Archive for the ‘Security Products’ Category

Factors Determining Installed WLAN Quality

February 12th, 2009 wifijedi

I had an interesting phone discussion a couple days ago with Veriwave’s CTO, Tom Alexander, and VP of Marketing, Eran Karoly.  We were talking about field tools for testing the quality of installed wireless LANs.  At a high level, we all agreed that much of the field testing and verification for WLANs today has centered around data related to site surveys, such as signal strength, RF interference, and the coverage “footprint”.

There are many existing tools for testing wireless coverage, ranging from embedded supplicant software and Netstumbler to more complex commercial tools such as AirMagnet Site Surveyor or Motorola’s LANPlanner.  Check out my blog for more information about site surveys, including the difference between active and passive site surveys.  More sophisticated wireless engineers might also gather data regarding RF interference with a spectrum analyzer, such as the WiSpy DBx or AirMagnet Spectrum Analyzer.

However, our conversation highlighted the need to expand WLAN installation and verification tools beyond the focus on complete WiFi coverage with low interference.  How do wireless vendors and/or VARs ensure that an organization’s business and technical requirements have been met?   A focus on signal strength neglects other critical areas such as roaming, quality of service, and security.  Additionally, there is often no verification of the proper configuration of the *wired* network.

We discussed how many of the testing tools available today focus on the wireless infrastructure (the APs, arrays, WLAN controllers) and lack visibility into the client side of the equation.  Most testing seems to concentrate on laptops – but what about wireless VOIP phones, hand-held scanners, printers, and RFID?

The three of us on the phone, as well as everyone I have discussed this with since, seem to understand the inherent value of a more robust way to validate WLAN installations.  However, what are the costs?  Personally, I don’t see a good cost model for a product of this nature.  It seems that a system that tests both the infrastructure and clients across many functional boundaries would be extremely expensive, especially for a field testing unit (where vendors or VARs might need more than one kit as they are running multiple projects).

Many wireless LAN vendors can justify the capital expenditure of Veriwave’s existing test beds, because they are involved with testing new product lines, etc.   However, many vendors seem to have a bare bones professional services group and turn over that work to VARs.  I also can’t see many VARs purchasing uber expensive field testing tools – many are too small to afford tools like the AirMagnet suite, let alone something more costly.  If VARs do purchase, they will inevitably have to pass along the cost to their customers. Is this viable either?  Why would a customer pay a higher cost to insure themselves against a WLAN that wasn’t properly field verified?  Customers should be able to do this by properly scoping their projects and enforcing the terms of their contract.

What do you think?  Do you see the value of such a tool?  Do you see an appropriate cost model?  Sound off in the comments below!

- WiFi Jedi

Learning the “Reply All” lesson

February 9th, 2009 Michael Farnum

Most people probably would read the title of this blog post and think, “another idiot hit ‘Reply All’ and pissed a bunch of people off, and Michael thinks it is funny”.  Well, you would be right on two and three quarters of those points, because the person who hit Reply All is not an idiot.  In fact, though it was accidental, it actually served a great purpose and hopefully taught someone a lesson.  So after that cryptic intro, here’s the story:

A client of mine (I have his permission to write this, even though I am not mentioning his name or his company’s name) is looking for a specific security product to cure a compliance pain they are currently having.  We work with a few companies that sell the type of product he is looking for, but we recommended the one of those that we think has the best answer for the problem our client is trying to solve.  Since that company came back with some fairly high prices, the client asked us to contact some of the competing vendors and setup some meetings.

Well, one of those competing companies we contacted immediately decided to sic their inside sales person on our client.  This inside sales guy was calling our client at least 3-4 times a day (if not more) and was sending multiple meeting requests and emails, even after we asked him to back off.  He then started calling from other numbers when the client started screening his calls.  It got to the point where our client was getting pretty upset and was asking us to make some further demands that the guy back off.  The client seriously had no desire to be mean to the inside sales person, and we certainly did not want to cause bad relations between our company and the vendor, but the customer obviously comes first.

So after a few days of this going on, our client decided to forward one of the vendor’s emails to our sales person.  Our client was nearing the end of his rope, so the email was frustrated in tone.  It pointed out that the inside sales person was making his company seem cheap and desperate, and it was written with some fairly strong language.  But of course, as you have probably guessed by now, the client accidentally hit reply all when he was trying to forward, causing the vendor to receive a copy of the email.  Our client says that he received cancellation notices for the multiple meeting requests that he had received from the vendor within about 5 minutes after his email went out, and he has yet to hear back from that inside sales person.

So, while all of this is funny and falls right in there with a lot of these types of stories, it really serves a purpose beyond the “be careful with email” lesson.  Though our client swears it was accidental, the “accident” actually served the purpose of which I spoke in the introduction paragraph (it got the client some peace), and it hopefully taught that inside sales person a few lessons, which are these: persistence does not mean annoyance, listen to your clients and partners, and, for goodness’ sake, BE SELF AWARE.  Think about what you are doing.  And if you ARE self aware and you are being forced to make all these calls by your management, you might want to ask yourself why they are making you do this.  Is your company about to tank?  Do you need to start looking for a job?  Are you going to give yourself a bad reputation in the industry by making these calls and pissing people off?  Think about what you are doing and how you can do it better.

And another lesson: if you persist in pissing off my client, I have no qualms in calling in some favors from some friends of mine named Vito and Santino.

Vet

I have an "opinion" – buy my stuff

November 24th, 2008 Michael Farnum

I will start out this post by saying that I generally am a fan of SC Magazine.   Though the product reviews are not very good, they often have informative interviews with some folks whose views I respect.  But I had to guffaw a bit with the Nov 2008 edition when I got to the opinion section, and specifically the article by Richard Moulds.

The reason I LOL’ed at this article was not because the article was wrong.  Mr. Moulds talked about how enterprise encryption was the last line of defense, where if "other security and access control systems fail, if the data is encrypted – it is probably safe."  I agree with that.  I also do not disagree with his assertion that key management is "central to deployment on any encryption-based system."  Makes perfect sense.  Mr. Moulds also says that key management must protect keys but should also make them accessible and highly mobile.  Again, no disagreement.  Just about everything in the article makes sense when talking about an enterprise data encryption system.

No, it is not the content of the article I disagree with.  What I disagree with is the placement of the article.  I disagree that this article should be placed in the "opinion" section of SC Magazine because Mr. Moulds is an EVP in Thales Group, which recently purchased nCipher.  And nCipher, according to their website, "provides state-of-the-art encryption management to the world’s most trusted enterprises."  So what else do we expect Mr. Moulds to say about encryption?  That it sucks?  That you shouldn’t look into it?  Sheesh.

SC Magazine’s editorial page says this about what kind of articles it will accept in the opinion page:

SC Magazine does accept vendor-neutral contributions for its monthly Last Word and Opinion sections. Offering viewpoints on timely and sometimes controversial subjects, these may also include some pragmatic advice to help readers deal with everyday problems.

If you can’t see through that smokescreen, then you need to get better fog lamps.  Please, SC Magazine.  In the future, do not allow vendors to write opinions in your magazine about the very technology they sell.  It doesn’t give me much of a warm fuzzy that the writer’s opinion is genuine, and it makes me question the integrity of your publication.

Vet

Some NitroSecurity pimping

November 19th, 2008 Michael Farnum

Those of you who know the SE side of me hopefully know that I do not hold very many security products to a very high standard because I don’t expect them to perform to it.  Many products do a good job, but I really see very few that make a lasting impression on me.  So, that is the reason I generally do not review products or write about them.

But every once in a while I see something that knocks my socks off and keeps impressing me.  And one of those is NitroSecurity’s SIEM product, ESM (Enterprise Security Manager).  The interface was the first thing that caught my eye when I first saw it about a year or so ago.  It uses Flash / Flex, and it is beautiful.  And not only does it look good, it makes management and forensic research extremely easy.  Plus, the product accepts flows along with events, so correlation is superior.  AND, it has a REALLY fast database, enabling high performance testing while not sacrificing the number of events coming in and being captured.  Basically, you don’t miss stuff because you are trying to look up and investigate OTHER stuff.  And that last point is something that has, remarkably, gotten better.

Now, to be honest, I have not experienced this.  I have only talked to some internal people at Nitro about it.  So the press release below from Nitro gets your knowledge to the same level where I sit.  But I can’t wait to see this new line if it performs like they say it does.

So, here’s the release.  Good luck Nitro people. :)

NITROSECURITY RELEASES INDUSTRY’S HIGHEST PERFORMING, MOST SCALABLE SECURITY INFORMATION & EVENT MANAGEMENT (SIEM) SOLUTION

NitroView ESM 5000 Reduces Business Risk and Increases Availability by Identifying, Correlating and Remediating Threats in Minutes

Portsmouth, NH – November 18, 2008 – NitroSecurity, Inc., a leading provider of network and information security solutions, today announced the availability of the NitroView Enterprise Security Manager (ESM) 5000 family of SIEM products that are capable of analyzing, correlating and reporting on billions of security events, network flows and logs per minute.  With NitroView ESM 5000 organizations can now mitigate risks to their information and infrastructure by responding to and eliminating security threats in minutes instead of the hours typically required with current SIEM technology.

“The true value of SIEM comes down to how much data it has access to and can handle to make accurate and timely decisions,” said Michael Leland, chief technology officer, NitroSecurity.  “SIEM effectiveness requires a data processing architecture capable of meeting increasing scalability and performance requirements.  NitroView ESM 5000, for the first time, gives organizations risk mitigation that responds in minutes to threats that have typically taken hours to identify with competing technology available today.”

The SIEM products currently on the market are mostly capable of detecting and alerting on a particular incident.  However, they do not have the high-speed processing capability to perform the in-depth forensic analysis necessary to prevent or reduce the exposure to looming threats including loss of data, DoS and DNS attacks.  Supported by the patented NitroEDB relational data management engine, NitroView ESM 5000 is capable of meeting, and in most cases exceeding, this response time. 

“As business needs evolve, so do SIEM capabilities, which is important if vendors wish to remain cutting-edge,” said Jon Oltsik, senior analyst, Enterprise Security Group.  “One of the biggest things we have noticed is that there is a direct correlation between the amount of data available to a SIEM and the value it provides to an organization that has implemented it as part of their overall security structure.”

The NitroView ESM 5000 SIEM is able to deliver an “Order of Magnitude” increase in event, log and flow processing capability, including the ability to:

• Analyze and correlate months or years worth of network event, log, and flow data in minutes – down to the preserved packet level.
• Process a sustained input of four million events/flows/logs per second while simultaneously analyzing, correlating and reporting on 100 million record queries per second (six billion per minute).

NitroView ESM 5000 is currently available in four models with pricing starting at $39,995.  Pricing is based on models whose input and correlation rates range from two million events per second (eps) and 25 million record queries per second up to four million eps and 100 million record queries per second.

To register for a live demonstration of the NitroView ESM 5000 led by an engineer or to “test drive” this industry leading SIEM product please visit the NitroSecurity website.  For more information, you can also download NitroSecurity’s whitepaper titled, “Fundamental Requirements of SIEM.” 

About NitroSecurity
NitroSecurity is the leading supplier of information security products that protect business information and infrastructure — Edge-to-Core.  NitroSecurity solutions reduce business risk exposure and increase network and information availability by monitoring, protecting and alerting organizations about suspicious or harmful network activities from inside or outside the enterprise.  Utilizing the industry’s fastest analytical tools, NitroSecurity will identify, correlate and remediate threats in minutes instead of hours, allowing organizations to quickly mitigate risks to the organization’s information and infrastructure.

NitroSecurity serves more than 500 enterprises across many vertical markets, including healthcare, education, financial services, government, retail, hospitality and managed services.  For more information, please visit www.nitrosecurity.com.

Vet


Pimping for Accuvant and Palo Alto Networks

October 1st, 2008 Michael Farnum

To everyone reading this, take it from me that Palo Alto Networks has some excellent stuff.  I have seen this put into production networks and watched it give tremendous insight into what is getting in and out.  I wish this box had been around when I was an Information Security Manager and Network / Security Engineer.  It would have made my life a lot easier because I would have been able to block traffic according to layer 7, not just the traditional port / IP combination like in typical firewalls.  Please read below for a tease of what you will see if you are in the Houston area and come see the seminar.

====================================================

The network security space is in desperate need of innovation!  It’s no secret that the Internet generates the majority of traffic on today’s corporate networks.  The question is, how can you know exactly what that traffic is, and control it in a way that’s best for your business?

Comprehensive Internet visibility and control is now essential – not just of network ports, but of the actual applications, users, and content flowing through the firewall. Unfortunately, traditional firewalls are missing three key ingredients that prevent them from delivering the Internet security and protection your organization requires.

Please join us for a 90-minute seminar that puts a spotlight on what’s really happening in today’s enterprise networks, and provides strategic guidance on how to regain the visibility and control you need.

SEMINAR HIGHLIGHTS

  • New research on the top high risk applications running on more than 50 enterprise networks today
  • Insights into a new generation of evasive applications and related threats capable of bypassing your firewall controls
  • A look at three new network security requirements – missing from traditional firewalls – that will restore IT’s ability to manage these and other Internet risks

In addition, you’ll hear from a CISO of a leading Midwest bank, who has experienced the pain that comes with the inability to control Internet traffic, but is now enjoying unprecedented network visibility and control.

LOCATION
Date: Wednesday, October 22nd, 2008

Time: 11:30 am to 1:00 pm (registration begins at 11:15 and lunch served)

Place:

Sullivan’s of Houston
4608 Westheimer
Houston, TX 77027
Phone: (713) 961-0333

Vet

Trying to get bought, so quality drops?

August 12th, 2008 Michael Farnum

So there is a particular security product manufacturer that Accuvant sells that I cannot name since I will get in trouble (love ya’ Dan!) that has a good product, but their support has been horrendous lately.  Actually, even their product has been slipping, now that I think of it.  And it is starting to hurt the relationship we have with a couple of customers because we recommended the product back when they were kicking some major butt all around.  And it really just pisses me off because this started just a few months before they got bought by a big company.  Oops, man, that probably gave it away, didn’t it?  Huh?  Wadda mean there’s only been about 20 companies that fit that description?  Oh yeah…

As I was saying, this started just a few months before the announcement of their getting snapped up.  This just seems backwards to me.  Does management just get that distracted that their quality starts sucking wind?  Shouldn’t they be trying to concentrate more on quality?  Maybe the deal was pretty much done and they figured what the heck?  The new guys will clean up the mess? 

I experienced that back when Juniper bought Netscreen as well.  I was a customer, and their support went straight to hell for about a year, then it all came back together.  But I kinda expected that to happen.  That was a big deal.  The company I am talking about is not that big, so there should not be a drop in quality like that.  And the Juniper / Netscreen issues didn’t start until AFTER the buy out.  This is happening BEFORE the buy out.

So if there are any manufacturers reading right now, please think about this.  If you are getting ready to sell, please do everything you can to maintain quality in your product and support.  Don’t screw over your employees (don’t know if that is happening here, but the drive of the sales team seems to have dropped dramatically).  Because if your quality drops, I am going to quit recommending you, and so will a lot of people.  Of course, if you already have your money and are at the beach, you are probably not reading this and couldn’t give less of a crap anyway.

Vet

Is Product integration working?

August 4th, 2008 Michael Farnum

I just read a post by Mike Rothman where he is revisiting the "Big is the New Small" post he wrote oh so long ago (is it just me, or does 2 years in the blogging world seem more like 20?).  Basically, it was all about the consolidation of the security market, which is still happening, as Mike points out.

But the little nugget that Mike points out but really doesn’t give enough time to is the integration issue.  Mike says this:

There are many that cling to the "best of breed" myth. It’s even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn’t happen.

I added the emphasis there because I think that is important.  I have seen some of these bigger companies that have a centralized management platform (especially the end-point security companies) that have bought these different products and are still trying to integrate them all into that platform.  Their vision is good as far as the concept goes.  "Let’s put all of these products into a central management console that can provide all the information in a single spot." It would make their offerings attractive to the client, if it worked.  I think this is the reason a lot of people are going with some of these "bloated, unresponsive, lumbering vendors."  Some of it may be that they don’t want to work with 5 different companies, but I think that happens more often in infrastructure types of products (DLP products, now mostly owned by bigger companies, still often sell as best of breed much of the time because they each have their own strengths).

What I see as something of a trend (though not long term because the consolidation will still happen) is that some of these shops will look at best of breed in some areas for a while because the integration they were sold has not been delivered.  I really see some of these shops not wanting "good enough" because it isn’t close enough to actually being good enough.  These products that should have been integrated and functioning smoothly by now are still struggling to get off the ground, and they are causing more management headaches.

I guess we’ll see.  Some people may continue to struggle through and wait for the promise.  But I see a lot of people getting aggravated, and they are being almost forced to make some changes in order to manage the problems.

Vet

SaaS mobile data Encryption product

July 10th, 2008 Michael Farnum

I have been evaluating a new SaaS mobile data encryption solution from a company called HyBlue.  The product is called IceLock, and essentially they put all the management of the encryption in the cloud without storing the keys in the cloud.  They offer some other services as well, but this one is what they asked me to review.

While I cannot get into a full review right now, I can say that it looks pretty good.  It uses a virtual drive for encryption instead of a full disk or file encryption solution.  So once you install it and start the service, it creates a new drive letter.  If you want something to be encrypted, you just pull it into the drive.  The typical install they see targets the My Documents folder, which makes sense, but it is flexible and allows other directories to be encrypted as well.

It uses a combination of the motherboard serial number, a password, and multiple other factors to create an ephemeral key for encryption.  So basically, you can’t walk out with the disk and expect it to work on another system.  They also say that "all keys are deleted from RAM and overwritten with random data" during hibernation, screen saver activation, power-off, log-off, etc. (I think they generate a key every time your system comes out of the screen saver or hibernation state because I have to enter my password every time – that can get annoying).
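To make the hardware-binding idea concrete, here is an added example (my own constructed code, not IceLock’s design or HyBlue’s code): a volume key derived from the password plus a machine identifier, a check value so the client can tell a wrong password or wrong machine apart from corruption, and a best-effort wipe of the key when the screen saver or hibernation kicks in. PBKDF2-HMAC-SHA256 and the exact input mix are my assumptions; the board serials are made up.

```python
"""Hardware-bound ephemeral volume key: constructed example, not IceLock's actual
scheme. Shows why a disk moved to another machine cannot be unlocked and why the
password is needed again after every wipe (the key is re-derived, not cached)."""
import hashlib
import hmac
import secrets

# Constructed identifiers; a real client would read the board serial from SMBIOS/DMI.
BOARD_SERIAL_A = "MB-SN-0001-ABCD"      # the machine the volume was created on
BOARD_SERIAL_B = "MB-SN-0002-EFGH"      # the "other system" the disk was moved to
VOLUME_SALT = bytes(range(16))          # constructed per-volume salt stored in the header


def derive_volume_key(password: str, board_serial: str, volume_salt: bytes,
                      iterations: int = 100_000) -> bytearray:
    """Mix the user's password with a machine-specific factor (assumed mix).
    The serial is bound through the salt, the password is the PBKDF2 secret.
    Returned as a bytearray so it can be overwritten in place later."""
    salt = hashlib.sha256(b"example-kdf|" + board_serial.encode() + b"|" + volume_salt).digest()
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return bytearray(key)


def key_check_value(key: bytearray, volume_salt: bytes) -> bytes:
    """Short MAC stored in the volume header. Lets the client verify the derived
    key without ever storing the key itself, on disk or in the cloud."""
    return hmac.new(bytes(key), b"kcv|" + volume_salt, hashlib.sha256).digest()[:8]


def wipe(key: bytearray) -> None:
    """Overwrite the key in place with random data, then zeros. Best effort in
    Python (the interpreter may hold copies); a native client would keep the key
    in locked, non-swappable memory and scrub it the same way."""
    key[:] = secrets.token_bytes(len(key))
    key[:] = bytes(len(key))


def unlock(password: str, board_serial: str, volume_salt: bytes, expected_kcv: bytes):
    """Re-derive the key on every unlock (e.g. after hibernate or screen saver).
    Returns the key on success, None if the password or the machine is wrong."""
    key = derive_volume_key(password, board_serial, volume_salt)
    if not hmac.compare_digest(key_check_value(key, volume_salt), expected_kcv):
        wipe(key)
        return None
    return key


def is_wiped(key: bytearray) -> bool:
    return all(b == 0 for b in key)


if __name__ == "__main__":
    kcv = key_check_value(derive_volume_key("correct horse", BOARD_SERIAL_A, VOLUME_SALT), VOLUME_SALT)
    k = unlock("correct horse", BOARD_SERIAL_A, VOLUME_SALT, kcv)
    print("same machine, right password:", k is not None)
    print("other machine, right password:", unlock("correct horse", BOARD_SERIAL_B, VOLUME_SALT, kcv) is not None)
    wipe(k)
    print("wiped:", is_wiped(k))
```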

The install process and management are still kinda kludgey.  However, they are nothing if not flexible and willing to take criticism (they made a change based on a question I had within just a few days of my asking), so I expect this to change fairly quickly.

Anyway, take a look.  I am putting it on a VM (which they say will work fine) since it is fairly new, but I haven’t experienced any issues.

Vet

Are people Still using DMZ’s?

July 9th, 2008 Michael Farnum

The simple answer to the title is "yes".  However, that is really not the exact question I am asking here.  The question is really "are DMZ’s actually still DMZ’s?"  Let me ’splain.

I had a client ask me the other day if I was seeing a drop in the use of DMZ’s out there.  We had a quick discussion about it, but it got me to thinking more of the concept of a DMZ, the various implementations of DMZ’s (the point of this post is not to get into the security or various benefits of the different models, so I won’t discuss that or make any judgements on which is the best), the progression of the DMZ concept into the zone concept (and even a little further), and if the term DMZ is even really applicable anymore in the larger scope (or if it even matters). 

Oh, and as a note, you might need to take some of my terminology with a grain of salt if you started your firewall experience with Checkpoint.  I started out with Netscreen, so that affects the way I think about networks and DMZ, and zones.  It all comes out in the wash since they are all doing the same thing, but just wanted to give a warning there.  Also, be prepared for rambling as I flesh this out.  It’s my style.

So anyway, to dig in a bit, let’s briefly define what a DMZ is and look at some of the more common implementations.  The rationale behind a DMZ is to place externally accessible servers (such as HTTP, SMTP, etc) on a segment where potentially dangerous traffic can be isolated.  Simply, you don’t want direct external access to your internal servers.  Makes complete sense.  So, how is this implemented?

Some people implement a DMZ by squashing a bunch of servers in between two firewalls like this:

[Diagram: dmz classic]

The external firewall controls access from the Internet to your DMZ, and the internal firewall controls access from your DMZ to your internal network.  Traffic may need to flow between your DMZ and internal network, but at least you can control that to a larger degree than just opening up the world to your servers as you must in the DMZ.  This is physically identical to the military term DMZ, which is the space between two opposing army lines.  Each army controls access to their side of the line.

But the original concept of a DMZ generally costs a bit more because of more hardware.  So in comes the concept of using three interfaces.  Basically, with a three interface box, you let the firewall become the single point where all inside and outside traffic flows, as seen below:

[Diagram: dmz three interfaces]

This gives you control in a single box, which keeps cost down.  The DMZ is virtual in this case, since it is created and controlled by routing and policies, but the benefit is the same.

But many smart people outside and inside firewall manufacturers started looking at this and started saying, "Hey, why can’t we put even more interfaces on this?"  Basically, they started allowing for more than one DMZ.  So if you had some externally accessible boxes that you wanted to keep isolated from your internal network AND each other, this allowed you to do so without building more firewalls and adding complexity to your network design.

This was the precursor to the concept of zones, where you could create multiple areas where you wanted to segment off traffic with your firewall.  So if you had multiple server farms, you could have a zone for each one.  That is the point where I think the term DMZ becomes somewhat less effective, but it is still realistic if only used in the segmenting potentially dangerous traffic that is coming from the Internet.  It is still not a DMZ in the physical sense (just like the three interface box), but it still serves the same purpose.

But what about those people who put a firewall between internal segments or between two nodes on their private WAN?  As an example, if you work at ABCCorp and your company bought XYZCorp, you might put in a firewall between the companies when you setup a WAN link.  In that case, you probably would rename zones to something more representative, like "ABCCorp_Network" and "XYZCorp_Network".

[Diagram: zoned WAN]

Here you are not really isolating traffic in the traditional sense in this case because you are creating a wall between the units.  There is likely not an area where you have some isolated servers.  You are simply controlling access between the two areas.  So there is really no trusted or untrusted side (well, I guess that depends on which side of the firewall you are on and who implemented the firewall, but you know what I mean).   This is more like the concept of a checkpoint in more modern urban warfare scenarios.  There is no real DMZ, just checkpoints as you move from one hostile area to another.  That doesn’t exactly fit since there are no distinctive lines in modern urban warfare, but I think there is a decent fit there.  So the term DMZ does not fit.

Now you can go the next step by creating virtual firewalls, with each FW treated as a separate entity with its own policy set, routing table, etc.  But that is generally used in more of a carrier type of environment or a very large enterprise that needs to maintain total separation between units.  Though this setup can be utilized to perform the same function as a DMZ or a zone, it is generally too complicated for that.
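Here is an added example (my own constructed model, not any vendor’s configuration or the post’s own material) of what the single-box, multi-zone design above boils down to: every interface maps to a zone, one rulebase covers every zone pair, and the "DMZ" is just the zone the Internet is allowed to reach. The addresses, zone names (including the ABCCorp/XYZCorp pair) and ports are assumptions; the audit() helper is the check I would run on such a rulebase.

```python
"""Zone-based firewall policy model (constructed example). One box, several
interfaces: the DMZ is virtual, created purely by which zone pairs the policy
permits. Addresses are from documentation/private ranges and are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Each interface (or VLAN) is bound to a zone. Anything unmatched is the Internet.
SEGMENTS = {
    "dmz": ip_network("192.0.2.0/24"),                # public web/mail servers
    "trust": ip_network("10.0.0.0/8"),                # ABCCorp internal network
    "XYZCorp_Network": ip_network("172.16.0.0/12"),   # acquired company, across the WAN link
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "untrust"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "permit" or "deny"

    def matches(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (self.dst_port is None or self.dst_port == dport))


# One rulebase covers every zone pair. First match wins; no match is denied, so
# Internet -> trust and XYZCorp -> DMZ are dropped without ever being listed.
POLICY = [
    Rule("untrust", "dmz", 80, "permit"),             # Internet reaches the web server
    Rule("untrust", "dmz", 25, "permit"),             # ...and the mail relay
    Rule("dmz", "trust", 3306, "permit"),             # web tier talks to the internal DB only
    Rule("trust", "dmz", None, "permit"),             # admins manage DMZ hosts
    Rule("trust", "untrust", None, "permit"),         # outbound browsing
    Rule("trust", "XYZCorp_Network", 445, "permit"),  # file shares across the WAN
    Rule("XYZCorp_Network", "trust", 443, "permit"),  # XYZ users reach ABC's intranet portal
]


def decide(src: str, dst: str, dport: int, policy=POLICY) -> str:
    """Classify both endpoints into zones, then evaluate the inter-zone policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "permit"        # same segment: traffic never crosses the firewall
    for rule in policy:
        if rule.matches(src_zone, dst_zone, dport):
            return rule.action
    return "deny"              # implicit deny at the end of the rulebase


def audit(policy=POLICY) -> list:
    """Defender's check: which zones can the Internet reach at all? The design is
    no longer a DMZ the moment 'trust' shows up in this list."""
    return sorted({r.dst_zone for r in policy
                   if r.src_zone == "untrust" and r.action == "permit"})


if __name__ == "__main__":
    for flow in [("203.0.113.7", "192.0.2.10", 80),    # Internet -> DMZ web: permit
                 ("203.0.113.7", "10.1.1.5", 80),      # Internet -> internal: deny
                 ("192.0.2.10", "10.1.1.5", 3306),     # DMZ web -> internal DB: permit
                 ("192.0.2.10", "10.1.1.5", 22),       # compromised DMZ host -> SSH inside: deny
                 ("172.16.5.5", "192.0.2.10", 80)]:    # XYZCorp -> DMZ: deny
        print(flow, decide(*flow))
    print("Internet-reachable zones:", audit())
```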

But saying all of this makes me also come back to how I view many issues such as these, meaning what terms make sense or don’t make sense, which terms have been outdated, etc.  Though I thoroughly believe that accuracy is needed when defining terms, I also think that in this case the term is not terribly important.  I think the term is still very valid, even if the DMZ is virtual. 

So basically, use the term if you want (aren’t you glad I gave you permission?)  But I think "zone" is really more accurate in how most DMZ’s are implemented today, both in the hardware and in the actual production installs. 

Vet

Product Maturation and your business

May 2nd, 2008 Michael Farnum

I had a long talk with a client yesterday regarding IPS.  They were setting up a nice sized extranet infrastructure to serve their clients, and they needed to build some security into the design before they implemented.  They had already thought of a lot of pieces, and now they were looking at putting in IPS.  They were already being courted by one IPS company, but they wanted to know about others and what the strengths and weaknesses were.

So as I started into the discussion, I diverged a bit from the pure technical discussion and talked about the view of the network as a whole.  Basically, I tried to get them to look at the big picture of what they were buying versus just an IPS as a single silo.  What I talked about was how the one IPS they were looking at was an excellent IPS, but I also told them that they really had no big advantage over any of the other big IPS vendors in the market.  If you look at the Gartner chart for IPS, there are about 5-7 vendors in the magic quadrant.  Basically, the product is a commodity, just like anti-virus and other mature products.  Though some boxes have advantages over others, they all really can do the job.  Most are able to protect multiple segments and can handle multi-gig speeds.  Most have a default set of policies that are not very noisy and protect against the big threats.  Most are HA capable.  Most have fail open or fail close options. Etc, etc, etc.  Some people might disagree here, and I understand that.  One IPS might have a feature that another one does not that may fit a certain need.  But I contend that in a general sense, none of the big ones really have a huge advantage.

So in that light, what are the factors you have to consider?  Well, it really comes down to the intangibles.  Let’s look at a few of those:

Is the company diversified in their product line?  In today’s converging security market, that tells us whether the company is likely to be snatched up or simply disappear, depending on product quality and whether there is someone out there who has money and has a hole in their product line.

Product diversification may also mean that the company is trying to take a look at the network as a whole versus just one piece.  If they have developed or bought different products that complement each other and are trying to bring them together in a way that gives insight into the network and allows collaboration, then that type of company is likely planning on sticking around for a while.

In this light, also look at management of the product.  Though this is not exactly an intangible, it is still something that many companies don’t think about.  What about the learning curve for your employees?  Do you already have products from this vendor?  If so, does this new technology fit well into that console, thus lessening the time your employees need to learn it?  If a company fits the diversification example above, they might have a problem in this area.  Of course, if they are serious about making it work, they might very well have an EXCELLENT console.  Take a close look.  You also have to consider the talents of your employees with this factor.

Another intangible is support.  How well do they support their product, keeping in mind that the company with one product may be better at this versus the big one with multiple products?

There are probably many other factors to consider here, but the basic point is that when you are looking at a mature, commoditized product (this does not just apply to IPS, obviously), a decision should not be made on technical issues alone.  Look at your business. Look at your risk.  Look at your employees.  Look at the vendor as a whole.  Compare their position in the market to other vendors.  How do they stack up?  Do they seem to have tunnel vision, or are they trying to diversify?  Make sure you don’t let your technical folks make the decision by themselves and then hand you a PO to sign.  They may like the product in the short term, but you have to think long term.  You might piss off the team for a bit, but you can use the decision as a lesson to help mature your staff.

Vet

Thoughts on DLP

January 21st, 2008 Michael Farnum

I took a class a couple of weeks ago on DLP (data leak/loss prevention).  It was specifically the Websense Content Protection Suite (formerly PortAuthority).  The class was very good because the instructor spoke a lot about how to position the product as well as the technical workings (good stuff for an SE to know).  One question that arose was whether DLP was a security product.  Now I have a very large definition for the term “security product” because I don’t believe that security can be stove-piped like it was in the past (even a switch can be a security product because of its role in availability).

But the point of the conversation was this: do you implement DLP for purposes of protecting data from malicious activity, or do you implement DLP for purposes of protecting against inadvertent data leakage?  Basically, are you protecting against the smart bad guy looking for stuff to steal or the dumb good guy who doesn’t know it is a bad idea to send credit cards in plain text?

I was a little mixed on my opinion on this one.  I understand that you have to protect against the biggest risk.  Most companies are going to experience much more inadvertent loss via SSNs, CC numbers, customer info, etc. going out through email or some such method.  And because of this, it makes sense to position this type of product in such a way that you are most likely to get a sale.  If you go into a medium-sized shop that has a lot of customers but little-to-no intellectual property, then you are better off positioning the product in this way.

However, let’s look at a few other scenarios:

  • Client A is a B-2-B company with no CC numbers, a little customer data, and a huge software app that they developed and that is their bread and butter.
  • Client B is a publishing firm that has a new book coming out from a best seller and is afraid that someone will try to steal the manuscript before publishing.
  • Client C is a law firm that has all its client data in a SQL db and has not set up any encryption tools yet.  They also have an application that builds legal docs for them and holds the data in a flat file.

Here is where I see DLP having problems, at least from what I have seen so far (PLEASE correct me if I am wrong, especially Mogull).  You might consider positioning it in such a way that shows it can protect against data theft rather than something protecting against inadvertent loss.  Then it IS a security product in that sense of the term.  But the problem I have seen thus far from DLP is that unstructured data is very hard to protect.  It is just not as simple as making a hash of the data and looking for that in a signature.  That type of data just changes too much, and the hash would get broken all the time.

Let’s take Client A.  They are trying to protect their application, so they are protecting against their source code getting out.  Source code is very unstructured, so it is the hardest for a DLP solution to protect.  So Joe Programmer gets paid off by a rival company, and he starts shipping out the code.  If he grabs the source code and just starts dumping it, then any good DLP solution will stop the dump.  But what if he starts breaking it into pieces and puts it out a bit at a time?  With some experimentation, he can figure out how much gets stopped and how much gets through.  It will be time consuming, but he can get it all out without getting stopped.  Of course, you hope someone notices the dump while he is experimenting and goes to see what is going on, but it is still a feasible scenario.

The same is true for Client B.  A book is also a very unstructured document, and the same problems will arise. 

Now look at Client C.  The first part of the problem is a SQL database.  That can be fingerprinted fairly well and prevention can be done very well.  However, the second part of the problem is unstructured data, which leads to the same issue.
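The fingerprinting problem behind Clients A through C, as an added illustration (this is not Websense/PortAuthority code, nor the author’s): a whole-document hash breaks on any edit, while hashing every 5-word window still catches an edited copy or a verbatim excerpt, and also shows the blind spot for chunks shorter than one window. The protected text, the outbound messages, the window size and the threshold are all constructed for the demo.

```python
"""Whole-document hashing versus word-shingle fingerprinting for DLP.

Added illustration; not Websense/PortAuthority code. The protected document,
the outbound messages, the window size and the threshold are all constructed.
"""
import hashlib
from typing import List, NamedTuple, Set, Tuple

SHINGLE_WORDS = 5        # assumption: fingerprint every 5-word window
PARTIAL_THRESHOLD = 0.5  # assumption: flag when at least half of a message's windows are registered

# Constructed stand-in for Client B's unpublished manuscript (any unstructured text works).
PROTECTED_DOC = (
    "chapter one the detective walked into the rain soaked alley and paused "
    "the letter in her pocket named a buyer who was never supposed to exist "
    "she knew the manuscript would be worth nothing once it was copied "
    "so she burned the only draft and kept the ledger of names instead"
)

# Constructed outbound messages for the engine to inspect.
EXCERPT = "the letter in her pocket named a buyer who was never supposed to exist"
EDITED_COPY = PROTECTED_DOC.replace("manuscript", "notebook")  # a one-word edit
UNRELATED = "quarterly sales figures attached please review before the board meeting on friday"
TINY_CHUNK = "she knew the"  # shorter than one fingerprint window


class Registry(NamedTuple):
    """What a DLP crawler would store for one protected document."""
    whole: str
    shingles: Set[str]


def normalize(text: str) -> List[str]:
    """Lowercase and split on whitespace so case and spacing changes do not alter tokens."""
    return text.lower().split()


def whole_doc_hash(text: str) -> str:
    """Register the document as a single SHA-256; any one-word edit defeats this."""
    return hashlib.sha256(" ".join(normalize(text)).encode()).hexdigest()


def shingle_fingerprints(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Hash every k-word window; an edited or partial copy still shares most windows."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def register(doc: str) -> Registry:
    return Registry(whole=whole_doc_hash(doc), shingles=shingle_fingerprints(doc))


def classify(outbound: str, registry: Registry) -> Tuple[str, float]:
    """Return (verdict, containment) for an outbound message.

    containment is the share of the message's own windows that belong to the
    registered document, so a small excerpt copied verbatim still scores 1.0.
    """
    if whole_doc_hash(outbound) == registry.whole:
        return ("exact", 1.0)
    candidate = shingle_fingerprints(outbound)
    if not candidate:
        # Fewer than SHINGLE_WORDS words: no window exists, so this engine is blind here.
        return ("too_short", 0.0)
    containment = len(candidate & registry.shingles) / len(candidate)
    verdict = "partial" if containment >= PARTIAL_THRESHOLD else "clear"
    return (verdict, containment)


if __name__ == "__main__":
    reg = register(PROTECTED_DOC)
    for label, message in [
        ("exact copy", PROTECTED_DOC),
        ("one-word edit", EDITED_COPY),
        ("verbatim excerpt", EXCERPT),
        ("unrelated mail", UNRELATED),
        ("3-word chunk", TINY_CHUNK),
    ]:
        verdict, score = classify(message, reg)
        whole_hit = whole_doc_hash(message) == reg.whole
        print(f"{label:<17} whole-hash={whole_hit!s:<5} shingles={verdict:<9} containment={score:.2f}")
```

Shrinking the window closes the too-short blind spot but makes common phrases match, which is the false-positive trade-off a fingerprinting engine has to tune.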

The other problem I see is protecting against streaming protocols.  Store-and-forward protocols are very easy to protect against, but protocols like FTP stream data out, so by the time a solution picks up on the data going out, much of it is already gone.  So if it is not some malicious insider but is Joe Hacker who got in and is stealing your stuff, then you will have lost some data and will likely not have anyone to go after to recover losses.

Anyway, these are some thoughts.  I am sure Rich and a few other people have written about this, but I wanted to get those thoughts out that have been on my mind since I started working on this product line.  I DO know that data, being the crown jewels, is what we have to protect.  I also know that many people forget to look at permissions to data as well as where the data resides, which I see as a flaw in the armor many times.  One of the products out there that can help with that in the Active Directory world is Varonis.  Very good stuff.

Also, Accuvant is starting a data security practice, which tells me that we are taking it VERY seriously.

Vet

Does security nirvana exist?

October 15th, 2007 Michael Farnum

I know, I know.  I can answer that question with a resounding “NO” and get on with things.  But seriously, what does it take to even approach security nirvana?  I mean really, there are so many people spouting theories about where we need to go to make the Internet secure.  Then there are a bunch of frickin’ criminal scum suckers over in Russia and China and America and wherever doing everything they can to keep fifteen steps ahead of us trying to plug the holes.  And then I take a closer look to see if we really are even plugging the holes (selling product sure as hell doesn’t do it).

Seriously folks, I know the answer to the question.  But how can we keep going down this road if we can’t even approach a state where we don’t have to look over our cyber shoulder every night and day?  What are we fighting for?  Where did the fight turn into a battle for money instead of a battle for security?  I also know we live in a capitalist society.  I AM a capitalist.  Nothing wrong with making a buck.  But I feel like such a cog among a bunch of cogs.  Where the hell is the wheel??  

I know I sound depressed.  And maybe I am a little.  Maybe it is just because it is 12:35AM right now.  But I just feel like so many of us have lost sight of what it takes to make things secure.  Products have a fit in security.  But with so many of us pushing product after product after product and not looking at security overall, where are we getting to?  When did the industry turn into a churn and burn machine?  This feels like an uphill battle, both ways, in the snow.

I know Alan will probably call me a young, naive punk again (OK, he didn’t call me a punk), but sometimes I have to stop and make sure SOME of my ideals are still there.  Otherwise I just become a big glob of compromise, picking up the lint and dirt on my way to security hell…

Vet

Product knowledge versus real knowledge

August 17th, 2007 Michael Farnum

I was at a client site the other day…  Wait a minute.  I just realized how often I open posts with that line now.  I feel like Snoopy: It was a dark and stormy night!

Anyway, I was visiting a client the other day (yeah, that’s better :) ), and I was accompanied by my sales guy and a sales guy from a vendor with which Accuvant partners.  My sales guy had invited the partner on the call, and then let me know a couple of days ahead of time that this was going on and that I needed to be there because the vendor’s sales guy was not going to have an SE available from his company.  I am fairly familiar with this particular partner’s products.  I have used them a lot in the past.  But during the meeting, the conversation turned specifically to a particular product line, and it just so happens that I am not as familiar with this product.

So long story short, I basically had to admit in the meeting that I did not know the product line very well and I would have to do some research.  Now the customer had no issue with that at all, but I could tell that the partner was none too happy.

Now generally, I could not care less about what partners think of me.  I have been in trouble before with vendors, and I will be in trouble again I am sure.  But in this particular incident, I felt like I had not done enough prep beforehand and had done a disservice to the partner.

Anyway, the meeting went forward and turned to more security-centric talk, such as where they should place IPS, etc.  The sales guys got bored for a while because we got to whiteboarding a bit, but it turned out really well, and the customer ended up giving me some kudos because I pointed out some issues he had not considered.  And several times during the technical talk I pointed out products that the vendor had that could help with certain problems.  So my sales guy and I left feeling like the meeting went well, and I am pretty sure the customer felt the same.  But I still am not sure what the vendor’s sales guy thought.

As a pre-sales engineer, I am expected to know product as well as have in-depth security knowledge.  Now I know which one I am better at (three guesses), but I realize the reality of these types of situations.  But as a VAR pre-sales engineer, I am expected to know a BUNCH of products.  It can be a little crazy at times.

So really this is just some thoughts on my blog about this.  I don’t know that I have a specific point.  But for some reason it just struck me to write about this.

Vet

There’s no hope – I quit

August 3rd, 2007 Michael Farnum

OK, I am officially depressed.  Here’s Richard Bejtlich’s impression of the state of security after one day at BlackHat:

My overall impression from the first day of briefings can be summarized in this manner.

  • Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running JavaScript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
  • Detecting current attacks in “real time” is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by “rich Internet applications” and frameworks. I realized that the “rich” in “RIA” refers to the money intruders will make by exploiting Web clients.
  • The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get “ahead of the threat” here.

Holy crap.  What in the world am I doing then?  I guess making money off some poor, ignorant bastards who have no idea that every effort we are making is totally useless.  Well, I guess in order to maintain my integrity, I should just quit.

Sheesh.

Vet

Selling doesn’t always make you a hooker… and other rebuttals

June 13th, 2007 Michael Farnum

OK, now that I am settled in my hotel room in Dallas, I have some time to respond to Alan’s post calling me a hooker (like I said to Alan, at least he called me high-priced).  I will also be responding to a comment left by a reader who goes by the name of Shaneo.  You can read that comment here.

The first thing that strikes me about Alan’s and Shaneo’s comments is that they seem to think that selling products is what makes a person bad.  Either that, or they think I was making that implication.  Alan says:

To me Michael sounds a bit like an expensive call girl talking down on a lowly street walker.  At the end of the day they are both working girls, who work hard for the money, but they are what they are.  As long as Michael is putting the food on the table by selling products to customers, whether they be from a line card that Accuvant offers or from a specific vendor, he is selling nevertheless.

Shaneo says it like this:

You make me laugh! A VAR is still always a VAR – a sales engine. If you were an independent consultant and didn’t sell any product, then I could support some of your statements.

…don’t put yourself so high and mighty above all the rest… when you’re a part of the food chain.

I seriously do not get why they think that because I sell products that I am a whore.  My point was never that selling a product was a bad thing.  In fact, my point in the original article wasn’t even to attack vendors, though I’ll admit I was harsh on the vendors (not apologizing, just admitting :) ).  My point was that I, as the trusted adviser to the client, need to make sure that their expectations are managed so that they can make the right decisions.  I made that point by saying that vendor marketing departments often try to make their products look like they can solve all ills and the client often buys what the marketing department says because they WANT to believe it. 

When Alan asked me in a comment what I would do if I worked for a vendor, I told him straight that I would have to look hard at the vendor before I made a decision “because of the situations I would be in that would require me to sell a product that was not a good fit”.  Do I think every vendor will try to sell something even if it is not a good fit?  No.  And I believe Alan when he says, “It is not some sort of pump and dump scheme over here.” But I also know that it is extremely hard for a salesperson (VAR or vendor) to turn down a sale, and it makes it doubly difficult when you are feeling pressure from above.  So the temptation is there to push the product whether it is a good fit or not.

Now where Accuvant comes into play is that we look at the product that the client is asking about, and since we are the trusted adviser in the situation, we have the leeway to tell them the truth.  If we don’t, then we can lose that status.  Not a good idea for a company that leads with services, not product.  And Alan, you asked, “if Accuvant did not have a product that was a good fit, would you send the customer to EnPointe, Cadre, Fishnet or another VAR?”  Actually, yes, I would.  And I can speak for most, if not all, of Accuvant when I say that they would as well.  That may be hard to believe, but I think you know me well enough to know that I ain’t jerking you around.  In fact, we have contracted with competitors before for stuff that we could not do because of lack of resources or whatever (and no, we did not make them wear Accuvant shirts and not tell anyone where they were from).  We have done that because we place our customers first.  If the competitor gets in and steals the business, then obviously we weren’t doing our job in the first place, and we deserve to lose the customer.

Alan also says:

Michael here is another example you cite.  The vendor who is upset with you for bringing in his competitor in a deal.  Of course he is.  You would be too.  In fact you are upset by it and you even say that your dander was up because the vendor admitted he wanted another reseller in there.  You wouldn’t mind the vendor suggesting another reseller? See the point.

Well Alan, I see the point you are TRYING to make, but you actually miss it.  Read my paragraph again:

 But what really got my dander up was that I knew that the guy had not brought me in to the client.  In fact, the client requested Accuvant (the client and I were old friends – we had worked at another reseller together).  And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been).  This was just pure and simple dishonesty, and it irked me tremendously.

Go to the end.  I wasn’t upset because he suggested another reseller.  I was upset because the vendor was dishonest about saying that he had brought me to the deal when he had actually suggested another reseller first.  That is what makes me wary of vendors.  I have seen that kind of dishonesty time and time again, both from the reseller POV and the client POV.

Another Alan quote:

As long as you are getting paid to put products in at the customer, whether you make and sell them or just sell them, you still sell.  As long as you sell, you are as guilty or innocent, moral or immoral as anyone else in the food chain.

This goes back to my original question.  Why does selling make me guilty or innocent or immoral or moral?  That makes no sense.  It is not the act of selling that makes a person bad.  Guilt and immorality come into play when the sales person or the marketing department or whomever makes false statements to make a sale, and that applies to the VAR or the vendor.  And I know plenty of VARs who sell based on the best spiff that month.  But everything I have seen from Accuvant since before I worked here and after I have been here 9 months tells me that we don’t follow that kind of crap.  Have we had people collect on spiffs before?  Hell yes.  But it was not the driver behind the business.  And if you don’t believe we are on the up-and-up, just ask a customer (thanks again, LonerVamp).

Alan again:

First of all Michael assumes that only someone like a VAR would tell the customer that a case study or lab result are “done in pristine situations”. Why would a vendor be disqualified from saying that?

They’re not.  But do they?  It is not in their interest to do so.

Mr. Shimel again:

Then he talks about telling the customer the truth about how long it takes to install the product. Do you think a vendor is going to lie about this?  Especially if the vendor is selling install professional services along with the product.

Because it is often a bait-and-switch.  Alan, I have seen this so many times it is impossible to name them all.  In fact, one of your competitors in the NAC space does this very thing.  In all honesty, I don’t think the sales person is actually lying.  However, when he says the product installs in 30 minutes (OK, I exaggerated by saying 5 minutes), he is not telling the full truth.  Does the product physically install in place in that amount of time?  Yes.  They are specifically trying to counter Cisco NAC because they have seen the uber-pain people have gone through trying to implement CleanAccess.  But it takes time to determine the business behind the need for the product, create the policies to fit those needs, get the agent installed on all the workstations, etc.  And yes, a security manager or administrator worth his salt will know the intricacies involved and will know that is a shortsighted claim.  But the fact that he says it and uses it in every sales call creates the need for me to manage the customer’s expectations and let them know all of the other details of installing a product like this.

And if you don’t believe that this is a problem, let me tell you that I have had to convince customers numerous times that getting this product (and others whose salespeople make similar claims) installed is not just plugging in a couple of patch cables and letting rip.

Anyway, in the immortal words of Forrest Gump:

And that’s all I have to say about that.

I’m going to bed.

Vet

A response to Alan on those “lying no-goodnick” vendors

June 10th, 2007 Michael Farnum

Judging by Alan’s comment to my Managing Expectations post, I think he is a little aggravated with me for picking on vendors.  It probably had something to do with this comment:

…the marketing departments of companies typically make it sound like their product can cure world hunger and make you a sandwich at the same time it is keeping your network totally secure (and it does all that in a nice little 1U appliance that takes five minutes to install and configure). 

Or maybe this:

So as the sales person and sales engineer (often the same person), it is imperative that the expectations for a product are managed up front.  If the customer calls you in and says that the brochure for XYZ Security Widget says that it can perform a certain function, you have to be able to explain if the claim is true or not.  You have to make it clear that often case studies are done in pristine situations.  And you also have to clarify that the “setup” of the widget (yes, the one that takes only five minutes) in a network often means that it was simply screwed into a rack, plugged into the network, and assigned an IP address.  There is usually little to no configuration done on the widget, and it is absolutely worthless in this state.  You have to enlighten the naïve customer by telling him that trade rag product reviews are often rigged (it sucks, but it is true).

I was going to respond in the comments, but it got long, so I thought it was worth a post. OK, here goes.

Alan,

To answer your “what would I do working for a vendor” question, I would honestly have to look long and hard at a vendor before I would go to work there.  Not because they are all a bunch of “lying no-goodnicks”, but because of the situations I would be in that would require me to sell a product that was not a good fit.  I have interviewed a few times with vendors.  One interview stands out because they asked me what I would say to a client if our product was not a good fit.  I said that I would tell the client it was not a good fit, and the interviewer’s jaw almost hit the floor.  He couldn’t believe I would say that.  But how could I not and stay true to my morals?

I know I give vendors a bad rap, but I have a good bit of experience with them on the customer side and reselling side (this is not my first go ’round as a reseller).  And many, if not most, push their product on everyone, no matter if it is a fit or not.  And then they get aggravated at me for telling the customer the real deal.  Since more often than not Accuvant is the trusted adviser at clients, I am not going to listen to grief from the vendor when I step in as a reseller and try to protect my customer.  I just can’t afford to let a client buy something that is not a good fit.  If I do that a couple of times, I am no longer a trusted adviser.

As an example, I spent 30 minutes on the phone with a vendor sales guy a couple of weeks ago on this very thing.  He was griping at me because I was bringing a competitor of his into an account he thought he had brought me in on.  The reason I was bringing someone else in was because my client has an internal policy that they have to bring in at least three vendors of any one product before they can make a purchase.  I explained that I could not refuse the customer, especially if he was specifically requesting that I do all the work.  Again, if I don’t help my client, then my status as a trusted adviser gets hurt or lost.

But what really got my dander up was that I knew that the guy had not brought me in to the client.  In fact, the client requested Accuvant (the client and I were old friends – we had worked at another reseller together).  And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been).  This was just pure and simple dishonesty, and it irked me tremendously.

I am not saying that all vendors are dishonest.  And I know that vendor product sales make up a huge amount of our revenue at Accuvant.  But I would rather not be put in a situation where I have to choose between making my boss angry by not selling the product or convincing the customer that the product is what he needs when I know it is not.  I just don’t know if I can work in the situation.

Having said all of that, I would really love to hear your deeper opinion on this matter.  Obviously you have had a lot of experience working for vendors, and I want to hear your side on this and how you handle this kind of thing, what you teach your sales people, etc.  I have heard that the vendor side of the house is great, so I want to know what the argument from your side is so I can keep from limiting my options for future employment. :)

Vet

Looking at Websense Content Protection Suite (formerly Port Authority)

April 9th, 2007 Michael Farnum

In Dallas today doing a quick dive into the Websense Content Protection Suite. This is the information leakage protection product formerly known as PortAuthority. I looked at these guys a while back when I was a security manager. They get their accuracy by fingerprinting your data. Basically, they crawl your files and databases and match based on that versus just matching on a string that looks like an SSN or a driver’s license number, which can lead to high false positives (they can match on strings as well).

What also interested me today more was their explanation of when you actually have a compliance violation. Let’s say your HR person sends out an SSN via email. Your first inclination is that you have a violation on your hands. But if you send an SSN without a name or other identifiable info that can be tied to that SSN, then you have no violation. And like I said above, matching on strings can lead to false positives, so you can avoid that with this technology.

They can filter http, ftp, smtp, IM, and some others. As soon as I get a more in depth demo, I will talk more about it.

Vet