September 26, 2007

Amrit: I Love You, Man...But You're Still Not Getting My Bud Lite

I've created a monster!

Well, a humble, well-spoken and intelligent monster who -- like me -- isn't afraid to admit that sometimes it's better to let go than grip the bat too tight.  That doesn't happen often, but when it does, it's a wonderful thing.

I reckon that despite having opinions, perhaps sometimes it's better to listen with two holes and talk with one, shrugging off the almost autonomic hardline knee-jerks of defensiveness that come from having to spend years of single-minded dedication to cramming good ideas down people's throats.

It appears Amrit's been speaking to my wife, or at least they read the same books.

So it is with the utmost humility that I take full credit for nudging along Amrit's renaissance and spiritual awakening as evidenced in this, his opus magnum of personal growth titled "Embracing Humility - Enlightened Information Security" wherein a dramatic battle of the Ego and Id is played out in daring fashion before the world:


Too often in IT ego drives one to be rigid and stubborn. This results in a myopic and distorted perspective of technology that can limit one's ability to gain an enlightened view of dynamic and highly volatile environments. This defect is especially true of information security professionals that tend towards ego driven dispositions that create obstacles to agility. Agility is one of the key foundational tenets to achieving an enlightened perspective on information security; humility enables one to become agile.  Humility, which is far different from humiliation, is the wisdom to realize one’s own ignorance, insignificance, and limitations of intellect, without which one cannot see the truth.

19th century philosopher Herbert Spencer captured this sentiment in an oft-cited quote “There is a principle which is a bar against all information, which is proof against all arguments and which cannot fail to keep a man in everlasting ignorance - that principle is contempt prior to investigation.”

The security blogging community is one manifestation of the information security profession, based upon which one could argue that security professionals lack humility and generally propose contempt for an idea prior to investigation. I will relate my own experience to highlight this concept.

Humility and the Jericho Forum
I was one of the traditionalists that was vehemently opposed to the ideas, at least my understanding of the ideas, put forth by the Jericho forum. In essence all I heard was “de-perimeterization”, “Firewalls are dead and you do not need them”, and “Perfect security is achieved through the end-point” – I lacked the humility required to properly investigate their position and debated against their ideas blinded by ego and contempt. Reviewing the recent spate of blog postings related to the Jericho forum I take solace in knowing that I was not alone in my lack of humility. The reality is that there is a tremendous amount of wisdom in realizing that the traditional methods of network security need to be adjusted to account for a growing mobile workforce, coupled with a dramatic increase in contractors, service providers and non-payrolled actors, all of which demand access to organizational assets, be it individuals, information or infrastructure. In the case of the Jericho forum’s ideas I lacked humility and it limited my ability to truly understand their position, which limits my ability to broaden my perspectives on information security.


Good stuff.

It takes a lot of chutzpah to privately consider changing one's stance on matters; letting go of preconceived notions and embracing a sense of openness and innovation.  It's quite another thing to do it publicly.   I think that's very cool.  It's always been a refreshing study in personal growth when I've done it. 

I know it's still very hard for me to do in certain areas, but my kids -- especially my 3 year old -- remind me every day just how fun it can be to be wrong and right within minutes of one another without any sense of shame.

I'm absolutely thrilled if any of my posts on Jericho and the ensuing debate has made Amrit or anyone else consider for a moment that perhaps there are other alternatives worth exploring in the way in which we think, act and take responsibility for what we do in our line of work.

I could stop blogging right now and...

Yeah, right.  Stiennon, batter up!

/Hoff

(P.S. Just to be clear, I said "batter" not "butter"...I'm not that open minded...)

September 19, 2007

Security Interoperability: Standards Are Great, Especially When They're Yours...

Wow, this is a rant and a half...grab a beer, you're going to need it...

Jon Robinson pens a lovely summary of the endpoint security software sprawl discussion we've been chatting about lately.

My original post on the matter is here. 

