Rachel Ray Is A Terrorist, Sponsored By Osama Bin Doughnut...

Talk about your weapons of mass distortion!  As much as I detest Rachel Ray, her proclivity for abbreviating ingredient names, and her lack of actual mad chef skillz, this is absolutely retarded.

The Chicago Tribune reports that Dunkin' Donuts, for whom Ray is a spokesperson, has pulled an advertisement featuring her EVOO-ness because some nut job -- Michelle Malkin -- suggested that the scarf she was wearing in the commercial looked like a "jihadi (chic) keffiyeh" worn as traditional garb by Palestinians:

Dunkin' Donuts has canceled an online advertisement featuring celebrity chef Rachael Ray after complaints that a scarf she wore in the ad offers symbolic support for terrorism.

Dunkin' Donuts said Wednesday it pulled the ad over the weekend because of what it calls a "misperception" about the scarf that detracted from its original intent to promote its iced coffee.

Critics, including conservative commentator Michelle Malkin, complained that the scarf appeared to be traditional garb worn by Arab men. The ad's critics say such scarves have come to symbolize Muslim extremism and terrorism.

Malkin decided to describe Ray's choice of accessory as "hate couture."  Unbelievable.

Well, I guess I'll have to go back to drinking Starbucks since consuming DD iced coffees is obviously the equivalent of state-sponsored (or at least costumed) terrorism.

Land of the free, indeed...

/Hoff

"Revolutionary" VirtSec Startup Emerges From Stealth

If Barracuda attempting to gobble up SourceFire today wasn't interesting enough, check this out...

WALTHAM, Mass., May 30 /PRNewswire/ -- Hyperbole, Inc., the the pioneer and leader in virtualization security solutions today announced it has emerged from stealth mode and raised $14 million in a Series A funding which it will use to expand its R&D efforts and grow its sales and distribution teams.

Hyperbole's flagship product, HyperTension, provides a zero footprint and forensically tight paradigm-shift in the emerging virtualization security (VirtSec) market by automatically protecting all virtual infrastructure against known or unknown attacks without the need for expensive and clumsy IDS, firewall and IPS technology. 

With no agent software and no hardware requirements save for a specially-constructed tamper-proof USB device called the HyperDrive, HyperTension is able to secure any virtualization platform automatically within seconds and with no downtime required.

HyperTension provides an undetectable ring compression insertion technology that injects itself into memory space transparently and utilizes the flash memory space available in PCI cards present in the system to load, thereby not corrupting the main heap and rendering itself undetectable. 

Further, HyperTension will probe for the presence of parallelized graphics processing units (GPU) from leading graphics card providers and if found, will utilize them to provide the compute cycles necessary for operation thereby not impacting the on-board main CPU or cache, further lessening the impact of the solution running in virtualized environments. 

This allows for massive computation capabilities used to provide real-time memory-space attack detection functionality which can be manually or automatically adjusted using our patented HyperSensitivity comb filter technology.

Hyperbole's patented HyperVentilation technology utilizes quantum cryptography and open source algorithms to create "holes" in memory to dynamically encrypt/decrypt the entire memory space of a virtualized host and upon register access, leverage commodity TPM solutions to authenticate and decrypt memory on the fly when used in conjunction with any of Hyperbole's partner-supplied whitelisting solutions.

Once accessed, HyperTension automatically performs an ASLR operation for pointer obfuscation and then re-encrypts the memory space using a newly-generated quantum key derived from the unique properties of the hashed cache entries from the rotating cipher.

This provides unbreakable security since only authorized applications can attempt to gain access to HyperVentilated memory space which is also encrypted to prevent unauthorized access.

...

Speechless. 

/Hoff

Pushing Virtual Buttons...

My last couple of VirtSec posts have caused quite a stir in certain circles.

The "debate" between who "owns" VirtSec that originated as part of my response to Simon Crosby of Citrix regarding the same has been picked up and amplified on multiple fronts.

Greg Ness from BlueLane wrote a piece referencing it that was cross-posted on virtualization.com and that even made its way up to VC/investment blogs such as seekingalpha.com (Citrix vs. Chris Hoff ;) and has had my mobile ringing/vibrating itself off my desk over the last week or so.

It's hard to believe sometimes just how many people -- and who -- reads my steaming pile of blogginess.

The second post of interest was in regard to the provenance of VMware's VMsafe and my reflection on prior art (Livewire) by VMware's Rosenblum & Garfinkel which seems as though it could be the progenitor of the upcoming technology.

The very tail-end update of that post referenced another piece of research produced by Komoku based upon similar work focused on rootkit defense. As I pointed out, Komoku was recently acquired by Microsoft.

I added those comments deliberately as a parenthetical -- almost like a bookmark -- because what I intended to do next was directly compare and contrast the technology architectures and approaches of VMware, Citrix and Microsoft as it relates to security integration.

It seems a bunch of really bright folks caught onto that because a slew of links (such as this one) followed -- driven mostly by Alessandro's (virtualization.info) post titled "Is Microsoft Working On VMsafe-like Framework"

I think that's an excellent question ;)

It's pretty clear where Citrix's CTO stands on the matter -- as flawed as I see his shortsighted market approach (note I didn't say *technical approach*) -- but Microsoft stands to gain an interesting foothold in regards to security should they play this game correctly.

