connected to the network. This is no longer the network devices defending themselves but extending their protective umbrella to every user and resource inside the enterprise managed network’s perimeter.

The notion of a bastion network with an impermeable perimeter around a global, distributed enterprise is almost never the reality. Networks need to be open and flexible to enable dynamic business relationships and business expansion. They typically involve use of public wired and wireless networks, leveraging the ubiquity and economics of the Internet. In these cases, it’s not practical for the network fabric to protect the rest of the IT infrastructure, and attempts to add this kind of intelligence introduce complexity, overhead, and set a false expectation of security. It’s time to shift the burden of defense back to the endpoint devices and the data centers that host business applications and information.

Burton Group will be exploring these issues at the Catalyst conference in its “Networks Without Borders” content track. Check out http://catalyst.burtongroup.com/NA07/CatLiveBlogs.htm over the next few days for real-time coverage of this and other exciting issues!

June 22, 2007

IBM bought Watchfire and HP bought SPI: But who’s going to win the software security trifecta?

Blogger: Diana Kelley

Over two years ago, in the Market analysis section of a Burton Report on application security I wrote, “As the technology and market matures, Burton Group expects that large, established vendors who supply complementary technologies will either develop their own tools or add one of the startups to their portfolio.”  Based on my assessment of the tools and the market, I genuinely believed we’d see that happen sometime in 2006. I was wrong. But, only by a few months.

This month we saw two titans purchase web application testing tools. IBM was first out of the gate, with the acquisition of Watchfire. And HP followed suit this week with the announcement that they’d scooped up SPI Dynamics. These are powerful data points proving that “large, established vendors” are taking the security of applications seriously. Both acquisitions make sense: IBM has a strong history in software development and owns the Rational line. HP put out a clear message about application testing last year when they purchased Mercury Interactive.

From an application security perspective, this is a really exciting shift in the market – but it surprised me that both companies picked web application testing as the strongest horses. My first questions were: Why didn’t either go for a static software analysis vendor? And, what about WAF (web application firewalls)?

IBM had a strong Rational Unified Process (RUP) relationship with static source code analysis vendor Secure Software, the original owners of the Comprehensive Lightweight Application Security Process (CLASP), which has since moved to OWASP. But Secure Software was acquired by competing static source code analysis vendor Fortify in January of this year, not by IBM. And WAFs (like those from F5, Citrix, Breach, NetContinuum, and Imperva) dynamically learn where and how an application may be failing while it’s in production. While the WAFs can be configured to protect the application against its failures, wouldn’t it be sweet if they could consume information from the penetration testing tools, like SPI and Watchfire, and not only provide stronger protection against known vulnerabilities but also communicate their knowledge back to static source code analysis tools (Fortify, Klocwork, Ounce) – the very tools that can point a developer to the exact line of code where the problems may have originated?

Security guys – we know about defense in depth – and I think it’s time to apply that to software. Both in the SDLC and in production. Specifically, the company that really gets this right is going to take the software security tool trifecta; the “shadrack, meshack, and abendigo” (gotta imagine Marlon Brando saying that in his best Sky Masterson voice) of software security. This means, static source code analysis (both in the IDE and stand-alone), pen testing tools, and WAFs – integrated and working together.

IBM – you’re first out of the gate – are you willing to make the acquisitions and do the integration work required to cross the finish line? CA and HP – you’re well positioned, are either of you willing to take the big win? And Symantec and McAfee – take note. Focusing on risk is a great direction – but let’s not forget that the software running our systems, our transactions, our core business processes directly informs what we have to “secure” after the fact. Making that software stronger is imperative.

I’m not a betting man (person?), but if I were, I’d also bet that IBM is going to figure this out first.

Short disclaimer: If you’ve read previous writings of mine on software security, you’ll know I don’t think this is a tools only problem. If you haven’t: it’s not a tools only problem. Robust software means a robust SDLC and there’s a lot of people and process in there, stuff a tool can’t always catch, that must be security aware.

June 15, 2007

Covering your SaaS: Does it make sense for security?

Blogger: Trent Henry

Software as a Service (SaaS) is quite the rage. Google, Microsoft, Salesforce.com.... The list of vendors providing such capabilities goes on, and it's becoming a who's who in the software industry. The value proposition is obvious: use the Internet to connect to software hosted and managed by someone else; don't buy equipment, don't staff personnel, and don't take on the headaches of running IT in-house. The desired result is cost savings. And it's definitely been borne out by customer testimonials. They say there are advantages in reduced capital expense, faster deployment, better focus on core business activities, and pay-as-you-go capacity planning.