Specifically, he isolates what might appear to be diametrically-opposed perspectives on the matter; mine and Amrit Williams' from BigFix.

No good story flows without a schism-inducing polarizing galvanic component, so Jon graciously obliges by proposing to slice the issue in half with the introduction of what amounts to a discussion of open versus proprietary approaches to security interoperability between components. 

I'm not sure that this is the right starting point to frame this discussion, and I'm not convinced that Amrit and I are actually at polar ends of the discussion.  I think we're actually both describing the same behavior in the market, and whilst Amrit works for a company that produces endpoint agents, I think he's discussing the issue at hand in a reasonably objective manner. 

We'll get back to this in a second.  First, let's peel back the skin from the skeleton a little.

Dissecting the Frog
Just like in high school, this is the messy part of science class where people either reveal their dark sides as they take deep lungfuls of formaldehyde vapor and hack the little amphibian victim to bits...or run shrieking from the room.

Jon comments on Amrit's description of the "birth of the endpoint protection platform" while I care to describe it as the unnatural (but predictable) abortive by-product of industrial economic consolidation. The notion here -- emotionally blanketed by the almost-unilateral hatred for anti-virus -- is that we'll see a:

"...convergence of desktop security functionality into a single product that delivers antivirus, antispyware, personal firewall and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive policy-managed solution."

I acknowledge this and agree that it's happening.  I'm not very happy about *how* it's manifesting itself, however.  We're just ending up with endpoint oligopolies that still fail to provide a truly integrated and holistic security solution, and when a new class of threat or vulnerability arises, we get another agent -- or chunky bit grafted onto the Super Agent from some acquisition that clumsily ends up as a product roadmap feature due to market opportunism.

You know, like DLP, NAC, WAF... ;)

One might suggest that if the "platform" as described was an open, standards-based framework that defined how to operate and communicate, acted as a skeleton upon which to hang the muscular offerings of any vendor, and provided a methodology and communications protocol that allowed them all to work together and intercommunicate using a common nervous system, that would be excellent.

We would end up with a much lighter-weight intelligent threat defense mechanism.  Adaptive and open, flexible and accommodating.  Modular and a cause of little overhead.

But it isn't, and it won't be.

Unfortunately, all the "Endpoint Protection Platform" illustrates, as I pointed out previously, is that the same consolidation issues pervasive in the network world are happening now at the endpoint.  All those network-based firewalls, IPS's, AV gateways, IDS's, etc. are smooshing into UTM platforms (you can call it whatever you want) and what we're ending up with is the software equivalent of UTM on the endpoint.

SuperAgents or "Endpoint Protection Platforms" represent the desperately selfish grasping by security vendors (large and small) to remain relevant in an ever-shrinking marketspace.  Just like most UTM offerings at the network level.  Since piling up individual endpoint software hasn't solved the problem, it must hold true that one is better than many, right?

Each of these vendors producing "Super Agent" frameworks has its own standard.  Each of them is battling furiously to be "THE" standard, and we're still not solving the problem.

Man, that stinks
Jon added some color to my point that the failure to interoperate is really an economic issue, not a technical one, by my describing "greed" as the cause.  I got a chuckle out of his response:

Hoff goes on to say that he doesn’t think we will ever see this type of interoperability among vendors because of greed. I wouldn’t blame greed though, unless by greed he means an unwillingness to collaborate because they believe their value lies in their micro-monopoly patents and their ability to lock customers in their solution. (Little do they know, that they are making themselves less valuable by doing so.) No, there isn’t any interoperability because customers aren’t demanding it.

Some might suggest that my logic is flawed and the market demonstrates it with an example like where GE booted out Symantec in favor of 350,000 seats of Sophos:

Seeking to improve manageability and reduce costs which arise from managing multiple solutions, GE will introduce Network Access Control (NAC) as well as antivirus and client firewall protection which forms part of the Sophos Security and Control solution.

