Bogus security promises and how to detect them
14 March 2008, 10:13
What is true enterprise security and how do you get it? Bogus promises by vendors are all too common. In this recent Network World chat, outspoken security analyst Nick Selby humorously tackles the truth about data leakage products, smartphone protection, hotspot threats and the word "solution." Nick Selby leads The 451 Group's Enterprise Security Practice. Selby also serves as The 451 Group's Director of Research Operations and is on the faculty of the Institute for Applied Network Security.
Security start-ups promising protection from bot attacks seems to be the rage. I'm skeptical. Should I be?
Well, the only alternative answer to your question would be my advising you to be gullible, so I think I'll go with A, yes, you should be skeptical. Bot attacks are launched by people exploiting vulnerabilities for profit. The cost of an owned Windows box is really low - in Dan Geer and Dan Conway's recent Owned Price Index, they state the cost as US$0.04 - so the costs involved in getting a lot of them to do something awful are fairly low, and the chance you'll be caught even lower. When companies come out and state that they can promise protection from botnets, I'd start by asking lots of questions and being very careful about believing the answers. Not saying they're lying, just saying that what they're promising is to fix a constantly moving target.
What is the biggest load of nonsense that security vendors are pushing at us?
This will sound like semantics, but it's been the devious insertion by vendors of the use of the word "solution" and its take-up by buyers. I could say that a farm that's biodynamically sustainable and militarily defensible is a "hunger solution," but calling an IDS a "solution" is a little ridiculous. It's saying, "Oh, good, they've solved the problem of intrusion! Good for them!" It's truly insidious that people are now referring to products of some genuine but specific value as something that has solved a problem. Enterprise IT is like New York City - it will be great when it's finished.
Along those lines, what about data leak protection - is it a "product/solution" or is it all hype?
That they can stop intentional theft of data, and that they can - in a vendor's own words, 'Stop all leakage and loss in any language, via any channel'. What utter tosh! Anti-data leakage (ADL) boxes and agents are great at reducing noise, at stopping stupid and inadvertent leaks which are clearly the most prevalent source of confidential and regulated data dissemination BY VOLUME (not by severity). That says a lot. But protecting your data is about far more than just stopping accidental leakage, it is about understanding how your company does business and the processes by which it turns information that it processes into checks made payable to it. On March 31, we're releasing a long format report on this very subject called Mind The Gap. It sets forth a no-cost framework to help end users get a better grasp on how to prioritize and understand the flow of data through their organizations. It then helps them prioritize the problems and use information to get vendors of four classes of related products (ADL, disk encryption, port and device control and database transaction monitoring) to better understand their needs to start addressing the problems of unprotected data in the enterprise.
If a vendor (say a start-up) comes up with what they feel is a new approach to addressing security concerns, or a specific issue (say, stronger user authentication), what would you call it if not an authentication solution?
I'd err on the side of "product", seriously.
Are integrated end-point security suites (i.e. Symantec/McAfee) as effective as best-of-breed 'solutions'?
Not sure about the exact answer, as I would say that it varies. But as far as the "is the agent dead?" kind of question, I would say that, interestingly enough, we find that we are seeing greater demand - in fact increasingly shrill and irritated demands - from the enterprises to get agents right, unified and functional. We saw GE chuck out Symantec and the Miami-Dade School System chuck out McAfee because of dissatisfaction with agent unification and performance, updates, customer support and stability. But we are also hearing from end users that they are desirous of having ADL, port and device control and disk encryption agents unified with antimalware, host behavior-based IPS and the like. Guardium and Imperva tell us that their agent uptake for database servers is now through the roof. (Disclosure: Guardium is a 451 customer; Imperva is not.) So we say that there is tolerance for agents provided that they work, play nicely with other programs and don't blue-screen Windows.
We see ADL as an important part of something bigger - and that something bigger is likely to be the second-tier antimalware vendors who know a thing or two about building agents. So in that list we would pick out AhnLab, Hauri, Grisoft (AVG), Panda, Trend Micro, Sophos, Kaspersky, BitDefender, GFI Software and other companies (disclosure: Sophos is a 451 customer) as tops in looking to extend their antimalware agents to look at data leakage. We've seen Utimaco (a 451 customer) and other disk encryption vendors doing the same thing. So are agents dead? No. It's just that most IT people wish they were. However, were it not for that latter bit, companies like BigFix (a 451 customer) and Lumension (not a customer, and a company whose name sounds like a prescription sleep aid) would have less to do.
