Episode 78: The More Threats Change, The More Solutions Stay The Same

Amrit Williams, BigFix CTO, discusses how the ever-changing threat landscape is met by a static set of solutions. He is joined by Will Gragido and John Pirc of Cassandra Security.


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter, and I’m back with Will Gragido and John Pirc.

Guys, thanks for joining me back. We were talking about some of the more sophisticated exploitation methods that were being used, and I posed a question after you guys had discussed some mitigation control, just sort of briefly mentioning things like, you know, network behavioral analysis or monitoring ingress or egress traffic into critical infrastructure; and the question I asked is: you know, we always seem to be challenged by applying technologies that would work today or yesterday but become handicapped tomorrow, and in this case the monitoring of ingress or egress traffic into critical corporate assets is handicapped if we start using Cloud computing. So if you have, you know, one of your corporate assets sitting at a hotel, for example, in a laptop and it’s accessing a corporate resource that is owned and maintained by a third party, the NBA technology starts to break down.

So I wanted to get your thoughts on that, how organizations that are looking at Cloud computing that do take security, obviously, seriously, as most would like to, how do they approach solving this problem when the corporate assets and the corporate network and the data that traverses it, they simply can’t see it?

Will Gragido: I have some pretty strong feelings on that, and they mainly stem from my experience in the consultancies and also working with at one point in time the world’s largest managed-security service provider. I think that any time you endeavor to adapt a technology or a solution with a solution partner, that requires the transference of a risk, which ultimately speaking manifests in the transference of responsibility, day-to-day operational responsibility and data flows and asset management. One has to take into consideration just, A, how trustworthy that provider is, what level of due diligence they’re striving for and they can demonstrate in a repeatable fashion, whether it’s by advanced third-party certification, for example, Safe Harbor, SYSTRA, independent audits and assessments, all those things.

I think that those very basic things at a minimum need to be considered. And the MSSPs, for all of their faults, along with the carriers traditionally, did a very good job of that, right, and they sort of invented that space. Where I think Cloud computing, though it’s quite popular today and arguably is on the tongue of every CIO or corporate officer looking to consider ways in which to consolidate efforts and resources and then ultimately seeking to save money, where that’s important and though that’s important, they need to also be asking themselves from a risk-management perspective, you know, just how trustworthy is the partner; what degrees of due diligence are being presented and are being conducted on their behalf; what the safety level of their data is; what levels of assurance are being provided from a provider to the customer. If those questions can’t be answered at a very, very basic and visceral level, in my opinion it really diminishes the overt value of the solution set. Where a CIO, or a CSO or a CTO or a CEO, for that matter, was endeavoring to take what a small-, medium- or a large-sized enterprise down that path I would really be asking those tough questions, because I think that though the technology is there and has been for a long time — like, Clouds aren’t new (laughing). I’m sure that Chris Hoff will get mad when he hears that I said that; but Cloud-based computing technology is not a new idea, it was first conceptualized in 1961. And though it isn’t new, the challenges that have been present in other environments — for an example, those MSSPs and those carrier environments — will now become more manifest as we start to see more and more startups and the evolution of newer event service-delivery offerings by other organizations which have previously been in business in other areas — for example, Amazon, Google, whatever however their core business was not in information assurance and security.

But that’s how I feel about that, and I think there is significant risk involved when you can’t, to your point earlier, guarantee from a cradle-to-grave perspective the transmission patterns, the activity, the behavioral patterns, so on and so forth associated with a given host or given set of hosts or thousands or millions of hosts, right? I think that’s important, and I think that’s really a point of concern.

Amrit Williams: Hold on one second. I don’t want to turn this into a Cloud computing secure/not secure debate at all, because I think that there’s plenty of people doing that out there and I think they all make strong arguments.

I think your points are very well-taken. Ultimately, the thing that organizations need to consider and the fear that I think many have is that they will move to Cloud computing and start adopting these technologies where they lack a level of visibility of control, because they feel that it will save them a lot of money and will allow them to turn over and acquiesce sort of, you know, a level of knowledge to these third parties.

The thing that I don’t think that they realize is that sometimes these third parties do not have any more intelligence around how to secure a network than they do themselves, even though they may claim to or advertise that they do.

Will Gragido: Absolutely.

Amrit Williams: So it is a very sticky situation.

(00:04:56)

But I want to pose something else to you guys. You know, it’s interesting that as we talk in the security industry, everything that we’re doing for the most part is a reaction to something that’s occurring, and inherently everything that we’re building on top of is foundationally insecure. We use insecure operating systems, we use insecure Internet and routing infrastructure, and we try to add security post fact.

