
Posts from August 2007

August 31, 2007

I'm a Twit(terer) but did you know that the L.A. Fire Department is, too?

If you look over to the right under the Lijit widget, you'll see that I use Twitter.  It's addictive.  At first I thought it was stupid.  Now I'm having simplex "conversations" with myself and others(?) that are strangely satisfying.

If you don't happen to know what Twitter is, it's basically a "micro-blogging" (ugh) social-networking site.  Read more about it here.

If you were so inclined, you can feel free to bore yourself to tears by tapping into the ever-exciting neartime log of my activities -- only to discover that all I do is eat and sit in airports.  Thrilling.

However, as I was browsing the Twitter site today, I found that the L.A. Fire Department actually logs (all?) its calls to Twitter -- it's the web-based version of sitting in front of a scanner and listening to dispatch.  They also maintain a blog.  Imagine if the LAPD did the same...now that would be "fun."

Scoble covered this back in July and unfortunately I didn't happen to see it at the time. 

This got me thinking about two things: how interesting this is to those whose hobby in the analog world is following the LAFD's actions, and how unique an application this is for broadcasting information from and to first responders as an alert/emergency service.  It also got me thinking about potential applications in the DoD space.

I'm readying another post regarding some of the impacts that Web2.x and various collaboration and interactive technologies have had on the modern warfighter, but this really struck me as interesting.

With some of the various visualization tools coming to bear (Twitter is introducing one) one could take human-generated as well as automated feeds of unstructured, yet contextual theater updates (in addition to more structured data such as engagement, position, movement, number, etc.) and parse/visualize activity over time to arrive at some very interesting data points.  More on that later, but noodle on it.

Back to the LAFD's Twitter and why I'm bringing this up on my "security" blog...while it appears that these logs are public record, check out the information you can glean from these entries -- they appear to be unparsed.  Is anyone else concerned by the privacy implications of including personal information as part of these feeds...esp. when paired with the types of activities profiled in the abstracts?
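The privacy point above is about what leaks when dispatch entries are published unparsed. As an added example (not code from the original post, and not anything the LAFD runs), here is a small pre-publication scrubber that generalizes exact street addresses to the hundred block, strips unit numbers, and redacts phone numbers and patient descriptors before an entry is pushed to a public feed. The sample entries are constructed in the style of such a feed and are not real log lines; the field layout they assume (incident type, address, notes, fire station) is an assumption.

```python
import re

# Constructed sample entries in the style of a public dispatch feed.
# Invented for illustration; they are not real LAFD log lines.
SAMPLE_ENTRIES = [
    "*Traffic Collision* 1234 N Main St, Apt 5B; 2 patients, call back 213-555-0142; FS 3",
    "*Medical* 245 W 9th Pl #12; 67yo male, chest pain; FS 9",
    "*Structure Fire* 8821 Sunset Blvd; no injuries reported; FS 27",
]

STREET_SUFFIX = r"(?:St|Ave|Blvd|Pl|Rd|Dr|Way|Ln)"

# (label, pattern, replacement). Order matters: unit numbers are removed first so the
# house-number rule sees "1234 N Main St" rather than "1234 N Main St, Apt 5B".
RULES = [
    ("unit",
     re.compile(r",?\s*(?:\b(?:Apt|Apartment|Unit|Suite|Ste)|#)\s*[A-Za-z0-9-]+\b", re.I),
     ""),
    ("house_number",
     # exact house number -> hundred block ("1234 N Main St" -> "1200 block of N Main St")
     re.compile(r"\b(\d{1,5})(?=\s+(?:[NSEW]\s+)?\w+\s+" + STREET_SUFFIX + r"\b)"),
     lambda m: f"{(int(m.group(1)) // 100) * 100} block of"),
    ("phone",
     re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
     "[phone redacted]"),
    ("patient",
     # age/sex descriptors such as "67yo male"
     re.compile(r"\b\d{1,3}\s*yo\s+(?:male|female|m|f)\b", re.I),
     "[patient details redacted]"),
]


def _apply(entry):
    """Run every rule in order; return (scrubbed text, labels of rules that fired)."""
    hits = []
    text = entry
    for label, pattern, repl in RULES:
        text, count = pattern.subn(repl, text)
        if count:
            hits.append(label)
    return text, hits


def scrub(entry):
    """Return the entry with personal details generalized or redacted."""
    return _apply(entry)[0]


def find_pii(entry):
    """Return which categories of personal detail an entry contains (for auditing a feed)."""
    return _apply(entry)[1]


if __name__ == "__main__":
    for raw in SAMPLE_ENTRIES:
        print(find_pii(raw), "->", scrub(raw))
```

The incident type, general location and station survive, which is what a scanner hobbyist wants; the exact door, the callback number and the patient's description do not. Anything a rule cannot classify is left alone, so this is a floor, not a guarantee, and `find_pii` is the audit hook for reviewing what the rules are catching.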

/Hoff

Cisco & Trend Micro: Friends, Lovers or Still Contemplating the 29 Dimensions of Compatibility on eHarmony.com?

Cisco Turns to Trend Micro for Router Security

Interesting title -- and one that's appropriately bold (pun intended.)

I found this story (below) regarding the apparent renewal of vows between Cisco and Trend interesting because of what is perceived by many as somewhat of a strange on-going dating relationship between the two companies. 

Some might suggest that over the last few years, with Trend's inclusion as the A/V function of choice across many Cisco platforms and the NAC partnership, etc., that TM was looking to ultimately get bought by Cisco. It certainly appeared that way to me.  Perhaps the dowry was just too great, but it certainly looked like Cisco decided that monogamy wasn't in the cards.

When Cisco acquired IronPort, many felt that while they were specifically focused on messaging security, that the technology would be leveraged heavily across Cisco's product lines and the Trend partnership would eventually wane.

Trend is well known for both its anti-virus/spyware/spam solutions and its web-based security gateways, while IronPort is known mostly for the former (see below, however.)

It's interesting to try and reconcile the commonalities between the two companies' product offerings.  On the surface, they both claim to do similar sets of things -- even down to the reputation services elements of their products.

Here's what IronPort suggests they provide:

Email Security

The IronPort email security appliances are the most sophisticated systems available today. In production at eight of the ten largest ISPs and more than 20 percent of the world's largest enterprises, these systems have a demonstrated record of unparalleled security and reliability. The same code base that powers IronPort's most sophisticated customers is available in all of IronPort's email security appliances, to protect the email systems of enterprises of all sizes. More.

Web Security

The IronPort S-Series™ is the industry's fastest Web security appliance. The IronPort S-Series appliances combine a high-performance security platform with IronPort's exclusive Web Reputation technology and IronPort's breakthrough Dynamic Vectoring and Streaming™ (DVS) engine, a new scanning technology that enables signature-based spyware filtering. Robust management and reporting tools deliver ease of administration and complete visibility into threat-related activity. More.

...and yet, excluding the desktop reach, it's almost identical to what Trend Micro suggests they bring to the party.


So if IronPort was supposed to be the content security play for Cisco, does this mean that their adaptability beyond messaging was either never in the cards or just isn't panning out as quickly as was hoped?

Specific activity in the Channel from Trend certainly seemed to imply there was a wave of panic regarding the long strategic partnership between the two companies after the acquisition and it was unclear how Trend might proceed should the couple "become friends" instead of lovers. 

That's not to say that Trend isn't a healthy company, but there was, and is, a lot riding on this relationship.

So today, we see this announcement (from CRN/ChannelWeb):

Cisco Systems Thursday unveiled plans to add content security services to its routers via an extended partnership with Trend Micro.

The San Jose, Calif.-based networking vendor plans soon to integrate Trend Micro technology into the operating system of its Integrated Services Routers (ISRs), adding services such as content filtering to its family of branch office routers, said Tom Russell, senior director of Cisco's Security Technology Group.

The new offering, which will be available "in the near future," will make it easier for channel partners to build layered security solutions, as the ISR family already supports several integrated security options, Russell said. It will also help push content security out to remote locations, he added.

"You need to have content security at the central site, but you also have to distribute it to all of the points in the network," he said.

Cisco and Cupertino, Calif.-based Trend Micro have been working together since 2004. Trend Micro content security technology is already incorporated into Cisco's Adaptive Security Appliance family of unified threat management wares.

Trend Micro is also a partner in Cisco's Network Admission Control initiative and offers its own Damage Cleanup Services for the Cisco MARS (Mitigation, Analysis and Response System) platform.

Interesting, eh?  The ASAs were looking like the beginning of a UTM platform of choice for Cisco, but given the popularity of the ISR and the integration of certain WAN/Branch Office functionality (not to mention install base) this makes sense.

So we're back to figuring out where the intersection of IronPort and Trend lies.  It certainly seems that this announcement sees the happy couple holding hands again, and it leaves me more confused about IronPort in the long term now instead of Trend.  I also seem to recall that IronPort utilized Sophos' AV engine...perhaps that will/has changed?

I continue to go to shows where the IronPort brand (and booth) is still separate from Cisco's and the IronPort website is still brand discrete (albeit with a "...part of Cisco" graphic) which is a little odd.  I thought IronPort was going to be the leveraged integrated content security play for them?

It wouldn't be the first time I'm confused by Cisco's acquisition integration strategy.

/Hoff

August 30, 2007

Those of You Wanting the .PPT/.KEY version of the Virtualization Deck...

Here you go.

As I explained, the export from Keynote to PowerPoint renders some of the font formatting and shadow effects rather poorly.  You can fix this by:

     1. Using a Mac, and
     2. Using Keynote ;)

You will need to clean this up should you hope it matches the .PDF you first saw.

Just in case you're interested in the Keynote version, here is the link to it, also.  I compressed this one.

I apologize for the filesizes, I didn't spend much time optimizing anything for these.  I hope they help.  I will, at some point, probably revise them to include some timely information.

Enjoy

/Hoff

{Link was broken for the Keynote file.  Fixed as of 2:31am EST.  ;) }

August 29, 2007

Apparently, InfoWorld's Executive Forum on Virtualization *IS* Concerned About Security...

You might remember a post from a few days ago wherein I lambasted InfoWorld for not including security as a mainline topic for their upcoming Executive Forum on Virtualization.  I was pretty gruff, but I don't think out of line, in calling them on this point.

I blogged about it, tracked down the Forum organizers' contact information and fired off an email to Jill Martay (VP of Events) and Doug Dineley (Conference Chair) with no expectation that I'd receive a response.

In the meantime, Alan Shimel piped in, consoling me in his ever-effervescent style, by suggesting that despite my longwinded plea for sanity, I was merely wasting my breath -- but that I shouldn't worry because he's making up for it with all the interviews he's giving on how StillSecure will address the topic ;)

My friend Chris Hoff has himself all worked up. In fact Hoff is in a huff. What has Christofer (for those who may not realize he spells his name funny) so worked up, you ask? It seems the good folks over at InfoWorld are staging an Executive Forum on virtualization next month down in NYC.  Nowhere on the agenda is even a mention of security and the challenges that a secure virtualization environment poses.  Chris goes so far as to offer, on his own dime, to go down and personally deliver a presentation on security and virtualization. Well, Chris, it would be nice to see the InfoWorld folks take you up on this, but I would not hold my breath.

While I obviously agree with Alan that virtualization is a fantastically interesting and relevant topic, it's nice to know that even Alan can be wrong sometimes, too...it wasn't a waste of time, at all.

Today I received an unexpected response to my email that described my disappointment in the lack of security content in the forum.  This email came from both Jill Martay and Doug Dineley which I thought was not only classy but reasonable:

I don't disagree. My original plan for this event included an expert 
panel session on security, and I spent a good deal of time trying to
put that together. I found it quite difficult to create a meaningful
session that included people with useful things to say. And I didn't
want a session with a lot of hand waving and cries of "the sky is falling."

I hope to do better for the next forum, which is coming around in
February (I think). The level of discussion around securing virtual
servers will rise over time, as more security officers start grappling
with larger virtual environments.

I thank you Doug and Jill for both responding and explaining the situation and I look forward to speaking with you soon with some recommendations for content which satisfies your requirements -- and those of your attendees.  I'm convinced there's plenty out there...

So, Alan, sometimes it's worth a few altruistic exhales on behalf of a secure humanity.   You never know, you might get back a breath of fresh air in return.

/Hoff


Das GooglePhone...Powered by GoogleOS...Will Be Connected Via GoogleFi via GooglePOPs...paid for by GoogleAds...

There have been no shortage of rumors, leaks and innuendo lately regarding Google's plans for the production of the GooglePhone.

Google's made no secret of the fact that it's shopping for platform partners as they "explore" the potential.  It's suggested an announcement will come officially after the Labor Day holidays here in the U.S.

Google has quietly made at least one acquisition that would support the case, namely that of a mobile software company called Android.  Android was started by one of Danger's co-founders and developed a Linux based OS for mobile platforms.

Stick that OS on any number of platforms (such as those from HTC which recently leaked prototype information) and you get a nifty little extensible platform that runs a litany of Google Apps natively.  So far we've got the GooglePhone and GoogleOS labels out of the way...

Mitchell is smiling in anticipation in that he thinks he'll be able to ditch his possessed PPC/SmartPhone and use a GooglePhone on Verizon's network.  Not so fast, Mr. Happy...

Now, while many folks are happy to think that they can have a more usable, extensible, flexible, reliable and expandable mobile platform that natively runs Google's Apps., what many are not piecing together is Google's $4.6 billion decision to participate in the federal government's upcoming auction of wireless spectrum in the 700 megahertz (MHz) band:

In a filing with the FCC on July 9, Google urged the Commission to adopt rules for the auction that ensure that, regardless of who wins the spectrum at auction, consumers' interests are served. Specifically, Google encouraged the FCC to require the adoption of four types of "open" platforms as part of the license conditions:

  • Open applications: Consumers should be able to download and utilize any software applications, content, or services they desire;
  • Open devices: Consumers should be able to utilize a handheld communications device with whatever wireless network they prefer;
  • Open services: Third parties (resellers) should be able to acquire wireless services from a 700 MHz licensee on a wholesale basis, based on reasonably nondiscriminatory commercial terms; and
  • Open networks: Third parties (like internet service providers) should be able to interconnect at any technically feasible point in a 700 MHz licensee's wireless network.

As a sign of Google’s commitment to promoting greater innovation and choices for consumers, CEO Eric Schmidt sent a letter to FCC Chairman Kevin Martin, stating that should the FCC adopt all four license conditions requested above, Google intends to commit a minimum of $4.6 billion to bidding in the upcoming 700 MHz auction.

So, without the dark overlord overtones, let's say that Google wins the auction.  They become a mobile operator -- or they can likely lease that space back to others with some element of control over the four conditions above.  Even if you use someone else's phone and resold service, Google wins.

This means that they pair the GooglePhone which will utilize the newly acquired GoogleFi (as I call it) served securely cached out of converged IMS GooglePOPs which I blogged about earlier.   If the GooglePhone has some form of WiFi capabilities, I would expect it will have the split capability to use that network connectivity, also.

...but here's the rub.  Google makes its dough from serving Ads.  What do you think will subsidize the on-going operation and assumed "low cost" consumer service for the GooglePhone?

Yup.  Ads.

So, in between your call to Aunt Sally (or perhaps before, during or after) you'll get an Ad popping up on your phone for sales on Geritol.  An SMS will be sent to your GooglePhone which will be placed in your GoogleMail inbox.  It'll then pop up GoogleMaps directing you to the closest store.  When you get to the store, you can search directly for the Geritol product you want by comparing it to pictures provided by Google Photos and interact in realtime with a pharmacist using Google Talk whereupon you'll be able to pay for said products with Google Checkout.

All. From. Your. GooglePhone.

All driven, end-to-end, through GoogleNet.  Revenue is shared throughout the entire transaction and supply chain driven from that one little ad.

Think I'm nuts?

/Hoff

A Play on Negroponte's OLPC. I present "OHPC" - One Honeypot per Computer...

I was catching up with an old friend the other day, and in chatting with Lance Spitzner, we got to talking about virtualization and Honeypots.  Lance, as you no doubt already know, is one of the ringleaders of the Honeynet Project whose charter is the following:

The Honeynet Project is a non-profit (501c3) volunteer, research organization dedicated to improving the security of the Internet at no cost to the public.  All of our work is released as and we are firmly committed to the ideals of OpenSource.  Our goal, simply put, is to make a difference.  We accomplish this goal in the following three ways.


Awareness
We raise awareness of the threats and vulnerabilities that exist in the Internet today.  Many individuals and organizations do not realize they are a target, nor understand who is attacking them, how, or why.  We provide this information so people can better understand they are a target, and understand the basic measures they can take to mitigate these threats. This information is provided through our Know Your Enemy series of papers.

Information
For those who are already aware and concerned, we provide details to better secure and defend your resources. Historically, information about attackers has been limited to the tools they use. We provide critical additional information, such as their motives in attacking, how they communicate, when they attack systems and their actions after compromising a system.  We provide this service through our Know Your Enemy whitepapers and our Scan of the Month challenges.

Tools
For organizations interested in continuing their own research about cyber threats, we provide the tools and techniques we have developed.  We provide these through our Tools Site.

Look for an upcoming Take5 Interview with Lance shortly.

We were chatting about the application of Honeypots within a virtualized environment and how, for detection purposes, one might integrate them into virtual environments.  Lance brought up the point that the Honeynet Project already talks about the deployment of virtualized Honeypots and the excellent new book by Provos and Holz titled "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" talks about utilizing virtualization and HN's.

I clarified that what I meant was actually integrating a HoneyPot running in a VM on a production host as part of a standardized deployment model for virtualized environments.  I suggested that this would integrate into the data collection and analysis models the same way as a "regular" physical HoneyPot machine, but could utilize some of the capabilities built into the VMM/HV's vSwitch to effectively virtualize a single HoneyPot across an entire collection of VMs on a single physical host.

He seemed intrigued by this slightly different perspective.

We've seen some pretty interesting discussions both pro and con for production Honeypots in the last couple of weeks.  First there was this excellent write up by InfoWorld's Roger Grimes which prompted an "operational yeah, but..." from LonerVamp's blog.

So, with the hopes that this will actually turn into a discussion, Lance said he was going to bring this up internally within the HN Project forums, but I wanted to raise it here.

I'd be very interested in discussing how folks perceive the notion of OHPC and whether you'd consider deploying one as a VM on each production virtualized host machine you put into production.  If so, why?  If not, why not?
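The OHPC idea is that a honeypot VM sitting next to production VMs on the same host has no legitimate callers, so every touch is an alert worth feeding into the same collection pipeline the physical honeypots use. As an added example (my own illustration, not code from the Honeynet Project or from the post), here is a minimal low-interaction listener that accepts any TCP connection, records who connected and the first bytes sent, never answers, and emits each touch as a JSON line tagged with the production host it lives on. The host identifier `esx-host-01-hypothetical`, the loopback probe in `demo()` and the probe payload are all constructed for the demonstration.

```python
import json
import queue
import socket
import socketserver
import threading
import time


def make_event(host_id, client_address, dst_port, first_bytes):
    """Build the structured alert one honeypot touch produces.

    Any connection to a honeypot is suspicious by definition, so the record
    carries what the collector needs to pivot on: which production host owns
    this honeypot VM, who connected, which port, and the opening bytes sent.
    """
    src_ip, src_port = client_address[:2]
    return {
        "kind": "honeypot_touch",
        "host_id": host_id,
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "ts": time.time(),
        "first_bytes_hex": first_bytes.hex(),
    }


class _TouchHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            first = self.request.recv(256)  # capture the opening bytes only; reply with nothing
        except socket.timeout:
            first = b""
        event = make_event(self.server.host_id, self.client_address,
                           self.server.server_address[1], first)
        self.server.events.put(event)
        self.server.sink(json.dumps(event))


class HoneypotListener(socketserver.ThreadingTCPServer):
    """One listening port that logs every connection as an alert and never answers."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host_id, bind=("127.0.0.1", 0), sink=print):
        super().__init__(bind, _TouchHandler)
        self.host_id = host_id       # the production host this honeypot VM lives on (assumed label)
        self.sink = sink             # where JSON alert lines go: stdout, syslog, a collector
        self.events = queue.Queue()  # in-process copy, handy for tests and local triage

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address[1]  # the port actually bound (0 asks the OS for a free one)

    def stop(self):
        self.shutdown()
        self.server_close()


def demo():
    """Start a listener, touch it once from this machine, and return the alert it raised."""
    hp = HoneypotListener("esx-host-01-hypothetical", sink=lambda line: None)
    port = hp.start()
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed probe, the kind a web scanner sends
    event = hp.events.get(timeout=5)
    hp.stop()
    return event


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the listener would bind the honeypot VM's addresses on the ports the neighbouring production VMs expose, and `sink` would ship lines to whatever the physical honeypots already report into; the point is that the per-host tag turns "something touched a honeypot" into "something on host X's segment is probing laterally", which is the detection value the post is after.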

/Hoff

How To Begin Discussing the Virtualization Threat/Vulnerability Landscape: Proactive Approaches to Managing Emerging Risk?

It's no doubt apparent that trafficking in the ideas and concepts surrounding both virtualized security and securing virtualized environments really honks my horn.  I've been writing about it a lot lately, and it's starting to garner some very interesting amounts of attention from lots of different sources.

One of those sources sent me an email after reading some of my ramblings and framed a discussion point that I was writing about anyway, so I thought it a perfect opportunity to discuss it.

Specifically, when a disruptive emerging technology bursts onto the scene with many of the threats and vulnerabilities associated with said technology being mostly theoretical, conceptual and virtual in nature, how does one have a very real conversation with management regarding what should be done proactively to (and please forgive me both ISS and ISS-naysayers) "get ahead of the threat."

That is, how do you start talking about the need to assess and make actionable, if possible, the things necessary to secure such an impacting technology?  One of my readers, who asked not to be identified when I quoted him, summed this up quite nicely, I think:

"I really enjoy your blog posts about virtualization security, since it's a challenge I'm dealing with right now. The real problem I'm finding is explaining the security issues to people who don't get security in general, and double-don't-get-it in the context of virtualization.

The two points I really try to get across are:

1. the fact that there aren't any common, well-known attacks specific to virtualization in the wild (guest hopping etc) is not a good thing, it's a BAD thing; they're coming!

2. a virtual server is like a little mini-network where essentially none of our existing security measures apply (I guess I'm mostly thinking of IDS here)

Am I hitting the right points, do you think? Where else can I go with this, since the "threat" is pretty much "I don't know but something someday?"

My response is straightforward.   I think that he's dead-on inasmuch as explaining virtualization and the risks associated with it is difficult, mostly because the "threats" are today mostly theoretical and the surface area for attack -- or the vulnerabilities for that matter -- just aren't perceived as being there.

So the normal thing to do is just suggest that what we have will be applied to solve the "same" problems in the virtualized context and we'll deal with the virtualization-specific threats and vulnerabilities when they become more "real." <sigh>

We can shout to the treetops about what is coming, but people don't generally invest in security proactively because in many cases we seem to have accepted that the war is lost and we're just looking to win a battle every once in a while.  <sigh^2>

It doesn't help that we're trying to build business cases to start thinking about investing in securing virtualized environments when the threats and vulnerabilities are so esoteric and by manner of omission executives are basically told that security is something they do not need to focus on any differently in their virtualization deployments.

So I only have a few suggestions for now:

  1. I'd use my preso. to help lubricate the conversation a little; it sums most of this up nicely
  2. Don't make the mistake of suggesting the sky is falling -- it may be, but that's not going to get you timeshare or share of wallet
  3. In this nascent market, we have to communicate the potential exposure and elevated risk in the language of and terms associated with business; why should you spend time and money on this versus, say, patch management?
  4. You better have an answer to this one: "Virtualization is going to save us money, now you want to spend more to secure it!?"
  5. Abstract the discussion related to investment in terms of pushing vendors in your portfolio (by spending time/money) on making sure they will have something to offer you when you need it and start assessing your business and IT plans to see how they align to policy today
  6. Start to build what will be the best practices for what your virtualized environments ought to look like with what you know now, BEFORE you start having to put them into production next week
  7. Talk with your auditors -- make them your allies.  Ask them how they expect to audit and assess your virtual environments (be careful what you ask for, however)
  8. Use what you have; you're going to have to for a while anyway.
  9. Start testing now; demonstrate empirically how existing compensating controls will/will not satisfy your security policies in a virtualized construct
  10. Keep calm.  By the time we get around to cleaning this mess up, we'll have another pile right around the corner.  This is a continuum, remember?  Same crap, different decade. At least we have twitter and facebook now.

In closing, and without sounding like a clucking chicken, check out this summary of a recent vulnerability disclosure on how to run arbitrary code on a VMware GuestOS thanks to a "feature" in VMware's scripting automation API. Dennis Fisher over at SearchSecurity did a nice write-up about Mark Burnett's recent discovery:

The folks at VMware have been in the news quite a bit of late, thanks to their big IPO and their discreet acquisition of Determina a couple of weeks ago. Now, the company’s core virtualization product is getting some attention, but not the kind company executives will like. Mark Burnett, an independent security consultant and author, recently posted a long description of a vulnerability in VMware’s scripting automation API that he found.

The vulnerability comes down to this: The API allows any script on the host machine to execute code and take other actions on any virtual machine that’s running on the PC, without requiring any credentials on the guest operating system. This presents a number of problems, as Burnett points out:

The problem is that a malicious script running within the context of a regular user on my desktop can run administrator-level scripts on any guest I am currently logged in to. Using Ctrl+Alt+Del to lock the desktop of those machines does not prevent VIX from executing commands on the guest. Even if I log out of each guest machine the malware can just queue the command to run the next time I log in at the console of the guest OS.

However, this is in fact a feature that the VMware developers intentionally included. VMware told Burnett that, in essence, anyone who can access the virtual machine APIs on a machine can access the virtual hard disks anyway and would be able to attack the PC from that direction. But it seems to me that Burnett is on to something here. Sure, there are plenty of other methods for attacking virtual machines, but that doesn’t mean this should be ignored.

Burnett also has found a way to mitigate the problem by adding a switch to the VMX config file.

This will be the first of many, of that you can be sure.  Without flapping your feathers, however, you can use something like this to start having discussions in a calm, rational manner...before you have to go reconfigure or patch your global virtualized server farms, that is...
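The write-up above ends with a mitigation applied in the VMX config file, and item 9 in the list above is about demonstrating empirically where your controls stand. As an added example (not code from the post, from Burnett, or from VMware), here is a small VMX auditor that parses the `key = "value"` format, reports which guests lack a required setting or have it set wrong, and rewrites the file so the setting is present. The post does not name the switch; the key `guest.commands.enabled = "FALSE"` used as the default here is assumed from VMware's configuration documentation for disabling VIX guest operations and should be verified against the documentation for your version. The sample VMX text is constructed.

```python
import re

# One VMX line: key = "value" (quotes are usual but not required). Keys are treated
# case-insensitively here; that is an assumption about how the product reads them.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?(.*?)"?\s*$')

# The switch the post refers to is assumed to be this key (verify for your version).
REQUIRED = {"guest.commands.enabled": "FALSE"}

# Constructed sample .vmx content; not a real machine's configuration.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "6"
displayName = "dev-web-01 (constructed)"
guestOS = "winxppro"
ethernet0.present = "TRUE"
"""


def parse_vmx(text):
    """Return the VMX settings as a dict of lowercase key -> value (comments and blanks skipped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(text, required=REQUIRED):
    """Return (key, found_value_or_'missing', wanted_value) for every requirement not met."""
    settings = parse_vmx(text)
    findings = []
    for key, want in required.items():
        have = settings.get(key.lower())
        if have is None:
            findings.append((key, "missing", want))
        elif have.strip().upper() != want.upper():
            findings.append((key, have, want))
    return findings


def remediate_vmx(text, required=REQUIRED):
    """Return the VMX text with each required key set in place, appending any that are absent."""
    wanted = {k.lower(): (k, v) for k, v in required.items()}
    seen = set()
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            key = m.group(1).lower()
            out.append(f'{m.group(1)} = "{wanted[key][1]}"')
            seen.add(key)
        else:
            out.append(line)
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f'{name} = "{value}"')
    return "\n".join(out) + "\n"


def audit_fleet(vmx_by_name, required=REQUIRED):
    """Audit many VMX texts at once; returns {name: findings} for the guests that fail."""
    report = {}
    for name, text in vmx_by_name.items():
        findings = audit_vmx(text, required)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    print("before:", audit_vmx(SAMPLE_VMX))
    fixed = remediate_vmx(SAMPLE_VMX)
    print(fixed)
    print("after:", audit_vmx(fixed))
```

Run `audit_fleet` over the .vmx files of a server farm before rolling the setting out: the "before" report is the empirical evidence the post's item 9 asks for, and the "after" run confirms the change actually took on every guest rather than just the ones you remembered.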

/Hoff


August 27, 2007

HyperJackStacking? Layers of Chewy VMM Goodness -- the BLT of Security Models

So Mogull is back on the bench and I'm glad to see him blogging again.

As I type this, I'm listening to James Blunt's new single "1973" which is unfortunately where Rich's timing seems to be on this topic.  'Salright though.  Can't blame him.  He's been out scouting the minors for a while, so being late to practice is nothing to be too wound up about.

<If you can't tell, I'm being sarcastic.  I only wish that Rich was when he told me that his favorite TexMex place in his hometown is called the "Pink Taco."  That's all I'm going to say about that...>

The notion of the HyperJackStack (Hypervisor Jacking & Stacking) is actually a problem set that has been discussed at length, and in the continuum of these discussions it came up quite a while ago.

To put it bluntly, I believe the discussion -- for right or wrong -- stepped over this naughty little topic months ago in favor of working from the bottom up for the purpose of exposing fundamental architectural deficiencies (or at least their potential) in the core of virtualization technology.  This is an argument that parallels dissecting a BLT sandwich...you're approaching getting to the center of a symmetric stack, so which end you start at is almost irrelevant.

The good/bad VMM/HV problem has really been relegated to push-pin on the to-do board of all of the virtualization vendors and this particular problem has been framed by said vendors to be apparently solved first operationally from the management plane and THEN dealt with from the security perspective.

So Rich argues that after boning up on Joanna and Thom's research that they're arguing the wrong case completely for the dangers of virtualized rootkits.  Instead of worrying about undetectability of this or that -- pills and poultry be damned -- one should be focused on establishing the relative disposition of *any* VMM/Hypervisor running in/on a host:

Problem is, they’re looking at the wrong problem. I will easily concede that detecting virtualization is always possible, but that’s not the real problem. Long-term virtualization will be normal, not an exception, so detecting if you’re virtualized won’t buy you anything. The bigger problem is detecting a malicious hypervisor, either the main hypervisor or maybe some wacky new malicious hypervisor layered on top of the trusted hypervisor.

To Rich's credit, I think that this is a huge problem and one that deserves to be solved.  That does not mean that I think one is the "right" versus "wrong" problem to solve, however.  Nor does it mean this hasn't been discussed.  I've talked about it many times already.  Maybe not as eloquently...

The flexibility of virtualization is what provides the surface expansion of vectors for threat; you can spin up, move or kill a VM across an enterprise with a point-click.  So the first thing to do before trying to determine if a VMM/HV is malicious is to detect its presence and layering in the first place...this is where Thom/Joanna's research really does make sense.

You're approaching this from a different direction, is all.

Thom responded here, and I have to agree with his overall posture: the notion of putting hooks into the VMM/HV to allow for "external" detection mechanisms solely for the sake of VMM/HV rootkit detection is unlikely given the threat.  But we are already witness to the engineered capacities to allow for "plug-ins" such as Blue Lane's that function "along side" the HV/VMM, and there's nothing saying one couldn't adapt a similar function for this sort of detection (and/or prevention) as a value-add.

Ultimately though, I think that the point of response boils down to the definition of the mechanisms used in the detection of a malicious VMM/HV.  I ask you Rich, please define a "malicious" VMM/HV from one steeped in goodness. 

This sounds like in practice, it will come down to yet another iteration of the signature-driven IPS circle jerk to fingerprint/profile disposition.  We'll no doubt see anomaly and behavioral analysis used here, and then we'll have hashing, memory firewalls, etc...it's going to be the Hamster Wheel all over again.  For the same reason we have trouble with validating security and compliance state for anything more than the cursory checks @ 30K feet today, you'll face the same issue with virtualization -- only worse.

I've got one for you...how about escaping from the entire VM "jail" entirely...Ed Skoudis over @ IntelGuardians just did an interview with the PaulDotCom boys on this topic...

I believe one must start from the bottom and work up; they're trying to make up for the fact that this stuff wasn't properly thought through in this iteration and are trying to expose the issue now. In fact, look at what Intel just announced today with vPro:

New in this product is Intel Trusted Execution Technology (Intel TXT, formerly codenamed LaGrande). Intel TXT protects data within virtualized computing environments, an important feature as IT managers are considering the adoption of new virtualization-enabled computer uses. Used in conjunction with a new generation of the company's virtualization technology - Intel Virtualization Technology for Directed I/O - Intel TXT ensures that virtual machine monitors are less vulnerable to attacks that cannot be detected by today's conventional software-security solutions. By isolating assigned memory through this hardware-based protection, it keeps data in each virtual partition protected from unauthorized access from software in another partition.

So no, Ptacek and Joanna aren't fighting the "wrong" battle, they're just fighting one that garners much more attention, notoriety, and terms like "HyperJackStack" than the one you're singling out.  ;)

/Hoff

P.S. Please invest in a better setup for your blog...I can't trackback to you (you need Halo or something) and your comment system requires registration...bah!  Those G-Boys have you programmed... ;)

As Promised: ISO17799-Aligned Set of IT/Information Security P&P's - Great Rational Starter Kit for a Security Program

Per my offer last week, I received a positive response to my query asking if folks might find useful a set of well-written policy and procedures that were aligned to ISO17799.  I said that I would do the sanitizing work and release them if I got a fair response.

I did and here they are.  This is in Microsoft Word Format.  534 KB.

My only caveat for those who download and use these is: please don't sell them or otherwise engage in commercial activity based upon this work.

I'm releasing it into the wild because I want to help make people's lives easier and if these P&P's can help make your environment more secure in the long term, great.  I don't want anything in return except perhaps that someone else will do something similar.

I must admit that I alluded to a lot of time, sweat and tears that *I* contributed to this document.  To be fair and honest in full disclosure, I did not create the majority of this work; it's based upon prior art from multiple past lives, and most of it isn't mine exclusively.

As a level-set reminder:

The P&P's are a complete package that outline at a high-level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you'd need to address most elements of a well-stocked security pantry.

You can use this "English" high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.

All you need to do is modify the header/footer with your company's logo & information and do a search/replace for [COMPANY] with your own, and you've got a fantastic template to start building from or add onto another framework with.

Please let me know if this is worthwhile and helped you.  I could do all sorts of log tracking to see how many times it's downloaded, etc., but if you found it helpful (even if you just stash it away for a rainy day) do let me know in the comments, please.

I also have a really good Incident Response Plan that I consolidated from many inputs; that one's been put through at least one incident horizon and I lived to tell about it.

Regards,

/Hoff

August 26, 2007

Worried About Virtualization & Security? InfoWorld's "Virtualization Executive Forum" Isn't...

On September 24-25th, InfoWorld will host their Virtualization Executive Forum in NYC which promises "...two days of technical breakout sessions, case studies and industry expertise on server, desktop, application, storage and file virtualization technologies."

Here's the overview:

Designed for those who are evaluating where to begin and for those already implementing virtualization technologies, InfoWorld's Virtualization Executive Forum features:

  • Analyst perspectives on innovative uses of virtualization adoption rates and trends, and policy-based datacenter automation
  • In-depth sessions examining Virtual Machines and Security, Open Source Virtualization, Business Continuity/Disaster Recovery, and more.
  • Industry Keynotes from IT end users addressing the challenges, pitfalls, results, and benefits of their implementations
  • A spotlight on Green IT practices and its potential for cost savings and reducing power and cooling needs in large datacenters.

In addition to the in-depth case studies and industry panels you have come to expect from InfoWorld's Executive Forums, this fourth edition has added another key ingredient to the mix: more opportunities for you and your peers to  collaborate and share experiences.

For an "executive forum" they have an interesting split-track breakout agenda; one track features case studies and the other focuses on technical presentations and panels.

Here's the rub, did you notice that the word "security" appears only twice in the entire agenda, once in the keynote address and once more in a case-study breakout session on day two regarding applications of virtualization.  While I recognize that this is supposedly targeted at "executives," let's take a look at the technical track breakout topics:

  • Vendor Crossfire: x86 Server Virtualization
  • Getting Started with Server Virtualization
  • Technical Track: Physical to Virtual Migration
  • Leveraging Virtualization for Information Availability and Business Continuity
  • Lessons from Big Iron: The Power of RISC UNIX Virtualization
  • Open Source Hypervisor: Zeroing in on Xen
  • VM Management and Monitoring
  • Scaling Virtual Infrastructure

Not a mention of security in the bunch.  This is asinine. If you're at all curious as to why security is an after-thought in emerging markets, look no further than this sort of behavior. 

...and don't just tell me that security is "assumed."

If the executives who attend this two day forum walk away with a head full of fun new ideas and cautionary tales regarding virtualization and the closest thing to security they got was the valet guarding the doughnuts during the break, don't anybody get surprised in 18 months when the house of cards comes tumbling down.

InfoWorld, what the hell!?  How about ONE session -- even a panel -- titled something as simple as "Virtualization and Security - A Discussion You Need to Have."

In fact, you're welcome to at least just print out my presentation from a couple of days ago and give it to your attendees.  At least they'll walk away with something relating to security and virtualization.  850+ people from my blog already have more information on security and virtualization *for free* than is being presented at the forum.

Listen, I feel so strongly about this that I'll speak for free on the topic -- I'll pay my own hotel, airfare, etc...and you can keep the doughnuts during the break.

By the way, I find it deliciously ironic that when I clicked on the "Visit Virtualization Portal" link in the above graphic, I was greeted by this little gem:

Iwvirtoverflow

I'm sure this is probably running on a "real" server.  A virtualized instance would never have this sort of problem, right? ;)

/Hoff

August 25, 2007

Harvard Business Review: Excellent Data Breach Case Study...

I read the Harvard Business Review frequently and find that the quality of writing and insight it provides is excellent.  This month's (September 2007) edition is no exception as it features a timely data breach case study written by Eric McNulty titled "Boss, I Think Someone Stole Our Customer Data."

The format of the HBR case studies is well framed because they ultimately ask you, the reader, to conclude what you would do in the situation and provide many -- often diametrically opposed -- opinions from industry experts.

This month's commentators were Bill Boni (CISO, Motorola), James E. Lee (SVP, ChoicePoint), John Coghlan (former President & CEO of Visa), and Jay Foley (Executive Director of the Identity Theft Resource Center).

The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states.  The premise of the fictitious data breach focuses on the manner in which Flayton Electronics decides what to do, how to interact with LEO, and how/if to communicate the alleged data breach consisting of potentially thousands of their customers' credit cards. 

What I liked about the article are the classic quote gems that highlight the absolute temporal absurdity of PCI compliance and the false sense of security it provides to the management of companies -- especially in response to a breach.

You know, "We're compliant, thus we're secure, ergo we're at less risk."

Now, I'm not suggesting that compliance initiatives don't make things "better," in some sense, but they don't necessarily make a company more "secure."  I think the case study demonstrates that well enough and the readership of this blog certainly doesn't need to be convinced.

So, why write about it then?  The quote snippets below illustrate reality -- sometimes hysterically.  You'll have to read the entire story to gain true context and to appreciate the angst this sort of thing brings, but I chuckled a couple of times when reading these quotes:

“What’s our potential exposure?” Brett inquired matter-of-factly. Quietly he wondered whether the firm’s PCI compliance would provide sufficient protection.

“Why do we have to notify customers at all?” Brett asked, genuinely puzzled. “Haven’t the banks already informed them that their accounts have been compromised?”

“What about some kind of coincidence?” Brett was grasping at straws. “Perhaps 1,500 of our customers just had the same bad luck?”

“We’re still trying to determine what happened,” the CIO offered meekly.

“But we are sure that our PCI systems were working, right?” Brett pushed.

“Becoming PCI compliant is complicated,” Sergei hedged, “especially when you’re constantly improving your own technology.” He ran through a laundry list of the complexities of recent improvements. At any given moment, Sergei had three or four high-priority tech projects in various stages of implementation. It was a constant juggling act.

Brett, in a rare display of anger, pounded his fist on Sergei’s desk. “Are you saying, Sergei, that we’re not actually PCI compliant?”

Sergei stiffened. “We meet about 75% or so of the PCI requirements. That’s better than average for retailers of our size.” The response was defensive but honest.

“How have we been able to get away with that?” Brett growled. He knew that PCI compliance, which was mandated by all the major credit card companies, required regular scans by an outside auditor to ensure that a company’s systems were working—with stiff penalties for failure.

“They don’t scan us every day,” Sergei demurred. “Compliance really is up to us, to me, in the end.”

Sergei reported finding a hole—a disabled firewall that was supposed to be part of the wireless inventory-control system, which used real-time data from each transaction to trigger replenishment from the distribution center and automate reorders from suppliers.

“How did the firewall get down in the first place?” Laurie snapped.

“Impossible to say,” said Sergei resolutely. “It could have been deliberate or accidental. The system is relatively new, so we’ve had things turned off and on at various times as we’ve worked out the bugs. It was crashing a lot for a while. Firewalls can often be problematic.”

Sounds like a typical Monday morning staff meeting to me...I think you could be a fly on the wall in many mid-size (or large, for that matter) companies and hear this same set of quotes -- regardless of how many millions of dollars the company may have spent on compliance initiatives.  It is indeed sad to see how many of these folks don't realize that "compliance" is merely the floor, not the ceiling.  <sigh>

If you pay close attention to the dynamics of the management team within the story, you'll bear witness to all seven distinct stages of the data breach grieving process:

  • Shock or Disbelief
  • Denial
  • Bargaining
  • Guilt
  • Anger
  • Depression
  • Acceptance and Hope

I'm not really aiming for a punchline here, but I will suggest that you read the entire story to appreciate the tale in the grandest of its context.  The commentary from the industry experts is also very interesting...

/Hoff

P.S. I think it's very cool that HBR allows you to access these stories without paying or registering and allows one to use up to 500 words on blogs and the like for the non-commercial purpose of summarizing the story.  Nice policy. 

August 24, 2007

I Know It's Been 4 Months Since I Said it, but "NO! DLP is (Still) NOT the Next Big Thing In Security!"

Nope.  Haven't changed my mind.  Sorry.  Harrington stirred it up and Chuvakin reminded me of it.

OK, so way back in April, on the cusp of one of my normal rages against the (security) machine, I blogged how Data Leakage Protection (DLP) is doomed to be a feature and not a market.

I said the same thing about NAC, too.  Makin' friends and influencin' people.  That's me!

Oh my, how the emails flew from the VP's of Marketing & Sales from the various "Flying V's" (see below).  Good times, good times.

Here's snippets of what I said:

Besides having the single largest collection of vendors that begin with the letter 'V' in one segment of the security space (Vontu, Vericept, Verdasys, Vormetric...what the hell!?) it's interesting to see how quickly content monitoring and protection functionality is approaching the inflection point of market versus feature definition.

The "evolution" of the security market marches on.

Known by many names, what I describe as content monitoring and protection (CMP) is also known as extrusion prevention, data leakage or intellectual property management toolsets.  I think for most, the anchor concept of digital rights management (DRM) within the Enterprise becomes the glue that makes CMP attractive and compelling; knowing what and where your data is and how its distribution needs to be controlled is critical.

The difficulty with this technology is that, just like any other feature, it needs a delivery mechanism.  Usually this means yet another appliance; one that's positioned either as close to the data as possible or right back at the perimeter in order to profile and control data based upon policy before it leaves the "inside" and goes "outside."

I made the point previously that I see this capability becoming a feature in a greater amalgam of functionality;  I see it becoming table stakes included in application delivery controllers, FW/IDP systems and the inevitable smoosh of WAF/XML/Database security gateways (which I think will also further combine with ADC's.)

I see CMP becoming part of UTM suites.  Soon.

That being said, the deeper we go to inspect content in order to make decisions in context, the more demanding the requirements for the applications and "appliances" that perform this functionality become. Making line speed decisions on content, in context, is going to be difficult to solve. 

CMP vendors are making a push seeing this writing on the wall, but it's sort of like IPS or FW or URL Filtering...it's going to smoosh.

Websense acquired PortAuthority.  McAfee acquired Onigma.  Cisco will buy...

I Never Metadata I Didn't Like...

I didn't even bother to go into the difficulty and differences in classifying, administering, controlling and auditing structured versus unstructured data, nor did I highlight the differences between those solutions on the market who seek to protect and manage information from leaking "out" (the classic perimeter model) versus management of all content ubiquitously regardless of source or destination.  Oh, then there's the whole encryption in motion, flight and rest thing...and metadata, can't forget that...

Yet I digress...let's get back to industry dynamics.  It seems that Uncle Art is bound and determined to make good on his statement that in three years there will be no stand-alone security companies left.  At this rate, he's going to buy them all himself!

As we no doubt already know, EMC acquired Tablus. Forrester seems to think this is the beginning of the end of DLP as we know it.  I'm not sure I'd attach *that* much gloom and doom to this specific singular transaction, but it certainly makes my point:

  August 20, 2007

EMC/RSA Drafts Tablus For Deeper Data-Centric Security
The Beginning Of The End Of The Standalone ILP Market

by Thomas Raschke
with Jonathan Penn, Bill Nagel, Caroline Hoekendijk

EXECUTIVE SUMMARY

EMC expects Tablus to play a key role in its information-centric security and storage lineup. Tablus' balanced information leak prevention (ILP) offering will benefit both sides of the EMC/RSA house, boosting the latter's run at the title of information and risk market leader. Tablus' data classification capabilities will broaden EMC's Infoscape beyond understanding unstructured data at rest; its structured approach to data detection and protection will provide a data-centric framework that will benefit RSA's security offerings like encryption and key management. While holding a lot of potential, this latest acquisition by one of the industry's heavyweights will require comprehensive integration efforts at both the technology and strategic level. It will also increase the pressure on other large security and systems management vendors to address their organization's information risk management pain points. More importantly, it will be remembered as the turning point that led to the demise of the standalone ILP market as we know it today.

So Mogull will probably (still) disagree, as will the VP's of Marketing/Sales working for the Flying-V's who will no doubt barrage me with email again, but it's inevitable.  Besides, when an analyst firm agrees with you, you can't be wrong, right Rich!?

/Hoff


August 22, 2007

Anyone interested in an ISO17799-Aligned Set of IT/Information Security P&P's - Great Rational Starter Kit for a Security Program!

I have spent a lot of time, sweat and tears in prior lives chipping away at building a template set of IT/Information Security policies and procedures that were aligned to (and audited against) various regulatory requirements and the 10 Domains/127 Controls of ISO17799.

This consolidated set of P&P's is intact and well written.  Actual business people have been able to read, understand and (gasp!) comply with them.  I know, "impossible!" you say.  Nay, 'tis rational is all...

As part of my effort to give back, I thought that many of you may be at a point where, while you have lots of P&P's specific to your business, not having to reinvent the wheel by drafting this sort of polished package yourself or paying someone to do it might be useful.

The P&P's are a complete package that outline at a high-level the basis of an ISO-aligned security program; you could basically search/replace and be good to go for what amounts to 99% of the basic security coverage you'd need to address most elements of a well-stocked security pantry.

You can use this "English" high-level summary set to point to indexed detailed P&P mechanics or standards that are specific to your organization.

Would this be of some use to you?  I would need to do some work to take care of some rough spots and sanitize the word doc, but if there is enough interest I'll do it and post it for whomsoever would like it.  Just to be clear, the P&P's are already written, I'll just make it SEARCH/REPLACE friendly.

I'm not trying to tease anyone, I just don't want to do the up-front work if nobody is interested.

Let me know in the comments; no need to leave website links (for obvious reasons) just let me know by your comment if this is something you'd like.  If I get enough demand, I'll "get her done!"

OK, good enough.  Thanks for the comments.  I'll post it up in the next few days.  Thanks guys.

/Hoff

Wells Fargo System "Crash" Spools Up Phishing Attempts But Did It Also Allow for Bypassing Credit/Debit Card Anti-Fraud Systems?

Serendipity is a wonderful thing.  I was in my local MA bank branch on Monday arranging for a wire transfer from my local account to a Wells Fargo account I maintain in CA.  I realized that I didn't have the special ABA Routing Code that WF uses for wire transfers so I hopped on the phone to call customer service to get it.  We don't use this account much at all but wanted to put some money in it to keep up the balance which negates the service fee.

The wait time for customer service was higher than normal and I sat for about 20 minutes until I was connected to a live operator.  I told him what I wanted and he was able to give me the routing code but I also needed the physical address of the branch that my account calls home.  He informed me that he couldn't give me that information.

The reason he couldn't give me that information was that the WF "...computer systems have been down for the last 18 hours."  He also told me that "...we lost a server somewhere; people couldn't even use their ATM cards yesterday."

This story was covered here on Computerworld and was followed up with another article which described how Phishers and the criminal element were spooling up their attacks to take advantage of this issue:

August 21, 2007   (IDG News Service)  -- Wells Fargo & Co. customers may have a hard time getting an up-to-date balance statement today, as the nation's fifth-largest bank continues to iron out service problems related to a Sunday computer failure.

The outage knocked the company's Internet, telephone and ATM banking services offline for several hours, and Wells Fargo customers continued to experience problems today.

Wells Fargo didn't offer many details about the system failure, but it was serious enough that the company had to restore from backup.

"Using our backup facilities, we restored Internet banking service in about one hour and 40 minutes," the company said in a statement today. "We thank the hundreds of team members in our technology group for working so hard to resolve this problem."

Other banking services such as point-of-sale transactions, loan processing and wire transfers were also affected by the outage, and while all systems are now fully operational, some customers may continue to see their Friday bank balances until the end of the day, Wells Fargo said.

I chuckled uneasily because I continue to be directly impacted by critical computer systems failures such as two airline failures (the United Airlines and the TSA/ICE failure at LAX), the Skype outage, and now this one.  I didn't get a chance to blog about it other than a comment on another blog, but if I were you, I'd not stand next to me in a lightning storm anytime soon!  I guess this is what happens when you're a convenient subscriber to World 2.0?

I'm sure WF will suggest this is because of Microsoft and Patch Tuesday, too... ;)

So I thought this would be the end of this little story (until the next time.)  However, the very next day, my wife came to me alarmed because she found a $375 charge on the same account as she was validating that the wire went through.

She asked me if I made a purchase on the WF account recently and I had not as we don't use this account much.  Then I asked her who the vendor was.  The charge was from Google.com.  Google.com?

Huh?  I asked her to show me the statement; there was no reference transaction number, no phone number and the purchase description was "general merchandise."

My wife immediately called WF anti-fraud and filed a fraudulent activity report.  The anti-fraud representative described the transaction as "odd" because there was no contact information available for the vendor.

She mentioned that she was able to see that the vendor executed both an auth. (testing to see that funds were available) followed by a capture (actually charging) but told us that unfortunately she couldn't get any more details because the computer systems were experiencing issues due to the recent outage!

This is highly suspicious to me.

Whilst the charge has been backed out, I am concerned that this is a little more than serendipity and coincidence. 

Were the WF anti-fraud and charge validation processes compromised during this "crash" and/or did their failure allow for fraudulent activity to occur?

Check your credit/debit card bills if you are a Wells Fargo customer!

/Hoff

August 21, 2007

Take5 (Episode #5) - Five Questions for Allwyn Sequeira, SVP of Product Operations, Blue Lane

This fifth episode of Take5 interviews Allwyn Sequeira, SVP of Product Operations for Blue Lane.  

First a little background on the victim:

Allwyn Sequeira is Senior Vice President of Product Operations at Blue Lane Technologies, responsible for managing the overall product life cycle, from concept through research, development and test, to delivery and support. He was previously the Senior Vice President of Technology and Operations at netVmg, an intelligent route control company acquired by InterNap in 2003, where he was responsible for the architecture, development and deployment of the industry-leading flow control platform. Prior to netVmg, he was founder, Chief Technology Officer and Executive Vice President of Products and Operations at First Virtual Corporation (FVC), a multi-service networking company that had a successful IPO in 1998. Prior to FVC, he was Director of the Network Management Business Unit at Ungermann-Bass, the first independent local area network company. Mr. Sequeira has previously served as a Director on the boards of FVC and netVmg.

Mr. Sequeira started his career as a software developer at HP in the Information Networks Division, working on the development of TCP/IP protocols. During the early 1980's, he worked on the CSNET project, an early realization of the Internet concept. Mr. Sequeira is a recognized expert in data networking, with twenty five years of experience in the industry, and has been a featured speaker at industry leading forums like Networld+Interop, Next Generation Networks, ISP Con and RSA Conference.

Mr. Sequeira holds a Bachelor of Technology degree in Computer Science from the Indian Institute of Technology, Bombay, and a Master of Science in Computer Science from the University of Wisconsin, Madison.   

Allwyn, despite all this good schoolin' forgot to send me a picture, so he gets what he deserves ;)
(Ed: Yes, those of you quick enough were smart enough to detect that the previous picture was of Brad Pitt and not Allwyn.  I apologize for the unnecessary froth-factor.)

Questions:

1) Blue Lane has two distinct product lines, VirtualShield and PatchPoint.  The former is a software-based solution which provides protection for VMware Infrastructure 3 virtual servers as an ESX VM plug-in whilst the latter offers a network appliance-based solution for physical servers.  How are these products different than either virtual switch IPS' like Virtual Iron or in-line network-based IPS's?

IPS technologies have been charged with the incredible mission of trying to protect everything from anything.  Overall they've done well, considering how much the perimeter of the network has changed and how sophisticated hackers have become. Much of their core technology, however, was relevant and useful when hackers could be easily identified by their signatures. As many have proclaimed, those days are coming to an end.

A defense department official recently quipped, "If you offer the same protection for your toothbrushes and your diamonds you are bound to lose fewer toothbrushes and more diamonds."  We think that data center security similarly demands specialized solutions.  The concept of an enterprise network has become so ambiguous when it comes to endpoints and devices and supply chain partners, etc. we think it's time to think more realistically in terms of trusted, yet highly available zones within the data center.

It seems clear at this point that different parts of the network need very different security capabilities.  Servers, for example need highly accurate solutions that do not block or impede good traffic and can correct bad traffic, especially when it comes to closing network-facing vulnerability windows.  They need to maintain availability with minimal latency for starters; and that has been a sort of Achilles heel for signature-based approaches.  Of course, signatures also bring considerable management burdens over and beyond their security capabilities.

No one is advocating turning off the IPS, but rather approaching servers with more specialized capabilities.  We started focusing on servers years ago and established very sophisticated application and protocol intelligence, which has allowed us to correct traffic inline without the noise, suspense and delay that general purpose network security appliance users have come to expect.

IPS solutions depend on deep packet inspection typically at the perimeter based on regexp pattern matching for exploits.  Emerging challenges with this approach have made alert and block modes absolutely necessary as most IPS solutions aren't accurate enough to be trusted in full library block. 

Blue Lane uses a vastly different approach.  We call it deep flow inspection/correction for known server vulnerabilities based on stateful decoding up to layer 7.  We can alert, block and correct, but most of our deployments are in correct mode, with our full capabilities enabled. From an operational standpoint we have substantially different impacts.

A typical IPS may have 10K signatures while experts recommend turning on just a few hundred.  That kind of marketing shell game (find out what really works) means that there will be plenty of false alarms, false positives and negatives and plenty of tuning.  With polymorphic attacks signature libraries can increase exponentially while not delivering meaningful improvements in protection. 

Blue Lane supports about 1000 inline security patches across dozens of very specific server vulnerabilities, applications and operating systems.  We generate very few false alarms and minimal latency.  We don't require ANY tuning.  Our customers run our solution in automated, correct mode.

The traditional static signature IPS category has evolved into an ASIC war between some very capable players for the reasons we just discussed. Exploding variations of exploits and vectors means that exploit-centric approaches will require more processing power.

Virtualization is pulling the data center into an entirely different direction, driven by commodity processors.  So of course our VirtualShield solution was a much cleaner setup with a hypervisor; we can plug into the hypervisor layer and run on top of existing hardware, again with minimal latency and footprint.

You don't have to be a Metasploit genius to evade IPS signatures.  Our higher layer 7 stateful decoding is much more resilient. 

2) With zero-days on the rise, pay-for-play vulnerability research and now Zero-Bay (WabiSabiLabi) vulnerability auctions and the like, do you see an uptake in customer demand for vulnerability shielding solutions?

Exploit-signature technologies are meaningless in the face of evanescent, polymorphic threats, resulting in 0-day exploits. Slight modifications to signatures can bypass IPSes, even against known vulnerabilities.  Blue Lane technology provides 0-day protection for any variant of an exploit against known vulnerabilities.  No technology can provide ultimate protection against 0-day exploits based on 0-day vulnerabilities. However, this requires a different class of hacker.
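As an added illustration of the exploit-signature versus vulnerability-centric distinction drawn in the two answers above (this is example code written for this page, not Blue Lane's product logic or anything VirtualShield does internally): a hypothetical server bug in which an X-Session header longer than 256 bytes overruns a buffer, checked two ways. One check matches the filler bytes of one known sample, the other decodes the request and tests the vulnerable condition itself, then rewrites the header so the request can still be served. The bug, the header name, the 256-byte limit, the signature and every sample request are constructed for the demonstration.

```python
"""Exploit-signature matching versus vulnerability-centric checking.

Added example; not Blue Lane's code. The vulnerable server, its header,
the 256-byte limit, the signature and all sample requests are constructed.
"""
import re

# Hypothetical bug (constructed): the server copies the X-Session header
# into a 256-byte buffer without a bounds check.
MAX_SESSION_LEN = 256

# Exploit-centric signature: matches the filler bytes seen in one sample
# that triggers the hypothetical bug.
EXPLOIT_SIGNATURE = re.compile(rb"X-Session: AAAAAAAAAAAAAAAA")


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser returning the request line and a
    lower-cased header map. Raises ValueError on malformed input so a
    caller can treat 'could not decode' as its own verdict."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or len(lines[0].split(b" ")) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def signature_verdict(raw: bytes) -> str:
    """Exploit-centric: block only when the known byte pattern is present."""
    return "block" if EXPLOIT_SIGNATURE.search(raw) else "allow"


def vulnerability_verdict(raw: bytes) -> str:
    """Vulnerability-centric: decode the protocol and test the condition the
    bug depends on. Returns 'allow', 'correct' (oversized header, request is
    repairable) or 'block' (traffic that cannot be decoded at all)."""
    try:
        req = parse_request(raw)
    except ValueError:
        return "block"
    session = req["headers"].get(b"x-session", b"")
    return "correct" if len(session) > MAX_SESSION_LEN else "allow"


def correct_request(raw: bytes) -> bytes:
    """'Correct mode': truncate the oversized header to the limit and pass
    the rest of the request through unchanged."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    fixed = []
    for line in head.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"x-session":
            value = b" " + value.strip()[:MAX_SESSION_LEN]
        fixed.append(name + colon + value if colon else line)
    return b"\r\n".join(fixed) + sep + body


def compare(raw: bytes) -> dict:
    """Both verdicts side by side for one request."""
    return {"signature": signature_verdict(raw),
            "vulnerability": vulnerability_verdict(raw)}


# Constructed sample traffic: a benign request and two requests that both
# exceed the limit, differing only in which filler byte they use.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"
          b"X-Session: abc123\r\n\r\n")
OVERSIZED_A = (b"GET / HTTP/1.1\r\nHost: shop.example\r\nX-Session: "
               + b"A" * 300 + b"\r\n\r\n")
OVERSIZED_B = (b"GET / HTTP/1.1\r\nHost: shop.example\r\nX-Session: "
               + b"B" * 300 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized A", OVERSIZED_A),
                          ("oversized B", OVERSIZED_B)):
        print(label, compare(sample))
    print("after correction:", vulnerability_verdict(correct_request(OVERSIZED_B)))
```

The signature check and the vulnerability check agree on the benign request and on the first oversized one; they disagree on the second, which exceeds the same limit but carries none of the signature's bytes. That gap is the page's point about variants of an exploit against a known vulnerability, and it is why the second check keys on the decoded field length rather than on any particular payload. The `block` verdict for undecodable input is deliberate: a checker that cannot decode the flow has no basis for a `correct` or `allow`.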

3) As large companies start to put their virtualization strategies in play, how do you see customers addressing securing their virtualized infrastructure?  Do they try to adapt existing layered security methodologies and where do these fall down in a virtualized world?

I've explored this topic in depth at the Next Generation Data Center conference last week. Also, your readers might be interested in listening to a recent podcast: The Myths and Realities of Virtualization Security: An Interview. 

To summarize, there are a few things that change with virtualization, that folks need to be aware of.  It represents a new architecture.  The hypervisor layer represents the un-tethering and clustering of VMs, and centralized control.  It introduces a new virtual network layer.  There are entirely new states of servers, not anticipated by traditional static security approaches (like instant create, destroy, clone, suspend, snapshot and revert to snapshot). 

Then you'll see unprecedented levels of mobility and new virtual appliances and black boxing of complex stacks including embedded databases.  Organizations will have to work out who is responsible for securing this very fluid environment.  We'll also see unprecedented scalability with Infiniband cores attaching LAN/SAN out to 100's of ESX hypervisors and thousands of VMs.

Organizations will need the capability to shield these complex, fluid environments; because trying to keep track of individual VMs, states, patch levels, locations will make tuning an IPS for polymorphic attacks look like child's play in comparison.   Effective solutions will need to be highly accurate, low latency solutions deployed in correct mode. Gone will be the days of man-to-man blocking and tuning.  Here to stay are the days of zone defense.
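An added example for the lifecycle-state point in the answer above (written for this page; it is not Blue Lane's or VMware's code): replaying a constructed stream of hypervisor events to find VMs whose patch state regressed through a snapshot revert or was inherited by a clone, and comparing that with what a plain record of the last patch applied would say. Event names, VM names, patch levels and the baseline are all constructed for the demonstration.

```python
"""Replaying VM lifecycle events to find patch-state regressions.

Added example; not Blue Lane's or VMware's code. Event schema, VM names,
patch levels and the baseline are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class VMState:
    patch_level: int = 0
    power: str = "off"                     # on | off | suspended
    snapshots: dict = field(default_factory=dict)  # name -> patch level at snapshot time


def apply_event(fleet: dict, event: dict) -> None:
    """Update the fleet model with one hypervisor event (constructed schema)."""
    kind, vm = event["event"], event["vm"]
    if kind == "create":
        fleet[vm] = VMState(patch_level=event.get("patch_level", 0), power="on")
    elif kind == "clone":
        # A clone starts with the source's patch level AND its snapshots.
        src = fleet[event["source"]]
        fleet[vm] = VMState(src.patch_level, "on", dict(src.snapshots))
    elif kind == "patch":
        fleet[vm].patch_level = event["patch_level"]
    elif kind == "snapshot":
        fleet[vm].snapshots[event["name"]] = fleet[vm].patch_level
    elif kind == "revert":
        # Reverting silently returns the VM to the patch level it had then.
        fleet[vm].patch_level = fleet[vm].snapshots[event["name"]]
    elif kind == "suspend":
        fleet[vm].power = "suspended"
    elif kind == "resume":
        fleet[vm].power = "on"
    elif kind == "destroy":
        del fleet[vm]
    else:
        raise ValueError(f"unknown event {kind!r}")


def replay(events, baseline: int) -> dict:
    """Replay all events and return the VMs (still existing) that sit below
    the required patch baseline, whatever their power state."""
    fleet: dict = {}
    for ev in events:
        apply_event(fleet, ev)
    return {name: st for name, st in fleet.items() if st.patch_level < baseline}


def exposed_vms(events, baseline: int) -> list:
    return sorted(replay(events, baseline))


def last_patch_view(events) -> dict:
    """What a static patch record shows: the last level applied per VM,
    with no notion of clones, reverts or destroys."""
    view = {}
    for ev in events:
        if ev["event"] in ("create", "patch"):
            view[ev["vm"]] = ev["patch_level"]
    return view


# Constructed event log: web01 is patched to 6 but then reverted to a
# pre-upgrade snapshot; web02 was cloned from web01 at level 5 and suspended.
EVENTS = [
    {"event": "create",   "vm": "web01", "patch_level": 3},
    {"event": "snapshot", "vm": "web01", "name": "pre-upgrade"},
    {"event": "patch",    "vm": "web01", "patch_level": 5},
    {"event": "clone",    "vm": "web02", "source": "web01"},
    {"event": "suspend",  "vm": "web02"},
    {"event": "patch",    "vm": "web01", "patch_level": 6},
    {"event": "create",   "vm": "db01",  "patch_level": 6},
    {"event": "revert",   "vm": "web01", "name": "pre-upgrade"},
    {"event": "create",   "vm": "tmp01", "patch_level": 2},
    {"event": "destroy",  "vm": "tmp01"},
]
BASELINE = 6

if __name__ == "__main__":
    print("static view:", last_patch_view(EVENTS))
    for name, st in replay(EVENTS, BASELINE).items():
        print(f"{name}: patch {st.patch_level} < {BASELINE}, power={st.power}")
```

The static view reports web01 at level 6 and never sees web02 at all, while the replay shows web01 back at level 3 after the revert and web02 suspended at level 5, ready to come back exposed on resume. The tracker has to consume every lifecycle event, not just patch events, which is the burden the answer above describes and the reason it argues for shielding the zone rather than chasing each instance.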

4) VMware just purchased Determina and intends to integrate their memory firewall IPS product as an ESX VM plug-in.  Given your early partnership with VMware, are you surprised by this move?  Doesn't this directly compete with the VirtualShield offering?

I wouldn't read too much into this. Determina hit the wall on sales, primarily because it's original memory wall techno