<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Beyond the Perimeter  &#187; Podcast</title>
	<atom:link href="http://blogs.bigfix.com/beyondtheperimeter/category/podcast/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.bigfix.com/beyondtheperimeter</link>
	<description>with Amrit Williams</description>
	<lastBuildDate>Mon, 15 Mar 2010 16:24:21 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Episode 80: Finding the &quot;So What&quot; of Virtualization</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/03/12/episode-80-finding-the-so-what-of-virtualization/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/03/12/episode-80-finding-the-so-what-of-virtualization/#comments</comments>
		<pubDate>Sat, 13 Mar 2010 04:13:03 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/03/12/episode-80-finding-the-so-what-of-virtualization/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses current limitations and new possibilities of virtualization with Chad Jones and Bill Corrigan of Neocleus.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Bill Corrigan, CMO of Neocleus, and Chad Jones, Vice President of Product Marketing. [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses current limitations and new possibilities of virtualization with Chad Jones and Bill Corrigan of Neocleus.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-263"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Bill Corrigan, CMO of Neocleus, and Chad Jones, Vice President of Product Marketing. Guys, thanks for joining me today.</p>
<p><strong>Bill Corrigan:</strong> No problem. I am glad to be here.</p>
<p><strong>Chad Jones:</strong> Thank you Amrit.</p>
<p><strong>Amrit Williams:</strong> So just a little background on you guys. Bill and Chad and some other members of the team were with a company called Softricity, and Softricity provided virtualization technology that was acquired by Microsoft in about the 2006 time frame. A good chunk of the team went over to Microsoft and a lot of you guys left recently to join a company called Neocleus.</p>
<p>And Neocleus, which we will talk about in a little while, basically provides a bare-metal, Type 1 hypervisor technology and a management framework on top of that and some pretty exciting stuff.</p>
<p>Before we dig into that guys, I know virtualization in general, especially client side or client virtualization, is a very needy topic. There are so many different aspects of that. So let&#8217;s start by providing the audience just a quick high level cliff notes, a primer on what is desktop virtualization and what are the various permutations. If you guys could just take the audience through, this is what people mostly think about what desktop virtualization, the VDI Models, talk a little bit about the Type 2 style, and then drill into, what does Type 1 mean?</p>
<p><strong>Bill Corrigan:</strong> Sure. I will start it and then I will turn it over to Chad. Yeah, so there is multiple levels of virtualization on the client. At Softricity, we approached it purely from an application virtualization perspective, which was putting a layer in between the applications and the Operating System, so that applications did not conflict with each other.</p>
<p>We were able to solve a lot of problems with that, but we also saw there were other additional problems that haven’t been solved. Some of them pertain to abstracting the Operating System away from the actual hardware, and that&#8217;s sort of what we are doing now.</p>
<p>There are two flavors of that. One is called Type 2, which is basically when you have an installed Operating System sitting on the bare-metal and then you install a program that is a Type 2 hypervisor, like a Parallels or Microsoft Virtual PC, and then you run an Operating System as a guest inside of that.</p>
<p>Then there is Type 1, which is what we have been focusing on at Neocleus, and that is bare metal. That is, underneath the Operating System, you put on a thin layer of technology called a hypervisor, and then you are able to run multiple Operating Systems on top of that.</p>
<p>Some of the OSs may be a very small little OS that doesn’t even have a face to the user, so it could just be a small little Linux Operating System or it could be two full blown copies of Windows. You have a lot of different choices there.</p>
<p>A lot of people have talked about client virtualization and they equate it with what&#8217;s called VDI or Virtual Desktop Infrastructure. VDI is basically the next generation of terminal services which is remoting of computing. So the computing is happening in the data center. You are basically taking a picture of that computing environment and presenting it at a presentation level or layer to the end-user on a computer, whether it&#8217;s a thin client device or a thick client device.</p>
<p>So we are very much &#8212; we see a need for VDI for certain aspects of computing, but that&#8217;s not really where we have been focusing on, we have been focusing on solving a lot of the client management, client stability problems, and user stability problems that we see on the client, on the thick client, so being able to use that Type 1 type of virtualization.</p>
<p>I will turn it over to Chad to take it a little bit further.</p>
<p><strong>Chad Jones:</strong> Sure. Amrit, if you look back at the history of virtualization, virtualization is really the abstraction of computing resources from each other so that you can easily move them around, group them together in logical units, and gain functionality with a much higher level of management.</p>
<p>You look at server virtualization that happened on the data center side, and really the hypervisor being introduced was a revolution in how the data center was being able to manage. Instead of individual servers on a one to one basis, you end up having consolidation of multiple servers into one physical box, that&#8217;s great.</p>
<p>But a lot of the benefits in TCO really showed up when you started to be able to apply management capabilities to those servers, being able to easily move around virtualized server entities across different physical servers and count them, inventory them, do backup and disaster recovery and all those types of things.</p>
<p>When we look at the client side, the need for that same type of capability is an even more prevalent problem, and being able to deploy Operating Systems as a simple file, like you did on the server side, all those things can extend to the client side as long as you have the management capabilities to be able to do that.</p>
<p>And at Neocleus, really we are looking to help bring that along. But virtualization is the key here that allows all levels of management to become to that next evolved level.</p>
<p>(00:05:02)</p>
<p><strong>Amrit Williams:</strong> Let me do this. Let me abstract the conversation itself to a higher level, because I think a lot of people may be listening to this that are not familiar with virtualization and they may be thinking, yeah, yeah, I get it, virtualization provides me a lot of benefits on the server side, that it&#8217;s about consolidation.</p>
<p>But consolidation is not really a killer app for virtualization on the desktop side, I think the killer app that people are looking for is standardization, and through standardization they get more effective, more efficient cost reduction, and on and on and on through systems management and some of the things you talked about, the better ability to effectively control these abstracted resources.</p>
<p>Why do we care? And I would like to pose something out there, which is from a different perspective, my background is in security and operations. I have spent a lot of time, almost two decades now, looking at the evolution of security threats and security impact on large enterprises, as well as how they deal with those on a systems management side, and I think one thing is pretty clear, the current computing paradigm is broken.</p>
<p>The reason I say that is because we continue to put more emphasis on more tools and more technologies and more methods to improve security and to maintain the health of computing systems, but everything is beholden and a slave to the Operating System itself. We rely on the integrity of the Operating System for these tools to function. If I compromise the OS, if I install a rootkit, then no manner of endpoint security technology is going to bypass or prevent me from basically owning the box. And there is a direct correlation between the Operating System and the device hardware itself.</p>
<p>So what really attracted me to the Type 1 client virtualization technologies is the ability to abstract management and security technologies outside of the Operating System. It means that it doesn’t matter what happens to the Operating System itself, if it has been compromised, if it has had an operational failure, you still have, as an IT organization, out-of-band management, you can still look at ingress and egress traffic, you still have control of the device, no matter what state the underlying Operating System resides in.</p>
<p>So I want to talk about two things real quick. One is, I imagine what a lot of people who aren’t that familiar with virtualization would say, so I don’t get it, what&#8217;s the difference between a server virtualization and client virtualization? Can&#8217;t you just take a server hypervisor, like Hyper-V or VMware or Citrix and just put that on a PC and make it work? And we know you can&#8217;t do that.</p>
<p>Why don’t you guys talk a little bit about the difference between and the requirements for PC hypervisors and server hypervisors in the context of, really, you are not doing consolidation of computing resources, like you are not going to run 12 OSs on a PC. That&#8217;s not the point. So there are different demands on what that hypervisor provides, and I want to get you guys to provide the audience a little bit of feedback on what&#8217;s the difference, what&#8217;s the real key to PC hypervisors?</p>
<p><strong>Bill Corrigan:</strong> Yeah, absolutely Amrit, you made some really good points there. From a management standpoint, it is a little crazy to think that the management of Windows is actually done from inside of Windows in and of itself. I mean, that&#8217;s kind of like the surgeon trying to operate on himself and fix himself. I mean, it just doesn’t really work out that way.</p>
<p>But really hypervisors provide that extra layer, where you can provide a management system outside of the OS and gain those types of benefits, certainly in security as well.</p>
<p>But you are absolutely correct, the differences between a server hypervisor and the requirements of the client are very different things. On a server side, you have a very limited amount of devices that you have to deal with. Video performance really is of paramount importance when you are thinking of an exchange server or any other type of server that&#8217;s out there.</p>
<p>Servers don’t have lids with monitors in them. They don’t sleep. They don’t have five million devices, the random Logitech Camera that you have to plug-in. Those are all things that a server hypervisor just does not have to deal with. They have device models inside of server hypervisors that are focused around emulated drivers, which is creating hardware and software, so that you have a generic driver set and you can move those servers around, no problem.</p>
<p>But then there is also a requirement to have a little bit higher level performance in some of those drivers, and that&#8217;s where a paravirtualized device driver model comes up on the server hypervisor side as well, and that&#8217;s where you need a Linux driver coupled with a Windows driver, they work together to be able to give you a higher level performance with those devices.</p>
<p>Now, on the client side that&#8217;s problematic, because on the client side you already have tens of thousands of PCs in some of these enterprises that are already deployed, number one. Number two, have over five million possible devices that can connect to them with their associated device drivers, and those are things that need to be taken into consideration when you roll up a hypervisor.</p>
<p>So the emulated device driver model on the client side is difficult, because an emulated device driver pretty much dumps everything down to the lowest common denominator.</p>
<p>(00:09:59)</p>
<p>So to give you an example for that, every mouse has at least one button, but not every mouse has five buttons. So if I use an emulated device driver model, well, I am only going to get to use just that one or two buttons on the mouse, not all five of those buttons.</p>
<p>So really a lot of the value in an OEM device is expressed through the device driver. If you don’t have that device driver working, well, then you are not going to get the full value of that device.</p>
<p>Now, the next part of that is that the paravirtualized model on the client side is also problematic, because you need a Linux back-end driver coupled with a Windows front-end to make those things work. And yeah, you get better performance and more specific capability, but you still have to maintain that Linux driver and that Windows driver that&#8217;s different than what comes from the manufacturer themselves. There&#8217;s not a lot of Linux drivers for all of the devices that are possible on the client out there.</p>
<p>So those things are problematic when it comes to dealing with the device drivers, but there is a third option out there that actually Neocleus is really focused on, and that&#8217;s called PassThrough Virtualization. So that allows the native device drivers and the Windows device drivers that come with the devices right out of the box to actually work inside of Windows, pass to the hypervisor, and still control those devices as they natively would if the hypervisor wasn’t there.</p>
<p>So now you are really being able to still maintain all of the devices that you want to be able to use, all five million of them, and be able to use the native drivers and get the performance without having to do anything special. That&#8217;s a very big importance to note when you are looking at the client side, that you just don’t have as an issue on the server side.</p>
<p>You then look at all the rest of it with power management, how you deal with lids and sleep and all of those types of things, and those are all very specific to the client and very different from the server.</p>
<p><strong>Amrit Williams:</strong> There is one really big one, this concept of PassThrough, and how important this is. And let me break this down to the guys in the audience, because I know many of you listening to this podcast like to play video games, you like to watch movies.</p>
<p>Well, guess what? If you are using Windows 7, for example, you want to do 3D modeling, you want to play Counter-Strike, and you want to watch a high quality DVD, you are not going to be able to do that with a generic video card driver, you are not going to be able to do that if you are trying to emulate or paravirtualize some type of generic video card performance against a high end video card. So if you want to do that you need PassThrough, and that to me is one of the major keys here.</p>
<p>And if you look at server virtualization, you really don’t need video card performance and a lot of the other things Chad talked about, because most of that stuff is executing on the clients, it&#8217;s not executing on the server. Most people are not playing Counter-Strike on their servers, well, not all people, I know some of you do, but most people don’t.</p>
<p>By the way, am I the only one who still plays Counter-Strike, is it just me, because I love that game, but maybe it&#8217;s just me.</p>
<p><strong>Bill Corrigan:</strong> I have Unreal Tournament, Game of the Year still.</p>
<p><strong>Amrit Williams:</strong> So PassThrough. Can you dig into PassThrough and what that means and why it&#8217;s so darn difficult, because I mean, you are talking about something here, which is you are abstracting hardware from the OS through a hypervisor, but then you are trying to allow and gain the same performance you would get so that the end-user doesn’t know. At the end of the day, the end-users should know whether they are sitting on a hypervisor or not, and if they have a high end video card, they need to be able to use it. So talk a little bit more about PassThrough and what that means.</p>
<p><strong>Chad Jones:</strong> Sure. So PassThrough really, as you said, is critical for all of the performance reasons you are talking about, and for especially the cases that you can&#8217;t even imagine. So those USB picture frames that do the rotating pictures that you get randomly for Christmas, I mean, you want to be able to plug those in and have those work. Well, PassThrough is a big part of that, because you want to be able to have that random driver be able to work, without having to worry about anything special.</p>
<p>So in PassThrough, the native Windows driver is still being used and still shows up inside of the Device Manager. When the calls are made down to the hypervisor, they are allowed to pass through the actual hypervisor itself, and those calls are making the control points at the devices directly.</p>
<p>So they are still hitting the same memory mapping points. They are still able to &#8212; you have every type of button and all those types of things and the devices actually work without any special drivers.</p>
<p>The detection inside of plug-and-play inside of Windows as well, fully works with PassThrough, and you can see when you plug in that new USB device and its actual identifiers, so that you can go out to Windows update and get the right driver. That system remains intact.</p>
<p>So that means that when I take an OEM laptop right out of Staples, let&#8217;s say, and I want to be able to apply the management of a hypervisor underneath, well, you don’t have to call the IT group and say, oh, I have got this new Dell system I got from Staples and then list off all of the different devices and have to switch those things out. No. IT doesn’t have to worry about that. You simply install the hypervisor, the same Windows device drivers continue to work, and those devices work as they would before.</p>
<p>(00:15:05)</p>
<p>And it&#8217;s a completely transparent operation to the user, which as you said Amrit, it really should be. It&#8217;s about managing in a way that helps IT without being intrusive to the user and PassThrough is specifically key to that.</p>
<p>There is one other side to this as well, and there is a whole emerging movement in part of business that&#8217;s looking at this, bring your own PC model, where you can pay a user to bring in their own PC and then have a secondary work environment, is some of the things these enterprises are talking about.</p>
<p>Well, if you are allowing someone to bring in their own PC, you can&#8217;t go through and mess with all the device drivers and all that sort of stuff, and why to replace the system and all of that, because that&#8217;s that user’s personal environment that you are adding on to. With PassThrough, you are able to allow that environment to remain intact and then add on additional business things in management without being intrusive.</p>
<p><strong>Amrit Williams:</strong> You mentioned something very interesting and I am going to get to that in one second. I want to refresh everybody here with the different types of client side virtualization. You have VDI, which I think most people are familiar with; this is what VMware and Citrix have been pushing primarily. This is really the next evolution of terminal services. It&#8217;s basically remoting an OS to a device, and it could be a thin client, fat client, almost doesn’t matter.</p>
<p>Very inappropriate for large scale, highly distributed environments, very inappropriate for your knowledge worker who requires PC, computing power. Pretty much inappropriate for anybody who still wants to play Counter-Strike.</p>
<p>The second method is what we referred to as a Type 2 hypervisor, and essentially this is very similar to what XP mode is inside of Windows or VMware Fusion or Parallel, something like that, or Virtual PC from Microsoft. This is basically, you still require the OS to have the integrity to be operational, and you put a virtual container inside of it. This is very similar to workspace virtualization or even what application virtualization is. You still require the OS to be operational and you are providing a virtual container to it.</p>
<p>Then there is what we have been talking about, which is the Type 1, bare-metal client side PC hypervisors, which is a hypervisor layer that sits on top of the hardware. It does not require an Operating System to be there, but can communicate and facilitate communications between an Operating System or multiple Operating Systems in the hardware. I wanted to talk about that.</p>
<p>The reason I wanted to bring that up is just to make sure we are all on the same page, but I wanted to bring it back to something you said, which is very interesting. When I was at Gartner, we had lot of conversations about bringing your own PC to work and consumerization of IT. I have to tell you, the security guys and the IT apps guys were radically opposed to it, but the reality is, it&#8217;s happening.</p>
<p>One of the things is, is if you look at like European countries, for example, or even here in the United States, there is a lot of concern about privacy. And if I own my own PC and the company says, well, the only way you can access computing resources is, I have to put something inside of your Operating System. Well, I would be quite nervous about that, because it means that you guys can see what I do at 3 in the morning when I am playing with my laptop, or you can see my banking activity, or there is a potential for you to do all types of things no matter how much you tell me it&#8217;s isolated and segmented.</p>
<p>I think a lot of people would be less concerned about a PC hypervisor that shims underneath the Operating System and brings up another Operating System or another environment that people can access.</p>
<p>There is an easier story there about segmentation and isolation. So I think you are right on there, that there really is an opportunity to facilitate this concept of a stipend or bring your own PC or consumerization play here that most enterprises have a hard time dealing with.</p>
<p>Guys, I really appreciate the information. On our next podcast, we will continue the conversation.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/03/12/episode-80-finding-the-so-what-of-virtualization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 79: Cyber-crime Vs. Cyber-warfare Vs. Cyber-espionage</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/03/06/episode-79-cyber-crime-vs-cyber-warfare-vs-cyber-espionage/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/03/06/episode-79-cyber-crime-vs-cyber-warfare-vs-cyber-espionage/#comments</comments>
		<pubDate>Sat, 06 Mar 2010 10:55:58 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/03/06/episode-79-cyber-crime-vs-cyber-warfare-vs-cyber-espionage/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the differences between cyber-crime, cyber-warfare, and cyber-espionage with Will Gragido and John Pirc of Cassandra Security.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Will Gragido and John Pirc. Guys, thanks for joining me back.