But what about SaaS for security?

I'm not talking about the security practices of SaaS vendors themselves, although that is a tantalizing question. Rather, does information security SaaS itself make sense? Firewalls are software, right? E-mail filters are software. Arguably, all the major protection mechanisms from the perimeter layer on down could become services. It might not be fun to think about back-hauling all Internet traffic to the firewall service provider for filtering, but, hey, it's certainly possible (and, frankly, we're often already doing the equivalent with branch sites). Probably the question isn't "can" but rather "should" security become SaaS?

It's a good question to ask because vendors are lining up to offer solutions, and we better have our stories straight before management makes the decision for us. The latest company to enter this fray is Symantec, with a recent announcement about the Symantec Protection Network. This is an evolving platform for delivering security SaaS. It's not the managed security service (MSS), mind you, with simple remote monitoring of your premises infrastructure, but the first step toward intended "security in the cloud." Clearly we've seen elements of this before. Iron Mountain Digital and Sungard provide remote network backup. Postini and MXLogic (among others) provide e-mail filtering offsite. These features are two that Symantec plans to roll out, accompanied by others (no doubt reflective of Symantec's enterprise security suite features) over time.

Is it a good idea? For companies with limited staff and expertise, the phrase "stick to core competencies" certainly resonates. Perhaps SaaS-provided security is better than no security (or bad security). But for a large enterprise, it's not so clear. The goal of information protection is to reduce risk by adding controls for confidentiality, integrity, availability, use control, and accountability. Risk reduction and cost savings don't have to be antithetical, but short-changing risk at the, er, expense of cost-reduction would be a bitter pill to swallow. And this might be what SaaS security offers in the near term: less cost, but more risk.

It's an issue that's soon going to be critical for CISOs and their teams to tackle. We're discussing it at the end of the month at Burton Group's Catalyst conference. Eric Maiwald's talk, "SaaS for Collaboration and Content: A Smart Move or an Invitation to Disaster?" will be a key element. Join in the conversation.

June 01, 2007

Malware - "Still not getting it!"

Blogger: Diana Kelley

At the end of the film "Harold & Kumar Go to White Castle," Harold, emboldened by 30 sliders and an evening of raucous adventures in New Jersey, decides it is time for him to face his fears and declare his affection for Maria. He declares his intentions to his friend Kumar, who, perhaps made sleepy rather than energized by the sliders, responds, "still not getting it!"

Like Kumar, it appears that IT is also, "still not getting it!" when it comes to malware. Case in point, the recently published CIO Insight survey reports that while only 12% of respondents reported that money or property had been stolen through electronic means, a whopping 48% of companies reported penetration by viruses, worms, and Trojans in the past 12 months.

48%. Essentially HALF of all reporting enterprises were hit by some form of virus or worm last year. In most cases, 52% success equals failure. And maybe it is for AV - but maybe not. Another data point - 33% reported that their companies had been penetrated by spyware or other malware. Now contrast these numbers with the fact that 99% of the companies spent money on AV/spyware/malware detection in 2006 and 97% plan to spend on AV/spyware/malware in 2007.

Hmmmm, we spent money on AV, it didn't work and half of us were penetrated, so let's keep spending! More must be better, right? Not to mention that many security assessments will mark down an organization for not having AV, the PCI DSS explicitly states AV must be on Windows machines in the payment ecosystem, and the generally accepted rule is that we're better off with AV than without it.

But is that true? Are we better off? What's the real cost of deploying and managing traditional AV products versus their overall effectiveness? Is AV worth that cost? I'm not talking about the standard hand waving of "oh signatures won't work," but a real shift in thinking. If the 52% represents real dollar savings over and above the cost to purchase and deploy the AV and that also outbalances the costs associated with the 48% penetrations - then it could be success from a bottom line perspective. But it might not be.

We know that 99% of the companies in the survey spent on AV last year, and half of them got hit. What we don't know is if that money was well spent. What we need are metrics that study percentage of attack for companies that use mitigating controls (such as perimeter and host firewalls, intrusion prevention and white listing) in lieu of AV and in addition to AV. We need a quantitative survey of the effectiveness of various measures. As far as I know, we don't have these yet. Let me know if you know of any.

We have an industry that continues to throw money at technology with a high penetration rate. What we don't have are numbers that tell us whether that rate is acceptable or not. What we are is, "still not getting it."