And I think the thing I’d like to drill into a little bit with you guys is, it seems like what we’re doing as an industry is just simply accepting the insecure infrastructure and then trying to secure it after it’s deployed, as opposed to proposing new paradigms for computing and revolutionary new ways that we can look at different computing models to very significantly limit the attack vectors and start gaining control back of the computing stack.

So have you guys — I mean, I have some thoughts on this; I don’t want to dig in too much on my own side, but have you guys looked at, thought about or have some ideas around how to get around this problem, because everything that we always talk about is, “Let’s add this other technology” or “Let’s add these new processes” or we’re keeping the computing stack the same; we’re just adding more stuff around it to protect ourselves.

John Pirc: Yeah. No, I think that’s a good question. I mean, what I want to talk to you about now is I did a presentation in Stockholm at SEC-T on “Assessing the Risk of Cloud Computing” and, I mean, you bring up a good point. I mean, we’re constantly building upon this insecure stack, right? And when we start looking at some of the risks in the Cloud, you look at – you need, Bob, some of the vendor trust, legislative boundaries, you have web threats, data leakage, you have shared infrastructures. You know, how does security play into that? And when you start looking at security from a Cloud perspective and kind of building a model, what would that model look like?

Obviously, when you look at Cloud, you know, we live in a worldwide spectrum of the Internet, right? So we have a ton of international standards, right? For example, you know, doing Cloud computing in Luxembourg if you’re a financial organization, that Cloud has to physically reside in Luxembourg, right? Otherwise, there’s a lot of inherent law that you’re going to break, et cetera.

So I think understanding the international standards as they apply to where the Cloud is being served, you know, availability; making sure that there’s a web security model tied into that, right, because when we look at the telemetry of the attack landscape, I know we talked some of that in the previous podcast; but when you look at the web browser, a lot of the Cloud from a SaaS perspective, for example, is being delivered through the web browser. And then you start looking at the whole notion of data-leakage prevention, what are you putting up in the Cloud, right? Is it mission-critical data? Is it day-to-day operational data, et cetera — but, you know, knowing that there’s mechanisms to protect that data, tag it and allowing it, you know, to either stay or be within some sort of landscape of trust.

And then the whole notion of isolation of technologies, when you start looking at the Cloud and diving in a little bit deeper, a lot of them are using virtualization. So where I’m being hosted in this virtual Cloud in terms of virtualization, you know, it’s great that I’m sharing the same bandwidth, all the utilization of resources, which is a great thing about virtualization; but am I sharing that physical sandbox with somebody else, and what are some of the isolation technologies that are there? And when you look at this, I mean from a client perspective, I mean, you have less control; and then we start talking about compliancy in the Cloud, you know, how does that hit?

So I think when we start looking at, you know, what are some of the models that can be put together when we start looking at Cloud, I think is again understanding the national standards, understanding availability, you know, web security, data leakage and isolation technologies are key; and then understanding, you know, who owns the data.

So I know from a security perspective, there is absolutely no silver bullet; but I think by addressing some of these key areas that I talked about, I think you could start building that model around that that will address, you know, some of these risks that we see.

Will, do you want to add to that?

Will Gragido: Yeah. You know, following up with what John said, you know, obviously applying a greater degree of due diligence to the actual architecture of networks and systems is important. I think it goes fundamentally lower-level than that. You know, we all collectively share in the pain, as well as the reward of our industry and our space as a result of fundamental efficiencies present in code development. It’s not a secret.

(00:09:51)

Coming from a former auditing background and assessor background and still doing that work today, SDLC has always been a problem and continues to be somewhat of a bugbear in the industry. I think that until we reach a point – and this is what we need to advocate on behalf of, and there are initiatives out there, like Rugged, for example, which some folks are pushing today calling for a more secure, a more ubiquitously secure approach to code development and design – but until we achieve something like that, regardless of your industry and regardless of the sector in which you find yourself in, then I think we will continue to be faced with challenges like the ones we are discussing.

In my mind, it all begins and ends with code and developmental platforms, if you will. And so until we start to see a fundamental mind shift occur in intent to deliver products or services, regardless of what those products or services are – whether it’s a financial application, whether it’s, you know, a word-processing application, you know, whether it’s an image-rendering base system, whatever the case may be — until we see a change in philosophy and really also an epiphanous type of realization that, you know, the longer we push out insecure or half-baked code, right, in order to meet deadlines, in order to meet our sales directives, in order to meet the street if we’re public or, if we’re not public, just to meet our own individualized sales goals as corporations or whatever the case may be, the longer we continue to do that, the longer we will incur pain.