I want [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the differences between cyber-crime, cyber-warfare, and cyber-espionage with Will Gragido and John Pirc of Cassandra Security.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a></p>
<p>Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-260"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Will Gragido and John Pirc. Guys, thanks for joining me back.</p>
<p>I want to switch gears a little bit. Since both of you guys have a background in DOD and Intel, one of the things I have been struggling with a lot in how we communicate inside of security industry and then how that&#8217;s adopted by the media, I think has been troubling me lately.</p>
<p>And the trouble that I am having is this concept of cyber warfare versus cyber crime versus cyber espionage. The first thing that I would suggest is that, really, there is nothing new going on here, the only thing that&#8217;s new is that there is a new medium that&#8217;s being used to basically execute some of these things.</p>
<p>So criminal activity isn&#8217;t new, organized crime isn&#8217;t new, sophisticated organized crime is not new at all, it&#8217;s just, here is a new medium that they are using to basically further their gains.</p>
<p>Espionage is not new. Espionage has been going on for a long time. And John, if you spent some time in the CIA, I am sure that you may have heard of what we were doing in Nepal and India during the Cold War, because China and India are pretty close to each other, and I know the U.S. government was very concerned about that in the 50s and 60s, but we will never hear about it. So there is definitely a lot of espionage that occurs, there is just a new medium that&#8217;s being used here.</p>
<p>Warfare, obviously, is not new. It’s been around since the beginning of time. But it really is the distinction between these things that I think the media is having a very difficult time grappling.</p>
<p>I also think the U.S. government and probably every other government is struggling with these two. We have already segmented and created agencies to deal with each of these things independently. If you are talking about criminal activity, well, we have the Department of Justice, they deal with those activities. If you are talking about warfare, well, we have the DOD, whose charter is to support the war fighter. And if you are talking about espionage or intelligence, well, we have got several intelligence agencies that deal with those things specifically.</p>
<p>But what I see happening right now is a convergence of all these terms into one thing, and then you have very scary responses from people in the U.S. government, Congressmen and Senators, that say things like, we have just had a DDoS attack from North Korea, it deserves a kinetic response. And you look at this and you go, are you ridiculous, are you kidding me? I mean, this hasn&#8217;t even reached the level of cyber espionage, this is like kid stuff.</p>
<p>So I want to get you guys&#8217; take, since you have that background, on how we help folks better understand the differences here, because when we start saying things like China attacked the U.S., this Google thing, you get very close to having people in the DOD say things like, then we need to respond kinetically to that. And that is a very, very inappropriate response for what we just saw.</p>
<p><strong>Will Gragido:</strong> Yeah. I think &#8212; you bring up a good point, right, points of confluence within &#8212; and largely because of the economy or the Internet, it&#8217;s an interesting time we live in.</p>
<p>John and I spend a lot of time researching this obviously, and we also have our collective backgrounds to pull from, which suggests that there have been fundamental changes. The world, as Thomas Friedman said years ago, has become flat, either the flattening from a global vision perspective and the rapid adoption of technology, it&#8217;s a foregone conclusion that more people, good and bad, will have access to more advanced technology.</p>
<p>You touched on a very interesting point from the segregation of what is traditionally considered criminal activity versus &#8212; that was just considered the realm of warfare, which is &#8212; and then of course what is considered to be the realm of intelligence. In traditional terminology, those are nothing new, and I think anyone with any kind of experience on pedigree, pulling from background such as our own and environment such as our own, would say that, yeah, those have been ongoing, and they continue to be ongoing, and that it&#8217;s just a natural progression that we are seeing today.</p>
<p>I think where the difference becomes is really the rapid fire adoption, and certain historical events that triggered the economic ecosystem developments, which saw the rapid fire arms race, if you will, or the creation of the cyber arms dealer, coming to fruition.</p>
<p>And I think that, to your point about response, it&#8217;s an educational process. There is a lot of fear, uncertainty, and doubt, and it is inappropriate to suggest that one should retaliate against something when we don&#8217;t have all the facts.</p>
<p>In 2007, for example, to your point about organized crimes, here in the United States, three members of the Lucchese crime family in New York were indicted by the Department of Justice for SEC violations, and trying to manipulate via cyber criminology and manipulate the markets, so that&#8217;s an example of cyber crime, and in a very sophisticated format.</p>
<p>Why are people doing that? Why do we see an evolution of organized criminals as well as less organized criminals? Because the risk to reward proposition is greater and it&#8217;s in their favor. It&#8217;s a lot less risky to, from their perception, to become involved in cyber criminal activity as it is to say traffic invoices, which is a traditional area in which those organizations grew from and derived profitability from in the past.</p>
<p>The same can be said of organizations in Central and South America and in Asia and in Europe, right?</p>
<p>(00:05:09)</p>
<p><strong>Amrit Williams:</strong> Absolutely.</p>
<p><strong>Will Gragido: </strong>I think that we are seeing a lot of this going on, and it is becoming a bit of a &#8212; we are throwing the baby out with the bathwater in some senses, and that needs to change.</p>
<p><strong>John Pirc: </strong>Yeah Amrit, I mean, to expand on what Will said and to your point, I mean, distributed denial-of-service attacks, do they require a response because they knocked a website offline? I mean, I think that&#8217;s ridiculous from my point of view.</p>
<p>I think when you start looking at the severity of the attack. So for instance, let&#8217;s just say, someone took over our power grid and shut that down. I mean, something that is more catastrophic, where there could be human loss based upon a certain technology that they are shutting down or taking advantage of, I would say in maybe some instances those would &#8212; because there is some sort of retaliation back.</p>
<p>But the whole notion of DDoS attacks that we are seeing, shutting down social media websites for a little time, I mean, that&#8217;s more of a nuisance, and to your point before, it&#8217;s child play. I mean, those type of tools are easy, readily available. I mean, I have a 12-year-old daughter who could probably run those tools.</p>
<p>But when you get into things that do cause catastrophic damage, I think that&#8217;s when we need to start worrying or start doing the retaliation. But furthermore, this is where we really start &#8212; where we really need to start showing up our defenses and critical infrastructure so we don&#8217;t see anything like that.</p>
<p><strong>Amrit Williams:</strong> I agree with you completely. I would just say that we have to be careful if we are only looking at the measure of an attack as an indicator of how we should respond, because in many cases a criminal organization could use what appears to be a state-sponsored national attack to create an economic  windfall for themselves, depending on what type of investments they were making.</p>
<p>And if you think about it, and the best way to deal with criminal activity is to change the risk/reward equation. So the best answer to deal with cyber criminals is to look at the economic situation. The best way to deter a war is with deterrence. And it has been proven in the Cold War, for example.</p>
<p>So it&#8217;s not an economic situation necessarily, but it is one of deterrence, and we need to look at that in terms of cyber warfare, if it&#8217;s state-sponsored.</p>
<p>And in terms of cyber espionage, well, the best deterrent for that is misdirection, it&#8217;s propaganda. And the intelligence communities know how to do that quite well in the physical world.</p>
<p>But I always get a little bit nervous when you look at just &#8212; if you only look at the attack type, because it is really, as you guys know, extremely difficult to prove that somebody, state-sponsored, was behind anything.</p>
<p>And quite honestly, I would bet you anything, and I know the Chinese government says this, but whether it&#8217;s true or not who knows, I bet the Chinese government is under much more attack than the U.S. government, because their infrastructure is far less technologically advanced than ours. They are using, in many cases, U.S. made infrastructure and U.S. made computing devices and U.S. made software, so I would guess, if you had the U.S. and China sitting at a table talking about cyber security, China would be far more fearful of what could happen than the U.S. would, with one small caveat, which is obviously the U.S. is far more reliant on critical infrastructure in terms of digital assets than they are. But that is changing.</p>
<p><strong>Will Gragido:</strong> Yeah, I would agree with you Amrit. I think the burden of proof is ultimately speaking more important than any type of analysis activity. And understanding the psychological motivations behind any given instance or event of interest is equally as important. And it is irresponsible to suggest that an event of interest mandates or requires a response without having done the due diligence to unequivocally ascertain that party A is responsible for events D and E, right? So it&#8217;s really &#8212; and I think the media, being the media, has a tendency to gravitate towards the sensational, and that doesn&#8217;t help anyone.</p>
<p><strong>Amrit Williams:</strong> On the one side &#8212; I mean, you are absolutely right, and I wasn&#8217;t suggesting that you guys were suggesting that either. But warfare has changed as well. And I remember right after 9/11, you guys read <em>&#8216;The Onion&#8217;,</em> fake news?</p>
<p><strong>Will Gragido:</strong> Oh yeah.</p>
<p><strong>Amrit Williams:</strong> I thought &#8212; and as &#8212; it was very difficult to find humor and just get back to day-to-day life after 9/11. But <em>&#8216;The Onion&#8217; </em>ran an article which basically said, U.S. government, wishing it had somebody to bomb. And it just sort of speaks to what&#8217;s going on in global dynamics anyway, which is, it is no longer large armies facing off with each other, we are talking about very small coordinated guerrilla warfare. That&#8217;s in the physical world today, and that&#8217;s definitely being transpired and being executed in the cyber realm, so it becomes very difficult to find borders, to find nation states to face off with.</p>
<p>(00:10:00)</p>
<p>And it could very well be that a small guerrilla organization inside of China, or inside of the United States, does not represent the feelings of the state that they are in, and then they spark off something pretty devastating, and that’s really scary.</p>
<p><strong>John Pirc</strong><strong>:</strong> Asymmetric warfare. I mean, you bring up a good point. I mean, the technology and tools that are available today, like you said, I mean, it&#8217;s kind of like finding a needle in the haystack. I mean, you can find out the points of origin, where some of the attacks are coming from sometimes, but those can be hidden as well. But I think that’s quite possible for a small group to entice a lot of activity hoping for some countermeasures to come back on the other side.</p>
<p>I mean, to your point earlier, I mean do we go back and hurry up and bomb whatever country that’s &#8212; or retaliate via electronic news to the other country, you just have to have that data, and like we all know on the phone, that’s very hard to pull together.</p>
<p><strong>Will Gragido: </strong>Right. I would say that there has been quite a large body of knowledge and data put together over the last ten years. A great example of that is ‘<em>Black Ice</em>’ by Dan Verton, which was released in 2003, which &#8212; Dan Verton was a former United States Marine Corps intelligence officer and he is a journalist. You are probably familiar with him. He wrote the book ‘<em>Black Ice</em>’, specifically as it related to exercises that were conducted by the Department of Energy out of the Idaho National Laboratory and Pacific Northwest Power conglomeracy to test infrastructural capabilities in the event of a cataclysmic failure or event, whether they were naturally caused or whether it was unnaturally caused 11:38, in order to test and see what the potential ramifications would be in the event in which it occurred, and an unknown variable such cyber warfare or cyber activity was introduced.</p>
<p>‘<em>Black Ice</em>’ led you to ‘<em>Blue Cascade</em>’ three years later, which was interesting, because the exercises yielded that over the span of time between the two individualized exercises that nothing had changed fundamentally from a posture perspective.</p>
<p>Verton hit on some very, very good points, and he took that data and extrapolated the information that he gleaned, and pulling off of his own background and talking to folks like Robert Clark and other folks that the probability of cyber-based attacks, and he was focusing specifically on subnational attacks, specifically al-Qaeda being a primary focus, because at the time that was a very hot ticket item, and we know that in early 2001, prior to 9/11, al-Qaeda had been operating pretty heavily, from a cyber perspective, hopping from Pakistan to Saudi Arabia and into the United States, doing things like enumeration and network mapping and things of this nature.</p>
<p>So the reality is that &#8212; again, just like we talked earlier, these are not new activities or occurrences, but the burden of proof is required, and in order to curtail unnecessary levels of alarm and fear, we need to have that. We need to be &#8212; we need to exercise discipline, and we need to exercise due diligence in order to really ascertain what is occurring and who is responsible.</p>
<p><strong>Amrit Williams</strong><strong>: </strong>I completely agree. You said something very important that I want to make sure doesn’t get missed in those who are listening, when you said, whether it was from a cataclysmic or a cyber event, at the end of the day organizations should be very, very focused on how they return their infrastructure to homeostasis regardless of the method of attack or exploitation, whether it is malicious, intentional or unintentional, whether it&#8217;s created through a digital asset or whether it&#8217;s just an operational failure of the infrastructure that happens all the time.</p>
<p>I think people forget that, because of what&#8217;s going on, they lose sight of, at the end of the day it&#8217;s about availability and survivability for a lot of organizations. It becomes extremely critical for returning services back, regardless of the method that puts them down. So I thought that was a nice observation.</p>
<p>Guys, I really appreciate you joining me today. I want to make sure that the folks listening have an opportunity to reach out to you guys, so if you could, Will, if you could state how they get to Cassandra, and then if you could both sort of state how folks can find you on the Net and reach out and talk with you if they would like to get more information?</p>
<p><strong>Will Gragido</strong><strong>: </strong>Sure. Well, we are available at <a href="http://www.cassandrasecurity.com/">www.cassandrasecurity.com</a>, and they can reach me directly at <a href="mailto:will@cassandrasecurity.com">will@cassandrasecurity.com</a>.</p>
<p><strong>John Pirc: </strong>This is John. You can reach me at <a href="mailto:john@cassandrasecurity.com">john@cassandrasecurity.com</a>. You can follow me on Twitter as well, so just search for jopirc, and you can follow me. Again, thank you so much for having us today.</p>
<p><strong>Amrit Williams:</strong> Oh, you guys were great, so I am really glad that you guys were on. Thanks very much. I will have you back on again, hopefully you guys will join.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/03/06/episode-79-cyber-crime-vs-cyber-warfare-vs-cyber-espionage/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 78: The More Threats Change, The More Solutions Stay The Same</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/02/26/episode-78-the-more-threats-change-the-more-solutions-stay-the-same/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/02/26/episode-78-the-more-threats-change-the-more-solutions-stay-the-same/#comments</comments>
		<pubDate>Sat, 27 Feb 2010 02:24:55 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/02/26/episode-78-the-more-threats-change-the-more-solutions-stay-the-same/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses how the ever-changing threat landscape is met by a static set of solutions. He is joined by Will Gragido and John Pirc of Cassandra Security.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and I’m back with Will Gragido and John [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses how the ever-changing threat landscape is met by a static set of solutions. He is joined by Will Gragido and John Pirc of Cassandra Security.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a></p>
<p>Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams: </strong>Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and I’m back with Will Gragido and John Pirc.</p>
<p>Guys, thanks for joining me back. We were talking about some of the more sophisticated exploitation methods that were being used, and I posed a question after you guys had discussed some mitigation control, just sort of briefly mentioning things like, you know, network behavioral analysis or monitoring ingress or egress traffic into critical infrastructure; and the question I asked is: you know, we always seem to be challenged by applying technologies that would work today or yesterday but become handicapped tomorrow, and in this case the monitoring of ingress or egress traffic into critical corporate assets is handicapped if we start using Cloud computing. So if you have, you know, one of your corporate assets sitting at a hotel, for example, in a laptop and it&#8217;s accessing a corporate resource that is owned and maintained by a third party, the NBA technology starts to break down.</p>
<p>So I wanted to get your thoughts on that, how organizations that are looking at Cloud computing that do take security, obviously, seriously, as most would like to, how do they approach solving this problem when the corporate assets and the corporate network and the data that traverses it, they simply can&#8217;t see it?</p>
<p><strong>Will Gragido: </strong>I have some pretty strong feelings on that, and they mainly stem from my experience in the consultancies and also working with at one point in time the world&#8217;s largest managed-security service provider. I think that any time you endeavor to adapt a technology or a solution with a solution partner, that requires the transference of a risk, which ultimately speaking manifests in the transference of responsibility, day-to-day operational responsibility and data flows and asset management. One has to take into consideration just, A, how trustworthy that provider is, what level of due diligence they’re striving for and they can demonstrate in a repeatable fashion, whether it&#8217;s by advanced third-party certification &#8212; 1:52, for example, Safe Harbor, SYSTRA, independent audits and assessments, all those things.</p>
<p>I think that those very basic things at a minimum need to be considered. And the MSSPs, for all of their faults, along with the carriers traditionally, did a very good job of that, right, and they sort of invented that space. Where I think Cloud computing, ‘though it&#8217;s quite popular today and arguably is on the tongue of every CIO or corporate officer looking to consider ways in which to consolidate efforts and resources and then ultimately seeking to save money, where that&#8217;s important and ‘though that&#8217;s important, they need to also be asking themselves from a risk-management perspective, you know, just how trustworthy is the partner; what degrees of due diligence are being presented and are being conducted on their behalf; what the safety level of their data is; what levels of assurance are being provided from a provider to the customer. If those questions can&#8217;t be answered at a very, very basic and visceral level, in my opinion it really diminishes the overt value of the solution set. Where a CIO, or a CSO or a CTO or a CEO, for that matter, was endeavoring to take what a small-, medium- or a large-sized enterprise down that path I would really be asking those tough questions, because I think that ‘though the technology is there and has been for a long time &#8212; like, Clouds aren&#8217;t new (laughing). I’m sure that Chris Hoff will get mad when he hears that I said that; but Cloud-based computing technology is not a new idea, it was first conceptualized in 1961. 
And though it isn&#8217;t new, the challenges that have been present in other environments &#8212; for an example, those MSSPs and those carrier environments &#8212; will now become more manifest as we start to see more and more startups and the evolution of newer event service-delivery offerings by other organizations which have previously been in business in other areas &#8212; for example, Amazon, Google, whatever &#8212; however their core business was not in information assurance and security.</p>
<p>But that&#8217;s how I feel about that, and I think there is significant risk involved when you can&#8217;t, to your point earlier, guarantee from a cradle-to-grave perspective the transmission patterns, the activity, the behavioral patterns, so on and so forth associated with a given host or given set of hosts or thousands or millions of hosts, right? I think that&#8217;s important, and I think that&#8217;s really a point of concern.</p>
<p><strong>Amrit Williams: </strong>Hold on one second. I don&#8217;t want to turn this into a Cloud computing secure/not secure debate at all, because I think that there’s plenty of people doing that out there and I think they all make strong arguments.</p>
<p>I think your points are very well-taken. Ultimately, the thing that organizations need to consider and the fear that I think many have is that they will move to Cloud computing and start adopting these technologies where they lack a level of visibility of control, because they feel that it will save them a lot of money and will allow them to turn over and acquiesce sort of, you know, a level of knowledge to these third parties.</p>
<p>The thing that I don&#8217;t think that they realize is that sometimes these third parties do not have any more intelligence around how to secure a network than they do themselves, even though they may claim to or advertise that they do.</p>
<p><strong>Will Gragido: </strong>Absolutely.</p>
<p><strong>Amrit Williams:</strong> So it is a very sticky situation.</p>
<p>(00:04:56)</p>
<p>But I want to pose something else to you guys. You know, it&#8217;s interesting that as we talk in the security industry, everything that we’re doing for the most part is a reaction to something that&#8217;s occurring, and inherently everything that we’re building on top of is foundationally insecure. We use insecure operating systems, we use insecure Internet and routing infrastructure, and we try to add security post fact.</p>
<p>And I think the thing I’d like to drill into a little bit with you guys is, it seems like what we’re doing as an industry is just simply accepting the insecure infrastructure and then trying to secure it after it&#8217;s deployed, as opposed to proposing new paradigms for computing and revolutionary new ways that we can look at different computing models to very significantly limit the attack vectors and start gaining control back of the computing stack.</p>
<p>So have you guys &#8212; I mean, I have some thoughts on this; I don’t want to dig in too much on my own side &#8212; but have you guys looked at, thought about or have some ideas around how to get around this problem, because everything that we always talk about is, “Let&#8217;s add this other technology” or “Let&#8217;s add these new processes” or we’re keeping the computing stack the same; we’re just adding more stuff around it to protect ourselves.</p>
<p><strong>John Pirc</strong><strong>:</strong> Yeah. No, I think that’s a good question. I mean, what I want to talk to you about now is I did a presentation in Stockholm at SEC-T on “Assessing the Risk of Cloud Computing” and, I mean, you bring up a good point. I mean, we’re constantly building upon this insecure stack, right? And when we start looking at some of the risks in the Cloud, you look at &#8212; you need, Bob, some of the vendor trust, legislative boundaries, you have web threats, data leakage, you have shared infrastructures. You know, how does security play into that? And when you start looking at security from a Cloud perspective and kind of building a model, what would that model look like?</p>
<p>Obviously, when you look at Cloud, you know, we live in a worldwide spectrum of the Internet, right? So we have a ton of international standards, right? For example, you know, doing Cloud computing in Luxembourg if you’re a financial organization, that Cloud has to physically reside in Luxembourg, right? Otherwise, there&#8217;s a lot of inherent law that you’re going to break, et cetera.</p>
<p>So I think understanding the international standards as they apply to where the Cloud is being served, you know, availability; making sure that there’s a web security model tied into that, right, because when we look at the telemetry of the attack landscape, I know we talked some of that in the previous podcast; but when you look at the web browser, a lot of the Cloud from a SaaS perspective, for example, is being delivered through the web browser. And then you start looking at the whole notion of data-leakage prevention, what are you putting up in the Cloud, right? Is it mission-critical data? Is it day-to-day operational data, et cetera &#8212; but, you know, knowing that there&#8217;s mechanisms to protect that data, tag it and allowing it, you know, to either stay or be within some sort of landscape of trust.</p>
<p>And then the whole notion of isolation of technologies, when you start looking at the Cloud and diving in a little bit deeper, a lot of them are using virtualization. So where I’m being hosted in this virtual Cloud in terms of virtualization, you know, it&#8217;s great that I’m sharing the same bandwidth, all the utilization of resources, which is a great thing about virtualization; but am I sharing that physical sandbox with somebody else, and what are some of the isolation technologies that are there? And when you look at this, I mean from a client perspective, I mean, you have less control; and then we start talking about compliancy in the Cloud, you know, how does that hit?</p>
<p>So I think when we start looking at, you know, what are some of the models that can be put together when we start looking at Cloud, I think is again understanding the national standards, understanding availability, you know, web security, data leakage and isolation technologies are key; and then understanding, you know, who owns the data.</p>
<p>So I know from a security perspective, there is absolutely no silver bullet; but I think by addressing some of these key areas that I talked about, I think you could start building that model around that that will address, you know, some of these risks that we see.</p>
<p>Will, do you want to add to that?</p>
<p><strong>Will Gragido</strong>: Yeah. You know, following up with what John said, you know, obviously applying a greater degree of due diligence to the actual architecture of networks and systems is important. I think it goes fundamentally lower-level than that. You know, we all collectively share in the pain, as well as the reward of our industry and our space as a result of fundamental efficiencies present in code development. It&#8217;s not a secret.</p>
<p>(00:09:51)</p>
<p>Coming from a former auditing background and assessor background and still doing that work today, SBLC has always been a problem and continues to be somewhat of a bugbear in the industry. I think that until we reach a point &#8212; and this is what we need to advocate on behalf of, and there are initiatives out there, like Rugged, for example, which some folks are pushing today calling for a more secure, a more ubiquitously secure approach to code development and design &#8212; but until we achieve something like that, regardless of your industry and regardless of the sector in which you find yourself in, then I think we will continue to be faced with challenges like the ones we are discussing.</p>
<p>In my mind, it all begins and ends with code and developmental platforms, if you will. And so until we start to see a fundamental mind shift occur in intent to deliver products or services, regardless of what those products or services are &#8212; whether it&#8217;s a financial application, whether it&#8217;s, you know, a word-processing application, you know, whether it&#8217;s an image-rendering base system, whatever the case may be &#8212; until we see a change in philosophy and really also an epiphanous type of realization that, you know, the longer we push out insecure or half-baked code, right, in order to meet deadlines, in order to meet our sales directives, in order to meet the street if we’re public or, if we’re not public, just to meet our own individualized sales goals as corporations or whatever the case may be, the longer we continue to do that, the longer we will incur pain.</p>