Sophos CEO, Steve Munford, said companies want a single integrated agent that handles all aspects of endpoint security on each PC.

"Other vendors offer security suites that are little more than a bunch of separate applications bundled together, all vying for resources on the user's computer," he said.

"Enterprises tell us that the tide has turned, and the place for NAC and integrated security is at the endpoint."

While I philosophically don't agree with the CEO's comment relating the need for a Super Agent,  the last line is the most important "...the place for...integrated security is at the endpoint."  They didn't say Super Agent, they said "integrated."  If we had integration and interoperability, the customer wouldn't care about how many "components" it would take so long as it was cost-effective and easily managed.  That's the rub because we don't. 

So I get the point here.  Super Agents are our only logical choice, right?  No!

I suggest that while we make progress toward secure OS's and applications, instead of moving from tons of agents to a Super Agent, the more intelligent approach would be a graceful introduction of an interoperable framework of open-standards based protocols that allow these components to work together as the "natural" consolidation effect takes its course and markets become features.  Don't go from one extreme to the other.

I have yet to find anyone that actually believes that deploying a monolithic magnum malware mediator that maintains a modality of mediocrity masking a monoculture is a good idea.

...unless, of course, all you care about is taking the cost out of operationalizing security and not actually reducing risk.  For some reason, these are being positioned by people as mutually-exclusive.  The same argument holds true in the network space; in some regards we're settling for "good enough" instead of pushing to fix the problem and not the symptoms.

If people would vote with their wallets (which *is* what the Jericho Forum does, Rich) we wouldn't waste our time yapping about this, we'd be busy solving issues relevant to the business, not the sales quotas of security company sales reps. I guess that's what GE did, but they had a choice.  As the biggest IT consumer on the planet (so I've been told,) they could have driven their vendors together instead of apart.

People are loath to think that progress can be made in this regard.  That's a shame, because it can, and it has.   It may not be as public as you think, but there are people really working hard behind the scenes to make the operating systems, applications and protocols more secure.

As Jon points out, and many others like Ranum have said thousands of times before, we wouldn't need half of these individual agents -- or even Super Agents -- if the operating systems and software were secure in the first place. 

Run, Forrest, Run!
This is where people roll their eyes and suggest that I'm copping out because I'm describing a problem that's not going to be fixed anytime soon.  This is where they stop reading.  This is where they just keep plodding along on the Hamster Wheel of Pain and add that line item for either more endpoint agents or a roll-up to a Super Agent.

I suggest that those of you who subscribe to this theory are wrong (and probably have huge calves from all that running.)  The first evidence of this is already showing up on shelves.  It's not perfect, but it's a start. 

Take Vista, as an example.  Love it or hate it, it *is* a more secure operating system and it features a slew of functionality that is causing dread and panic in the security industry -- especially from folks like Symantec, hence the antitrust suits in the EU.  If the OS becomes secure, how will we sell our Super Agents?  ANTI-TRUST!

Let me reiterate that while we make progress toward secure OS's and applications, instead of going from tons of agents to a Super Agent, the more intelligent approach is a graceful introduction of an interoperable framework of open-standards based protocols that allow these components to work together as the "natural" consolidation effect takes its course and markets become features.  Don't go from one extreme to the other.

Jon sums it up with the following describing solving the interoperability problem:

In short, let the market play out, rather than relying on and hoping for central planning. If customers demand it, it will emerge. There is no reason why there can’t be multiple standards competing for market share (look at all the different web syndication standards for example). Essentially, a standard would be collaboration between vendors to make their stuff play well together so they can win business. They create frameworks and APIs to make that happen more easily in the future so they can win business easier. If customers like it, it becomes a “standard”.

At any rate, I'm sitting in the Starbucks around the corner from tonight's BeanSec! event.  We're going to solve world hunger tonight -- I wonder if a Super Agent will do that one day, too?

/Hoff

Disclaimer

  • The views and opinions expressed here are those of Christofer Hoff only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