So I think it really needs to be a campaign really of advocation of starting at the beginning; certainly not leaving things to just kind of dangle in the wind; certainly taking into consideration the need to adopt strict, sound, comprehensive, standards-based architectures and frameworks that are both operational and as well as philosophical, but also taking it down to the lower level and saying, you know, again, our code is really the beginning of the end. If that’s not secure, nothing will be secure.

Amrit Williams: I don’t disagree with you at all, Will, and I’ve been a big proponent of secure software development or using security and interjecting security methods inside of software development for a while — it’s one of the areas that I covered when I was at Gartner — one of the challenges is that developers are still bounded by the platforms that they code within.

John Pirc: Yeah, right.

Amrit Williams: And so even if we get to a point of, you know, definitely materially impacting the security of developed code throughout web services or on top of the OS, we still inherently have an insecure infrastructure that’s being coded on top of.

But I definitely agree that awareness does need to be raised, and we definitely need to deal with that. And what’s really — what I do appreciate is to folks like you and others like Corman and his guys, which are actually going to come on pretty soon here to talk about Rugged, are trying to drive that message.

Did want to switch back a little bit to John’s point about isolation, though, because I think this is a concept that many people don’t understand. And if you look at even some of the very sophisticated and even targeted malware threats that have been identified forensically, even in those cases where you find some very sophisticated targeted malware, in a lot of cases the attack vector that they used to propagate that malware was very basic, all right?

John Pirc: Uh-huh. Absolutely.

Amrit Williams: And in a lot of cases what they did is they exploited the human to commit some action through the use of clicking on an email or visiting a site, and in a lot of cases, you know, there’s some type of infected iFrame, so they’re visiting what is an uninfected or legitimate site and there is a dancing cowboy ad on CNN.com and, you know, they’re infected.

(Laughter.)

Amrit Williams: So the thing about isolation and where I think computing really needs to change here is, you need to isolate the user’s habits from the corporate resources; and it’s a very difficult thing to do in the current OS environment, but there are technologies that we’ll see coming out over the next three to five years that will hopefully radically change that.

But this concept of isolation, this concept of securing code in the beginning, these are two concepts that we definitely need to drive further in the security industry and help the rest of technology and the business understand what that means and how they can actually adopt and take advantage of those things. And it’s a little bit unfortunate that we’re always looking back and not talking more about some of these things that people can adopt today.

John Pirc: Absolutely.

Will Gragido: Yeah. I know, I totally agree with that. I mean, when you start looking at multitenancy, I mean, and having isolation I think is key, and when you start looking at it from a Cloud perspective – I mean, it’s, you know, isolation with inside the Cloud: CF10 and security management, controls of privileged user access; you start looking at even image security: so, you know, isolation and location of security policies; virtualization security, so isolating your virtual instance, the integrity of that, et cetera. I think in going to the Cloud, this whole notion of isolation and multitenancy is huge, and how do we solve it.

And as you just mentioned, I mean, there are technologies I think that are coming down the pipeline that are going to follow that and be more effective. But to your point, Amrit, I mean, it does all come down to code, having secure code. Otherwise, we probably wouldn’t be having this conversation right now.

Amrit Williams: Well, actually we would (laughing) …

(Laughter.)

Amrit Williams: … because even if code was secure, someone, somewhere is still going to click on an email because they think somebody really does love them, and unfortunately the OS that that someone is sitting on is not secure itself.

Will Gragido: Yeah.

Amrit Williams: But, you know, you guys make some really good points.

Guys, I really appreciate you joining me today. I want to make sure that the folks listening have an opportunity to reach out to you guys. So if you could, Will, if you could state how they get to Cassandra; and then if you could both sort of state how folks can find you on the Net and reach out and talk with you if they’d like to get more information?

Will Gragido: Sure. Well, we’re available at www.cassandrasecurity.com, and they can reach me directly at will@cassandrasecurity.com.

John Pirc: And this is John. I mean, you can reach me at john@cassandrasecurity.com. You can follow me on Twitter, as well, so just search for “jopirc” and you can follow me.

And again, thank you so much for having us today.

Amrit Williams: Oh, you guys were great guests; I’m really glad that you guys were on. Thanks very much, I’ll have you back on again; hopefully, you guys will join.

Will Gragido: We look forward to it.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
