Episode 81: Moving Security and Management Outside of the OS

Amrit Williams, BigFix CTO, discusses how enterprises can move security and management facilities outside of the OS with Chad Jones and Bill Corrigan of Neocleus.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Bill Corrigan, CMO with Neocleus, and Chad Jones, VP of Product Management. Guys, thanks for coming back and joining me today.

As we were talking a little bit, in the last podcast, we were talking about various types of virtualization technology, client virtualization technology specifically, and I wanted to drill into this concept, because I think a lot of people are having a hard time understanding this. What exactly is the benefit of abstracting technology, systems management and security management technologies outside of the OS? This is my main area of focus, and has been for almost a decade, dealing with security problems and dealing with operational problems, especially in a large enterprise.

As I stated in the last podcast, we have really hit an inflection point, especially as it relates to security. We are completely overwhelmed. We are in an environment where we have extremely sophisticated, very well-organized criminal organizations, state-sponsored espionage, on and on and on, that are infiltrating our computing devices. They are writing targeted malware against our nation’s infrastructure, whether they be commercial, public, or private. I know I deal with defense contractors that basically go through an OS re-imaging exercise basically on a quarterly basis; I mean, we are under attack.

Quite honestly, nobody has a good answer to deal with this, and I think the main problem is that for the most part we are completely beholden to the integrity of the Operating System and the bad guys know how to attack the Operating System.

We have been seeing for well over a decade these sophisticated attacks. I mean, it was over seven years ago where we saw the viruses, basically three-stage attacks. The first stage is a very lightweight mechanism that is able to get on to the computing device and it basically performs a quick scan and it determines what are the configuration, what’s the state of the machine, and what are the protection mechanisms in place.

And if you happen to be running a specific type of endpoint security technology, it then pulls down another set of software so that it can bypass and hide itself from those endpoint security technologies. And then once that occurs, it then implements the back doors that enable the bad guys to take ownership of these computing devices. The problem is untenable.

And if we continue to place these tools inside of the Operating System, we will not win, because the bottom line is that we are not going to radically change the Operating System any time soon.

Props to Microsoft, they do have a great SDL process in place; they are making radical improvements to how they develop software and implement security as part of the process. But fundamentally, they have to balance user experience, productivity, and all the glitz and the glamor that is in Windows UI over the inherent security of the operating software itself, and Windows 7 is no different. So there are incremental improvements, but it doesn’t change the paradigm.

What does this mean? This means that if you are relying on technologies to sit inside of the Operating System, you have to make sure the Operating System itself has not been compromised, and that is just not something anyone today can do.

So you guys have been talking about Type 1 client hypervisors, PC hypervisors that abstract technology and capabilities outside of the OS. It’s not relying on the OS; it’s completely isolated from the OS operating environment itself.

When we first sat down and talked about this a couple of years ago, I thought to myself, you look at PC hypervisors, they seem to offer us a route out. They seem to offer us a viable alternative to the never ending hamster wheel of pain, death, and multiple agents, and management infrastructures people are having to deploy.

So what I want to talk about a little bit more is what that means and how is that done and how Neocleus is helping to facilitate that. Because I think a lot of people when they hear this, they go, yeah, I could see that, I could see how that could benefit me, but doesn’t that create a whole level of new management problems for me?

So guys, what I am proposing here is that we have a discussion about what it really means to change the current client computing paradigm to abstract the tools away, the massive tools that we have, and put them in an abstractive layer.

Just real quick before we go into that. So when I was at Gartner, there was a time when you had two, maybe three agents, and you had an antivirus agent, and you had something to do with patch or configuration management.

It’s not uncommon to go into an environment right now and find 5, 8, even 15; I was at a company the other day that had 23 separate agents running at the endpoints to do all manner of things, everything to address compliance, to address security, and to address systems management. And every single one of those agents will completely die, crumble, and not work if the Operating System is compromised by these sophisticated bad guys or even just an operational failure.

So I see tremendous promise in a path that leads us out of being slaves to the Operating System. If we can abstract systems and security management tools into an environment that is isolated and segmented away from the OS, I think we have made a material impact on the security of Operating Systems and our critical infrastructure.

So I know I ranted a while there guys. I needed to get that off of my chest. I want to talk to you guys about how Neocleus provides that environment and some specifics about what Neocleus is building, because it’s more than just a Type 1 hypervisor, right?

(00:04:59)

Bill Corrigan: Definitely. The other thing too is, when we are out talking to a lot of the government accounts and a lot of Wall Street firms, one of the big trends that we see in security vulnerability is the fact that people attack the perimeter far more than they try to even remotely attack the actual data center now. They have just realized, it’s so much easier to hack into somebody’s laptop or somebody’s desktop than to try to attack. So we see the perimeter, the devices, being the number one area of security concerns for both government and commercial accounts, going forward.