<p>So I think it really needs to be a campaign really of advocation of starting at the beginning; certainly not leaving things to just kind of dangle in the wind; certainly taking into consideration the need to adopt strict, sound, comprehensive, standards-based architectures and frameworks that are both operational and as well as philosophical, but also taking it down to the lower level and saying, you know, again, our code is really the beginning of the end. If that&#8217;s not secure, nothing will be secure.</p>
<p><strong>Amrit Williams:</strong> I don’t disagree with you at all, Will, and I’ve been a big proponent of secure software development or using security and interjecting security methods inside of software development for a while &#8212; it’s one of the areas that I covered when I was at Gartner &#8212; one of the challenges is that developers are still bounded by the platforms that they code within.</p>
<p><strong>John Pirc</strong><strong>:</strong> Yeah, right.</p>
<p><strong>Amrit Williams:</strong> And so even if we get to a point of, you know, definitely materially impacting the security of developed code throughout web services or on top of the OS, we still inherently have an insecure infrastructure that&#8217;s being coded on top of.</p>
<p>But I definitely agree that awareness does need to be raised, and we definitely need to deal with that. And what&#8217;s really &#8212; what I do appreciate is to folks like you and others like Corman and his guys, which are actually going to come on pretty soon here to talk about Rugged, are trying to drive that message.</p>
<p>Did want to switch back a little bit to John’s point about isolation, though, because I think this is a concept that many people don’t understand. And if you look at even some of the very sophisticated and even targeted malware threats that have been identified forensically, even in those cases where you find some very sophisticated targeted malware, in a lot of cases the attack vector that they used to propagate that malware was very basic, all right?</p>
<p><strong>John Pirc</strong><strong>:</strong> Uh-huh. Absolutely.</p>
<p><strong>Amrit Williams:</strong> And in a lot of cases what they did is they exploited the human to commit some action through the use of clicking on an email or visiting a site, and in a lot of cases, you know, there’s some type of infected iFrame, so they’re visiting what is an uninfected or legitimate site and there is a dancing cowboy ad on <a href="http://cnn.com/">CNN.com</a> and, you know, they’re infected.</p>
<p>(Laughter.)</p>
<p><strong>Amrit Williams:</strong> So the thing about isolation and where I think computing really needs to change here is, you need to isolate the user’s habits from the corporate resources; and it&#8217;s a very difficult thing to do in the current OS environment, but there are technologies that we’ll be seen coming out over the next three to five years that will hopefully radically change that.</p>
<p>But this concept of isolation, this concept of securing code in the beginning, these are two concepts that we definitely need to drive further in the security industry and help the rest of technology and the business understand what that means and how they can actually adopt and take advantage of those things. And it&#8217;s a little bit unfortunate that we’re always looking back and not talking more about some of these things that people can adopt today.</p>
<p><strong>John Pirc</strong><strong>:</strong> Absolutely.</p>
<p><strong>Will Gragido</strong><strong>:</strong> Yeah. I know, I totally agree with that. I mean, when you start looking at multitenancy, I mean, and having isolation I think is key, and when you start looking at it from a Cloud perspective &#8212; I mean, it&#8217;s, you know, isolation with inside the Cloud: CF10 and security management, controls of privileged user access &#8212; you start looking at even image security: so, you know, isolation and location of security policies; virtualization security, so isolating your virtual instance, the integrity of that, et cetera. I think in going to the Cloud, this whole notion of isolation and multitenancy is huge, and how do we solve it.</p>
<p>And as you just mentioned, I mean, there are technologies I think that are coming down the pipeline that are going to follow that and be more effective. But to your point, Amrit, I mean, it does all come down to code, having secure code. Otherwise, we probably wouldn’t be having this conversation right now.</p>
<p><strong>Amrit Williams:</strong> Well, actually we would (laughing) …</p>
<p>(Laughter.)</p>
<p><strong>Amrit Williams:</strong> … because even if code was secure, someone, somewhere is still going to click on an email because they think somebody really does love them, and unfortunately the OS that that someone is sitting on is not secure itself.</p>
<p><strong>Will Gragido: </strong>Yeah.</p>
<p><strong>Amrit Williams:</strong> But, you know, you guys make some really good points.</p>
<p>Guys, I really appreciate you joining me today. I want to make sure that the folks listening have an opportunity to reach out to you guys. So if you could, Will, if you could state how they get to Cassandra; and then if you could both sort of state how folks can find you on the ‘Net and reach out and talk with you if they’d like to get more information?</p>
<p><strong>Will Gragido:</strong> Sure. Well, we’re available at <a href="http://www.cassandrasecurity.com/">www.cassandrasecurity.com</a>, and they can reach me directly at <a href="mailto:will@cassandrasecurity.com">will@cassandrasecurity.com</a>.</p>
<p><strong>John Pirc:</strong> And this is John. I mean, you can reach me at <a href="mailto:john@cassandrasecurity.com">john@cassandrasecurity.com</a>. You can follow me on Twitter, as well, so just search for “jopirc” and you can follow me.</p>
<p>And again, thank you so much for having us today.</p>
<p><strong>Amrit Williams:</strong> Oh, you guys were great guests; I’m really glad that you guys were on. Thanks very much, I’ll have you back on again; hopefully, you guys will join.</p>
<p><strong>Will Gragido:</strong> We look forward to it.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/02/26/episode-78-the-more-threats-change-the-more-solutions-stay-the-same/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 77: Is Your Software RUGGED?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/02/22/episode-77-is-your-software-rugged/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/02/22/episode-77-is-your-software-rugged/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 15:59:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/02/22/episode-77-is-your-software-rugged/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, investigates the new RUGGED Software Manifesto with its authors, Joshua Corman and David Rice.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, I’m your host on “Beyond the Perimeter”, and today I am joined by Joshua Corman, Enterprise Security Practice Research Director at the 451 Group, and [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, investigates the new RUGGED Software Manifesto with its authors, Joshua Corman and David Rice.</p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, I’m your host on “Beyond the Perimeter”, and today I am joined by Joshua Corman, Enterprise Security Practice Research Director at the 451 Group, and David Rice, Executive Director at the Monterey Group.</p>
<p>Guys, thanks for joining me today.</p>
<p>What I wanted to talk to you guys about today is the Rugged Software Manifesto you and David and Jeff put together. Basically it is an awareness campaign with some tenets around how developers should be looking at developing software in regards to making it more survivable, more available, more secure. I hope I’m not misstating that too much, so why don&#8217;t I turn over to you guys, and just take the audience through what is Rugged Software, what is the Rugged Software Manifesto, what are you guys trying to achieve?</p>
<p><strong>Joshua Corman:</strong> I think the genesis of this idea was we were at the Grayloc party at RSA last year &#8211; and I think you’ve agreed with me on this before, Amrit &#8212; but each year at RSA a lot of us kind of feel like we should quit security. And I say that tongue-in-cheek; but we tend to be fairly frustrated, because we hear a very similar message year to year to year, and it seems like a very stagnant and static security approach to a very dynamic and evolutionary problem.</p>
<p>So I met David through the Institute for Applied Network Security, and I know you got Jack Phillips on the podcast in the past; but David&#8217;s book on economics really made me look at the economic impact and the economic incentives and disincentives in the true cost of weak software. And obviously he can speak to his book better than I can; but he and I had some fairly intellectually honest and vigorous debates over the years.</p>
<p>So we were speaking about some of the disdain for the Security community at this party, and he introduced me to Jeff Williams from OWASP; he is the Chairman of OWASP right now. And we were kind of saying, “You know, it&#8217;s nice that we have web-app firewalls required by PCI. It&#8217;s nice that we have static and dynamic analysis. We have lots of tools and technologies &#8212; and, no offense, Jeff: OWASP is doing a fantastic job for the people who know about security &#8212; but until we get to the hearts and minds of all developers, until we can let them know that there’s a security context and that their software has become modern infrastructure, we’re fighting the heads of the Hydra and not the heart. We’re at the end of the lifecycle instead of the beginning, and part of the fix here to drive down the cost and complexity of security and make sure we don’t have 70 security products and 80 or 90 next year is, we need inherently more secure infrastructure”.</p>
<p>So we were talking about Agile, we are talking about different frameworks and what we said is, “You know, we don&#8217;t really have our own manifesto; we don&#8217;t have our own meme, our M-E-M-E. And we need a contagious philosophy or values that people can sink their teeth into”. So after a couple of hours, we came up with Rugged, R-U-G-G-E-D, and it was to have this concept or notion that you will be tested and that you’re tough enough to survive it or that you’ll have a mission to do and you’ll be attacked, you’ll live out longer than you were intended to; and we decided to come up with our own Manifesto that night back at RSA.</p>
<p>You want to pick it up from there, David?</p>
<p><strong>David Rice:</strong> So in many ways, Rugged is simply an awareness campaign. I had to preach outside the choir of cyber security.</p>
<p><strong>Unknown Male:</strong> We get it.</p>
<p><strong>David Rice:</strong> And everyone in cyber security thinks, gets that there is a need; but the perceived need outside of the Security community is nonexistent. And so there is a notion that we create software to live in this utopian environment filled with unicorns and butterflies, and we’ll be all right on the Internet. What we know now from all of the news stories and data that we do have is that the Internet is not this utopian environment that it was originally envisioned to be; it is truly a UFC ring match, and unless your software can survive in that brutal, hostile environment, the very value that we’re trying to create through software can be called into question &#8212; not that we’re destroying all value, but that the notion that these attackers are spending a tremendous amount of effort across the board to get into software that, by one infrastructure report, recognizes that software is one of most effective products on the planet.</p>
<p>Well, that&#8217;s a really devastating comment; but it also has this notion that they say, “Well, okay. If this is an awareness campaign, we need to get outside of the choir and let people see that, in Rugged mentality, that is a different mindset is required than what was before”. Beyond that, it&#8217;s all detail. But it&#8217;s really that fundamental, simple but monumental task of just doing a bit flip, that little switch in the head that says, “Well, I have to think about the environment that this code is going to be running in, and for all intents and purposes we know that it&#8217;s hostile now”. And that&#8217;s fundamentally, I think, what we’re trying to do. It’s a very simple message, a very direct message, but monumental in its impact.</p>
<p><strong>Joshua Corman:</strong> Yeah. And we did do this in San Francisco, and so just being in that environment I remember when I was a kid with all the earthquakes we’d get, my dad told me that &#8212; and I now know this as an adult &#8212; but if you’re an architect and you build a skyscraper in San Francisco, I mean, you can&#8217;t just build a building there the same way you can somewhere else. You need to factor in the earthquakes and design for it.</p>
<p>(00:05:09)</p>
<p>And I guess that was the same kind of sphere we were communicating at the SANS Conference was, “Look, this becomes a design parameter now that the environment your code is going to face, your code is going to live on well beyond its intended lifespan and is going to be used in ways you couldn&#8217;t anticipate for longer than it was ever supposed to, and there are talented adversaries in every series who seek to undermine it”. So the Manifesto that comes out of that: just trying to let problem-solvers &#8212; I mean, my first five years of my career were in a software-development organization, and engineers have an incredibly high standard for their work.</p>
<p>And when we first learned the memory leaks, they resisted at first; but eventually they were very, very proud to make sure that their code never had leaks in it when we ran it through the leak tests. And I realized that instead of all these other campaigns trying to call them stupid or lazy or ignorant, honestly if we can get an increased or enhanced worldview in front of them, programmers are very good problem-solvers, and in my experience even if 5% more people say, “Oh, I didn&#8217;t realize that”, it affects their choices on programming languages or avoids some of the common mistakes, drives them to their first OWASP meeting, gets them maybe to evaluate the differences between different frameworks. It&#8217;s not a silver bullet, but we simply can&#8217;t keep preaching to the choir that already knows about this.</p>
<p><strong>Amrit Williams:</strong> Yeah, I would guess that anybody you talk to in Security if you said, “We would really like to create more awareness around developers taking security development of their software and improving the security of it more seriously”, there probably isn&#8217;t a single person in Security that would disagree that that&#8217;s a good thing &#8212; or, a bad thing.</p>
<p>What I wanted to focus on a little bit, though, is that I did read the Rugged Software Manifesto, I reviewed the presentation that you guys put together, I tried to view it from the perspective of a developer and what I would think about it, and the one thought that I walked away with is when put in a context or against the backdrop of something like the Agile Manifesto is the way that the Rugged Software Manifesto is laid out &#8212; and for those folks on the phone who’d like to find out more about it, they can go to <a href="http://www.ruggedsoftware.org">ruggedsoftware.org</a> and they can read the Manifesto there &#8212; is it&#8217;s presented in a way that I felt was a touch condescending, and I didn&#8217;t feel like it was empowering me. I mean, there had been the same struggle that has occurred with quality, and if you look at software development in the early ‘90s, no one really took QA or Quality Assurance seriously. It was really difficult to get folks to use even tools that were well-known like Purify and Quantify, and then there was a lot of folks who looked at memory leakage, who looked at performance technology tools and they did get excited about being the ones who could develop less-buggy software.</p>
<p>And I felt that some of the language here is not as empowering. Am I reading this wrong? Is that a fair comment? I mean, how do you guys address the developer mindset, because it&#8217;s pretty much from a perspective of a Security Analyst reading this, say, would go, “I completely agree, I’m on board, I’ll do whatever I can to support you”. From a development perspective, I felt like it was worded in such a way that I took exception with it.</p>
<p><strong>David Rice:</strong> It listed a notion of a competition. And so the first perception is very important, and so I agree with you that the first impression of the taste-test sales, there is a difficulty there.</p>
<p>And then it&#8217;s also balancing against the fact that “Well, we have some very real data out there now, as soft as it may be; but we know that software is a critical aspect that&#8217;s enabling many of the attackers to come in”.</p>
<p>So part of what the Manifesto is doing is eliciting a notion of competition. And that is, developers typically live in a meritocracy; that is, it&#8217;s very much based on skills and capability. And what the Manifesto, in one of the lines of the Manifesto that we’re bringing out, is that this is a competition not between software companies, but between those individuals that wish to take away or undermine the value that these companies are trying to provide. So it’s not a competition between software companies; it is now a competition between attackers and the developers.</p>
<p>And one aspect of this is to elicit the notion that, “Well, who’s better here?” These hackers are talented; but we know that developers are far more talented. And certainly there’s pressures on their development: timelines, et cetera. Mainly it is a notion of trying to elicit this notion that there is a competition here between people on the outside wanting to undermine the software to get to the crown jewels of these companies, and the notion that, “Well, who’s really better here?”</p>
<p>And our vote is a very positive vote. It is that as Josh said before: developers are smart folks. These individuals are dedicated to their craft. And so that craft needs to reflect the mindset of the developers and not reflect the abilities of the attackers, which we’re seeing here getting far more press than the actual good software developers that are out there.</p>
<p>Josh, you have more to add on that?</p>
<p><strong>Joshua Corman:</strong> Yeah, I mean, I took the criticisms on the chin, and we did a lot of testing of the Manifesto language to make sure it was positive so that at least from a design perspective it was never our intention to be condescending; and I still take that criticism on the chin, and this is our 1.0 Manifesto and now that it&#8217;s out there we’re getting lots of great feedback on it.</p>
<p>I think when we presented this, someone said, “How is this different, Josh?” and I said, “Well, it&#8217;s different than other initiatives in this space in three ways”, and this touches on why I was disappointed to see that it didn’t pass the taste test universally.</p>
<p>But I said, “It&#8217;s different in three ways. Number one, we’re trying to get outside of the choir, because if we keep preaching to the same people who care about it, we’re only going to be solving a single-digit percentage of the community.</p>
<p>“Number two, it has to get to the hearts and minds, everything, the technology solution and the technology fix. This is going to be explicitly a hearts-and-minds’ thing, because we want to tap into a value set someone already has versus talking down to them. So we’re looking to just light a spark.”</p>
<p>I know you had Michael Santarcangelo on your program, and it&#8217;s the catalyst kind of idea: does this value set we’re putting forth resonate with you, and if it does then we want you to opt into it and light a fire and put you in touch with more resources.</p>
<p>And the third is that often in this space when we want to improve things we force people to do it, and this was intentionally not telling you “Thou shalt, thou shalt; you must. Here is a compliance mandate and a fine”. I mean, you and I, Amrit, have talked many times about the dangers of just using compliance regulatory and the stick instead of the carrot. This one was meant to be aspirational and look for the best in people, instead of assuming that they’re all incompetent jerks.</p>
<p>So I think you know me well enough to know that I have the respect level for these folks, and if we didn’t hit a homerun in the first set of language, this is a conversation that we’ve started. We believe the concept or the attribute of being Rugged as an individual, as a chunk, as an organization, as a chunk of code, as a website. We are now trying to give the mainstream a word that works better or a concept that works better than Security, because clearly we’ve been telling people to care about security and they don’t, whereas we do feel that this somehow has a stickiness in it, a more contagious concept that is more attractive to a business owner. Rugged Cloud or Rugged Datacenter or Rugged Website, something that might have tipped the scales in the economic conversation in a way that previous dialogue hasn’t.</p>
<p>So I think this intends to be aspirational and seek the best in people, and if we have got some rough edges, it’s this kind of feedback that&#8217;s going to help us fix that.</p>
<p><strong>Amrit Williams:</strong> Well, I completely agree, by the way. I’m very glad you didn’t call it The Secure Software Manifesto, because that would have been lambasted to no end, and what you’re really talking about in Rugged is survivability of the software itself in a very hostile environment, and I do appreciate that. I don’t think you guys wrote it to be condescending; but I was just making an observation as a developer, it almost says to me, “You’re doing it wrong; here, you have to do it right, and here is a set of values you should adopt”.</p>
<p>Developers, as you know, as you stated &#8212; which I really appreciated the way that David and you have stated that &#8212; is that they are very competitive by nature, and I think that there is a really nice thread for you guys to pull on here around driving competition for survivability and Rugged in terms of how folks develop software, as opposed to what is normally done, which is “You’re the root of all evil, you’re the reason we have these problems, you need to fix yourself”, which instantly puts people in a defensive type of stance, which is what some of what you saw on the mailing list that we’re on, which was I think a natural reaction of folks that really work really hard &#8212; I mean, developers are some of the hardest-working people in the industry, and as David mentioned earlier, they take great pride in their craft, and more than most people in Security, they went to school and got degrees in the sector that they’re actually in right now. There’s a lot of people in Security don’t have that background. So I appreciate that.</p>
<p>I wanted to switch gears a little bit from this, because I don’t think you guys are again purposely trying to be condescending. I really like that you guys didn’t include the word “secure” in here and you went after something that has and represents something that is about survivability. It&#8217;s about Ruggedness.</p>
<p>One of the other things that struck me was, I think there’s a lot of frameworks, there’s a lot of methodologies out there that people can adopt. I mean, I wrote a paper I sent to you when I was at Gartner around adding security and enveloping securities as part of the software-development lifecycle: everything from threat modeling to code reviews and design reviews and blah, blah, blah that included a security perspective.</p>
<p>I don’t think you actually will have that hard of a time convincing developers that there’s things that they can do to better enable survivability and Ruggedness in their software. I think the challenge that a lot of developers have, and if you sit down with them &#8212; and I’m sure you have &#8212; and talk to them, the response is “I would love to do this; but Management is telling me I have two days to do something, and they won’t let me adopt the tools and the processes that I need to adopt to better enable this inside of my environment”.</p>
<p>So I wanted to ask you guys a little bit about how you have a conversation with organizations that do want to adopt this, but are struggling with the perception that there will be increased cost, longer times to market, all the other things &#8212; and by the way, we’ve been through this with QA and Quality Assurance already, and it&#8217;s already been proven, right, that finding bugs earlier in the cycle are obviously more economically attractive than finding them in the general public. So what is the type of conversation you have with an organization that’s struggling with the economic incentives of moving to survivable Rugged software?</p>
<p><strong>Male Speaker:</strong> There’s large systemic issues that come with this. One of them is just market pressure. And again, you know, Security is very good at defining doctrines, creeds, practices. I mean, we have a bevy of them. If you look all the way back to Watts Humphrey through the Software Engineering Institute, I mean, the man was given a medal by the President for his work in software quality; and yet a majority of the market really still ignores stuff that he’s really through fact proven that, yes, you can improve quality and security of software.</p>
<p>But I think what we have to realize from a Security perspective is that people don’t buy facts; they buy feelings. And part of that is a recognition of when I am pressured by my Managers to develop in a certain amount of time, I’ve got to make certain economic decisions; that is, my time is an economy, and there’s only so much time I can spend. Well, what Security comes in and does is throws in all these frameworks and all these things, and the immediate reaction is push-back: “There’s just too much for me to do”.</p>
<p>One of the aspects in terms of success is starting from where you are with what you have and do the best you can with it. And Rugged in its simplicity is simply a recognition of that bit flip in the brain that says, “Well, okay, I might not be able to do all this; but, I mean, heck, it&#8217;s there”. It’s just that notion that “Well, gee, I need to do this bounds check” or “I need to check this input”.</p>
<p>That’s different than having to do all these huge external-compliance frameworks, and really that’s what they come down to be is: you must do this to get secure software.</p>
<p>Well, what Josh, Jeff and I are really trying to look at is a value-driven, an internal mechanism where the hands on the keyboard have a mind behind it that says, “Well, wait a minute, what about this?” And if we get that one extra question in terms of “How do I make this software more resilient without having to go through all these frameworks, although they’re available”, then we’ve already started to change the direction of the ship. It&#8217;s a huge ship, and it’ll take years to change direction of; but once you get the hands on the keyboard and the minds that control those hands thinking just a little bit differently, that’s a huge success, because right now the value argument around secure software has not been made well. And so you can argue that, yes, fixing a bug after production or in production is 100 times more expensive than in the design time. Well, why do we still have bugs, then? I mean, we all know the economics. Why are we not paying attention to the economics? And it basically comes down to the value argument.</p>
<p>So what we’re trying to do here is make it an onramp; that is, the value argument is that it&#8217;s hard for organizations, because “people get it”. They know that “Okay, well, we might not be able to do everything in a purist mindset to develop secure software, but at least we can do something”. And if we can move towards Ruggedness, as opposed to achieving security, completely different level of expectations and there’s actually hope in that message. Like “Well, actually, if we do A, B and C, we might be able to get a little bit more Rugged”, as opposed to in a typical Security mindset you need Thous: thou shalt do ABCDEFGHIJKLMNOP &#8212; you know, you lost people at D. They’re already checked out at that point. But it&#8217;s conceptual to get people at ABC, wow, that’s a totally different ballgame.</p>
<p><strong>Male Speaker:</strong> Yeah. And there is no silver bullet. I mean, there are strong economic disincentives to doing this with the current mindsets, and we recognize that part of the Rugged movement here that started with a personal pledge, very personal language for the software developers; but it is our immediate intention to start working groups in business cases on successful ways in which if you’re an engineer you’ve sold security to your employer; if you are an employer, you’ve sold a new framework or a new methodology down to your employees. What are the business drivers?</p>
<p>I was talking to Wysopal at Veracode, and he and I had both started our careers in QA, it turns out; so we have similar heritage, I guess. But there are the traditional arguments, but there’s also arguments now and what he’s finding in the market is customers of the software can drive an economic action. So if someone is going to buy between your software package or a competitor’s software package, they’re putting in their RFPs now to have the static and dynamic testing done and the analysis done by either Jeremiah&#8217;s company or one of the other product suites or Wysopal&#8217;s at Veracode, and there are other value levers that are going to be outside the range of what an individual developer could do.</p>
<p>But I also can’t forget for a second that my first pragmatic marketing course or product-management course said something like, “He or she who owns the compiler wins”, right? So don’t ever forget that the hands on the keyboard ultimately are the biggest tipping point on what the outcome is.</p>
<p>(00:20:04)</p>
<p>So despite deadlines, if you have a programmer who now knows not to use a risky system call or in the language selection on which programming language they’re going to use or which influence in their methodology, a tremendous amount of power and purview and influence comes from each individual developer at the end of the day.</p>