I found it interesting that others are starting to recognize that the virtualization battle isn't going to be won by a shoot-out and the hypervisor-version of the OK corral. It's the effectiveness of the ecosystem and the ability for the channel to serve it up and the customers to implement it.

People are sick of sweeping up the decaying corpses of good technical solutions that suck in terms of integration, implementation, operationalization and accountable support -- especially when they have to keep paying for it. Ah the "best-in-breed" versus "good-enough" debate again?

Not to further pick on Citrix (or Xen specifically) but here's a great post from Schley Andrew Kutz from the searchservervirtualization.com blog titled "Xen: An endangered species in the virtualization ecosystem?":

While Citrix Systems’ Xen’s ubiquity may help the technology earn a legacy as the invisible hypervisor, it may also prove the most challenging next step for IT administrators and developers who want to find or develop software that leverages, supports or extends the Xen hypervisor.

...

While ultimately it may not prove difficult to develop cutting-edge technology compatible with the Xen hypervisor, it may prove so to market it. If you are in the business of selling virtualization add-on products, you want to ensure that your product is compatible with VMware Infrastructure, because that is where the sales are.

...

As Xen’s legacy may be to become the ubiquitous, embedded hypervisor for all to use, its strength may also be its greatest detriment to Xen-based virtualization platforms. Xen’s strength is its practical application as the invisible, reused, resold, embedded hypervisor, but invisibility just hasn’t worked in Citrix’s favor. Instead, it shields partners from building ecosystems around Xen and has marginalized the brand name.

Amen to that.

Take heed, Citrix. I maintain your CTO is blinded by what can only be described as a denial of market realities and an undying (arrogant) allegiance to what some might consider to be an architecturally superior product on some fronts, but a lacking solution on many others.

Securing the hypervisor is definitely important. However, securing both the hypervisor and the assets that sit on top of it by providing the most extensible, effective and manageable means of doing so is really what's important to customers. Sometimes, it has to be about more than where you came from. Sometimes it's about where you're going.

I'll be finishing up my post on where I think Microsoft ought to go shortly.

/Hoff

The Ghost Of Future's Past: VirtSec Innovation Circa 2002

One of the things I try to do when looking forward for inspiration in solving problems is to ensure that I spend enough time looking back to gain perspective.  I've been thinking a lot about models for virtualization security lately.

As I surveyed the options (or lack thereof) splayed about before me in terms of deployment options and available technology to solve some of the problems I've been researching, I was struck by what I can only describe as a ghost of future's past. 

It shouldn't really surprise me like it does, but I always giggle when reminded of my own favorite saying: "Security is like bellbottoms -- every 20 years or so, the same funny-looking kit comes back into style."

As it is with jeans, it is with security solutions.

I dredged up some of my collected research from moon's ago on the topic and dusted off a PDF that I had completely forgotten about as I was trying to piece together some vague semblance of something that strangely reminded me of VMware's VMsafe.

I cracked a gigantic smile when I saw the authors -- Tal Garfinkel and some guy named Mendel Rosenblum (now co-founder and chief scientist at VMware.)

The PDF in question is titled Virtual Machine Introspection ("productized" as LiveWire) and presents the following case:

In this paper we present a new architecture for building intrusion detection systems that provides good visibility into the state of the monitored host, while still providing strong isolation for the IDS, thus lending significant resistance to both evasion and attack.  

Our approach leverages virtual machine monitor (VMM) technology. This mechanism allows us to pull our IDS “outside” of the host it is monitoring, into a completely different hardware protection domain, providing a high-confidence barrier between the IDS and an attacker’s malicious code.

We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

I got to thinking about the relevance of this approach because of some of the arguments that Simon Crosby made in our debate recently.  I wanted to spend some more time thinking about the architectural differences between VMware and Xen so I could try an appreciate the genesis of Simon's comments in context.

This paper and the Livewire prototype was created circa 2002.  It's six years later and we're just now starting to see products and technology being announced as "new and fresh"  that is basically just like Livewire.

While it's certainly not the first and only research on this topic, it's interesting to see that sometimes the wisdom of the past just takes just a little longer to cook before it's fully baked, ready for icing and ready to be consumed.

If VMsafe is an example of the evolution of prior art like Livewire, what else do we have to look forward to that's buried somewhere waiting to come back to life?  Oh wait, those mainframes are coming back, aren't they?  What's old is new again.

/Hoff

{Update: I also found some cool related stuff from Tim Fraser called Virtual Machine Introspection for Cognitive Immunity (kernel rootkit mitigation using VM Introspection) from Komoku which was acquired about a month ago by, gasp, Microsoft...}

IANS - NY Metro Security Forum

I'm in New York presenting as faculty at the IANS NY Metro Security Forum.

Marcus Ranum and I spent today presenting the "Network Potluck" track on Log Consolidation/Analysis/Correlation, Next-Generation Network Security and Endpoint/Mobility Security.

Further, I gave a couple of presentations on virtualization security.

For those of you unfamiliar with the Institute (IANS,) you should check it out. What an absolutely incredible gathering of faculty and partners from such a stacked and diverse set of verticals. The agenda and format is really unique and it's unlike any other forum I've attended:

The Forum is a highly interactive experience. Modeled on the Harvard Business School teaching method, it emphasizes expert-led, real-world discussions that draw on the experience and expertise of participants to drive insights to new levels.

This is not a person yapping at you from behind a PowerPoint, it's a moderated dialog between real practitioner's from some of the most forward-thinking companies on the planet offering you real advice (and seeking it) regarding what works and doesn't.

