I've spent quite a bit of time investigating emerging technology solutions for virtualization security (VirtSec) lately. I've made mention of an idea that conceptually didn't gel until this last week.
Joel was presenting his 5 myths of Information Security, and one of the myths was (paraphrasing) that Intrusion Detection solutions don't detect intrusions.
What Joel went on to suggest is that what IDS solutions actually do is provide visibility across the network from one perspective; determining what represents an actual "intrusion" is a contextual argument that goes to the efficacy and correlation capabilities of the platform(s).
This got me thinking along the lines of some of the emerging IDP (intrusion detection and prevention) solutions from emerging vendors in the virtualization space.
Something rather profound but obvious dawned on me.
Given the integration for management of these "security" solutions with the management platforms of the virtualization platform providers AND the operational shift in who is managing the security solutions (see here), these aren't really virtualization security solutions at all; they are actually virtualization visualization solutions.
Virtualization management platforms provide the configuration and operational telemetry regarding the virtual environment to these solutions, which lets them do what most HostSec or NetSec solutions have been unable to do in the past: gain context regarding how the infrastructure they are protecting is actually configured.
HostSec and NetSec solutions have no context beyond the host they are protecting or the network segment/IP address they are connected to, respectively. Not so with VirtSec solutions.
That's pretty neat when you think of it. Even though we're substantially handicapped as to what these solutions can *do* with this capability today (see here), integrating this capability can dramatically and positively affect the way in which "security" administration and analytics manifest themselves over time.
"Yeah, but these are basically the same views someone might get looking at a firewall, IDS or IPS tool today," you might argue. That's right, except we already know that server and virtualization administrators (as well as most network folk) don't have access to those tools...
So in many cases the administrators who will be looking at this information are not "security" folks by trade, and the (you'll excuse the wording) dumbing down of this information actually provides a very good perch from which to troubleshoot and extend the forced simplicity of "checkbox" security in the virtualization platforms to this new class of security administrator.
This may be the first time some of these teams have had access to "security" telemetry of this kind.
In the long term, the challenge will be how, when you have several of these solutions, you gain a consolidated view, but the reality is that the NetSec and HostSec admins can use this same view and then click through into the specific toolset management stacks for finer-grained configuration/analysis.
This is actually an interesting way to think about how the re-integration of the server admins, network and security teams might become more cohesive operationally in the future...through the same lens of visualizing the environment.
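To make the "context" argument above concrete, here is an added illustration (not code from this post or from any of the vendors mentioned) of what a security tool can do once it is fed virtualization-management inventory: it takes raw IDS alerts that carry nothing but addresses and a signature, resolves each address to a VM, host, segment and role tag, and derives observations a NetSec sensor on a physical segment could never make on its own, including the consolidated per-host view the NetSec/HostSec admins would click through from. The inventory records, alert lines, tag names and host names are all constructed sample data.

```python
"""Enrich IDS alerts with virtualization-management context.

Added illustration, not code from the post or from any vendor named in it.
Every inventory record and alert below is constructed sample data.
"""
from collections import defaultdict

# Constructed inventory, shaped like what a virtualization management
# platform reports: which VM owns which address, which host it runs on,
# which virtual network segment it sits on and what role it is tagged with.
INVENTORY = [
    {"vm": "web-01",  "ip": "10.0.1.10", "host": "esx-a", "segment": "dmz",     "tags": {"web"}},
    {"vm": "web-02",  "ip": "10.0.1.11", "host": "esx-b", "segment": "dmz",     "tags": {"web"}},
    {"vm": "db-01",   "ip": "10.0.2.20", "host": "esx-a", "segment": "backend", "tags": {"db", "pci"}},
    {"vm": "mgmt-01", "ip": "10.0.9.5",  "host": "esx-b", "segment": "mgmt",    "tags": {"admin"}},
]

# Constructed IDS alerts as a plain NetSec sensor would emit them: addresses
# and a signature, with no idea what the addresses belong to.
ALERTS = [
    {"id": 1, "src": "10.0.1.10",    "dst": "10.0.2.20", "sig": "SQL syntax probe", "sev": 2},
    {"id": 2, "src": "10.0.1.11",    "dst": "10.0.9.5",  "sig": "SSH brute force",  "sev": 3},
    {"id": 3, "src": "198.51.100.7", "dst": "10.0.1.10", "sig": "HTTP scanner UA",  "sev": 1},
    {"id": 4, "src": "10.0.1.10",    "dst": "10.0.2.20", "sig": "SQL syntax probe", "sev": 2},
]


def build_index(inventory):
    """Map IP address -> inventory record."""
    return {rec["ip"]: rec for rec in inventory}


def enrich(alert, index):
    """Attach VM/host/segment context to one alert and derive a few
    context-dependent observations the raw alert cannot express."""
    src = index.get(alert["src"])
    dst = index.get(alert["dst"])
    out = dict(alert)
    out["src_vm"] = src["vm"] if src else None
    out["dst_vm"] = dst["vm"] if dst else None
    out["dst_host"] = dst["host"] if dst else None
    out["dst_segment"] = dst["segment"] if dst else None
    notes = []
    # Both endpoints on the same physical host: the traffic never crossed a
    # physical wire, so an IDS on the physical segment would not have seen it.
    if src and dst and src["host"] == dst["host"]:
        notes.append("intra-host traffic (invisible to physical NetSec)")
    # Source absent from inventory: external or an unmanaged system.
    if src is None:
        notes.append("source not in virtualization inventory")
    # Destination tagged as in scope for PCI: raise the priority one step.
    if dst and "pci" in dst["tags"]:
        out["sev"] = alert["sev"] + 1
        notes.append("destination tagged pci; severity raised")
    # A web-tier VM reaching the management segment is a configuration-context
    # finding; the signature alone does not tell you that.
    if src and dst and "web" in src["tags"] and dst["segment"] == "mgmt":
        notes.append("web-tier VM reaching management segment")
    out["notes"] = notes
    return out


def enrich_all(alerts, inventory):
    idx = build_index(inventory)
    return [enrich(a, idx) for a in alerts]


def consolidated_view(enriched):
    """Group alert ids by the host running the destination VM: the single
    view a server admin would look at before clicking through to a tool."""
    view = defaultdict(list)
    for a in enriched:
        view[a["dst_host"] or "unknown"].append(a["id"])
    return dict(view)


if __name__ == "__main__":
    enriched = enrich_all(ALERTS, INVENTORY)
    for a in enriched:
        print(f"#{a['id']} {a['src_vm'] or a['src']} -> {a['dst_vm'] or a['dst']} "
              f"[{a['dst_host']}/{a['dst_segment']}] sev={a['sev']} {a['sig']}: "
              f"{'; '.join(a['notes']) or 'no context notes'}")
    print(consolidated_view(enriched))
```

The point of the sample is the notes column: "intra-host traffic" and "web-tier VM reaching management segment" are statements about how the environment is configured, not about packet content, and only a tool fed by the virtualization management platform can make them.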
Here are some ideas of what I'm talking about; these are some snapshots of management interfaces of upcoming VirtSec solution providers. These are random shots of some of the different views of managing virtual appliances...
Thanks to Amir-Ben Afraim (Altor), Greg Ness (Blue Lane), Michael Berman (Catbird), and Dave Devalk (Reflex) for getting these images to me. Also, hat-tip to Joel Snyder for the noodle nudge...