<p>So this is how you change the world: just kind of one person at a time, one project at a time. And it&#8217;s not going to be just in the hands of developers. It&#8217;s going to be a multi-altitude, multi-point of attack, and now we at least have a sticky concept that&#8217;s hopefully more effective than just calling things secure.</p>
<p><strong>Amrit Williams:</strong> Yeah. And I actually agree with that in a paper that I wrote &#8212; god, I think I wrote that back in 2005 or 2004. I actually put a prediction in there that by 2008, organizations would start adding the security of the software itself as a critical evaluation factor. So it&#8217;s very encouraging to hear that you’re seeing the folks at Veracode and White Hat hearing that back from the market. That&#8217;s definitely an encouraging thing.</p>
<p>I wanted to talk a little bit about real quick, you&#8217;ve mentioned a couple of times the economic disincentives for adopting this, and I want to switch the bid a little bit because I think there&#8217;s actually a lot of economic incentives for people to make their software more secure &#8212; “more secure”, I’ll even stay away from that &#8212; but just more survivable and more Rugged, because of the impact that it could have in market adoption. But the problem is that it&#8217;s very difficult to prove that, and companies are very slow to respond to those market dynamics.</p>
<p>I mean, everyone always points to Microsoft as a great example of a company that does this well. They didn&#8217;t do it by choice, and they didn&#8217;t do it quickly. They did it very slowly over time, because the market really pressured them to do it.</p>
<p>You look at Adobe, and I don&#8217;t imagine Adobe is going to do anything quickly, either. They’re trying; but it&#8217;ll probably be a while before they actually get a response that&#8217;s acceptable by the market. It almost seems like this is so much market-driven.</p>
<p>But how do you raise that conversation up to an executive so that they understand how critically important it is, that it&#8217;s on the same level as software quality, that they do invest in it and that they do understand now?</p>
<p><strong>Male Speaker:</strong> I think we&#8217;re really soft on the business cases, yeah. And I know that Jim Routh, who was formerly CISO at DTCC, Depository Trust &amp; Clearing Corporation, in the program that he built up, over time he could show about a 10% to 12% savings over the lifetime of any given project when they embedded security into the actual project, as opposed to waiting until afterwards. If you walk into any executive office and say, “Listen, I can save you 10% to 12% on this project”, certainly that’ll raise the eyebrows.</p>
<p>But Gary McGraw has a great counterpoint, not directly to Jim; but the problem with metrics is that they’re like body organs: all of us have them, but I can&#8217;t take my liver and put it in Josh’s body without some consternation from Josh’s body.</p>
<p>So we can take certain metrics and try to apply them to other organization, but we’re still at a very nascent stage in terms of the business concept or the business drivers of software assurance. And so we can make some fairly good statements; whether or not those statements apply across the board will always be open to debate.</p>
<p>But I think a lot of Security executives are out there &#8212; and maybe in lines of business executive in some instances &#8212; actually see that value that is in a recession-pressured company to actually start realizing savings. I mean, if you look at cost-avoidance mechanisms, if we put in a CFL light bulb, we can show you a payback period in a two- to three-year timeframe. So we know it might be a large upfront expense, but we get a payback period of three years.</p>
<p>In software assurance, we’re still not quite there yet; but we’re getting closer. So between Jim&#8217;s work and other executives out there, I think people are starting to get their heads around how we can actually show the payback period for the business case of software assurance. We still have a long way to go.</p>
<p><strong>Amrit Williams:</strong> It&#8217;s going to be critically important, because even when you do win over the hearts and minds of the developers, just as you would in the example that Josh gave about the memory problems or the boundary problems that they experienced in the &#8217;90s, it was difficult for the developers to adopt. I imagine that even when they said “Completely agree”, there still had to be an economic case made to the executives that “I do need to invest in software, I do need to change processes and policies, and there will be a near-term impact hopefully to sustain a long-term gain”.</p>
<p>And so this is going to be really important to drive this message out is to wrap it around an ecosystem that can support those values and those ideals. So it&#8217;s really encouraging to hear that you guys are also pursuing those things, because there is, as you state, David, a real lack of that information as it pertains to this area.</p>
<p><strong>David Rice:</strong> Yeah, you know, we’ve encountered quite a bit of like passionate and enthusiastic support from some places we never even anticipated. Like when I was talking to Joe Jarzombek from the Department of Homeland Security, and he was just a really enthusiastic supporter. And the enthusiasm’s been there and so has the criticism, and what I noticed after I got some of the criticisms, which was pretty much the minority; but people are looking like “You’re not going to have a quick fix, Josh”. And I said, “I know we’re not going to have a quick fix. This is a long view; we’re taking a long view at this”.</p>
<p>In fact, I actually expect that some of the more fruitful progress we’re going to make has been with the conversations I’ve been having with universities that have an undergrad or postgrad program. And I’m not saying that we can&#8217;t teach an old dog new tricks. I mean, the people whose kids play or my kids, they’re still programmers, and just simply talking to them about this, they’ve already started looking into things, they’re going to go to their first OWASP meeting in the area, and I think we’re going to have some impact on the existing population. But we kind of have to have a long view. This is going to take time. Maybe it&#8217;s five years, maybe it&#8217;s ten years; but we were kidding in San Francisco and said, “What&#8217;s security going to be like in 100 years?” And I think there’s a tendency in the Security market to want a quick fix. Well, guess what? A bunch of quick fixes and instant Band-Aids, we’ve got that and we have 70 different product markets, and we’ve got firewalls and IPSs and the number of pizza boxes you could install in your network perimeter is staggering, and those quick fixes aren’t really getting at the systematic issues.</p>
<p>So this is not going to be a quick thing, it’s not a silver bullet; but I think the hearts and minds giving some sort of sticky concept that can be used at universities and the purchasers of software, the developers of software &#8212; I mean, heck, I didn’t even intend this initially; but as the Cloud adoption happens, there’s going to be datacenters or Cloud services that will have some failures, and how can they articulate in business terms that their Cloud is more Rugged or survivable than someone else’s Cloud? So this could become an economic token or totem that can be used to essentially slowly crank up the awareness, the design, the education; so it’s not going to be quick overnight, but it is going to hopefully permeate the way we approach these offerings.</p>
<p><strong>David Rice:</strong> And not to spend too much time on it, but at the highest level in economics there’s really two driving forces: one, people will do whatever they can to make themselves better off; and, two, which is probably more important than one, is that people will not consciously do anything that they feel they’ll be worse off for doing. And right now we can simply answer the question of why don’t people or why don’t software developers do security a lot in their code? Well, because they don’t believe they’re going to be better off for doing it. I mean, at the highest level it’s the simplest question that they’re asking themselves: will I be better off for doing this? And the answer is probably not. I know I’ll be worse off, because I’ve got more frameworks, I’ve got more work to do, I’ve got time pressures.</p>
<p>So at the highest level, economics really isn’t about numbers; it’s about people. And so what we’re trying to address is a core incentive, and that is again that bit flip that goes from “Oh, my gosh, I’ve got to do all this stuff” to being right to “Well, gee, if I can aspire to Ruggedness, can do what I can where I am to the best of my ability and actually make some progress” &#8212; and that’s hugely important, because then all of a sudden, like I said, people don’t buy facts, they buy feelings. Well, Rugged is a feeling, and that’s really important because what that does is drive different behaviors. And ultimately if they feel they’re better off and not worse off for becoming Rugged, well, then that’s a huge win for us and that’s a key aspect that “No, you can’t buy a pizza box for this; there’s just no way to do it”. And so we really want to get to the hands on the keyboards, because that’s where both the solution is and the aspiration.</p>
<p><strong>Amrit Williams:</strong> And I appreciate that. I wish you guys the best of luck.</p>
<p>For those out there who want to get more information, they can visit <a href="http://www.ruggedsoftware.org"><span style="text-decoration: underline">www.ruggedsoftware.org</span></a>. This is Joshua Corman, Enterprise Security Practice Research Director from the 451 Group who joined us, and David Rice, Executive Director at The Monterey Group.</p>
<p>Guys, I really appreciate you guys joining us today. If folks want to hear more from you directly, how can they contact you guys? Josh?</p>
<p><strong>Joshua Corman:</strong> I’m on Twitter at Josh Corman, J-O-S-H, C-O-R-M-A-N; or email me at <a href="mailto:jcorman@the451group.com"><span style="text-decoration: underline">jcorman@the451group.com</span></a>.</p>
<p><strong>David Rice:</strong> And you can contact me at <a href="mailto:david@montereygrp.com"><span style="text-decoration: underline">david@montereygrp.com</span></a>, M-O-N-T-E-R-E-Y, G-R-P, dot com.</p>
<p><strong>Amrit Williams:</strong> Really appreciate having you guys on, wish you the best of luck; I’ll see you guys at RSA, correct?</p>
<p><strong>Joshua Corman:</strong> Yes.</p>
<p><strong>David Rice:</strong> Wonderful. See you there.</p>
<p><strong>Announcer: </strong>You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix. Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/02/22/episode-77-is-your-software-rugged/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Your Software RUGGED?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/02/20/is-your-software-rugged/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/02/20/is-your-software-rugged/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 08:56:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/02/20/is-your-software-rugged/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, investigates the new RUGGED Software Manifesto with its authors, Joshua Corman and David Rice.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, I’m your host on “Beyond the Perimeter”, and today I am joined by Joshua Corman, Enterprise Security Practice Research Director at the 451 Group, and [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, investigates the new RUGGED Software Manifesto with its authors, Joshua Corman and David Rice.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, I’m your host on “Beyond the Perimeter”, and today I am joined by Joshua Corman, Enterprise Security Practice Research Director at the 451 Group, and David Rice, Executive Director at the Monterey Group.</p>
<p>Guys, thanks for joining me today.</p>
<p>What I wanted to talk to you guys about today is the Rugged Software Manifesto you and David and Jeff put together. Basically it is an awareness campaign with some tenets around how developers should be looking at developing software in regards to making it more survivable, more available, more secure. I hope I’m not misstating that too much, so why don&#8217;t I turn over to you guys, and just take the audience through what is Rugged Software, what is the Rugged Software Manifesto, what are you guys trying to achieve?</p>
<p><strong>Joshua Corman:</strong> I think the genesis of this idea was we were at the Grayloc party at RSA last year &#8211; and I think you’ve agreed with me on this before, Amrit &#8212; but each year at RSA a lot of us kind of feel like we should quit security. And I say that tongue-in-cheek; but we tend to be fairly frustrated, because we hear a very similar message year to year to year, and it seems like a very stagnant and static security approach to a very dynamic and evolutionary problem.</p>
<p>So I met David through the Institute for Applied Network Security, and I know you got Jack Phillips on the podcast in the past; but David&#8217;s book on economics really made me look at the economic impact and the economic incentives and disincentives in the true cost of weak software. And obviously he can speak to his book better than I can; but he and I had some fairly, intellectually honest and vigorous debates over the years.</p>
<p>So we were speaking about some of the disdain for the Security community at this party, and he introduced me to Jeff Williams from OWASP; he is the Chairman of OWASP right now. And we were kind of saying, “You know, it&#8217;s nice that we have web-app firewalls required by PCI. It&#8217;s nice that we have static and dynamic analysis. We have lots of tools and technologies &#8212; and, no offense, Jeff: OWASP is doing a fantastic job for the people who know about security &#8212; but until we get to the hearts and minds of all developers, until we can let them know that there’s a security context and that their software has become modern infrastructure, we’re fighting the heads of the Hydra and not the heart. We’re at the end of the lifecycle instead of the beginning, and part of the fix here to drive down the cost and complexity of security and make sure we don’t have 70 security products and 80 or 90 next year is, we need inherently more secure infrastructure.</p>
<p>So we were talking about Agile, we are talking about different frameworks and what we said is, “You know, we don&#8217;t really have our own manifesto; we don&#8217;t have our own meme, our M-E-M-E. And we need a contagious philosophy or values that people can sink their teeth into”. So after a couple of hours, we came up with Rugged, R-U-G-G-E-D, and it was to have this concept or notion that you will be tested and that you’re tough enough to survive it or that you’ll have a mission to do and you’ll be attacked, you’ll live out longer than you were intended to; and we decided to come up with our own Manifesto that night back at RSA.</p>
<p>You want to pick it up from there, David?</p>
<p><strong>David Rice:</strong> So in many ways, Rugged is simply an awareness campaign. I had to preach outside the choir of cyber security.</p>
<p><strong>Unknown Male:</strong> We get it.</p>
<p><strong>David Rice:</strong> And everyone in cyber security thinks, gets that there is a need; but the perceived need outside of the Security community is nonexistent. And so there is a notion that we create software to live in this utopian environment filled with unicorns and butterflies, and we’ll be all right on the Internet. What we know now from all of the news stories and data that we do have is that the Internet is not this utopian environment that it was originally envisioned to be; it is truly a UFC ring match, and unless your software can survive in that brutal, hostile environment, the very value that we’re trying to create through software can be called into question &#8212; not that we’re destroying all value, but that the notion that these attackers are spending a tremendous amount of effort across the board to get into software that, by one infrastructure report, recognizes that software is one of the most effective products on the planet.</p>
<p>Well, that&#8217;s a really devastating comment; but it also has this notion that they say, “Well, okay. If this is an awareness campaign, we need to get outside of the choir and let people see that, in Rugged mentality, that is a different mindset is required than what was before”. Beyond that, it&#8217;s all detail. But it&#8217;s really that fundamental, simple but monumental task of just doing a bit flip, that little switch in the head that says, “Well, I have to think about the environment that this code is going to be running in, and for all intents and purposes we know that it&#8217;s hostile now”. And that&#8217;s fundamentally, I think, what we’re trying to do. It’s a very simple message, a very direct message, but monumental in its impact.</p>
<p><strong>Joshua Corman: </strong>Yeah. And we did do this in San Francisco, and so just being in that environment I remember when I was a kid with all the earthquakes we’d get, my dad told me that &#8212; and I now know this as an adult &#8212; but if you’re an architect and you build a skyscraper in San Francisco, I mean, you can&#8217;t just build a building there the same way you can somewhere else. You need to factor in the earthquakes and design for it.</p>
<p>And I guess that was the same kind of sphere we were communicating at the SANS Conference was, “Look, this becomes a design parameter now that the environment your code is going to face, your code is going to live on well beyond its intended lifespan and is going to be used in ways you couldn&#8217;t anticipate for longer than it was ever supposed to, and there are talented adversaries in every series who seek to undermine it”. So the Manifesto that comes out of that: just trying to let problem-solvers &#8212; I mean, my first five years of my career were in a software-development organization, and engineers have an incredibly high standard for their work.</p>
<p>And when we first learned the memory leaks, they resisted at first; but eventually they were very, very proud to make sure that their code never had leaks in it when we ran it through the leak tests. And I realized that instead of all these other campaigns trying to call them stupid or lazy or ignorant, honestly if we can get an increased or enhanced worldview in front of them, programmers are very good problem-solvers, and in my experience even if 5% more people say, “Oh, I didn&#8217;t realize that”, it affects their choices on programming languages or avoids some of the common mistakes, drives them to their first OWASP meeting, gets them maybe to evaluate the differences between different frameworks. It&#8217;s not a silver bullet, but we simply can&#8217;t keep preaching to the choir that already knows about this.</p>
<p><strong>Amrit Williams:</strong> Yeah, I would guess that anybody you talk to in Security if you said, “We would really like to create more awareness around developers taking security development of their software and improving the security of it more seriously”, there probably isn&#8217;t a single person in Security that would disagree that that&#8217;s a good thing &#8212; or, a bad thing.</p>
<p>What I wanted to focus on a little bit, though, is that I did read the Rugged Software Manifesto, I reviewed the presentation that you guys put together, I tried to view it from the perspective of a developer and what I would think about it, and the one thought that I walked away with is when put in a context or against the backdrop of something like the Agile Manifesto is the way that the Rugged Software Manifesto is laid out &#8212; and for those folks on the phone who’d like to find out more about it, they can go to <a href="http://www.ruggedsoftware.org" target="_blank"><span style="text-decoration: underline">ruggedsoftware.org</span></a> and they can read the Manifesto there &#8212; is it&#8217;s presented in a way that I felt was a touch condescending, and I didn&#8217;t feel like it was empowering me. I mean, there had been the same struggle that has occurred with quality, and if you look at software development in the early ’90s, no one really took QA or Quality Assurance seriously. It was really difficult to get folks to use even tools that were well-known like Purify and Quantify, and then there was a lot of folks who looked at memory leakage, who looked at performance technology tools and they did get excited about being the ones who could develop less-buggy software.</p>
<p>And I felt that some of the language here is not as empowering. Am I reading this wrong? Is that a fair comment? I mean, how do you guys address the developer mindset, because it&#8217;s pretty much from a perspective of a Security Analyst reading this, say, would go, “I completely agree, I’m on board, I’ll do whatever I can to support you”. From a development perspective, I felt like it was worded in such a way that I took exception with it.</p>
<p><strong>David Rice:</strong> It listed a notion of a competition. And so the first perception is very important, and so I agree with you that the first impression of the taste-test sales, there is a difficulty there.</p>
<p>And then it&#8217;s also balancing against the fact that “Well, we have some very real data out there now, as soft as it may be; but we know that software is a critical aspect that&#8217;s enabling many of the attackers to come in”.</p>
<p>So part of what the Manifesto is doing is eliciting a notion of competition. And that is, developers typically live in a meritocracy; that is, it&#8217;s very much based on skills and capability. And what the Manifesto, in one of the lines of the Manifesto that we’re bringing out, is that this is a competition not between software companies, but between those individuals that wish to take away or undermine the value that these companies are trying to provide. So it’s not a competition between software companies; it is now a competition between attackers and the developers.</p>
<p>And one aspect of this is to elicit the notion that, “Well, who’s better here?” These hackers are talented; but we know that developers are far more talented. And certainly there’s pressures on their development: timelines, et cetera. Mainly it is a notion of trying to elicit this notion that there is a competition here between people on the outside wanting to undermine the software to get to the crown jewels of these companies, and the notion that, “Well, who’s really better here?”</p>
<p>And our vote is a very positive vote. It is that as Josh said before: developers are smart folks. These individuals are dedicated to their craft. And so that craft needs to reflect the mindset of the developers and not reflect the abilities of the attackers, which we’re seeing here getting far more press than the actual good software developers that are out there.</p>
<p>Josh, you have more to add on that?</p>
<p><strong>Joshua Corman: </strong>Yeah, I mean, I took the criticisms on the chin, and we did a lot of testing of the Manifesto language to make sure it was positive so that at least from a design perspective it was never our intention to be condescending; and I still take that criticism on the chin, and this is our 1.0 Manifesto and now that it&#8217;s out there we’re getting lots of great feedback on it.</p>
<p>I think when we presented this, someone said, “How is this different, Josh?” and I said, “Well, it&#8217;s different than other initiatives in this space in three ways”, and this touches on why I was disappointed to see that it didn’t pass the taste test universally.</p>
<p>But I said, “It&#8217;s different in three ways. Number one, we’re trying to get outside of the choir, because if we keep preaching to the same people who care about it, we’re only going to be solving a single-digit percentage of the community.</p>
<p>“Number two, it has to get to the hearts and minds, everything, the technology solution and the technology fix. This is going to be explicitly a hearts-and-minds thing, because we want to tap into a value set someone already has versus talking down to them. So we’re looking to just light a spark.”</p>
<p>I know you had Michael Santarcangelo on your program, and it&#8217;s the catalyst kind of idea: does this value set we’re putting forth resonate with you, and if it does then we want you to opt into it and light a fire and put you in touch with more resources.</p>
<p>And the third is that often in this space when we want to improve things we force people to do it, and this was intentionally not telling you “Thou shalt, thou shalt; you must. Here is a compliance mandate and a fine”. I mean, you and I, Amrit, have talked many times about the dangers of just using compliance regulatory and the stick instead of the carrot. This one was meant to be aspirational and look for the best in people, instead of assuming that they’re all incompetent jerks.</p>
<p>So I think you know me well enough to know that I have the respect level for these folks, and if we didn’t hit a homerun in the first set of language, this is a conversation that we’ve started. We believe the concept or the attribute of being Rugged as an individual, as a chunk, as an organization, as a chunk of code, as a website. We are now trying to give the mainstream a word that works better or a concept that works better than Security, because clearly we’ve been telling people to care about security and they don’t, whereas we do feel that this somehow has a stickiness in it, a more contagious concept that is more attractive to a business owner. Rugged Cloud or Rugged Datacenter or Rugged Website, something that might have tipped the scales in the economic conversation in a way that previous dialogue hasn’t.</p>
<p>So I think this intends to be aspirational and seek the best in people, and if we have got some rough edges, it’s this kind of feedback that&#8217;s going to help us fix that.</p>
<p><strong>Amrit Williams:</strong> Well, I completely agree, by the way. I’m very glad you didn’t call it The Secure Software Manifesto, because that would have been lambasted to no end, and what you’re really talking about in Rugged is survivability of the software itself in a very hostile environment, and I do appreciate that. I don’t think you guys wrote it to be condescending; but I was just making an observation as a developer, it almost says to me, “You’re doing it wrong; here, you have to do it right, and here is a set of values you should adopt”.</p>
<p>Developers, as you know, as you stated &#8212; which I really appreciated the way that David and you have stated that &#8212; is that they are very competitive by nature, and I think that there is a really nice thread for you guys to pull on here around driving competition for survivability and Rugged in terms of how folks develop software, as opposed to what is normally done, which is “You’re the root of all evil, you’re the reason we have these problems, you need to fix yourself”, which instantly puts people in a defensive type of stance, which is some of what you saw on the mailing list that we’re on, which was I think a natural reaction of folks that really work really hard &#8212; I mean, developers are some of the hardest-working people in the industry, and as David mentioned earlier, they take great pride in their craft, and more than most people in Security, they went to school and got degrees in the sector that they’re actually in right now. There are a lot of people in Security who don’t have that background. So I appreciate that.</p>
<p>I wanted to switch gears a little bit from this, because I don’t think you guys are again purposely trying to be condescending. I really like that you guys didn’t include the word “secure” in here and you went after something that has and represents something that is about survivability. It&#8217;s about Ruggedness.</p>
<p>One of the other things that struck me was, I think there’s a lot of frameworks, there’s a lot of methodologies out there that people can adopt. I mean, I wrote a paper I sent to you when I was at Gartner around adding security and enveloping securities as part of the software-development lifecycle: everything from threat modeling to code reviews and design reviews and blah, blah, blah that included a security perspective.</p>
<p>I don’t think you actually will have that hard of a time convincing developers that there’s things that they can do to better enable survivability and Ruggedness in their software. I think the challenge that a lot of developers have, and if you sit down with them &#8212; and I’m sure you have &#8212; and talk to them, the response is “I would love to do this; but Management is telling me I have two days to do something, and they won’t let me adopt the tools and the processes that I need to adopt to better enable this inside of my environment”.</p>
<p>So I wanted to ask you guys a little bit about how you have a conversation with organizations that do want to adopt this, but are struggling with the perception that there will be increased cost, longer times to market, all the other things &#8212; and by the way, we’ve been through this with QA and Quality Assurance already, and it&#8217;s already been proven, right, that finding bugs earlier in the cycle are obviously more economically attractive than finding them in the general public. So what is the type of conversation you have with an organization that’s struggling with the economic incentives of moving to survivable Rugged software?</p>
<p><strong>Male Speaker: </strong>There’s large systemic issues that come with this. One of them is just market pressure. And again, you know, Security is very good at defining doctrines, creeds, practices. I mean, we have a bevy of them. If you look all the way back to Watts Humphrey through the Software Engineering Institute, I mean, the man was given a medal by the President for his work in software quality; and yet a majority of the market really still ignores stuff that he’s really through fact proven that, yes, you can improve quality and security of software.</p>
<p>But I think what we have to realize from a Security perspective is that people don’t buy facts; they buy feelings. And part of that is a recognition of when I am pressured by my Managers to develop in a certain amount of time, I’ve got to make certain economic decisions; that is, my time is an economy, and there’s only so much time I can spend. Well, what Security comes in and does is throws in all these frameworks and all these things, and the immediate reaction is push-back: “There’s just too much for me to do”.</p>