Tomorrow is "solutions provider" day where we put the vendors through their paces and the opportunity for real face-to-face "no bull" sessions between vendors and customers -- moderated by faculty members -- begins.

Look forward to seeing you at an IANS event!

/Hoff

Poetic Weekly Security Review

I do these every once in a while.

Enjoy

--

The Air Force, it seems,
wants its own net of bots
how many you ask?
The good colonel says "lots!"

The best defense is offense
to defend, they'll attack
After the DDoS
you'll get your game console back

Seems NATO's on board
the Baltics are chuffed
the Cybersecurity center
means attacks will be stuffed

If your cable's from Charter
they'll know you surf porn.
Want your privacy back?
Get Obama on the horn

Speaking of privacy,
can you say P-R-N-G?
if you're running Ubuntu
I've pwned your root key

The free email archival
from NSA -- quite a mess
they got knocked off the air
'cos of bad DNS

Seems virtualization security's
not Simon's problem to fix
beyond hypervisors
they simply don't mix

Troubled by compliance?
governance giving you fits?
risk management efforts
driven by auditor twits?

Fear not my good lemmings
I've the answer, you see
close your eyes, send a check
Behold: GRC!

Check Point launched ForceField
sandboxed browsing - how zen
I installed it, went browsing
but it broke VPN

Nessus licensing changed
not that much of a hassle
though some might have to pay
for the  coolest new NASL?

Dave & Busters suggests
that you eat, drink, and play
Three dudes from east europe
took that quite the wrong way

Yahoo's in turmoil
Ichan wanted a "yes!"
HP spent near twelve billion
and they bought EDS

HSBC lost a server
Oh what could be finer
than your banking details
floating 'round China

Oh rootkits, we love thee
Where are you hiding them then?
In software, in firmware?
Oh, look! SMM

Don't forget IOS,
there's a rootkit there, too
pwnage of routers
means no sleep for you!

Intrusion tolerance solutions?
What's that you may query?
It's admitting that losses
are real, not theory 

New PCI -- deadline's coming,
what will you do,
to comply with the new stuff
in version 1.2?    

And finally,
I'm bullish on Google, I am
except when their mailer
starts sending me spam 

Crosby: Xen and the Art of Marketcycle Maintenance

It seems I have fallen victim to a series of misunderstandings these days.

First there was Joanna-Gate and now Simon Crosby, Citrix's CTO, suggests in a blog entry titled "Chris Hoff & The Mother Of All Misunderstandings" that I'm puffing on the wrong end of my cigars for disagreeing with his position.

I'm a little concerned that Simon's response to me was issued on what is listed as the "beta" version of Citrix's official blog.  Perhaps the virtualized version hasn't made it out of QA yet? ;)

Simon's response was extremely well crafted to avoid responding to most of my actual points, was contextually oblique at points, and was a fantastic marketing piece for Xen Citrix, but I wish he'd paid more attention to the actual points within my post. 

Further his little quips/comments on his hyperlinks "Who is this guy, anyway?  Think before you type dude, we're not idiots," etc. didn't go unnoticed - cute but juvenile)

I am, however, honored that Simon would accord me the high-status of being "...normally fairly clued-in:"

I reckon that Hoff, who is normally fairly clued-in,  has put the smoking end of the cigar in his mouth before thinking through this argument. He's horribly confused, but as smug as always, so let me clarify what I said, and what it means.

...but I can assure you that I've only ever done that with a cigar once, and it was for a much better reason than blogging.  If you must know, it was Kentucky's finest bourbon.  That is all I'm going to say about that. 

I'm glad he's "clarifying" what he said, since I will also.  I seem to have that effect on people.  Must be the accent thing...

The reason for my allergic reaction to Simon's comments stem from my opinion that it is the responsibility of virtualization platform providers to ensure that their "[virtualized] data center operating system platforms of the future" don't become the next generation of insecure infrastructure.

Simon sums up his opinion:

In summary an assertion that the virtualization platform vendor has to fix the sad state of the OS/App world by making it secure is demanding too much.  It would mean that we have to be experts in every piece of system software including all of the vulnerabilities of all OSes and their apps.  In my view the reason the state of security is poor now is because of the monolithic approaches of traditional OS and app vendors. 

We will focus manically on our layer, make it secure, tiny and bulletproof to attack in its own right.  And we will work closely with experts in security of OSes and Apps to give them an opportunity to implement guest-level security outside the guest, through privileged interfaces that themselves are secure.

After 15 years of dealing with this crap, I respectfully suggest that it is not too much to ask and it's about time we stood up and did.  First  you criticize OS/App. vendors and blame them for the state of security because of their "monolithic approach" and then you go on to propose the exact same thing!

Focusing only on your little patch of grass is short-sighted and it won't work.  Just like it hasn't worked in the past.  It's a disaster waiting to happen, and you're enabling it. 

I shudder at the potential tunnel vision of virtualization platform providers only focusing on the security of the hypervisor without taking the bigger picture into consideration and expect a piecemeal approach to securing the expanse of the virtualized environment to suffice.

It's clear you're making arguments about security from an engineering and code-base perspective that is simply disconnected from the realities of what it means to actually deploy these solutions. 