HauteSecure released a new version of its anti-drive-by-download product recently. Is there really a market for browser plugins that do this sort of thing?
Well, if you ask the guys at Finjan, Grisoft (AVG), Symantec and McAfee then the answer is yes. But the real issue I suppose is the reactive nature of this. I like the power of the gang by companies like Prevx and indeed Haute of trying to use the users to gather intel and feed a central hive to disseminate. But at the end of the day it's reactive and therefore by definition behind the eight-ball from the get go - whaddaya think?
Do you think security vendors are creating problems then, to which they have the solutions for? That sounds very cynical...
I am not seeing the connection between what I said and what it seems like you thought I said... As we all know, Microsoft is to blame for everything. What I do mean to say is that security vendors often have very valid things to say about very real problems, but they get so caught up in the cycle of hype and marketing that they forget to speak English. Take the anti-data leakage guys - they solve an enormous problem, yet they insist on saying that they solve the WHOLE problem, ALL OF IT! It's disingenuous and needlessly distracting.
What's the upside to these data leakage products -- what's new with them? In what ways are they improving?
They're all getting better at "stopping stupid," and they're all getting better at helping managers have more visibility into the traffic that is moving from inside their organizations to the outside. Our recent survey for Mind The Gap showed that only 37 per cent of commercial enterprises had done work to determine where data resided within their organizations, and while 26 per cent had created a data classification scheme (with data classifications such as "public," "confidential" and "regulated"), more than half admitted that enforcement was non-existent. Only 22 per cent of organizations surveyed had even conducted any analysis into interdepartmental communication at all, let alone analysis of whom people inside the company were talking to outside of the company. ADL products can help with these kinds of analyses.
What's the market for mobile security going to be like now that the iPhone has opened up a bit? Is this what F-Secure has been waiting for?
Interesting that you say that because F-Secure seemed to back away from its very expensive strategy of serving the needs of mobile malware sufferers. Like the guy who gambled on Newark real estate in the 1940s because NYC was getting too big and people would need to expand, F-Secure was right but a long, long time too early. Now that we are starting to see smartphones actually having much of the functionality of endpoints, I do believe that we will start seeing those kinds of threats emerge slowly. And look who's making hay? McAfee!
What do you think is the biggest "real" security problem that enterprises are facing?
It's really broad, but the most important thing, I think, is to get an understanding - and this might require a committee comprising a business leader, an IT leader, an apps and DBA and security leader - of what traffic is going on in your networks or through / to / from your servers and why. What business purpose do we suppose, on a truly enterprise-wide basis, is served by the flows we observe? That's when we start to see the true impact of broken or ad-hoc business processes on our IT infrastructure. It takes time, commitment and senior business leadership support. And at the end of the day we think that information protection is far more a business problem than an IT problem. What hoops have we set up inadvertently as security professionals that have had the downstream effect of asking well-intentioned people just trying to do their job to take shortcuts to circumvent our "fixes"? How can we fix processes that are broken and better understand how people ARE working, rather than how we would like them to work? Getting that horizontal, enterprise-wide, non-siloed view into our operations is really, really hard - and I say this as someone doing it, as well as someone talking to hundreds and hundreds of people doing the same thing. The key is that there's no magic box, no goddamn "solution" and you're never done. Ever.
The other thing that drives me crazy is the oft-repeated malarkey about 'secure computers being ones encased in cement.' Helloooooo? Security comprises confidentiality, integrity and AVAILABILITY. People need to use the stuff, not just look at it. It's like with instant messaging. Our managing analyst Nick Patience said that with IM there were three distinct steps: Panic ("Shut it down! Shut it down now!"); followed by step two, Peasant Revolt ("Hey, we can just download Gaim/Skype/Whatever"), closely followed by step three, Capitulation and an enterprise-wide strategy to adopt a new technology. Step 2 was caused by removing the availability of a great business tool that people were already using. Skipping it and going directly to step three has tremendous ROI in terms of not having to fix the zillions of holes opened by the adoption by users of whatever the hell they can get their hands on to circumvent a silly attempt to stanch the flow.