<p>One of the aspects in terms of success is starting from where you are with what you have and do the best you can with it. And Rugged in its simplicity is simply a recognition of that bit flip in the brain that says, “Well, okay, I might not be able to do all this; but, I mean, heck, it&#8217;s there”. It’s just that notion that “Well, gee, I need to do this bounds check” or “I need to check this input”.</p>
<p>That’s different than having to do all these huge external-compliance frameworks, and really that’s what they come down to be is: you must do this to get secure software.</p>
<p>Well, what Josh, Jeff and I are really trying to look at is a value-driven, an internal mechanism where the hands on the keyboard have a mind behind it that says, “Well, wait a minute, what about this?” And if we get that one extra question in terms of “How do I make this software more resilient without having to go through all these frameworks, although they’re available”, then we’ve already started to change the direction of the ship. It&#8217;s a huge ship, and it’ll take years to change direction of; but once you get the hands on the keyboard and the minds that control those hands thinking just a little bit differently, that’s a huge success, because right now the value argument around secure software has not been made well. And so you can argue that, yes, fixing a bug after production or in production is 100 times more expensive than in the design time. Well, why do we still have bugs, then? I mean, we all know the economics. Why are we not paying attention to the economics? And it basically comes down to the value argument.</p>
<p>So what we’re trying to do here is make it an onramp; that is, the value argument is that it&#8217;s hard for organizations, because “people get it”. They know that “Okay, well, we might not be able to do everything in a purist mindset to develop secure software, but at least we can do something”. And if we can move towards Ruggedness, as opposed to achieving security, completely different level of expectations and there’s actually hope in that message. Like “Well, actually, if we do A, B and C, we might be able to get a little bit more Rugged”, as opposed to in a typical Security mindset you need Thous: thou shalt do ABCDEFGHIJKLMNOP &#8212; you know, you lost people at D. They’re already checked out at that point. But it&#8217;s conceptual to get people at ABC, wow, that’s a totally different ballgame.</p>
<p><strong>Male Speaker: </strong>Yeah. And there is no silver bullet. I mean, there are strong economic disincentives to doing this with the current mindsets, and we recognize that part of the Rugged movement here that started with a personal pledge, very personal language for the software developers; but it is our immediate intention to start working groups in business cases on successful ways in which if you’re an engineer you’ve sold security to your employer; if you are an employer, you’ve sold a new framework or a new methodology down to your employees. What are the business drivers?</p>
<p>I was talking to Wysopal at Veracode, and he and I had both started our careers in QA, it turns out; so we have similar heritage, I guess. But there are the traditional arguments, but there’s also arguments now and what he’s finding in the market is customers of the software can drive an economic action. So if someone is going to buy between your software package or a competitor’s software package, they’re putting in their RFPs now to have the static and dynamic testing done and the analysis done by either Jeremiah&#8217;s company or one of the other product suites or Wysopal&#8217;s at Veracode, and there are other value levers that are going to be outside the range of what an individual developer could do.</p>
<p>But I also can’t forget for a second that my first pragmatic marketing course or product-management course said something like, “He or she who owns the compiler wins”, right? So don’t ever forget that the hands on the keyboard ultimately are the biggest tipping point on what the outcome is.</p>
<p>(00:20:04)</p>
<p>So despite deadlines, if you have a programmer who now knows not to use a risky system call or in the language selection on which programming language they’re going to use or which influence in their methodology, a tremendous amount of power and purview and influence comes from each individual developer at the end of the day.</p>
<p>So this is how you change the world: just kind of one person at a time, one project at a time. And it&#8217;s not going to be just in the hands of developers. It&#8217;s going to be a multi-altitude, multi-point of attack, and now we at least have a sticky concept that&#8217;s hopefully more effective than just calling things secure.</p>
<p><strong>Amrit Williams: </strong>Yeah. And I actually agree with that in a paper that I wrote &#8212; god, I think I wrote that back in 2005 or 2004. I actually put a prediction in there that by 2008, organizations would start adding the security of the software itself as a critical evaluation factor. So it&#8217;s very encouraging to hear that you’re seeing the folks at Veracode and WhiteHat hearing that back from the market. That&#8217;s definitely an encouraging thing.</p>
<p>I wanted to talk a little bit about real quick, you&#8217;ve mentioned a couple of times the economic disincentives for adopting this, and I want to switch the bid a little bit because I think there&#8217;s actually a lot of economic incentives for people to make their software more secure &#8212; “more secure”, I’ll even stay away from that  &#8212; but just more survivable and more Rugged, because of the impact that it could have in market adoption. But the problem is that it&#8217;s very difficult to prove that, and companies are very slow to respond to those market dynamics.</p>
<p>I mean, everyone always points to Microsoft as a great example of a company that does this well. They didn&#8217;t do it by choice, and they didn&#8217;t do it quickly. They did it very slowly over time, because the market really pressured them to do it.</p>
<p>You look at Adobe, and I don&#8217;t imagine Adobe is going to do anything quickly, either. They’re trying; but it&#8217;ll probably be a while before they actually get a response that&#8217;s acceptable by the market. It almost seems like this is so much market-driven.</p>
<p>But how do you raise that conversation up to an executive so that they understand how critically important it is, that it&#8217;s on the same level as software quality, that they do invest in it and that they do understand now?</p>
<p><strong>Male Speaker: </strong>I think we&#8217;re really soft on the business cases, yeah. And I know that Jim Routh, who was formerly CISO at DTCC, Depository Trust &amp; Clearing Corporation, in the program that he built up, over time he could show about a 10% to 12% savings over the lifetime of any given project when they embedded security into the actual project, as opposed to waiting until afterwards. If you walk into any executive office and say, “Listen, I can save you 10% to 12% on this project”, certainly that’ll raise the eyebrows.</p>
<p>But Gary McGraw has a great counterpoint, not directly to Jim; but the problem with metrics is that they’re like body organs: all of us have them, but I can&#8217;t take my liver and put it in Josh’s body without some consternation from Josh’s body.</p>
<p>So we can take certain metrics and try to apply them to other organizations, but we’re still at a very nascent stage in terms of the business concept or the business drivers of software assurance. And so we can make some fairly good statements; whether or not those statements apply across the board will always be open to debate.</p>
<p>But I think a lot of Security executives are out there &#8212; and maybe line-of-business executives in some instances &#8212; who actually see that value that is in a recession-pressured company to actually start realizing savings. I mean, if you look at cost-avoidance mechanisms, if we put in a CFL light bulb, we can show you a payback period in a two- to three-year timeframe. So we know it might be a large upfront expense, but we get a payback period of three years.</p>
<p>In software assurance, we’re still not quite there yet; but we’re getting closer. So between Jim&#8217;s work and other executives out there, I think people are starting to get their heads around how we can actually show the payback period for the business case of software assurance. We still have a long way to go.</p>
<p><strong>Amrit Williams: </strong>It&#8217;s going to be critically important, because even when you do win over the hearts and minds of the developers, just as you would in the example that Josh gave about the memory problems or the boundary problems that they experienced in the &#8217;90s, it was difficult for the developers to adopt. I imagine that even when they said “Completely agree”, there still had to be an economic case made to the executives that “I do need to invest in software, I do need to change processes and policies, and there will be a near-term impact hopefully to sustain a long-term gain”.</p>
<p>And so this is going to be really important to drive this message out is to wrap it around an ecosystem that can support those values and those ideals. So it&#8217;s really encouraging to hear that you guys are also pursuing those things, because there is, as you state, David, a real lack of that information as it pertains to this area.</p>
<p><strong>Joshua Corman:</strong> Yeah, you know, we’ve encountered quite a bit of like passionate and enthusiastic support from some places we never even anticipated. Like when I was talking to Joe Jarzombek from the Department of Homeland Security, and he was just a really enthusiastic supporter. And the enthusiasm’s been there and so has the criticism, and what I noticed after I got some of the criticisms, which was pretty much the minority; but people are looking like “You’re not going to have a quick fix, Josh”. And I said, “I know we’re not going to have a quick fix. This is a long view; we’re taking a long view at this”.</p>
<p>In fact, I actually expect that some of the more fruitful progress we’re going to make has been with the conversations I’ve been having with universities that have an undergrad or postgrad program. And I’m not saying that we can&#8217;t teach an old dog new tricks. I mean, the people whose kids play with my kids, they’re still programmers, and just simply talking to them about this, they’ve already started looking into things, they’re going to go to their first OWASP meeting in the area, and I think we’re going to have some impact on the existing population. But we kind of have to have a long view. This is going to take time. Maybe it&#8217;s five years, maybe it&#8217;s ten years; but we were kidding in San Francisco and said, “What&#8217;s security going to be like in 100 years?” And I think there’s a tendency in the Security market to want a quick fix. Well, guess what? A bunch of quick fixes and instant Band-Aids, we’ve got that and we have 70 different product markets, and we’ve got firewalls and IPSs and the number of pizza boxes you could install in your network perimeter is staggering, and those quick fixes aren’t really getting at the systematic issues.</p>
<p>So this is not going to be a quick thing, it’s not a silver bullet; but I think the hearts and minds giving some sort of sticky concept that can be used at universities and the purchasers of software, the developers of software &#8212; I mean, heck, I didn’t even intend this initially; but as the Cloud adoption happens, there’s going to be datacenters or Cloud services that will have some failures, and how can they articulate in business terms that their Cloud is more Rugged or survivable than someone else’s Cloud? So this could become an economic token or totem that can be used to essentially slowly crank up the awareness, the design, the education; so it’s not going to be quick overnight, but it is going to hopefully permeate the way we approach these offerings.</p>
<p><strong>David Rice:</strong> And not to spend too much time on it, but at the highest level in economics there’s really two driving forces: one, people will do whatever they can to make themselves better off; and, two, which is probably more important than one, is that people will not consciously do anything what they feel they’ll be worse off for doing. And right now we can simply answer the question of why don’t people or why don’t software developers do security a lot in their code? Well, because they don’t believe they’re going to be better off for doing it. I mean, at the highest level it’s the simplest question that they’re asking yourselves: will I be better off for doing this? And the answer is probably not. I know I’ll be worse off, because I’ve got more frameworks, I’ve got more work to do, I’ve got time pressures.</p>
<p>So at the highest level, economics really isn’t about numbers; it’s about people. And so what we’re trying to address is a core incentive, and that is again that bit flip that goes from “Oh, my gosh, I’ve got to do all this stuff” to being right to “Well, gee, if I can aspire to Ruggedness, can do what I can where I am to the best of my ability and actually make some progress” &#8212; and that’s hugely important, because then all of a sudden, like I said, people don’t buy facts, they buy feelings. Well, Rugged is a feeling, and that’s really important because what that does is drive different behaviors. And ultimately if they feel they’re better off and not worse off for becoming Rugged, well, then that’s a huge win for us and that’s a key aspect that “No, you can’t buy a pizza box for this; there’s just no way to do it”. And so we really want to get to the hands on the keyboards, because that’s where both the solution is and the aspiration.</p>
<p><strong>Amrit Williams:</strong> And I appreciate that. I wish you guys the best of luck.</p>
<p>For those out there who want to get more information, they can visit <a href="http://www.ruggedsoftware.org">www.ruggedsoftware.org</a>. This is Joshua Corman, Enterprise Security Practice Research Director from The 451 Group who joined us, and David Rice, Executive Director at The Monterey Group.</p>
<p>Guys, I really appreciate you guys joining us today. If folks want to hear more from you directly, how can they contact you guys? Josh?</p>
<p><strong>Joshua Corman:</strong> I’m on Twitter at Josh Corman, J-O-S-H, C-O-R-M-A-N; or email me at <a href="mailto:jcorman@the451group.com">jcorman@the451group.com</a>.</p>
<p><strong>David Rice:</strong> And you can contact me at <a href="mailto:david@montereygrp.com">david@montereygrp.com</a>, M-O-N-T-E-R-E-Y, G-R-P, dot com.</p>
<p><strong>Amrit Williams:</strong> Really appreciate having you guys on, wish you the best of luck; I’ll see you guys at RSA, correct?</p>
<p><strong>Joshua Corman:</strong> Yes.</p>
<p><strong>David Rice:</strong> Wonderful. See you there.</p>
<p><strong>Announcer: </strong>You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix. Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/02/20/is-your-software-rugged/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 76: APT&#8217;s Vs. SMT&#8217;s</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/02/13/episode-76-apts-vs-smts/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/02/13/episode-76-apts-vs-smts/#comments</comments>
		<pubDate>Sat, 13 Feb 2010 10:44:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/02/13/episode-76-apts-vs-smts/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses advanced persistent threats and subversive multi-vector threats with Will Gragido and John Pirc of Cassandra Security.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter, and today I’m joined by Will Gragido and John Pirc. Guys, thank you for joining me today. [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses advanced persistent threats and subversive multi-vector threats with Will Gragido and John Pirc of Cassandra Security.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-246"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on <em>Beyond the Perimeter</em>, and today I’m joined by Will Gragido and John Pirc. Guys, thank you for joining me today. Before I turn over, I just want to give a brief introduction.</p>
<p>Will Gragido is the President of Cassandra Security. John Pirc is the Director of McAfee for the Network Security Business Unit and cofounder and security researcher at Cassandra as well.</p>
<p>Will, why don’t you tell us—tell the audience a little bit about yourself and we can then move on to John and what he’s been about and what he’s been up to, and then we’ll talk a little bit about Cassandra and a little bit about some of the threats firsthand.</p>
<p><strong>Will Gragido: </strong>Excellent, yeah. Thank you very much Amrit. My name is Will Gragido. I’m the President of Cassandra Security. I’m an information security researcher, analyst, consultant and writer. I’ve got about 15 years experience in the industry working on both public and private sectors, DOD intelligence information security communities where I cut my teeth and then spent many years with consultancy such as Dr. Anderson in the International Network Services. In addition to working with houses such as internet security systems, McAfee for a brief period of time of research and then finally started off with Cassandra. Thank you for your time. I’m glad to be here.</p>
<p><strong>Amrit Williams: </strong>Thanks for joining. How about you John?</p>
<p><strong>John Pirc: </strong>Thanks Amrit. I do appreciate you having both of us on here. So yeah, for me it all started when I worked for the CIA. I worked at the CIA in cyber security doing information assurance for quite a few years, then went on to be CTO of a small company that served the government. Then I moved off to Cisco. That’s kind of when I transitioned away from more of the consultative stuff I was doing and more to the product side of the house from the vendor perspective. So I worked for Cisco in their security business unit on their Intrusion Prevention Systems, then moved over to ISS after it was acquired by IBM. And then just most recently, I just came over to McAfee as Director running with their network—their next generation firewall.</p>
<p>I’m really excited about what we’re doing with Cassandra. We started Cassandra about a year ago. Several of us kind of came together that really have a passion and love for security. And furthermore, we really wanted to make a change based upon our worldwide experiences in security and pass the information on. But again, we’re really excited to be here.</p>
<p><strong>Amrit Williams: </strong>Well, we really appreciate you guys joining us today, definitely some great backgrounds. What gap do you feel that Cassandra is filling right now?  There are certainly a lot of folks out there doing consulting. You guys have great experience. You’ve clearly been able to leverage that on both the commercial and private sector side, but what is it that Cassandra is providing to the industry that you feel is not being provided?</p>
<p><strong>John Pirc: </strong>When we look at some of the gaps that are out there, one of the biggest things from our efforts that are our focus is really critical infrastructure security. Obviously, if you look at the news out there today, you’ll read all sorts of stuff on Aurora. You’ll read about Exxon Mobil. You’ll read about all these different critical infrastructures that are getting attacked. And one thing that we saw that was kind of missing was really going after these heightened attacks from a critical infrastructure perspective because when we look at I guess the whole field of information security, it’s absolutely wide and deep but when you really start looking at protecting critical infrastructure at the highest level, that kind of bubbles down.</p>
<p>And what we really want to do is bring out more awareness, and then more awareness with respect to this notion of advanced persistent threats, and we’ll talk a little bit about how we’re categorizing that under a different name. But our goal is, you know, more from an educational perspective to get this information out, and then furthermore understanding what are some of the mitigating technologies out there that can actually help stop and thwart some of these attacks, A, and B, at least identify that this sort of activity is going on in your network. And then also clearly pointing out that the advanced persistent threats are going to cross over onto the mainstream, and we saw a great example of that with Aurora. Will, do you want to add to that?</p>
<p><strong>Will Gragido: </strong>Sure. I feel that the gap that we address is a rather deep one, largely because, as John has alluded to earlier, the primary areas that are focused on research are really somewhat esoteric and not that well known in the commercial space. We were fortunate in the sense that we grew up out of the DOD community and out of the intelligence community, as many of our other researchers did. And we were exposed at very early stages to those types of threats in our travels or our traversal through the industry.</p>
<p>We spend a great deal of time focusing on the intricate ties between the cyber criminal world and how they relate to state and non-state causes of attacks and activities from a commoditization perspective, in addition to following the trends that lead into the commercialization and the enterprise initiatives that we see going on globally. So the advent of hacking as a service, cyber mercenarism, cyber warfare certainly, cyber espionage, and we wanted to address those things in a very real manner that does not invoke an inordinate sense of fear, uncertainty and doubt, but speaks to the truths that are out there while also bringing some hope and also introducing some technological, as well as risk management based, principles that can aid in addressing these things, ideally in tearing down the risk factors of the environments that John mentioned earlier, critical infrastructures and various other domains that we see being exploited actively today, historically and in the future.</p>
<p>(00:05:41)</p>
<p><strong>Amrit Williams: </strong>Well, we talked about these APTs. The level of sophistication has definitely increased. The level of stealth along with that sophistication has increased over the years, but we’re not really talking about anything new. Why don’t you provide for the audience your definition of what we’re talking about here, some of the ways you guys look at it, and then let’s get some thoughts on some of the things folks can be doing to better protect themselves.</p>
<p><strong>Will Gragido: </strong>Sure. We—I think it is somewhat of a nebulous term and it’s becoming a little bit more nebulous in the sense that it means a lot of different things to a lot of different people.</p>
<p>Our view of the world and the things that we deal with on a day to day basis from a threat perspective is somewhat different than I would imagine the generalized interpretation of what those threats are today.</p>
<p>John talked about Aurora for example. Aurora is an extension of Titan Rain. Titan Rain has a long and well documented history, for example. It certainly wasn’t the first nation-state threat, if you will, if you categorize it in terms of an evolving crisis. It was really initially actively identified in 2002, 2003, 2004 out of the DOE laboratory environments. But there were certainly precursors to that particular event. Things like Moonlight Maze, Solar Sunrise for example, a whole host of other things. It would include GhostNet. So we took our research, we took our expertise, and we applied that to the problem. And then we said APT, as the industry looks at it today, really focuses on the technological element, so the technological threats.</p>
<p>However, technology is only one aspect of exploitation. We spend a lot of time, based on our backgrounds and our research, focusing on a larger picture. So we take a more comprehensive view of the world, and that led to the development of what we call the Subversive Multi-Vector Threat. What that means in a nutshell is really the body of activity that surrounds the breadth of activity in the industry, as well as the public and private sectors, which takes traditional technological threats and points of exploitation, and marries those with the non-traditional. So things such as human intelligence gathering and exploitation, open source intelligence gathering, a whole host of other things, and merges those together to look at a more comprehensive picture, and really to put together more of a mosaic view of the world.</p>
<p>In our opinion, the APT from a technological perspective is maybe a part of an SMT. SMT doesn’t have to be an APT. It can be exploited and it can be leveraged from more of an interpersonal perspective. The act of exploitation of personnel for example for intelligence gatherings wherein a technological mechanism could be introduced such as GhostNet or it doesn&#8217;t necessarily have to be present. But our view is a little different of the man in the greater industry, and really that’s where we focus.</p>
<p><strong>Amrit Williams: </strong>And that’s fair. There are a lot of folks who listen to podcasts who are in IT operations and not necessarily focused just on security, so they may need just a little bit of help with some of the things you just said. So to break it down, if you had to give a one-paragraph sentence on what you represent as APT versus SMT, just in a—this is what it means and this is how it’s different from what you’re seeing today.</p>
<p><strong>Will Gragido: </strong>I think a good example would be GhostNet, for example. GhostNet was a nice example of a traditional technology, one that certainly wasn’t advanced, the Gh0st RAT, that was actively leveraged by—in this case, the Chinese National Government for the exploitation of the Dalai Lama and his office in Tibet and India. So what occurred there was a very sophisticated attack leveraging antiquated technology, certainly not being high speed and low drag, to accomplish the mission. A very, very successful mission in that it exploited somewhere around 1300 to 1400 hosts globally, and by virtue of that exploitation, people were able to extract a great deal of information. So that’s the technological APT.</p>
<p>However, when we start looking at the expense of more kind of alluded attacks from the ecosystem perspective, SMTs take into consideration not only the introduction of a technical threat but takes into consideration traditional intelligence, I guess you would say vantage points and threat vectors, so compromising human intelligence.</p>
<p>(00:10:08)</p>
<p>We look at things like, for example, historical examples like are there aims. We look at things like Clayton Lonetree, who is a former United States Marine embassy guard who was exploited by the former KGB before the Cold War ended, that’s why they followed the wall and the Cold War ended it, for the express purpose of gathering intelligence and information about embassies, about Europe.</p>
<p>And we tend to believe that we’re dealing with a much more advanced adversary. As a result of that, the technological idiom may only be a portion of the actual full attack, and it doesn’t have to be the full embodying of the attack. It could only be a tool if you will a stepping stone to actually getting to the actual heart of the target and that’s where I think the differences are. I think that’s somewhat of a condensed version of what an APT is.</p>
<p><strong>Amrit Williams: </strong>So it has taken into account not only traditional methods of exploiting humans, social engineering targeting specific folks for exploitation, but also leveraging common attack factors, as well as unknown or possibly targeted malware to basically infiltrate and do certain things after they’ve reached around and grabbed through maybe basic misconfigurations and whatnot.</p>
<p><strong>Will Gragido: </strong>Absolutely.</p>
<p><strong>Amrit Williams: </strong>So if you think about that, right now the majority of organizations—and I think all of us can agree to this—regardless of private or public sector, can barely do the basics. I bet almost any organization you’ve worked at, if you ask them how many assets are actively connected to your network right now and what are they doing, I’d bet almost nobody in any of those organizations can answer that with a definitive statement.</p>
<p>So knowing that we can barely do the basics, how is an organization supposed to start dealing with some of these more exotic threats?</p>
<p><strong>John Pirc: </strong>That’s a good question and that’s something—in traveling around the world, you hear that a lot. When you talk to some of the C-level audiences, they’ll come to you and say, “You know, I don’t even know what I have on my network” and they feel bad because of this, but we know that that’s common.</p>
<p>So when we start looking at—well, what do you need to protect yourself?  And obviously, you have your core infrastructure security devices, so you have your end point you have your network security devices. We think all those are good, right?  And they are a must-haves. But when you really start looking beyond the envelope and understanding really what’s going on in your network, a lot of it has to do with what’s profiling on your network. So when we look at things that are typically from an IT perspective or nice to haves like NBA for example, Network Behavioral Analysis, things like these are really great, the who, when, where, what, why of the what’s going on in your network.</p>
<p>But what me and Will have kind of take a look at, and this is no plug, but it’s just understanding what’s going in the network is getting products adopted like, NetWitness for example, being able to have the capabilities of really understanding your data flows and how they’re going through your network. When you start looking at these advanced attacks, you have this whole notion of 80-20, 80% that are generalists, 20% that are highly technical. I think between us here, we fall on that 20% but I think to your point, how do we reach that 80% crowd and how do we enable them?</p>
<p>I think the first thing is understanding there is a big problem out there, and be it an APT or SMT, Subversive Multi-Vector Threat, understanding what they are, how they can infiltrate your network, and what are the proper tools that you need to mitigate them. And I think from the different vendor communities out there, I think a lot of them are trying to answer that question, because when you look at some of these attacks, they&#8217;re using cryptography to encrypt the payloads to try to get through AV, to get through the network IDS, the firewall, etcetera.</p>