Virtualization is more than just the hypervisor.  You should know that by now, Simon.  The company that acquired your company knows all about that.  The hypervisor will shortly become a commodity, so in the long term the value brought to bear has to be more than just an ultra-thin layer of code:

...and furthermore, we're going to deploy many of them:

I wish to make it clear that I hold all virtualization platform vendors to the same level of scrutiny and criticism, not just Citrix. 

I happen to like Xen very much.  I like VMware, also.  I think the latter is more realistic and measured when it comes to addressing the need and approach in recognizing that as a major layer in the infrastructure, there's more required than to just secure the hypervisor and leave the remaining mess to someone else to solve.

I think Simon's blog title is apropos, but I think the misunderstanding is his.

It's important to understand that I'm not suggesting that virtualization platform providers should secure the actual guest operating systems but they should enable an easier and more effective way of doing so when virtualized.

I mean that the virtualization platform providers should ensure the security of the instantiation of those guests as "hosted" by the virtualization platform.  In some cases this means leveraging technology present in the virtualization platform to do things that non-virtualized instances cannot. That's more than just securing the hypervisor.

Securing the hypervisor whilst closing your eyes to the likelihood that the majority of attacks against it and other guests will come from "guests" within the same system is planting your head in the sand.  That means that there will be a need to ensure that certain behaviors specific to the hosted guests are mitigated to ensure that bad things don't happen -- to the guest or the hypervisor.

Transferring the responsibility to secure the environment to third party security ISV's in order to secure the VM's and preventing them from compromising one another or the hypervisor is difficult for me to comprehend, especially when they are playing catch up of what virtualization means within the context of security.

Fundamentally, attempting to mate static and topology-dependent policies to incredibly dynamic and transitive technology delivered by virtualization will simply fail.  Third party security ISV's will simply require a complete re-tool to even get close to delivering this and will need to provide intimate hooks to allow for this policy/guest affinity to occur in the first place.

I consider the virtualization infrastructure layer as that of an operating system and as such, I would expect that the underpinning mechanicals are as sound and secure as possible while also ensuring that anything running on top of it is as secure as possible, also.

Let's take Microsoft (with or without Hyper-V) as an example:

Microsoft is fundamentally concerned now with making the OS as resilient and secure as possible whilst preventing the applications and interaction with elements riding on top of the OS from doing bad things to the system as a whole; this isn't just to protect the OS, but the assets on it. 

This is really what I'm getting at.  Yes, Microsoft is an OS provider.  Shortly, that OS provider will integrate virtualization directly into the operating system.  That means more, not less, direct integration and security embedded as a function of the virtualization platform.  Citrix, VMware, etc. are all just operating system vendors of a different shape and size.

It's unclear to me, Simon, whether your arguments are meant to justify a business model, a lack of planning, a crafty plan to perpetuate the security hamster wheel of pain, or all of the above.  It's clear to me, however, that you've not felt the pain of actually having to use the products you suggest should be deployed in order to secure this mess.

I promised myself I wouldn't turn this into one of those cut/paste blog pong entries, but the following really confused me:

But we are not in the business of specifically securing guests or their applications, other than through offering a secure virtualization platform.  Even VMware with VMsafe simply exposes APIs to third party security vendors, so that customers can choose their preferred security partner to secure guests.  I think that the VMware Determina acquisition was very smart, and that hints to me that VMware sees itself having a greater role in the security of guest OSes, since it could choose to be in the vulnerability checking business without 3rd party security vendors, but thus far they are working very openly with the ecosystem.

So which is it?  You've established that Citrix is not in the business of securing guests or applications (you must mean Xen specifically, because somebody at Citrix spent quite a bit of money on this stuff with their other acquisitions) and that you believe it to be a lousy idea, but you think that VMware's approach through their Determina acquisition as well as the capabilities of VMsafe is "...very smart?"

Simon, you're the CTO and I'm the security wonk.  If we didn't disagree, I'd be alarmed.  However, I think you might want to rethink your approach to how you market the security of your platform.

I've got a cigar for you anytime you want one.  I'll let you light it.

/Hoff

GooglePOPs - Cloud Computing and Clean Pipes: Told Ya So...

In July of last year, I prognosticated that Google with it's various acquisitions was entering the security space with the intent to not just include it as a browser feature for search and the odd GoogleApp, but a revenue-generating service delivery differentiator using SaaS via applications and clean pipes delivery transit in the cloud for Enterprises.

My position even got picked up by thestreet.com.  By now it probably sounds like old news, but...

Specifically, in my post titled "Tell Me Again How Google Isn't Entering the Security Market? GooglePOPs will Bring Clean Pipes..." I argued (and was ultimately argued with) that Google's $625M purchase of Postini was just the beginning:

This morning's news that Google is acquiring Postini for $625 Million dollars doesn't surprise me at all and I believe it proves the point.

In fact, I reckon that in the long term we'll see the evolution of the Google Toolbar morph into a much more intelligent and rich client-side security application proxy service whereby Google actually utilizes client-side security of the Toolbar paired with the GreenBorder browsing environment and tunnel/proxy all outgoing requests to GooglePOPs.

What's a GooglePOP?

These GooglePOPs (Google Point of Presence) will house large search and caching repositories that will -- in conjunction with services such as those from Postini -- provide a "clean pipes service to the consumer.  Don't forget utility services that recent acquisitions such as GrandCentral and FeedBurner provide...it's too bad that eBay snatched up Skype...