Amrit Williams: Sorry to interrupt you, but I just want to get one point across here so everyone understands. The perimeter is now Starbucks. The perimeter of your organization is now the airport. The perimeter is now the hotel and your employees’ homes. Your enterprise perimeter as you thought it was in 1999 is gone. So the endpoint is the new perimeter, which is essentially your point, right Bill?

Bill Corrigan: Exactly, yeah. And I will just let Chad talk you through some of the concepts of moving the security and management facilities outside of the OS, because it’s definitely near and dear to our hearts.

Chad Jones: Yeah, absolutely. In fact, you got me excited on your rant there. It’s absolutely a transformative potential here with these types of technologies. If you look at virus protection in general and malware and those types of things, it really falls into two kinds of categories. It’s prevention and remediation.

First of all, in the prevention side, right now when you have security tools that are inside of the Operating System itself, it actually has, first of all, a lot of overhead, looking at everything that’s going on, their security concerns; Windows can get in the way. You need to understand what’s white listed, what’s not, if you even have that technology as part of your antivirus.

You need to be able to have a signature that understands what is a virus and what’s not. And some of the behavioral approaches to actually looking at some of the viruses are very incomplete at best. And of course not to mention that the virus is now running almost in the same security context as parts of the antivirus are as well, so they can actually get to attack it, look for that particular antivirus. If it’s a particular type maybe, morph itself to try different attacks. I mean, these are all things that are part of that ever escalating arms race between protection and the actual viruses themselves.

But when you start to pull the antivirus outside and you are able to look back inside of Windows from outside, first of all, there is not a path that a virus can take to actually be able to see the antivirus outside. They don’t know it’s there. They are looking for the process inside of the Windows, process list and those types of things. Unless of course it’s a Blue Pill, which tries to slide a rootkit down or something. But even then, antivirus that’s outside of the Operating System can harden the floor, if you will, so that those rootkits can’t take hold, because you already have something there that’s monitoring and protecting that level below the Operating System.

You can also consider things like a zero-day attack on a couple of levels. First of all, when you look from the outside back into the actual Operating System, from an antivirus standpoint, there is different behavior that happens from a virus that’s more clear to the antivirus when it’s external, than getting confused with some of the things that can be looking at when it’s inside of Windows. It can see certain patterns, where maybe a polymorphic virus, a task gets killed and it pops up under another name, they can look and track those things.

Plus, they have unprecedented control then over that Operating System instance. They can pause — an antivirus outside of Windows can pause Windows and do cleanup and things like that without having to — if you pause Windows today, the antivirus gets paused. With the antivirus outside, being able to control that point is something that’s completely new.

Now, of course, signature based updates and all those types of things are definitely a problem in zero-day attacks. Having the antivirus outside and doing different behavioral approaches, combined with white listing, can actually really give you a level of protection that’s unseen. But nothing is ever perfect.

So that’s where it takes me to the remediation side. So on the remediation side, let’s say a virus does get in; today, without this type of technology, the disk image becomes corrupted by that virus. And you know Amrit, to your point, there are very subtle attacks now. They are not the old attacks where they put an evil face on top of the screen and try to delete everything, it’s much more insidious than that. Now viruses go in and try to hide themselves so that they can keylog and capture logins and get data and those types of things, which is a far more intrusive and destructive action, but it’s less in your face and it’s tougher to see if your antivirus doesn’t catch it.

(00:10:07)

But what normally happens is that when you catch that virus and it’s finally known, no one remediates those things. They actually end up re-imaging the entire system to make 100% sure that that virus is eradicated, because if you miss that one little Browser Helper Object and you relaunch IE and it reinfects the whole system, and that happens inside your network and it starts to spread, you just can’t take that chance.

Again, what happens with that user at Starbucks, has to go in a meeting, all those types of things. Those are problematic and very costly.

So with a Type 1 hypervisor approach, especially with something like Neocleus, you are able to put a protective copy-on-write layer that sits in between the executing Operating System and the actual Windows image. So you are creating a Windows trusted image.

That virus comes in, and for some reason that agent, the external antivirus or even internal or both, can’t catch that. Well, as it populates itself, it’s actually only populating itself to the copy-on-write layer. It’s not able to pass through and actually corrupt that trusted Windows image.

So that when it’s discovered there is a virus, you can simply stop the OS, take that copy-on-write layer and export it for later analysis, but pull it out of the system, put a blank copy-on-write layer, and restart the OS, and you are right back to a known good state with the OS, at 100% level, without having to re-image. And you can do it within a couple of minutes, one reboot, those types of things. Even if you did it remotely through an API with the antivirus, or if the client did it themselves when they are sitting at Starbucks, and they are off and ready to go.

Amrit Williams: So hold on Chad, I just need to stop you for a quick second here, because I think that there is going to be a lot of skepticism, especially from the security conscious world, because the first thought is going to be that we are introducing a new attack vector, that somehow now we are increasing the attack space.

And I definitely appreciate everything you just said, I am in complete agreement, but I wanted to focus on this while we had the time, which is, I have had some conversations with folks who say, yeah, yeah, yeah, whatever, this is just like — I know, I have a new way I can get in and on the machine.