<p>But when you’re really looking for these APTs, you know, me and Will were having a discussion, it’s basically stealing in broad daylight, right? I mean these things are very silent, they’re very slow, and it’s just a matter of how you get around these certain mitigative controls. But I think the biggest thing—and when you talk about the whole notion of people process and technology, it’s not so much a technology problem because there are technologies out there that can at least identify this. Now, there’s no silver bullet. But from our perspective, it’s getting it to the people and letting them understand what is this, how do you identify it, and how do you stop it. And no one is immune to it now because as Will mentioned before, these types of attacks were completely targeted toward the Intel, DOD, global financials research organizations, defense, industrial base, etcetera. Now, with those skill sets, those have now traversed over into the commercial sector which is going to make a big headache for all of us as what we saw what happened with Aurora.</p>
<p>(00:15:09)</p>
<p>So I think it’s really understanding what it is and getting that message out, and then having ways to mitigate them. And that’s what me and Will are working on and the team on delivering this set of papers on critical infrastructure. So it’s kind of identifying what are some of the problems out there but then coming back around how do you mitigate these more effectively.</p>
<p><strong>Will Gragido: </strong>I was just going to say that I think from a technological solution set basis, and in terms of talking about bringing technologies to our own research, we spend a great deal of time addressing a lot of the areas which are either—I don’t want to say ignored, but I will say misunderstood by the greater industry at large, things like cryptoviral extortion, subliminal channel introduction, things that were typically introduced and utilized, which are not new, again, technologically, but introduced and utilized within the realms of, as John mentioned earlier, DOD, the industrial base, the Intel community, that are seeing a higher utilization within non-DOD or non-public sector environments. So those are problems that are real and they’re present.</p>
<p>Now, cryptographic solutions from a payload perspective, cryptography—a whole other things which are more esoteric, a little bit more alchemic but definitely real.</p>
<p><strong>Amrit Williams: </strong>I completely agree with you, so let me pose two challenges here. One is that I think that most in the security industry, especially those that have been doing this for quite some time, would completely agree that the level of sophistication of threats out there has definitively hit a new plateau. The exploitation mechanisms that are being used and the multi-faceted nature of them are becoming extremely sophisticated. Most commercial entities and, I would say, based on my experience in dealing with the federal agencies, both on the DOD and Intel side, most organizations have trouble just dealing with the stuff that’s being thrown at them like a massive tsunami on a daily basis, such that it’s very difficult for them to wrap themselves around the exotic.</p>
<p>And I think one of the things we have to get very good at in the security industry is helping people to recognize how they can find balance in dealing with the advanced exotic-type threats that we see, as well as the day to day threats and the day to day activity that most organizations simply are terrible at in the first place. And they can’t even stop the basic blocking and tackling on their daily basis, let alone stop these advanced threats. And we do need to find that balance because what we see happen a lot in the commercial world is people start reframing the risk to an organization based on level of sophistication because of the talks that we all do in the security industry and they let their guard down on some very basic stuff. They build very nice high perimeters and they leave a window open or their back door open and they don’t see some of these basic stuffs. But I do think you guys are doing an excellent job on that.</p>
<p>The second challenge I want to pose at you when we come back, and we’ll come back on the second podcast here, is one of my issues with network monitoring. I had a brief conversation with Richard Batelick about this who is obviously a big proponent of monitoring ingress and egress traffic flows into all critical infrastructure within a corporate organization, is that the answers that we usually provide to solve problems that we see or we see coming are always hindered and handicapped by the evolution of the network environments themselves.</p>
<p>So I’ll give you an example. You simply can’t monitor the ingress and egress of traffic flows from a computing device that isn’t on your network that’s accessing corporate resources that’s being maintained by a third part in the cloud.</p>
<p><strong>Will Gragido: </strong>Amen! Absolutely.</p>
<p><strong>Amrit Williams: </strong>So what I actually want to do is, as we come back, I want to focus on that, because cloud computing, infrastructure as a service, platform as a service, software as a service, these things are being adopted. We know Vivek Kundra, for example, has a big initiative to drive cloud through the US government. Almost every large commercial entity is looking at these things, and the traditional methods that we would have applied five years ago to help stop these problems are becoming handicapped by the new evolution and the new adoption.</p>
<p>So we’ll be back real soon with our next podcast. I want to thank Will and John for joining me and we’ll talk to you real soon.</p>
<p><strong>Announcer:</strong> You have just listened to <em>Beyond the Perimeter,</em> sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/02/13/episode-76-apts-vs-smts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 75: Women in Security, and the Pitfalls of Offshore Banking</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/02/06/episode-75-women-in-security-and-the-pitfalls-of-offshore-banking/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/02/06/episode-75-women-in-security-and-the-pitfalls-of-offshore-banking/#comments</comments>
		<pubDate>Sat, 06 Feb 2010 09:12:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/02/06/episode-75-women-in-security-and-the-pitfalls-of-offshore-banking/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses with Andrew Hay the challenges women in security face and also the many security issues surrounding offshore banking.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Andrew Hay, who again, for anyone who missed it, is [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses with Andrew Hay the challenges women in security face and also the many security issues surrounding offshore banking.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Andrew Hay, who again, for anyone who missed it, is a Devastatingly Handsome Author, sporadic blogger, BBQ Junkie, and security strongman. Andrew, thanks for joining me again.</p>
<p><strong>Andrew Hay:</strong> No problem.</p>
<p><strong>Amrit Williams:</strong> So we were talking a little bit about, before, in the prior podcast, about one of the submissions you have for SecurityBSides. You actually have another one, which I find fascinating. It’s actually a panel on women in security, and I think the title is ‘<em>Ruffled Feathers</em>’. Is that the correct title?</p>
<p><strong>Andrew Hay:</strong> The full title is ‘<em>Unicorns, Clubhouses, and Ruffled Feathers</em>: <em>Women in Security</em>’.</p>
<p><strong>Amrit Williams:</strong> Right. And it’s a panel, as I understand it, about women in security. So of course it begs the question, and we were talking earlier about personal and private lives. What exactly are you doing on the panel?</p>
<p><strong>Andrew Hay:</strong> You make it sound like we had some sort of secret conversation that kind of prepped me for this; in my past life, I like to dance in the evenings.</p>
<p>So really Erin Jacobs and Jennifer Jabbusch are the two prime people on this panel. And Erin put out a tweet saying, or she made a post saying, we are looking for other people to sit on the panel, let us know if you would be interested. And I thought, you know what, why not? So I contacted Erin and said, yeah, sure, why not, I will be on the panel.</p>
<p>Apparently, I am giving the male view so far. I don’t know if anyone else is going to be on the panel giving the male perspective, but I definitely will be.</p>
<p>I think I have a lot to add. My mother has been very successful, not necessarily in IT, but in business, working for the government. She has moved up the ranks quite quickly over the years.</p>
<p>I have worked with a lot of women in IT and in security, and I know the kind of things that they have had to go through to get ahead and to prove themselves.</p>
<p>I actually worked for an amazing woman, Daniella DeGrace, when I was at Q1 Labs, who, you could tell that everything she did was for the business and for her career. She was so driven. She just made you want to work harder, because you wanted to emulate her work ethics. So I hope that I can bring those kind of insights to the panel.</p>
<p><strong>Amrit Williams:</strong> Oh, that would be fantastic, and it’s interesting because there actually are quite a lot of really intelligent, highly motivated women in the security industry that I think we all have a lot of respect for. Do you think that the security industry is easier for women to get into and respected than other industries inside of IT? And it’s probably an interesting discussion, because neither of us happen to be women, so we don’t have the experience.</p>
<p><strong>Andrew Hay:</strong> So far as you know.</p>
<p><strong>Amrit Williams:</strong> So far as I know, right.</p>
<p><strong>Andrew Hay: </strong>I don’t know if it would be more difficult than any other aspect of IT. I think though with social media and communications channels, I don’t know that there is a perception of difference between women and men in IT security, to the extent that there would be in, let’s say, accounting or business. Because there is that stigma that’s been around for 50, 60 years of like, well &#8212; that show, <em>&#8216;Mad Men&#8217;</em>, is a great example for that, where the men are always right and the women are little playthings in the office.</p>
<p>I don’t see that same sort of thing happening in this day and age in IT security, because security is really a new field, and we are kind of blazing new trails with that clear path. But I could just be wrong.</p>
<p><strong>Amrit Williams:</strong> Well, I think for us, because we have a respect for what they bring to the table versus who they are, physically, probably helps. But it’s going to be an interesting panel. I know you had given some information on how to vote for that panel. It’s going to have yourself, Jennifer Jabbusch, and Erin Jacobs. The panel is Unicorns, something and Ruffled Feathers. Can you just say that again?</p>
<p><strong>Andrew Hay:</strong> <em>‘Unicorns, Clubhouses, and Ruffled Feathers: Women in Security’</em>.</p>
<p><strong>Amrit Williams:</strong> It sounds fantastic. And people can vote for that by sending, I vote for Unicorn’s &#8211;</p>
<p><strong>Andrew Hay:</strong> It’s Ruffled Feathers, just Ruffled Feathers, we have shortened it; there are only so many characters you can use in Twitter.</p>
<p><strong>Amrit Williams:</strong> And they can tweet that to, at SecurityBSides?</p>
<p><strong>Andrew Hay:</strong> Yes.</p>
<p><strong>Amrit Williams:</strong> Okay. I want to switch gears a little bit, Andrew. You spent some time in Bermuda, and you actually have a talk coming up at SOURCE Boston, that’s in March, right?</p>
<p><strong>Andrew Hay:</strong> That is in April.</p>
<p><strong>Amrit Williams:</strong> April, at SOURCE Boston. I should get my facts straight before I get on the phone, don’t you think? You will probably let me know that. I am clearly not a journalist.</p>
<p>(00:04:58)</p>
<p>So yeah, you spent some time in Bermuda and you have got a talk for SOURCE Boston in April called Failagain&#8217;s Island. And I was actually quite intrigued by the concept that you put together about your time in Bermuda and what you are going to talk about. So if we could touch a little bit on the subject there and what your talk is going to be about, a little bit about your experience when you were in Bermuda.</p>
<p><strong>Andrew Hay:</strong> Sure. So when I went to Bermuda, I really needed a change from my everyday life and I thought, what better way than to go to an Island Paradise and work there.</p>
<p>The unfortunate thing is that, in Bermuda, technology is about 10 years behind, especially security. It’s not something that companies really want to invest in, and I think that’s probably true for a lot of island nations, because it’s &#8212; I guess the water gives people a false sense of security that nothing is going to happen, or we are this tiny little island in the middle of nowhere, no one is going to attack us.</p>
<p>And I can&#8217;t remember the article or the study that I saw, but apparently small island nations are kind of breeding grounds for first trial attacks, because no one is going to detect them, no one is going to report them. If I can exploit something there, then I can probably exploit it someplace that is more secure and more aware.</p>
<p>So the idea of Failagain&#8217;s Island is really &#8212; it’s not specifically about Bermuda, it’s just about all island banking nations in general. Because half of the world&#8217;s capital flows through offshore centers, and tax havens have 1.2% of the world&#8217;s population, but they hold 26% of the world’s wealth, which is a little scary.</p>
<p>What if your bank was in Haiti, and you went to the ATM machine, or you decide, okay, well, my bank is destroyed, I want to get all my money off of that island right now. Could you? And right now I don’t know the answer to that. I don’t know if you would be able to access your money and transfer it out. Even though it is all electronic right now, I don’t know that you would be able to get your money back as quickly as you would want, compared to going to the local bank, for instance, and taking your money out with your ATM card.</p>
<p><strong>Amrit Williams:</strong> I know that &#8212; I would imagine, and correct me if I am wrong, that these banks do take physical security and other aspects of security quite seriously, especially since they are probably dealing with a clientèle that &#8212; at least some aspect of their clientèle has probably some very strict demands around privacy, and not wanting federal agents of certain Western governments to see what they are doing.</p>
<p>But it sounds like what you are saying is, they are pretty cavalier about security when it comes to their digital assets. And first, is it true that they take the other aspects of security seriously, or is that not true at all?</p>
<p><strong>Andrew Hay</strong>: I think it really depends. There is a lot of risk acceptance and risk avoidance. A lot of these small island nations have their own rights or have their own laws for dealing with breaches, if they exist at all.</p>
<p>The times I see where these sort of breach laws and compliance regulations come into play is if they have to deal with a European Union country or with United States or some other world power, because that’s where &#8212; when the money is passing in those electronic lines, they have to be compliant at the end.</p>
<p>I am by no means a compliance expert or a regulatory expert, but those are &#8212; if things are just kept locally, predominantly, you are going to be subject to the laws of that country.</p>
<p>Bermuda is a good example. They don’t really have a lot of privacy legislation in place. They are working towards it, but it hasn’t been seen as a priority until like the last five years. But they are working towards it very slowly.</p>
<p><strong>Amrit Williams:</strong> And the island nation laws are interesting. I do know that many months ago when I was looking at how Internet gambling was progressing, there was actually a company that was publicly traded on the NASDAQ, I forget the name, I think their symbol was star. They were based in Toronto, Canada, and they were publicly traded, they had operations out of Antigua, and they were creating turnkey Internet gambling sites.</p>
<p>And the Royal Canadian Mounted Police, working with the FBI, raided their offices and shut them down. They had funneled so much money through Antigua and they had such a large operation in Antigua that the government in Antigua basically gave them amnesty and sent a letter to the U.S. government stating that they were now citizens of the sovereign country of Antigua, and there was nothing that the U.S. could do. They became delisted, but the company didn’t go under, they just simply moved operations to one of these island nations, and there was very little that the U.S. government could do. I mean, I am sure they could have exerted pressure if they wanted to, but I don’t think the case warranted that.</p>
<p>(00:09:51)</p>
<p>So it becomes interesting when you talk about, then how do those island nations deal with the demands for sharing compromise and breach information that makes all of us better able to respond to threats, which is a big demand that a lot of folks are asking for the new cyber coordinator to implement. We need more transparency. We need more ability to share information. We need to allow mechanisms for that to be anonymous. And then you have these island banking nations, that are very much driven by privacy of the folks who use their services; how do you incorporate them into that process, and can you?</p>
<p><strong>Andrew Hay:</strong> I honestly don&#8217;t know. A lot of islands are still, I will say, parented by European Union member countries, and I am really not sure if those disclosure rules and regulations trickle down to the island nations, I really don&#8217;t know. I would hope they would, so that there would be some sort of sharing and &#8212; I don&#8217;t even know what to call it, some sort of sharing in place for breach notification and disclosure, and some sort of standards and regulations that they can abide by. I think it is very ad hoc and it&#8217;s up to that country to decide if that&#8217;s the road they want to go.</p>
<p>I can tell you that no country ever wants to be labeled or to be known as a tax haven, they take it very seriously, because they don&#8217;t want to be known as some place that you can dump your money and not have to pay taxes and elude taxes of your home country. They hate that.</p>
<p><strong>Amrit Williams:</strong> Especially given what the U.S. government is doing right now, they are in that. They are pretty aggressively going after this, what&#8217;s considered to be tax havens.</p>
<p><strong>Andrew Hay:</strong> Yeah. And like really these nations want to be known as offshore banking options, where if you want to put your money in another country&#8217;s bank, then by all means come to us, but provide us with the proper paperwork and show us that you are acting within the laws of your country and what our country says is legal.</p>
<p>I will give you a good example. In Bermuda, you can&#8217;t get off a plane with a suitcase, go to the bank and say, hi, I am so and so, I would like to open up an account. They will say no. Because there are laws in place to prevent that from happening, and a lot of the island nations subscribe to that. And for the life of me, I can&#8217;t recall what it&#8217;s called. Oh, it&#8217;s the money laundering. I am not sure if it&#8217;s an Act, but it has to do with money laundering regulations that all these banks abide by.</p>
<p><strong>Amrit Williams:</strong> Well, it&#8217;s interesting, it strikes me that we still for the most part have a mentality that is very centered and focused on boundaries of borders. The whole concept of offshore banking means it&#8217;s not on your shores. That doesn&#8217;t translate well into the Internet and information security, because there really is no concept of offshore and information security. There is no boundary. Everyone uses the same thing. The ports and communications and protocols that we use for email transfer, FTP, SNMP, on and on and on, they don&#8217;t change country by country.</p>
<p>So if I am attacking Port 80 in Bermuda or I am attacking Port 80 in Canada, or I am attacking Port 80 in Russia, I am attacking the same thing. There is no concept of the boundaries for me. The only thing I have is multiple hubs I might have to transfer to, which is really no barrier to anybody.</p>
<p>So until there starts to be an understanding that we really are looking at a borderless boundary, there are none that exist in cyberspace, it&#8217;s going to be very difficult to convince the island nations or anybody who seems to think that they are protected by some type of physical boundary that does not extend at all into the Internet or cyberspace.</p>
<p><strong>Andrew Hay:</strong> Yeah, I completely agree.</p>
<p><strong>Amrit Williams:</strong> So what are some of the, just to touch back on the talk, Failagain&#8217;s Island, are there some proposals or suggestions that you have for folks who don&#8217;t happen to &#8212; I personally don&#8217;t own a bank in Bermuda, granted, I wish I did. But I live here on the West Coast of the United States. Are there things that I can learn, or things that people can learn who don&#8217;t happen to own a bank in Bermuda or Antigua?</p>
<p><strong>Andrew Hay:</strong> I think so, or I hope so. Really, what I want to do is I want to expose some of the misconceptions that people have with offshore banking. A lot of people think that it&#8217;s some guy in a back room that you send a briefcase full of money to and they will hang on to it until you need it. Whereas these banks are just as wise and complex, and yeah, just as up-to-date and wired as your local bank branch; it&#8217;s just a question of, are they implementing the same level of security that you are used to?</p>
<p>If you are a large corporation and you want to take some of your money, put it in an offshore bank, and then keep some of it here, you need to be sure that the level of security is going to be on par or greater in that nation that you are sending your money to, because the odds of you getting that money back are a lot less than getting the money from your local branch. Because you really &#8212; your lawyers are going to know the ins and outs of getting your money back from your local bank branch. Whereas in that foreign country you will have to hire someone who is allowed to practice law in that country, presumably, or hire a local lawyer to chase it down, and it could be years before you see your money again, potentially.</p>
<p>(00:15:15)</p>
<p><strong>Amrit Williams:</strong> And we already know that even some of the largest banks here in America, for example, or around the world, that have a tremendous amount of resources, influence, and money that they could potentially put at solving the problem, or at least improving the security of their customers, still fall prey to some very basic attacks. So it&#8217;s certainly conceivable, and probably as you mentioned earlier, understandable why it&#8217;s sort of some tip of the spear attacks. If you really wanted to make them more sophisticated and go after large targets, you would start with island nation banks.</p>
<p><strong>Andrew Hay:</strong> Definitely. Because their investment in security may be less than your local bank branch or your national bank branch, just because there are going to be fewer people doing the work. There is going to be lesser &#8212; there will be less thought put into security than there would be at a major publicly traded bank. Because a lot of the banks in the island nations, if they are not bought by, like, an HSBC or a big multinational bank, are going to be locally owned or family owned even.</p>
<p><strong>Amrit Williams:</strong> It sounds like a fascinating talk, and I understand that you are going to dress up like Gilligan or the skipper?</p>
<p><strong>Andrew Hay:</strong> I will dress up like probably the skipper; I don&#8217;t think I am fit enough to be Gilligan.</p>
<p><strong>Amrit Williams:</strong> Well, it&#8217;s interesting, because if you actually do a really good job on the Panel, the <em>&#8216;Women in Security&#8217;</em> Panel, it will probably be good if you dressed up as Mary Ann or Ginger.</p>
<p><strong>Andrew Hay</strong>: Well, someone suggested that I dress up like Mary Ann, but I want people to come to the talk, so I don&#8217;t think I am going to do that.</p>
<p><strong>Amrit Williams:</strong> Well, I am looking forward to it. You folks out in the audience, you can hear more from Andrew Hay; you can reach him at <a href="http://www.andrewhay.ca/">andrewhay.ca</a>, which is his blog.</p>
<p>You can also see him at SecurityBSides. He has a talk called My Life on the Infosec D-List, as well as he will be sitting in on a panel and helping with the panel on women in information security. And those folks going to SOURCE Boston in April can see his Failagain&#8217;s Island talk, which I personally am looking forward to.</p>
<p>Andrew, thanks for joining me today.</p>
<p><strong>Andrew Hay</strong>: Thanks Amrit.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/02/06/episode-75-women-in-security-and-the-pitfalls-of-offshore-banking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 74: The Good, The Bad, and The Ugly of Being an Author</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/02/02/episode-74-the-good-the-bad-and-the-ugly-of-being-an-author/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/02/02/episode-74-the-good-the-bad-and-the-ugly-of-being-an-author/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 02:49:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/02/02/episode-74-the-good-the-bad-and-the-ugly-of-being-an-author/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the ins and outs of writing tech books with author Andrew Hay.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Andrew Hay, who describes himself as a “devastatingly handsome author, a sporadic blogger, a BBQ [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the ins and outs of writing tech books with author Andrew Hay.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Andrew Hay, who describes himself as a “devastatingly handsome author, a sporadic blogger, a BBQ junkie” &#8212; that&#8217;s barbecue, for those who don&#8217;t know &#8212; “and a security strongman”.</p>
<p>Andrew, thanks for joining me today.</p>
<p><strong>Andrew Hay:</strong> Thanks, Amrit.</p>
<p><strong>Amrit Williams:</strong> And I’ve got to say, although we have not met in person, we’ve spoken on the phone often, and I can tell &#8212; I hope no one takes this wrong &#8212; but you probably are devastatingly handsome. I can appreciate that as a security professional.</p>
<p><strong>Andrew Hay:</strong> Must be my sultry, sullen voice (laughing).</p>
<p><strong>Amrit Williams:</strong> A little Barry White we were talking about, right (laughing)?</p>
<p>So, Andrew, why don&#8217;t we start with a little bit of your background. You actually have written several books, you’ve worked at several well-known security companies, and you’ve done a lot of really cool and amazing things. So why don&#8217;t we dig in a little bit, give the audience a little preview of yourself, and then we can move on to some of the other topics we talked about.</p>
<p><strong>Andrew Hay:</strong> Sure. Well, I started out in the network-support/network-security space with Nokia. Actually, prior to that, I did the grunt work in the trenches of doing dialup ISP support, which, if you haven&#8217;t done it, I&#8217;d suggest you do it as part of your career to gain a perspective on how horrible a job it is. I came from the network-security space. I’ve worked for a major SIM vendor as a support person, trainer, product manager, engineering manager. I’ve lived in Bermuda, working as a security analyst for a bank, and now I’m working as a security analyst for a university in western Canada.</p>
<p><strong>Amrit Williams:</strong> Oh, that&#8217;s very cool. So before &#8212; I do want to get into the books, as I think it&#8217;s a fascinating labor of love that folks go through with technology books, and I work with Ryan Russell and he’s written several himself and several people that I know have. I’ve pondered the idea a lot, but quite honestly I think my love would probably lie in some type of fiction novel; but it really is a lot of work, and the returns for the most part are not what people think. So you want to talk a little bit about the mechanics of authoring the technical book and some of the nonromantic aspects of it?</p>
<p><strong>Andrew Hay:</strong> Sure. I actually gave a presentation on that topic in San Diego a few months back, and a lot of people go in with the idea of, “Oh, I’m going to be the next Stephen King” or “I’m going to be the next … ” who is it that wrote <em>Harry</em> <em>Potter</em>? I’m drawing a blank now.</p>
<p><strong>Amrit Williams:</strong> J.K.</p>
<p><strong>Andrew Hay:</strong> Exactly, yeah. She’s so rich, no one has to remember her name.</p>
<p>So if you are going in to write a tech book thinking you’re going to retire and make millions of dollars, odds are you’re wrong. It&#8217;s really three months to four months of your life, and if you have a full-time job and if you have a family, you are going to be dedicating a couple of hours a night and at least one weekend day to writing this book. And really, the more people you have contributing to the book, the harder it is, because you have to balance the tone of everyone, you have to act as a project manager for the entire book to make sure everyone is committing their deliverables properly and on time. And it&#8217;s an awful lot of work; it&#8217;s almost a full-time job for four months, in addition to any regular job and family commitments you have.</p>
<p><strong>Amrit Williams:</strong> So why do it? I mean, I ask this question of everybody that authors these technical books: why do it? What&#8217;s the point?</p>