Google will, in fact, become a monster ASP.  Note that I said ASP and not ISP.  ISP is a commoditized function.  Serving applications and content as close to the user as possible is fantastic.  So pair all the client side goodness with security functions AND add GoogleApps and you've got what amounts to a thin client version of the Internet.

Here's where we are almost a year later.  From the Ars Technica post titled "Google turns Postini into Google Web Security for Enterprise:"

The company's latest endeavor, Google Web Security for Enterprise, is now available, and promises to provide a consistent level of system security whether an end-user is surfing from the office or working at home halfway across town.

The new service is branded under Google's "Powered by Postini" product line and, according to the company, "provides real-time malware protection and URL filtering with policy enforcement and reporting. An additional feature extends the same protections to users working remotely on laptops in hotels, cafes, and even guest networks." The service is presumably activated by signing in directly to a Google service, as Google explicitly states that workers do not need access to a corporate network.

The race for cloud and secure utility computing continues with a focus on encapsulated browsing and application delivery environments, regardless of transport/ISP, starting to take shape.   

Just think about the traditional model of our enterprise and how we access our resources today turned inside out as a natural progression of re-perimeterization.  It starts to play out on the other end of the information centricity spectrum.

What with the many new companies entering this space and the likes of Google, Microsoft and IBM banging the drum, it's going to be one interesting ride.

/Hoff

Citrix's Crosby & The Mother Of All Cop-Outs

In an article over at SearchSecurity.com, Simon Crosby, the CTO of Citrix, suggests that "Virtualization vendors [are] not in the security business." 

Besides summarizing what is plainly an obvious statement of fact regarding the general omission of integrated security (outside of securing the hypervisor) from most virtualization platforms, Crosby's statement simply underscores the woeful state we're in:

While virtualization vendors will do their role in protecting the hypervisor, they are not in the business of catching bad guys or discovering vulnerabilities, said Simon Crosby, chief technology officer of Citrix Systems.

Independent security vendors will play a critical role in protecting virtual environments, he said. "The industry has already decided a long time ago that third party vendors are required to secure any platform," Crosby said. In this interview, Crosby agrees that using virtual technology introduces new complexities and security issues.

He said the uncertainties will be addressed once the industry matures.

I'm sure it's reasonable to suggest that nobody expects virtualization platform providers to "...catch bad guys," but I do expect that they employ a significant amount of resources and follow an SDLC to discover vulnerabilities -- at least in their software.

Further, I don't expect that the hypervisor should be the place in which all security functionality is delivered, but simply transferring the lack of design and architecture forethought from the hypervisor provider to the consumer by expecting someone else to clean up the mess is just, well, typical.

I love the last line.  What a crock of shit.  We've seen how well this approach had worked with operating system vendors in the past, so why shouldn't the "next generation" of OS vendors -- virtualization platform providers -- follow suit and not provide for a secure operating environment?

Let's see, Microsoft is investing hugely in security.  Cisco is too.  Why would the other tip of the trident want to?  VMware's at least taking steps to deliver a secure hypervisor as well as API's to help secure the  VM's that run atop of it.   Where's Citrix in this...I mean besides late and complaining they weren't first?

So, in trade for the "open framework for security ecosystem partnership" cop-out, we get to wait for the self-perpetuating security industry hamster wheel of pain to come back full circle. 

The fact that the "industry" has "decided" that "third party vendors are required to secure any platform" simply points to the ignorance, arrogance and manifest destiny we endure at the hands of those who are responsible for the computing infrastructure we're all held hostage with. 

Just so I understand the premise, the security industry (or is it the virtualization industry?) has decided that the security industry instead of the OS/infrastructure (virtualization) vendors are the one's responsible to secure the infrastructure -- and thus our businesses!?  What a shocker.  Way to push for change, Simon.

I can't even describe how utterly pissed off these statements make me.

/Hoff

Of Course Defense-In-Depth, er, Defense-In-Breadth Works!

I don't know what the the hell Ptacek and crew are on about.  Of course defense-in-depth defense-in-breadth is effective.  It's heresy to suggest otherwise.  Myopic, short-sighted, and heretical, I say!

In support, I submit into evidence People's Exhibit #1, from here your honor:

...and I quoteth:

We use layers of security to ensure the security of the traveling public and the Nation's transportation system.

Each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system.  A terrorist who has to overcome multiple security layers in order to carry out an attack is more likely to be pre-empted, deterred, or to fail during the attempt.

Yeah!  Get some! It's just like firewalls, IPS, and AV, bitches!  Mo' is betta!

It's patently clear that Ptacek simply doesn't layer enough, is all.  See, Rothman, you don't need to give up!

"Twenty is the number and the number shall be twenty!"

How's that for a metric?

That is all.

/Hoff

Down Under: Where Security Is SO Last Tuesday...

I read this article from Network World (Australia) where the author relayed the pinnings of C-levels from Australia and New Zealand by titling his story thusly: "If only reducing costs was as easy as security, say CIOs"

It seems that based upon a recent study, IDC has declared that "...conquering IT security is a breeze for CIOs." 

I'm proud of my Kiwi lineage, but I had no idea my peeps were so ahead of the curve when it comes to enlightened advancements in IT security governance.  They must all deploy GRC suites and UTM or something? 

Anton, there must be something in the logs down there!

As per that famous line in "When Harry Met Sally," I respond with "I'll have what [s]he's having..." 