When we talk about enterprise-security, we talk only about the decision makers. Shouldn't end users be made part of the whole process, since that's where most of the problem starts?
Great question, and yes, absolutely. I think part of the last thing I said in my rant was addressing that entirely. What we find when speaking with end users is that the vast majority are nice people just trying to do their jobs and finding ways around the roadblocks we have set up to let them just get to it. So it's really important to have a look at the traffic on your subnets and networks and see what pops out; see if you can, for example, tie the most popular server in the place to an actual business process or something else ... then find out why people have reverted to doing whatever it is that they're doing that you didn't figure they would do ... and then do something about it.
So what's the solution to keeping tight security and not setting up too many "hoops" for people to jump through? That's the trade-off isn't it? If they don't want hoops, they don't get much security.
That one is another great question. But basically in a nutshell I would say that business should drive your IT and security infrastructure, and not the other way around. That sounds simple enough until you realize that for the most part that just does not happen. The real issue we find in talks with end users and in our analysis of our own networks is that we don't know where anything is!
It does sound like you're giving a lot of credit to end users. I know a lot of them that are walking security holes...
Totally, but if we think about what they're actually trying to do we can come up with ...oh, GOD, better ways to help them do what they want in a way that we want them to do it.
On the topic of NAC - are you seeing many successful real-world enterprise-scale implementations?
It depends on what you mean by "successful" - we believe that the definition of NAC has changed in the past five years and just released a report about that last month. An F50 customer told me that NAC to him was "Just tell me if the damn firewall is turned on and the AV is on and relatively up to date," where others, like in Israel, are looking seriously to throw people off the corporate resource and also to get visibility into what is actually connected to the network at any given time.
What's the outlook for typical security consulting as we head into a recession?
I think that midsize and smaller businesses that are regulated either by governmental or industry rule sets like PCI offer a tremendous consulting opportunity to smaller consultants - these are folks who can't necessarily afford the PwCs or the IBMs, but they have as burning a need as those larger brethren who can afford it. Smaller shops have a tremendous opportunity here for semi-bespoke services and audits.
How should we roll out ADL? What steps and what tools?
I just grabbed two paragraphs from our upcoming report, Mind The Gap: The best customer for any category of ADL product is one that has determined roughly the scope of its problem and the areas of its most immediate concern. These data points would have been derived through a fearless examination of its business processes to determine the business risk associated with various activities and the business impact of a leak or loss resulting from those activities.
Such well-informed customers increase vendor profits by reducing sales cycles and effort spent on education; our research indicates that such customers tend to buy more initially, and deploy more thoroughly than do non-informed customers. In the words of one vendor, a customer able to articulate the scope and breadth of its problem and specific areas of priority is, "Our dream customer." He then said that of all his customers, only one fit our description of a "well-informed" one.
Is compliance with regulations and industry standards as big a security driver as most vendors think (or claim)?
What we are seeing is that yes, compliance is driving budgets. The problem there is that it is also driving security purchases, and that in turn means that businesses are allowing the government and MasterCard to set their priorities for them. Now, unless you ARE MasterCard, we think that's kind of a bogus way to proceed. But your question sadly I answered with a "yes." What we would like to see more of is use of compliance and rule sets to get actually secure as opposed to merely comply. PCI for example is really, really prescriptive, and 90 per cent of it is stuff you should do anyway.
How fast are enterprises catching up to the increasing complexity of wired/wireless networks? Security solutions are getting obsolete faster? How does one design a good solution keeping the economics in mind?
One investment banker we spoke with talked about this in terms of perimeterization, and I think that it counts here. It's not really about where (wired or wireless) the attack is coming from, it's about what is being attacked. I mean, if a guy shot you, would you care if he drove or took the subway? We've been saying now for some time that the decade-old paradigm where there is a big red circle and everything inside is good and everything outside is bad is giving way, and must give way, to a new way of thinking. A look at the enterprise shows that even small companies like The 451 Group - which has 90 people in five offices and two countries - rely increasingly on Web-based applications that face towards the public Internet. Our workers are mobile, and insist on the same experience whether in the office or in the airport, and that means that we need instead lots of little circles - firewalls around our crown jewels, database transaction monitoring, multi-factor authentication, user-level authentication to data from our database, endpoint firewalls etc. So we're clearly moving towards the time in the enterprise world where nearly all connections are made essentially as remote ones, whether you're at the racetrack or on the 16th floor of corporate HQ. That means rethinking how we perimeterize, how we protect the endpoints and how we secure the connections from the endpoint, through the Web application firewall, through the Web-based application, back to the secure data repository, so that each link in the transaction (using the term to mean "computers exchanging stuff," not "someone buying something") is secured as much as is reasonably possible.