<p><strong>Andrew Hay:</strong> Well, when I decided to write a book, I’d first spoken to Harlan Carvey, who’s written the <em>Windows Forensic Analysis</em> book, now in its second edition. I talked to him about it, and he told me that “If you’re going in writing this book thinking you’re going to make a lot of money, you’re going to be really disappointed”.</p>
<p>So I went in eyes wide open, knowing that I’m not doing this for money; I’m doing this for my career, because it looks awesome on a resume and it&#8217;s a good sense of personal pride. You can point &#8212; someone says to you in an interview, let&#8217;s say, “Oh, well, so what have you done? You’re in security, what have you done?” You can point to a bookshelf and say, “Well, I wrote these three books.” And they’re like, “Oh, really?” Like it&#8217;s very impressive, but it&#8217;s &#8212; I did it more from a sense of pride and professional development, and it has really helped me get known in the security space as, “Oh, he’s Andrew Hay; he wrote the OSSEC book, and he’s a blogger, and he comes to conferences and things like that”. It definitely did help with my public-facing career.</p>
<p><strong>Amrit Williams:</strong> And I’m glad people write these books. I read; I’m a voracious reader, and I’m so glad that people are contributing to the community, even though it&#8217;s not making them financially wealthy or financially better off. There are definitely benefits to it that you mentioned.</p>
<p>(00:05:01)</p>
<p>But I think one of the greatest benefits is that there is information being shared in the community that becomes very accessible to people, and you can&#8217;t get information on the Internet in a lot of the forums and the methods of communication that most people use in the same verbose way that you can get it from a book. So the fact that folks are out there authoring books is really &#8212; it should be commended.</p>
<p>Let me ask you this: what is some advice you would have for folks that &#8212; I’m reading that a lot of people are getting into writing their own books, and getting into working with Syngress specifically more than others, because they work really closely with the community. What&#8217;s some advice you have for people who are thinking about writing a technical book?</p>
<p><strong>Andrew Hay:</strong> I think my number one piece of advice would be to go in knowing the time commitment. Ask the publisher, “How much time can I expect to be dedicating to this?” And if you really can&#8217;t dedicate two hours a night every night minimum for three months, four months, then this probably isn&#8217;t for you, because that&#8217;s a big time commitment. And really, the return? Most of the publishers will give you an advance to kind of whet your palate, saying, “Okay, here’s some money, get started writing the book”; but you have to also keep in mind that that advance counts against any future earnings you are going to get. So you have to burn through that advance before you actually start seeing money back from the book.</p>
<p>And to be perfectly honest, not a lot of authors of technical books will see any sort of return above and beyond that advance. To launch every book is, you write a first edition &#8212; let&#8217;s say it&#8217;s a piece of open-source software &#8212; odds are over the course of a year or over the course of two years, that&#8217;s going to change significantly, and then your book is no longer going to be as relevant as it once was.</p>
<p><strong>Amrit Williams:</strong> That&#8217;s an interesting aspect of the technical books is, they certainly have a bounded time that their value is important. I have a basement of books; we’re actually going through moving, I’m trying to get rid of them. It&#8217;s hard to give them away.</p>
<p><strong>Andrew Hay:</strong> Well, sure, because they mean a lot to you. Like when I moved to Bermuda, I gave away probably about 75 technical books. And those were books that had a lot of knowledge in them and a lot of references in there that, “Okay, I need this information; I won&#8217;t search the Internet, I know it&#8217;s in this book, I’ll go to it”. And you’re paying $60, $80 for this book, so it kind of means a lot when you’re throwing away hundreds and hundreds of dollars in a move.</p>
<p><strong>Amrit Williams:</strong> Oh, yeah. In some of the books I have like specifics on SMT, for example, back in the day. Those were really expensive.</p>
<p><strong>Andrew Hay:</strong> Yeah.</p>
<p><strong>Amrit Williams:</strong> It&#8217;s the shame that I can like barely get pennies on the dollar for these things.</p>
<p>You know, this leads into a great segue. I want to switch gears a little bit and talk about a submission that you have for Security B-Sides, and for those who don&#8217;t know you can find out about Security B-Sides. I believe it&#8217;s <a href="http://securitybsides.org" target="_blank">securitybsides.org</a>?</p>
<p><strong>Andrew Hay:</strong> .com, actually.</p>
<p><strong>Amrit Williams:</strong> <a href="http://www.securitybsides.com">securitybsides.com</a>, this was a concept that was a couple of folks got together and I guess some submissions that had then presented to RSA at their conferences were not accepted, and there was this general feeling that there was … it was difficult to hear fresh, new content from bright minds that for whatever reason the communities that want to authorize the talks and go through the panels weren&#8217;t allowing some of the content that a lot of people really wanted to be exposed to. And you sort of seize on that, almost I want to call it nepotism, going on in these large conferences.</p>
<p>So Security B-Sides was an opportunity for the industry to get exposed to some folks that may not have a chance to share their great ideas, and one of the submissions you have &#8212; I thought it was kind of funny (laughing) &#8212; it&#8217;s “My Life on the Infosec D-List” and … why don&#8217;t you explain a little bit about what that talk is going to be about and the proposal, and we can tell people how they can vote for it?</p>
<p><strong>Andrew Hay:</strong> Sure. Well, so I don&#8217;t even remember how the term came up. I think it was a conversation with Anton Chuvakin. We were just talking about celebrity status in our industry and how 80% to 90% of us are all on this D-List; we’re just trying to break into security, we don&#8217;t know how to do it, we just know we want it. It&#8217;s kind of like a Google Wave invite: you don&#8217;t know why you want it, but you want it because everyone else wants it.</p>
<p><strong>Amrit Williams:</strong> Great analogy, because when I got mine, I did really want it, and then I just sort of looked at it and went, “Okay, now what?” (laughing)</p>
<p><strong>Andrew Hay:</strong> Well, I think Google should offer up a bounty for anyone that can figure out what to do with Wave. I think that they’d make a lot of money, or they’d be giving it a lot of money if someone could actually put some thought into it.</p>
<p><strong>Amrit Williams:</strong> So anyway, I’m sorry to distract you there, I get a D for it; anyway, back to the D-List.</p>
<p><strong>Andrew Hay:</strong> So, really, what I wanted to talk about in this presentation is: what are the steps that I took to get to my mediocre stardom &#8212; and it really is mediocre stardom. I’ve gone to conferences, and honestly I can&#8217;t remember the guy&#8217;s name and I wish I could; but he came up to me at RSA and he’s like, “Oh, wow, you’re Andrew Hay” and he recognized me immediately.</p>
<p>(00:10:06)</p>
<p>He shook my hand, he’s like, “Wow, I bought your OSSEC book; it was great. You know, you’re a great author. I really like the book. I’m telling all my friends about it”. And I just kind of stood there and I was shocked.</p>
<p>And I was there with John Strand and Rob Lee, and they both kind of looked to me, it&#8217;s like, “Oh, look, his eyes are rolling up” (laughing). “Look, shut up! No, there’s something in my eye” (laughing).</p>
<p>But it meant a lot to me that someone came up and said that and they immediately recognized me; and I don&#8217;t know if it&#8217;s because of my crazy Twitter picture or what, but people are recognizing me now, which is both scary and cool.</p>
<p>But they’re associating things that I do &#8212; my blog, the books I&#8217;ve written with my name &#8212; which I kind of consider that deal as celebrity status, because if you’re driving around LA, you&#8217;ll notice some guy who may have been an extra in a movie or something; you recognize them, “Hey, you’re that guy from that movie that I like”. And he’ll either say, “Yeah, that&#8217;s me. Yeah, my name’s actually this” or “No, I’m not that guy”.</p>
<p>So what I want to talk about in the conference, in the presentation is like: what steps did you take to kind of increase your exposure in our huge circle, because it is really a big circle of people. And it might be actually one of the biggest in any sort of industry. Like the security people seem to be very outgoing and very network-friendly, I’ll say.</p>
<p><strong>Amrit Williams:</strong> Well, I don&#8217;t know if it&#8217;s the biggest gathering of folks within one segment or served by both the technology industry; but it certainly is one of the more vocal, and it has some of the most &#8211;</p>
<p><strong>Andrew Hay:</strong> For good or bad (laughing).</p>
<p><strong>Amrit Williams:</strong> Right. It&#8217;s really one of the most vocal, and it has some of the most pervasive characters. There certainly is a lot of characters in the security industry, and if you&#8217;ve been around for a long time you have these connections. It used to be quite small, and it used to be folks just moved around and they changed jerseys; but you kept a lot of those connections, and it&#8217;s expanding in a very interesting way and has probably over the last five years dramatically where you see this huge influx of people that have in two to five years of experience moving into the security realm, but weren&#8217;t there back in the day. And “back in the day” is, you know, back in the day (laughing). Back in the day is really not that long ago; but if you look back to the early ‘90s, for example, when a lot of folks that are now the thought leaders for security or running the companies themselves or driving some of the technology innovation, that&#8217;s when a lot of folks cut their teeth in what would become a fairly large and prosperous industry in security.</p>
<p>So I honestly think that Twitter and other social-media communication tools like Twitter are probably the biggest benefit to that communication, because think of how many people you’re connected to on Twitter and who you probably never would have spoken to if you met them at a conference, had you not already been connected to them on Twitter.</p>
<p><strong>Andrew Hay:</strong> Oh, it&#8217;s fantastic. The other thing I appreciate about Twitter is that I have a large set of people that I communicate with infrequently prior to Twitter, because we just don&#8217;t live that close to each other. Folks who live in Boston and New York, for example, on the East Coast or outside of the country that I have strong relationships with, that I have a lot of respect for, would like to communicate more with, but really can&#8217;t see myself picking up the phone to have a brief conversation about what I would be having for dinner or if they saw a certain movie, the type of interactions you have on a friendly basis with those around you.</p>
<p><strong>Amrit Williams:</strong> Twitter is great for keeping in touch with those folks you just can&#8217;t see on a daily basis. It&#8217;s great for sharing quick ideas, getting thoughts out there, getting feedback; it&#8217;s also probably the snarkiest social-media mechanism I’ve ever seen. They’re like a big sitcom.</p>
<p>(Laughter.)</p>
<p><strong>Amrit Williams:</strong> The security networkers are sort of a … they’d be a great sitcom, I think.</p>
<p><strong>Andrew Hay:</strong> Yeah (laughing). I was thinking about that, because I&#8217;ve got family in Hollywood. My brother is a standup comedian and my cousins, both of them, are actors &#8212; in fact, my cousin has a movie coming out. But it&#8217;s interesting, both of them sort of comment on that desire to become famous, so people recognize them. But as people start recognizing them, I know for Christmas I was out with my brother, we were at a movie theater and this guy came up and he said, “Oh, my god, I saw you on Comedy Central”. And my brother, he was very kind and humbled; but he sort of turned to me and said, “Man, that can become really annoying” (laughing).</p>
<p>(Laughter.)</p>
<p><strong>Andrew Hay:</strong> And you have to think about that. I mean, you sort of have to have a certain mindset and a certain mentality to expose yourself publicly that way, because a lot of people by their very nature have egos; it’s natural for us to want to be seen and be known and feel like we’re succeeding. But there is also a side of us that wants to remain private and doesn’t want to share thoughts with others and wants to keep a line between what we would like to share and what we don&#8217;t in this. As you become more known, then that line becomes a lot blurrier and people start penetrating into the other side of your life that you may not want to share.</p>
<p>(00:15:05)</p>
<p><strong>Amrit Williams:</strong> Yeah. Before we switch gears, I do want to let the audience know how they can vote for your security D-List talk at <a href="http://www.securitybsides.com">securitybsides.com</a>: “My Life on the Infosec D-List”. How do they do that?</p>
<p><strong>Andrew Hay:</strong> All right, so what you can do is you can either email to <a href="mailto:info@securitybsides.com">info@securitybsides.com</a> and say that you want to hear my talk, or on Twitter you can type “I vote for ‘My Life on the Infosec D-List’ by @andrewsmhay” and then the #BSidesSF. And then what the B-Sides guys do is they tally the votes at the end of the day, and I think overall voting will pick who gets to go on (laughing).</p>
<p><strong>Amrit Williams:</strong> And if folks want information about Andrew, they can get it; you have a website: <a href="http://www.andrewnhay.com">andrewnhay.com</a>, is that correct?</p>
<p><strong>Andrew Hay:</strong> No, it&#8217;s <a href="http://www.andrewhay.ca">andrewhay.ca</a>.</p>
<p><strong>Amrit Williams:</strong> <a href="http://www.Andrewhay.ca/">andrewhay.ca</a>; and that&#8217;s H-A-Y.</p>
<p><strong>Andrew Hay:</strong> H-A-Y. Easy to remember.</p>
<p><strong>Amrit Williams:</strong> All right. Well, Andrew, thanks for joining me today. We&#8217;ll have a little bit more with Andrew coming soon.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/02/02/episode-74-the-good-the-bad-and-the-ugly-of-being-an-author/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 73: Is the Auditor Scarier Than the Attacker?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/01/22/episode-73-is-the-auditor-scarier-than-the-attacker/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/01/22/episode-73-is-the-auditor-scarier-than-the-attacker/#comments</comments>
		<pubDate>Sat, 23 Jan 2010 05:36:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/01/22/episode-73-is-the-auditor-scarier-than-the-attacker/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses how profit and politics have changed the security landscape with Josh Corman, research director for the enterprise security practice at The 451 Group.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Josh Corman, who is the [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses how profit and politics have changed the security landscape with Josh Corman, research director for the enterprise security practice at The 451 Group.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Josh Corman, who is the Research Director in the Enterprise Security Practice with The 451 Group.</p>
<p>Josh, thanks for coming back. We were speaking before about a paper you put out at The 451 Group called Security Derivatives, and in it you speak about information asymmetry. We were speaking about some of the first stages of what you describe in terms of the timeline of information asymmetry, beginning with the first sort of initial virus concepts and then the market’s response to that by creating anti-virus software.</p>
<p>We then touched a little bit on how the vendors, the security vendors themselves started to filter out the information they were giving to the purchasers, so you had information asymmetry between the buyers and the providers.</p>
<p>And then right when we left off you had touched on the new information asymmetry that progressed from that, which is the information asymmetry between the security developers, the security vendors themselves, and the threats and the attackers themselves. So I wanted to just get back into that flow and take it from there.</p>
<p><strong>Josh Corman:</strong> Sure. I mean, we have basically gone through successive filtering from reality. So if in the original model there was a threat, and I knew about the threat and I purchased for the threat, that was pretty direct.</p>
<p>The second generation, I think I sort of call it the Trust Me Generation, and that’s really when there were too many threats so the vendor themselves became the de facto. The trusted security advisor would study the threats, educate the buyers about the threats to create demands and satisfy it.</p>
<p>The third era I think is where we started to leave off, which is trust abuse, and that’s really where some of the harder threats, that are going to take a lot of R&amp;D effort, something like group hits.</p>
<p>There wasn&#8217;t a lot of demand for it, because they were slower and stealthier, they were fairly difficult, so a lot of the vendors just really weren’t talking about them. So we started to abuse that trust and filter; if we knew 15 threats, we would only market and message to the ten that we could solve and make money on.</p>
<p>The most troubling one is which is where we left off, is the next step, I guess we will pick up there, where it was blind spots. The threat has evolved and accelerated so rapidly, whether it’s 2004 or through 2006, we started to see that most of the threat was primarily driven by ego, I call that the prestige era, whereas around that time frame it really started to multiply and accelerate to be profit, politics, and prestige.</p>
<p>So all the e-crime we have all been beaten to death with, has very different motives and very different uses. They don’t want to be loud; they want to be stealthy, and financially successful, whether it’s a cyber protest or even state-sponsored attacks and reconnaissance.</p>
<p>So those other two Ps, profit and politics, in addition to prestige, really changed the game, but many of the incumbents who had a big nest egg in legacy portfolio were resistant to talk about that, but more importantly, their R&amp;D teams, they just don’t get it. A lot of them are so stuck in that early era that everything is a virus and gets a signature, it’s about cranking out signatures more quickly or something.</p>
<p>They develop blind spots, to the point where now if there are 20 threats, the vendors don’t even know about more than 10 or 15 of them. So it’s this subset of a subset. If we strictly use normal market demand, the buyer just doesn’t know enough, there’s too much complexity, too much change. And because they are relying on, usually their vendors as their source of trusted advisor, you get a highly sub-optimized system.</p>
<p><strong>Amrit Williams:</strong> I think the thing that I wanted to touch on a little bit is, is that &#8212; let me test this with you, because I am not even suggesting that this is the wrong lens to put on this problem. Is that the right way to look at it though, I mean, from a vendor’s perspective, not yours of course? Because if you think about it, there’s an inevitable progression to the type of attacks that we are going to experience. They are definitely going to continue to become more sophisticated, new technologies will come online. Those will have inherent vulnerabilities, they will be exploited. So that problem doesn’t seem one that is easily solved by looking at, how do we look at the threats and what protections do we develop against those threats. That does need to occur.</p>
<p>Are we missing something here, which is &#8212; and let me just test this with you, does it matter what the threat is, shouldn&#8217;t the response be, it doesn’t matter how the attack occurs, if I can figure out a way to detect it, then I just need to figure out a way that I can make sure my business stays online?</p>
<p>I know that that’s overly simplistic, but let me give you just a little bit of what I am thinking here. I had a conversation with someone recently about the energy utilities and how they should respond to the potential of the smart grid and how that would be attacked and on and on and on.</p>
<p>(00:04:56)</p>
<p>And the comment was made that the PG&amp;E, for example, which is the Pacific Gas and Electric, the energy utility here, in Northern California, where I live, that they didn’t do enough and weren’t really prepared for an onslaught of attacks against the energy utilities by hackers.</p>
<p>I asked the question, I said, well, do you think that they are prepared for the other things that bring energy to a halt, because at the end of the day their main objective is to ensure that energy is provided to their constituents? What I do notice here in Northern California is that PG&amp;E is actually pretty good about trying to restore energy when there is an operational failure, and at the end of the day does the consumer of the energy, the consumer of PG&amp;E care what impacted their inability to get energy? They don’t; they just want to know that they pay for a service and it’s provided.</p>
<p>And are we missing that side of it, which is the response side, the business continuity side? I know that it’s not as an attractive and exotic discussion that people like to have in the information security arena, but how do we rationalize those two sides to find balance between the two of them?</p>
<p><strong>Josh Corman:</strong> So I think there’s a couple of issues tangled up in there, and one of them is confusing anti-threat, specific anti-threat terrorism as the only form of security, which I don’t believe.</p>
<p>Another is the notion of survivability or resilience. Chris Hoff is a big fan of this, I am a big fan of this. We do a lot of this with our round tables, through IANS, and in our conference speeches. In fact, back in, I think it was like in 2001, maybe even earlier, Carnegie Mellon was first talking about this &#8212; pushing the idea of survivability. So not that you can prevent the attack, but that you can maintain the mission throughout the attack or recover more quickly. So that’s another topic entirely.</p>
<p>I think, should they care? I think yeah, they should care, and I am not trying to be one of those tin foil hat brigade guys, but a lot of times I would be pulled in for my clients, whether it’s the ISS or IBM ones. A large pharmaceutical company had a custom piece of malware take the research data and ransom it for six figures successfully. They are wondering why their anti-virus didn’t work. Well, their anti-virus was never going to work, because that model of threat, with the advanced persistent threat, was not going to &#8212; if you have a virus written for one target, there’s no Patient Zero to create a signature from. Patient Zero is Patient Z, it’s over.</p>
<p>This was not an edge case, this was most of my work for the last several years for these kinds of examples where the threat was becoming more sophisticated, and the available supply of security simply wasn’t up for the task of noticing the slower and lower and more quiet things.</p>
<p>I mean, Richard Bejtlich does very good thought leadership, and a lot of talking about incident response and how to build your incident response workbench, and the kind of tools, and that we want increased visibility, and how do you go firefight when you notice these things, but most of these breaches he was referring to, I mean the compromise was resident for seven plus months or so. I mean, take whatever report you like, these types of attacks simply can’t be noticed or prevented with the lion&#8217;s share of the spending that we are doing on legacy controls.</p>
<p><strong>Amrit Williams:</strong> So you touched on it right now Josh. They can’t be prevented with a lion&#8217;s share of money that we are spending on the legacy controls. So I want to just shift a little bit to talk about what can we do, because I know that I am in agreement with you; I have had conversations with you before about how we spend so much time fighting last week’s, last year’s, last decade’s battle. There is a lot of regulations that push us to do that. There is a lot of information that says that’s the best thing to do, and we neglect looking at the type of technologies, the type of processes, the type of methodologies, that would allow us to have better visibility and better response to threats that cannot be detected by these legacy controls. How do we break out of that?</p>
<p><strong>Josh Corman:</strong> Again, it’s the awareness factor. I mean, the last stage of the paper on derivatives was that, even for the things that we are getting spending two or three years ago, the economic downturn, and the too much cost complexity has people retreating to compliance as the simplified, really shortlist of the controls you should spend on. And given that the budgets are so tight, people are basically passing on it and not spending a penny more.</p>
<p>The conversations and debates I have had recently have been about the very dangerous and all-consuming impact of compliance mandates, and specifically PCI. There have been a lot of debates, I think you have been following.</p>
<p>But my concern is that, of all the things we need to do, the executives are saying, look, we have no money, you are taking up too much. What are the things we have to do? If you are not going to get a fine, I am not going to give you a budget for it. So you have gone from 70 known product markets, down to the ones that directly map to the digital, those in the PCI, for example.</p>
<p>(00:09:49)</p>
<p>And I know the people listening are going to say, PCI is only meant to handle card holder data, etcetera, but the derivatives and the copies we have conflated compliance as an industry best practice, and it’s being misapplied in the enterprise because people think that is the best thing you are supposed to do, the minimum you are supposed to do.</p>
<p>And even the stuff that the vendors are selling, which was already a subset of a subset, we have now focused most of the spending on the compliance mandates and usually not a penny more.</p>
<p>I had a big argument with the CIO and I said, you know that you need to do more than this. You know that you have already had three breaches, two of them public. How can you cancel this project? And he said, Josh, I might get hacked, but I will be fine, and it was really that simple for him.</p>
<p>So the last stage of derivative here is, if we have got 40 threat types and your vendors know about 30 of them, and they only have solutions that sell you for 20 of them, and you are only going to be able to have a budget for the really old, the really antiquated ones that are in some sort of compliance or government or industry mandate, like a compliance reg, this is the very dangerous downward spiral where most spending is on a very small subset of controls, and most of those controls are very ill-suited to handle the kind of awareness and incident response.</p>
<p>So I didn’t answer your question about what you should be doing, but if we don’t recognize that if our entire risk management program is a cut and paste and execution of 12 rules from some credit card company, we don’t have a chance of increasing our visibility and noticing these smaller, stealthier, or financially impacting threats.</p>
<p><strong>Amrit Williams:</strong> We do feel we have crossed the chasm, where most organizations are more fearful of regulatory compliance than they are of the actual threats coming from some Eastern European organized criminal gang that&#8217;s trying to steal money from them.</p>
<p><strong>Josh Corman:</strong> Part of it is that, it’s a possible threat versus an actual threat. I mean, the fine is real. The attackers from &#8212; the sophisticated attackers are also real, but you are taking a gamble.</p>
<p>And another part is that &#8212; you heard my 7 Dirty Secrets talk, and you know how hard I am on the vendor community, but the vendors kind of &#8212; they then go tone deaf to FUD, too much fear, too much doubt, and we made them realize that there’s more lions and tigers and bears than they can ever handle. Some of them are real and some of them are fabricated, like the snake oil markets. And they have tried to retreat it to a more simple and mandated final holistic controls, and that’s the real big concern.</p>
<p>I mean, there are technologies; I mean, I have been a big fan of what you guys have been doing at BigFix for a long time, because you don’t have to anticipate what the attack is. If I want to ask a question of any number of systems in my population, I can do so. If I want to affect the change on those systems, I can do so.</p>
<p>So the SIMS are becoming potentially more strategic, the log management stuff is properly used. A lot of the incident response things. Some of the botnet technologies or network anomaly detection, things like integrity checkers on the endpoint. There is a good list of controls that you can use to prevent known threats and unknown threats, loud threats or stealthy threats. The problem I have is, good luck as a stray practitioner getting a budget for those, because right now, at least in 2009, most of the dollars were spent on a compliance mandate and no more.</p>
<p><strong>Amrit Williams:</strong> Let’s test, and I know that recently you did a podcast with a set of folks who look at PCI, this was moderated by Bill Brenner from CSO Online. I know it&#8217;s going to be both on CSO Online and Martin McKeay and Bridge Mobile’s NetSec Podcast. It’s interesting, because I have taken a rather harsh tone with PCI. I don’t know if I have ever really sat down and described what my issues are. I think they can really be summed up in two ways.</p>
<p>One is, I completely agree with you around the imposition and the thought that everyone basically sucks and needs to be brought up to this very basic level, and PCI is a very basic level of information security. And I think that really discredits a lot of the information security programs and the information security professionals that want to look at how they can implement all these other compensating controls or controls that are not even part of the spectrum of what PCI mandates against new threats that aren’t being discussed.</p>