Check this out:

The IDC Annual Forecast for Management report surveyed 363 IT executives from Australia (254 respondents) and New Zealand (109 respondents) across industries including finance, distribution, leisure and the public sector.

Information security was rated last place in the Top 10 challenges for CIOs.

Threats targeting the application layer were cited as the biggest concern (36%), while spyware (16%) was rated as a bigger threat than disgruntled employees, remote access, and mobile devices.

The CIOs top priority for the next 12 months was reducing costs and addressing a lack of resources. This was followed by meeting user expectations and developing effective business cases.

The top four IT investments for the next year will be in collaborative technologies and knowledge management; systems infrastructure; back office applications; and business intelligence.

I'm no analyst, but allow me to suggest that just because security is not the top priority or "challenge" does NOT mean they have the problem licked.   It simply means it's not a priority!

Perhaps it's that these CIO's recognize that they've been spending their budgets on things that aren't making a difference and should instead be focusing on elements that positively impact corporate sustainability and survivability as an on-going concern instead?

The most hysterical thing about this article -- besides the re-cockulous premise they overly-hyped and the (likely) incorrect interpretation of results the title suggests -- is that on the same page as this article which suggests the security problem is licked, we see this little blurb for a NWW podcast:

So, there we have it.  A direct tie.  Security is solved and failing, all at the same time!

Sigh.

/Hoff

Virtualizing Security Will NOT Save You Money; It Will Cost You More

In my post titled "The Four Horsemen Of the Virtualization Apocalypse" I brought to light what I think are some nasty performance, resilience, configuration and capacity planning issues in regards to operationalizing virtualized security within the context of security solutions as virtual appliances/VM's in hosts.

This point was really intended to be discussed outside of the context of virtualizing security in physical switches, and I'll get to that point and what it means in relation to this topic in a later post.

I wanted to reiterate the point I made when describing the fourth horseman, Famine, summarized by what I called "Spinning VM straw into budgetary gold:"

By this point you probably recognize that you're going to be deploying the same old security  software/agents to each VM and then adding at least one VA to each physical host, and probably more.  Also, you're likely not going to do away with the hardware-based versions of these appliances on the physical networks.

That also means you're going to be adding additional monitoring points on the network and who is going to do that?  The network team?  The security team?  The, gulp, virtual server admin team?

What does this mean?  With all this consolidation, you're going to end up spending MORE on security in a virtualized world instead of less.

This is a really important issue because over the last few weeks, I've seen more and more discussions surrounding virtualization TCO and ROI calculations, but most simply do not take these points into consideration.

We talk about virtualization providing cooling, power and administrative cost-avoidance and savings.  We hear about operational efficiencies, improved service levels and agility, increased resource utilization and reduced carbon footprint. 

That's great, but with all this virtualized and converged functionality now "simplified" into a tab or two in the management console of your favorite virtualization platform provider, the complexity and operational issues related to security have just faded into the background and been thought of as having been absorbed or abstracted away.

I suppose that might point to why many simply think that security ought to be nothing more than a drop-down menu and checkbox because in most virtualization platforms, it is!

When thinking about this, I rationalized the experience and data points against my concern related to security's impact on performance, scale, and resiliency to arrive at what I think explains this behavior:

Most of the virtualization implementations today, regardless of whether they are client, server, production/QA or otherwise, are still internally-facing and internally-located.  There are not, based upon my briefings and research, a lot of externally-facing "classically DMZ'd" virtualized production instances.

This means that given the majority lack of segmentation of internal networks (from both a networking and security perspective,) the amount of network security controls in place are few.

Following that logic, one can then assume that short of the existing host-based controls which are put in place with every non-virtualized server install, most people continue this operational practice in their virtualized infrastructure; what they did yesterday is what they do today. 

Couple that with the lack of compelling security technologies available for deployment in the virtual hosts, most people have yet to start to implement multiple security virtual appliances on the same host.

Why would people worry about this now?   It's not really a problem...now.

When we start to see folks ramp up virtual host-based security solutions to protect against intra-vm threats and vulnerabilities (whether internally or externally-facing) as well as to prevent jail-breaking and leapfrog attacks against the underlying hypervisors, we'll start to see these problems bubble to the surface.

What are your thoughts?  Are you thinking about these issues as you plan your virtualization roll-outs?

/Hoff

The Five Laws Of Virtualization - Not Immutable Any More?

Update: Please read the comments section.  Rather than force playing blog pong, I've cross-posted some of the comment thread from Lindstrom's blog.

I believe I've offered up a clear present and future case that invalidates "immutable" law #1. Pete, of course, disagrees...

--

I've commented a couple of times about the confusingly contradictory nature of Lindstrom's Burton's "Five Immutable Laws of Virtualization."  I go back every once and a while and try to utilize them as suggested by their author to see what pops out the other end:

When combining the standard risk principles with an understanding of the use cases of virtualization, a set of immutable laws can be derived to assist in securing virtual environments

I'm not sure I really ever got an answer to what those "...standard risk principles" are and as such, there seems to exist a variability based upon interpretation that again makes me scratch my head when staring at the word "immutable."

So I try and overlook the word (as did the author/editor in the title of the Baseline magazine article below -- it was omitted) and I find myself back where I started which sort of makes sense given the somewhat reflexive and corollary nature of these "laws."   

This is where I get stuck.  I don't know whether to interpret each law as though it can stand on its own or the group as a whole.