How about some insight on wireless security? Use WEP/WPA/WPA2 and call it good? Or is there some Big Dark Secret about wireless security that enterprises need to know and vendors aren't telling us?
Actually, no. WEP isn't good enough. My litmus test is that if I can break it - and I am truly, truly untalented - then it sucks. So WEP sucks. I also think that people have been saying this for quite some time - WPA or better is not really a secret; it comes out of the box. I think that wireless IPS, and understanding from a user and infrastructure perspective what wireless is around and connectable and connected to by your employees, is really important.
What about WEP at home? I live in a sparsely populated area, WEP should be fine or am I misguided?
The latter, sorry. It comes to this: do you want to explain to the group of FBI agents who are milling about your living room and eating your donuts that you didn't mean to be the conduit for child porn they've been watching for six weeks? Or just set your router to WPA and be a lot more reasonably protected? An interesting question, too, is whether WEP or an unprotected Wi-Fi access point is actually breaching the Patriot Act. What if a Danish terrorist used your unprotected connection to send back illegal cookie recipes to Copenhagen? Are you sending material comfort and aid to the enemy? I would not want to argue that in a room at Gitmo.
Is Vista going to seriously dent the AV market by making it non-essential?
I think that we're seeing the effects of Vista now in the dynamic that has been taking place within the AV industry, and it hasn't really, like, DONE anything yet. But we are seeing a nascent industry pop up around support for things that Vista ALMOST does, and I think that we can expect to see the second and current third tier of AV vendors making products that expand or enhance the built-in features of Vista to make them more usable or sensible.
Is it safe at all to recommend to the mobile workers about using wireless hot spots when they're out and about?
The idea of letting our users out and about on public hotspots is one that gives me the willies but is also one we can't really get away from. I think that securing endpoints - and again we're back to the next generation of those second tier AV and endpoint agent guys again, using firewalls and behavioral detection methods at the endpoint and on the application side is crucial. It's a huge question that goes back to the earlier answers about perimeterization and goes forward to how we will be connecting and getting that fat-client experience over the next couple of years that people are increasingly demanding.
What do you see as the biggest up and coming security technology and why?
This will sound ho-hum, but I have been really excited about Voltage's new Format-Preserving Encryption [disclosure: Voltage is a customer of The 451 Group], because it lets companies that process credit cards and have legacy systems which might be capable of only holding 16-digit numbers for a card number (as opposed to a long encrypted string) convert credit card numbers to encrypted numbers. Voltage claims that the algorithm they use to make the conversion is as hard to reverse as AES-128, and shows a long proof drawing on work that's been in the public domain for a long time. I think that identity-based encryption itself is another good step forward.
What about antivirus for the smartphone?
I think that the earlier question asked started to get towards that, and we do see that this will increasingly become a threat. Interestingly I think that this will go after the coolest and most popular kinds of fat mobile clients first, which could be a real shock if EVERYONE is trying to break a certain piece of gear at once. But immediately? I wouldn't run out and buy anything today, but I would watch and wait and see, with increasing interest depending on how cool my smartphone is.
What's the easiest way for me to find out whether I have insiders stealing data from my company?
This is a really hard question. The cynic in me says, go into work and open the door, but the reality is that insider threat and its detection are increasingly vexing problems. The stuff I was talking about earlier regarding looking at business processes, looking at NetFlow, USING WHAT YOU HAVE NOW instead of buying the latest and greatest is the easiest way. Use application-layer firewalls and IDS and ngrep and whatever you have to search for strings that are sensitive - not regulated, but sensitive to HOW YOU DO BUSINESS. Log them to a text file and read it every now and then. If you see stuff you shouldn't, find out why. That also goes back to being an educated customer - the ADL, database transaction monitoring and port and device control guys can all help you do this, but the more you know when you walk in the door, the more you're likely to get out of the relationship.