<p>The other issue I have, and again, I think that PCI is one direction, and people are trying to take that direction, and I give those folks credit who have tried to better the PCI program in general, and those folks who advocate for it, I think that they do believe they are doing the right thing and I don’t begrudge them for that.</p>
<p>The other issue I have is that, again, we are in a free market, we are a capitalist society, we tend to shy away from regulations, if we can. This is one area where we seem to completely embrace regulation. That doesn’t make sense to me, because we are actually, through this economic dynamic that we are seeing, as you described, we are forcing conditions through regulations that become unnatural, and basically make it very difficult for information security to evolve.</p>
<p>(00:15:07)</p>
<p>I don’t fully understand how on one hand we can advocate for regulatory compliance initiatives for information security; and I have seen several of these people advocate against regulations and other aspects of our lives. So it seems to be misplaced, the way that we want to regulate one side of this idea, not the other.</p>
<p><strong>Josh Corman:</strong> Well, you and I have had some great conversations about this, and I would like to do so maybe on a future podcast. The nature of this particular debate, the great PCI debate that you referred to with Bill Brenner, was I gave a speech, my baby speech, at The 451 Group Client Event and Bill Brenner was sitting in the audience, and I said, you know, in the great ecosystem of security, most of the spending, whether it has anything to do with regulated cardholder data or not, most of the spending, most of the innovation, most of the vendor activity, most of the VC shifting, is all basically moving backwards to some fairly legacy controls because of the economic conditions.</p>
<p>So I have often compared PCI, jokingly, to the devil. I said PCI is the devil, at an IANS event. That was a joke, but what isn’t a joke is, I started realizing a very solid comparison to the No Child Left Behind Act. That’s really what spurred a lot of volatile reactions. I think it came &#8212; the article came out saying Josh compares it to the No Child Left Behind Act. Well, basically I am saying, we meant to raise the bar, and for some we have, but for others we have lowered it. We meant to make it a starting point, but it has become the finish line. We meant to set the floor, but we have actually set the ceiling. We are supposed to make the smart kids dumber, we made &#8212; I mean, we are supposed to make the dumb kids smarter, we have made the smart kids dumber. So it’s a lot of good consistent metaphor there with the No Child Left Behind, and in fact, I will be writing about that very soon.</p>
<p>The debate was that Anton Chuvakin, who has written a book on PCI, even Ben Rothke retorted and retaliated. Mike Dahn and Martin McKeay jumped on as well. I mean, these guys have done a lot of very noble and good work to try to help raise the bar for the retailers and the people who take card transactions that were doing nothing.</p>
<p>So if on a bell curve, some people are negligent and doing nothing, and on the other end of the bell curve, people are doing an excellent risk management program, like a lot of the clients I had, there’s all sorts of points in between. My suggestion wasn’t to do the debate we have all had a thousand times and pick on PCI. I am saying, look, PCI has raised the bar for the negligent, but it’s also had unintended consequences on everyone else, and it’s had a negative impact on some.</p>
<p>We haven’t actually improved security overall, in fact, year to year, the breaches go up and up and up, and show no signs of slowing. It’s more a matter of, I am seeing, when I talk to my clients at The 451 or my partners when I was at IBM, or the buyers in financial services and pharmaceutical, in areas that don’t even take credit cards, what I am seeing is all the money is going to compliance mandates. Therefore, the vendors swallowed the money, therefore the vendors are not providing advanced threat prevention. They are doing pretty reports, compliance dashboards.</p>
<p>Basically, the bad guys continue to innovate, and we have kind of given up on them because the auditor is scarier than the attacker, and you know the next stage is going to be that the investors stop investing in the good threat prevention stuff, like you were referring to.</p>
<p>Are they going to invest in an anti-botnet? Are they going to invest in a network forensic tool? Are they going to invest in advanced persistent threat things or anti-fraud? Maybe eventually, but in a space that moves so quickly and changes so often, information asymmetry has a pronounced impact on this sector, more so than it does on which iPhone or smartphone I am going to buy. In that kind of thing, supply and demand is pretty direct and there’s no life or death, there’s no massive financial losses. And in this one it’s pretty unrealistic that the average security buyer at a retail chain is going to know what the Russian mafia is going to be doing next week.</p>
<p>But because of these successive layered levels of information asymmetry, we are wildly sub-optimized. The VCs are taking a bath on markets like Mac. Some promising data with really applicable technologies are struggling in a bad economy. The legacy guys continue to resell things we don’t really need, because it’s grandfathered in on a PCI budget.</p>
<p>What I really want to do is map these factors out, such that we can be more aware, more explicit, and then give some pretty decent and actionable guidelines to each constituent on how we can try to get on a more convergent path, instead of a divergent path, because right now we are mandating wooden shields and sticks, whereas our adversaries have very advanced weaponry.</p>
<p>(00:19:56)</p>
<p><strong>Amrit Williams: </strong>Yeah, I don’t disagree. Okay. Well, let me switch gears just a little bit, Josh, because I do want to get you back on and others to talk about how we deal with some of the regulatory compliance pressures that organizations deal with, and how we sort of change that dynamics, so organizations can look at some of the more innovative technologies that are out there to deal with security threats, as opposed to just the ones that are mandated by compliance, which are difficult to change.</p>
<p>What does the future look like for this year and next in terms of The 451 Group research that you are driving? I mean, I know that the security derivatives is one piece of the coin, can you talk a little bit about some of the ideas and thoughts you are going to be adding to that foundation?</p>
<p><strong>Josh Corman:</strong> Yes, I think people act in their own rational self-interest and they act in their economic interest. Most of my subscribers are &#8212; there is a huge chunk, since we really focus, not on being the consensus of the masses, I mean different analyst firms have different value propositions, I think The 451 has been more about intellectual honesty or a focus on innovators and investors. So it tends to be the newer technologies and the investment community.</p>
<p>So I am really writing theories of these reports; the information asymmetry was one concept to establish, we are doing about three or four more of those that will stand on their own, but I am going to stitch them together to really paint what is the ecosystem of information security, economically. Who are the constituents? So I am going to be codifying essentially the infrastructure vendors as a constituent, the large incumbent security vendors who respond to threat, the threat landscape, the smaller VC based startups that try to fill in the gaps and those incumbents, the VCs who fund them in a regulatory environment.</p>
<p>So by painting them, showing the dynamics where it’s working well, where it’s not working well, then I hope to have a more accurate world view and give, again, actionable and reasonable suggestions to each constituent.</p>
<p>So the bottom line is, the information asymmetry hurts everybody in the long run. It stifles innovation. It forces people to spend on things that have a very low return on investment. The VCs aren’t getting a good return on their investments. If we let things progress as they are, everyone stands to lose. If we improve the information and the caliber, and we have a more accurate world view, people will still act in their own rational self-interest, but we are going to have a much higher caliber result, from better &#8212; a more realistic world view, and I think we don’t really have that today.</p>
<p><strong>Amrit Williams: </strong>I completely agree, and I really look forward to the research. Josh, I really want to thank you and appreciate your conversation today, and I look forward to having you back as well.</p>
<p>For those of you looking for more information from Josh: again, Josh Corman is the Research Director for the Enterprise Security Practice at The 451 Group. Josh does not have a blog and just completely refuses to build one, don’t know why. But you can find him on Twitter, if you search Josh Corman.</p>
<p>Josh, thank you very much for joining me, I really appreciate it.</p>
<p><strong>Josh Corman:</strong> Thanks Amrit.</p>
<p><strong>Amrit Williams: </strong>Take care.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/01/22/episode-73-is-the-auditor-scarier-than-the-attacker/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 72: What Are the Real Threats for 2010?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/01/15/episode-72-what-are-the-real-threats-for-2010/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/01/15/episode-72-what-are-the-real-threats-for-2010/#comments</comments>
		<pubDate>Fri, 15 Jan 2010 18:26:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/01/15/episode-72-what-are-the-real-threats-for-2010/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, takes a look back at 2009, and a look ahead at what the real threats of 2010 will be with Mike Rothman, founder of Security Incite.
Subscribe in iTunes:

Subscribe with XML:

 
FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Founder, [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, takes a look back at 2009, and a look ahead at what the real threats of 2010 will be with Mike Rothman, founder of Security Incite.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/files/2010/03/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/files/2010/03/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Founder, President, and Principal Analyst with Security Incite, Mike Rothman.</p>
<p>So Mike, I wanted to actually turn a little bit to a look back and a look forward. 2009, you know, we had some interesting things happen. Was there anything in 2009 that stood out in your mind as a really important and impactful event for security in general or IT in general?</p>
<p><strong>Mike Rothman:</strong> Sure, well you know, I mean I think we can sit here and look at the end of 2009 and say, you know, this really was the year of the cloud, right? And I don’t mean from the standpoint that people are actually doing anything with the cloud, but it seems that all we’ve been talking about, at least for the last six to eight months, has been cloud this, cloud that, you know, managed service this, managed that.</p>
<p>So you know, I think we look back and once again, you know, again having followed all these markets for many years as you have, it’s just funny to pay attention to the cycles. How, you know, the hype cycles happen and then when you don’t actually start hearing about stuff, or if you stop hearing about stuff, is probably when it’s really starting to be deployed by a number of customers.</p>
<p>So you know, I look back and say a couple of things. One, you know, we were all very enamored with the cloud and the impact that that’s going to have on the computing infrastructure, which I believe will be measured most likely in a decade as opposed to a year, and I think we kind of forget that. But from a security standpoint, it’s been more of the same and from my standpoint I’m kind of numb to it at this point. You see, okay, here are the top ten data breaches of 2009 and all of them are pretty much north of a hundred million identities compromised, right?</p>
<p>You know, whereas two years ago it was like, holy crap, somebody lost 100,000 identities. You know, the magnitude of the attacks has just really gotten so crazy that you kind of lose perspective on it. It reminds me of when I did an internship in college at Mobil Oil Company and, you know, the models we were making were kind of breaking Lotus 1-2-3 because it had like a hundred digits. Because this guy, you know, they were measuring revenues in 70 billion, and that’s not so big now, but back in the late 80’s it really was. So you just kind of get numb to just the sheer magnitude of the attacks that are happening now, and I actually think that’s kind of a dangerous thing, because you get sort of complacent, and even if &#8212; you know, your complacency is “oh crap, you know, identities are going to get lost. There’s nothing I can do about that.” Complacency in any way, shape or form is a very dangerous thing. So that’s kind of the first comment that I would make, is that I do see an increasing amount of apathy. I do see a significant amount of complacency and I see a lot of very innovative attacks.</p>
<p>We can talk a little about that RBS WorldPay card attack. Right, where these guys got into the system, were able to replenish a series of 45 ATM cards, and these guys had a worldwide network of mules in effect that were there just pulling money out, and I think they were able to get 9 million in about 30 minutes, right. That’s an attack that &#8212; I mean, if somebody would have presented that attack to you five years ago, your head would explode. There’s no way anybody can do that, and these guys &#8212;</p>
<p><strong>Amrit Williams:</strong> Well, it’s interesting. I think this adoption of using physical, cheap labor to be part of the attack value chain is really an interesting turn of events. It’s happening a lot more. We had this with the CAPTCHAs, where they were &#8212; the bad guys were basically hiring these guys to manually fill in the CAPTCHAs and then send it back so the malware can get past the CAPTCHAs.</p>
<p>It’s really interesting, because what you have is a level of sophistication with the organized criminals; they’re saying, “listen, we can combine the aspects of things we already understand in the physical world, the supply chain, cheap labor, manipulating local law” and then combine that with sophisticated malware, and you just have a recipe for some pretty advanced techniques in terms of capturing your stuff, your data, your information, your money, and we’re certainly going to see a lot more of that, especially as the level of sophistication increases. So it is &#8212; what’s amazing though is you’re right. You’d hear these things a couple of years ago, probably your head would explode. You hear them now and you just go, “Huh, that’s interesting.”</p>
<p><strong>Mike Rothman:</strong> Right, yeah, that’s cool. I don’t even say that’s interesting; I say wow, that’s cool. We’re talking about a guy basically robbing a bank, and wow, that’s cool. Again, it’s just totally, you know, in some cases I kind of feel it’s like bizarro world, where, you know, the innovation isn’t happening from the good guys. We don’t sit there and say wow, Blue Pill, that’s cool. You go, “Holy crap, these guys figured out how to pull 9 million bucks out of an ATM in 30 minutes. Now that’s cool.”</p>
<p>(00:05:10)</p>
<p><strong>Amrit Williams:</strong> Do you think we became jaded in that respect? Because I hear this a lot. I hear people saying innovation’s coming from the bad guys. The good guys aren’t innovating, at least in terms of security. You look around at the level of sophistication in terms of technology today and how quickly it’s moving, it’s pretty phenomenal. You know, the use of cloud computing, for example, and not the use of the cloud but cloud computing specifically, or virtualization technologies, mobility, the fact that I can hold a small computing device in my palm and basically make reservations at a restaurant &#8212; the level of sophistication of the technology today is pretty phenomenal. We don’t see that much on the security side per se. Is this sort of a &#8212;?</p>
<p><strong>Mike Rothman:</strong> Yeah, I mean we certainly have not seen innovation at the level of the rest of the computing stack in security. And you know what, I think part of that &#8212; I mean, there are a couple of different reasons for that. You know, but I think a lot of it has to do with most of the attacks being perpetrated more on social engineering type techniques than hardcore, you know, real technical innovation. It’s usually, you know, multi-faceted aspects, certainly of the bigger compromises. But you know, the typical fraud is really as much smash and grab as it is anything else, right. You know, send a phishing message, you get somebody to click on it, their machine is owned and then I can do a whole bunch of interesting stuff. I also think that there is a lack of ability for most customers to consume innovation.</p>
<p>So you know, we could sit here and, like, you know, listen, we both spend a lot of time in venture-backed companies that actually have to think about things on a quarterly basis. And as interesting as it is to think about real innovation from a technology standpoint, the cold harsh reality is most companies wouldn’t even be able to consume it if it were built. So, you know, and if that happens three, four, five years in a row, you have this disincentive for companies to actually do innovative things and, you know, again, if I ever sit here and I’m worried, it’s about complacency. I’m also worried that there’s no real thought leadership about how this stuff should be happening over the next couple of years. We all talk about “Wow, the cloud is never going to happen until security.” That’s a load of crap! You know, the cloud is going to happen; the real question is what are we going to do to mitigate, defer, transfer, you know, some of the risks of that kind of computing model.</p>
<p>So, and again, my fears tend to be more that, you know, because the customers can’t buy it, there’s no economic incentive to build it, which means we’ll constantly be &#8212; you know, I wouldn’t even say reactive. You know, it may not even make sense to fight anymore. Visa and MasterCard, they put, what, 2%, 3% of all of their revenues in a reserve bucket because they know what’s going to shrink. Maybe that’s just what we do over time, and obviously that’s excessive and that’s something that will happen over decades, not years. But if I sit here and really be objective about where all of this stuff is going, that’s a huge fear for me.</p>
<p><strong>Amrit Williams:</strong> Well, it’s interesting. I mean, I think we keep ourselves in this never-ending state of moving forward. There is no real ability for a company to implement a radically different approach to security. They really just can’t logistically, politically or even process-wise deal with it. So if there was a radically different approach to keeping the bad guys out, its adoption would be really slow. So because of that, it slows the innovation around that, and what people are doing, instead of trying to change the paradigm, is just simply trying to make a better mousetrap. No one’s really trying to figure out how to get rid of the mice, and that’s really an interesting take. I think there are probably, you know, aspects of the economy or economics that we need to look at, and other things, to try and change the demand for all of these malicious actors. But you know, c’est la vie, it is what it is. I don’t see a change anytime soon.</p>
<p><strong>Mike Rothman:</strong> Well hey, you know, guys like us live off the fat of the land, right? So you know, part of me says, “Well, this is just the wrong thing to do over time,” the other part of me says, “God, I’m pretty lucky to have at least some semblance of this skill set in an environment that’s not going away any time soon.” This kind of weird model again, as wrong as it is when you think about it from that perspective, you know, selfishly I can’t complain too much.</p>
<p><strong>Amrit Williams:</strong> You know, that’s true, and you know we all thank God for Microsoft’s security issues.</p>
<p><strong>Mike Rothman:</strong> That’s right.</p>
<p>(00:10:00)</p>
<p><strong>Amrit Williams:</strong> But what scares me a little bit: 2010, what do you see on the horizon for 2010? Is it another year in the life?</p>
<p><strong>Mike Rothman:</strong> It is, and you know, I think that’s part of my challenge, right, because I was in this space when it was, like, cool and exciting and you had, you know, really magnetic entrepreneurs that were &#8212; you know, really out there to kind of change the world. You know, now it’s as much &#8212; you know, “hey man, your auditor’s showing up, you know, you got to do something, right.” And you know, to an early-market type of guy, you know, that kind of is a little bit painful, but you know, the reality, as you had said, right, it is what it is. We have to accept the situation for what it’s going to be, and in 2010, I mean, I think we’re going to continue to see a lot more of the same. I think you are going to see more hybrid models from a lot of the companies that are out there, which is, “You know what, if you don’t want to manage this, we’ll manage it for you.”</p>
<p>So a lot of the stuff that we see as traditional software businesses or customer-premise-oriented businesses, I think will have hybrid models because again, that’s where customers want to be. I think that we have to start paying attention a lot more to the user experience.</p>
<p>Again, guys like us are able to make this stuff work. If we really want security to happen and permeate the broader market, it’s got to be easier to use. So I think the folks that will be doing some level of innovation aren’t necessarily about a better mousetrap, but it’s a mousetrap that’s easier to set up and reduces the likelihood that you’ll snap your finger or your toe and be in a world of hurt. And you know, I think these are kind of market evolutionary things that are indicative of what is a rapidly maturing marketplace.</p>
<p>And I think we all have to come to grips with the fact that, you know, this isn’t a bunch of guys that are rubbing their cryptographic antennas once a year at the RSA show anymore. It’s a freaking industry, and you have a lot of big companies in here that are trying to, you know, wanting to do the right thing on their computing stacks and make them some semblance of secure. But you also have a real driver on the customer’s side to at least be able to prove some set of controls that are in place and utilized, and be able to document those controls so that when the auditors show up, you actually have something to say to them.</p>
<p><strong>Amrit Williams:</strong> Do you see the role of the security professional changing? We’ve certainly seen it change from the firewall jockeys to somebody who can more properly speak to the business and talk about risk. Are these roles diverging more, converging more, what happens &#8212;?</p>
<p><strong>Mike Rothman:</strong> Oh, I still think we have many, way too many that aren’t comfortable, kind of, talking about risk and giving a presentation to senior management. I don’t think we’ve made much progress at all on that front. We talk about it a lot, I certainly do. That was one of the lynchpins of the Pragmatic CSO, is the importance of realizing the fact that you’ve got to play the game. You’ve got to get political, you’ve got to get face time with a lot of the senior business leaders that are out there, but, yeah, again, I don’t necessarily know that we’ve made a huge amount of progress on that front.</p>
<p>I think what we really have to get to is this idea that there’s the large enterprise and large government agencies, and that’s really a different world. The things that you have to do to successfully implement a security program in that space are radically different than what you have to do in a mid-market type of platform in order to protect some stuff. Because you know, remember, we tend to spend a lot of time with the specialists, right?</p>
<p>The guys that are, whether they are world-class firewall jockeys or IPS signature gurus or identity management directory masters, you know, whatever it is. I think what we don’t spend enough time thinking about is how do we get that guy who is the Exchange administrator and the SQL Server jockey, how do we get this guy cognizant and knowledgeable enough about basic security stuff so that 90% of the world is not totally Swiss cheese. We spend a lot of time protecting the edges of the Fortune 500 and the Global 2000. You know, it’s literally an open door for pretty much the rest of the world.</p>
<p><strong>Amrit Williams:</strong> Oh, it’s just one of the reasons that targeting SMBs, targeting the mom-and-pop shops, is very profitable for those folks that can commit a volume of crimes.</p>
<p>(00:14:55)</p>
<p><strong>Mike Rothman:</strong> That’s right. That’s right! That’s exactly right, and I think &#8212; so when you think about it, as I re-envision my business now that I’m kind of back in the independent agitator role, it really is trying to think about and solve that problem for that administrator that wears multiple hats. You know, your PCI thing’s going to happen, what do I do. You know, you’ve got issues in terms of a contractor needing to come in and access your stuff. You know, you have people that are using social media, what do you do? Knowing that maybe I’ve got 10 hours a week to spend on this stuff, assuming that these guys work 50 or 60 hours in your typical week.</p>
<p>I think that we need to spend more time as a community thinking about those issues, but we also need to package both solutions and information to help those folks do something besides just go, “Hey, Mister Symantec or McAfee or anybody that’s out there, make this problem go away.” Or, “Hey, Mister FishNet or Accuvant,” or your big reseller, whoever they are, you know, drop-ship some stuff to fix this problem for me, and have people start thinking a lot more strategically about architecture and how security needs to really fit into the larger computing stack of everything that they’re doing.</p>
<p><strong>Amrit Williams:</strong> Any big moves for Security Incite? I mean, not big moves, but big changes? You’re still going to focus on the same type of markets that you have before?</p>
<p><strong>Mike Rothman:</strong> Yeah, I mean, I think I am going to focus a little bit more, so I would say my typical customer is going to be that mid-market professional. I think I am going to focus a little more probably on the things that are a little bit less sexy. Nowadays, things like, as you had mentioned, patch management and IPS and UTM and some of those things, endpoint security, that again isn’t necessarily sexy for the security cognoscenti, but it is where most of the bulk problem in that mid-market space is, as well as where the economic revenue share would be when you think about all the money that people spend on security. As most entrepreneurs do, I’m going to chase the money, and that’s where I think the money is going to be.</p>
<p><strong>Amrit Williams: </strong>I agree with you, and I think it’s interesting. You know, we started earlier by saying that we’re sort of shocked that some of the priorities that people are putting on are the same sort of old things that have been around for a while. I think the reality is people don’t know how to implement them properly. They’re still challenged to do the basics, and one of the things that the security professionals can really help companies deal with is, let’s get the basics right before we start dealing with all these weird edge cases. And that’s something that has not been done very well. We tend to go focus on the sexy, exotic things that will not impact everybody and forget about the things that happen to everybody. Like, I really am not that concerned about a bunch of ninja assassins breaking into my &#8212; although it’s possible.</p>
<p><strong>Mike Rothman:</strong> It is possible, and especially with your background, man. You’ll never know when these guys are going to say, “Time to take that guy out,” but I agree with you in that. You know, again, we spend a lot of time as a security &#8212; you know, let’s call it the security echo chamber, right, and that’s whether it’s the blogs or the Twitter or any of these other things. Some of the conferences, the hacker shows, we do by definition spend a lot of time on edge cases, and I guess the epiphany that I had is, the big soft underbelly are the folks that, again, they don’t even know what they don’t know. And we’ve got to do a better job collectively of helping them understand what they don’t know and giving them some information and hopefully some solutions to allow them to integrate good computing, good safety, security and privacy practices into kind of their day-to-day operations. And I think that’s the best opportunity that we have to impact the economic side of things.</p>
<p>It’s sort of like that supply-side economics, old philosophy, but as long as these guys have that huge economic motive, they’re going to keep doing it. And until we can figure out a way to shut off that oxygen, and you’re never going to totally shut it off, but right now it’s kind of coming out of a fire hose, and I think we do have to change that.</p>
<p><strong>Amrit Williams:</strong> Absolutely. Mike Rothman, thanks for joining me today. For those of you interested in more of the information and insights that Mike has, you can subscribe to the Daily Incite and you can visit Mike and his thoughts at&nbsp;<a href="http://securityincite.com" title="http://securityincite.com" target="_blank">securityincite.com</a>. That’s security S-E-C-U-R-I-T-Y incite I-N-C-I-T-E .com. Mike, thanks for joining me today.</p>
<p><strong>Mike Rothman:</strong> Thank you Amrit, always a pleasure.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/01/15/episode-72-what-are-the-real-threats-for-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