Basically, I have a hard time seeing how they enable making more effective risk management decisions any easier.  I will admit, it could just be me...

Further, I've noticed the very careful choice of words used in these laws, and interestingly they don't appear to be consistently referenced which would defeat the purpose of calling them "immutable," no?

Take for example the original wording of the five laws from Burton's original minting and compare it against an article appearing in Baseline magazine from the same author(s) -- Lindstrom in this case:

Original Burton Article Example:

Law 1: Attacks against the OS and applications of a physical system have the exact same damage potential against a duplicate virtual system.

Baseline Magazine Article Example:

Law 1. Attacking a virtual combination of operating systems and applications is exactly the same as attacking the physical system it replicates.

This example may seem subtle and unimportant, but I maintain it is not.  I suggest that they mean very different things indeed.  I mean, if these are "laws," they're not something you get to reword at a whim.  I trust I don't have to  explain why.

One could have lots of fun with the Constitution if that were the case. ;)

There are additional differences scattered throughout the two articles.  See if they appeal differently to you as they did to me.

Now, I'm sure Pete's going to suggest I'm picking nits and that I'm missing the spirit and intent of these "laws," but before he does, I'm going to remind him that I didn't come up with the title, he did.  I'm merely stuck on trying to assess whether these are actually "immutable" or "refutable" but I am admittedly still having trouble getting past step #1.

Help a brother out.  Explain these to me to where they make sense.  Pete tried and it didn't stick.  Maybe you can help?

/Hoff

Asset Focused, Not Auditor Focused

Gunnar Peterson wrote a great piece the other day on the latest productization craze in InfoSec - GRC (Governance, Risk Management and Compliance) wherein he asks "GRC - To Be or To Do?"

I don't really recall when or from whence GRC sprung up as an allegedly legitimate offering, but to me it seems like a fashionably over-sized rug under which the existing failures of companies to effectively execute on the individual G, R, and C initiatives are conveniently being swept.

I suppose the logic goes something like this: "If you cant effectively govern, manage risk or measure compliance it must be because what you're doing is fragmented and siloed.  What you need is a product/framework/methodology that takes potentially digestible deliverables and perspectives and "evolves" them into a behemoth suite instead?"

I do not dispute that throughout most enterprises, the definitions, approaches and processes in managing each function are largely siloed and fragmented and I see the attractiveness of integrating and standardizing them, but  I am unconvinced that re-badging a control and policy framework collection constitutes a radical new approach. 

GRC appears to be a way to sell more products and services under a fancy new name to address problems rather than evaluate and potentially change the way in which we solve them.  Look at who's pushing this: large software companies and consultants as well as analysts looking to pin their research to something more meaningful.

From a first blush, GRC isn't really about governance or managing risk.  It's audit-driven compliance all tarted up.

It's a more fashionable way of getting all your various framework and control definitions in one place and appealing to an auditor's desire for centralized "stuff" in order to document the effectiveness of controls and track findings against some benchmark.  I'm not really sure where the business-driven focus comes into play?

It's also sold as a more efficient way of reducing the scope and costs of manual process controls.  Fine.  Can't argue with that.  I might even say it's helpful, but at what cost?

Gunnar said:

GRC (or Governance, Risk Management, and Compliance for the uninitiated) is all the rage, but I have to say I think that again Infosec has the wrong focus.

Instead of Risk Management helping to deliver transparent Governance and as a natural by-product demonstrate compliance as a function of the former, the model's up-ended with compliance driving the inputs and being mislabeled.

As I think about it, I'm not sure GRC would be something a typical InfoSec function would purchase or use unless forced which is part of the problem.  I see internal audit driving the adoption which given today's pressures (especially in public companies) would first start in establishing gaps against regulatory compliance.

If the InfoSec function is considering an approach that drives protecting the things that matter most and managing risk to an acceptable level and one that is not compliance-driven but rather built upon a business and asset-driven approach, rather than make a left turn Gunnar suggested:

Personally, I am happy sticking to classic infosec knitting - delivering confidentiality, integrity, and availability through authentication, authorization, and auditing. But if you are looking for a next generation conceptual horse to bet on, I don't think GRC is it, I would look at information survivability. Hoff's information survivability primer is a great starting point for learning about survivability.

Why survivability is more valuable over the long haul than GRC is that survivability is focused on assets not focused on giving an auditor what they need, but giving the business what it needs.

Seminal paper on survivability by Lipson, et al. "survivability solutions are best understood as risk management strategies that first depend on an intimate knowledge of the mission being protected." Make a difference - asset focus, not auditor focus.

For obvious reasons, I am compelled to say "me, too."

I would really like to talk to someone in a large enterprise who is using one of these GRC suites -- I don't really care which department you're from.  I just want to examine my assertions and compare them against my efforts and understanding.

/Hoff

Shimel's in Der Himmel & Stiennon's A Mean-Un...NAC Dust-Up Part Deux.

Nothing to see here folks.  Move along...

This is like a bad episode of "Groundhog Day" meets "Back To the Future." 

You know, when you wake every day to the same daymare where one person's touting that features like NAC are the next flux capacitor while another compares its utility to that of sandpaper in the toilet roll dispensers in a truck stop restroom? 

I know Internet blog debates like this get me more excited than having my nipples connected to jumper cables and being waterboarded whilst simultaneously shocked with 1.21 Jigawatts...