Any litmus tests for the every-month (or every-day) security solutions like PEAP, EAP-TLS, etc.? Can a security admin just be sure which one to use over the other?
I am frightened of the concept of a 'security litmus test' because the way we all do business is different. There is no one size fits all. What is important to my business is worthless to yours and vice versa. But the fact is that whether you make artisanal cheese or missile systems, there is SOMETHING that you need, that is truly competitively crucial to your survival, and you should let that business need drive what you protect and how.
Any types of security products that are better off being bought as a SaaS product than as a traditional software product?
I would say that messaging is a no-brainer here. The Google/Postini product offering messaging filtering for like US$25 per user per year is just a hell of a lot better than I can get anywhere else. We use hosted Zimbra and Barracuda and it's wonderful - much better than when we were all sitting around trying to do it ourselves. Log management, firewall management - anything that is not your core competence and is someone else's is a great candidate. [Disclosure: Barracuda is not a client. I don't know if Google is. I think Yahoo (which bought Zimbra) may be].
LifeLock (or other anti-identity theft) organizations are getting the thumbs up from several well-respected security pros. Others say these kinds of services are a rip off. What gives?
I'm one of the pros who gives it a thumbs up. I'm a LifeLock customer (no discount, and I think they MAY be a customer of ours) and I can say that it works as advertised at least as far as setting and maintaining the alerts. I am also a customer of freecreditreport.com's decidedly not free service, and Equifax or Experian or one of those, and I keep a close eye on it, so I see what LifeLock does for me. Their analogy about changing the oil on your car is the best one - sure you can do it yourself. Go ahead and deal with the credit bureaus if you want. That's well outside my core competence. Besides, the credit bureaus are there to protect lenders, not you, and staffed, it seems, entirely by graduates from the New Jersey Registry of Motor Vehicles or the immigration bureau. Horrible experiences. I would much rather pay LifeLock US$100 or so a year to deal with them. If you've got the time and inclination to wrassle with TransUnion, Experian and Equifax, have at it - it's free as the air to set fraud statements every 90 days, last I checked.
Application security is getting more attention and is being addressed as a higher priority now. What are your thoughts on this emerging area of technology?
Very cool. We are seeing this as a truly painful and necessary evolution, and this is a cultural shock more than a technical one. This has to be top-down change in the way we look at imagining, developing, testing and rolling out applications. Some of the companies we like here: Veracode, Clockwork, Fortify (can't remember if any are customers of ours), but we also like the Six Sigma approach of looking at your application-development cycle as starting with secure-code training for EVERYONE involved with coding, testing in dev, auditing, then testing, then dynamically testing in QA and in production or in a virtualized production image - but testing, testing, testing and baking it right in. Companies really good at this are GE and many of the investment banks, which have been doing it for years. Smaller companies do it the traditional way - hurry, hurry, hurry, get it out, fix it in the mix - which means that you're always going back and fixing stuff you could have fixed earlier in the name of getting business done. That is a false economy, so baking security testing into the application development and QA stage is crucial, and as I said will be painful for many. Dynamic testing afterwards is easy-peasy.
Mobile voice encryption is an up and coming technology for companies wanting to protect cell phone users from eavesdropping. What are some of the pros/cons of it?
Encrypted voice! It's like a jetpack - of course I want it, and I have absolutely no need for it, it's just cool. Speaking of cool, KoolSpan (disclosure: not a 451 customer) just launched the TrustChip, which allows smartphones with an SD card slot to do encrypted voice and other applications for US$300 a pop - THAT is cool. It also is an elegant approach to solving the problem of extended trust - that is, TrustGroups claims it's configurable in a manner that means that just because A trusts B, and B trusts C, it does not necessarily follow that A trusts C. Awesome, but we wonder about KoolSpan's funding. That said, a wicked smart friend of mine who works at a high-falutin' lab just spent a day down there vetting the thing and says it's as cool as I thought it was. So yeah, bring on the voice encryption calls! Cons? So you're pressing me and I'll pull one from the sky: I would assume scrambled calls might send your line directly to the Raised Eyebrow Department of whatever federal agency is monitoring your calls - and if none is, what could be wrong with encrypted voice calls?