This is the reality. There is really no shortage of ways for a malicious actor to take ownership of the current Operating System. It really is not terribly difficult for me to come in through the application stack or through the web browser, for me to inject some type of really sophisticated back door rootkit on the Operating System itself. The Operating System is just not designed to do that type of segmentation today. It’s better, but it’s not the ultimate.

So when posed the question, okay, fine, I believe everything you are saying, but you are still introducing yet another attack vector. The difference, I think, people need to be aware of, and I want you to talk a little bit, some of the technical details about this is, we are not introducing another attack vector if we go down this route, what we are introducing is a very, very lightweight, hardened, small operating environment, that has a lot of protection and security mechanisms around it to prevent it from being exploited.

So we are not doing — if anything, this is neutral. It’s not a negative. Meaning that we are not increasing the potential for attack vectors, we are reducing the potential for attack vectors. Because the reality is, most people are falling prey to the less sophisticated stuff. That doesn’t mean that, like you said, it’s not total security, nothing is 100%. The only thing we can do in security today, and probably for the foreseeable future, is we can limit the possibility of exploit by reducing the attack vectors that people know about, and when something does occur and we are compromised, that we return to homeostasis and we limit the impact on the environment.

So you mentioned a couple of things there. The ability to very quickly take a snapshot of a golden image, launch that golden image, have people mess with it, it becomes compromised, and you can very quickly just blow that image away and bring up a new one very fast. I mean, this is one of the benefits of virtualization.

The other is, what type of security mechanisms does a hypervisor, a PC hypervisor, especially those from Neocleus, provide to limit the possibility that it itself can be exploited? And of course everything can be exploited, but what type of mechanisms, and obviously, don’t share anything that is confidential or private, but at a high level, what type of things would a PC Type 1 hypervisor do to prevent itself from being exploited in the same way the normal Operating System would?

Chad Jones: Right. And that’s a really good question, and again, that also goes back to the requirements of a client hypervisor as well over a server hypervisor, because again, as you said, the attack vectors and your new perimeter of the enterprise is really Starbucks or your home, wherever you are taking your laptop these days.

First of all, when I have a client OS today, there is nothing preventing rootkits from getting down. There is nothing that’s looking from the bottom, from the floor, if you will, and having a preventative mechanism to harden that floor so a rootkit can’t dig down and put itself underneath the OS.

(00:15:05)

When you are putting the thin layer of protection underneath it, number one, it’s hardened and it’s specifically only serving the function of the management and security platform and APIs, and that’s something that runs in a trusted execution environment. It’s fully locked down. So those are signed and trusted entities running inside of that client hypervisor platform.

You then also have a hardened floor then, so that if something tries to come down, there is already — if a rootkit tries to come down, there is already a piece of software that’s running and active, that’s sitting underneath the OS, that could say, hey, I know something is trying to write to the master boot record or it’s trying to lay down the rootkit foundations underneath the OS, and that’s a different visibility into that type of activity that you don’t have while you are sitting inside the OS. So that gives that external environment the ability to say, stop whatever that process is doing till it does whatever. Pause the OS.

You could get to a point where you say, hey, if I just don’t know what’s going on, send the OS into the panic state where it says, pause it, boom, done, there is just something that’s not right. You need to call IT. I mean, those are things that give you that next level up.

As far as that next attack vector, it’s specifically and expressly built so that it is that hardened floor, so that nothing can go through that, Blue Pill can’t get through, and providing, again, a very locked down execution environment to ensure that nothing is going to mess and take over with those agents.

Now again, there is security through obfuscation, which isn’t the best approach to security, but you couple that with a very hardened approach, built by some very security savvy people, and that definitely leads to a more positive and secure environment.

Amrit Williams: Chad, I really appreciate that. Guys, I really appreciate you joining me today. I can’t wait to have you guys back on to the podcast so we can drill into a couple of more things, like why Neocleus and not VMware or Citrix, and what are these guys doing about Type 1 hypervisors, and how ahead of the pack are you guys, and what are we doing together. So I really appreciate you guys joining me today. I think this was an incredibly helpful conversation for those new to the concept and the topic.

I also did want to put a disclaimer out there. For those listening to the podcast, I am the Chief Technology Officer of BigFix. BigFix is an enterprise systems and security management vendor. We provide systems management and security software to very large enterprises. We do have an OEM relationship and an agreement, a partnership agreement with Neocleus to deliver Type 1 hypervisors and the Neocleus NeoSphere management framework that sits on top of it, integrated, fully into our BigFix platform.

That being said, I do personally and my company does feel very passionately that this is the right move for the industry to go in. So it is okay that I speak this way. I just want to let everyone out there know who is listening to the podcast that that disclaimer is there, and to understand that as they go through and listen to the podcast.

Guys, I really appreciate you coming here. Thanks a lot. Will talk to you soon.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