Alan Shimel's post ("Stiennon says NAC is dead - I must be in heaven!") in response to Stiennon's entry ("Don't even bother investing in Network Admission Control") is hysterical.

Why?

Because it's the exact arguments (here and here) they had back in August 2007 when I refereed (see below) the squabble the first time around and demonstrated convincingly how they were both right and both wrong.  The silly little squabble -- like most things -- is all a matter of perspective.

I'd suggest that if you want a quick summary of the arguments without having to play blog pong, you can just read my summary from last year, as none of their arguments have changed.

/Hoff

P.S. The German word "himmel" translates to "heaven" (and sky) in English...funny given Shimmy's post title, methinks...

Welcome To the Information Survivability/Sustainability/Centricity Circus...

Forget "Security Theater."  The "Security Circus" is in town...

I wrote this some time ago and decided that I didn't like the tone as it just came out as another whiny complaint against the "man."  I'm in a funny mood as I hit a threshold yesterday with all the so-called experts coming out of the woodwork lately, so I figured I'd post it because it made me chortle. 

They Shoot Horses, Don't They?

To answer what seems to be a question increasing in frequency due to the surge in my blog's readership lately, as well as being cycled through the gossip mill, I did not change the name of my blog from "Rational Security" to "Rational Survivability" due to IBM's Val Rahmani's charming advertisement keynote at RSA.  ;)

One might suggest that Val's use of the mythological reference to Sisyphus wasn't as entertaining as Noonan's "security as the width of two horses' asses" keynote from a couple of years ago, but her punchline served to illustrate the sad state of Information Security, even if it also wanted to make me shoot myself.

Val's shocking admission that IBM was "...exiting the security business," that "...information security was dead," and that we should all celebrate by chanting "...long live [information] sustainability!" 

This caused those of us here at Rational Survivability HQ to bow our heads in a moment of silence for the passing of yet another topical meme and catchphrase that has now been "legitimized" by industry and thus must be put out of its misery and never used again.

You say "tomato," I say "tomato..."

Yeah, you might argue that "sustainability" is more business-focused and less military-sounding than "survivability," but it's really about the same concepts. 

I'm not going to dissect her speech because that's been done.  I have said most of what I have to say on this concept in my posts on Information Survivability and honestly, I think they are as relevant as ever. 

You can read the first one here and follow on with the some more, here. 

For those of you who weren't around when it happened, I changed the name of my blog over six months ago to illustrate what is akin to the security industry's equivalent of an introduction at an AA meeting and was so perfectly illustrated by Val's fireside chat. 

You know the scene.  It's where an alcoholic stands up and admits his or her weaknesses for a vice amongst an audience of current and "former" addicts.  Hoping for a collective understanding of one's failure and declaring the observed days of committed sobriety to date,  the goal is to convince oneself and those around you that the counter's been reset and you've really changed.  Despite the possibility of relapse at any moment, the declaration of intent -- the will to live sober -- is all one needs.

That and a damned good sponsor.

And now for something completely different!

That was a bloody depressing analogy, wasn't it?  Since this was supposed to be a happy occasion, I found myself challenged to divine an even worse analogy for your viewing pleasure.   Here goes.

That's right.  I'm going to violate the Prime Directive and go right with the patented Analog Of Barnum & Bailey's Circus:

What Information Security has become is the equivalent of a carnie's dancing poodle in the circus tent of industry. 

Secretly we want to see the tigers eat the dude with the whip, but we cheer when he makes them do the Macarena anyway. 

We all know that one day, that little Romanian kid on the trapeze is going to miss the triple-lindy and crash to the floor sans net, but we're not willing to do anything about it and it's the tension that makes the act work, despite the exploitative child labor practices and horrible costumes.

We pump $180 in tokens into the ring toss to win an $11 stuffed animal, because it's the effort that counts, not the price.

We're all buying tickets, suffering through the stupid antics of the clowns piling out of the tiny little car in the spotlight hoping that the elephant act at the end of the show is going to be worth the price of admission. 

At the end of the night, we leave exhausted, disappointed, broke and smelling like sweaty caramel apples and stale pretzels...wondering when they'll be back next year so we can take the kids.

See, I told you it was awful.  But you know what's much worse than my shitty little clown analogy? 

Reality.

Come one, come all.  Let Me Guess Your Weight!

So in today's time of crappy economics when money is hard to come by, it's now as consumers that we start to pay attention to these practices -- this circus.  It's now that we start to demand that these alleged predatory vendors actually solve our business problems and attend to our issues rather than simply recycle the packaging.

So when life hands vendors a lemon, they make marketingade, charge us $4.50 a pop and we still drink it.

Along those lines, many mainstream players have now begun to work their marketing sideshows by pitching the supposedly novel themes of sustainability, survivability, or information centricity.  It's a surreptitiously repentant admission that all the peanuts and popcorn they've been selling us while all along we ooh and ahh at the product equivalents of the bearded lady, werewolf children and the world's tallest man still climax at the realization that it's all just an act.

At the end of the night, they count their money, tear down the tents and move on.  When the bearded lady gets a better gig, she bails and they bring in the dude with the longest mustache.  Hey, hair is hair; it's just packaged differently, and we go to ogle at the newest attraction.

There's no real punchline here folks, just the jaded, bitter and annoyed comments of someone who's becoming more and more like the grumpy folks he always made fun of at bingo night and a stark realization of just how much I hate the circus.

/Hoff